Skip to content

[ISSUE #8102]🐛Preserve ACL permission denied semantics#8103

Merged
rocketmq-rust-bot merged 4 commits into
mainfrom
mxsm/fix-auth-permission-denied-8102
Jul 7, 2026
Merged

[ISSUE #8102]🐛Preserve ACL permission denied semantics#8103
rocketmq-rust-bot merged 4 commits into
mainfrom
mxsm/fix-auth-permission-denied-8102

Conversation

@mxsm

@mxsm mxsm commented Jul 7, 2026

Copy link
Copy Markdown
Owner

Which Issue(s) This PR Fixes(Closes)

Brief Description

Map AuthorizationError::PermissionDenied to RocketMQError::BrokerPermissionDenied instead of an authentication authorization failure. This preserves ACL denial semantics for proxy auth, remoting auth, and gRPC status mapping so authenticated users without permissions receive forbidden responses.

The auth unit test expectation was updated to match the central error category used by the proxy regression tests.

How Did You Test This Change?

  • cargo test -p rocketmq-auth --lib test_authorization_error_rocketmq_mapping_categories -- --nocapture
  • cargo test -p rocketmq-proxy --lib -- --nocapture
  • cargo fmt --all
  • cargo clippy --workspace --no-deps --all-targets --all-features -- -D warnings
  • cargo fmt --all --check
  • git diff --check

Summary by CodeRabbit

  • Bug Fixes
    • Permission-denied authorization responses now surface as a broker permission error, making the reported failure more accurate.
    • Updated error handling so denied access no longer appears as an authentication failure.
    • Adjusted error-mapping checks to match the new behavior.

@rocketmq-rust-bot

Copy link
Copy Markdown
Collaborator

🔊@mxsm 🚀Thanks for your contribution🎉!

💡CodeRabbit(AI) will review your code first🔥!

Note

🚨The code review suggestions from CodeRabbit are to be used as a reference only, and the PR submitter can decide whether to make changes based on their own judgment. Ultimately, the project management personnel will conduct the final code review💥.

@rocketmq-rust-robot rocketmq-rust-robot added the bug🐛 Something isn't working label Jul 7, 2026
@coderabbitai

coderabbitai Bot commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

Important

Review skipped

Auto incremental reviews are disabled on this repository.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 418486fa-da69-4c5d-bce0-840b13419e83

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

  • 🔍 Trigger review

Walkthrough

The conversion of AuthorizationError::PermissionDenied into RocketMQError now produces RocketMQError::BrokerPermissionDenied instead of RocketMQError::Authentication(AuthError::AuthorizationFailed(_)). The associated unit test assertion was updated to match the new expected error variant.

Changes

Error mapping fix

Layer / File(s) Summary
PermissionDenied maps to BrokerPermissionDenied
rocketmq-auth/src/authorization/provider.rs
The From<AuthorizationError> for RocketMQError conversion now maps PermissionDenied to BrokerPermissionDenied, and the corresponding unit test expectation is updated to match.

Estimated code review effort: 1 (Trivial) | ~3 minutes

Possibly related PRs

  • mxsm/rocketmq-rust#7974: Modifies the same conversion logic in provider.rs, previously changing PermissionDenied mapping to AuthorizationFailed.
  • mxsm/rocketmq-rust#8034: Modifies the same AuthorizationError to RocketMQError conversion and its mapping tests.
  • mxsm/rocketmq-rust#8101: Adjusts the same PermissionDenied to BrokerPermissionDenied mapping at auth boundaries.

Suggested reviewers: rocketmq-rust-bot, SpaceXCN, TeslaRustor

Poem

A hop, a fix, a tiny leap,
PermissionDenied no longer sleeps
as "unauthorized" in disguise—
now Forbidden greets your eyes!
🐇 Thump-thump, the errors align. 🥕

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title is concise and accurately states the ACL permission-denied semantics change.
Linked Issues check ✅ Passed The provider conversion now maps PermissionDenied to BrokerPermissionDenied, matching the linked issue's required forbidden semantics.
Out of Scope Changes check ✅ Passed The only change is the requested error mapping and its test update, with no unrelated code added.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch mxsm/fix-auth-permission-denied-8102

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@codecov

codecov Bot commented Jul 7, 2026

Copy link
Copy Markdown

Codecov Report

❌ Patch coverage is 82.75862% with 5 lines in your changes missing coverage. Please review.
✅ Project coverage is 70.44%. Comparing base (4984719) to head (cce538c).
⚠️ Report is 68 commits behind head on main.

Files with missing lines Patch % Lines
rocketmq-auth/src/lib.rs 79.16% 5 Missing ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##             main    #8103      +/-   ##
==========================================
+ Coverage   70.15%   70.44%   +0.29%     
==========================================
  Files        1259     1261       +2     
  Lines      280708   282344    +1636     
==========================================
+ Hits       196923   198903    +1980     
+ Misses      83785    83441     -344     

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@rocketmq-rust-bot rocketmq-rust-bot left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM - All CI checks passed ✅

@rocketmq-rust-bot rocketmq-rust-bot merged commit 4f43188 into main Jul 7, 2026
21 of 22 checks passed
@rocketmq-rust-bot rocketmq-rust-bot added approved PR has approved and removed ready to review waiting-review waiting review this PR labels Jul 7, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

AI review first Ai review pr first approved PR has approved auto merge bug🐛 Something isn't working

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[Bug🐛] Preserve ACL permission denied errors as forbidden proxy responses

3 participants