thomasechen edited a comment on pull request #13771:
URL: https://github.com/apache/pulsar/pull/13771#issuecomment-1020908067
@liudezhi2098
I have done testing of producing a message through the REST client.
The HTTP client could produce the message successfully if I granted the authorization
at the namespace or topic level. However, if I use the token which belongs to
the tenant admin and there are no permission settings at the namespace or
topic level, the system will refuse to produce the message to the topic
and show the message below.
**"Unauthorized to produce to topic persistent://tls/demo3/hello_thomas with clientAppId [tls] and authdata org.apache.pulsar.broker.authentication.AuthenticationDataHttps@318c6550"}**
Actually, if we use the client library (Java, Node), we can produce the
message to the topic using the tenant admin token (the tenant admin role was
set) without granting additional permissions on the namespace and topics.
**Reproduce:**
1. I have a tenant called tls whose admin role is also called "tls"
2. There are no permission settings related to the namespace tls/demo4
3. We use the token of the role "tls" to produce a message and succeed
4. We use "POSTMAN" to produce a message to the same topic
   4.1 Authorization settings
   4.2 Message body detail
5. The system will give me the unauthorized message
6. If we grant the permission allowing producing messages to the namespace tls/demo4, then we can successfully produce the message
   6.1 Grant the permission to the role tls
   6.2 Produce the message successfully

**Conclusion:**
The REST authorization mechanism should be the same as for the other clients (Java, Node.js, ...).
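The following is an added example, not code from the comment above or from Apache Pulsar itself. It is a small Python model of the produce-authorization decision the comment describes: the policy the other clients apply (tenant admin, or a namespace grant, or a topic grant) next to the behaviour observed on the REST path (only explicit grants honoured), plus a checker that lists the role/topic pairs where the two disagree. The tenant, role, and topic names are the ones from the comment; the data structures, function names, and the `rest_can_produce_observed` model are assumptions made for this example so the gap can be asserted in a test rather than discovered by hand.

```python
"""Constructed model of Pulsar-style produce authorization (not Pulsar's code).

client_can_produce()        - policy the comment expects (tenant admin OR grant)
rest_can_produce_observed() - behaviour the comment reports on the REST path
find_divergences()          - role/topic pairs where the two paths disagree
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Set, Tuple

PRODUCE = "produce"
CONSUME = "consume"


@dataclass
class TopicName:
    tenant: str
    namespace: str  # "tenant/namespace", the form used in namespace grants
    local: str


def parse_topic(name: str) -> TopicName:
    """Parse 'persistent://tenant/ns/topic' (or non-persistent) into parts."""
    scheme, sep, rest = name.partition("://")
    if sep != "://" or scheme not in ("persistent", "non-persistent"):
        raise ValueError(f"not a Pulsar topic name: {name!r}")
    parts = rest.split("/")
    if len(parts) != 3 or not all(parts):
        raise ValueError(f"expected tenant/namespace/topic in {name!r}")
    tenant, ns, local = parts
    return TopicName(tenant, f"{tenant}/{ns}", local)


@dataclass
class AuthzState:
    """Assumed in-memory view of tenant admins and namespace/topic grants."""
    tenant_admins: Dict[str, Set[str]] = field(default_factory=dict)
    namespace_perms: Dict[str, Dict[str, Set[str]]] = field(default_factory=dict)
    topic_perms: Dict[str, Dict[str, Set[str]]] = field(default_factory=dict)

    def grant_namespace(self, ns: str, role: str, actions: Set[str]) -> None:
        self.namespace_perms.setdefault(ns, {}).setdefault(role, set()).update(actions)

    def grant_topic(self, topic: str, role: str, actions: Set[str]) -> None:
        self.topic_perms.setdefault(topic, {}).setdefault(role, set()).update(actions)


def _granted(perms: Dict[str, Dict[str, Set[str]]], key: str, role: str, action: str) -> bool:
    return action in perms.get(key, {}).get(role, set())


def client_can_produce(state: AuthzState, role: str, topic: str) -> bool:
    """Policy the comment expects: tenant admin, or an explicit produce grant."""
    t = parse_topic(topic)
    if role in state.tenant_admins.get(t.tenant, set()):
        return True
    return (_granted(state.namespace_perms, t.namespace, role, PRODUCE)
            or _granted(state.topic_perms, topic, role, PRODUCE))


def rest_can_produce_observed(state: AuthzState, role: str, topic: str) -> bool:
    """Behaviour reported for the REST path: tenant-admin status is ignored."""
    t = parse_topic(topic)
    return (_granted(state.namespace_perms, t.namespace, role, PRODUCE)
            or _granted(state.topic_perms, topic, role, PRODUCE))


def find_divergences(state: AuthzState, roles: Iterable[str],
                     topics: Iterable[str]) -> List[Tuple[str, str]]:
    """Every (role, topic) where the two paths return different answers."""
    return [(r, tp) for r in roles for tp in topics
            if client_can_produce(state, r, tp) != rest_can_produce_observed(state, r, tp)]


def demo() -> Tuple[Tuple[bool, bool], Tuple[bool, bool]]:
    """Replay the comment's scenario: before and after the namespace grant."""
    state = AuthzState(tenant_admins={"tls": {"tls"}})  # step 1: admin role "tls"
    topic = "persistent://tls/demo4/hello_thomas"       # step 2: no grants on tls/demo4
    before = (client_can_produce(state, "tls", topic),
              rest_can_produce_observed(state, "tls", topic))
    state.grant_namespace("tls/demo4", "tls", {PRODUCE})  # step 6.1
    after = (client_can_produce(state, "tls", topic),
             rest_can_produce_observed(state, "tls", topic))
    return before, after


if __name__ == "__main__":
    print(demo())
```

Running `demo()` returns `((True, False), (True, True))`: the client path allows the tenant admin straight away, the modelled REST path denies until the namespace grant is added, which is exactly the inconsistency the steps above reproduce. `find_divergences` is the piece worth keeping in a test suite: it turns "both paths must agree" into an assertion over every role and topic you care about.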
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]