This is an automated email from the ASF dual-hosted git repository.
mmerli pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/pulsar.git
The following commit(s) were added to refs/heads/master by this push:
new c32b524 [Broker] Optimize authz checks in ServerCnx when authz is not
enabled (#12067)
c32b524 is described below
commit c32b52454ae5677bc61e15047d56ee3702b38300
Author: Michael Marshall <[email protected]>
AuthorDate: Thu Sep 16 20:04:21 2021 -0500
[Broker] Optimize authz checks in ServerCnx when authz is not enabled
(#12067)
---
.../apache/pulsar/broker/service/ServerCnx.java | 38 +++++++++-------------
1 file changed, 16 insertions(+), 22 deletions(-)
diff --git
a/pulsar-broker/src/main/java/org/apache/pulsar/broker/service/ServerCnx.java
b/pulsar-broker/src/main/java/org/apache/pulsar/broker/service/ServerCnx.java
index 8ce5f66..a7c96db 100644
---
a/pulsar-broker/src/main/java/org/apache/pulsar/broker/service/ServerCnx.java
+++
b/pulsar-broker/src/main/java/org/apache/pulsar/broker/service/ServerCnx.java
@@ -353,21 +353,18 @@ public class ServerCnx extends PulsarHandler implements
TransportCnx {
// ////
private CompletableFuture<Boolean> isTopicOperationAllowed(TopicName
topicName, TopicOperation operation) {
+ if (!service.isAuthorizationEnabled()) {
+ return CompletableFuture.completedFuture(true);
+ }
CompletableFuture<Boolean> isProxyAuthorizedFuture;
- CompletableFuture<Boolean> isAuthorizedFuture;
- if (service.isAuthorizationEnabled()) {
- if (originalPrincipal != null) {
- isProxyAuthorizedFuture =
service.getAuthorizationService().allowTopicOperationAsync(
- topicName, operation, originalPrincipal,
getAuthenticationData());
- } else {
- isProxyAuthorizedFuture =
CompletableFuture.completedFuture(true);
- }
- isAuthorizedFuture =
service.getAuthorizationService().allowTopicOperationAsync(
- topicName, operation, authRole, authenticationData);
+ if (originalPrincipal != null) {
+ isProxyAuthorizedFuture =
service.getAuthorizationService().allowTopicOperationAsync(
+ topicName, operation, originalPrincipal,
getAuthenticationData());
} else {
isProxyAuthorizedFuture = CompletableFuture.completedFuture(true);
- isAuthorizedFuture = CompletableFuture.completedFuture(true);
}
+ CompletableFuture<Boolean> isAuthorizedFuture =
service.getAuthorizationService().allowTopicOperationAsync(
+ topicName, operation, authRole, authenticationData);
return isProxyAuthorizedFuture.thenCombine(isAuthorizedFuture,
(isProxyAuthorized, isAuthorized) -> {
if (!isProxyAuthorized) {
log.warn("OriginalRole {} is not authorized to perform
operation {} on topic {}",
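Review bot: The two checks in isTopicOperationAllowed pair principals with credentials differently, and nothing in the hunk says why: the originalPrincipal call passes `getAuthenticationData()` while the authRole call passes the `authenticationData` field. The naming adds to the confusion, since `isProxyAuthorizedFuture` holds the result for originalPrincipal (the warn line calls it OriginalRole) and completes with true whenever originalPrincipal is null. I would add a comment above the `if (originalPrincipal != null)` line, for example `// originalPrincipal is the role forwarded by a proxy; when none was forwarded, only authRole is checked`. A second comment on the getter call should state which credentials it returns; presumably the forwarded client's, but that needs confirming against the getter. The same applies to isNamespaceOperationAllowed in the second hunk, and both method bodies continue past their hunks.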
@@ -1748,21 +1745,18 @@ public class ServerCnx extends PulsarHandler implements
TransportCnx {
private CompletableFuture<Boolean>
isNamespaceOperationAllowed(NamespaceName namespaceName,
NamespaceOperation operation) {
+ if (!service.isAuthorizationEnabled()) {
+ return CompletableFuture.completedFuture(true);
+ }
CompletableFuture<Boolean> isProxyAuthorizedFuture;
- CompletableFuture<Boolean> isAuthorizedFuture;
- if (service.isAuthorizationEnabled()) {
- if (originalPrincipal != null) {
- isProxyAuthorizedFuture =
service.getAuthorizationService().allowNamespaceOperationAsync(
- namespaceName, operation, originalPrincipal,
getAuthenticationData());
- } else {
- isProxyAuthorizedFuture =
CompletableFuture.completedFuture(true);
- }
- isAuthorizedFuture =
service.getAuthorizationService().allowNamespaceOperationAsync(
- namespaceName, operation, authRole, authenticationData);
+ if (originalPrincipal != null) {
+ isProxyAuthorizedFuture =
service.getAuthorizationService().allowNamespaceOperationAsync(
+ namespaceName, operation, originalPrincipal,
getAuthenticationData());
} else {
isProxyAuthorizedFuture = CompletableFuture.completedFuture(true);
- isAuthorizedFuture = CompletableFuture.completedFuture(true);
}
+ CompletableFuture<Boolean> isAuthorizedFuture =
service.getAuthorizationService().allowNamespaceOperationAsync(
+ namespaceName, operation, authRole, authenticationData);
return isProxyAuthorizedFuture.thenCombine(isAuthorizedFuture,
(isProxyAuthorized, isAuthorized) -> {
if (!isProxyAuthorized) {
log.warn("OriginalRole {} is not authorized to perform
operation {} on namespace {}",
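Review bot: After this change the visible part of isNamespaceOperationAllowed matches isTopicOperationAllowed line for line, apart from the AuthorizationService method called and the resource named in the log message. The disabled-authorization guard and the two-principal check therefore exist in two copies that can drift apart. Because this code makes the access decision for the connection, I would move the guard, the originalPrincipal branch and the `thenCombine` into one private helper (name to be chosen) that takes the per-principal check as a function. Each method would then pass only its own call, for example `(role, data) -> service.getAuthorizationService().allowNamespaceOperationAsync(namespaceName, operation, role, data)`. The lambda given to thenCombine continues outside the hunk, so its log messages would need the resource passed in as well.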