joefk edited a comment on issue #6428: [Issue 5720][authorization provider] (WIP) Add more granularity
URL: https://github.com/apache/pulsar/pull/6428#issuecomment-592807888
 
 
@KannarF
> I think every permission should be granted by authz provider.

Some of them are not grantable. How did you arrive at that conclusion? That is a very simplistic view of the system. After going through PIP-49 and the discussions about that, what is your take?

As you state in the description of your PR...
> And the biggest part of the task: go through every usage of validateSuperUserAccess and validateAdminAccessForTenant and check if they can be replaced with finer grain access

Can you share your findings for that? I did not see any

My concern is this. How can I, as a Pulsar operator (NOT a tenant), decide which of these operations I will delegate to my tenants for finer control?

Operators should not be put in a position where, if they were to deploy this authz provider, they would have to go and turn off/on certain actions for all fine-grained resources every time someone creates a namespace or topic. And the things you are proposing to delegate here in this proposal are an operator's nightmare for a large cluster. Hence my ask. Put the list of the things that can be delegated into a config file, so that operators can decide ONCE when they DEPLOY Pulsar, about what can be potentially delegated. Don't hardcode it into the server, and create runtime maintenance work for operators.

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


With regards,
Apache Git Services