michaeljmarshall opened a new pull request, #15576:
URL: https://github.com/apache/pulsar/pull/15576
### Motivation
This is a draft PR for a forth coming PIP. At a high level, this PR seeks to
make it possible to enable strict subscription level authorization for
namespaces where implicit subscription permission is disabled.
### Modifications
* Update the `PulsarAuthorizationProvider#canConsume` logic so that when
implicit subscription permission is disabled, it will reject all roles that do
not explicitly have permission to consume from a subscription.
* Update the `AuthPolicies` and the `AuthPoliciesImpl` classes to store a
new boolean field named `implicit_subscription_permission`.
* Add new endpoints for getting permission, granting permission, and
revoking permission to the Admin API server for both v1 and v2 APIs.
* Similarly, update the Admin Java Client and the Admin CLI tool to use call
those new API endpoints.
### Verifying this change
Once the design is solidified, I will add tests to the
`pulsar-broker/src/test/java/org/apache/pulsar/client/api/AuthorizationProducerConsumerTest.java`
class.
### Does this pull request potentially affect one of the following parts:
- Dependencies (does it add or upgrade a dependency): no
- The public API: yes
- The schema: no
- The default values of configurations: no
- The wire protocol: no
- The rest endpoints: yes
- The admin cli options: yes
- Anything that affects deployment: no
This change adds a new feature discussed in the associated PIP.
### Documentation
- [x] `doc-required`
I will add docs as a part of this work, but I haven't yet because the design
isn't solidified.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
