thetumbled · thetumbled · Apr 25, 2024 · Apr 25, 2024 · Apr 26, 2024 · Apr 26, 2024
diff --git a/...mon/src/main/java/org/apache/pulsar/broker/authorization/PulsarAuthorizationProvider.java b/...mon/src/main/java/org/apache/pulsar/broker/authorization/PulsarAuthorizationProvider.java
@@ -111,11 +111,10 @@ public CompletableFuture<Boolean> canConsumeAsync(TopicName topicName, String ro
                         }
                     } else {
                         if (isNotBlank(subscription)) {
-                            // validate if role is authorized to access subscription. (skip validation if authorization
-                            // list is empty)
+                            // validate if role is authorized to access subscription.
                             Set<String> roles = policies.get().auth_policies
                                     .getSubscriptionAuthentication().get(subscription);
-                            if (roles != null && !roles.isEmpty() && !roles.contains(role)) {
+                            if (roles == null || roles.isEmpty() || !roles.contains(role)) {
                                 log.warn("[{}] is not authorized to subscribe on {}-{}", role, topicName, subscription);
                                 return CompletableFuture.completedFuture(false);
                             }

diff --git a/pulsar-broker/src/test/java/org/apache/pulsar/broker/admin/TopicAuthZTest.java b/pulsar-broker/src/test/java/org/apache/pulsar/broker/admin/TopicAuthZTest.java
@@ -298,6 +298,7 @@ public void testGetPartitionedStatsAndInternalStats() {
     @SneakyThrows
     public void testCreateSubscriptionAndUpdateSubscriptionPropertiesAndAnalyzeSubscriptionBacklog() {
         final String random = UUID.randomUUID().toString();
+        final String namespace = "public/default";
         final String topic = "persistent://public/default/" + random;
         final String subject =  UUID.randomUUID().toString();
         final String token = Jwts.builder()
@@ -322,7 +323,9 @@ public void testCreateSubscriptionAndUpdateSubscriptionPropertiesAndAnalyzeSubsc
         for (AuthAction action : AuthAction.values()) {
             superUserAdmin.topics().grantPermission(topic, subject, Set.of(action));
             if (action == AuthAction.consume) {
-                subAdmin.topics().createSubscription(topic, "test-sub" + suffix.incrementAndGet(), MessageId.earliest);
+                String subscriptionName = "test-sub" + suffix.incrementAndGet();
+                superUserAdmin.namespaces().grantPermissionOnSubscription(namespace, subscriptionName, Sets.newHashSet(subject));
+                subAdmin.topics().createSubscription(topic, subscriptionName, MessageId.earliest);
             } else {
                 Assert.assertThrows(PulsarAdminException.NotAuthorizedException.class,
                         () -> subAdmin.topics().createSubscription(topic, "test-sub" + suffix.incrementAndGet(), MessageId.earliest));
@@ -361,8 +364,10 @@ public void testCreateSubscriptionAndUpdateSubscriptionPropertiesAndAnalyzeSubsc
         for (AuthAction action : AuthAction.values()) {
             superUserAdmin.topics().grantPermission(topic, subject, Set.of(action));
             if (action == AuthAction.consume) {
-                subAdmin.topics().updateSubscriptionProperties(topic, "test-sub", properties);
-                subAdmin.topics().getSubscriptionProperties(topic, "test-sub");
+                String subscriptionName = "test-sub";
+                superUserAdmin.namespaces().grantPermissionOnSubscription(namespace, subscriptionName, Sets.newHashSet(subject));
+                subAdmin.topics().updateSubscriptionProperties(topic, subscriptionName, properties);
+                subAdmin.topics().getSubscriptionProperties(topic, subscriptionName);
                 subAdmin.topics().analyzeSubscriptionBacklog(TopicName.get(topic).getPartition(0).getLocalName(), "test-sub", Optional.empty());
             } else {
                 Assert.assertThrows(PulsarAdminException.NotAuthorizedException.class,
@@ -706,6 +711,7 @@ public void testGetInternalStats(boolean partitioned) {
     @SneakyThrows
     public void testDeleteSubscription(boolean partitioned) {
         final String random = UUID.randomUUID().toString();
+        final String namespace = "public/default";
         final String topic = "persistent://public/default/" + random;
         final String subject =  UUID.randomUUID().toString();
         final String token = Jwts.builder()
@@ -734,6 +740,8 @@ public void testDeleteSubscription(boolean partitioned) {
         for (AuthAction action : AuthAction.values()) {
             superUserAdmin.topics().grantPermission(topic, subject, Set.of(action));
             if (AuthAction.consume == action) {
+                String subscriptionName = "test-sub";
+                superUserAdmin.namespaces().grantPermissionOnSubscription(namespace, subscriptionName, Sets.newHashSet(subject));
                 subAdmin.topics().deleteSubscription(topic, "test-sub");
             } else {
                 Assert.assertThrows(PulsarAdminException.NotAuthorizedException.class,
@@ -748,6 +756,7 @@ public void testDeleteSubscription(boolean partitioned) {
     @SneakyThrows
     public void testSkipAllMessage(boolean partitioned) {
         final String random = UUID.randomUUID().toString();
+        final String namespace = "public/default";
         final String topic = "persistent://public/default/" + random;
         final String subject =  UUID.randomUUID().toString();
         final String token = Jwts.builder()
@@ -773,6 +782,7 @@ public void testSkipAllMessage(boolean partitioned) {
         for (AuthAction action : AuthAction.values()) {
             superUserAdmin.topics().grantPermission(topic, subject, Set.of(action));
             if (AuthAction.consume == action) {
+                superUserAdmin.namespaces().grantPermissionOnSubscription(namespace, subName, Sets.newHashSet(subject));
                 subAdmin.topics().skipAllMessages(topic,subName);
             } else {
                 Assert.assertThrows(PulsarAdminException.NotAuthorizedException.class,
@@ -787,6 +797,7 @@ public void testSkipAllMessage(boolean partitioned) {
     @SneakyThrows
     public void testSkipMessage() {
         final String random = UUID.randomUUID().toString();
+        final String namespace = "public/default";
         final String topic = "persistent://public/default/" + random;
         final String subject =  UUID.randomUUID().toString();
         final String token = Jwts.builder()
@@ -811,6 +822,7 @@ public void testSkipMessage() {
         for (AuthAction action : AuthAction.values()) {
             superUserAdmin.topics().grantPermission(topic, subject, Set.of(action));
             if (AuthAction.consume == action) {
+                superUserAdmin.namespaces().grantPermissionOnSubscription(namespace, subName, Sets.newHashSet(subject));
                 subAdmin.topics().skipMessages(topic, subName, 1);
             } else {
                 Assert.assertThrows(PulsarAdminException.NotAuthorizedException.class,
@@ -861,6 +873,7 @@ public void testExpireMessagesForAllSubscriptions(boolean partitioned) {
     @SneakyThrows
     public void testResetCursor(boolean partitioned) {
         final String random = UUID.randomUUID().toString();
+        final String namespace = "public/default";
         final String topic = "persistent://public/default/" + random;
         final String subject =  UUID.randomUUID().toString();
         final String token = Jwts.builder()
@@ -885,6 +898,7 @@ public void testResetCursor(boolean partitioned) {
         for (AuthAction action : AuthAction.values()) {
             superUserAdmin.topics().grantPermission(topic, subject, Set.of(action));
             if (AuthAction.consume == action) {
+                superUserAdmin.namespaces().grantPermissionOnSubscription(namespace, subName, Sets.newHashSet(subject));
                 subAdmin.topics().resetCursor(topic, subName, System.currentTimeMillis());
             } else {
                 Assert.assertThrows(PulsarAdminException.NotAuthorizedException.class,
@@ -899,6 +913,7 @@ public void testResetCursor(boolean partitioned) {
     @SneakyThrows
     public void testResetCursorOnPosition() {
         final String random = UUID.randomUUID().toString();
+        final String namespace = "public/default";
         final String topic = "persistent://public/default/" + random;
         final String subject =  UUID.randomUUID().toString();
         final String token = Jwts.builder()
@@ -923,6 +938,7 @@ public void testResetCursorOnPosition() {
         for (AuthAction action : AuthAction.values()) {
             superUserAdmin.topics().grantPermission(topic, subject, Set.of(action));
             if (AuthAction.consume == action) {
+                superUserAdmin.namespaces().grantPermissionOnSubscription(namespace, subName, Sets.newHashSet(subject));
                 subAdmin.topics().resetCursor(topic, subName, MessageId.latest);
             } else {
                 Assert.assertThrows(PulsarAdminException.NotAuthorizedException.class,
@@ -983,6 +999,7 @@ public void testGetMessageById() {
     @SneakyThrows
     public void testPeekNthMessage() {
         final String random = UUID.randomUUID().toString();
+        final String namespace = "public/default";
         final String topic = "persistent://public/default/" + random;
         final String subject =  UUID.randomUUID().toString();
         final String token = Jwts.builder()
@@ -1015,6 +1032,7 @@ public void testPeekNthMessage() {
         for (AuthAction action : AuthAction.values()) {
             superUserAdmin.topics().grantPermission(topic, subject, Set.of(action));
             if (AuthAction.consume == action) {
+                superUserAdmin.namespaces().grantPermissionOnSubscription(namespace, subName, Sets.newHashSet(subject));
                 subAdmin.topics().peekMessages(topic, subName, 1);
             } else {
                 Assert.assertThrows(PulsarAdminException.NotAuthorizedException.class,
@@ -1075,6 +1093,7 @@ public void testExamineMessage() {
     @SneakyThrows
     public void testExpireMessage() {
         final String random = UUID.randomUUID().toString();
+        final String namespace = "public/default";
         final String topic = "persistent://public/default/" + random;
         final String subject =  UUID.randomUUID().toString();
         final String token = Jwts.builder()
@@ -1112,6 +1131,7 @@ public void testExpireMessage() {
         for (AuthAction action : AuthAction.values()) {
             superUserAdmin.topics().grantPermission(topic, subject, Set.of(action));
             if (AuthAction.consume == action) {
+                superUserAdmin.namespaces().grantPermissionOnSubscription(namespace, subName, Sets.newHashSet(subject));
                 subAdmin.topics().expireMessages(topic, subName, 1);
             } else {
                 Assert.assertThrows(PulsarAdminException.NotAuthorizedException.class,
@@ -1127,6 +1147,7 @@ public void testExpireMessage() {
     public void testExpireMessageByPosition() {
         final String random = UUID.randomUUID().toString();
         final String topic = "persistent://public/default/" + random;
+        final String namespace = "public/default";
         final String subject =  UUID.randomUUID().toString();
         final String token = Jwts.builder()
                 .claim("sub", subject).signWith(SECRET_KEY).compact();
@@ -1163,6 +1184,7 @@ public void testExpireMessageByPosition() {
         for (AuthAction action : AuthAction.values()) {
             superUserAdmin.topics().grantPermission(topic, subject, Set.of(action));
             if (AuthAction.consume == action) {
+                superUserAdmin.namespaces().grantPermissionOnSubscription(namespace, subName, Sets.newHashSet(subject));
                 subAdmin.topics().expireMessages(topic, subName, MessageId.earliest, false);
             } else {
                 Assert.assertThrows(PulsarAdminException.NotAuthorizedException.class,

diff --git a/pulsar-broker/src/test/java/org/apache/pulsar/broker/auth/AuthorizationTest.java b/pulsar-broker/src/test/java/org/apache/pulsar/broker/auth/AuthorizationTest.java
@@ -230,14 +230,19 @@ public void simple() throws Exception {
         assertTrue(auth.canLookup(TopicName.get("persistent://p1/c1/ns1/ds1"), "role1", null));
         assertTrue(auth.canLookup(TopicName.get("persistent://p1/c1/ns1/ds1"), "role2", null));
         try {
+            admin.namespaces().grantPermissionOnSubscription("p1/c1/ns1", "sub1", Sets.newHashSet("role1"));
             assertFalse(auth.canConsume(TopicName.get("persistent://p1/c1/ns1/ds1"), "role1", null, "sub1"));
             fail();
         } catch (Exception ignored) {}
         try {
+            admin.namespaces().grantPermissionOnSubscription("p1/c1/ns1", "sub2", Sets.newHashSet("role2"));
             assertFalse(auth.canConsume(TopicName.get("persistent://p1/c1/ns1/ds1"), "role2", null, "sub2"));
             fail();
         } catch (Exception ignored) {}
 
+        // though we use prefix subscription mode, we still require that the role own the permission.
+        admin.namespaces().grantPermissionOnSubscription("p1/c1/ns1", "role1-sub1", Sets.newHashSet("role1"));
+        admin.namespaces().grantPermissionOnSubscription("p1/c1/ns1", "role2-sub2", Sets.newHashSet("role2"));
         assertTrue(auth.canConsume(TopicName.get("persistent://p1/c1/ns1/ds1"), "role1", null, "role1-sub1"));
         assertTrue(auth.canConsume(TopicName.get("persistent://p1/c1/ns1/ds1"), "role2", null, "role2-sub2"));
         assertTrue(auth.canConsume(TopicName.get("persistent://p1/c1/ns1/ds1"), "pulsar.super_user", null, "role3-sub1"));