Interface AuthorizationProvider
-
- All Superinterfaces:
java.lang.AutoCloseable, java.io.Closeable
- All Known Implementing Classes:
MultiRolesTokenAuthorizationProvider, PulsarAuthorizationProvider
public interface AuthorizationProvider extends java.io.Closeable
Provider of authorization mechanism.
-
-
Method Summary
Modifier and Type Method
    Description
java.util.concurrent.CompletableFuture<java.lang.Boolean> allowFunctionOpsAsync(org.apache.pulsar.common.naming.NamespaceName namespaceName, java.lang.String role, AuthenticationDataSource authenticationData)
    Allow all function operations within this namespace.
default java.lang.Boolean allowNamespaceOperation(org.apache.pulsar.common.naming.NamespaceName namespaceName, java.lang.String originalRole, java.lang.String role, org.apache.pulsar.common.policies.data.NamespaceOperation operation, AuthenticationDataSource authData)
    Deprecated.
default java.lang.Boolean allowNamespaceOperation(org.apache.pulsar.common.naming.NamespaceName namespaceName, java.lang.String role, org.apache.pulsar.common.policies.data.NamespaceOperation operation, AuthenticationDataSource authData)
default java.util.concurrent.CompletableFuture<java.lang.Boolean> allowNamespaceOperationAsync(org.apache.pulsar.common.naming.NamespaceName namespaceName, java.lang.String originalRole, java.lang.String role, org.apache.pulsar.common.policies.data.NamespaceOperation operation, AuthenticationDataSource authData)
    Deprecated.
default java.util.concurrent.CompletableFuture<java.lang.Boolean> allowNamespaceOperationAsync(org.apache.pulsar.common.naming.NamespaceName namespaceName, java.lang.String role, org.apache.pulsar.common.policies.data.NamespaceOperation operation, AuthenticationDataSource authData)
    Check if a given role is allowed to execute a given operation on the namespace.
default java.lang.Boolean allowNamespacePolicyOperation(org.apache.pulsar.common.naming.NamespaceName namespaceName, org.apache.pulsar.common.policies.data.PolicyName policy, org.apache.pulsar.common.policies.data.PolicyOperation operation, java.lang.String originalRole, java.lang.String role, AuthenticationDataSource authData)
    Deprecated.
default java.lang.Boolean allowNamespacePolicyOperation(org.apache.pulsar.common.naming.NamespaceName namespaceName, org.apache.pulsar.common.policies.data.PolicyName policy, org.apache.pulsar.common.policies.data.PolicyOperation operation, java.lang.String role, AuthenticationDataSource authData)
default java.util.concurrent.CompletableFuture<java.lang.Boolean> allowNamespacePolicyOperationAsync(org.apache.pulsar.common.naming.NamespaceName namespaceName, org.apache.pulsar.common.policies.data.PolicyName policy, org.apache.pulsar.common.policies.data.PolicyOperation operation, java.lang.String originalRole, java.lang.String role, AuthenticationDataSource authData)
    Deprecated.
default java.util.concurrent.CompletableFuture<java.lang.Boolean> allowNamespacePolicyOperationAsync(org.apache.pulsar.common.naming.NamespaceName namespaceName, org.apache.pulsar.common.policies.data.PolicyName policy, org.apache.pulsar.common.policies.data.PolicyOperation operation, java.lang.String role, AuthenticationDataSource authData)
    Check if a given role is allowed to execute a given policy operation on the namespace.
java.util.concurrent.CompletableFuture<java.lang.Boolean> allowSinkOpsAsync(org.apache.pulsar.common.naming.NamespaceName namespaceName, java.lang.String role, AuthenticationDataSource authenticationData)
    Allow all sink operations within this namespace.
java.util.concurrent.CompletableFuture<java.lang.Boolean> allowSourceOpsAsync(org.apache.pulsar.common.naming.NamespaceName namespaceName, java.lang.String role, AuthenticationDataSource authenticationData)
    Allow all source operations within this namespace.
default java.lang.Boolean allowTenantOperation(java.lang.String tenantName, java.lang.String originalRole, java.lang.String role, org.apache.pulsar.common.policies.data.TenantOperation operation, AuthenticationDataSource authData)
    Deprecated.
default java.lang.Boolean allowTenantOperation(java.lang.String tenantName, java.lang.String role, org.apache.pulsar.common.policies.data.TenantOperation operation, AuthenticationDataSource authData)
default java.util.concurrent.CompletableFuture<java.lang.Boolean> allowTenantOperationAsync(java.lang.String tenantName, java.lang.String originalRole, java.lang.String role, org.apache.pulsar.common.policies.data.TenantOperation operation, AuthenticationDataSource authData)
    Deprecated.
default java.util.concurrent.CompletableFuture<java.lang.Boolean> allowTenantOperationAsync(java.lang.String tenantName, java.lang.String role, org.apache.pulsar.common.policies.data.TenantOperation operation, AuthenticationDataSource authData)
    Check if a given role is allowed to execute a given operation on the tenant.
default java.lang.Boolean allowTopicOperation(org.apache.pulsar.common.naming.TopicName topicName, java.lang.String originalRole, java.lang.String role, org.apache.pulsar.common.policies.data.TopicOperation operation, AuthenticationDataSource authData)
    Deprecated.
default java.lang.Boolean allowTopicOperation(org.apache.pulsar.common.naming.TopicName topicName, java.lang.String role, org.apache.pulsar.common.policies.data.TopicOperation operation, AuthenticationDataSource authData)
default java.util.concurrent.CompletableFuture<java.lang.Boolean> allowTopicOperationAsync(org.apache.pulsar.common.naming.TopicName topic, java.lang.String originalRole, java.lang.String role, org.apache.pulsar.common.policies.data.TopicOperation operation, AuthenticationDataSource authData)
    Deprecated.
default java.util.concurrent.CompletableFuture<java.lang.Boolean> allowTopicOperationAsync(org.apache.pulsar.common.naming.TopicName topic, java.lang.String role, org.apache.pulsar.common.policies.data.TopicOperation operation, AuthenticationDataSource authData)
    Check if a given role is allowed to execute a given topic operation on the topic.
default java.lang.Boolean allowTopicPolicyOperation(org.apache.pulsar.common.naming.TopicName topicName, java.lang.String role, org.apache.pulsar.common.policies.data.PolicyName policy, org.apache.pulsar.common.policies.data.PolicyOperation operation, AuthenticationDataSource authData)
default java.util.concurrent.CompletableFuture<java.lang.Boolean> allowTopicPolicyOperationAsync(org.apache.pulsar.common.naming.TopicName topic, java.lang.String role, org.apache.pulsar.common.policies.data.PolicyName policy, org.apache.pulsar.common.policies.data.PolicyOperation operation, AuthenticationDataSource authData)
    Check if a given role is allowed to execute a given topic operation on topic's policy.
java.util.concurrent.CompletableFuture<java.lang.Boolean> canConsumeAsync(org.apache.pulsar.common.naming.TopicName topicName, java.lang.String role, AuthenticationDataSource authenticationData, java.lang.String subscription)
    Check if the specified role has permission to receive messages from the specified fully qualified topic name.
java.util.concurrent.CompletableFuture<java.lang.Boolean> canLookupAsync(org.apache.pulsar.common.naming.TopicName topicName, java.lang.String role, AuthenticationDataSource authenticationData)
    Check whether the specified role can perform a lookup for the specified topic.
java.util.concurrent.CompletableFuture<java.lang.Boolean> canProduceAsync(org.apache.pulsar.common.naming.TopicName topicName, java.lang.String role, AuthenticationDataSource authenticationData)
    Check if the specified role has permission to send messages to the specified fully qualified topic name.
java.util.concurrent.CompletableFuture<java.lang.Void> grantPermissionAsync(org.apache.pulsar.common.naming.NamespaceName namespace, java.util.Set<org.apache.pulsar.common.policies.data.AuthAction> actions, java.lang.String role, java.lang.String authDataJson)
    Grant authorization-action permission on a namespace to the given client.
java.util.concurrent.CompletableFuture<java.lang.Void> grantPermissionAsync(org.apache.pulsar.common.naming.TopicName topicName, java.util.Set<org.apache.pulsar.common.policies.data.AuthAction> actions, java.lang.String role, java.lang.String authDataJson)
    Grant authorization-action permission on a topic to the given client.
java.util.concurrent.CompletableFuture<java.lang.Void> grantSubscriptionPermissionAsync(org.apache.pulsar.common.naming.NamespaceName namespace, java.lang.String subscriptionName, java.util.Set<java.lang.String> roles, java.lang.String authDataJson)
    Grant permission to roles that can access subscription-admin api.
default void initialize(ServiceConfiguration conf, ConfigurationCacheService configCache)
    Deprecated. ConfigurationCacheService is not supported anymore as a way to get access to metadata.
default void initialize(ServiceConfiguration conf, PulsarResources pulsarResources)
    Perform initialization for the authorization provider.
default java.util.concurrent.CompletableFuture<java.lang.Boolean> isSuperUser(java.lang.String role, AuthenticationDataSource authenticationData, ServiceConfiguration serviceConfiguration)
    Check if specified role is a super user.
default java.util.concurrent.CompletableFuture<java.lang.Boolean> isSuperUser(java.lang.String role, ServiceConfiguration serviceConfiguration)
    Deprecated. Use method isSuperUser(String, AuthenticationDataSource, ServiceConfiguration)
    Check if specified role is a super user
default java.util.concurrent.CompletableFuture<java.lang.Boolean> isTenantAdmin(java.lang.String tenant, java.lang.String role, org.apache.pulsar.common.policies.data.TenantInfo tenantInfo, AuthenticationDataSource authenticationData)
    Check if specified role is an admin of the tenant.
java.util.concurrent.CompletableFuture<java.lang.Void> revokeSubscriptionPermissionAsync(org.apache.pulsar.common.naming.NamespaceName namespace, java.lang.String subscriptionName, java.lang.String role, java.lang.String authDataJson)
    Revoke subscription admin-api access for a role.
-
-
-
Method Detail
-
isSuperUser
default java.util.concurrent.CompletableFuture<java.lang.Boolean> isSuperUser(java.lang.String role, AuthenticationDataSource authenticationData, ServiceConfiguration serviceConfiguration)
Check if specified role is a super user.
- Parameters:
role - the role to check
authenticationData - authentication data related to the role
- Returns:
- a CompletableFuture containing a boolean in which true means the role is a super user and false if it is not
-
isSuperUser
default java.util.concurrent.CompletableFuture<java.lang.Boolean> isSuperUser(java.lang.String role, ServiceConfiguration serviceConfiguration)
Deprecated. Use method isSuperUser(String, AuthenticationDataSource, ServiceConfiguration)
Check if specified role is a super user
- Parameters:
role - the role to check
- Returns:
- a CompletableFuture containing a boolean in which true means the role is a super user and false if it is not
-
isTenantAdmin
default java.util.concurrent.CompletableFuture<java.lang.Boolean> isTenantAdmin(java.lang.String tenant, java.lang.String role, org.apache.pulsar.common.policies.data.TenantInfo tenantInfo, AuthenticationDataSource authenticationData)
Check if specified role is an admin of the tenant.
- Parameters:
tenant - the tenant to check
role - the role to check
- Returns:
- a CompletableFuture containing a boolean in which true means the role is an admin user and false if it is not
-
initialize
@Deprecated default void initialize(ServiceConfiguration conf, ConfigurationCacheService configCache) throws java.io.IOException
Deprecated. ConfigurationCacheService is not supported anymore as a way to get access to metadata.
Perform initialization for the authorization provider.
- Parameters:
conf - broker config object
configCache - pulsar zk configuration cache service
- Throws:
java.io.IOException - if the initialization fails
- See Also:
initialize(ServiceConfiguration, PulsarResources)
-
initialize
default void initialize(ServiceConfiguration conf, PulsarResources pulsarResources) throws java.io.IOException
Perform initialization for the authorization provider.
- Parameters:
conf - broker config object
pulsarResources - Resources component for access to metadata
- Throws:
java.io.IOException - if the initialization fails
-
canProduceAsync
java.util.concurrent.CompletableFuture<java.lang.Boolean> canProduceAsync(org.apache.pulsar.common.naming.TopicName topicName, java.lang.String role, AuthenticationDataSource authenticationData)
Check if the specified role has permission to send messages to the specified fully qualified topic name.
- Parameters:
topicName - the fully qualified topic name associated with the topic.
role - the app id used to send messages to the topic.
-
canConsumeAsync
java.util.concurrent.CompletableFuture<java.lang.Boolean> canConsumeAsync(org.apache.pulsar.common.naming.TopicName topicName, java.lang.String role, AuthenticationDataSource authenticationData, java.lang.String subscription)
Check if the specified role has permission to receive messages from the specified fully qualified topic name.
- Parameters:
topicName - the fully qualified topic name associated with the topic.
role - the app id used to receive messages from the topic.
subscription - the subscription name defined by the client
-
canLookupAsync
java.util.concurrent.CompletableFuture<java.lang.Boolean> canLookupAsync(org.apache.pulsar.common.naming.TopicName topicName, java.lang.String role, AuthenticationDataSource authenticationData)
Check whether the specified role can perform a lookup for the specified topic. For that the caller needs to have producer or consumer permission.
- Parameters:
topicName -
role -
- Returns:
- Throws:
java.lang.Exception
-
allowFunctionOpsAsync
java.util.concurrent.CompletableFuture<java.lang.Boolean> allowFunctionOpsAsync(org.apache.pulsar.common.naming.NamespaceName namespaceName, java.lang.String role, AuthenticationDataSource authenticationData)
Allow all function operations within this namespace.
- Parameters:
namespaceName - The namespace that the function operations can be executed in
role - The role to check
authenticationData - authentication data related to the role
- Returns:
- a boolean to determine whether authorized or not
-
allowSourceOpsAsync
java.util.concurrent.CompletableFuture<java.lang.Boolean> allowSourceOpsAsync(org.apache.pulsar.common.naming.NamespaceName namespaceName, java.lang.String role, AuthenticationDataSource authenticationData)
Allow all source operations within this namespace.
- Parameters:
namespaceName - The namespace that the sources operations can be executed in
role - The role to check
authenticationData - authentication data related to the role
- Returns:
- a boolean to determine whether authorized or not
-
allowSinkOpsAsync
java.util.concurrent.CompletableFuture<java.lang.Boolean> allowSinkOpsAsync(org.apache.pulsar.common.naming.NamespaceName namespaceName, java.lang.String role, AuthenticationDataSource authenticationData)
Allow all sink operations within this namespace.
- Parameters:
namespaceName - The namespace that the sink operations can be executed in
role - The role to check
authenticationData - authentication data related to the role
- Returns:
- a boolean to determine whether authorized or not
-
grantPermissionAsync
java.util.concurrent.CompletableFuture<java.lang.Void> grantPermissionAsync(org.apache.pulsar.common.naming.NamespaceName namespace, java.util.Set<org.apache.pulsar.common.policies.data.AuthAction> actions, java.lang.String role, java.lang.String authDataJson)
Grant authorization-action permission on a namespace to the given client. NOTE: used to complete with IllegalArgumentException when namespace not found or with IllegalStateException when failed to grant permission. This behavior is now deprecated. Please use the appropriate MetadataStoreException.
- Parameters:
namespace -
actions -
role -
authDataJson - additional authdata in json format
- Returns:
- CompletableFuture
-
grantSubscriptionPermissionAsync
java.util.concurrent.CompletableFuture<java.lang.Void> grantSubscriptionPermissionAsync(org.apache.pulsar.common.naming.NamespaceName namespace, java.lang.String subscriptionName, java.util.Set<java.lang.String> roles, java.lang.String authDataJson)
Grant permission to roles that can access subscription-admin api.
- Parameters:
namespace -
subscriptionName -
roles -
authDataJson - additional authdata in json format
- Returns:
-
revokeSubscriptionPermissionAsync
java.util.concurrent.CompletableFuture<java.lang.Void> revokeSubscriptionPermissionAsync(org.apache.pulsar.common.naming.NamespaceName namespace, java.lang.String subscriptionName, java.lang.String role, java.lang.String authDataJson)
Revoke subscription admin-api access for a role.
- Parameters:
namespace -
subscriptionName -
role -
- Returns:
-
grantPermissionAsync
java.util.concurrent.CompletableFuture<java.lang.Void> grantPermissionAsync(org.apache.pulsar.common.naming.TopicName topicName, java.util.Set<org.apache.pulsar.common.policies.data.AuthAction> actions, java.lang.String role, java.lang.String authDataJson)
Grant authorization-action permission on a topic to the given client. NOTE: used to complete with IllegalArgumentException when namespace not found or with IllegalStateException when failed to grant permission. This behavior is now deprecated. Please use the appropriate MetadataStoreException.
- Parameters:
topicName -
role -
authDataJson - additional authdata in json format
- Returns:
- CompletableFuture
-
allowTenantOperationAsync
@Deprecated default java.util.concurrent.CompletableFuture<java.lang.Boolean> allowTenantOperationAsync(java.lang.String tenantName, java.lang.String originalRole, java.lang.String role, org.apache.pulsar.common.policies.data.TenantOperation operation, AuthenticationDataSource authData)
Deprecated.
Grant authorization-action permission on a tenant to the given client.
- Parameters:
tenantName -
originalRole - role not overridden by proxy role if the request does pass through a proxy
role - originalRole | proxyRole if the request didn't pass through proxy
operation -
authData -
- Returns:
- CompletableFuture
-
allowTenantOperation
@Deprecated default java.lang.Boolean allowTenantOperation(java.lang.String tenantName, java.lang.String originalRole, java.lang.String role, org.apache.pulsar.common.policies.data.TenantOperation operation, AuthenticationDataSource authData)
Deprecated.
-
allowTenantOperationAsync
default java.util.concurrent.CompletableFuture<java.lang.Boolean> allowTenantOperationAsync(java.lang.String tenantName, java.lang.String role, org.apache.pulsar.common.policies.data.TenantOperation operation, AuthenticationDataSource authData)
Check if a given role is allowed to execute a given operation on the tenant.
- Parameters:
tenantName - tenant name
role - role name
operation - tenant operation
authData - authenticated data of the role
- Returns:
- a completable future that represents the check result
-
allowTenantOperation
default java.lang.Boolean allowTenantOperation(java.lang.String tenantName, java.lang.String role, org.apache.pulsar.common.policies.data.TenantOperation operation, AuthenticationDataSource authData)
-
allowNamespaceOperationAsync
default java.util.concurrent.CompletableFuture<java.lang.Boolean> allowNamespaceOperationAsync(org.apache.pulsar.common.naming.NamespaceName namespaceName, java.lang.String role, org.apache.pulsar.common.policies.data.NamespaceOperation operation, AuthenticationDataSource authData)
Check if a given role is allowed to execute a given operation on the namespace.
- Parameters:
namespaceName - namespace name
role - role name
operation - namespace operation
authData - authenticated data
- Returns:
- a completable future that represents the check result
-
allowNamespaceOperation
default java.lang.Boolean allowNamespaceOperation(org.apache.pulsar.common.naming.NamespaceName namespaceName, java.lang.String role, org.apache.pulsar.common.policies.data.NamespaceOperation operation, AuthenticationDataSource authData)
-
allowNamespaceOperationAsync
@Deprecated default java.util.concurrent.CompletableFuture<java.lang.Boolean> allowNamespaceOperationAsync(org.apache.pulsar.common.naming.NamespaceName namespaceName, java.lang.String originalRole, java.lang.String role, org.apache.pulsar.common.policies.data.NamespaceOperation operation, AuthenticationDataSource authData)
Deprecated.
Grant authorization-action permission on a namespace to the given client.
- Parameters:
namespaceName -
role -
operation -
authData -
- Returns:
- CompletableFuture
-
allowNamespaceOperation
@Deprecated default java.lang.Boolean allowNamespaceOperation(org.apache.pulsar.common.naming.NamespaceName namespaceName, java.lang.String originalRole, java.lang.String role, org.apache.pulsar.common.policies.data.NamespaceOperation operation, AuthenticationDataSource authData)
Deprecated.
-
allowNamespacePolicyOperationAsync
default java.util.concurrent.CompletableFuture<java.lang.Boolean> allowNamespacePolicyOperationAsync(org.apache.pulsar.common.naming.NamespaceName namespaceName, org.apache.pulsar.common.policies.data.PolicyName policy, org.apache.pulsar.common.policies.data.PolicyOperation operation, java.lang.String role, AuthenticationDataSource authData)
Check if a given role is allowed to execute a given policy operation on the namespace.
- Parameters:
namespaceName - namespace name
policy - policy name
operation - policy operation
role - role name
authData - authenticated data
- Returns:
- a completable future that represents the check result
-
allowNamespacePolicyOperation
default java.lang.Boolean allowNamespacePolicyOperation(org.apache.pulsar.common.naming.NamespaceName namespaceName, org.apache.pulsar.common.policies.data.PolicyName policy, org.apache.pulsar.common.policies.data.PolicyOperation operation, java.lang.String role, AuthenticationDataSource authData)
-
allowNamespacePolicyOperationAsync
@Deprecated default java.util.concurrent.CompletableFuture<java.lang.Boolean> allowNamespacePolicyOperationAsync(org.apache.pulsar.common.naming.NamespaceName namespaceName, org.apache.pulsar.common.policies.data.PolicyName policy, org.apache.pulsar.common.policies.data.PolicyOperation operation, java.lang.String originalRole, java.lang.String role, AuthenticationDataSource authData)
Deprecated.
Grant authorization-action permission on a namespace to the given client.
- Parameters:
namespaceName -
originalRole - role not overridden by proxy role if the request does pass through a proxy
role - originalRole | proxyRole if the request didn't pass through proxy
operation -
authData -
- Returns:
- CompletableFuture
-
allowNamespacePolicyOperation
@Deprecated default java.lang.Boolean allowNamespacePolicyOperation(org.apache.pulsar.common.naming.NamespaceName namespaceName, org.apache.pulsar.common.policies.data.PolicyName policy, org.apache.pulsar.common.policies.data.PolicyOperation operation, java.lang.String originalRole, java.lang.String role, AuthenticationDataSource authData)
Deprecated.
-
allowTopicOperationAsync
default java.util.concurrent.CompletableFuture<java.lang.Boolean> allowTopicOperationAsync(org.apache.pulsar.common.naming.TopicName topic, java.lang.String role, org.apache.pulsar.common.policies.data.TopicOperation operation, AuthenticationDataSource authData)
Check if a given role is allowed to execute a given topic operation on the topic.
- Parameters:
topic - topic name
role - role name
operation - topic operation
authData - authenticated data
- Returns:
- CompletableFuture
-
allowTopicOperation
default java.lang.Boolean allowTopicOperation(org.apache.pulsar.common.naming.TopicName topicName, java.lang.String role, org.apache.pulsar.common.policies.data.TopicOperation operation, AuthenticationDataSource authData)
-
allowTopicOperationAsync
@Deprecated default java.util.concurrent.CompletableFuture<java.lang.Boolean> allowTopicOperationAsync(org.apache.pulsar.common.naming.TopicName topic, java.lang.String originalRole, java.lang.String role, org.apache.pulsar.common.policies.data.TopicOperation operation, AuthenticationDataSource authData)
Deprecated.
Grant authorization-action permission on a topic to the given client.
- Parameters:
topic -
originalRole - role not overridden by proxy role if the request does pass through a proxy
role - originalRole | proxyRole if the request didn't pass through proxy
operation -
authData -
- Returns:
- CompletableFuture
-
allowTopicOperation
@Deprecated default java.lang.Boolean allowTopicOperation(org.apache.pulsar.common.naming.TopicName topicName, java.lang.String originalRole, java.lang.String role, org.apache.pulsar.common.policies.data.TopicOperation operation, AuthenticationDataSource authData)
Deprecated.
-
allowTopicPolicyOperationAsync
default java.util.concurrent.CompletableFuture<java.lang.Boolean> allowTopicPolicyOperationAsync(org.apache.pulsar.common.naming.TopicName topic, java.lang.String role, org.apache.pulsar.common.policies.data.PolicyName policy, org.apache.pulsar.common.policies.data.PolicyOperation operation, AuthenticationDataSource authData)
Check if a given role is allowed to execute a given topic operation on topic's policy.
- Parameters:
topic - topic name
role - role name
operation - topic operation
authData - authenticated data
- Returns:
- CompletableFuture
-
allowTopicPolicyOperation
default java.lang.Boolean allowTopicPolicyOperation(org.apache.pulsar.common.naming.TopicName topicName, java.lang.String role, org.apache.pulsar.common.policies.data.PolicyName policy, org.apache.pulsar.common.policies.data.PolicyOperation operation, AuthenticationDataSource authData)
-
-
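Example implementation of the abstract methods documented above, added here for illustration; it is not code from Apache Pulsar. It denies by default, treats a missing role as a denial, and implements canLookupAsync as "producer or consumer permission", as the canLookupAsync description requires. The class name InMemoryAuthorizationProvider, the in-memory maps and the key format are assumptions, the import packages of AuthenticationDataSource and AuthorizationProvider are those of Pulsar's broker module and should be checked against the version in use, and all default methods are left as inherited.

```java
import java.util.Collections;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.CompletableFuture;
import java.util.concurrent.ConcurrentHashMap;
import org.apache.pulsar.broker.authentication.AuthenticationDataSource;
import org.apache.pulsar.broker.authorization.AuthorizationProvider;
import org.apache.pulsar.common.naming.NamespaceName;
import org.apache.pulsar.common.naming.TopicName;
import org.apache.pulsar.common.policies.data.AuthAction;

/** Hypothetical deny-by-default provider; grants are held in memory for illustration only. */
public class InMemoryAuthorizationProvider implements AuthorizationProvider {
    // "<namespace-or-topic>|<role>" -> actions granted through grantPermissionAsync
    private final Map<String, Set<AuthAction>> grants = new ConcurrentHashMap<>();
    // "<namespace>|<subscription>" -> roles registered for that subscription
    private final Map<String, Set<String>> subscriptionRoles = new ConcurrentHashMap<>();

    private boolean granted(String resource, String role, AuthAction action) {
        // No role (unauthenticated caller) or no matching entry means denial.
        return role != null && grants.getOrDefault(resource + "|" + role, Collections.emptySet()).contains(action);
    }
    private CompletableFuture<Boolean> check(TopicName t, String role, AuthAction a) {
        // A grant on the (partition-stripped) topic or on its enclosing namespace is sufficient.
        return CompletableFuture.completedFuture(
                granted(t.getPartitionedTopicName(), role, a) || granted(t.getNamespace(), role, a));
    }
    private CompletableFuture<Void> grant(String resource, Set<AuthAction> actions, String role) {
        grants.computeIfAbsent(resource + "|" + role, k -> ConcurrentHashMap.newKeySet()).addAll(actions);
        return CompletableFuture.completedFuture(null);
    }

    @Override public CompletableFuture<Boolean> canProduceAsync(TopicName t, String role, AuthenticationDataSource d) {
        return check(t, role, AuthAction.produce);
    }
    @Override public CompletableFuture<Boolean> canConsumeAsync(TopicName t, String role, AuthenticationDataSource d,
            String subscription) {
        // When roles are registered for the subscription, the caller must be one of them.
        Set<String> allowed = subscriptionRoles.get(t.getNamespace() + "|" + subscription);
        boolean subOk = allowed == null || allowed.isEmpty() || (role != null && allowed.contains(role));
        return check(t, role, AuthAction.consume).thenApply(ok -> ok && subOk);
    }
    @Override public CompletableFuture<Boolean> canLookupAsync(TopicName t, String role, AuthenticationDataSource d) {
        // Lookup requires producer or consumer permission.
        return check(t, role, AuthAction.produce).thenCombine(check(t, role, AuthAction.consume), (p, c) -> p || c);
    }
    @Override public CompletableFuture<Boolean> allowFunctionOpsAsync(NamespaceName ns, String role, AuthenticationDataSource d) {
        return CompletableFuture.completedFuture(granted(ns.toString(), role, AuthAction.functions));
    }
    @Override public CompletableFuture<Boolean> allowSourceOpsAsync(NamespaceName ns, String role, AuthenticationDataSource d) {
        return CompletableFuture.completedFuture(granted(ns.toString(), role, AuthAction.sources));
    }
    @Override public CompletableFuture<Boolean> allowSinkOpsAsync(NamespaceName ns, String role, AuthenticationDataSource d) {
        return CompletableFuture.completedFuture(granted(ns.toString(), role, AuthAction.sinks));
    }
    @Override public CompletableFuture<Void> grantPermissionAsync(NamespaceName ns, Set<AuthAction> actions, String role,
            String authDataJson) {
        return grant(ns.toString(), actions, role);
    }
    @Override public CompletableFuture<Void> grantPermissionAsync(TopicName t, Set<AuthAction> actions, String role,
            String authDataJson) {
        return grant(t.getPartitionedTopicName(), actions, role);
    }
    @Override public CompletableFuture<Void> grantSubscriptionPermissionAsync(NamespaceName ns, String subscriptionName,
            Set<String> roles, String authDataJson) {
        subscriptionRoles.computeIfAbsent(ns + "|" + subscriptionName, k -> ConcurrentHashMap.newKeySet()).addAll(roles);
        return CompletableFuture.completedFuture(null);
    }
    @Override public CompletableFuture<Void> revokeSubscriptionPermissionAsync(NamespaceName ns, String subscriptionName,
            String role, String authDataJson) {
        if (role != null) subscriptionRoles.computeIfPresent(ns + "|" + subscriptionName, (k, r) -> { r.remove(role); return r; });
        return CompletableFuture.completedFuture(null);
    }
    @Override public void close() { }
}
```

In this example, revoking the last role registered for a subscription leaves an empty set, which canConsumeAsync treats as "no subscription restriction", so any role with a consume grant can then use that subscription.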