[fix][broker] Fix tenant admin authorization bug.

[dragonls]

Fixes #20066

Motivation

Fixes the bug that producers/consumers will all disconnect while using tenant admin to produce/consume.

The root cause is that the permission check logic is not the same bewteen org.apache.pulsar.broker.service.ServerCnx and org.apache.pulsar.broker.service.persistent.PersistentTopic#onPoliciesUpdate.

In org.apache.pulsar.broker.service.ServerCnx, while handleProducer and handleSubscribe, the permission check will go to isTopicOperationAllowed and finally be processed by org.apache.pulsar.broker.authorization.PulsarAuthorizationProvider#allowTopicOperationAsync, which will validateTenantAdminAccess. Everything is fine.

In org.apache.pulsar.broker.service.persistent.PersistentTopic#onPoliciesUpdate, it checks the permission by producer.checkPermissionsAsync and consumer.checkPermissionsAsync. Let's take the processing logic of the producer as an example. It will be processed by org.apache.pulsar.broker.authorization.AuthorizationService#canProduceAsync and finally org.apache.pulsar.broker.authorization.PulsarAuthorizationProvider#canProduceAsync. The tenant admin can not pass the check.

Modifications

Update org.apache.pulsar.broker.authorization.AuthorizationProvider#canProduceAsync to org.apache.pulsar.broker.authorization.AuthorizationProvider#allowTopicOperationAsync in org.apache.pulsar.broker.authorization.AuthorizationService#canProduceAsync. So do org.apache.pulsar.broker.authorization.AuthorizationService#canConsumeAsync and org.apache.pulsar.broker.authorization.AuthorizationService#canLookupAsync

Verifying this change

• Make sure that the change passes the CI checks.

This change added tests and can be verified as follows:

• Added and fixed the test in org.apache.pulsar.broker.auth.AuthorizationTest#simple
• Added and fixed the test in org.apache.pulsar.websocket.proxy.ProxyAuthorizationTest

Does this pull request potentially affect one of the following parts:

If the box was checked, please highlight the changes

• Dependencies (add or upgrade a dependency)
• The public API
• The schema
• The default values of configurations
• The threading model
• The binary protocol
• The REST endpoints
• The admin CLI options
• The metrics
• Anything that affects deployment

Documentation

• doc
• doc-required
• doc-not-needed
• doc-complete

Matching PR in forked repository

PR in forked repository: dragonls#7

[dragonls]

In fact, there are many places in the current code that check the permission of super user or tenant admin:

1. org.apache.pulsar.broker.authorization.AuthorizationProvider#isSuperUser in org.apache.pulsar.broker.authorization.AuthorizationService, including functions canProduceAsync, canConsumeAsync, canLookupAsync. No tenant admin check here.
2. org.apache.pulsar.broker.authorization.AuthorizationProvider#isSuperUserOrAdmin in org.apache.pulsar.broker.authorization.AuthorizationService, including function allowSinkOpsAsync, allowSourceOpsAsync, allowFunctionOpsAsync.
3. After this PR, org.apache.pulsar.broker.authorization.PulsarAuthorizationProvider#validateTenantAdminAccess in org.apache.pulsar.broker.authorization.PulsarAuthorizationProvider, including functions canProduceAsync, canConsumeAsync. No tenant admin check in allowTheSpecifiedActionOpsAsync.

Maybe we need to uniformly add/update permission check wherever we need. And also remove some reduplicated check, for example:

1. validateTenantAdminAccess in org.apache.pulsar.broker.authorization.PulsarAuthorizationProvider#allowTopicOperationAsync
2. isSuperUser in org.apache.pulsar.broker.authorization.AuthorizationService, including functions canProduceAsync, canConsumeAsync, canLookupAsync.

I am just afaid that there are still some authorization bug not found.

What do you think? @Technoboy- @nodece

[nodece]

I know these cases, I want to deprecate the canProduceAsync, canConsumeAsync, and canLookupAsync, use the allowTopicOperationAsync instead.

[dragonls]

I know these cases, I want to deprecate the canProduceAsync, canConsumeAsync, and canLookupAsync, use the allowTopicOperationAsync instead.

Sounds good. I can do this after this PR merged.

[Technoboy-]

I know these cases, I want to deprecate the canProduceAsync, canConsumeAsync, and canLookupAsync, use the allowTopicOperationAsync instead.

Sounds good. I can do this after this PR merged.

Yes, this will keep the logic the same. But we'd better discuss it in the dev mail list first.

[dragonls]

Make sense. I also find some function in org.apache.pulsar.broker.authorization.AuthorizationService marked deprecated.

Maybe we can do the same thing.

[nodece]

Thank @dragonls for your contribution, I made #19461 to that before.

[dragonls]

/pulsarbot rerun-failure-checks

[codecov-commenter]

Codecov Report

Merging #20068 (44bf9fe) into master (dc1cdac) will increase coverage by 48.70%.
The diff coverage is 100.00%.

@@              Coverage Diff              @@
##             master   #20068       +/-   ##
=============================================
+ Coverage     24.26%   72.96%   +48.69%     
- Complexity      294    31823    +31529     
=============================================
  Files          1609     1868      +259     
  Lines        125669   138332    +12663     
  Branches      13707    15220     +1513     
=============================================
+ Hits          30490   100930    +70440     
+ Misses        90689    29390    -61299     
- Partials       4490     8012     +3522     

Flag	Coverage Δ
inttests	24.13% <0.00%> (-0.13%)	⬇️
systests	24.78% <0.00%> (?)
unittests	72.25% <100.00%> (?)

Flags with carried forward coverage won't be shown. Click here to find out more.

Impacted Files	Coverage Δ
...sar/broker/authorization/AuthorizationService.java	59.75% <100.00%> (+54.55%)	⬆️

... and 1590 files with indirect coverage changes

[michaeljmarshall]

I don't think we want to change the canProduceAsync and canConsumeAsync methods. Instead, we can change the calling code. Let me know what you think.

[nodece]

I expect the test to fail. You also need to modify the org.apache.pulsar.broker.authorization.PulsarAuthorizationProvider#allowTopicOperationAsync to avoid a dead loop.

@dragonls, Sorry for providing an incorrect review.

[dragonls]

I expect the test to fail. You also need to modify the org.apache.pulsar.broker.authorization.PulsarAuthorizationProvider#allowTopicOperationAsync to avoid a dead loop.

I didn't find dead loop. Can you be more specific?

[nodece]

I expect the test to fail. You also need to modify the org.apache.pulsar.broker.authorization.PulsarAuthorizationProvider#allowTopicOperationAsync to avoid a dead loop.

I didn't find dead loop. Can you be more specific?

Sorry that I provide an incorrect review.

[nodece]

LGTM

[nodece]

/pulsarbot rerun-failure-checks

Updated

[nodece]

Thank @dragonls for your contribution!

[michaeljmarshall]

@nodece @dragonls - I don't think we should have taken this direction with the PR. I propose an alternative here: #20142.

[dragonls]

@nodece @dragonls - I don't think we should have taken this direction with the PR. I propose an alternative here: #20142.

OK. I looked into all relative discussion, the right direction seems to be:

1. All superUser/admin check should be moved into AuthorizationService, which keep AuthorizationProvider clean and more focused on the inner check.
2. Outer callers, such as Producer/Consumer, shoud call AuthorizationService.allowTopicOperationAsync instead of canProduceAsync/canConsumerAsync/canLookupAsync. The canProduceAsync/canConsumerAsync/canLookupAsync in AuthorizationProvider might be deprecated in the future.

[poorbarcode]

@michaeljmarshall

To avoid conflicts, I cherry-picked all three patches into branch 3.1.

• [fix][broker] Fix tenant admin authorization bug. #20068
• [fix][broker] Producer/Consumer should call allowTopicOperationAsync #20142
• [revert] "[fix][broker] Fix tenant admin authorization bug. (#20068)" #20143