rdhabalia commented on a change in pull request #2981: Allow subscribers to
access subscription admin-api
URL: https://github.com/apache/pulsar/pull/2981#discussion_r234120068
##########
File path:
pulsar-broker-common/src/main/java/org/apache/pulsar/broker/authorization/PulsarAuthorizationProvider.java
##########
@@ -109,6 +112,16 @@ public void initialize(ServiceConfiguration conf,
ConfigurationCacheService conf
log.debug("Policies node couldn't be found for topic :
{}", topicName);
}
} else {
+ // check if role is authorize to access subscription.
(skip validatation if authorization list is empty)
+ Set<String> roles =
policies.get().auth_policies.subscription_auth_roles.get(subscription);
+ if (roles != null && !roles.isEmpty() &&
!roles.contains(role)) {
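Review bot: At the `roles` lookup, `policies.get().auth_policies.subscription_auth_roles.get(subscription)` dereferences `subscription_auth_roles` with no null guard, although the next line does guard `roles` itself. If that map can be null (for example on policies stored before this field existed, which these lines do not show), the check throws instead of returning a decision, so either initialize the map or test it before calling `.get(subscription)`. The condition `roles != null && !roles.isEmpty()` also means a subscription with no configured roles is open to every role that reaches this branch. The code comment says this is intended, but it should be stated in the documentation for `subscription_auth_roles`, because removing the last role from a list reopens the subscription. The code comment also has two typos: "authorize" should be "authorized" and "validatation" should be "validation".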
Review comment:
> Even if the role is superuser, access will be denied
No, check out [PersistentTopicsBase::validateAdminAccessForSubscriber()](https://github.com/apache/pulsar/blob/775894a9f1738b00c8af609494e277203b0a04f6/pulsar-broker/src/main/java/org/apache/pulsar/broker/admin/impl/PersistentTopicsBase.java#L241),
broker allows super-user/tenant to access any topic api and only validates on
subscription if user is not super-user/tenant.