sijie edited a comment on issue #5720: authorize tenant level and namespace level access from the authorization provider
URL: https://github.com/apache/pulsar/issues/5720#issuecomment-582105461

@jiazhai @tuteng I think the issue is asking for interfaces to be added to AuthorizationProvider. The default implementation can remain the same. The interfaces allow external parties to customize their own authorization implementation.

The authorization provider can be enhanced into an extensible interface. What an authorization provider provides is whether a `role` is able to apply a `verb`/`action` to a given `resource`.

The resources are:

- `tenant`
- `namespace`
- `namespace_policy`
- `topic`
- `subscription`
- `functions`
- `connectors`

For each resource, there are certain verbs and actions available for operating those resources.

The authorization provider provides an implementation to check if a `role` is allowed to apply a certain `verb` over a `resource`.

If we can abstract the authorization provider, it allows people to customize their own authorization provider implementation to allow finer granularity access controls. For the default implementation Pulsar has, we can keep it as is due to the concerns raised around PIP-49.

Does that make sense?
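A sketch of the role/verb/resource check described in the comment above, as an added example that is not part of the original message and is not Pulsar's actual `AuthorizationProvider` API. The names `ResourceType`, `Verb`, `PluggableAuthorizer` and `GrantTableAuthorizer`, the verb set, and the sample roles and resources are all hypothetical.

```java
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;

// Hypothetical sketch, not Pulsar's AuthorizationProvider interface.
public class AuthzSketch {
    // Resource kinds listed in the comment.
    enum ResourceType { TENANT, NAMESPACE, NAMESPACE_POLICY, TOPIC, SUBSCRIPTION, FUNCTIONS, CONNECTORS }

    // Illustrative verbs (assumption): the comment does not enumerate them.
    enum Verb { CREATE, READ, UPDATE, DELETE, PRODUCE, CONSUME }

    // The extension point: may `role` apply `verb` to `resource` of kind `type`?
    interface PluggableAuthorizer {
        boolean isAllowed(String role, Verb verb, ResourceType type, String resource);
    }

    // Lookup key; a record gives value equality without string concatenation tricks.
    record Key(String role, ResourceType type, String resource) {}

    // One possible custom implementation: an explicit grant table, deny by default.
    static final class GrantTableAuthorizer implements PluggableAuthorizer {
        private final Map<Key, Set<Verb>> grants = new ConcurrentHashMap<>();

        void grant(String role, ResourceType type, String resource, Set<Verb> verbs) {
            grants.put(new Key(role, type, resource), Set.copyOf(verbs));
        }

        @Override
        public boolean isAllowed(String role, Verb verb, ResourceType type, String resource) {
            if (role == null || role.isEmpty()) {
                return false; // no authenticated role, no access
            }
            // A grant on one resource kind does not imply access to any other kind.
            return grants.getOrDefault(new Key(role, type, resource), Set.of()).contains(verb);
        }
    }

    public static void main(String[] args) {
        GrantTableAuthorizer authz = new GrantTableAuthorizer();
        // Constructed sample grants.
        authz.grant("team-a-admin", ResourceType.NAMESPACE, "team-a/orders", Set.of(Verb.READ, Verb.UPDATE));
        authz.grant("billing-app", ResourceType.TOPIC, "team-a/orders/invoices", Set.of(Verb.PRODUCE));

        System.out.println(authz.isAllowed("team-a-admin", Verb.UPDATE, ResourceType.NAMESPACE, "team-a/orders"));
        System.out.println(authz.isAllowed("billing-app", Verb.CONSUME, ResourceType.TOPIC, "team-a/orders/invoices"));
        System.out.println(authz.isAllowed("billing-app", Verb.READ, ResourceType.TENANT, "team-a"));
    }
}
```

Requires Java 16 or later for the `record` declaration.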
