Ma77Ball opened a new pull request, #5049:
URL: https://github.com/apache/texera/pull/5049

### What changes were proposed in this PR?

`@RolesAllowed` annotations on `config-service`, `computing-unit-managing-service`, and `workflow-compiling-service` resources were decorative because none of these services registered Jersey's `RolesAllowedDynamicFeature`. This PR registers that feature in each service's `run(...)`. For `workflow-compiling-service`, which was not registering JWT auth at all, this PR also registers `AuthDynamicFeature(JwtAuthFilter)` and the `SessionUser` `AuthValueFactoryProvider.Binder`, and adds `Auth` as an sbt dependency for the module. `access-control-service` and `file-service` use no `@RolesAllowed` today and were intentionally left alone to keep the change minimal.

### Any related issues, documentation, or discussions?

Closes: #4904

### How was this PR tested?

Added `ConfigServiceRunSpec` (mirrors `AccessControlServiceRunSpec`) that mocks the Jersey environment and verifies `RolesAllowedDynamicFeature` is registered when `ConfigService.run` runs. The same one-line registration applies to the other two services; tests there would require either refactoring `SqlServer.initConnection` out of `run` or static-mocking the Scala `SqlServer` object, both larger than the fix itself, so they are out of scope. Manual verification via the reproduction in the issue (low-role JWT against an annotated endpoint should now return 403; unauthenticated request to `WorkflowCompilationResource` should now return 401).

### Was this PR authored or co-authored using generative AI tooling?

Co-authored with Claude Opus 4.7 in compliance with ASF
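
A static check for the gap this PR describes, as an added example that is not part of the PR or of Texera's code: it flags service modules whose sources use `@RolesAllowed` but contain no `register(...)` call for `RolesAllowedDynamicFeature` or `AuthDynamicFeature`. The `audit` and `load_modules` names, the one-directory-per-module layout and the sample sources are assumptions constructed for illustration.

```python
import re
from pathlib import Path

ANNOTATION = re.compile(r"@RolesAllowed\b")
ROLES_FEATURE = re.compile(r"register\([^)]*\bRolesAllowedDynamicFeature\b")
AUTH_FEATURE = re.compile(r"register\([^)]*\bAuthDynamicFeature\b")
COMMENTS = re.compile(r"/\*.*?\*/|//[^\n]*", re.S)

def audit(modules):
    """modules: {module: {path: source}} -> {module: [missing registration, ...]}."""
    findings = {}
    for name, files in modules.items():
        # Drop comments so a commented-out register(...) call does not count.
        code = [COMMENTS.sub("", src) for src in files.values()]
        if not any(ANNOTATION.search(src) for src in code):
            continue  # module has no @RolesAllowed, nothing to enforce
        merged = "\n".join(code)
        missing = [label for label, rx in (("RolesAllowedDynamicFeature", ROLES_FEATURE),
                                           ("AuthDynamicFeature", AUTH_FEATURE))
                   if not rx.search(merged)]
        if missing:
            findings[name] = missing
    return findings

def load_modules(root):
    """Assumed layout: each top-level directory under root is one service module."""
    return {d.name: {str(p): p.read_text(errors="ignore")
                     for p in d.rglob("*") if p.suffix in (".scala", ".java")}
            for d in Path(root).iterdir() if d.is_dir()}

# Constructed sample sources (not Texera's real files), shaped like the PR's cases.
RESOURCE = '@RolesAllowed(Array("ADMIN"))\nclass ExampleResource'
SAMPLE = {
    "config-service": {"R.scala": RESOURCE,
        "S.scala": "environment.jersey.register(new AuthDynamicFeature(jwtFilter))"},
    "workflow-compiling-service": {"R.scala": RESOURCE,
        "S.scala": "// environment.jersey.register(classOf[RolesAllowedDynamicFeature])"},
    "fixed-service": {"R.scala": RESOURCE,
        "S.scala": "environment.jersey.register(new AuthDynamicFeature(jwtFilter))\n"
                   "environment.jersey.register(classOf[RolesAllowedDynamicFeature])"},
    "file-service": {"S.scala": "environment.jersey.register(new AuthDynamicFeature(jwtFilter))"},
}

if __name__ == "__main__":
    for module, missing in audit(SAMPLE).items():
        print(f"{module}: @RolesAllowed used but not registered: {', '.join(missing)}")
```

The match is textual, so a registration made through a shared helper or base class outside the module would be reported as missing and needs a manual look.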

