This is an automated email from the ASF dual-hosted git repository. rxl pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/pulsar.wiki.git
The following commit(s) were added to refs/heads/master by this push:
     new 12f3a09  Updated PIP 49: Permission levels and inheritance (markdown)
12f3a09 is described below

commit 12f3a0986bf23d1a22886b1284c214752ad8c5bd
Author: 冉小龙 <rxl5555...@qq.com>
AuthorDate: Mon Nov 11 11:38:58 2019 +0800

    Updated PIP 49: Permission levels and inheritance (markdown)
---
 PIP-49:-Permission-levels-and-inheritance.md | 358 ++++++++++++--------------
 1 file changed, 161 insertions(+), 197 deletions(-)

diff --git a/PIP-49:-Permission-levels-and-inheritance.md b/PIP-49:-Permission-levels-and-inheritance.md
index 26ec2e8..e5c2dec 100644
--- a/PIP-49:-Permission-levels-and-inheritance.md
+++ b/PIP-49:-Permission-levels-and-inheritance.md
@@ -6,51 +6,15 @@ ## Motivation -Lacking permission levels and inheritance causing the permission check in Pulsar become very confused. - -For example, currently Pulsar only allows a tenant administrator to retrieve the list of topics of a namespace. However, if you are a namespace administrator, you are not allowed to list the topics of it. This behavior is strange and uncommon compared to other RBAC systems. - -In fact, we can split the permissions management into two parts. One part is **operation**, which is mainly responsible for resource(cluster or broker) allocation and management. The other part is **user**, responsible for the specific operation. In the user's permissions, we can further split them into two parts: admin and client. The **admin** contains tenant admin and namespace admin with inheritance relationship between them. The **client** contains produce, consume and function(if [...] - -For different permissions, they have different read and write permissions. The **super user** has read and write access to the admin, but the admin can only read it. Similarly, The **admin** has read and write access to the client, but the client can only read it. - -> Note: The client can only read the permissions of the admin that it currently belongs to, and can not read other admin information. - -![pip49.png](https://upload-images.jianshu.io/upload_images/6967649-d8eae37481894c5e.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240) - -This PIP proposes introducing permission levels and inheritance into Pulsar authorization system to make permission check clearer across Pulsar codebase. - -## Permission levels & inheritance - -This PIP proposes adding permission level for each role. The permission level is determined by a number. The lower number gets higher permission. The role with higher level permission will inherit all the permissions from lower level roles. The roles at the same permission level can’t inherit the permissions from others. 
- - -The following table illustrates all the roles in Pulsar and their permission levels. - - -| Role| Permission Level -|---|--- -| Tenant admin | 1 -| Namespace admin | 2 -| Namespace function | 3 | -| Namespace produce | 3 | -| Namespace consume | 3 | - -> Note: The `Namespace function`, `Namespace produce` and `Namespace consume` are at the same permission level. They can’t inherit the permissions from each other. -## Proposed Permission Changes - +The current pulsar admin's permission mechanism is somewhat confusing. There are some commands that have unreasonable permission verification, which causes pulsar's permission management to be incorrectly applied in pulsar admin. This PIP proposes the following permission changes for each admin API. - -### operation - - -#### clusters +### clusters Command |Current Permissions | Proposed Permissions ----|---|--- -get | super-user | super-user and admin(read) +get | super-user | super-user create | super-user | super-user update | super-user | super-user delete | super-user | super-user @@ -63,7 +27,7 @@ update-failure-domain | super-user | super-user delete-failure-domain | super-user | super-user list-failure-domain | super-user | super-user -#### brokers +### brokers Command |Current Permissions | Proposed Permissions ----|---|--- 
@@ -73,218 +37,218 @@ update-dynamic-config | super-user | super-user delete-dynamic-config | super-user | super-user list-dynamic-config | super-user | super-user get-all-dynamic-config | super-user | super-user -get-internal-config | super-user | super-user admin(read) -get-runtime-config | super-user | super-user and admin(read) +get-internal-config | super-user | super-user +get-runtime-config | super-user | super-user healthcheck | super-user | super-user -#### broker-stats +### broker-stats Command |Current Permissions | Proposed Permissions ----|---|--- -monitoring-metrics | super-user | super-user admin(read) +monitoring-metrics | super-user | super-user mbeans | super-user | super-user topics | super-user | super-user allocator-stats | super-user | super-user load-report | super-user | super-user -#### functions-worker +### functions-worker Command |Current Permissions | Proposed Permissions ----|---|--- -function-stats | super-user | super-user and admin(read) -monitoring-metrics | super-user | super-user admin(read) -get-cluster | super-user | super-user admin(read) -get-cluster-leader | super-user | super-user and admin(read) -get-function-assignments | super-user | super-user and admin(read) +function-stats | super-user | super-user +monitoring-metrics | super-user | super-user +get-cluster | super-user | super-user +get-cluster-leader | super-user | super-user +get-function-assignments | super-user | super-user -#### resource-quotas +### resource-quotas Command |Current Permissions | Proposed Permissions ----|---|--- -get | super-user | super-user and admin(read) +get | super-user | super-user set | super-user | super-user reset-namespace-bundle-quota | super-user | super-user -#### ns-isolation-policy +### ns-isolation-policy Command |Current Permissions | Proposed Permissions ----|---|--- -get | super-user | super-user and admin(read) +get | super-user | super-user set | super-user | super-user list | super-user | super-user delete | super-user | 
super-user brokers | super-user | super-user broker | super-user | super-user -#### tenants +### tenants Command |Current Permissions | Proposed Permissions ----|---|--- -get | super-user | super-user and admin(read) +get | super-user | super-user create | super-user | super user update | super-user | super user delete | super-user | super user list | super-user | super user -### user -#### schemas +### schemas Command |Current Permissions | Proposed Permissions ----|---|--- -get | tenant admin | >= client produce -upload | tenant admin | >= client produce -extract | tenant admin | >= client produce -delete | tenant admin | >= client produce +get | tenant admin | **super user and tenant admin and produce** +upload | tenant admin | **super user and tenant admin and produce** +extract | tenant admin | **super user and tenant admin and produce** +delete | tenant admin | **super user and tenant admin and produce** -#### functions +### functions Command |Current Permissions | Proposed Permissions ----|---|--- localrun | none | none -create | super-user or tenant admin or namespace function | >= namespace function -delete | super-user or tenant admin or namespace function | >= namespace function -update | super-user or tenant admin or namespace function | >= namespace function -get | super-user or tenant admin or namespace function | >= namespace function -restart | super-user or tenant admin or namespace function | >= namespace function -stop | super-user or tenant admin or namespace function | >= namespace function -start | super-user or tenant admin or namespace function | >= namespace function -status | super-user or tenant admin or namespace function | >= namespace function -stats | super-user or tenant admin or namespace function | >= namespace function -list | super-user or tenant admin or namespace function | >= namespace function -querystate | super-user or tenant admin or namespace function | >= namespace function -trigger | super-user or tenant admin or 
namespace function | >= namespace function -putstate | super-user or tenant admin or namespace function | >= namespace function - -#### sources +create | super-user and tenant admin and function | super-user and tenant admin and function +delete | super-user and tenant admin and function | super-user and tenant admin and function +update | super-user and tenant admin and function | super-user and tenant admin and function +get | super-user and tenant admin and function | super-user and tenant admin and function +restart | super-user and tenant admin and function | super-user and tenant admin and function +stop | super-user and tenant admin and function | super-user and tenant admin and function +start | super-user and tenant admin and function | super-user and tenant admin and function +status | super-user and tenant admin and function | super-user and tenant admin and function +stats | super-user and tenant admin and function | super-user and tenant admin and function +list | super-user and tenant admin and function | super-user and tenant admin and function +querystate | super-user and tenant admin and function | super-user and tenant admin and function +trigger | super-user and tenant admin and function | super-user and tenant admin and function +putstate | super-user and tenant admin and function | super-user and tenant admin and function + +### sources Command |Current Permissions | Proposed Permissions ----|---|--- localrun | none | none -create | super-user or tenant admin or namespace function | >= namespace function -delete | super-user or tenant admin or namespace function | >= namespace function -update | super-user or tenant admin or namespace function | >= namespace function -get | none | >= namespace function -status | super-user or tenant admin or namespace function | >= namespace function -stop | super-user or tenant admin or namespace function | >= namespace function -start | super-user or tenant admin or namespace function | >= namespace function 
-list | super-user or tenant admin or namespace function | >= namespace function -restart | super-user or tenant admin or namespace function | >= namespace function - -#### sinks +create | super-user and tenant admin and function | super-user and tenant admin and function +delete | super-user and tenant admin and function | super-user and tenant admin and function +update | super-user and tenant admin and function | super-user and tenant admin and function +get | none | **super-user and tenant admin and function** +status | super-user and tenant admin and function | super-user and tenant admin and function +stop | super-user and tenant admin and function | super-user and tenant admin and function +start | super-user and tenant admin and function | super-user and tenant admin and function +list | super-user and tenant admin and function | super-user and tenant admin and function +restart | super-user and tenant admin and function | super-user and tenant admin and function + +### sinks Command |Current Permissions | Proposed Permissions ----|---|--- localrun | none | none -create | super-user or tenant admin or namespace function | >= namespace function -delete | super-user or tenant admin or namespace function | >= namespace function -update | super-user or tenant admin or namespace function | >= namespace function -get | none | >= namespace function -status | super-user or tenant admin or namespace function | >= namespace function -stop | super-user or tenant admin or namespace function | >= namespace function -start | super-user or tenant admin or namespace function | >= namespace function -list | super-user or tenant admin or namespace function | >= namespace function -restart | super-user or tenant admin or namespace function | >= namespace function - -#### topics - -Command |Current Permissions | Proposed Permissions +create | super-user and tenant admin and function | super-user and tenant admin and function +delete | super-user and tenant admin and function | 
super-user and tenant admin and function +update | super-user and tenant admin and function | super-user and tenant admin and function +get | none | **super-user and tenant admin and function** +status | super-user and tenant admin and function | super-user and tenant admin and function +stop | super-user and tenant admin and function | super-user and tenant admin and function +start | super-user and tenant admin and function | super-user and tenant admin and function +list | super-user and tenant admin and function | super-user and tenant admin and function +restart | super-user and tenant admin and function| super-user and tenant admin and function + +### topics + +Command | Current Permissions | Proposed Permissions ----|---|--- -compact | tenant admin | >= namespace admin -compaction-status | tenant admin | >= namespace admin -offload | tenant admin | >= namespace admin -offload-status | tenant admin | >= namespace admin -create-partitioned-topic | tenant admin | >= namespace admin -delete-partitioned-topic | tenant admin | >= namespace admin -create | tenant admin | >= namespace admin -get-partitioned-topic-metadata | tenant admin | >= client (produce and consume) -update-partitioned-topic | tenant admin | >= namespace admin -list | tenant admin | >= namespace admin -terminate | tenant admin | >= namespace admin -permissions | tenant admin | >= namespace admin -grant-permission | tenant admin | >= namespace admin -revoke-permission | tenant admin | >= namespace admin -lookup | namespace produce or namespace consume | >= client (produce and consume) -bundle-range | super-user | >= namespace admin -delete | tenant admin | >= namespace admin -unload | super-user | >= namespace admin -create-subscription | tenant admin | >= client consume -stats | tenant admin | >= client (produce and consume) -stats-internal | tenant admin | >= client (produce and consume) -info-internal | tenant admin | >= client (produce and consume) -partitioned-stats | tenant admin | >= 
client (produce and consume) -skip-all | tenant admin | >= namespace admin -expire-messages-all-subscriptions | tenant admin | >= namespace admin -last-message-id | tenant admin | >= namespace admin -create-subscription | tenant admin and namespace produce or consume | >= client consume -unsubscribe | tenant admin and namespace consume | >= client consume -skip | tenant admin or namespace consume | >= client consume -expire-messages | tenant admin and namespace produce or consume | >= client consume -peek-messages | tenant admin and namespace produce or consume | >= client consume -reset-cursor | tenant admin and namespace produce or consume | >= client consume -subscriptions | tenant admin and namespace produce or consume | >= client consume -#### namespaces +compact | tenant admin | **super user and tenant admin** +compaction-status | tenant admin | **super user and tenant admin** +offload | tenant admin | **super user and tenant admin** +offload-status | tenant admin | **super user and tenant admin** +create-partitioned-topic | tenant admin | **super user and tenant admin** +delete-partitioned-topic | tenant admin | **super user and tenant admin** +create | tenant admin | **super user and tenant admin** +get-partitioned-topic-metadata | tenant admin | **super user and tenant admin and produce and consume** +update-partitioned-topic | tenant admin | **super user and tenant admin** +list | tenant admin | **super user and tenant admin** +terminate | tenant admin | **super user and tenant admin** +permissions | tenant admin | **super user and tenant admin** +grant-permission | tenant admin | **super user and tenant admin** +revoke-permission | tenant admin | **super user and tenant admin** +lookup | produce or consume | **super user and tenant admin and produce and consume** +bundle-range | super-user | super user +delete | tenant admin | **super user and tenant admin** +unload | super-user | super user +create-subscription | tenant admin | **super user and tenant 
admin and consume** +stats | tenant admin | **super user and tenant admin and produce and consume** +stats-internal | tenant admin | **super user and tenant admin and produce and consume** +info-internal | tenant admin | **super user and tenant admin and produce and consume** +partitioned-stats | tenant admin | **super user and tenant admin and produce and consume** +skip-all | tenant admin | **super user and tenant admin** +expire-messages-all-subscriptions | tenant admin | **super user and tenant admin** +last-message-id | tenant admin | **super user and tenant admin** +create-subscription | tenant admin and namespace produce or consume | **super user and tenant admin and produce and consume** +unsubscribe | tenant admin and consume | **super user and tenant admin and consume** +skip | tenant admin or consume | **super user and tenant admin and consume** +expire-messages | tenant admin and produce or consume | **super user and tenant admin and consume** +peek-messages | tenant admin and produce or consume | **super user and tenant admin and consume** +reset-cursor | tenant admin and produce or consume | **super user and tenant admin and consume** +subscriptions | tenant admin and produce or consume | **super user and tenant admin and consume** + +### namespaces Command |Current Permissions | Proposed Permissions ----|---|--- -list | tenant admin | >= namespace admin -topics | tenant admin | >= namespace admin -policies | tenant admin | >= namespace admin -create | tenant admin | >= namespace admin -delete | tenant admin | >= namespace admin -set-deduplication | tenant admin | >= namespace admin -permissions | tenant admin | >= namespace admin -grant-permissions | tenant admin | >= namespace admin -revoke-permissions | tenant admin | >= namespace admin -grant-subscription-permission | tenant admin | >= namespace admin -revoke-subscription-permission | tenant admin | >= namespace admin -set-clusters | tenant admin | namespace admin -get-clusters | tenant admin | 
client admin -get-backlog-quotas | tenant admin | client admin -set-backlog-quota | tenant admin | >= namespace admin -remove-backlog-quota | tenant admin | >= namespace admin -get-persistence | tenant admin | client admin -get-backlog-quotas | tenant admin | client admin -set-backlog-quota | tenant admin | >= namespace admin -remove-backlog-quota | tenant admin | >= namespace admin -get-persistence | tenant admin | client admin -set-persistence | tenant admin | >= namespace admin -get-message-ttl | tenant admin | client admin -set-message-ttl | tenant admin | >= namespace admin -get-anti-affinity-group | tenant admin | client admin -set-anti-affinity-group | tenant admin | namespace admin -delete-anti-affinity-group | tenant admin | namespace admin -get-anti-affinity-namespaces | tenant admin | client admin -get-retention | tenant admin | client admin -set-retention | tenant admin | >= namespace admin -unload | super-user | >= namespace admin -set-replicator-dispatch-rate | super-user | namespace admin -get-replicator-dispatch-rate | tenant admin | namespace admin -split-bundle | super-user | namespace admin -set-dispatch-rate | super-user | namespace admin -get-dispatch-rate | tenant admin | client admin -get-subscribe-rate | tenant admin | client admin -set-subscribe-rate | super-user | namespace admin -set-subscription-dispatch-rate | super-user | namespace admin -get-subscription-dispatch-rate | tenant admin | client admin -clear-backlog | tenant admin | >= namespace admin -unsubscribe | tenant admin | >= namespace admin -set-encryption-required | tenant admin | >= namespace admin -set-subscription-auth-mode | tenant admin | >= namespace admin -get-max-producers-per-topic | tenant admin | client admin -set-max-producers-per-topic | super-user | namespace admin -get-max-consumers-per-topic | tenant admin | client admin -set-max-consumers-per-topic | super-user | namespace admin -get-max-consumers-per-subscription | tenant admin |client admin 
-get-compaction-threshold | tenant admin | client admin -get-offload-threshold | tenant admin | client admin -get-offload-deletion-lag | tenant admin | client admin -get-schema-autoupdate-strategy | tenant admin | client admin -get-schema-validation-enforced | tenant admin | client admin -set-schema-autoupdate-strategy | super-user | namespace admin -set-schema-validation-enforced | super-user | namespace admin -set-offload-deletion-lag | super-user | namespace admin -clear-offload-deletion-lag | super-user | namespace admin -set-offload-threshold | super-user | namespace admin -set-compaction-threshold | super-user | namespace admin -set-max-consumers-per-subscription | super-user | namespace admin +list | tenant admin | **super user and tenant admin** +topics | tenant admin | **super user and tenant admin** +policies | tenant admin | **super user and tenant admin** +create | tenant admin | **super user and tenant admin** +delete | tenant admin | **super user and tenant admin** +set-deduplication | tenant admin | **super user and tenant admin** +permissions | tenant admin | **super user and tenant admin** +grant-permissions | tenant admin | **super user and tenant admin** +revoke-permissions | tenant admin | **super user and tenant admin** +grant-subscription-permission | tenant admin | **super user and tenant admin** +revoke-subscription-permission | tenant admin | **super user and tenant admin** +set-clusters | tenant admin | **super user and tenant admin** +get-clusters | tenant admin | **super user and tenant admin** +get-backlog-quotas | tenant admin | **super user and tenant admin** +set-backlog-quota | tenant admin | **super user and tenant admin** +remove-backlog-quota | tenant admin | **super user and tenant admin** +get-persistence | tenant admin | **super user and tenant admin** +get-backlog-quotas | tenant admin | **super user and tenant admin** +set-backlog-quota | tenant admin | **super user and tenant admin** +remove-backlog-quota | tenant admin | 
**super user and tenant admin** +get-persistence | tenant admin | **super user and tenant admin** +set-persistence | tenant admin | **super user and tenant admin** +get-message-ttl | tenant admin | **super user and tenant admin** +set-message-ttl | tenant admin | **super user and tenant admin** +get-anti-affinity-group | tenant admin | **super user and tenant admin** +set-anti-affinity-group | tenant admin | **super user and tenant admin** +delete-anti-affinity-group | tenant admin | **super user and tenant admin** +get-anti-affinity-namespaces | tenant admin | **super user and tenant admin** +get-retention | tenant admin | **super user and tenant admin** +set-retention | tenant admin | **super user and tenant admin** +unload | super-user | super user +set-replicator-dispatch-rate | super-user | super user +get-replicator-dispatch-rate | tenant admin | **super user and tenant admin** +split-bundle | super-user | super user +set-dispatch-rate | super-user | super user +get-dispatch-rate | tenant admin | **super user and tenant admin** +get-subscribe-rate | tenant admin | **super user and tenant admin** +set-subscribe-rate | super-user | super user +set-subscription-dispatch-rate | super-user | super user +get-subscription-dispatch-rate | tenant admin | **super user and tenant admin** +clear-backlog | tenant admin | **super user and tenant admin** +unsubscribe | tenant admin | **super user and tenant admin** +set-encryption-required | tenant admin | **super user and tenant admin** +set-subscription-auth-mode | tenant admin | **super user and tenant admin** +get-max-producers-per-topic | tenant admin | **super user and tenant admin** +set-max-producers-per-topic | super-user | super user +get-max-consumers-per-topic | tenant admin | **super user and tenant admin** +set-max-consumers-per-topic | super-user | super user +get-max-consumers-per-subscription | tenant admin |**super user and tenant admin** +get-compaction-threshold | tenant admin | **super user and tenant 
admin** +get-offload-threshold | tenant admin | **super user and tenant admin** +get-offload-deletion-lag | tenant admin | **super user and tenant admin** +get-schema-autoupdate-strategy | tenant admin | **super user and tenant admin** +get-schema-validation-enforced | tenant admin | **super user and tenant admin** +set-schema-autoupdate-strategy | super-user | super user +set-schema-validation-enforced | super-user | super user +set-offload-deletion-lag | super-user | super user +clear-offload-deletion-lag | super-user | super user +set-offload-threshold | super-user | super user +set-compaction-threshold | super-user | super user +set-max-consumers-per-subscription | super-user | super user
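Review bot: The rewritten Motivation paragraph in the first hunk (@@ -6,51 +6,15 @@) drops the role definitions and the permission-level table, so the terms every table below relies on (tenant admin, produce, consume, function) are no longer defined anywhere in the file, and the file is still named "Permission levels and inheritance" although the "Permission levels & inheritance" section is removed. The concrete motivating case (a namespace administrator who cannot list the topics of the namespace) is replaced by "some commands that have unreasonable permission verification" without naming a command. Suggest keeping a short definition of each role and at least one named command as the motivating case, and either renaming the page or stating explicitly that levels and inheritance are no longer proposed.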
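Review bot: In the third hunk (@@ -73,218 +37,218 @@) the Proposed Permissions column joins roles with "and", for example `get | tenant admin | **super user and tenant admin and produce**`, which in an authorization spec reads as requiring the caller to hold every listed role, whereas the removed rows used "or" and ">=". The functions, sources and sinks tables also change the Current Permissions column from "super-user or tenant admin or namespace function" to "super-user and tenant admin and function", which rewrites the description of existing behaviour rather than the proposal. Suggest writing these as "or", or defining once at the top that "and" means any one of the listed roles, and using a single spelling of "super-user" throughout. Separately, the topics table lists create-subscription twice with different proposed permissions ("super user and tenant admin and consume" versus "super user and tenant admin and produce and consume"), and the namespaces table repeats get-backlog-quotas, set-backlog-quota, remove-backlog-quota and get-persistence; keep one row for each and resolve the create-subscription conflict.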