
[Bug] Pulsar Authorization with Standalone Websocket returns 403 Forbidden #23325

pulsarfan opened this issue Sep 19, 2024 · 0 comments
Labels
type/bug The PR fixed a bug or issue reported a bug


Search before asking

  • I searched in the issues and found nothing similar.

Read release policy

  • I understand that unsupported versions don't get bug fixes. I will attempt to reproduce the issue on a supported version of Pulsar client and Pulsar broker.

Version

3.3.1

Minimal reproduce step

  1. Configure standalone.conf as follows:
    authenticationEnabled=true
    authenticationProviders=org.apache.pulsar.broker.authentication.AuthenticationProviderToken
    authorizationEnabled=true
    authorizationProvider=org.apache.pulsar.broker.authorization.MultiRolesTokenAuthorizationProvider
    tokenPublicKey=file:///keys/my-public.key
    tokenAuthClaim=roles

  2. Start pulsar docker image as standalone.

  3. Create tenant, namespace and topic.

  4. Grant consume and produce permissions to namespace to role.

  5. Connect to websocket and try to consume topic with that role.
    ws://localhost:8080/ws/v2/consumer/persistent/test/node/receive/testSubscription?token=<token>

The token payload looks like this:
{
  "iss": "issuerName",
  "sub": "Test User",
  "aud": "test.domain",
  "iat": 1726771943,
  "nbf": 1726771943,
  "exp": 1726815143,
  "jti": "test-user",
  "roles": [ "admin.test", "role2", "role3" ]
}

What did you expect to see?

I expected to get the messages of the topic in response to my successful connect.

What did you see instead?

2024-09-19 21:22:29 2024-09-19T19:22:29,149+0000 [pulsar-web-48-15] INFO org.apache.pulsar.websocket.AbstractWebSocketHandler -
[192.168.65.1:27567] Authenticated WebSocket client admin.test on topic persistent://test/node/health

2024-09-19 21:22:29 2024-09-19T19:22:29,149+0000 [pulsar-web-48-15] WARN org.apache.pulsar.websocket.AbstractWebSocketHandler -
[192.168.65.1:27567] WebSocket Client [admin.test] is not authorized on topic persistent://test/node/health

Anything else?

Without websocket the authentication and authorization works just fine. With websocket the authentication works fine but the authorization seems to be very wrong:
It looks like pulsar is using the first role as the username.

If I use a superuser name as the first role the authorization works and I get my messages. But if I add the superuser name as the second or third role it gets ignored and the error message appears.

The error message always shows the first role as the "client name" even though the client name does not matter at all. Instead the authorization should check all roles against the namespace roles and recognize that the user is allowed to consume the topic in that namespace.

Are you willing to submit a PR?

  • I'm willing to submit a PR!
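The two behaviours the report contrasts (only the first entry of the roles claim being checked, versus every entry being checked against the namespace grants and the superuser list) are modelled below as a standalone Python example. This is added illustration, not Pulsar's code or the reporter's: the token is built unsigned from the claims shown in the report (signature verification is deliberately out of scope), the grant table and the superuser set are constructed inputs, and the two authorization functions are an assumed model of the observed and expected behaviour, not the provider's implementation.

```python
import base64
import json

# Constructed input: the claims from the report, used to build an unsigned,
# JWT-shaped token. Only the claims matter for modelling the authorization step.
TOKEN_PAYLOAD = {
    "iss": "issuerName",
    "sub": "Test User",
    "aud": "test.domain",
    "iat": 1726771943,
    "nbf": 1726771943,
    "exp": 1726815143,
    "jti": "test-user",
    "roles": ["admin.test", "role2", "role3"],
}

# Constructed grant table: namespace -> role -> set of allowed actions.
# Mirrors step 4 of the reproduction, with the grant given to the second role.
GRANTS = {"test/node": {"role2": {"consume", "produce"}}}


def b64url(data):
    """base64url without padding, as used in JWT segments."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_unsigned_jwt(payload):
    """Build header.payload.signature with an empty signature (alg=none).
    Assumption: signature checks are handled elsewhere; this models only
    what the authorization provider sees after authentication succeeded."""
    header = b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    body = b64url(json.dumps(payload).encode())
    return "%s.%s." % (header, body)


def roles_from_token(token, claim="roles"):
    """Return the role claim as a list, mirroring tokenAuthClaim=roles.
    A string claim is a single role; a list claim is a multi-role token."""
    payload_b64 = token.split(".")[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)  # restore padding
    payload = json.loads(base64.urlsafe_b64decode(payload_b64))
    value = payload.get(claim)
    if value is None:
        return []
    if isinstance(value, str):
        return [value]
    return list(value)


def is_authorized_first_role_only(token, namespace, grants, super_users, action):
    """Assumed model of what the report observes through the WebSocket proxy:
    the first role is treated as the client's single identity."""
    roles = roles_from_token(token)
    if not roles:
        return False
    first = roles[0]
    if first in super_users:
        return True
    return action in grants.get(namespace, {}).get(first, set())


def is_authorized_any_role(token, namespace, grants, super_users, action):
    """Assumed model of what the report expects: every role in the claim is
    checked, and a superuser anywhere in the list is sufficient."""
    for role in roles_from_token(token):
        if role in super_users:
            return True
        if action in grants.get(namespace, {}).get(role, set()):
            return True
    return False


if __name__ == "__main__":
    token = make_unsigned_jwt(TOKEN_PAYLOAD)
    print("roles:", roles_from_token(token))
    for name, check in (("first-role-only", is_authorized_first_role_only),
                        ("any-role", is_authorized_any_role)):
        print("%s, no superuser: consume=%s" % (
            name, check(token, "test/node", GRANTS, set(), "consume")))
        print("%s, admin.test superuser: consume=%s" % (
            name, check(token, "test/node", GRANTS, {"admin.test"}, "consume")))
```

Run as a script, the first-role-only model denies the consume with the grant on role2 and only passes once admin.test (the first role) is a superuser, which is the pattern the report describes; the any-role model passes in both cases.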