This repository has been archived by the owner on Jan 24, 2024. It is now read-only.
[improve] Pass group ID to authorizer when using OAuth #1926
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Codecov Report
@@ Coverage Diff @@
## master #1926 +/- ##
============================================
- Coverage 17.94% 17.85% -0.10%
- Complexity 745 752 +7
============================================
Files 194 195 +1
Lines 13957 14061 +104
Branches 1291 1308 +17
============================================
+ Hits 2505 2511 +6
- Misses 11271 11368 +97
- Partials 181 182 +1
|
Demogorgon314
commented
Jun 29, 2023
kafka-impl/src/main/java/io/streamnative/pulsar/handlers/kop/KafkaServiceConfiguration.java
Show resolved
Hide resolved
BewareMyPower
added
release/2.11
release/2.10.4
release/3.0
type/enhancement
BewareMyPower
suggested changes
Jun 30, 2023
Demogorgon314
force-pushed
the
Demogorgon314/pass-groupid-when-use-oauth
branch
from
3aa978d
to
591c45b
Compare
Comment on lines
41
to
47
| /** | ||
| * {@code SaslServer} implementation for SASL/OAUTHBEARER in Kafka. An instance | ||
| * of {@link OAuthBearerToken} is available upon successful authentication via | ||
| * the negotiated property "{@code OAUTHBEARER.token}"; the token could be used | ||
| * in a custom authorizer (to authorize based on JWT claims rather than ACLs, | ||
| * for example). | ||
| */ |
There was a problem hiding this comment.
Did you just copy the Java docs from Kafka? It might be misleading here. It's better to remove them. For example, {@code SaslServer} and {@code OAUTHBEARER.token} never link correctly.
tests/src/test/java/io/streamnative/pulsar/handlers/kop/SaslOAuthKopHandlersWithGroupId.java
Outdated
Show resolved
Hide resolved
oauth-client/src/main/java/io/streamnative/pulsar/handlers/kop/security/oauth/ClientConfig.java
Outdated
Show resolved
Hide resolved
oauth-client/src/main/java/io/streamnative/pulsar/handlers/kop/security/oauth/ClientConfig.java
Outdated
Show resolved
Hide resolved
.../main/java/io/streamnative/pulsar/handlers/kop/security/oauth/OauthLoginCallbackHandler.java
Show resolved
Hide resolved
|
@Demogorgon314 Could you resolve the conflicts? |
Demogorgon314
force-pushed
the
Demogorgon314/pass-groupid-when-use-oauth
branch
from
e159653
to
dc9f1d7
Compare
|
@BewareMyPower Resolved. |
.../test/java/io/streamnative/pulsar/handlers/kop/security/oauth/ClientCredentialsFlowTest.java
Show resolved
Hide resolved
...mpl/src/main/java/io/streamnative/pulsar/handlers/kop/security/auth/SimpleAclAuthorizer.java
Outdated
Show resolved
Hide resolved
BewareMyPower
approved these changes
Jul 5, 2023
Demogorgon314
added a commit
to Demogorgon314/kop
that referenced
this pull request
Jul 5, 2023
…1926) ### Motivation Currently, the KoP only supports checking the topic permission when doing the consume authorization, but Kafka support checking the topic and group ID permission. Before introducing this change, let's understand why KoP can't check group ID permission. When Kafka does the consume authorization check, it will first check the group ID permission in `handleJoinGroupRequest` method, then it will check the topic permission in the `handleFetchRequest` method. However, Pulsar is using another way to check consume permission. See the `org.apache.pulsar.broker.authorization.AuthorizationService#canConsumeAsync` method, it requires passing the topic name and subscription to check both permissions in the same place, and the topic name is required param. ``` public CompletableFuture<Boolean> canConsumeAsync(TopicName topicName, String role, AuthenticationDataSource authenticationData,String subscription) ``` If we follow the Kafka way to check the consumer permission, we can't get the topic name when joining a group since the join group request does not contain the topic name. So we have to authorize permission in the fetch request. However, to authorization consume permission in the fetch request, we can only get the topic name in this request. In this case, we can't authorize the group ID. ### Modifications Since we can't get group ID when handling fetch requests, we need to find a way to pass through group ID when doing the authentication. In OAuth, we have a `credentials_file.json` file that needs to be config, for example: ``` { "client_id": "my-id", "client_secret": "my-secret", "tenant": "my-tenant" } ``` Here we can add a new parameter into the config: ``` { "client_id": "my-id", "client_secret": "my-secret", "tenant": "my-tenant", "group_id": "my-group-id" } ``` Then we can add these parameters to `SaslExtensions`, and send it to the broker. (cherry picked from commit e108e44)
Demogorgon314
added a commit
to Demogorgon314/kop
that referenced
this pull request
Jul 5, 2023
…1926) ### Motivation Currently, the KoP only supports checking the topic permission when doing the consume authorization, but Kafka support checking the topic and group ID permission. Before introducing this change, let's understand why KoP can't check group ID permission. When Kafka does the consume authorization check, it will first check the group ID permission in `handleJoinGroupRequest` method, then it will check the topic permission in the `handleFetchRequest` method. However, Pulsar is using another way to check consume permission. See the `org.apache.pulsar.broker.authorization.AuthorizationService#canConsumeAsync` method, it requires passing the topic name and subscription to check both permissions in the same place, and the topic name is required param. ``` public CompletableFuture<Boolean> canConsumeAsync(TopicName topicName, String role, AuthenticationDataSource authenticationData,String subscription) ``` If we follow the Kafka way to check the consumer permission, we can't get the topic name when joining a group since the join group request does not contain the topic name. So we have to authorize permission in the fetch request. However, to authorization consume permission in the fetch request, we can only get the topic name in this request. In this case, we can't authorize the group ID. ### Modifications Since we can't get group ID when handling fetch requests, we need to find a way to pass through group ID when doing the authentication. In OAuth, we have a `credentials_file.json` file that needs to be config, for example: ``` { "client_id": "my-id", "client_secret": "my-secret", "tenant": "my-tenant" } ``` Here we can add a new parameter into the config: ``` { "client_id": "my-id", "client_secret": "my-secret", "tenant": "my-tenant", "group_id": "my-group-id" } ``` Then we can add these parameters to `SaslExtensions`, and send it to the broker. (cherry picked from commit e108e44)
BewareMyPower
pushed a commit
that referenced
this pull request
Jul 6, 2023
…#1926) (#1945) ### Motivation Currently, the KoP only supports checking the topic permission when doing the consume authorization, but Kafka support checking the topic and group ID permission. Before introducing this change, let's understand why KoP can't check group ID permission. When Kafka does the consume authorization check, it will first check the group ID permission in `handleJoinGroupRequest` method, then it will check the topic permission in the `handleFetchRequest` method. However, Pulsar is using another way to check consume permission. See the `org.apache.pulsar.broker.authorization.AuthorizationService#canConsumeAsync` method, it requires passing the topic name and subscription to check both permissions in the same place, and the topic name is required param. ``` public CompletableFuture<Boolean> canConsumeAsync(TopicName topicName, String role, AuthenticationDataSource authenticationData,String subscription) ``` If we follow the Kafka way to check the consumer permission, we can't get the topic name when joining a group since the join group request does not contain the topic name. So we have to authorize permission in the fetch request. However, to authorization consume permission in the fetch request, we can only get the topic name in this request. In this case, we can't authorize the group ID. ### Modifications Since we can't get group ID when handling fetch requests, we need to find a way to pass through group ID when doing the authentication. In OAuth, we have a `credentials_file.json` file that needs to be config, for example: ``` { "client_id": "my-id", "client_secret": "my-secret", "tenant": "my-tenant" } ``` Here we can add a new parameter into the config: ``` { "client_id": "my-id", "client_secret": "my-secret", "tenant": "my-tenant", "group_id": "my-group-id" } ``` Then we can add these parameters to `SaslExtensions`, and send it to the broker. (cherry picked from commit e108e44)
3 tasks
BewareMyPower
pushed a commit
that referenced
this pull request
Jul 31, 2023
Demogorgon314
added a commit
to Demogorgon314/kop
that referenced
this pull request
Aug 14, 2023
…1926) ### Motivation Currently, the KoP only supports checking the topic permission when doing the consume authorization, but Kafka support checking the topic and group ID permission. Before introducing this change, let's understand why KoP can't check group ID permission. When Kafka does the consume authorization check, it will first check the group ID permission in `handleJoinGroupRequest` method, then it will check the topic permission in the `handleFetchRequest` method. However, Pulsar is using another way to check consume permission. See the `org.apache.pulsar.broker.authorization.AuthorizationService#canConsumeAsync` method, it requires passing the topic name and subscription to check both permissions in the same place, and the topic name is required param. ``` public CompletableFuture<Boolean> canConsumeAsync(TopicName topicName, String role, AuthenticationDataSource authenticationData,String subscription) ``` If we follow the Kafka way to check the consumer permission, we can't get the topic name when joining a group since the join group request does not contain the topic name. So we have to authorize permission in the fetch request. However, to authorization consume permission in the fetch request, we can only get the topic name in this request. In this case, we can't authorize the group ID. ### Modifications Since we can't get group ID when handling fetch requests, we need to find a way to pass through group ID when doing the authentication. In OAuth, we have a `credentials_file.json` file that needs to be config, for example: ``` { "client_id": "my-id", "client_secret": "my-secret", "tenant": "my-tenant" } ``` Here we can add a new parameter into the config: ``` { "client_id": "my-id", "client_secret": "my-secret", "tenant": "my-tenant", "group_id": "my-group-id" } ``` Then we can add these parameters to `SaslExtensions`, and send it to the broker. (cherry picked from commit e108e44)
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Motivation
Currently, the KoP only supports checking the topic permission when doing the consume authorization, but Kafka support checking the topic and group ID permission.
Before introducing this change, let's understand why KoP can't check group ID permission.
When Kafka does the consume authorization check, it will first check the group ID permission in
handleJoinGroupRequestmethod, then it will check the topic permission in thehandleFetchRequestmethod.However, Pulsar is using another way to check consume permission. See the
org.apache.pulsar.broker.authorization.AuthorizationService#canConsumeAsyncmethod, it requires passing the topic name and subscription to check both permissions in the same place, and the topic name is required param.If we follow the Kafka way to check the consumer permission, we can't get the topic name when joining a group since the join group request does not contain the topic name. So we have to authorize permission in the fetch request.
However, to authorization consume permission in the fetch request, we can only get the topic name in this request. In this case, we can't authorize the group ID.
Modifications
Since we can't get group ID when handling fetch requests, we need to find a way to pass through group ID when doing the authentication.
In OAuth, we have a
credentials_file.jsonfile that needs to be config, for example:Here we can add a new parameter into the config:
Then we can add these parameters to
SaslExtensions, and send it to the broker.Documentation
Check the box below.
Need to update docs?
doc-required(If you need help on updating docs, create a doc issue)
no-need-doc(Please explain why)
doc(If this PR contains doc changes)