[pulsar-admin] allow tenant admin to manage subscription permission (a…

…pache#6122) ### Motivation In apache#2981, we have added support to grant subscriber-permission to manage subscription based apis. However, grant-subscription-permission api requires super-user access and it creates too much dependency on system-admin when many tenants want to grant subscription permission. So, allow each tenant to manage subscription permission in order to reduce administrative efforts for super user.
jiazhai · Mar 18, 2020 · 254e54b · 254e54b
1 parent 40995a0
commit 254e54b
Show file tree

Hide file tree

Showing 4 changed files with 6 additions and 5 deletions.
diff --git a/pulsar-broker/src/main/java/org/apache/pulsar/broker/admin/impl/NamespacesBase.java b/pulsar-broker/src/main/java/org/apache/pulsar/broker/admin/impl/NamespacesBase.java
@@ -375,8 +375,7 @@ protected void internalGrantPermissionOnNamespace(String role, Set<AuthAction> a
 
 
     protected void internalGrantPermissionOnSubscription(String subscription, Set<String> roles) {
-        /** controlled by system-admin(super-user) to prevent metadata footprint size */
-        validateSuperUserAccess();
+        validateAdminAccessForTenant(namespaceName.getTenant());
 
         try {
             AuthorizationService authService = pulsar().getBrokerService().getAuthorizationService();

diff --git a/pulsar-broker/src/main/java/org/apache/pulsar/broker/admin/v1/Namespaces.java b/pulsar-broker/src/main/java/org/apache/pulsar/broker/admin/v1/Namespaces.java
@@ -248,7 +248,8 @@ public void grantPermissionOnNamespace(@PathParam("property") String property, @
 
     @POST
     @Path("/{property}/{cluster}/{namespace}/permissions/subscription/{subscription}")
-    @ApiOperation(hidden = true, value = "Grant a new permission to roles for a subscription.")
+    @ApiOperation(hidden = true, value = "Grant a new permission to roles for a subscription. "
+            + "[Tenant admin is allowed to perform this operation]")
     @ApiResponses(value = { @ApiResponse(code = 403, message = "Don't have admin permission"),
             @ApiResponse(code = 404, message = "Property or cluster or namespace doesn't exist"),
             @ApiResponse(code = 409, message = "Concurrent modification"),

diff --git a/pulsar-broker/src/main/java/org/apache/pulsar/broker/admin/v2/Namespaces.java b/pulsar-broker/src/main/java/org/apache/pulsar/broker/admin/v2/Namespaces.java
@@ -198,7 +198,8 @@ public void grantPermissionOnNamespace(@PathParam("tenant") String tenant,
 
     @POST
     @Path("/{property}/{namespace}/permissions/subscription/{subscription}")
-    @ApiOperation(hidden = true, value = "Grant a new permission to roles for a subscription.")
+    @ApiOperation(hidden = true, value = "Grant a new permission to roles for a subscription."
+            + "[Tenant admin is allowed to perform this operation]")
     @ApiResponses(value = { @ApiResponse(code = 403, message = "Don't have admin permission"),
             @ApiResponse(code = 404, message = "Property or cluster or namespace doesn't exist"),
             @ApiResponse(code = 409, message = "Concurrent modification"),

diff --git a/...-broker/src/test/java/org/apache/pulsar/client/api/AuthorizationProducerConsumerTest.java b/...-broker/src/test/java/org/apache/pulsar/client/api/AuthorizationProducerConsumerTest.java
@@ -226,7 +226,7 @@ public void testSubscriberPermission() throws Exception {
 
         // grant subscription access to specific different role and only that role can access the subscription
         String otherPrincipal = "Principal-1-to-access-sub";
-        superAdmin.namespaces().grantPermissionOnSubscription(namespace, subscriptionName,
+        tenantAdmin.namespaces().grantPermissionOnSubscription(namespace, subscriptionName,
                 Collections.singleton(otherPrincipal));
 
         // now, subscriptionRole doesn't have subscription level access so, it will fail to access subscription