This is an automated email from the ASF dual-hosted git repository.

sanjeevrk pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/pulsar.git


The following commit(s) were added to refs/heads/master by this push:
     new 77dccd2  Differentiate authorization between source/sink/function 
operations (#7466)
77dccd2 is described below

commit 77dccd2824699c9be96f518a8a1079df51612c8e
Author: Sanjeev Kulkarni <sanjee...@gmail.com>
AuthorDate: Tue Jul 7 15:43:57 2020 -0700

    Differentiate authorization between source/sink/function operations (#7466)
    
    * Differentiate between source/sink/function operations
    
    * Added release notes
    
    Co-authored-by: Sanjeev Kulkarni <sanje...@splunk.com>
---
 .../broker/authorization/AuthorizationProvider.java  | 20 ++++++++++++++++++++
 .../broker/authorization/AuthorizationService.java   | 10 ++++++++++
 .../authorization/PulsarAuthorizationProvider.java   | 20 ++++++++++++++++++--
 .../api/AuthorizationProducerConsumerTest.java       | 10 ++++++++++
 .../pulsar/common/policies/data/AuthAction.java      |  6 ++++++
 .../functions/worker/rest/api/ComponentImpl.java     | 14 ++++++++++++--
 site2/website/release-notes.md                       |  6 ++++++
 7 files changed, 82 insertions(+), 4 deletions(-)

diff --git 
a/pulsar-broker-common/src/main/java/org/apache/pulsar/broker/authorization/AuthorizationProvider.java
 
b/pulsar-broker-common/src/main/java/org/apache/pulsar/broker/authorization/AuthorizationProvider.java
index 4eb5d93..63ca4cd 100644
--- 
a/pulsar-broker-common/src/main/java/org/apache/pulsar/broker/authorization/AuthorizationProvider.java
+++ 
b/pulsar-broker-common/src/main/java/org/apache/pulsar/broker/authorization/AuthorizationProvider.java
@@ -142,6 +142,26 @@ public interface AuthorizationProvider extends Closeable {
                                                      AuthenticationDataSource 
authenticationData);
 
     /**
+     * Allow all source operations with in this namespace
+     * @param namespaceName The namespace that the sources operations can be 
executed in
+     * @param role The role to check
+     * @param authenticationData authentication data related to the role
+     * @return a boolean to determine whether authorized or not
+     */
+    CompletableFuture<Boolean> allowSourceOpsAsync(NamespaceName 
namespaceName, String role,
+                                                   AuthenticationDataSource 
authenticationData);
+
+    /**
+     * Allow all sink operations with in this namespace
+     * @param namespaceName The namespace that the sink operations can be 
executed in
+     * @param role The role to check
+     * @param authenticationData authentication data related to the role
+     * @return a boolean to determine whether authorized or not
+     */
+    CompletableFuture<Boolean> allowSinkOpsAsync(NamespaceName namespaceName, 
String role,
+                                                 AuthenticationDataSource 
authenticationData);
+
+    /**
      *
      * Grant authorization-action permission on a namespace to the given client
      *
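Review bot: Declaring `allowSourceOpsAsync` and `allowSinkOpsAsync` as abstract methods on this interface breaks every out-of-tree `AuthorizationProvider`: such a provider no longer compiles, and an already-built plugin would presumably fail with `AbstractMethodError` on the first source or sink request. Consider giving both a `default` body. Either keep the previous behaviour with `return allowFunctionOpsAsync(namespaceName, role, authenticationData);`, or fail closed with `return CompletableFuture.completedFuture(false);`, and state in the Javadoc which one was chosen. The Javadoc should also say that the future completes with `false` for a denied role, and "with in" should read "within".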
diff --git 
a/pulsar-broker-common/src/main/java/org/apache/pulsar/broker/authorization/AuthorizationService.java
 
b/pulsar-broker-common/src/main/java/org/apache/pulsar/broker/authorization/AuthorizationService.java
index 10b35ef..e964faa 100644
--- 
a/pulsar-broker-common/src/main/java/org/apache/pulsar/broker/authorization/AuthorizationService.java
+++ 
b/pulsar-broker-common/src/main/java/org/apache/pulsar/broker/authorization/AuthorizationService.java
@@ -331,6 +331,16 @@ public class AuthorizationService {
         return provider.allowFunctionOpsAsync(namespaceName, role, 
authenticationData);
     }
 
+    public CompletableFuture<Boolean> allowSourceOpsAsync(NamespaceName 
namespaceName, String role,
+                                                          
AuthenticationDataSource authenticationData) {
+        return provider.allowSourceOpsAsync(namespaceName, role, 
authenticationData);
+    }
+
+    public CompletableFuture<Boolean> allowSinkOpsAsync(NamespaceName 
namespaceName, String role,
+                                                        
AuthenticationDataSource authenticationData) {
+        return provider.allowSinkOpsAsync(namespaceName, role, 
authenticationData);
+    }
+
     /**
      * Grant authorization-action permission on a tenant to the given client
      *
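Review bot: The two new public methods, `allowSourceOpsAsync` and `allowSinkOpsAsync`, have no Javadoc, while the grant method directly below them does. A short comment on each would be enough, for example `/** Checks whether the role may run source operations in the namespace; the decision is delegated unchanged to the configured provider. */` and the same wording for sinks. That makes it explicit to callers that this layer adds no check of its own.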
diff --git 
a/pulsar-broker-common/src/main/java/org/apache/pulsar/broker/authorization/PulsarAuthorizationProvider.java
 
b/pulsar-broker-common/src/main/java/org/apache/pulsar/broker/authorization/PulsarAuthorizationProvider.java
index 1aa79bf..a394311 100644
--- 
a/pulsar-broker-common/src/main/java/org/apache/pulsar/broker/authorization/PulsarAuthorizationProvider.java
+++ 
b/pulsar-broker-common/src/main/java/org/apache/pulsar/broker/authorization/PulsarAuthorizationProvider.java
@@ -221,6 +221,22 @@ public class PulsarAuthorizationProvider implements 
AuthorizationProvider {
 
     @Override
     public CompletableFuture<Boolean> allowFunctionOpsAsync(NamespaceName 
namespaceName, String role, AuthenticationDataSource authenticationData) {
+        return allowFunctionSourceSinkOpsAsync(namespaceName, role, 
authenticationData, AuthAction.functions);
+    }
+
+    @Override
+    public CompletableFuture<Boolean> allowSourceOpsAsync(NamespaceName 
namespaceName, String role, AuthenticationDataSource authenticationData) {
+        return allowFunctionSourceSinkOpsAsync(namespaceName, role, 
authenticationData, AuthAction.sources);
+    }
+
+    @Override
+    public CompletableFuture<Boolean> allowSinkOpsAsync(NamespaceName 
namespaceName, String role, AuthenticationDataSource authenticationData) {
+        return allowFunctionSourceSinkOpsAsync(namespaceName, role, 
authenticationData, AuthAction.sinks);
+    }
+
+    private CompletableFuture<Boolean> 
allowFunctionSourceSinkOpsAsync(NamespaceName namespaceName, String role,
+                                                                       
AuthenticationDataSource authenticationData,
+                                                                       
AuthAction authAction) {
         CompletableFuture<Boolean> permissionFuture = new 
CompletableFuture<>();
         try {
             configCache.policiesCache().getAsync(POLICY_ROOT + 
namespaceName.toString()).thenAccept(policies -> {
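Review bot: The new private helper `allowFunctionSourceSinkOpsAsync` accepts any `AuthAction` and has no comment saying which values it is meant for. I would add `/** Checks whether {@code role} holds {@code authAction} (functions, sources or sinks) on the namespace, either directly or through a wildcard match when that is enabled. */` above it. The two later hunks in this file only substitute `authAction` for `AuthAction.functions`, so this comment covers them as well. The helper's body continues outside this hunk, so the failure paths are not reviewed here.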
@@ -231,7 +247,7 @@ public class PulsarAuthorizationProvider implements 
AuthorizationProvider {
                 } else {
                     Map<String, Set<AuthAction>> namespaceRoles = 
policies.get().auth_policies.namespace_auth;
                     Set<AuthAction> namespaceActions = 
namespaceRoles.get(role);
-                    if (namespaceActions != null && 
namespaceActions.contains(AuthAction.functions)) {
+                    if (namespaceActions != null && 
namespaceActions.contains(authAction)) {
                         // The role has namespace level permission
                         permissionFuture.complete(true);
                         return;
@@ -239,7 +255,7 @@ public class PulsarAuthorizationProvider implements 
AuthorizationProvider {
 
                     // Using wildcard
                     if (conf.isAuthorizationAllowWildcardsMatching()) {
-                        if (checkWildcardPermission(role, 
AuthAction.functions, namespaceRoles)) {
+                        if (checkWildcardPermission(role, authAction, 
namespaceRoles)) {
                             // The role has namespace level permission by 
wildcard match
                             permissionFuture.complete(true);
                             return;
diff --git 
a/pulsar-broker/src/test/java/org/apache/pulsar/client/api/AuthorizationProducerConsumerTest.java
 
b/pulsar-broker/src/test/java/org/apache/pulsar/client/api/AuthorizationProducerConsumerTest.java
index ddeed96..180142c 100644
--- 
a/pulsar-broker/src/test/java/org/apache/pulsar/client/api/AuthorizationProducerConsumerTest.java
+++ 
b/pulsar-broker/src/test/java/org/apache/pulsar/client/api/AuthorizationProducerConsumerTest.java
@@ -470,6 +470,16 @@ public class AuthorizationProducerConsumerTest extends 
ProducerConsumerBase {
         }
 
         @Override
+        public CompletableFuture<Boolean> allowSourceOpsAsync(NamespaceName 
namespaceName, String role, AuthenticationDataSource authenticationData) {
+            return null;
+        }
+
+        @Override
+        public CompletableFuture<Boolean> allowSinkOpsAsync(NamespaceName 
namespaceName, String role, AuthenticationDataSource authenticationData) {
+            return null;
+        }
+
+        @Override
         public CompletableFuture<Void> grantPermissionAsync(NamespaceName 
namespace, Set<AuthAction> actions,
                 String role, String authenticationData) {
             return CompletableFuture.completedFuture(null);
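Review bot: Both new overrides in this test provider return `null` from a method typed `CompletableFuture<Boolean>`, so any code path that reaches them fails with a `NullPointerException` instead of producing an authorization decision. Return a completed future as the neighbouring `grantPermissionAsync` stub does, e.g. `return CompletableFuture.completedFuture(true);`, with the value chosen to match the stub's other allow* methods. Separately, nothing in this commit tests the new behaviour. A case asserting that a role granted only `AuthAction.functions` is denied source and sink operations, and allowed once `sources` or `sinks` is granted, would pin the security-relevant part of the change.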
diff --git 
a/pulsar-common/src/main/java/org/apache/pulsar/common/policies/data/AuthAction.java
 
b/pulsar-common/src/main/java/org/apache/pulsar/common/policies/data/AuthAction.java
index 6f70e96..646ca03 100644
--- 
a/pulsar-common/src/main/java/org/apache/pulsar/common/policies/data/AuthAction.java
+++ 
b/pulsar-common/src/main/java/org/apache/pulsar/common/policies/data/AuthAction.java
@@ -30,4 +30,10 @@ public enum AuthAction {
 
     /** Permissions for functions ops. **/
     functions,
+
+    /** Permissions for sources ops. **/
+    sources,
+
+    /** Permissions for sinks ops. **/
+    sinks,
 }
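Review bot: The new `sources` and `sinks` constants end up in the stored namespace policies, since `namespace_auth` is a `Map<String, Set<AuthAction>>` read from the policies cache. A broker or admin client built before this commit would presumably fail to parse a policy containing them. If that holds, the upgrade notes should say to grant the new actions only after all brokers are upgraded. The doc comments could also name what each action gates, e.g. `/** Permission to create, update, delete and query IO sources in the namespace. **/`, with the operation list confirmed against the REST layer.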
diff --git 
a/pulsar-functions/worker/src/main/java/org/apache/pulsar/functions/worker/rest/api/ComponentImpl.java
 
b/pulsar-functions/worker/src/main/java/org/apache/pulsar/functions/worker/rest/api/ComponentImpl.java
index 2e31f73..11c7b20 100644
--- 
a/pulsar-functions/worker/src/main/java/org/apache/pulsar/functions/worker/rest/api/ComponentImpl.java
+++ 
b/pulsar-functions/worker/src/main/java/org/apache/pulsar/functions/worker/rest/api/ComponentImpl.java
@@ -1518,8 +1518,18 @@ public abstract class ComponentImpl {
     public boolean allowFunctionOps(NamespaceName namespaceName, String role,
                                     AuthenticationDataSource 
authenticationData) {
         try {
-            return worker().getAuthorizationService().allowFunctionOpsAsync(
-                    namespaceName, role, 
authenticationData).get(worker().getWorkerConfig().getZooKeeperOperationTimeoutSeconds(),
 SECONDS);
+            switch (componentType) {
+                case SINK:
+                    return 
worker().getAuthorizationService().allowSinkOpsAsync(
+                            namespaceName, role, 
authenticationData).get(worker().getWorkerConfig().getZooKeeperOperationTimeoutSeconds(),
 SECONDS);
+                case SOURCE:
+                    return 
worker().getAuthorizationService().allowSourceOpsAsync(
+                            namespaceName, role, 
authenticationData).get(worker().getWorkerConfig().getZooKeeperOperationTimeoutSeconds(),
 SECONDS);
+                case FUNCTION:
+                default:
+                    return 
worker().getAuthorizationService().allowFunctionOpsAsync(
+                            namespaceName, role, 
authenticationData).get(worker().getWorkerConfig().getZooKeeperOperationTimeoutSeconds(),
 SECONDS);
+            }
         } catch (InterruptedException e) {
             log.warn("Time-out {} sec while checking function authorization on 
{} ", worker().getWorkerConfig().getZooKeeperOperationTimeoutSeconds(), 
namespaceName);
             throw new RestException(Status.INTERNAL_SERVER_ERROR, 
e.getMessage());
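Review bot: In the new `switch`, `default:` shares the `FUNCTION` branch, so any component type added later would silently be authorized against the functions permission. An authorization dispatch should deny or throw for a value it does not recognise. The three branches also repeat the same `.get(timeout, SECONDS)` call; selecting the future in the switch and waiting once keeps the timeout handling in one place. The method is still named `allowFunctionOps` and the warning below still says "function authorization", although it now also decides source and sink access. The method's catch blocks continue outside this hunk.

```java
        try {
            final CompletableFuture<Boolean> allowed;
            switch (componentType) {
                case SINK:
                    allowed = worker().getAuthorizationService().allowSinkOpsAsync(
                            namespaceName, role, authenticationData);
                    break;
                case SOURCE:
                    allowed = worker().getAuthorizationService().allowSourceOpsAsync(
                            namespaceName, role, authenticationData);
                    break;
                case FUNCTION:
                    allowed = worker().getAuthorizationService().allowFunctionOpsAsync(
                            namespaceName, role, authenticationData);
                    break;
                default:
                    // Unknown component type: deny instead of falling back to the functions permission.
                    return false;
            }
            return allowed.get(worker().getWorkerConfig().getZooKeeperOperationTimeoutSeconds(), SECONDS);
        // … unchanged: catch blocks …
```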
diff --git a/site2/website/release-notes.md b/site2/website/release-notes.md
index 2476a67..5bb0d49 100644
--- a/site2/website/release-notes.md
+++ b/site2/website/release-notes.md
@@ -1,6 +1,12 @@
 
 ## Apache Pulsar Release Notes
 
+### 2.7.0 &mdash; Not Yet Released <a id=“2.7.0”></a>
+
+##### Upgrade notes
+
+* [IO] If Function Authorization is enabled, users have to be given the 
source/sink entitlement to run them. See 
https://github.com/apache/pulsar/pull/7466
+
 ### 2.6.0 &mdash; 2020-06-17 <a id=“2.6.0”></a>
 
 #### Features
