rdhabalia commented on a change in pull request #2981: Allow subscribers to
access subscription admin-api
URL: https://github.com/apache/pulsar/pull/2981#discussion_r234738487
##########
File path:
pulsar-broker-common/src/main/java/org/apache/pulsar/broker/authorization/PulsarAuthorizationProvider.java
##########
@@ -109,6 +112,16 @@ public void initialize(ServiceConfiguration conf,
ConfigurationCacheService conf
log.debug("Policies node couldn't be found for topic :
{}", topicName);
}
} else {
+ // check if role is authorize to access subscription.
(skip validatation if authorization list is empty)
+ Set<String> roles =
policies.get().auth_policies.subscription_auth_roles.get(subscription);
+ if (roles != null && !roles.isEmpty() &&
!roles.contains(role)) {
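Review bot: The condition `roles != null && !roles.isEmpty() && !roles.contains(role)` fails open. A subscription whose role set is empty is handled exactly like one with no entry, so the subscription-level check is skipped and the request falls through to whatever check follows. The code comment says this is intended, but it means that removing the last role from a subscription makes it unrestricted at this level rather than locked. That behaviour should be stated in the admin-API documentation, or empty should be treated as deny if that is the safer reading. In the same statement, `policies.get().auth_policies.subscription_auth_roles.get(subscription)` dereferences `subscription_auth_roles` without a null check. If that map can be unset on policies written before this change, the lookup throws instead of producing an authorization decision, so guard it or default it to an empty map. The comment line also has typos ("authorize", "validatation").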
Review comment:
@massakam yes, that's correct. That's what we want here, right?
- First, the broker validates subscription-permission (if it's configured) over
namespace-auth, so only an authorized principal can access the subscription. That
will also cover the "pre-fix" sub use case, where only an authorized sub can
consume on a specific subscription.
@merlimat can you also review this PR one more time?