This is an automated email from the ASF dual-hosted git repository.

rxl pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/pulsar.wiki.git


The following commit(s) were added to refs/heads/master by this push:
     new d8b6003  Updated PIP 49: Permission levels and inheritance (markdown)
d8b6003 is described below

commit d8b60035dbe8675d2c8bb8d620015de7ae8cfcbb
Author: 冉小龙 <[email protected]>
AuthorDate: Sun Nov 3 13:37:34 2019 +0800

    Updated PIP 49: Permission levels and inheritance (markdown)
---
 PIP-49:-Permission-levels-and-inheritance.md | 303 ++++++++++++++-------------
 1 file changed, 156 insertions(+), 147 deletions(-)

diff --git a/PIP-49:-Permission-levels-and-inheritance.md 
b/PIP-49:-Permission-levels-and-inheritance.md
index 3bf6610..26ec2e8 100644
--- a/PIP-49:-Permission-levels-and-inheritance.md
+++ b/PIP-49:-Permission-levels-and-inheritance.md
@@ -10,7 +10,13 @@ Lacking permission levels and inheritance causing the 
permission check in Pulsar
 
 For example, currently Pulsar only allows a tenant administrator to retrieve 
the list of topics of a namespace. However, if you are a namespace 
administrator, you are not allowed to list the topics of it. This behavior is 
strange and uncommon compared to other RBAC systems.
 
-Also superuser permissions are misused in many places without clear thoughts.
+In fact, we can split the permissions management into two parts. One part is 
**operation**, which is mainly responsible for resource(cluster or broker) 
allocation and management. The other part is **user**, responsible for the 
specific operation. In the user's permissions, we can further split them into 
two parts: admin and client. The **admin** contains tenant admin and namespace 
admin with inheritance relationship between them. The **client**  contains 
produce, consume and function(if  [...]
+
+For different permissions, they have different read and write permissions. The 
**super user** has read and write access to the admin, but the admin can only 
read it. Similarly, The **admin** has read and write access to the client, but 
the client can only read it.
+
+> Note: The client can only read the permissions of the admin that it 
currently belongs to, and can not read other admin information.
+
+![pip49.png](https://upload-images.jianshu.io/upload_images/6967649-d8eae37481894c5e.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
 
 This PIP proposes introducing permission levels and inheritance into Pulsar 
authorization system to make permission check clearer across Pulsar codebase.
 
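Review bot: The added paragraph on read and write access leaves "it" without a referent in "the admin can only read it" and "the client can only read it", so a reader cannot tell which resources an admin or a client may read. The tables further down rely on `admin(read)`, so define that term here and say whether "admin" means tenant admin, namespace admin or both. The removed sentence about misused superuser permissions has no replacement; if that motivation still holds, keep it. The diagram is linked from upload-images.jianshu.io; attaching it to the wiki itself would keep the PIP readable if that host changes.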
@@ -24,40 +30,114 @@ The following table illustrates all the roles in Pulsar 
and their permission lev
 
 | Role| Permission Level
 |---|---
-| Super user| 1
-| Tenant admin | 2
-| Namespace admin | 3
-| Namespace function | 4 |
-| Namespace produce | 4 |
-| Namespace consume | 4 |
+| Tenant admin | 1
+| Namespace admin | 2
+| Namespace function | 3 |
+| Namespace produce | 3 |
+| Namespace consume | 3 |
 
 > Note: The `Namespace function`, `Namespace produce` and `Namespace consume` 
 > are at the same permission level. They can’t inherit the permissions from 
 > each other.
 ## Proposed Permission Changes
 
 
-This PIP proposes the following permission changes for each admin API.
+This PIP proposes the following permission changes for each admin API. 
+
+
+### operation
+
+
+#### clusters
+
+Command |Current Permissions | Proposed Permissions
+----|---|---
+get | super-user | super-user and admin(read)
+create | super-user | super-user
+update | super-user | super-user
+delete | super-user | super-user
+list | super-user | super-user
+update-peer-clusters | super-user | super-user
+get-peer-clusters | super-user | super-user
+get-failure-domain | super-user | super-user
+create-failure-domain | super-user | super-user
+update-failure-domain | super-user | super-user
+delete-failure-domain | super-user | super-user
+list-failure-domain | super-user | super-user
+
+#### brokers
+
+Command |Current Permissions | Proposed Permissions
+----|---|---
+list | super-user | super-user
+namespaces | super-user | super-user
+update-dynamic-config | super-user | super-user
+delete-dynamic-config | super-user | super-user
+list-dynamic-config | super-user | super-user
+get-all-dynamic-config | super-user | super-user
+get-internal-config | super-user | super-user admin(read)
+get-runtime-config | super-user | super-user and admin(read)
+healthcheck | super-user | super-user
+
+#### broker-stats
+
+Command |Current Permissions | Proposed Permissions
+----|---|---
+monitoring-metrics | super-user | super-user admin(read)
+mbeans | super-user | super-user
+topics | super-user | super-user
+allocator-stats | super-user | super-user
+load-report | super-user | super-user
+
+#### functions-worker
+
+Command |Current Permissions | Proposed Permissions
+----|---|---
+function-stats | super-user | super-user and admin(read)
+monitoring-metrics | super-user | super-user admin(read)
+get-cluster | super-user | super-user admin(read)
+get-cluster-leader | super-user | super-user and admin(read)
+get-function-assignments | super-user | super-user and admin(read)
+
+#### resource-quotas
+
+Command |Current Permissions | Proposed Permissions
+----|---|---
+get | super-user | super-user and admin(read)
+set | super-user | super-user
+reset-namespace-bundle-quota | super-user | super-user
 
-### tenants
+#### ns-isolation-policy
 
 Command |Current Permissions | Proposed Permissions
 ----|---|---
-get | super-user | >= tenant admin
+get | super-user | super-user and admin(read)
+set | super-user | super-user
+list | super-user | super-user
+delete | super-user | super-user
+brokers | super-user | super-user
+broker | super-user | super-user
+
+#### tenants
+
+Command |Current Permissions | Proposed Permissions
+----|---|---
+get | super-user | super-user and admin(read)
 create | super-user | super user
 update | super-user | super user
 delete | super-user | super user
 list | super-user | super user
 
-### schemas
+### user
+#### schemas
 
 Command |Current Permissions | Proposed Permissions
 ----|---|---
-get | tenant admin | >= namespace produce
-upload | tenant admin | >= namespace produce
-extract | tenant admin | >= namespace produce
-delete | tenant admin | >= namespace produce
+get | tenant admin | >= client produce
+upload | tenant admin | >= client produce
+extract | tenant admin | >= client produce
+delete | tenant admin | >= client produce
 
 
-### functions
+#### functions
 
 Command |Current Permissions | Proposed Permissions
 ----|---|---
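Review bot: The role table drops the `Super user` row and renumbers the levels, but every operation table added below still keys on `super-user`, and the new values `admin(read)` and `client produce` name roles the table does not list (it still says `Namespace produce`). Keep a super-user row or explain why it sits outside the levels, and use one spelling throughout: the Proposed column mixes `super-user and admin(read)`, `super-user admin(read)` (get-internal-config, monitoring-metrics, get-cluster) and `super user` (tenants). The schemas `delete` row at `>= client produce` also lets any producer remove a schema; consider requiring namespace admin for it.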
@@ -76,7 +156,7 @@ querystate | super-user or tenant admin or namespace 
function | >= namespace fun
 trigger | super-user or tenant admin or namespace function | >= namespace 
function
 putstate | super-user or tenant admin or namespace function | >= namespace 
function
 
-### sources
+#### sources
 
 Command |Current Permissions | Proposed Permissions
 ----|---|---
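Review bot: The context rows around the `#### sources` heading still read `>= namespace function`, while the schemas and topics tables in this commit switch to `client produce` and `client consume`. The new introduction places function under client as well, so rename the functions, sources and sinks rows in the same commit; otherwise the PIP carries two names for one role level.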
@@ -91,7 +171,7 @@ start | super-user or tenant admin or namespace function | 
>= namespace function
 list | super-user or tenant admin or namespace function | >= namespace function
 restart | super-user or tenant admin or namespace function | >= namespace 
function
 
-### sinks
+#### sinks
 
 Command |Current Permissions | Proposed Permissions
 ----|---|---
@@ -106,7 +186,7 @@ start | super-user or tenant admin or namespace function | 
>= namespace function
 list | super-user or tenant admin or namespace function | >= namespace function
 restart | super-user or tenant admin or namespace function | >= namespace 
function
 
-### topics
+#### topics
 
 Command |Current Permissions | Proposed Permissions
 ----|---|---
@@ -117,34 +197,33 @@ offload-status | tenant admin | >= namespace admin
 create-partitioned-topic | tenant admin | >= namespace admin
 delete-partitioned-topic | tenant admin | >= namespace admin
 create | tenant admin | >= namespace admin
-get-partitioned-topic-metadata | tenant admin | >= (namespace produce or 
namespace consume)
+get-partitioned-topic-metadata | tenant admin | >= client (produce and consume)
 update-partitioned-topic | tenant admin | >= namespace admin
 list | tenant admin | >= namespace admin
 terminate | tenant admin | >= namespace admin
 permissions | tenant admin | >= namespace admin
 grant-permission | tenant admin | >= namespace admin
 revoke-permission | tenant admin | >= namespace admin
-lookup | namespace produce or namespace consume | >= (namespace produce or 
namespace consume)
-bundle-range | super-user |>=(namespace produce or namespace consume)
+lookup | namespace produce or namespace consume | >= client (produce and 
consume)
+bundle-range | super-user | >= namespace admin
 delete | tenant admin | >= namespace admin
 unload | super-user | >= namespace admin
-create-subscription | tenant admin | >= namespace consume
-stats | tenant admin | >= (namespace produce or namespace consume)
-stats-internal | tenant admin | >= (namespace produce or namespace consume)
-info-internal | tenant admin | >= (namespace produce or namespace consume)
-partitioned-stats | tenant admin | >= (namespace produce or namespace consume)
-skip-all | tenant admin | >= namespace consume
-expire-messages-all-subscriptions | tenant admin | >= namespace consume
-last-message-id | tenant admin | >= namespace consume
-create-subscription | tenant admin and namespace produce or consume | >= 
namespace consume
-unsubscribe | tenant admin and namespace consume | >= namespace consume
-skip | tenant admin or namespace consume | >= namespace consume
-expire-messages | teannt admin and namespace produce or consume | >= namespace 
consume
-peek-messages | teannt admin and namespace produce or consume | >= namespace 
consume
-reset-cursor | teannt admin and namespace produce or consume | >=  namespace 
consume
-subscriptions | teannt admin and namespace produce or consume | >= namespace 
consume
-
-### namespaces
+create-subscription | tenant admin | >= client consume
+stats | tenant admin | >= client (produce and consume)
+stats-internal | tenant admin | >= client (produce and consume)
+info-internal | tenant admin | >= client (produce and consume)
+partitioned-stats | tenant admin | >= client (produce and consume)
+skip-all | tenant admin | >= namespace admin
+expire-messages-all-subscriptions | tenant admin | >= namespace admin
+last-message-id | tenant admin | >= namespace admin
+create-subscription | tenant admin and namespace produce or consume | >= 
client consume
+unsubscribe | tenant admin and namespace consume | >= client consume
+skip | tenant admin or namespace consume | >= client consume
+expire-messages | tenant admin and namespace produce or consume | >= client 
consume
+peek-messages | tenant admin and namespace produce or consume | >= client 
consume
+reset-cursor | tenant admin and namespace produce or consume | >=  client 
consume
+subscriptions | tenant admin and namespace produce or consume | >= client 
consume
+#### namespaces
 
 Command |Current Permissions | Proposed Permissions
 ----|---|---
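Review bot: `>= client (produce and consume)` on get-partitioned-topic-metadata, lookup, stats, stats-internal, info-internal and partitioned-stats replaces `>= (namespace produce or namespace consume)`, and "and" reads as requiring both grants, which would shut a produce-only or consume-only client out of lookup. If either grant is meant to suffice, write "produce or consume". In the same table, `create-subscription` is listed twice with different current permissions, and skip-all and expire-messages-all-subscriptions move to namespace admin while skip and expire-messages stay at client consume with no reason given. Add a blank line before `#### namespaces` so the heading is clearly separated from the last table row.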
@@ -159,123 +238,53 @@ grant-permissions | tenant admin | >= namespace admin
 revoke-permissions | tenant admin | >= namespace admin
 grant-subscription-permission | tenant admin | >= namespace admin
 revoke-subscription-permission | tenant admin | >= namespace admin
-set-clusters | tenant admin | super-user
-get-clusters | tenant admin | >= (namespace produce or namespace consume or 
namespace function)
-get-backlog-quotas | tenant admin | >= (namespace produce or namespace consume 
or namespace function)
+set-clusters | tenant admin | namespace admin
+get-clusters | tenant admin | client admin
+get-backlog-quotas | tenant admin | client admin
 set-backlog-quota | tenant admin | >= namespace admin
 remove-backlog-quota | tenant admin | >= namespace admin
-get-persistence | tenant admin | >= (namespace produce or namespace consume or 
namespace function)
-get-backlog-quotas | tenant admin | >= (namespace produce or namespace consume 
or namespace function)
+get-persistence | tenant admin | client admin
+get-backlog-quotas | tenant admin | client admin
 set-backlog-quota | tenant admin | >= namespace admin
 remove-backlog-quota | tenant admin | >= namespace admin
-get-persistence | tenant admin | >= (namespace produce or namespace consume or 
namespace function)
+get-persistence | tenant admin | client admin
 set-persistence | tenant admin | >= namespace admin
-get-message-ttl | tenant admin | >= (namespace produce or namespace consume or 
namespace function)
+get-message-ttl | tenant admin | client admin
 set-message-ttl | tenant admin | >= namespace admin
-get-anti-affinity-group | tenant admin | >= (namespace produce or namespace 
consume or namespace function)
-set-anti-affinity-group | tenant admin | super-user
-delete-anti-affinity-group | tenant admin | super-user
-get-anti-affinity-namespaces | tenant admin | >= (namespace produce or 
namespace consume or namespace function)
-get-retention | tenant admin | >= (namespace produce or namespace consume or 
namespace function)
+get-anti-affinity-group | tenant admin | client admin
+set-anti-affinity-group | tenant admin | namespace admin
+delete-anti-affinity-group | tenant admin | namespace admin
+get-anti-affinity-namespaces | tenant admin | client admin
+get-retention | tenant admin | client admin
 set-retention | tenant admin | >= namespace admin
 unload | super-user | >= namespace admin
-set-replicator-dispatch-rate | super-user |  super-user
-get-replicator-dispatch-rate | tenant admin | >= (namespace produce or 
namespace consume or namespace function)
-split-bundle | super-user | >= namespace admin
-set-dispatch-rate | super-user | >= namespace admin
-get-dispatch-rate | tenant admin | >= (namespace produce or namespace consume 
or namespace function)
-get-subscribe-rate | tenant admin | >= (namespace produce or namespace consume 
or namespace function)
-set-subscribe-rate | super-user | >= namespace admin
-set-subscription-dispatch-rate | super-user | >= namespace admin
-get-subscription-dispatch-rate | tenant admin | >= (namespace produce or 
namespace consume or namespace function)
+set-replicator-dispatch-rate | super-user |  namespace admin
+get-replicator-dispatch-rate | tenant admin | namespace admin
+split-bundle | super-user | namespace admin
+set-dispatch-rate | super-user | namespace admin
+get-dispatch-rate | tenant admin | client admin
+get-subscribe-rate | tenant admin | client admin
+set-subscribe-rate | super-user | namespace admin
+set-subscription-dispatch-rate | super-user | namespace admin
+get-subscription-dispatch-rate | tenant admin | client admin
 clear-backlog | tenant admin | >= namespace admin
 unsubscribe | tenant admin | >= namespace admin
 set-encryption-required | tenant admin | >= namespace admin
 set-subscription-auth-mode | tenant admin | >= namespace admin
-get-max-producers-per-topic | tenant admin | >= (namespace produce or 
namespace consume or namespace function)
-set-max-producers-per-topic | super-user | >= namespace admin
-get-max-consumers-per-topic | tenant admin | >= (namespace produce or 
namespace consume or namespace function)
-set-max-consumers-per-topic | super-user | >= namespace admin
-get-max-consumers-per-subscription | tenant admin | >= (namespace produce or 
namespace consume or namespace function)
-set-max-consumers-per-subscription | super-user | >= namespace admin
-get-compaction-threshold | tenant admin | >= (namespace produce or namespace 
consume or namespace function)
-set-compaction-threshold | super-user | >= namespace admin
-get-offload-threshold | tenant admin | >= (namespace produce or namespace 
consume or namespace function)
-set-offload-threshold | super-user | >= namespace admin
-get-offload-deletion-lag | tenant admin | >= (namespace produce or namespace 
consume or namespace function)
-set-offload-deletion-lag | super-user | >= namespace admin
-clear-offload-deletion-lag | super-user | >= namespace admin
-get-schema-autoupdate-strategy | tenant admin | >= (namespace produce or 
namespace consume or namespace function)
-set-schema-autoupdate-strategy | super-user | >= namespace admin
-set-schema-validation-enforced | super-user | >= namespace admin
-get-schema-validation-enforced | tenant admin | >= (namespace produce or 
namespace consume or namespace function)
-
-### clusters
-
-Command |Current Permissions | Proposed Permissions
-----|---|---
-get | super-user | super-user
-create | super-user | super-user
-update | super-user | super-user
-delete | super-user | super-user
-list | super-user | super-user
-update-peer-clusters | super-user | super-user
-get-peer-clusters | super-user | super-user
-get-failure-domain | super-user | super-user
-create-failure-domain | super-user | super-user
-update-failure-domain | super-user | super-user
-delete-failure-domain | super-user | super-user
-list-failure-domain | super-user | super-user
-
-### brokers
-
-Command |Current Permissions | Proposed Permissions
-----|---|---
-list | super-user | super-user
-namespaces | super-user | super-user
-update-dynamic-config | super-user | super-user
-delete-dynamic-config | super-user | super-user
-list-dynamic-config | super-user | super-user
-get-all-dynamic-config | super-user | super-user
-get-internal-config | super-user | super-user
-get-runtime-config | super-user | super-user
-healthcheck | super-user | super-user
-
-### broker-stats
-
-Command |Current Permissions | Proposed Permissions
-----|---|---
-monitoring-metrics | super-user | super-user
-mbeans | super-user | super-user
-topics | super-user | super-user
-allocator-stats | super-user | super-user
-load-report | super-user | super-user
-
-### functions-worker
-
-Command |Current Permissions | Proposed Permissions
-----|---|---
-function-stats | super-user | super-user
-monitoring-metrics | super-user | super-user
-get-cluster | super-user | super-user
-get-cluster-leader | super-user | super-user
-get-function-assignments | super-user | super-user
-
-### resource-quotas
-
-Command |Current Permissions | Proposed Permissions
-----|---|---
-get | super-user | super-user
-set | super-user | super-user
-reset-namespace-bundle-quota | super-user | super-user
-
-### ns-isolation-policy
-
-Command |Current Permissions | Proposed Permissions
-----|---|---
-get | super-user | super-user
-set | super-user | super-user
-list | super-user | super-user
-delete | super-user | super-user
-brokers | super-user | super-user
-broker | super-user | super-user
+get-max-producers-per-topic | tenant admin | client admin
+set-max-producers-per-topic | super-user | namespace admin
+get-max-consumers-per-topic | tenant admin | client admin
+set-max-consumers-per-topic | super-user | namespace admin
+get-max-consumers-per-subscription | tenant admin |client admin
+get-compaction-threshold | tenant admin | client admin
+get-offload-threshold | tenant admin | client admin
+get-offload-deletion-lag | tenant admin | client admin
+get-schema-autoupdate-strategy | tenant admin | client admin
+get-schema-validation-enforced | tenant admin | client admin
+set-schema-autoupdate-strategy | super-user | namespace admin
+set-schema-validation-enforced | super-user | namespace admin
+set-offload-deletion-lag | super-user | namespace admin
+clear-offload-deletion-lag | super-user | namespace admin
+set-offload-threshold | super-user | namespace admin
+set-compaction-threshold | super-user | namespace admin
+set-max-consumers-per-subscription | super-user | namespace admin
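Review bot: `client admin` in the get-* rows is not a role defined anywhere in the PIP: the introduction treats admin and client as separate groups and the role table lists neither name, so state which role level is meant. The rewritten rows also drop the `>=` prefix (`namespace admin` rather than `>= namespace admin`), which leaves it unclear whether tenant admin still inherits these commands. set-clusters, set-anti-affinity-group and delete-anti-affinity-group go from super-user to namespace admin in the Proposed column, a loosening that needs a rationale, and get-replicator-dispatch-rate requires namespace admin while the other get-* rows in this hunk are client admin. The duplicated get-backlog-quotas, set-backlog-quota, remove-backlog-quota and get-persistence rows could be removed while the table is being rewritten.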
