Add subscription auth mode by prefix #899
Merged
+246
−53
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
yush1ga
force-pushed
the
subscription-acl
branch
from
3d06de6
to
6924b86
Compare
yush1ga
added
the
type/feature
yush1ga
force-pushed
the
subscription-acl
branch
3 times, most recently
from
d69efdf
to
cf2d669
Compare
yush1ga
force-pushed
the
subscription-acl
branch
2 times, most recently
from
5788c78
to
3668902
Compare
nkurihar
reviewed
Jan 9, 2018
| case Prefix: | ||
| if (!subscription.startsWith(role)) { | ||
| permissionFuture.complete(false); | ||
| return; |
There was a problem hiding this comment.
Should we return permissionFuture here?
return permissionFuture;
There was a problem hiding this comment.
This return is for lambda of line 88 and it need not return any values.
|
LGTM 👍 |
nkurihar
approved these changes
Jan 9, 2018
merlimat
reviewed
Jan 10, 2018
| switch (policies.get().subscription_auth_mode) { | ||
| case Prefix: | ||
| if (!subscription.startsWith(role)) { | ||
| permissionFuture.complete(false); |
There was a problem hiding this comment.
I think it's important to bubble back to user the exact reason for the consumer creation to fail. E.g.: In the exception thrown, it should include something like:
Failed to create consumer - The subscription name needs to be prefixed by the authentication role, like MY-ROLE-xxxx
Including the actual role used by the consumer.
saandrews
reviewed
Jan 10, 2018
yush1ga
force-pushed
the
subscription-acl
branch
from
3668902
to
b1ba82b
Compare
saandrews
reviewed
Jan 11, 2018
| case Prefix: | ||
| if (!subscription.startsWith(role)) { | ||
| PulsarServerException ex = new PulsarServerException( | ||
| String.format("Failed to create consumer - The subscription name needs to be prefixed by the authentication role, like %s-xxxx", role)); |
There was a problem hiding this comment.
Can you add the destination info in the message?
yush1ga
force-pushed
the
subscription-acl
branch
from
b1ba82b
to
acb351f
Compare
yush1ga
force-pushed
the
subscription-acl
branch
from
acb351f
to
35c3198
Compare
|
@saandrews @merlimat |
saandrews
approved these changes
Jan 12, 2018
15 tasks
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Motivation
#893
In our use case, there are cases that one tenant's producer wants to send messages to the other tenants' consumers.
In such a case, some consumers use very simple subscription name like "sub", "sub1" or "subscription_prod" and these are conflicted.
Modifications
subscription_auth_modeto namespace policy.subscription_auth_modeisPrefix, a client have to use subscription name including role name prefix like${AuthRroleName}-foobar.Result
Since a client is forced to use role-prefixed subscription name, conflicts of subscription name can be avoided.
I'm going to create test and documentation for this and send another PR.