-
Notifications
You must be signed in to change notification settings - Fork 3.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Authorization] AuthorizationService should use provider's canLookupAsync method #11777
[Authorization] AuthorizationService should use provider's canLookupAsync method #11777
Conversation
/pulsarbot run-failure-checks |
@michaeljmarshall Thanks for your contribution. Please do not forget to update docs later. And you can ping me to review the docs, thanks. |
/pulsarbot run-failure-checks |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
@Anonymitaet, @eolivelli, @sijie - how do we document changes that correct existing behavior? This change will only affect users with custom |
@michaeljmarshall if it is a major change or affects how to use this feature, maybe you add a note about the previous usage and current changes here? |
@Anonymitaet - I don't classify this as a major change. It is a correction in behavior. I think it only needs to be documented in the release notes. @eolivelli - do you have any insight here? |
it's not a major change or api change so, it won't require documentation. |
@michaeljmarshall Please provide a correct documentation label for your PR. |
…sync method (apache#11777) (cherry picked from commit 32f7340)
Motivation
The AuthenticationService essentially implements the
canLookupAsync
method instead of relying on the provider'scanLookupAsync
method.Before this change, the
AuthenticationService
was essentially callingprovider.canConsume
andprovider.canProduce
in order to determine if the role had sufficient permission tolookup
. While the logic should be sufficient, it wasn't the correct implementation because theprovider
has acanLookup
method that ought to be used.Modifications
AuthenticationService
methodcanLookupAsync
to first check if the role is a super user and then call the configured provider'scanLookupAsync
method. Note that this implementation follows the same paradigm ascanProduceAsync
andcanConsumeAsync
in theAuthenticationService
.PulsarAuthorizationProvider
implementation ofcanLookupAsync
to improve readability.Verifying this change
This change is already covered by existing tests, such as the
AuthorizationTest
.Does this pull request potentially affect one of the following parts:
This test could result in a change of behavior for users that have implemented their own
AuthorizationProvider
. ThePulsarAuthorizationProvider
is not affected because its logic was equivalent before and after this change.Documentation
For contributor
For this PR, do we need to update docs?
It's possible we'll want to update docs or to include a note about this fix for users who are upgrading. The main change in behavior is for users with a custom
AuthorizationProvider
.For committer
For this PR, do we need to update docs?
If yes,
if you update docs in this PR, label this PR with the
doc
label.if you plan to update docs later, label this PR with the
doc-required
label.if you need help on updating docs, create a follow-up issue with the
doc-required
label.If no, label this PR with the
no-need-doc
label and explain why.