Technoboy- opened a new issue #14639: URL: https://github.com/apache/pulsar/issues/14639
### Motivation As https://github.com/apache/pulsar/issues/14191 described, users may get confused about the current permission. First, we only define the below actions in the grant-permission interface: ``` produce,consume,sources,sinks,functions,packages ``` Though we grant all the actions to some roles like below (`myuser` is not admin, only a normal user): ``` $ pulsar-admin namespaces grant-permission public/default --role myuser --actions produce,consume,sources,sinks,functions,packages ``` But when we list topics under a namespace: ``` $ pulsar-admin --admin-url https://dev.pulsar.xyz.com:8081 --auth-plugin "org.apache.pulsar.client.impl.auth.AuthenticationToken" --auth-params "token:<token>" topics list public/default ``` We will get the below error message : ``` HTTP 500 Server Error Reason: HTTP 500 Server Error ``` After https://github.com/apache/pulsar/pull/14638, the user could get a better message : ``` HTTP 403 : Unauthorized to validateNamespaceOperation for operation [GET_BUNDLE] on namespace [mytenant/np1] ``` So what is `GET_BUNDLE` mean? And how to grant this permission? No interface and no docs were mentioned about this. After diving into the codes here : https://github.com/apache/pulsar/blob/4910519eb5c20249d982cab40813af3e870e4f90/pulsar-broker-common/src/main/java/org/apache/pulsar/broker/authorization/PulsarAuthorizationProvider.java#L564-L607 We can see from line-572, if the user role is not admin, it can't have the GET_BUNDLE permission. But here, are `operations`, not `actions` defined in the grant interface. So, what is the relationship between `operations` and `actions` ? No documentations. ### Goal Check up the existing permission logic, clarify the relationship between action and operation, and give detailed documentation. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
