@dragonls
Contributor

Motivation

When using MultiRolesTokenAuthorizationProvider with multiple roles in a JWT token, if one of the roles fails the subscription prefix check in PulsarAuthorizationProvider#canConsumeAsync, it throws a PulsarServerException with the message "The subscription name needs to be prefixed by the authentication role".

This exception propagates up and causes the entire authorization to fail, even if another role in the token has valid permissions. This is problematic in multi-role scenarios where:

  • A JWT token contains multiple roles (e.g., ["user-a", "user-b"])
  • Only one role needs to have permission for the operation to succeed
  • The FutureUtil.waitForAny mechanism should return success as soon as any role is authorized

Modifications

Modified MultiRolesTokenAuthorizationProvider#authorize method to handle exceptions differently based on the number of roles:

  1. Single role: Keep the original behavior - exceptions are propagated as-is. This ensures backward compatibility and proper error reporting when there's only one role.
  2. Multiple roles: Swallow all exceptions and convert them to false (authorization failed). This allows FutureUtil.waitForAny to work correctly - if any role succeeds, the overall authorization succeeds; the authorization fails only if all roles fail (return false or throw exceptions).

    if (roles.size() == 1) {
        // Single role: the exception from the check propagates to the caller.
        roles.forEach(r -> futures.add(authorizeFunc.apply(r)));
    } else {
        // Multiple roles: a failed check counts as "not authorized" for that role.
        roles.forEach(r -> futures.add(authorizeFunc.apply(r).exceptionally(ex -> false)));
    }

Verifying this change

  • Make sure that the change passes the CI checks.

This change added new test cases in MultiRolesTokenAuthorizationProviderTest:

  • testMultiRolesAuthzWithSubscriptionPrefixMismatchException: Tests multi-role scenarios where:
    • One role succeeds, another throws exception -> returns true
    • All roles throw exceptions -> returns false
  • testSingleRoleAuthzWithSubscriptionPrefixMismatchException: Tests single-role scenario where:
    • Single role throws exception -> propagates the original exception

Does this pull request potentially affect one of the following parts:

If the box was checked, please highlight the changes

  • Dependencies (add or upgrade a dependency)
  • The public API
  • The schema
  • The default values of configurations
  • The threading model
  • The binary protocol
  • The REST endpoints
  • The admin CLI options
  • The metrics
  • Anything that affects deployment

Documentation

  • doc
  • doc-required
  • doc-not-needed
  • doc-complete

Matching PR in forked repository

PR in forked repository: dragonls#12
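
The role-count branch described in this pull request, as an added example that is not code from the PR or from Pulsar. `canConsume` and `anyTrue` are hypothetical stand-ins for the per-role check and for FutureUtil.waitForAny, written on the assumption (taken from the description above) that a failed future fails the combined result.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.concurrent.CompletableFuture;
import java.util.concurrent.CompletionException;
import java.util.concurrent.atomic.AtomicInteger;
import java.util.function.Function;

public class MultiRoleAuthzDemo {
    // Hypothetical per-role check: fails the way the subscription prefix check does.
    static CompletableFuture<Boolean> canConsume(String role, String subscription) {
        if (!subscription.startsWith(role)) {
            return CompletableFuture.failedFuture(new IllegalStateException(
                    "The subscription name needs to be prefixed by the authentication role"));
        }
        return CompletableFuture.completedFuture(true);
    }

    // Stand-in for the any-role combinator (not Pulsar's FutureUtil); assumes a non-empty list.
    static CompletableFuture<Boolean> anyTrue(List<CompletableFuture<Boolean>> futures) {
        CompletableFuture<Boolean> result = new CompletableFuture<>();
        AtomicInteger remaining = new AtomicInteger(futures.size());
        for (CompletableFuture<Boolean> f : futures) {
            f.whenComplete((ok, ex) -> {
                if (ex != null) result.completeExceptionally(ex);
                else if (Boolean.TRUE.equals(ok)) result.complete(true);
                else if (remaining.decrementAndGet() == 0) result.complete(false);
            });
        }
        return result;
    }

    // Same branch as the PR: one role propagates the exception, several roles map it to false.
    static CompletableFuture<Boolean> authorize(List<String> roles, String subscription) {
        Function<String, CompletableFuture<Boolean>> authorizeFunc = r -> canConsume(r, subscription);
        List<CompletableFuture<Boolean>> futures = new ArrayList<>();
        if (roles.size() == 1) {
            roles.forEach(r -> futures.add(authorizeFunc.apply(r)));
        } else {
            roles.forEach(r -> futures.add(authorizeFunc.apply(r).exceptionally(ex -> false)));
        }
        return anyTrue(futures);
    }

    public static void main(String[] args) {
        System.out.println(authorize(List.of("user-a", "user-b"), "user-b-sub").join());
        System.out.println(authorize(List.of("user-a", "user-b"), "other-sub").join());
        try { authorize(List.of("user-a"), "other-sub").join(); }
        catch (CompletionException e) { System.out.println("propagated: " + e.getCause().getMessage()); }
    }
}
```

The three calls in `main` cover a two-role token with one matching role, a two-role token with no matching role, and a single-role token. In the multi-role branch every exception becomes a denial, not only the prefix mismatch, so authorization fails closed but the cause is not surfaced to the caller.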

@github-actions bot added the doc-not-needed (Your PR changes do not impact docs) label Dec 31, 2025
Member

@lhotari lhotari left a comment

LGTM

Copilot AI left a comment

Pull request overview

This PR fixes an authorization failure in MultiRolesTokenAuthorizationProvider that occurs when JWT tokens contain multiple roles and one role fails the subscription prefix check. Previously, a single role's prefix mismatch exception would cause the entire authorization to fail, even when another role had valid permissions.

Key Changes:

  • Modified exception handling in the authorize method to differentiate between single-role and multi-role scenarios
  • For multiple roles, exceptions are now converted to authorization failures (false), allowing FutureUtil.waitForAny to succeed if any role is authorized
  • For single roles, the original exception propagation behavior is preserved for backward compatibility

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

File | Description
MultiRolesTokenAuthorizationProvider.java | Added conditional exception handling based on role count - single roles propagate exceptions while multiple roles convert exceptions to false
MultiRolesTokenAuthorizationProviderTest.java | Added comprehensive test cases covering multi-role scenarios with exceptions and single-role exception propagation

@codecov-commenter

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 74.47%. Comparing base (ff0d0eb) to head (6c5afe2).
⚠️ Report is 1 commits behind head on master.

@@             Coverage Diff              @@
##             master   #25121      +/-   ##
============================================
- Coverage     74.82%   74.47%   -0.35%     
+ Complexity    33836    33659     -177     
============================================
  Files          1899     1899              
  Lines        149656   149658       +2     
  Branches      17393    17394       +1     
============================================
- Hits         111979   111457     -522     
- Misses        28892    29329     +437     
- Partials       8785     8872      +87     
Flag | Coverage Δ
inttests | 26.37% <0.00%> (-0.52%) ⬇️
systests | 23.11% <0.00%> (-0.10%) ⬇️
unittests | 73.99% <100.00%> (-0.36%) ⬇️

Files with missing lines | Coverage Δ
...rization/MultiRolesTokenAuthorizationProvider.java | 69.15% <100.00%> (+0.58%) ⬆️

... and 118 files with indirect coverage changes

@lhotari lhotari merged commit 133fe20 into apache:master Jan 2, 2026
107 of 110 checks passed
@lhotari lhotari added this to the 4.2.0 milestone Jan 2, 2026
Technoboy- pushed a commit that referenced this pull request Jan 7, 2026
…scription prefix doesn't match. (#25121)

Co-authored-by: druidliu <[email protected]>
lhotari pushed a commit that referenced this pull request Jan 8, 2026
…scription prefix doesn't match. (#25121)

Co-authored-by: druidliu <[email protected]>
(cherry picked from commit 133fe20)
lhotari pushed a commit that referenced this pull request Jan 8, 2026
…scription prefix doesn't match. (#25121)

Co-authored-by: druidliu <[email protected]>
(cherry picked from commit 133fe20)