2018-04-26 10:08:40 UTC - Harald Gustafsson: @Harald Gustafsson has joined the 
channel
----
2018-04-26 15:49:11 UTC - Karthik Palanivelu: Team, can you please guide me if 
you have any samples on how to prove the Multi-Tenant feature by using admin roles?
----
2018-04-26 16:06:37 UTC - Matteo Merli: @Karthikeyan Palanivelu There is a doc 
page here with all the steps needed to enable authentication & 
authorization: <http://pulsar.apache.org/docs/v1.22.0-incubating/admin/Authz/> 
. Please tell us if there is anything unclear or missing in that doc.
----
2018-04-26 16:19:55 UTC - Karthik Palanivelu: @Matteo Merli Please pardon me if 
I am ignorant. I learnt from the link you provided and the docs on Multi Tenant. I 
understand that I can create a topic such as 
/my-property/dc1/my-namespace/my-topic on dc1 and dc2 with the admin role adminbk. 
If I were to produce and consume messages to this topic without adminbk, I 
should get an Authorization exception. How do I pass this information (adminbk) via 
Producer and Consumer to access the topic to produce/consume messages? Please 
correct my understanding if I am wrong and let me know how I can isolate 
tenants. If you recommend TLS, then it is applicable at the Namespace level and is 
not a differentiator. The intent is to showcase the advantage of migrating to Pulsar; 
I have developed samples for Geo Replication and TLS Auth. I am in the process of 
creating one for Multi-tenant.
----
2018-04-26 17:03:40 UTC - Matteo Merli: > I understand that I can create 
topic such as /my-property/dc1/my-namespace/my-topic on dc1 and dc2 with admin 
roles adminbk

So, “admin roles” are relative to the property (tenant). These represent the 
“roles” (“principals”) that are allowed to perform administrative tasks for the 
tenant (eg: create namespaces, update configuration, grant permission) 

> If I were to produce and consume messages to this topic without adminbk, 
I should get Authorization exception

That’s correct. If brokers have the `authorizationEnabled` flag, that will fail 
unless you provide authentication credentials with a “principal” that was 
granted permission to publish/consume 

> If you recommend TLS, then it is applicable for Namespace level and is not 
a differentiator.

With TLS, the “principal” is represented by the client TLS certificate 
“CommonName” record. This is what the authorization engine will check. 

The permission granularity has a few levels: 
 * Namespace level (grant some principal publish/consume permission on all 
topics for a given namespace) 
 * Topic level (augment namespace-level permission with per-topic ad-hoc grants)
 * Super-user — Principals that are marked as “super-user” can administrate and 
publish/consume from all topics. This is generally used for broker-to-broker 
geo-replication or to have system-admin control shells.

> Please correct my understanding if I am wrong and let me know how I can 
isolate tenants?

You can isolate some tenants or namespaces by setting a policy that restricts 
them to a subset of brokers. We don’t have yet a tutorial for that, though it’s 
done through the `pulsar-admin` CLI tool: 
<http://pulsar.apache.org/docs/v1.22.0-incubating/reference/CliTools/#ns-isolation-policy-ibq32>
----
2018-04-26 17:21:31 UTC - Igor Zubchenok: Hello. I have an issue: all 
namespaces have disappeared in some of the properties. How can I investigate the 
reason? (3 pulsar nodes, one cluster)
----
2018-04-26 17:23:12 UTC - Vasily Yanov: @Sijie Guo sorry, just saw your message. 
No session expired messages.
----
2018-04-26 18:18:32 UTC - Karthik Palanivelu: @Matteo Merli Thanks so much for 
the descriptive response. I am planning to use one enterprise cluster for different 
Lines of Business within my company, like card, bank etc. My properties would be 
like card and bank. If I get the common name within TLS to match card/bank, 
will it work? Or let me know how I can make it work. The intent is that Card data and 
processing should be isolated from Bank.
----
2018-04-26 18:33:16 UTC - Matteo Merli: @Igor Zubchenok disappeared in the 
“namespaces list” command?
----
2018-04-26 18:34:14 UTC - Matteo Merli: you can double-check with the 
zookeeper-shell at `/admin/policies/my-property/..`
----
2018-04-26 18:37:19 UTC - Matteo Merli: > If I get the common name within 
TLS matches to card/bank will work? 

Yes, in the simplest case, you could create 2 client certificates with “card” 
and “bank” common names. These will be used by each team, then you just need to 
grant permission to these principals on the appropriate namespaces
----
2018-04-26 18:52:54 UTC - Karthik Palanivelu: Cool, thanks @Matteo Merli. I will 
try and keep you posted.
----