This is an automated email from the ASF dual-hosted git repository. sanjeevrk pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/pulsar.git
The following commit(s) were added to refs/heads/master by this push:
new eda3526 Ensure that admin operations are gated by super user check (#7226)
eda3526 is described below
commit eda3526b335d58e7aa7ba4bb81d44ea03a2922a7
Author: Sanjeev Kulkarni <sanjee...@gmail.com>
AuthorDate: Thu Jun 11 16:43:35 2020 -0700
Ensure that admin operations are gated by super user check (#7226)
* Ensure that admin operations are gated by super user check
* keep /clusters open
Co-authored-by: Sanjeev Kulkarni <sanje...@splunk.com>
---
.../java/org/apache/pulsar/broker/admin/impl/BrokersBase.java | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/pulsar-broker/src/main/java/org/apache/pulsar/broker/admin/impl/BrokersBase.java b/pulsar-broker/src/main/java/org/apache/pulsar/broker/admin/impl/BrokersBase.java
index 072e91c..57c88ab 100644
--- a/pulsar-broker/src/main/java/org/apache/pulsar/broker/admin/impl/BrokersBase.java
+++ b/pulsar-broker/src/main/java/org/apache/pulsar/broker/admin/impl/BrokersBase.java
@@ -153,9 +153,12 @@ public class BrokersBase extends AdminResource {
 @Path("/configuration/values")
 @ApiOperation(value = "Get value of all dynamic configurations' value overridden on local config")
 @ApiResponses(value = {
+ @ApiResponse(code = 403, message = "You don't have admin permission to view configuration"),
 @ApiResponse(code = 404, message = "Configuration not found"),
 @ApiResponse(code = 500, message = "Internal server error")})
 public Map<String, String> getAllDynamicConfigurations() throws Exception {
+ validateSuperUserAccess();
+
 ZooKeeperDataCache<Map<String, String>> dynamicConfigurationCache = pulsar().getBrokerService()
 .getDynamicConfigurationCache();
 Map<String, String> configurationMap = null;
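Review bot: The new gate in getAllDynamicConfigurations has no accompanying test; the diffstat shows only BrokersBase.java changing, so nothing in this commit asserts that a non-super-user principal now receives the documented 403 on `/configuration/values`, `/configuration` and `/internal-configuration`. A broker admin test that calls each of the three endpoints with a non-super-user role and expects a 403 would pin the behavior against a later regression. The check is placed before the dynamic configuration cache is read, so no configuration data is touched for an unauthorized caller, which is the right order. Because the method is declared `throws Exception`, whatever `validateSuperUserAccess()` raises presumably propagates to the 403 mapping the annotation documents; that cannot be confirmed from this hunk alone.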
@@ -175,7 +178,10 @@ public class BrokersBase extends AdminResource {
 @GET
 @Path("/configuration")
 @ApiOperation(value = "Get all updatable dynamic configurations's name")
+ @ApiResponses(value = {
+ @ApiResponse(code = 403, message = "You don't have admin permission to get configuration")})
 public List<String> getDynamicConfigurationName() {
+ validateSuperUserAccess();
 return BrokerService.getDynamicConfiguration();
 }
@@ -240,7 +246,9 @@ public class BrokersBase extends AdminResource {
 @GET
 @Path("/internal-configuration")
 @ApiOperation(value = "Get the internal configuration data", response = InternalConfigurationData.class)
+ @ApiResponses(value = { @ApiResponse(code = 403, message = "Don't have admin permission") })
 public InternalConfigurationData getInternalConfigurationData() {
+ validateSuperUserAccess();
 return pulsar().getInternalConfigurationData();
 }
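Review bot: The 403 message added on getInternalConfigurationData, `Don't have admin permission`, is worded differently from the other two gates in this commit (`You don't have admin permission to view configuration` on getAllDynamicConfigurations and `You don't have admin permission to get configuration` on getDynamicConfigurationName), and the annotation is written on a single line where the one on getDynamicConfigurationName is split over two. These strings surface in the generated REST documentation, so aligning the wording and layout reads better: `@ApiResponses(value = {` / `@ApiResponse(code = 403, message = "You don't have admin permission to get internal configuration")})`. The internal configuration payload is the more sensitive of the three responses, so it is worth the same explicit phrasing as the others.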