sijie commented on issue #6122: [pulsar-admin] allow tenant admin to manage subscription permission
URL: https://github.com/apache/pulsar/pull/6122#issuecomment-581306158

@rdhabalia I understand the original concern about why only super-users can grant permission. However, that was the behavior released in the previous version. Writing a comment in code is different from writing that in the documentation and release notes. I am happy to see how other people feel about it from the security perspective.

There are a lot of good articles on the internet talking about what is a breaking change for an API (e.g. https://www.bennadel.com/blog/3501-when-is-a-change-a-breaking-change-for-an-api.htm). At a minimum, changing a return code is commonly treated as a breaking change.

In this case, when using versions older than 2.6.0, if a non-super-user issues an HTTP request to this endpoint, the error is 401. After this change, if a tenant admin (who is not a super-user) issues an HTTP request to this endpoint, the returned code is 200. The return code is different. This should be treated as a breaking change. At a minimum, it should be highlighted in the release notes.

I think we should bring this conversation to the mailing thread to settle on a practice about how to define what the breaking changes are and how we deal with them.
