[FEATURE] Add authorization to handle topic metadata request #662
My review is completed, PTAL. The main problem is that we should not authorize the I also add the
Thanks for review, I will update docs later.
…ative#662)

Add authorization to handleTopicMetadataRequest (streamnative#236). Fix streamnative#415 and streamnative#571

## Motivation

When a client fetches metadata, topic permission needs to be checked, so we need to add authorization in handleTopicMetadataRequest, and not perform role verification in authentication.

## Modifications

Add a common method in `KafkaRequestHandler#authorize`; this method uses `authorizer` for authorization. Modify the authentication behavior: do not verify the role during authentication; verify the role in fetch metadata (streamnative#571).
This implementation is probably wrong. I am working on the KOP Proxy and this is the test that fails using the Proxy In the test we grant AuthAction.consume, AuthAction.produce and the topic is "visible" using When you use the KOP proxy we use I have filed this issue on Pulsar we have to have a consistent behaviour in KOP
@eolivelli You're right, the behaviour is not consistent. Current Pulsar doesn't support topic-level permissions for listTopics. IMO, if we have the topic permissions, we should be able to list the topic?
#236 Add authorization to handleTopicMetadataRequest.
Fix #415 and #571
Motivation
When a client fetches metadata, topic permission needs to be checked, so we need to add authorization in handleTopicMetadataRequest, and not perform role verification in authentication.
Modifications
Add a common method in `KafkaRequestHandler#authorize`; this method uses `authorizer` for authorization. Modify the authentication behavior: do not verify the role during authentication; verify the role in fetch metadata (#571).
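
An added sketch, not code from this PR or from KoP: one way a metadata handler can run a per-topic authorization check after authentication has already established the principal. The `Authorizer` interface, `canLookup`, `authorizeMetadata` and the sample grants are hypothetical; the `TOPIC_AUTHORIZATION_FAILED` result for explicitly named topics and the silent omission for "all topics" requests follow Apache Kafka's metadata handling and are an assumption about the behaviour to mirror.

```java
import java.util.*;
import java.util.concurrent.CompletableFuture;

public class MetadataAuthzExample {
    // Hypothetical asynchronous authorizer; not KoP's actual interface.
    interface Authorizer {
        CompletableFuture<Boolean> canLookup(String principal, String topic);
    }

    enum Result { NONE, TOPIC_AUTHORIZATION_FAILED }

    // Authorize every topic for the already-authenticated principal.
    // Named topics that are denied are reported as errors; for an
    // "all topics" request they are dropped so their names do not leak.
    static CompletableFuture<Map<String, Result>> authorizeMetadata(
            Authorizer authorizer, String principal, List<String> topics, boolean allTopics) {
        Map<String, CompletableFuture<Boolean>> checks = new LinkedHashMap<>();
        for (String topic : topics) {
            // Fail closed: an authorizer error counts as a denial.
            checks.put(topic, authorizer.canLookup(principal, topic).exceptionally(e -> false));
        }
        return CompletableFuture.allOf(checks.values().toArray(new CompletableFuture[0]))
            .thenApply(ignored -> {
                Map<String, Result> out = new LinkedHashMap<>();
                checks.forEach((topic, allowed) -> {
                    if (allowed.join()) {
                        out.put(topic, Result.NONE);
                    } else if (!allTopics) {
                        out.put(topic, Result.TOPIC_AUTHORIZATION_FAILED);
                    }
                });
                return out;
            });
    }

    public static void main(String[] args) {
        // Constructed sample grants: role -> topics it may look up.
        Map<String, Set<String>> grants =
            Map.of("alice", Set.of("persistent://public/default/orders"));
        Authorizer authz = (principal, topic) -> CompletableFuture.completedFuture(
            grants.getOrDefault(principal, Set.of()).contains(topic));
        List<String> topics = List.of(
            "persistent://public/default/orders", "persistent://public/default/payroll");
        System.out.println(authorizeMetadata(authz, "alice", topics, false).join());
        System.out.println(authorizeMetadata(authz, "alice", topics, true).join());
    }
}
```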