use of org.apache.pulsar.common.api.proto.PulsarApi.CommandLookupTopic in project incubator-pulsar by apache.
the class ServerCnx method handleLookup.
// ////
// // Incoming commands handling
// ////
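/**
 * Handles a topic lookup command received on this connection.
 *
 * <p>Flow, as visible in this method:
 * <ol>
 *   <li>Validate the topic name; a {@code null} result ends the request.</li>
 *   <li>Resolve the original principal (the identity on whose behalf a proxy is acting). When
 *       {@code authenticateOriginalAuthData} is set and the command carries original auth data,
 *       it is obtained through {@code validateOriginalPrincipal}; otherwise the value comes from
 *       the command, or from the connection-level {@code this.originalPrincipal}.</li>
 *   <li>Take a permit from the lookup semaphore; when none is free, reply
 *       {@code TooManyRequests}.</li>
 *   <li>Reject when {@code invalidOriginalPrincipal} flags the principal, then (when
 *       authorization is enabled and an original principal is present) check that the
 *       connection's own {@code authRole} may look up the topic.</li>
 *   <li>Run the lookup with the original principal as role, falling back to {@code authRole}.</li>
 * </ol>
 *
 * <p>The permit taken in step 3 is released exactly once on every path below. The two paths that
 * are not covered by the {@code exceptionally} handler release in a {@code finally}, so that an
 * unexpected exception while logging or writing the response cannot leave a permit held and
 * shrink the number of lookups the semaphore admits.
 *
 * <p>NOTE(review): in the non-authenticated branch the original principal is whatever the peer
 * put in the command. Whether this connection's role is allowed to assert one is decided by
 * {@code invalidOriginalPrincipal}, which is not visible here; confirm that it rejects an
 * original principal supplied by a role that is not a configured proxy role.
 *
 * @param lookup the lookup command as decoded from the wire
 */
@Override
protected void handleLookup(CommandLookupTopic lookup) {
    final long requestId = lookup.getRequestId();
    final boolean authoritative = lookup.getAuthoritative();
    if (log.isDebugEnabled()) {
        log.debug("[{}] Received Lookup from {} for {}", lookup.getTopic(), remoteAddress, requestId);
    }
    TopicName topicName = validateTopicName(lookup.getTopic(), requestId, lookup);
    if (topicName == null) {
        return;
    }
    String originalPrincipal = null;
    if (authenticateOriginalAuthData && lookup.hasOriginalAuthData()) {
        // hasOriginalAuthData() is already known to be true in this branch, so the auth data is
        // read directly; method and principal remain optional.
        originalPrincipal = validateOriginalPrincipal(
                lookup.getOriginalAuthData(),
                lookup.hasOriginalAuthMethod() ? lookup.getOriginalAuthMethod() : null,
                lookup.hasOriginalPrincipal() ? lookup.getOriginalPrincipal() : this.originalPrincipal,
                requestId, lookup);
        if (originalPrincipal == null) {
            // validateOriginalPrincipal replies with an AuthenticationError for lookup commands
            // when authentication of the original auth data fails.
            return;
        }
    } else {
        // No verification of the original auth data on this path: the principal is taken as sent.
        originalPrincipal = lookup.hasOriginalPrincipal() ? lookup.getOriginalPrincipal() : this.originalPrincipal;
    }
    final Semaphore lookupSemaphore = service.getLookupRequestSemaphore();
    if (lookupSemaphore.tryAcquire()) {
        if (invalidOriginalPrincipal(originalPrincipal)) {
            try {
                final String msg = "Valid Proxy Client role should be provided for lookup ";
                log.warn("[{}] {} with role {} and proxyClientAuthRole {} on topic {}", remoteAddress, msg, authRole, originalPrincipal, topicName);
                ctx.writeAndFlush(newLookupErrorResponse(ServerError.AuthorizationError, msg, requestId));
            } finally {
                // Synchronous path, no exceptionally() handler behind it: release unconditionally.
                lookupSemaphore.release();
            }
            return;
        }
        // When a request is made on behalf of an original principal, the connection's own role
        // (authRole) must itself be allowed to look up the topic.
        CompletableFuture<Boolean> isProxyAuthorizedFuture;
        if (service.isAuthorizationEnabled() && originalPrincipal != null) {
            isProxyAuthorizedFuture = service.getAuthorizationService().canLookupAsync(topicName, authRole, authenticationData);
        } else {
            isProxyAuthorizedFuture = CompletableFuture.completedFuture(true);
        }
        String finalOriginalPrincipal = originalPrincipal;
        isProxyAuthorizedFuture.thenApply(isProxyAuthorized -> {
            if (isProxyAuthorized) {
                // NOTE(review): the role passed here may be the original principal, while
                // authenticationData is still the connection's own; confirm that the authorization
                // code behind lookupTopicAsync does not rely on the two belonging together.
                lookupTopicAsync(getBrokerService().pulsar(), topicName, authoritative, finalOriginalPrincipal != null ? finalOriginalPrincipal : authRole, authenticationData, requestId).handle((lookupResponse, ex) -> {
                    try {
                        if (ex == null) {
                            ctx.writeAndFlush(lookupResponse);
                        } else {
                            // it should never happen
                            log.warn("[{}] lookup failed with error {}, {}", remoteAddress, topicName, ex.getMessage(), ex);
                            // The exception message is returned to the peer as-is.
                            ctx.writeAndFlush(newLookupErrorResponse(ServerError.ServiceNotReady, ex.getMessage(), requestId));
                        }
                    } finally {
                        // This callback runs on a detached future: a failure here never reaches
                        // the exceptionally() handler below, so the permit is released here.
                        lookupSemaphore.release();
                    }
                    return null;
                });
            } else {
                // A failure before release() on this path propagates to exceptionally(), which
                // releases the permit; no finally here, to avoid a double release.
                final String msg = "Proxy Client is not authorized to Lookup";
                log.warn("[{}] {} with role {} on topic {}", remoteAddress, msg, authRole, topicName);
                ctx.writeAndFlush(newLookupErrorResponse(ServerError.AuthorizationError, msg, requestId));
                lookupSemaphore.release();
            }
            return null;
        }).exceptionally(ex -> {
            // Reached when the authorization future fails or the stage above throws; the peer
            // gets a fixed message and the detail stays in the broker log.
            final String msg = "Exception occured while trying to authorize lookup";
            log.warn("[{}] {} with role {} on topic {}", remoteAddress, msg, authRole, topicName, ex);
            ctx.writeAndFlush(newLookupErrorResponse(ServerError.AuthorizationError, msg, requestId));
            lookupSemaphore.release();
            return null;
        });
    } else {
        // No permit was taken, so there is nothing to release on this path.
        if (log.isDebugEnabled()) {
            log.debug("[{}] Failed lookup due to too many lookup-requests {}", remoteAddress, topicName);
        }
        ctx.writeAndFlush(newLookupErrorResponse(ServerError.TooManyRequests, "Failed due to too many pending lookup requests", requestId));
    }
}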
use of org.apache.pulsar.common.api.proto.PulsarApi.CommandLookupTopic in project incubator-pulsar by apache.
the class Commands method newLookup.
/**
 * Serializes a {@code LOOKUP} command for the given topic.
 *
 * <p>The three "original" fields describe the client on whose behalf the lookup is sent. Each is
 * written only when non-null, so the receiver can tell an absent field from an empty one through
 * the generated {@code has*} accessors.
 *
 * <p>{@code originalAuthData} appears to carry the original client's authentication data (the
 * broker-side handler authenticates it); treat it as a credential and keep it out of logs.
 *
 * @param topic              topic to look up
 * @param authoritative      value of the command's {@code authoritative} flag
 * @param originalAuthRole   original principal, or {@code null} to leave the field unset
 * @param originalAuthData   original auth data, or {@code null} to leave the field unset
 * @param originalAuthMethod original auth method, or {@code null} to leave the field unset
 * @param requestId          request id echoed back in the response
 * @return the size-prefixed serialized command
 */
public static ByteBuf newLookup(String topic, boolean authoritative, String originalAuthRole, String originalAuthData, String originalAuthMethod, long requestId) {
    final CommandLookupTopic.Builder builder = CommandLookupTopic.newBuilder()
            .setTopic(topic)
            .setRequestId(requestId)
            .setAuthoritative(authoritative);

    // Optional proxy-forwarding fields: unset unless a value was supplied.
    if (originalAuthRole != null) {
        builder.setOriginalPrincipal(originalAuthRole);
    }
    if (originalAuthData != null) {
        builder.setOriginalAuthData(originalAuthData);
    }
    if (originalAuthMethod != null) {
        builder.setOriginalAuthMethod(originalAuthMethod);
    }

    final CommandLookupTopic command = builder.build();
    final ByteBuf serialized = serializeWithSize(BaseCommand.newBuilder().setType(Type.LOOKUP).setLookupTopic(command));

    // Builder and message are recycled only after serialization has consumed them.
    builder.recycle();
    command.recycle();
    return serialized;
}
use of org.apache.pulsar.common.api.proto.PulsarApi.CommandLookupTopic in project incubator-pulsar by apache.
the class ServerCnx method validateOriginalPrincipal.
/**
 * Authenticates the original auth data forwarded with a request and returns the resulting
 * principal.
 *
 * <p>The TLS session of this channel, when a TLS handler is installed in the pipeline, is handed
 * to {@code getOriginalPrincipal} together with the forwarded values.
 *
 * <p>On {@link AuthenticationException} the peer receives a fixed message with
 * {@code AuthenticationError}; the exception's own message goes to the broker log only.
 *
 * <p>NOTE(review): a response is written only for {@code CommandLookupTopic} and
 * {@code CommandPartitionedTopicMetadata}. For any other request type this method returns
 * {@code null} without replying; confirm that no other caller passes a different type.
 *
 * @param originalAuthData   auth data of the original client
 * @param originalAuthMethod auth method of the original client, may be {@code null}
 * @param originalPrincipal  principal claimed for the original client
 * @param requestId          id used in the error response
 * @param request            the command being processed; selects the error response type
 * @return the value returned by {@code getOriginalPrincipal}, or {@code null} when
 *         authentication failed
 */
private String validateOriginalPrincipal(String originalAuthData, String originalAuthMethod, String originalPrincipal, Long requestId, GeneratedMessageLite request) {
    final ChannelHandler tlsHandler = ctx.channel().pipeline().get(PulsarChannelInitializer.TLS_HANDLER);
    // No TLS handler in the pipeline means there is no session to pass along.
    final SSLSession tlsSession = (tlsHandler == null)
            ? null
            : ((SslHandler) tlsHandler).engine().getSession();
    try {
        return getOriginalPrincipal(originalAuthData, originalAuthMethod, originalPrincipal, tlsSession);
    } catch (AuthenticationException authFailure) {
        final String msg = "Unable to authenticate original authdata ";
        log.warn("[{}] {}: {}", remoteAddress, msg, authFailure.getMessage());
        // The error response must match the command type the peer is waiting on.
        if (request instanceof CommandLookupTopic) {
            ctx.writeAndFlush(newLookupErrorResponse(ServerError.AuthenticationError, msg, requestId));
        } else if (request instanceof CommandPartitionedTopicMetadata) {
            ctx.writeAndFlush(Commands.newPartitionMetadataResponse(ServerError.AuthenticationError, msg, requestId));
        }
        return null;
    }
}