Ensure that admin operations are gated by super user check (apache#7226)

* Ensure that admin operations are gated by super user check * keep /clusters open Co-authored-by: Sanjeev Kulkarni <sanjeevk@splunk.com>
nodece · Jun 11, 2020 · eda3526 · eda3526
1 parent 47f57b0
commit eda3526
Showing 1 changed file with 8 additions and 0 deletions.
diff --git a/pulsar-broker/src/main/java/org/apache/pulsar/broker/admin/impl/BrokersBase.java b/pulsar-broker/src/main/java/org/apache/pulsar/broker/admin/impl/BrokersBase.java
@@ -153,9 +153,12 @@ public void deleteDynamicConfiguration(@PathParam("configName") String configNam
     @Path("/configuration/values")
     @ApiOperation(value = "Get value of all dynamic configurations' value overridden on local config")
     @ApiResponses(value = {
+        @ApiResponse(code = 403, message = "You don't have admin permission to view configuration"),
         @ApiResponse(code = 404, message = "Configuration not found"),
         @ApiResponse(code = 500, message = "Internal server error")})
     public Map<String, String> getAllDynamicConfigurations() throws Exception {
+        validateSuperUserAccess();
+
         ZooKeeperDataCache<Map<String, String>> dynamicConfigurationCache = pulsar().getBrokerService()
                 .getDynamicConfigurationCache();
         Map<String, String> configurationMap = null;
@@ -175,7 +178,10 @@ public Map<String, String> getAllDynamicConfigurations() throws Exception {
     @GET
     @Path("/configuration")
     @ApiOperation(value = "Get all updatable dynamic configurations's name")
+    @ApiResponses(value = {
+            @ApiResponse(code = 403, message = "You don't have admin permission to get configuration")})
     public List<String> getDynamicConfigurationName() {
+        validateSuperUserAccess();
         return BrokerService.getDynamicConfiguration();
     }
 
@@ -240,7 +246,9 @@ private synchronized void updateDynamicConfigurationOnZk(String configName, Stri
     @GET
     @Path("/internal-configuration")
     @ApiOperation(value = "Get the internal configuration data", response = InternalConfigurationData.class)
+    @ApiResponses(value = { @ApiResponse(code = 403, message = "Don't have admin permission") })
     public InternalConfigurationData getInternalConfigurationData() {
+        validateSuperUserAccess();
         return pulsar().getInternalConfigurationData();
     }