[server] Add authorization to Replication Control RPCs (notifyLeaderAndIsr, updateMetadata, stopReplica, adjustIsr)#3299
Open
vaibhavk1992 wants to merge 3 commits into
Implements authorization checks for internal replication control RPC operations as part of issue apache#3249. These are server-to-server RPCs used by the CoordinatorServer to manage replication state across TabletServers.

Changes:
- Added CLUSTER/WRITE authorization to notifyLeaderAndIsr() in TabletService
- Added CLUSTER/WRITE authorization to updateMetadata() in TabletService
- Added CLUSTER/WRITE authorization to stopReplica() in TabletService
- Added CLUSTER/WRITE authorization to adjustIsr() in CoordinatorService
- Added comprehensive tests in FlussAuthorizationITCase

Authorization Implementation:
All four methods now check for CLUSTER/WRITE permission using the pattern:

    if (authorizer != null) {
        authorizer.authorize(currentSession(), WRITE, Resource.cluster());
    }

The existing AbstractAuthorizer automatically allows internal sessions (via session.isInternal() check), so internal server-to-server calls continue working while blocking external clients.

Test Coverage:
- Tests verify external clients are blocked without CLUSTER/WRITE permission
- Tests verify internal sessions bypass authorization checks
- Tests ensure proper AuthorizationException messages

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
…n control RPCs

This commit enhances testInternalReplicationControlAuthorization() to include comprehensive test coverage:
1. Test authorization denial (no permission) - verifies AuthorizationException
2. Grant CLUSTER/WRITE permission via ACL binding
3. Test authorization success (with permission) - verifies operations succeed
4. Test internal session bypass - verifies internal server calls allowed

The authorization success test creates ACL binding granting guestPrincipal CLUSTER/WRITE permission, waits for ACL sync, then verifies all 4 internal replication control operations (notifyLeaderAndIsr, updateMetadata, stopReplica, adjustIsr) do NOT throw AuthorizationException when permission is granted.

This addresses feedback to test "during auth present things are working as expected".

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Summary
Implements authorization checks for internal replication control RPC operations as part of issue #3249.
These are server-to-server RPCs used by the CoordinatorServer to manage replication state across TabletServers. Currently, these critical operations have no authorization checks, allowing any client to potentially call internal cluster management APIs.
Changes
Authorization Added to 4 Internal RPCs:
- notifyLeaderAndIsr
- updateMetadata
- stopReplica
- adjustIsr

Implementation Pattern:

Files Modified:
- TabletService.java: notifyLeaderAndIsr, updateMetadata, stopReplica
- CoordinatorService.java: OperationType.WRITE, adjustIsr
- FlussAuthorizationITCase.java: testInternalReplicationControlAuthorization; NotifyLeaderAndIsrRequest, UpdateMetadataRequest, StopReplicaRequest, AdjustIsrRequest

Key Design Decisions
- CLUSTER/WRITE Permission: These operations modify cluster replication state, consistent with other cluster control operations like rebalance() and cancelRebalance()
- Internal Session Bypass: The AbstractAuthorizer.isAuthorized() method automatically allows session.isInternal() requests, so internal server-to-server calls continue working seamlessly
- No Explicit isInternal() Check: No need to add explicit checks - the authorization framework handles it automatically
- External Client Protection: External clients attempting to call these internal RPCs will now receive AuthorizationException

Test Coverage
The new test testInternalReplicationControlAuthorization() verifies:
- ✅ External clients blocked: All 4 methods throw AuthorizationException when called by external clients without CLUSTER/WRITE permission
- ✅ Internal sessions bypass: Internal server-to-server calls do NOT throw AuthorizationException (they may fail for other reasons like invalid data, but not authorization)
- ✅ Proper error messages: Authorization failures include the correct principal, operation type (WRITE), and resource (CLUSTER)
Security Impact
Before: External clients could call internal replication control RPCs ❌
After: Only internal servers or authorized clients with CLUSTER/WRITE permission can call these RPCs ✅
Backward Compatibility
Related Issue
Closes #3249
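The following is an added, self-contained Java model of the check this PR describes (the `if (authorizer != null) { authorizer.authorize(currentSession(), WRITE, Resource.cluster()); }` pattern plus the internal-session bypass). It is not code from the Fluss project: `Session`, `Resource`, `OperationType`, `Authorizer`, `TabletService` and `currentSession()` are simplified stand-ins chosen for illustration, not Fluss's real classes or signatures. It walks the same cases the PR's test covers (external client denied, internal session bypass, grant then success) and adds two edge cases worth knowing: a READ-only grant is still denied because the check is for WRITE, and a null authorizer (authorization disabled) leaves the RPC open to any caller.

```java
// Added example, not Fluss project code. All class and method names are
// simplified stand-ins (assumptions) for the Fluss types named in the PR.
import java.util.HashSet;
import java.util.Set;

public class ReplicationRpcAuthzDemo {

    enum OperationType { READ, WRITE }

    /** Protected resource; the replication control RPCs guard the whole cluster. */
    record Resource(String type, String name) {
        static Resource cluster() { return new Resource("CLUSTER", "fluss-cluster"); }
    }

    /** Caller identity plus the flag that marks a server-to-server session. */
    record Session(String principal, boolean isInternal) {}

    static class AuthorizationException extends RuntimeException {
        AuthorizationException(String message) { super(message); }
    }

    record AclEntry(String principal, OperationType op, Resource resource) {}

    /** Stand-in for AbstractAuthorizer: internal sessions skip the ACL lookup entirely. */
    static class Authorizer {
        private final Set<AclEntry> acls = new HashSet<>();

        void grant(String principal, OperationType op, Resource resource) {
            acls.add(new AclEntry(principal, op, resource));
        }

        boolean isAuthorized(Session session, OperationType op, Resource resource) {
            if (session.isInternal()) {
                return true; // server-to-server calls are trusted by construction
            }
            return acls.contains(new AclEntry(session.principal(), op, resource));
        }

        /** Fails with principal, operation and resource so a denial is attributable in logs. */
        void authorize(Session session, OperationType op, Resource resource) {
            if (!isAuthorized(session, op, resource)) {
                throw new AuthorizationException("Principal " + session.principal()
                        + " is not authorized to " + op + " on " + resource.type()
                        + ":" + resource.name());
            }
        }
    }

    /** Stand-in for TabletService; a null authorizer models a cluster with authorization disabled. */
    static class TabletService {
        private final Authorizer authorizer;
        private final Session session;

        TabletService(Authorizer authorizer, Session session) {
            this.authorizer = authorizer;
            this.session = session;
        }

        private Session currentSession() { return session; }

        /** The PR's pattern: require CLUSTER/WRITE before touching replication state. */
        void notifyLeaderAndIsr() {
            if (authorizer != null) {
                authorizer.authorize(currentSession(), OperationType.WRITE, Resource.cluster());
            }
            // ... leader/ISR state update would follow here
        }
    }

    /** Runs one call and reports "allowed" or "denied: <message>". */
    static String attempt(Authorizer authorizer, Session session) {
        try {
            new TabletService(authorizer, session).notifyLeaderAndIsr();
            return "allowed";
        } catch (AuthorizationException e) {
            return "denied: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        Authorizer authorizer = new Authorizer();
        Session guest = new Session("guest", false);            // external client
        Session coordinator = new Session("coordinator", true); // internal server

        // 1. External client without CLUSTER/WRITE is rejected.
        System.out.println("guest, no ACL:    " + attempt(authorizer, guest));
        // 2. Internal session bypasses the ACL lookup.
        System.out.println("coordinator:      " + attempt(authorizer, coordinator));
        // 3. Granting CLUSTER/WRITE makes the same external call succeed.
        authorizer.grant("guest", OperationType.WRITE, Resource.cluster());
        System.out.println("guest, with ACL:  " + attempt(authorizer, guest));
        // 4. A READ-only grant is not enough: the check is specifically for WRITE.
        Authorizer readOnly = new Authorizer();
        readOnly.grant("guest", OperationType.READ, Resource.cluster());
        System.out.println("guest, READ only: " + attempt(readOnly, guest));
        // 5. With authorization disabled (null authorizer) the RPC is open to any caller.
        System.out.println("authz disabled:   " + attempt(null, guest));
    }
}
```

The last case is the one operators should keep in mind: the `authorizer != null` guard means the new checks only take effect on deployments where an authorizer is configured; on a cluster without one, these replication control RPCs stay reachable exactly as before the change.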