mattisonchao opened a new issue, #25285:
URL: https://github.com/apache/pulsar/issues/25285
### Motivation
Currently, Pulsar's list operations (list tenants, namespaces, clusters,
topics) use an all-or-nothing authorization model — if the user is authorized
for the LIST operation, they see all resources; otherwise they get 403.
There is no way for an `AuthorizationProvider` to filter list results
per-item (e.g., only return tenants/namespaces the user has access to).
The JAX-RS `ContainerResponseFilter` API is synchronous — it cannot perform
async authorization checks without blocking. If a response filter performs
blocking metadata operations, it risks deadlocking the thread pool (see #25284).
### Proposal
Add a default method to `AuthorizationProvider` that allows async per-item
filtering of list results:
```java
default CompletableFuture<List<String>> filterAsync(
FilterContext context, List<String> resources, String role,
AuthenticationDataSource authData) {
return CompletableFuture.completedFuture(resources);
}
```
Where `FilterContext` contains:
- Resource type (cluster, tenant, namespace, topic)
- Parent resource (e.g., tenant name when listing namespaces, namespace name
when listing topics)
The default implementation returns the full list (no filtering), preserving
backward compatibility. Custom `AuthorizationProvider` implementations can
override this to implement per-item authorization filtering.
This method would be called inside the endpoint method (where async is
natural) rather than in a synchronous response filter.
### Related
- #25284 — Offload web response from metadata thread for list
tenants/namespaces/clusters
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
