[fix][broker] Fix incorrect authorization issue when using proxy

[Technoboy-]

Motivation

When the client uses the proxy to connect to the broker, if enabled the authorization and set namespace subscription auth mode with Prefix, the client will always face the authorization issue :

Failed to create consumer - The subscription name needs to be prefixed by the authentication role, like abc-xxxx for topic: persistent://public/default/test

The related codes to the root cause:

pulsar/pulsar-broker/src/main/java/org/apache/pulsar/broker/service/ServerCnx.java

Lines 468 to 494 in dd1b579

	private CompletableFuture<Boolean> isTopicOperationAllowed(TopicName topicName, TopicOperation operation,
	AuthenticationDataSource authDataSource, AuthenticationDataSource originalAuthDataSource) {
	if (!service.isAuthorizationEnabled()) {
	return CompletableFuture.completedFuture(true);
	}
	CompletableFuture<Boolean> isProxyAuthorizedFuture;
	if (originalPrincipal != null) {
	isProxyAuthorizedFuture = service.getAuthorizationService().allowTopicOperationAsync(
	topicName, operation, originalPrincipal,
	originalAuthDataSource != null ? originalAuthDataSource : authDataSource);
	} else {
	isProxyAuthorizedFuture = CompletableFuture.completedFuture(true);
	}
	CompletableFuture<Boolean> isAuthorizedFuture = service.getAuthorizationService().allowTopicOperationAsync(
	topicName, operation, authRole, authDataSource);
	return isProxyAuthorizedFuture.thenCombine(isAuthorizedFuture, (isProxyAuthorized, isAuthorized) -> {
	if (!isProxyAuthorized) {
	log.warn("OriginalRole {} is not authorized to perform operation {} on topic {}",
	originalPrincipal, operation, topicName);
	}
	if (!isAuthorized) {
	log.warn("Role {} is not authorized to perform operation {} on topic {}",
	authRole, operation, topicName);
	}
	return isProxyAuthorized && isAuthorized;
	});
	}

Verifying this change

Add a related test to cover this change.

Documentation

• doc
• doc-required
• doc-not-needed
• doc-complete

[codecov-commenter]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 73.42%. Comparing base (bbc6224) to head (cdb2e37).
Report is 456 commits behind head on master.

Additional details and impacted files

@@             Coverage Diff              @@
##             master   #23045      +/-   ##
============================================
- Coverage     73.57%   73.42%   -0.16%     
- Complexity    32624    33391     +767     
============================================
  Files          1877     1914      +37     
  Lines        139502   143634    +4132     
  Branches      15299    15669     +370     
============================================
+ Hits         102638   105458    +2820     
- Misses        28908    30111    +1203     
- Partials       7956     8065     +109     

Flag	Coverage Δ
inttests	27.78% <0.00%> (+3.19%)	⬆️
systests	24.68% <0.00%> (+0.36%)	⬆️
unittests	72.48% <100.00%> (-0.37%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

Files	Coverage Δ
...va/org/apache/pulsar/broker/service/ServerCnx.java	72.19% <100.00%> (+0.05%)	⬆️

... and 497 files with indirect coverage changes

[nodece]

Isn't proxy super user? Similar to #23036