[fix][broker] Producer/Consumer should call allowTopicOperationAsync

[michaeljmarshall]

Fixes: #20066

Motivation

In #20068 we changed the way that the AuthorizationService is implemented. I think we should change the Consumer and the Producer logic to call the correct AuthorizationService method.

Given that our goal is to deprecate the AuthorizationService methods for canProduce and canConsume, this change helps us move in the right direction.

Modifications

• Update Producer and Consumer in broker to call the AuthorizationService#allowTopicOperationAsync method.

Verifying this change

This change is trivial.

Documentation

• doc-not-needed

Matching PR in forked repository

PR in forked repository: Skipping PR as I ran tests locally.

[nodece]

#20068 is the correct implementation, I don't suggest we revert that.

I suggest we just update the Producer.java and Consumer.java to call the AuthorizationService#allowTopicOperationAsync method, and we also can add the @Deprecated to AuthorizationService#canProduceAsync, AuthorizationService#canConsumeAsync.

BTW, the canLookupAsync should also be deprecated.

[michaeljmarshall]

#20068 is the correct implementation, I don't suggest we revert that.

What is the purpose of changing the implementation of an abstraction that we are deprecating?

[nodece]

#20068 is the correct implementation, I don't suggest we revert that.

What is the purpose of changing the implementation of an abstraction that we are deprecating?

Make sure this logic/behavior is correct.

Maybe this affects the commit history, but I still suggest we keep #20068.

[michaeljmarshall]

#20068 is the correct implementation, I don't suggest we revert that.

What is the purpose of changing the implementation of an abstraction that we are deprecating?

Make sure this logic is correct.

The logic has been there for a long time. It's likely extensions built on top of those methods already account for the short coming, which is why I said that solution could have unintended consequences.

The problem described by #20066 is that the Producer and Consumer use the wrong method in the AuthorizationService. In my opinion, the right fix is to fix which method those classes use.

Maybe this affects the commit history, but I still suggest we keep #20068.

That's a fair point. I will break this PR into two PRs to make the discussion clearer.

[nodece]

LGTM

[michaeljmarshall]

@nodece - I'll open a PR to deprecate those methods.

[nodece]

I rethought this PR, if the custom authorization provider didn't handle the TopicOperation, which introduces unintended consequences.

[michaeljmarshall]

I rethought this PR, if the custom authorization provider didn't handle the TopicOperation, which introduces unintended consequences.

@nodece - by that same logic, #20068 is invalid. The default for the provider is to fail, so it is a safe change:

pulsar/pulsar-broker-common/src/main/java/org/apache/pulsar/broker/authorization/AuthorizationProvider.java

Lines 344 to 351 in efb251c

	default CompletableFuture<Boolean> allowTopicOperationAsync(TopicName topic,
	String role,
	TopicOperation operation,
	AuthenticationDataSource authData) {
	return FutureUtil.failedFuture(
	new IllegalStateException("TopicOperation [" + operation.name() + "] is not supported by the Authorization"
	+ "provider you are using."));
	}

Further, the allowTopicOperationAsync has been used by ServerCnx for a while.

[nodece]

I rethought this PR, if the custom authorization provider didn't handle the TopicOperation, which introduces unintended consequences.

@nodece - by that same logic, #20068 is invalid. The default for the provider is to fail, so it is a safe change:

pulsar/pulsar-broker-common/src/main/java/org/apache/pulsar/broker/authorization/AuthorizationProvider.java

Lines 344 to 351 in efb251c

	default CompletableFuture<Boolean> allowTopicOperationAsync(TopicName topic,
	String role,
	TopicOperation operation,
	AuthenticationDataSource authData) {
	return FutureUtil.failedFuture(
	new IllegalStateException("TopicOperation [" + operation.name() + "] is not supported by the Authorization"
	+ "provider you are using."));
	}

Further, the allowTopicOperationAsync has been used by ServerCnx for a while.

I know we've been using allowTopicOperationAsync for a long time, but I'm still concerned about compatibility issues.

If we allow for this change, I think #20068 is also safe, is it right?

[michaeljmarshall]

If we allow for this change, I think #20068 is also safe, is it right?

My concern for #20068 is not with the AuthorizationProvider implementation but rather with pulsar extensions running in the broker that call the AuthorizationService#canProduceAsync and AuthorizationService#canConsumeAsync. My primary argument is that there is no compelling reason to change the AuthorizationService implementation because there is already a "correct" alternative to use. As such, I want to leave those methods unchanged and to update the broker code to use the newer method to get the correct behavior.

[nodece]

Thank you for your explanation, we focus on different points, so different ideas emerge.
In my opinion, both #20142 and #20068 PRs are able to solve #20066, and in order to solve the issue completely I submitted #20145.

#20068 can also be reverted.

[codecov-commenter]

Codecov Report

Merging #20142 (f757419) into master (9b72302) will increase coverage by 39.78%.
The diff coverage is 100.00%.

@@              Coverage Diff              @@
##             master   #20142       +/-   ##
=============================================
+ Coverage     33.17%   72.96%   +39.78%     
- Complexity    12236    31927    +19691     
=============================================
  Files          1499     1868      +369     
  Lines        114413   138402    +23989     
  Branches      12431    15236     +2805     
=============================================
+ Hits          37962   100986    +63024     
+ Misses        71499    29397    -42102     
- Partials       4952     8019     +3067     

Flag	Coverage Δ
inttests	24.25% <50.00%> (?)
systests	24.84% <62.50%> (?)
unittests	72.26% <100.00%> (+39.08%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

Impacted Files	Coverage Δ
...sar/broker/authorization/AuthorizationService.java	58.92% <100.00%> (+48.92%)	⬆️
...ava/org/apache/pulsar/broker/service/Consumer.java	86.64% <100.00%> (+26.85%)	⬆️
...ava/org/apache/pulsar/broker/service/Producer.java	82.46% <100.00%> (+25.20%)	⬆️

... and 1538 files with indirect coverage changes

[poorbarcode]

@michaeljmarshall

To avoid conflicts, I cherry-picked all three patches into branch 3.0.

• [fix][broker] Fix tenant admin authorization bug. #20068
• [fix][broker] Producer/Consumer should call allowTopicOperationAsync #20142
• [revert] "[fix][broker] Fix tenant admin authorization bug. (#20068)" #20143