EronWright commented on issue #19771: URL: https://github.com/apache/pulsar/issues/19771#issuecomment-1481695646
On the topic of authorization: as you've shown, the `sub` claim conveys the name of the KSA, and that would assumedly be used as the Pulsar role name. One would then set Pulsar permissions based on the name, for example in broker.conf:

```
authorizationEnabled=true
superUserRoles=system:serviceaccount:michael-test:default
```

Using the KSA name in this way is actually quite convenient, but may benefit from an authorization plugin that would allow for group-based policies, e.g. based on the `namespace` claim.

Here's how it would work in a multi-k8s-cluster environment. Imagine that the broker was configured to trust the tokens from a number of Kubernetes clusters, collectively known as a _cluster-set_. By the principle of [namespace sameness](https://github.com/kubernetes/community/blob/master/sig-multicluster/namespace-sameness-position-statement.md), a service account with a given name would be considered equivalent across the whole cluster-set. That's a Good Thing, in my opinion.

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
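The group-based policy the comment sketches, modelled as a stand-alone example (added here, not Pulsar's code or the commenter's): roles of the `system:serviceaccount:<namespace>:<name>` form are grouped by their Kubernetes namespace, so under namespace sameness every service account in a given namespace, from any cluster in the cluster-set, gets the same Pulsar grants. The policy structure, the `NamespacePolicy` and `check_claims_match` names, and the assumption that the token also carries a bare `namespace` claim are all mine, not Pulsar's.

```python
"""Constructed example: namespace-keyed authorization for KSA-style roles.
Assumes roles look like system:serviceaccount:<k8s-namespace>:<sa-name>
(the form in broker.conf above) and that topics are tenant/namespace/topic."""
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Kubernetes service-account subject: system:serviceaccount:<namespace>:<name>
KSA_ROLE = re.compile(
    r"^system:serviceaccount:(?P<namespace>[a-z0-9.-]+):(?P<name>[a-z0-9.-]+)$"
)


def parse_ksa_role(role: str) -> tuple[str, str] | None:
    """Return (k8s_namespace, sa_name) for a KSA role, or None for any other role."""
    m = KSA_ROLE.match(role)
    return (m["namespace"], m["name"]) if m else None


def pulsar_namespace(topic: str) -> str:
    """'persistent://public/default/orders' -> 'public/default'."""
    return topic.split("://", 1)[-1].rsplit("/", 1)[0]


@dataclass
class NamespacePolicy:
    # k8s namespace -> Pulsar "tenant/namespace" values it may access (group policy)
    grants: dict[str, set[str]] = field(default_factory=dict)
    # full role names treated as super users, mirroring superUserRoles in broker.conf
    super_users: set[str] = field(default_factory=set)

    def is_super_user(self, role: str) -> bool:
        return role in self.super_users

    def allowed(self, role: str, topic: str) -> bool:
        """Super users pass; KSA roles are checked by namespace group; others denied."""
        if self.is_super_user(role):
            return True
        parsed = parse_ksa_role(role)
        if parsed is None:
            return False
        k8s_ns, _ = parsed
        return pulsar_namespace(topic) in self.grants.get(k8s_ns, set())


def check_claims_match(sub: str, namespace_claim: str) -> bool:
    """Defensive cross-check: the namespace embedded in `sub` must equal the
    token's namespace claim, so a group decision never rests on one field alone."""
    parsed = parse_ksa_role(sub)
    return parsed is not None and parsed[0] == namespace_claim
```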
