Skip to content

[ISSUE #8100]♻️Preserve broker auth error boundaries#8101

Merged
mxsm merged 1 commit into
mainfrom
mxsm/broker-auth-error-boundary
Jul 6, 2026
Merged

[ISSUE #8100]♻️Preserve broker auth error boundaries#8101
mxsm merged 1 commit into
mainfrom
mxsm/broker-auth-error-boundary

Conversation

@mxsm

@mxsm mxsm commented Jul 6, 2026

Copy link
Copy Markdown
Owner

Which Issue(s) This PR Fixes(Closes)

Brief Description

  • Preserves broker admin authorization denials as BrokerPermissionDenied at the AuthAdminService boundary.
  • Keeps concrete auth rejection remarks when BrokerRequestProcessor rejects remoting requests before dispatch.

How Did You Test This Change?

  • cargo fmt --all
  • cargo test -p rocketmq-broker auth::auth_admin_service::tests::map_authz_error_preserves_admin_error_category --all-features -- --exact --nocapture
  • cargo test -p rocketmq-broker processor::tests::broker_request_processor_checks_auth_before_dispatch --all-features -- --exact --nocapture
  • cargo test -p rocketmq-broker --all-features
  • cargo clippy --workspace --no-deps --all-targets --all-features -- -D warnings with a temporary Cargo target directory outside the repository.

Summary by CodeRabbit

  • Bug Fixes
    • Improved broker permission-denied handling so authorization failures now return a clearer, specific error.
    • Authentication failures during request processing now include the error message in the response, making issues easier to diagnose.

@mxsm mxsm merged commit 521a502 into main Jul 6, 2026
5 of 7 checks passed
@mxsm mxsm deleted the mxsm/broker-auth-error-boundary branch July 6, 2026 18:10
@coderabbitai

coderabbitai Bot commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

Caution

Review failed

The pull request is closed.

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: d4d8fbae-234d-4946-b93f-3cb513ac1f30

📥 Commits

Reviewing files that changed from the base of the PR and between 598d052 and d5eb07e.

📒 Files selected for processing (2)
  • rocketmq-broker/src/auth/auth_admin_service.rs
  • rocketmq-broker/src/processor.rs

Walkthrough

This change preserves broker-specific error boundaries: AuthAdminService::map_authz_error now explicitly maps AuthorizationError::PermissionDenied to a broker permission-denied error, and BrokerRequestProcessor::process_request now includes the authentication error string as a remark alongside the preserved opaque value in the error response.

Changes

Broker auth error boundary preservation

Layer / File(s) Summary
Authorization error category mapping
rocketmq-broker/src/auth/auth_admin_service.rs
map_authz_error special-cases AuthorizationError::PermissionDenied to return permission_denied(error.to_string()), keeping other variants on the existing RocketMQError::from path.
Authentication failure remark preservation
rocketmq-broker/src/processor.rs
process_request now builds the error response via command_from_error_with_remark_and_opaque, passing the stringified error as remark plus the original opaque value, instead of an opaque-only response.

Estimated code review effort: 1 (Trivial) | ~5 minutes

Possibly related PRs

  • mxsm/rocketmq-rust#7364: Also refactors map_authz_error to preserve authorization error categories including PermissionDenied.
  • mxsm/rocketmq-rust#7926: Modifies the same process_request auth-check-failure path to preserve remark and opaque via error-response encoding.
  • mxsm/rocketmq-rust#7974: Also touches AuthorizationError::PermissionDenied conversion, in a different mapping location.

Suggested labels: refactor♻️, AI review first, ready to review

Suggested reviewers: rocketmq-rust-bot, SpaceXCN, TeslaRustor

Poem

A denied hop kept its true name,
No more lost in a generic frame,
The opaque token rides along too,
With the reason spelled out, clear and true,
This rabbit thumps twice for boundaries tame. 🐇

✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch mxsm/broker-auth-error-boundary

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@rocketmq-rust-bot

Copy link
Copy Markdown
Collaborator

🔊@mxsm 🚀Thanks for your contribution🎉!

💡CodeRabbit(AI) will review your code first🔥!

Note

🚨The code review suggestions from CodeRabbit are to be used as a reference only, and the PR submitter can decide whether to make changes based on their own judgment. Ultimately, the project management personnel will conduct the final code review💥.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

AI review first Ai review pr first approved PR has approved auto merge ready to review refactor♻️ refactor code waiting-review waiting review this PR

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[Refactor♻️] Preserve broker auth error boundaries

3 participants