[GitHub] [pulsar] BewareMyPower commented on a diff in pull request #16201: [fix][broker] Fix passing incorrect authentication data

GitBox Mon, 27 Jun 2022 21:54:53 -0700


BewareMyPower commented on code in PR #16201:
URL: https://github.com/apache/pulsar/pull/16201#discussion_r908028138



##########
pulsar-broker/src/main/java/org/apache/pulsar/broker/service/ServerCnx.java:
##########
@@ -411,9 +412,13 @@ private CompletableFuture<Boolean> 
isTopicOperationAllowed(TopicName topicName,
     private CompletableFuture<Boolean> isTopicOperationAllowed(TopicName 
topicName, String subscriptionName,
                                                                TopicOperation 
operation) {
         if (service.isAuthorizationEnabled()) {
-            AuthenticationDataSource authData =
-                    new 
AuthenticationDataSubscription(getAuthenticationData(), subscriptionName);
-            return isTopicOperationAllowed(topicName, operation, authData);
+            AuthenticationDataSource authDataSource =
+                    new AuthenticationDataSubscription(authenticationData, 
subscriptionName);
+            AuthenticationDataSource originalAuthDataSource = null;
+            if (originalAuthData != null) {
+                originalAuthDataSource = new 
AuthenticationDataSubscription(originalAuthData, subscriptionName);
+            }
+            return isTopicOperationAllowed(topicName, operation, 
authDataSource, originalAuthDataSource);

Review Comment:
   I don't get why should it be so complicated? For the modified code,
   - if `originalAuthData` is not `null`, `originalAuthData` will be used to 
construct the `AuthenticationDataSubscription` object **as the 4th argument** 
that will be used in `isTopicOperationAllowed`.
   - Otherwise, the `authenticationData` will be used to construct the 
`AuthenticationDataSubscription` object (`authDataSource`) as the 3rd argument 
that will be used in `isTopicOperationAllowed`.
   
   I think it's equivalent to
   
   ```java
               return isTopicOperationAllowed(topicName, operation,
                       new 
AuthenticationDataSubscription(getAuthenticationData(), subscriptionName), 
null);
   ```
   - if `originalAuthData` is not `null`, `getAuthenticationData()` will return 
`originalAuthData` that will be used to  construct the 
`AuthenticationDataSubscription` object as **the 3rd argument** that will be 
used in `isTopicOperationAllowed`.
   - Otherwise, `getAuthenticationData()` will return `authenticationData` that 
will be used to construct the `AuthenticationDataSubscription` object 
(`authDataSource`) as the 3rd argument that will be used in 
`isTopicOperationAllowed`.
   
   After applying my change, 
`testVerifyOriginalPrincipalWithAuthDataForwardedFromProxy` will fail, but 
that's because you assume `allowTopicOperationAsync` will accept a non-null 4th 
argument.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscr...@pulsar.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org

[GitHub] [pulsar] BewareMyPower commented on a diff in pull request #16201: [fix][broker] Fix passing incorrect authentication data

Reply via email to