You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
I searched in the issues and found nothing similar.
Read release policy
I understand that unsupported versions don't get bug fixes. I will attempt to reproduce the issue on a supported version of Pulsar client and Pulsar broker.
Version
Running on a UBI 9 base image, java version: openjdk 17.0.10, pulsar version: 3.1.2, 3.2.0, and 3.2.1.
Minimal reproduce step
Enable a broker with multi-role authorization/JWT authentication.
Create token with multiple roles. Mine has these 2:
Use the multi-role token (with the second as the only role with permission to access the tenant/namespace) to confirm that it has access:
Attempt to permit access to a role on that topic. Will fail with {"reason":"Don't have permission to administrate resources on this tenant"} despite being able to successfully run other commands against that tenant/namespace:
Switch admin role of tenant to first role in JWT:
bash-5.1$ bin/pulsar-admin tenants update public -r Group_Test-admin
Re-run access granting command:
Verify the access granting succeeded when the first role of the JWT has access:
What did you expect to see?
I expected that this operation should have succeeded when either of the roles in the JWT were permitted access to the tenant/namespace.
What did you see instead?
To be able to successfully perform the topic role permission granting action, the permitted role MUST be the first in the claim.
Anything else?
Like I said before, I have tried this on multiple supported versions and in many different clusters/use cases. I find that this issue is not only on the POST but also the GET and presumably the DELETE. I have spent quite a while trying to find any other endpoints that are afflicted by this same issue, but my testing has only yielded this one. Any help is appreciated.
Are you willing to submit a PR?
I'm willing to submit a PR!
The text was updated successfully, but these errors were encountered:
@dhsy6z Could you help confirm if the below test match your reproduced steps? I can't reproduce it.
you can put this method in org.apache.pulsar.client.api.MultiRolesTokenAuthorizationProviderTest.
and then run it with green bar
Search before asking
Read release policy
Version
Running on a UBI 9 base image, java version: openjdk 17.0.10, pulsar version: 3.1.2, 3.2.0, and 3.2.1.
Minimal reproduce step
{"reason":"Don't have permission to administrate resources on this tenant"}
despite being able to successfully run other commands against that tenant/namespace:What did you expect to see?
I expected that this operation should have succeeded when either of the roles in the JWT were permitted access to the tenant/namespace.
What did you see instead?
To be able to successfully perform the topic role permission granting action, the permitted role MUST be the first in the claim.
Anything else?
Like I said before, I have tried this on multiple supported versions and in many different clusters/use cases. I find that this issue is not only on the POST but also the GET and presumably the DELETE. I have spent quite a while trying to find any other endpoints that are afflicted by this same issue, but my testing has only yielded this one. Any help is appreciated.
Are you willing to submit a PR?
The text was updated successfully, but these errors were encountered: