[Bug] Multi-role does not forbid user if proxy superuser
Search before reporting
- [x] I searched in the issues and found nothing similar.
Read release policy
- [x] I understand that unsupported versions don't get bug fixes. I will attempt to reproduce the issue on a supported version of Pulsar client and Pulsar broker.
User environment
Cluster deployed with Apache Pulsar Helm Chart master (v4.2.0)
Broker version: 4.0.5
Issue Description
The proxy and broker are configured with OpenID authentication:
```yaml
authenticationEnabled: "true"
authenticationProviders: org.apache.pulsar.broker.authentication.oidc.AuthenticationProviderOpenID
PULSAR_PREFIX_openIDAllowedAudiences: pulsar-au
PULSAR_PREFIX_openIDAllowedTokenIssuers: https://token.issuer.com
PULSAR_PREFIX_openIDRoleClaim: scope
```
The proxy and broker are configured with OAuth2 client authentication:
```yaml
brokerClientAuthenticationParameters: '{"privateKey":"file:///pulsar/auth/<component>/credentials_file.json","audience":"pulsar-aud","issuerUrl":"https://token.issuer.com","scope":"pulsar-<component>"}'
brokerClientAuthenticationPlugin: org.apache.pulsar.client.impl.auth.oauth2.AuthenticationOAuth2
```
Broker authorization config:
```yaml
authorizationEnabled: "true"
tokenAuthClaim: scope
superUserRoles: pulsar-broker,pulsar-proxy
proxyRoles: pulsar-proxy
```
I create 2 topics:
- tenant1/ns1/topic1 with permissions produce/consume for role role1
- tenant2/ns2/topic2 with permissions produce/consume for role role2
When the broker authorizationProvider is the default, my client with role role1 can produce only to tenant1/ns1/topic1.
But when I set the broker authorizationProvider to org.apache.pulsar.broker.authorization.MultiRolesTokenAuthorizationProvider, my client with role1 can produce to both topics. I don't know if it's due to the proxy superuser role?
I don't know how to test it in MultiRolesTokenAuthorizationProviderTest?
Error messages
Reproducing the issue
See previous
Additional information
No response
Are you willing to submit a PR?
- [ ] I'm willing to submit a PR!
Furthermore, if I propagate the auth from proxy to broker:
- proxy conf: `forwardAuthorizationCredentials: "true"`
- broker conf: `authenticateOriginalAuthData: "true"`
The client is correctly forbidden with the MultiRoles plugin on the broker side.
It's as if the proxy only checks authentication: the authenticated user can access all resources on the cluster. Why doesn't the broker check the authorization part?
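As an added example (not part of this issue or of Apache Pulsar), a small audit script that flags the configuration combination the reporter observed: the MultiRoles provider on the broker, the proxy role also listed in superUserRoles, and original credentials neither forwarded by the proxy nor authenticated by the broker. The config parser assumes the plain `key: value` / `key=value` layout shown above; the sample values are constructed from the issue.

```python
import re

# Added audit helper (not from the issue or from Apache Pulsar). It encodes the
# reporter's observation: with MultiRolesTokenAuthorizationProvider, a proxy role in
# superUserRoles and no forwarding of original credentials, the client role was not enforced.
MULTI_ROLES = "org.apache.pulsar.broker.authorization.MultiRolesTokenAuthorizationProvider"


def parse_conf(text):
    """Parse `key=value` / `key: value` lines; drops PULSAR_PREFIX_ and surrounding quotes."""
    conf = {}
    for line in text.splitlines():
        m = re.match(r'^\s*(?:PULSAR_PREFIX_)?([A-Za-z0-9_.]+)\s*[:=]\s*(.*?)\s*$', line)
        if m and not line.lstrip().startswith("#"):
            conf[m.group(1)] = m.group(2).strip("\"'")
    return conf


def csv_set(value):
    return {v.strip() for v in value.split(",") if v.strip()}


def is_true(conf, key):
    return conf.get(key, "false").lower() == "true"


def audit(broker_text, proxy_text):
    """Return findings (empty list = the reported combination is not present)."""
    broker, proxy = parse_conf(broker_text), parse_conf(proxy_text)
    if not is_true(broker, "authorizationEnabled"):
        return ["broker: authorizationEnabled is not true"]
    proxy_superusers = csv_set(broker.get("proxyRoles", "")) & csv_set(broker.get("superUserRoles", ""))
    forwarded = (is_true(proxy, "forwardAuthorizationCredentials")
                 and is_true(broker, "authenticateOriginalAuthData"))
    if broker.get("authorizationProvider") == MULTI_ROLES and proxy_superusers and not forwarded:
        return ["broker: MultiRolesTokenAuthorizationProvider with proxy role(s) %s in superUserRoles "
                "and original credentials not forwarded+authenticated; client role may not be enforced. "
                "Set proxy forwardAuthorizationCredentials=true and broker authenticateOriginalAuthData=true."
                % sorted(proxy_superusers)]
    return []


# Constructed sample values mirroring the issue's settings.
BROKER_CONF = """
authorizationEnabled: "true"
authorizationProvider: org.apache.pulsar.broker.authorization.MultiRolesTokenAuthorizationProvider
superUserRoles: pulsar-broker,pulsar-proxy
proxyRoles: pulsar-proxy
"""
PROXY_CONF = 'forwardAuthorizationCredentials: "false"\n'

if __name__ == "__main__":
    print("\n".join(audit(BROKER_CONF, PROXY_CONF) or ["no findings"]))
```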
> It's as if the proxy only checks authentication

Correct.

> Why doesn't the broker check the authorization part?

This broker can check the client role and proxy role. Does your token include multiple roles?
I have done the test with one role in the client token, so I expect the same behavior with the two authorization providers org.apache.pulsar.broker.authorization.PulsarAuthorizationProvider and org.apache.pulsar.broker.authorization.MultiRolesTokenAuthorizationProvider.
> I have done the test with one role in the client token, so I expect the same behavior with the two authorization providers org.apache.pulsar.broker.authorization.PulsarAuthorizationProvider and org.apache.pulsar.broker.authorization.MultiRolesTokenAuthorizationProvider

This seems to be a reasonable expectation.
> I don't know how to test it in MultiRolesTokenAuthorizationProviderTest?

Since in this case it's a result of multiple components, I think reproducing the case with a Pulsar test (which are mostly integration tests) would be the way to observe details.
These test classes would provide useful details on how to test this. Creating a new test class in pulsar-proxy/src/test/java would be recommended.
https://github.com/apache/pulsar/blob/master/pulsar-proxy/src/test/java/org/apache/pulsar/proxy/server/ProxyTlsWithAuthTest.java
https://github.com/apache/pulsar/blob/master/pulsar-broker/src/test/java/org/apache/pulsar/client/api/TokenOauth2AuthenticatedProducerConsumerTest.java