[improve][broker] Require authRole is proxyRole to set originalPrincipal #19455
Conversation
michaeljmarshall
added
area/broker
doc-required
michaeljmarshall
requested review from
merlimat,
lhotari,
eolivelli,
codelipenghui and
nodece
|
Good work!
I think we should add a paramter in the config file, and when this paramter is enabled, we perform the strict checks. |
My primary concern with making this requirement configurable is that it is prone to error. For me, the justification comes here: A proxy that forwards an admin call without being configured as a |
|
I added a commit to expand the scope of this PR so that both admin and binary endpoints have the same requirements. |
@michaeljmarshall good work! |
|
/pulsarbot rerun-failure-checks |
|
There are some test failures that seem related to incorrect resources getting copied around. I deleted some of the github actions artifacts to try to make it work. |
|
This seems to be a breaking change, I would tend to think it's a security enhancement (it's not a vulnerability), wouldn't it be more appropriate to enable it by default in some future version? Now to avoid the impact on user clusters, can we introduce an option to support disable or enable it. @michaeljmarshall cc/@nodece |
|
@tuteng - the proxy is supposed to connect using one of the |
|
This change is always positive, but we shouldn't affect the old version because many users don't care about the I think this change can only be released in 3.0. If you agree, please help revert this PR in the old branch! |
I do not think we should revert this change from old branches. The risk to users is that misconfiguration leads to excessive permissions, as I documented. The solution is to use dedicated authentication data for a proxy so that it has a proxy role. I will reply on the mailing list as well. |
|
I understand that, but for the sake of the user, I think this check is optional, and we can add a switch to control this check, then we update our documentation that how to enable this switch. Default to enable this switch in the 3.0.0, disable this switch in the 2.8, 2.9, 2.10, 2.11. |
I would like to confirm if it is possible to make it optional (enabled or disabled), in many user environments it can be trusted and there is no such risk, now it is enabled by default in all major versions and cannot be disabled by the user? @michaeljmarshall |
Can you clarify what "it" is here? What is the purpose of authorization if the environment is trusted? |
Before this change, if a client wanted to connect to the cluster using the super role, the role had to be configured in the proxy's superUserRoles, otherwise the proxy would not be able to authenticate it, after this change, if a client connected to the cluster using the super role, the role could not appear in superUserRoles of the proxy and proxyRoles of the broker, otherwise the connect also will fail, which seems to be an opposite behavior I think this is a security enhancement, not a vulnerability (I'm sure you agree), but now that this change has been introduced on most major branches.I understand it doesn't make sense to use the proxy's superRoles, but it works correctly, and if a user performs a minor version upgrade without understanding the context, such as upgrading a cluster from 2.10.3 to 2.10.4 (ideally there should be no breaking changes), that will result in clients not being able to successfully connect to the cluster, which will cause some failures, which have actually happened in some users' test environments I don't think it is a problem to introduce this change in a major release (e.g. 3.0) because it will give users enough time to understand it. Minor upgrades are frequent, so I don't think it is appropriate to introduce it on a minor release and not be configurable, which can very easily lead to unpredictable failures |
Sure, and that is why this PR is necessary for the older branches. If the proxy has a super user role that is not in the
This analysis does not match my understanding of the PR. The proxy's It sounds like the problem you're encountering is that your proxy's role is not in the
I disagree that this is only an enhancement. This change protects operators from dangerous misconfigurations. The only way this is not a vulnerability is if we agree that a proxy is supposed to connect with a role in the |
…alPrincipal (apache#19455)" This reverts commit 6a599af.
…alPrincipal (apache#19455)" This reverts commit c7eabc9.
…alPrincipal (apache#19455)" This reverts commit 6a599af.
…alPrincipal (apache#19455)" This reverts commit 85f0a85.
…ior (#19845) Relates to: #19455 #19830 ### Motivation When I added the requirement for the proxy to use a role in the `proxyRoles` set, I didn't add a test that checked the negative case. This new test was first added in #19830 with one small difference. The goal of this test is to ensure that authorization of the client role and the original role is handled correctly. ### Modifications * Add new test class named `AuthorizationServiceTest`. We use `pass.proxy` and `fail.proxy` as proxy roles to simulate cases where the proxy's role passes and fails authorization, which is always possible. * Add new mock authorization provider named `MockAuthorizationProvider`. The logic is to let any role that starts with `pass` be considered authorized. ### Verifying this change This is a new test. It simply verifies the existing behavior to prevent future regressions. ### Documentation - [x] `doc-not-needed` ### Matching PR in forked repository PR in forked repository: Skipping forked test since the new tests pass locally and there are no other modifications.
### Motivation In #19455, I added a requirement that only the proxy role could supply an original principal. That check is only supposed to apply when the broker has authorization enabled. However, in one case, that was not the case. This PR does a check and returns early when authorization is not enabled in the broker. See #19830 (comment) for additional motivation. ### Modifications * Update the `PulsarWebResource#validateSuperUserAccessAsync` to only validate when authentication and authorization are enabled in the configuration. ### Verifying this change This is a trivial change. It'd be good to add tests, but I didn't include them here because this is a somewhat urgent fix. There was one test that broke because of this change, so there is at least some existing coverage. ### Documentation - [x] `doc-not-needed` ### Matching PR in forked repository PR in forked repository: michaeljmarshall#39
### Motivation In #19455, I added a requirement that only the proxy role could supply an original principal. That check is only supposed to apply when the broker has authorization enabled. However, in one case, that was not the case. This PR does a check and returns early when authorization is not enabled in the broker. See #19830 (comment) for additional motivation. ### Modifications * Update the `PulsarWebResource#validateSuperUserAccessAsync` to only validate when authentication and authorization are enabled in the configuration. ### Verifying this change This is a trivial change. It'd be good to add tests, but I didn't include them here because this is a somewhat urgent fix. There was one test that broke because of this change, so there is at least some existing coverage. ### Documentation - [x] `doc-not-needed` ### Matching PR in forked repository PR in forked repository: michaeljmarshall#39 (cherry picked from commit 1a6c28d)
In #19455, I added a requirement that only the proxy role could supply an original principal. That check is only supposed to apply when the broker has authorization enabled. However, in one case, that was not the case. This PR does a check and returns early when authorization is not enabled in the broker. See #19830 (comment) for additional motivation. * Update the `PulsarWebResource#validateSuperUserAccessAsync` to only validate when authentication and authorization are enabled in the configuration. This is a trivial change. It'd be good to add tests, but I didn't include them here because this is a somewhat urgent fix. There was one test that broke because of this change, so there is at least some existing coverage. - [x] `doc-not-needed` PR in forked repository: michaeljmarshall#39 (cherry picked from commit 1a6c28d)
In #19455, I added a requirement that only the proxy role could supply an original principal. That check is only supposed to apply when the broker has authorization enabled. However, in one case, that was not the case. This PR does a check and returns early when authorization is not enabled in the broker. See #19830 (comment) for additional motivation. * Update the `PulsarWebResource#validateSuperUserAccessAsync` to only validate when authentication and authorization are enabled in the configuration. This is a trivial change. It'd be good to add tests, but I didn't include them here because this is a somewhat urgent fix. There was one test that broke because of this change, so there is at least some existing coverage. - [x] `doc-not-needed` PR in forked repository: michaeljmarshall#39 (cherry picked from commit 1a6c28d) (cherry picked from commit 36f0db5)
…ior (apache#19845) Relates to: apache#19455 apache#19830 ### Motivation When I added the requirement for the proxy to use a role in the `proxyRoles` set, I didn't add a test that checked the negative case. This new test was first added in apache#19830 with one small difference. The goal of this test is to ensure that authorization of the client role and the original role is handled correctly. ### Modifications * Add new test class named `AuthorizationServiceTest`. We use `pass.proxy` and `fail.proxy` as proxy roles to simulate cases where the proxy's role passes and fails authorization, which is always possible. * Add new mock authorization provider named `MockAuthorizationProvider`. The logic is to let any role that starts with `pass` be considered authorized. ### Verifying this change This is a new test. It simply verifies the existing behavior to prevent future regressions. ### Documentation - [x] `doc-not-needed` ### Matching PR in forked repository PR in forked repository: Skipping forked test since the new tests pass locally and there are no other modifications. (cherry picked from commit c6de57c)
…#19989) In apache#19455, I added a requirement that only the proxy role could supply an original principal. That check is only supposed to apply when the broker has authorization enabled. However, in one case, that was not the case. This PR does a check and returns early when authorization is not enabled in the broker. See apache#19830 (comment) for additional motivation. * Update the `PulsarWebResource#validateSuperUserAccessAsync` to only validate when authentication and authorization are enabled in the configuration. This is a trivial change. It'd be good to add tests, but I didn't include them here because this is a somewhat urgent fix. There was one test that broke because of this change, so there is at least some existing coverage. - [x] `doc-not-needed` PR in forked repository: michaeljmarshall#39 (cherry picked from commit 1a6c28d) (cherry picked from commit 36f0db5)
Motivation
While working on #19270, I noticed we do not set any strict rules on which roles can supply the
originalPrincipalororiginalAuthDatafields on theConnectCommand:pulsar/pulsar-common/src/main/proto/PulsarApi.proto
Lines 279 to 288 in b0945d1
This PR's goal is to prevent connections where the
originalPrincipalis set with anauthRolethat is not a proxy role. This is an invalid state that was allowed to persist before. It was not, strictly speaking, a vulnerability because theisTopicOperationAllowedvalidates that both theoriginalPrincipaland theauthRolehave permission to perform any operation the client attempts.Additionally, in the admin http service, there is a risk where a proxy that is configured with a superuser token that is not also a proxy role, the call is authorized only with the proxy's auth data, which could result in excessive permissions.
This is technically a breaking change in that upgrading existing proxies will not work if the
proxyRolesis not correctly configured in thebroker.conf.Modifications
originalPrincipalis set, theauthRole(orauthenticatedPrincipal) must be in theproxyRolesset. Because we run this check after authenticating theoriginalAuthData, we will correctly fail calls that pass and do not pass theoriginalAuthDatain theServerCnx.validateOriginalPrincipalin theAuthorizationService.staticmodifier from several methods. This could break extensions, though it is unlikely because these methods are all HTTP server related.Verifying this change
An existing test is updated to cover the added logic.
Does this pull request potentially affect one of the following parts:
This change affects the binary protocol's usage without changing the binary protocol itself.
Documentation
doc-completeDocument connecting through a proxy pulsar-site#408
If we accept this change, I'll follow up with a docs PR to make sure all documentation is up to date.
Matching PR in forked repository
PR in forked repository: michaeljmarshall#25