rdhabalia commented on a change in pull request #2981: Allow subscribers to
access subscription admin-api
URL: https://github.com/apache/pulsar/pull/2981#discussion_r233606364
##########
File path:
pulsar-broker-common/src/main/java/org/apache/pulsar/broker/authorization/AuthorizationProvider.java
##########
@@ -71,6 +71,18 @@
CompletableFuture<Boolean> canConsumeAsync(TopicName topicName, String
role,
AuthenticationDataSource authenticationData, String subscription);
+ /**
+ * Returns authorized roles that can access admin-api for given
subscription
+ *
+ * @param topicName
+ * the fully qualified topic name associated with the topic.
+ * @param subscription
+ * the subscription name defined by the client
+ * @return
+ */
+ CompletableFuture<Set<String>> getAuthorizedRolesOnSubscription(TopicName
topicName,
Review comment:
> As long as a "principal" is granted permission on any level, it should be
allowed to consume messages and perform "consumer-related" admin operations.
No, for now, that's not exactly true for admin-api access because for
cursor-admin-api, we should make sure that it passes `Per-Subscription`
authorization so, one subscriber can't mess up other subscription using
CLI/Admin-api by mistake.
eg:
for namespace : if `role1` and `role2` are allowed for Namespace/Per-Topic
authorization `Consume`
[AuthAction](https://github.com/apache/pulsar/blob/master/pulsar-common/src/main/java/org/apache/pulsar/common/policies/data/AuthPolicies.java#L28)
then both roles can consume on any subscription for that namespace-topics. So,
if `subscription-level-authorization` is not present then still broker should
allow them to continue to consume (because sub-level-auth is introduced in this
PR and that will be empty for existing subscriptions so, we can't fail
Per-Subscription is not configured).
However, that's not the case for admin-api. Right now, cursor-admin-api can
be only accessed by tenant-admin. If "principal" has Namespace/Topic level
access then that principal can access other subscription as well and using CLI
by mistake, it will be easy to mess up things for other subscription.
So, I thought we can start enforcing sub-level-auth for admin-api.
So, do you think it makes sense to enforce "Per-Sub" authorization for
admin-api to prevent any incident due to user mistake.?
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
[email protected]
With regards,
Apache Git Services
