Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix authorization not working when subscription permission is empty #11113

Closed
wants to merge 7 commits into from
Closed

fix authorization not working when subscription permission is empty #11113

wants to merge 7 commits into from

Conversation

wuzhanpeng
Copy link
Contributor

@wuzhanpeng wuzhanpeng commented Jun 26, 2021
edited
Loading

Motivation

This PR fixed the problem that org.apache.pulsar.broker.authorization.AuthorizationProvider#canConsumeAsync returned true when org.apache.pulsar.common.policies.data.AuthPolicies#getSubscriptionAuthentication was empty (i.e. the set of subscription_auth_roles in admin policies is empty). This is equivalent to allowing subscription permissions not to be checked during authorization.

Modifications

  • modifies canConsumeAsync of PulsarAuthorizationProvider and its relative test case.

@wuzhanpeng
Copy link
Contributor Author

@rdhabalia @hangc0276
Could you help review these changes ?

@eolivelli
Copy link
Contributor

This looks like a behaviour change.
You we advertise this in the release notes ?
Will existing users be affected by this change ?

@wuzhanpeng
Copy link
Contributor Author

This looks like a behaviour change.
You we advertise this in the release notes ?
Will existing users be affected by this change ?

  1. for regular users who enable authorization, they will grant topic and subscription permissions before actually consuming messages, thus these users would not be affected.
  2. for those noncompliant users who never grant subscription permissions but still want authorization service, the subscriber would not be able to establish after this behavior takes effect.

@wuzhanpeng
Copy link
Contributor Author

@hangc0276 @eolivelli @codelipenghui Could you help review these changes?

@sijie sijie added this to the 2.9.0 milestone Jul 23, 2021
@hangc0276
Copy link
Contributor

@hangc0276 @eolivelli @codelipenghui Could you help review these changes?

@wuzhanpeng This PR will break the existing subscription behavior although the existing behavior not expected. It will cause the existing applications which doesn't grant role and subscription permission, subscribe failed after upgrading Pulsar to the version including this PR. We'd better start a discussion in dev@pulsar.apache.org first.

@hangc0276
Copy link
Contributor

move to 2.8.2

michaeljmarshall
michaeljmarshall requested changes Aug 27, 2021
View reviewed changes
Copy link
Member

@michaeljmarshall michaeljmarshall left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

+1 for moving to the dev mailing list.

...common/src/main/java/org/apache/pulsar/broker/authorization/PulsarAuthorizationProvider.java
@@ -120,7 +120,7 @@ public void initialize(ServiceConfiguration conf, ConfigurationCacheService conf
// list is empty)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It appears that the original intent of this code was to consider an empty list as a special case that had special logic. I don't have enough context to know why, but it might be worth reviewing #2981, where this code was first introduced. If I had to guess, it's because it doesn't make much sense to have a subscription that cannot be consumed.

If this change is accepted, the comment on this line and the one above need to be updated:

pulsar/pulsar-broker-common/src/main/java/org/apache/pulsar/broker/authorization/PulsarAuthorizationProvider.java

Lines 119 to 120 in 879ab3a

// validate if role is authorize to access subscription. (skip validatation if authorization
// list is empty)

@eolivelli eolivelli modified the milestones: 2.9.0, 2.10.0 Oct 6, 2021
@315157973
Copy link
Contributor

@wuzhanpeng Hello, is there an email address for discussion?

@github-actions
Copy link

@wuzhanpeng:Thanks for your contribution. For this PR, do we need to update docs?
(The PR template contains info about doc, which helps others know more about the changes. Can you provide doc-related info in this and future PR descriptions? Thanks)

@Anonymitaet
Copy link
Member

@wuzhanpeng is this a bug fix (no need to update docs?)

@codelipenghui codelipenghui modified the milestones: 2.10.0, 2.11.0 Jan 18, 2022
@michaeljmarshall
Copy link
Member

I am going to remove the 2.8 label for now. @wuzhanpeng do you plan to continue with this work, or should we close this PR?

@michaeljmarshall
Copy link
Member

michaeljmarshall commented May 10, 2022
edited
Loading

@wuzhanpeng - if you're still interested in making this change, I think this feature might be viable if we put it behind a feature flag. The underlying question for this PR is how to interpret a lack of configuration for a subscription. Given that null has already been chosen to implicitly mean that the subscription permission feature is ignored, I think we need to maintain that functionality. However, a cluster focused on strict security where no permission is granted implicitly will interpret a lack of configuration for a subscription to mean the role doesn't have permission.

Additionally, I notice that admin roles not included in the subscription's allow list will get rejected from consuming a subscription. It's worth discussing if admins get implicit permission to consume from a subscription. Note that admins will have permission to update the subscription at a namespace level with clearBacklog, but might not be able to clear an individual subscription backlog (this conclusion is based on my memory, so we'd need to verify it).

@michaeljmarshall michaeljmarshall mentioned this pull request May 13, 2022
Closed
@michaeljmarshall
Copy link
Member

I've created #15597 to make this behavior configurable. Please feel free to add your feedback on the mailing list thread: https://lists.apache.org/thread/x6zg2l7hrtopd0yty93fhctsnm9n0wbt.

@sijie sijie mentioned this pull request May 14, 2022
Open
@codelipenghui codelipenghui modified the milestones: 2.11.0, 2.12.0 Jul 26, 2022
@tisonkun
Copy link
Member

tisonkun commented Dec 9, 2022

Closed as stale and conflict. Please rebase and resubmit the patch if it's still relevant.

@tisonkun tisonkun closed this Dec 9, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@michaeljmarshall michaeljmarshall michaeljmarshall requested changes

@rdhabalia rdhabalia Awaiting requested review from rdhabalia

@315157973 315157973 Awaiting requested review from 315157973

@codelipenghui codelipenghui Awaiting requested review from codelipenghui

@gaoran10 gaoran10 Awaiting requested review from gaoran10

Assignees

@wuzhanpeng wuzhanpeng

Labels
area/security doc-label-missing
Projects
None yet
Milestone
3.0.0
Development

Successfully merging this pull request may close these issues.
9 participants
@wuzhanpeng @eolivelli @hangc0276 @315157973 @Anonymitaet @michaeljmarshall @tisonkun @sijie @codelipenghui