This is an automated email from the ASF dual-hosted git repository.
rxl pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/pulsar.wiki.git
The following commit(s) were added to refs/heads/master by this push:
new 12f3a09 Updated PIP 49: Permission levels and inheritance (markdown)
12f3a09 is described below
commit 12f3a0986bf23d1a22886b1284c214752ad8c5bd
Author: 冉小龙 <[email protected]>
AuthorDate: Mon Nov 11 11:38:58 2019 +0800
Updated PIP 49: Permission levels and inheritance (markdown)
---
PIP-49:-Permission-levels-and-inheritance.md | 358 ++++++++++++---------------
1 file changed, 161 insertions(+), 197 deletions(-)
diff --git a/PIP-49:-Permission-levels-and-inheritance.md
b/PIP-49:-Permission-levels-and-inheritance.md
index 26ec2e8..e5c2dec 100644
--- a/PIP-49:-Permission-levels-and-inheritance.md
+++ b/PIP-49:-Permission-levels-and-inheritance.md
@@ -6,51 +6,15 @@
## Motivation
-Lacking permission levels and inheritance causing the permission check in
Pulsar become very confused.
-
-For example, currently Pulsar only allows a tenant administrator to retrieve
the list of topics of a namespace. However, if you are a namespace
administrator, you are not allowed to list the topics of it. This behavior is
strange and uncommon compared to other RBAC systems.
-
-In fact, we can split the permissions management into two parts. One part is
**operation**, which is mainly responsible for resource(cluster or broker)
allocation and management. The other part is **user**, responsible for the
specific operation. In the user's permissions, we can further split them into
two parts: admin and client. The **admin** contains tenant admin and namespace
admin with inheritance relationship between them. The **client** contains
produce, consume and function(if [...]
-
-For different permissions, they have different read and write permissions. The
**super user** has read and write access to the admin, but the admin can only
read it. Similarly, The **admin** has read and write access to the client, but
the client can only read it.
-
-> Note: The client can only read the permissions of the admin that it
currently belongs to, and can not read other admin information.
-
-
-
-This PIP proposes introducing permission levels and inheritance into Pulsar
authorization system to make permission check clearer across Pulsar codebase.
-
-## Permission levels & inheritance
-
-This PIP proposes adding permission level for each role. The permission level
is determined by a number. The lower number gets higher permission. The role
with higher level permission will inherit all the permissions from lower level
roles. The roles at the same permission level can’t inherit the permissions
from others.
-
-
-The following table illustrates all the roles in Pulsar and their permission
levels.
-
-
-| Role| Permission Level
-|---|---
-| Tenant admin | 1
-| Namespace admin | 2
-| Namespace function | 3 |
-| Namespace produce | 3 |
-| Namespace consume | 3 |
-
-> Note: The `Namespace function`, `Namespace produce` and `Namespace consume`
are at the same permission level. They can’t inherit the permissions from each
other.
-## Proposed Permission Changes
-
+The current pulsar admin's permission mechanism is somewhat confusing. There
are some commands that have unreasonable permission verification, which causes
pulsar's permission management to be incorrectly applied in pulsar admin.
This PIP proposes the following permission changes for each admin API.
-
-### operation
-
-
-#### clusters
+### clusters
Command |Current Permissions | Proposed Permissions
----|---|---
-get | super-user | super-user and admin(read)
+get | super-user | super-user
create | super-user | super-user
update | super-user | super-user
delete | super-user | super-user
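Review bot: The replacement Motivation paragraph ("There are some commands that have unreasonable permission verification") no longer names a single affected command, whereas the removed text gave the concrete case of a namespace administrator being unable to list the topics of its own namespace. Keep one such example. This hunk also deletes the role table, so add a short definition of the roles the tables below still refer to (tenant admin, function, produce, consume). The clusters `get` row drops `admin(read)` and goes back to `super-user` without the text saying why read access was withdrawn; a sentence of rationale would help readers comparing the two revisions.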
@@ -63,7 +27,7 @@ update-failure-domain | super-user | super-user
delete-failure-domain | super-user | super-user
list-failure-domain | super-user | super-user
-#### brokers
+### brokers
Command |Current Permissions | Proposed Permissions
----|---|---
@@ -73,218 +37,218 @@ update-dynamic-config | super-user | super-user
delete-dynamic-config | super-user | super-user
list-dynamic-config | super-user | super-user
get-all-dynamic-config | super-user | super-user
-get-internal-config | super-user | super-user admin(read)
-get-runtime-config | super-user | super-user and admin(read)
+get-internal-config | super-user | super-user
+get-runtime-config | super-user | super-user
healthcheck | super-user | super-user
-#### broker-stats
+### broker-stats
Command |Current Permissions | Proposed Permissions
----|---|---
-monitoring-metrics | super-user | super-user admin(read)
+monitoring-metrics | super-user | super-user
mbeans | super-user | super-user
topics | super-user | super-user
allocator-stats | super-user | super-user
load-report | super-user | super-user
-#### functions-worker
+### functions-worker
Command |Current Permissions | Proposed Permissions
----|---|---
-function-stats | super-user | super-user and admin(read)
-monitoring-metrics | super-user | super-user admin(read)
-get-cluster | super-user | super-user admin(read)
-get-cluster-leader | super-user | super-user and admin(read)
-get-function-assignments | super-user | super-user and admin(read)
+function-stats | super-user | super-user
+monitoring-metrics | super-user | super-user
+get-cluster | super-user | super-user
+get-cluster-leader | super-user | super-user
+get-function-assignments | super-user | super-user
-#### resource-quotas
+### resource-quotas
Command |Current Permissions | Proposed Permissions
----|---|---
-get | super-user | super-user and admin(read)
+get | super-user | super-user
set | super-user | super-user
reset-namespace-bundle-quota | super-user | super-user
-#### ns-isolation-policy
+### ns-isolation-policy
Command |Current Permissions | Proposed Permissions
----|---|---
-get | super-user | super-user and admin(read)
+get | super-user | super-user
set | super-user | super-user
list | super-user | super-user
delete | super-user | super-user
brokers | super-user | super-user
broker | super-user | super-user
-#### tenants
+### tenants
Command |Current Permissions | Proposed Permissions
----|---|---
-get | super-user | super-user and admin(read)
+get | super-user | super-user
create | super-user | super user
update | super-user | super user
delete | super-user | super user
list | super-user | super user
-### user
-#### schemas
+### schemas
Command |Current Permissions | Proposed Permissions
----|---|---
-get | tenant admin | >= client produce
-upload | tenant admin | >= client produce
-extract | tenant admin | >= client produce
-delete | tenant admin | >= client produce
+get | tenant admin | **super user and tenant admin and produce**
+upload | tenant admin | **super user and tenant admin and produce**
+extract | tenant admin | **super user and tenant admin and produce**
+delete | tenant admin | **super user and tenant admin and produce**
-#### functions
+### functions
Command |Current Permissions | Proposed Permissions
----|---|---
localrun | none | none
-create | super-user or tenant admin or namespace function | >= namespace
function
-delete | super-user or tenant admin or namespace function | >= namespace
function
-update | super-user or tenant admin or namespace function | >= namespace
function
-get | super-user or tenant admin or namespace function | >= namespace function
-restart | super-user or tenant admin or namespace function | >= namespace
function
-stop | super-user or tenant admin or namespace function | >= namespace function
-start | super-user or tenant admin or namespace function | >= namespace
function
-status | super-user or tenant admin or namespace function | >= namespace
function
-stats | super-user or tenant admin or namespace function | >= namespace
function
-list | super-user or tenant admin or namespace function | >= namespace function
-querystate | super-user or tenant admin or namespace function | >= namespace
function
-trigger | super-user or tenant admin or namespace function | >= namespace
function
-putstate | super-user or tenant admin or namespace function | >= namespace
function
-
-#### sources
+create | super-user and tenant admin and function | super-user and tenant
admin and function
+delete | super-user and tenant admin and function | super-user and tenant
admin and function
+update | super-user and tenant admin and function | super-user and tenant
admin and function
+get | super-user and tenant admin and function | super-user and tenant admin
and function
+restart | super-user and tenant admin and function | super-user and tenant
admin and function
+stop | super-user and tenant admin and function | super-user and tenant admin
and function
+start | super-user and tenant admin and function | super-user and tenant admin
and function
+status | super-user and tenant admin and function | super-user and tenant
admin and function
+stats | super-user and tenant admin and function | super-user and tenant admin
and function
+list | super-user and tenant admin and function | super-user and tenant admin
and function
+querystate | super-user and tenant admin and function | super-user and tenant
admin and function
+trigger | super-user and tenant admin and function | super-user and tenant
admin and function
+putstate | super-user and tenant admin and function | super-user and tenant
admin and function
+
+### sources
Command |Current Permissions | Proposed Permissions
----|---|---
localrun | none | none
-create | super-user or tenant admin or namespace function | >= namespace
function
-delete | super-user or tenant admin or namespace function | >= namespace
function
-update | super-user or tenant admin or namespace function | >= namespace
function
-get | none | >= namespace function
-status | super-user or tenant admin or namespace function | >= namespace
function
-stop | super-user or tenant admin or namespace function | >= namespace function
-start | super-user or tenant admin or namespace function | >= namespace
function
-list | super-user or tenant admin or namespace function | >= namespace function
-restart | super-user or tenant admin or namespace function | >= namespace
function
-
-#### sinks
+create | super-user and tenant admin and function | super-user and tenant
admin and function
+delete | super-user and tenant admin and function | super-user and tenant
admin and function
+update | super-user and tenant admin and function | super-user and tenant
admin and function
+get | none | **super-user and tenant admin and function**
+status | super-user and tenant admin and function | super-user and tenant
admin and function
+stop | super-user and tenant admin and function | super-user and tenant admin
and function
+start | super-user and tenant admin and function | super-user and tenant admin
and function
+list | super-user and tenant admin and function | super-user and tenant admin
and function
+restart | super-user and tenant admin and function | super-user and tenant
admin and function
+
+### sinks
Command |Current Permissions | Proposed Permissions
----|---|---
localrun | none | none
-create | super-user or tenant admin or namespace function | >= namespace
function
-delete | super-user or tenant admin or namespace function | >= namespace
function
-update | super-user or tenant admin or namespace function | >= namespace
function
-get | none | >= namespace function
-status | super-user or tenant admin or namespace function | >= namespace
function
-stop | super-user or tenant admin or namespace function | >= namespace function
-start | super-user or tenant admin or namespace function | >= namespace
function
-list | super-user or tenant admin or namespace function | >= namespace function
-restart | super-user or tenant admin or namespace function | >= namespace
function
-
-#### topics
-
-Command |Current Permissions | Proposed Permissions
+create | super-user and tenant admin and function | super-user and tenant
admin and function
+delete | super-user and tenant admin and function | super-user and tenant
admin and function
+update | super-user and tenant admin and function | super-user and tenant
admin and function
+get | none | **super-user and tenant admin and function**
+status | super-user and tenant admin and function | super-user and tenant
admin and function
+stop | super-user and tenant admin and function | super-user and tenant admin
and function
+start | super-user and tenant admin and function | super-user and tenant admin
and function
+list | super-user and tenant admin and function | super-user and tenant admin
and function
+restart | super-user and tenant admin and function| super-user and tenant
admin and function
+
+### topics
+
+Command | Current Permissions | Proposed Permissions
----|---|---
-compact | tenant admin | >= namespace admin
-compaction-status | tenant admin | >= namespace admin
-offload | tenant admin | >= namespace admin
-offload-status | tenant admin | >= namespace admin
-create-partitioned-topic | tenant admin | >= namespace admin
-delete-partitioned-topic | tenant admin | >= namespace admin
-create | tenant admin | >= namespace admin
-get-partitioned-topic-metadata | tenant admin | >= client (produce and consume)
-update-partitioned-topic | tenant admin | >= namespace admin
-list | tenant admin | >= namespace admin
-terminate | tenant admin | >= namespace admin
-permissions | tenant admin | >= namespace admin
-grant-permission | tenant admin | >= namespace admin
-revoke-permission | tenant admin | >= namespace admin
-lookup | namespace produce or namespace consume | >= client (produce and
consume)
-bundle-range | super-user | >= namespace admin
-delete | tenant admin | >= namespace admin
-unload | super-user | >= namespace admin
-create-subscription | tenant admin | >= client consume
-stats | tenant admin | >= client (produce and consume)
-stats-internal | tenant admin | >= client (produce and consume)
-info-internal | tenant admin | >= client (produce and consume)
-partitioned-stats | tenant admin | >= client (produce and consume)
-skip-all | tenant admin | >= namespace admin
-expire-messages-all-subscriptions | tenant admin | >= namespace admin
-last-message-id | tenant admin | >= namespace admin
-create-subscription | tenant admin and namespace produce or consume | >=
client consume
-unsubscribe | tenant admin and namespace consume | >= client consume
-skip | tenant admin or namespace consume | >= client consume
-expire-messages | tenant admin and namespace produce or consume | >= client
consume
-peek-messages | tenant admin and namespace produce or consume | >= client
consume
-reset-cursor | tenant admin and namespace produce or consume | >= client
consume
-subscriptions | tenant admin and namespace produce or consume | >= client
consume
-#### namespaces
+compact | tenant admin | **super user and tenant admin**
+compaction-status | tenant admin | **super user and tenant admin**
+offload | tenant admin | **super user and tenant admin**
+offload-status | tenant admin | **super user and tenant admin**
+create-partitioned-topic | tenant admin | **super user and tenant admin**
+delete-partitioned-topic | tenant admin | **super user and tenant admin**
+create | tenant admin | **super user and tenant admin**
+get-partitioned-topic-metadata | tenant admin | **super user and tenant admin
and produce and consume**
+update-partitioned-topic | tenant admin | **super user and tenant admin**
+list | tenant admin | **super user and tenant admin**
+terminate | tenant admin | **super user and tenant admin**
+permissions | tenant admin | **super user and tenant admin**
+grant-permission | tenant admin | **super user and tenant admin**
+revoke-permission | tenant admin | **super user and tenant admin**
+lookup | produce or consume | **super user and tenant admin and produce and
consume**
+bundle-range | super-user | super user
+delete | tenant admin | **super user and tenant admin**
+unload | super-user | super user
+create-subscription | tenant admin | **super user and tenant admin and
consume**
+stats | tenant admin | **super user and tenant admin and produce and consume**
+stats-internal | tenant admin | **super user and tenant admin and produce and
consume**
+info-internal | tenant admin | **super user and tenant admin and produce and
consume**
+partitioned-stats | tenant admin | **super user and tenant admin and produce
and consume**
+skip-all | tenant admin | **super user and tenant admin**
+expire-messages-all-subscriptions | tenant admin | **super user and tenant
admin**
+last-message-id | tenant admin | **super user and tenant admin**
+create-subscription | tenant admin and namespace produce or consume | **super
user and tenant admin and produce and consume**
+unsubscribe | tenant admin and consume | **super user and tenant admin and
consume**
+skip | tenant admin or consume | **super user and tenant admin and consume**
+expire-messages | tenant admin and produce or consume | **super user and
tenant admin and consume**
+peek-messages | tenant admin and produce or consume | **super user and tenant
admin and consume**
+reset-cursor | tenant admin and produce or consume | **super user and tenant
admin and consume**
+subscriptions | tenant admin and produce or consume | **super user and tenant
admin and consume**
+
+### namespaces
Command |Current Permissions | Proposed Permissions
----|---|---
-list | tenant admin | >= namespace admin
-topics | tenant admin | >= namespace admin
-policies | tenant admin | >= namespace admin
-create | tenant admin | >= namespace admin
-delete | tenant admin | >= namespace admin
-set-deduplication | tenant admin | >= namespace admin
-permissions | tenant admin | >= namespace admin
-grant-permissions | tenant admin | >= namespace admin
-revoke-permissions | tenant admin | >= namespace admin
-grant-subscription-permission | tenant admin | >= namespace admin
-revoke-subscription-permission | tenant admin | >= namespace admin
-set-clusters | tenant admin | namespace admin
-get-clusters | tenant admin | client admin
-get-backlog-quotas | tenant admin | client admin
-set-backlog-quota | tenant admin | >= namespace admin
-remove-backlog-quota | tenant admin | >= namespace admin
-get-persistence | tenant admin | client admin
-get-backlog-quotas | tenant admin | client admin
-set-backlog-quota | tenant admin | >= namespace admin
-remove-backlog-quota | tenant admin | >= namespace admin
-get-persistence | tenant admin | client admin
-set-persistence | tenant admin | >= namespace admin
-get-message-ttl | tenant admin | client admin
-set-message-ttl | tenant admin | >= namespace admin
-get-anti-affinity-group | tenant admin | client admin
-set-anti-affinity-group | tenant admin | namespace admin
-delete-anti-affinity-group | tenant admin | namespace admin
-get-anti-affinity-namespaces | tenant admin | client admin
-get-retention | tenant admin | client admin
-set-retention | tenant admin | >= namespace admin
-unload | super-user | >= namespace admin
-set-replicator-dispatch-rate | super-user | namespace admin
-get-replicator-dispatch-rate | tenant admin | namespace admin
-split-bundle | super-user | namespace admin
-set-dispatch-rate | super-user | namespace admin
-get-dispatch-rate | tenant admin | client admin
-get-subscribe-rate | tenant admin | client admin
-set-subscribe-rate | super-user | namespace admin
-set-subscription-dispatch-rate | super-user | namespace admin
-get-subscription-dispatch-rate | tenant admin | client admin
-clear-backlog | tenant admin | >= namespace admin
-unsubscribe | tenant admin | >= namespace admin
-set-encryption-required | tenant admin | >= namespace admin
-set-subscription-auth-mode | tenant admin | >= namespace admin
-get-max-producers-per-topic | tenant admin | client admin
-set-max-producers-per-topic | super-user | namespace admin
-get-max-consumers-per-topic | tenant admin | client admin
-set-max-consumers-per-topic | super-user | namespace admin
-get-max-consumers-per-subscription | tenant admin |client admin
-get-compaction-threshold | tenant admin | client admin
-get-offload-threshold | tenant admin | client admin
-get-offload-deletion-lag | tenant admin | client admin
-get-schema-autoupdate-strategy | tenant admin | client admin
-get-schema-validation-enforced | tenant admin | client admin
-set-schema-autoupdate-strategy | super-user | namespace admin
-set-schema-validation-enforced | super-user | namespace admin
-set-offload-deletion-lag | super-user | namespace admin
-clear-offload-deletion-lag | super-user | namespace admin
-set-offload-threshold | super-user | namespace admin
-set-compaction-threshold | super-user | namespace admin
-set-max-consumers-per-subscription | super-user | namespace admin
+list | tenant admin | **super user and tenant admin**
+topics | tenant admin | **super user and tenant admin**
+policies | tenant admin | **super user and tenant admin**
+create | tenant admin | **super user and tenant admin**
+delete | tenant admin | **super user and tenant admin**
+set-deduplication | tenant admin | **super user and tenant admin**
+permissions | tenant admin | **super user and tenant admin**
+grant-permissions | tenant admin | **super user and tenant admin**
+revoke-permissions | tenant admin | **super user and tenant admin**
+grant-subscription-permission | tenant admin | **super user and tenant admin**
+revoke-subscription-permission | tenant admin | **super user and tenant admin**
+set-clusters | tenant admin | **super user and tenant admin**
+get-clusters | tenant admin | **super user and tenant admin**
+get-backlog-quotas | tenant admin | **super user and tenant admin**
+set-backlog-quota | tenant admin | **super user and tenant admin**
+remove-backlog-quota | tenant admin | **super user and tenant admin**
+get-persistence | tenant admin | **super user and tenant admin**
+get-backlog-quotas | tenant admin | **super user and tenant admin**
+set-backlog-quota | tenant admin | **super user and tenant admin**
+remove-backlog-quota | tenant admin | **super user and tenant admin**
+get-persistence | tenant admin | **super user and tenant admin**
+set-persistence | tenant admin | **super user and tenant admin**
+get-message-ttl | tenant admin | **super user and tenant admin**
+set-message-ttl | tenant admin | **super user and tenant admin**
+get-anti-affinity-group | tenant admin | **super user and tenant admin**
+set-anti-affinity-group | tenant admin | **super user and tenant admin**
+delete-anti-affinity-group | tenant admin | **super user and tenant admin**
+get-anti-affinity-namespaces | tenant admin | **super user and tenant admin**
+get-retention | tenant admin | **super user and tenant admin**
+set-retention | tenant admin | **super user and tenant admin**
+unload | super-user | super user
+set-replicator-dispatch-rate | super-user | super user
+get-replicator-dispatch-rate | tenant admin | **super user and tenant admin**
+split-bundle | super-user | super user
+set-dispatch-rate | super-user | super user
+get-dispatch-rate | tenant admin | **super user and tenant admin**
+get-subscribe-rate | tenant admin | **super user and tenant admin**
+set-subscribe-rate | super-user | super user
+set-subscription-dispatch-rate | super-user | super user
+get-subscription-dispatch-rate | tenant admin | **super user and tenant admin**
+clear-backlog | tenant admin | **super user and tenant admin**
+unsubscribe | tenant admin | **super user and tenant admin**
+set-encryption-required | tenant admin | **super user and tenant admin**
+set-subscription-auth-mode | tenant admin | **super user and tenant admin**
+get-max-producers-per-topic | tenant admin | **super user and tenant admin**
+set-max-producers-per-topic | super-user | super user
+get-max-consumers-per-topic | tenant admin | **super user and tenant admin**
+set-max-consumers-per-topic | super-user | super user
+get-max-consumers-per-subscription | tenant admin |**super user and tenant
admin**
+get-compaction-threshold | tenant admin | **super user and tenant admin**
+get-offload-threshold | tenant admin | **super user and tenant admin**
+get-offload-deletion-lag | tenant admin | **super user and tenant admin**
+get-schema-autoupdate-strategy | tenant admin | **super user and tenant admin**
+get-schema-validation-enforced | tenant admin | **super user and tenant admin**
+set-schema-autoupdate-strategy | super-user | super user
+set-schema-validation-enforced | super-user | super user
+set-offload-deletion-lag | super-user | super user
+clear-offload-deletion-lag | super-user | super user
+set-offload-threshold | super-user | super user
+set-compaction-threshold | super-user | super user
+set-max-consumers-per-subscription | super-user | super user
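Review bot: Throughout the Proposed Permissions column in this hunk, roles are joined with "and" (for example `**super user and tenant admin and produce**` on the schemas rows), which reads as requiring every listed role at once. The functions, sources and sinks rows also rewrite the Current column from "or" to "and", so the documented current behaviour changes on paper. If any one of the listed roles is meant to suffice, write "or" or state the any-of rule once above the tables. In the topics table `create-subscription` appears twice with different proposals (`consume` in one row, `produce and consume` in the other), which leaves it unclear whether a produce-only role may create subscriptions. The namespaces table repeats the `get-backlog-quotas`, `set-backlog-quota`, `remove-backlog-quota` and `get-persistence` rows. The schemas `upload` and `delete` rows grant the `produce` role the same access as `get`; confirm that a produce-only client deleting schemas is intended. Finally, settle on one spelling of `super-user` / `super user`, since both appear within the same tables.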