Yicong-Huang opened a new pull request, #5199: URL: https://github.com/apache/texera/pull/5199
### What changes were proposed in this PR?

Re-applies #5049 (Jersey `@RolesAllowed` enforcement on `config-service`, `computing-unit-managing-service`, and `workflow-compiling-service`) and additionally marks the two pre-login `ConfigResource` endpoints — `/api/config/gui` and `/api/config/user-system` — as `@PermitAll`. Those endpoints are loaded by `GuiConfigService.load()` in the Angular `APP_INITIALIZER` before any login, so once role enforcement is on they must keep returning `200` to unauthenticated callers; missing this was what broke bootstrap and got #5049 reverted in #5173. Everything outside `config-service` matches #5049 byte-for-byte.

### Any related issues, documentation, or discussions?

Closes: #4904

Prior attempt: #5049, reverted by #5173. The bootstrap root cause was diagnosed inline at https://github.com/apache/texera/pull/5049#issuecomment-4527214062.

### How was this PR tested?

Added `ConfigResourceAuthSpec`: wires `ConfigResource` through the same `JwtAuthFilter` + `RolesAllowedDynamicFeature` pipeline production uses (via Dropwizard's `ResourceExtension`) and fires HTTP requests with no `Authorization` header.

- `GET /config/gui` → expects `200`
- `GET /config/user-system` → expects `200`
- `GET /auth-probe` (an in-test `@RolesAllowed` resource) → expects `403`

The `403` sanity guard ensures the feature is actually enforcing, so a future "200 everywhere" regression cannot silently slip through.

Kept the three `*ServiceRunSpec` structural tests from #5049 verifying that `RolesAllowedDynamicFeature` is registered.

Manual reproduction with `curl` against a local dev server confirmed the unauthenticated bootstrap path returns `200` while a low-role JWT against an annotated endpoint returns `403`.

### Was this PR authored or co-authored using generative AI tooling?

Co-authored with Claude Opus 4.7 in compliance with ASF.

--
This is an automated message from the Apache Git Service.
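The three status codes the PR description expects follow from the order in which Jersey's `RolesAllowedDynamicFeature` resolves `@DenyAll`, `@RolesAllowed` and `@PermitAll`. The block below is an added example, not code from the PR or from Texera: a simplified Python model of that precedence, extended beyond the message to flag endpoints that stay open only because nothing annotates them. The role names, the class-level annotation and the `/config/unannotated-example` route are hypothetical.

```python
# Simplified model of the policy Jersey's RolesAllowedDynamicFeature attaches
# to each resource method. The route table and role names are constructed
# samples, not Texera's real configuration.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Endpoint:
    path: str
    method_ann: Optional[str] = None     # "DenyAll", "RolesAllowed" or "PermitAll"
    method_roles: tuple = ()             # roles named by a method-level @RolesAllowed
    class_roles: Optional[tuple] = None  # class-level @RolesAllowed, if present

def effective_policy(ep):
    """Return (policy, roles) following the feature's precedence order."""
    if ep.method_ann == "DenyAll":       # method @DenyAll beats everything
        return ("deny", ())
    if ep.method_ann == "RolesAllowed":  # method @RolesAllowed beats @PermitAll
        return ("roles", ep.method_roles)
    if ep.method_ann == "PermitAll":     # method @PermitAll beats class @RolesAllowed
        return ("open-explicit", ())
    if ep.class_roles is not None:       # fall back to the class annotation
        return ("roles", ep.class_roles)
    return ("open-implicit", ())         # nothing annotated: no filter is attached

def status_for(ep, caller_roles=None):
    """Status produced by the role check; caller_roles=None means no principal."""
    policy, roles = effective_policy(ep)
    if policy.startswith("open"):
        return 200
    if policy == "roles" and caller_roles is not None and set(roles) & set(caller_roles):
        return 200
    return 403  # unauthenticated and under-privileged callers are both rejected

def implicitly_open(endpoints):
    """Paths reachable without auth that carry no explicit @PermitAll."""
    return [ep.path for ep in endpoints if effective_policy(ep)[0] == "open-implicit"]

ROUTES = [
    Endpoint("/config/gui", "PermitAll", class_roles=("ROLE_A",)),
    Endpoint("/config/user-system", "PermitAll", class_roles=("ROLE_A",)),
    Endpoint("/auth-probe", "RolesAllowed", ("ROLE_A",)),
    Endpoint("/config/unannotated-example"),  # hypothetical route with no annotation
]

if __name__ == "__main__":
    for ep in ROUTES:
        print(ep.path, effective_policy(ep)[0], status_for(ep))
    print("implicitly open:", implicitly_open(ROUTES))
```

An endpoint reported as implicitly open returns `200` to anonymous callers just like a `@PermitAll` one, which is why a test that only checks the bootstrap endpoints cannot tell enforcement from its absence without a `403` probe.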
