Technoboy-
commented
7 months ago @dhsy6z Could you help confirm if the below test match your reproduced steps? I can't reproduce it. you can put this method in org.apache.pulsar.client.api.MultiRolesTokenAuthorizationProviderTest. and then run it with green bar
@Test
public void testMultiRole() throws Exception {
String tenant = "tenant1";
@Cleanup
PulsarAdmin admin = newPulsarAdmin(superUserToken);
admin.tenants().createTenant(tenant, TenantInfo.builder()
.adminRoles(Sets.newHashSet("Group_Test-user"))
.allowedClusters(Sets.newHashSet(configClusterName)).build());
String namespace = tenant + "/namespace1";
admin.namespaces().createNamespace(namespace);
String topic = namespace + "/" + "test-topic";
admin.topics().createNonPartitionedTopicAsync(topic);
//
Map<String, Object> claims = new HashMap<>();
Set<String> roles = new HashSet<>();
roles.add("Group_Test-admin");
roles.add("Group_Test-user");
claims.put("roles", roles);
final String token = Jwts.builder()
.setClaims(claims)
.signWith(secretKey)
.compact();
@Cleanup
PulsarAdmin adminTest = newPulsarAdmin(token);
adminTest.namespaces().getTopics(namespace);
admin.topics().grantPermission(topic, "Group_Test-user", Sets.newHashSet(AuthAction.consume, AuthAction.produce));
}
Search before asking
Read release policy
Version
Running on a UBI 9 base image, java version: openjdk 17.0.10, pulsar version: 3.1.2, 3.2.0, and 3.2.1.
Minimal reproduce step
Enable a broker with multi-role authorization/JWT authentication.
Create token with multiple roles. Mine has these 2:
Set the second of those roles associated with the created token as an admin role of the tenant or namespace
Create a topic. I did it under the public/default namespace, but it doesn't matter.
Use the multi-role token (with the second as the only role with permission to access the tenant/namespace) to confirm that it has access:
Attempt to permit access to a role on that topic. Will fail with
{"reason":"Don't have permission to administrate resources on this tenant"}despite being able to successfully run other commands against that tenant/namespace:Switch admin role of tenant to first role in JWT:
Re-run access granting command:
Verify the access granting succeeded when the first role of the JWT has access:
What did you expect to see?
I expected that this operation should have succeeded when either of the roles in the JWT were permitted access to the tenant/namespace.
What did you see instead?
To be able to successfully perform the topic role permission granting action, the permitted role MUST be the first in the claim.
Anything else?
Like I said before, I have tried this on multiple supported versions and in many different clusters/use cases. I find that this issue is not only on the POST but also the GET and presumably the DELETE. I have spent quite a while trying to find any other endpoints that are afflicted by this same issue, but my testing has only yielded this one. Any help is appreciated.
Are you willing to submit a PR?