-
Notifications
You must be signed in to change notification settings - Fork 3.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Issue 5720][authz] - add topics authz granularity #7523
Conversation
b1c7751
to
ed4a34f
Compare
089b529
to
359a44a
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm new to Pulsar but had some comments that might be of help I hope? Thanks!
pulsar-broker/src/main/java/org/apache/pulsar/broker/web/PulsarWebResource.java
Show resolved
Hide resolved
pulsar-broker/src/main/java/org/apache/pulsar/broker/web/PulsarWebResource.java
Show resolved
Hide resolved
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think you changed the behavior of the existing authorization plugin a lot. That doesn't sound like a good approach. We need to keep backward compatibility.
...roker-common/src/main/java/org/apache/pulsar/broker/authorization/AuthorizationProvider.java
Show resolved
Hide resolved
...broker-common/src/main/java/org/apache/pulsar/broker/authorization/AuthorizationService.java
Outdated
Show resolved
Hide resolved
...common/src/main/java/org/apache/pulsar/broker/authorization/PulsarAuthorizationProvider.java
Outdated
Show resolved
Hide resolved
...common/src/main/java/org/apache/pulsar/broker/authorization/PulsarAuthorizationProvider.java
Outdated
Show resolved
Hide resolved
...common/src/main/java/org/apache/pulsar/broker/authorization/PulsarAuthorizationProvider.java
Outdated
Show resolved
Hide resolved
...common/src/main/java/org/apache/pulsar/broker/authorization/PulsarAuthorizationProvider.java
Outdated
Show resolved
Hide resolved
...common/src/main/java/org/apache/pulsar/broker/authorization/PulsarAuthorizationProvider.java
Outdated
Show resolved
Hide resolved
...common/src/main/java/org/apache/pulsar/broker/authorization/PulsarAuthorizationProvider.java
Outdated
Show resolved
Hide resolved
...common/src/main/java/org/apache/pulsar/broker/authorization/PulsarAuthorizationProvider.java
Outdated
Show resolved
Hide resolved
...common/src/main/java/org/apache/pulsar/broker/authorization/PulsarAuthorizationProvider.java
Outdated
Show resolved
Hide resolved
0f0ec40
to
aa43845
Compare
5ff9d17
to
6cc8f6d
Compare
a223b0f
to
d17dab9
Compare
...common/src/main/java/org/apache/pulsar/broker/authorization/PulsarAuthorizationProvider.java
Outdated
Show resolved
Hide resolved
...roker-common/src/main/java/org/apache/pulsar/broker/authorization/AuthorizationProvider.java
Show resolved
Hide resolved
c8008c6
to
6ea53cd
Compare
99f9510
to
db618d6
Compare
@codelipenghui Can you review too? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It's a little difficult to review this PR. It's related to the Pulsar permissions so we need to be careful of changing them. And this PR changed too many APIs so it needs to take some time to review it.
...common/src/main/java/org/apache/pulsar/broker/authorization/PulsarAuthorizationProvider.java
Outdated
Show resolved
Hide resolved
727b7a9
to
4dd0653
Compare
Rebased to support 889b9b8. |
a395c70
to
3546f72
Compare
@zymap ? |
@sijie @zymap hey, is there anything really blocking this PR, except a review? How can we help you get it merged? This PR has been going on for over a year now, with @KannarFr spending significant time rebasing it over and over. And we identified the need for Pulsar to get truly multitenant more than 2 years ago ( #5720 ). So this is getting a bit long for a feature that is advertised on Pulsar's website from day one. The fact is that it has been running fine on our systems for a long time, where we manage very fine rights, so there is much less risks in merging it that you might think. |
Sorry for the delay. I will take a look soon. |
} catch (Exception e) { | ||
checkConnect(topic); | ||
// unknown error marked as internal server error | ||
log.warn("Unexpected error while authorizing TopicOperation.LOOKUP. topic={}, role={}. Error: {}", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do we need to log here? The exception would be expected if the client is not authorized and since it's already bubbled up, we would end up logging that twice.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Dropped in 596d85f.
PR rebased due to a recent conflict.
Fixes a part of apache#5720 ### Motivation add granularity in topics api authz
Fixes a part of #5720
Motivation
add granularity in topics api authz