Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Proxy roles enforcement #1168

Merged
merged 6 commits into from Feb 6, 2018
Merged

Proxy roles enforcement #1168

merged 6 commits into from Feb 6, 2018

Conversation

jai1
Copy link
Contributor

@jai1 jai1 commented Feb 1, 2018

The broker should be able to distinguish between a proxy and a client so that no compromised proxy can impersonate a client.

To be specific - once a proxy host is compromised it can choose to send originalPrincipal as null which will make the broker treat it as a normal client and authenticate/authorize the proxy as a normal client rather than demanding to authorize the originalPrincipal.

So for example:-
A client using topic T1 with roleToken R1 going through proxy with roleToken R3 will require granting AuthAction produce/consume on both R1 and R3 (proxy).
Similarly, a client using topic T2 with roleToken R2 going through the same proxy will require granting AuthAction produce/consume on both R1 and R3 (proxy).

Now with my current code if proxy is compromised it can access topics T1 and T2 without requiring client roleToken (R1 and R2) at all by passing originalPrincipal as null.

If I add a broker side setting "proxyRoles=R3, R4", then as soon as I see that the roleToken (R3) extracted from the incoming cert is in proxyRoles (R3, R4) then I can return an error if originalPrincipal is null.

Thanks to @msb-at-yahoo for suggesting this.

@jai1 jai1 self-assigned this Feb 1, 2018
@jai1 jai1 added the type/enhancement The enhancements for the existing features or docs. e.g. reduce memory usage of the delayed messages label Feb 1, 2018
@jai1
Copy link
Contributor Author

jai1 commented Feb 1, 2018

Forgot to mention: This enhancement is configurable - if you don't populate the proxyRoles then the behavior falls back to default.

merlimat
merlimat reviewed Feb 1, 2018
View reviewed changes
pulsar-broker/src/main/java/org/apache/pulsar/broker/service/ServerCnx.java Outdated
@@ -196,6 +202,16 @@ protected void handleLookup(CommandLookupTopic lookup) {
if (lookupSemaphore.tryAcquire()) {
final String originalPrincipal = lookup.hasOriginalPrincipal() ? lookup.getOriginalPrincipal()
: this.originalPrincipal;
if (service.isAuthorizationEnabled() && proxyRoles.contains(authRole)) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We should have the 3 similar blocks of code in a single method

@jai1
Copy link
Contributor Author

jai1 commented Feb 2, 2018

retest this please

@jai1
Copy link
Contributor Author

jai1 commented Feb 2, 2018

@merlimat @rdhabalia @saandrews @msb-at-yahoo - please review this when you find the time.

saandrews
saandrews reviewed Feb 2, 2018
View reviewed changes
pulsar-proxy/src/test/java/org/apache/pulsar/proxy/server/ProxyRolesEnforcementTest.java Outdated
// Step 1: Create Admin Client
createAdminClient();
final String proxyServiceUrl = "pulsar://localhost:" + servicePort;
// create a client which connects to proxy over tls and pass authData
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If the test is not using tls, please remove the comment.

@jai1 jai1 mentioned this pull request Feb 2, 2018
Merged
merlimat
merlimat approved these changes Feb 4, 2018
View reviewed changes
Copy link
Contributor

@merlimat merlimat left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍

@jai1 Can you also update the deployment documentation for the proxy with all the instructions and the different options on how to enable auth with proxy?

@merlimat merlimat added this to the 1.22.0-incubating milestone Feb 4, 2018
@jai1
Copy link
Contributor Author

jai1 commented Feb 5, 2018

retest this please

@jai1 jai1 merged commit 15e6655 into apache:master Feb 6, 2018
@jai1 jai1 deleted the ProxyRolesEnforcement branch February 6, 2018 02:50
merlimat
merlimat reviewed Feb 6, 2018
View reviewed changes
pulsar-broker/src/main/java/org/apache/pulsar/broker/service/ServerCnx.java
@@ -196,6 +215,13 @@ protected void handleLookup(CommandLookupTopic lookup) {
if (lookupSemaphore.tryAcquire()) {
final String originalPrincipal = lookup.hasOriginalPrincipal() ? lookup.getOriginalPrincipal()
: this.originalPrincipal;
if (!validateOriginalPrincipal(originalPrincipal,
newLookupErrorResponse(ServerError.AuthorizationError,
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We cannot create the buffer in all cases, otherwise this is being leaked when there is no error.

This was referenced Feb 6, 2018
Merged
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@merlimat merlimat merlimat approved these changes

@saandrews saandrews saandrews approved these changes

@rdhabalia rdhabalia Awaiting requested review from rdhabalia

@joefk joefk Awaiting requested review from joefk

Assignees

@jai1 jai1

Labels
type/enhancement The enhancements for the existing features or docs. e.g. reduce memory usage of the delayed messages
Projects
None yet
Milestone
1.22.0-incubating
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@jai1 @merlimat @saandrews