[improve][broker] Authorize originalPrincipal when provided #19830
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
michaeljmarshall
added
area/broker
doc-required
michaeljmarshall
requested review from
lhotari,
hangc0276,
Technoboy-,
eolivelli,
codelipenghui,
nodece and
mattisonchao
mattisonchao
approved these changes
Mar 16, 2023
Technoboy-
approved these changes
Mar 16, 2023
hangc0276
approved these changes
Mar 16, 2023
codelipenghui
approved these changes
Mar 16, 2023
coderzc
approved these changes
Mar 16, 2023
...broker-common/src/main/java/org/apache/pulsar/broker/authorization/AuthorizationService.java
Show resolved
Hide resolved
nodece
reviewed
Mar 16, 2023
...er-common/src/test/java/org/apache/pulsar/broker/authorization/AuthorizationServiceTest.java
Show resolved
Hide resolved
1 task
eolivelli
approved these changes
Mar 17, 2023
mattisonchao
approved these changes
Mar 17, 2023
michaeljmarshall
added a commit
that referenced
this pull request
Mar 17, 2023
(cherry picked from commit 6bc3530)
michaeljmarshall
added a commit
that referenced
this pull request
Mar 17, 2023
michaeljmarshall
added
cherry-picked/branch-2.8
|
I'm not sure it really makes sense to add the |
|
@michaeljmarshall |
|
@coderzc good catch. The test is actually failing here too. It is in the "flaky test" batch and I didn't take a look. There are several |
michaeljmarshall
added a commit
that referenced
this pull request
Mar 18, 2023
The ServerCnxTest class is run as part of the flaky tests, so #19830 was merged without noticing that the changes didn't actually pass tests. This commit fixes the test by changing the assertions to ensure that "correct" combinations of roles and original principals are verified.
michaeljmarshall
added a commit
that referenced
this pull request
Mar 18, 2023
The ServerCnxTest class is run as part of the flaky tests, so #19830 was merged without noticing that the changes didn't actually pass tests. This commit fixes the test by changing the assertions to ensure that "correct" combinations of roles and original principals are verified. (cherry picked from commit 13f4a0d)
michaeljmarshall
added a commit
that referenced
this pull request
Mar 18, 2023
The ServerCnxTest class is run as part of the flaky tests, so #19830 was merged without noticing that the changes didn't actually pass tests. This commit fixes the test by changing the assertions to ensure that "correct" combinations of roles and original principals are verified. (cherry picked from commit 13f4a0d)
michaeljmarshall
added a commit
that referenced
this pull request
Mar 18, 2023
The ServerCnxTest class is run as part of the flaky tests, so #19830 was merged without noticing that the changes didn't actually pass tests. This commit fixes the test by changing the assertions to ensure that "correct" combinations of roles and original principals are verified. (cherry picked from commit 13f4a0d)
|
@coderzc - all branches |
michaeljmarshall
added a commit
that referenced
this pull request
Mar 20, 2023
…ior (#19845) Relates to: #19455 #19830 ### Motivation When I added the requirement for the proxy to use a role in the `proxyRoles` set, I didn't add a test that checked the negative case. This new test was first added in #19830 with one small difference. The goal of this test is to ensure that authorization of the client role and the original role is handled correctly. ### Modifications * Add new test class named `AuthorizationServiceTest`. We use `pass.proxy` and `fail.proxy` as proxy roles to simulate cases where the proxy's role passes and fails authorization, which is always possible. * Add new mock authorization provider named `MockAuthorizationProvider`. The logic is to let any role that starts with `pass` be considered authorized. ### Verifying this change This is a new test. It simply verifies the existing behavior to prevent future regressions. ### Documentation - [x] `doc-not-needed` ### Matching PR in forked repository PR in forked repository: Skipping forked test since the new tests pass locally and there are no other modifications.
Hi @michaeljmarshall any progress on the doc? Thanks! |
nicoloboschi
pushed a commit
to datastax/pulsar
that referenced
this pull request
Mar 29, 2023
nicoloboschi
pushed a commit
to datastax/pulsar
that referenced
this pull request
Mar 29, 2023
The ServerCnxTest class is run as part of the flaky tests, so apache#19830 was merged without noticing that the changes didn't actually pass tests. This commit fixes the test by changing the assertions to ensure that "correct" combinations of roles and original principals are verified. (cherry picked from commit 13f4a0d) (cherry picked from commit 45f303c)
|
I saw that you pushed a commit into You can reproduce this issue like this:
Same for Could you take a look? |
I'm not sure what you mean here. This PR (#19830) was merged to
That was not a mistake.
I can see in the code why this is happening. It must just be a case that wasn't covered by any tests. I can try to put up a fix soon.
You also need to connect through a pulsar proxy for this to actually be an issue because the Let me know if you have any questions. |
1 task
|
@poorbarcode - this should solve it: #19989. We might want to stop the current 2.10 and 2.11 releases, depending on how important it is for users to run with authn but without authz. |
michaeljmarshall
added a commit
that referenced
this pull request
Apr 5, 2023
### Motivation In #19455, I added a requirement that only the proxy role could supply an original principal. That check is only supposed to apply when the broker has authorization enabled. However, in one case, that was not the case. This PR does a check and returns early when authorization is not enabled in the broker. See #19830 (comment) for additional motivation. ### Modifications * Update the `PulsarWebResource#validateSuperUserAccessAsync` to only validate when authentication and authorization are enabled in the configuration. ### Verifying this change This is a trivial change. It'd be good to add tests, but I didn't include them here because this is a somewhat urgent fix. There was one test that broke because of this change, so there is at least some existing coverage. ### Documentation - [x] `doc-not-needed` ### Matching PR in forked repository PR in forked repository: michaeljmarshall#39
michaeljmarshall
added a commit
that referenced
this pull request
Apr 5, 2023
### Motivation In #19455, I added a requirement that only the proxy role could supply an original principal. That check is only supposed to apply when the broker has authorization enabled. However, in one case, that was not the case. This PR does a check and returns early when authorization is not enabled in the broker. See #19830 (comment) for additional motivation. ### Modifications * Update the `PulsarWebResource#validateSuperUserAccessAsync` to only validate when authentication and authorization are enabled in the configuration. ### Verifying this change This is a trivial change. It'd be good to add tests, but I didn't include them here because this is a somewhat urgent fix. There was one test that broke because of this change, so there is at least some existing coverage. ### Documentation - [x] `doc-not-needed` ### Matching PR in forked repository PR in forked repository: michaeljmarshall#39 (cherry picked from commit 1a6c28d)
michaeljmarshall
added a commit
that referenced
this pull request
Apr 6, 2023
In #19455, I added a requirement that only the proxy role could supply an original principal. That check is only supposed to apply when the broker has authorization enabled. However, in one case, that was not the case. This PR does a check and returns early when authorization is not enabled in the broker. See #19830 (comment) for additional motivation. * Update the `PulsarWebResource#validateSuperUserAccessAsync` to only validate when authentication and authorization are enabled in the configuration. This is a trivial change. It'd be good to add tests, but I didn't include them here because this is a somewhat urgent fix. There was one test that broke because of this change, so there is at least some existing coverage. - [x] `doc-not-needed` PR in forked repository: michaeljmarshall#39 (cherry picked from commit 1a6c28d)
michaeljmarshall
added a commit
that referenced
this pull request
Apr 6, 2023
In #19455, I added a requirement that only the proxy role could supply an original principal. That check is only supposed to apply when the broker has authorization enabled. However, in one case, that was not the case. This PR does a check and returns early when authorization is not enabled in the broker. See #19830 (comment) for additional motivation. * Update the `PulsarWebResource#validateSuperUserAccessAsync` to only validate when authentication and authorization are enabled in the configuration. This is a trivial change. It'd be good to add tests, but I didn't include them here because this is a somewhat urgent fix. There was one test that broke because of this change, so there is at least some existing coverage. - [x] `doc-not-needed` PR in forked repository: michaeljmarshall#39 (cherry picked from commit 1a6c28d) (cherry picked from commit 36f0db5)
michaeljmarshall
added a commit
to datastax/pulsar
that referenced
this pull request
Apr 13, 2023
…pache#19830)" This reverts commit 0c365e2. This commit was made as a concession because some were concerned that it might break implementations. My primary argument was that those implementations were at risk, so they were okay to "break". Therefore, I am reverting this on our fork. It is unlikely for there to be many conflicts because of this diversion.
michaeljmarshall
added a commit
to datastax/pulsar
that referenced
this pull request
Apr 13, 2023
…ior (apache#19845) Relates to: apache#19455 apache#19830 ### Motivation When I added the requirement for the proxy to use a role in the `proxyRoles` set, I didn't add a test that checked the negative case. This new test was first added in apache#19830 with one small difference. The goal of this test is to ensure that authorization of the client role and the original role is handled correctly. ### Modifications * Add new test class named `AuthorizationServiceTest`. We use `pass.proxy` and `fail.proxy` as proxy roles to simulate cases where the proxy's role passes and fails authorization, which is always possible. * Add new mock authorization provider named `MockAuthorizationProvider`. The logic is to let any role that starts with `pass` be considered authorized. ### Verifying this change This is a new test. It simply verifies the existing behavior to prevent future regressions. ### Documentation - [x] `doc-not-needed` ### Matching PR in forked repository PR in forked repository: Skipping forked test since the new tests pass locally and there are no other modifications. (cherry picked from commit c6de57c)
michaeljmarshall
added a commit
to datastax/pulsar
that referenced
this pull request
Apr 13, 2023
This reverts commit 6a9a22c.
nicoloboschi
pushed a commit
to datastax/pulsar
that referenced
this pull request
May 11, 2023
…#19989) In apache#19455, I added a requirement that only the proxy role could supply an original principal. That check is only supposed to apply when the broker has authorization enabled. However, in one case, that was not the case. This PR does a check and returns early when authorization is not enabled in the broker. See apache#19830 (comment) for additional motivation. * Update the `PulsarWebResource#validateSuperUserAccessAsync` to only validate when authentication and authorization are enabled in the configuration. This is a trivial change. It'd be good to add tests, but I didn't include them here because this is a somewhat urgent fix. There was one test that broke because of this change, so there is at least some existing coverage. - [x] `doc-not-needed` PR in forked repository: michaeljmarshall#39 (cherry picked from commit 1a6c28d) (cherry picked from commit 36f0db5)
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Motivation
In #19455, I made a change to require that only a role in the broker's
proxyRolesconfiguration could provide an original principal. Because this change can break certain installations on patch upgrades, a better temporary solution is to always authorize theoriginalPrincipalwhen present and to allow non proxy roles to supply the original principal.Modifications
AuthorizationService#isValidOriginalPrincipalto allow non proxy roles to supply an original principal. I added a log line in place of the previous failure.ServiceConfiguration#getProxyRoles()to also check if the original principal is not blank. When it is not blank, we will authorize both roles. Note that this is consistent with the logic in theAuthorizationService#isValidOriginalPrincipalmethod that is already merged to master.Verifying this change
I modified existing tests to make this work, and I added a new test to cover mos of the relevant cases where we changed logic.
I plan to copy the new tests to master since they will be valuable there too.
Documentation
doc-requiredI will follow up with docs for these proxy changes.
Matching PR in forked repository
PR in forked repository: in order to save time, we'll run tests directly in the pulsar repo.