Class AuthorizationService
- java.lang.Object
-
- org.apache.pulsar.broker.authorization.AuthorizationService
-
public class AuthorizationService extends java.lang.Object
Authorization service that manages a pluggable authorization provider and authorizes requests accordingly.
-
-
Constructor Summary
- AuthorizationService(ServiceConfiguration conf, PulsarResources pulsarResources)
-
Method Summary
Modifier and type, method, and description:
- java.util.concurrent.CompletableFuture<java.lang.Boolean> allowFunctionOpsAsync(org.apache.pulsar.common.naming.NamespaceName namespaceName, java.lang.String role, AuthenticationDataSource authenticationData)
- java.util.concurrent.CompletableFuture<java.lang.Boolean> allowNamespaceOperationAsync(org.apache.pulsar.common.naming.NamespaceName namespaceName, org.apache.pulsar.common.policies.data.NamespaceOperation operation, java.lang.String originalRole, java.lang.String role, AuthenticationDataSource authData)
- java.util.concurrent.CompletableFuture<java.lang.Boolean> allowNamespaceOperationAsync(org.apache.pulsar.common.naming.NamespaceName namespaceName, org.apache.pulsar.common.policies.data.NamespaceOperation operation, java.lang.String role, AuthenticationDataSource authData)
  Grant authorization-action permission on a namespace to the given client.
- boolean allowNamespacePolicyOperation(org.apache.pulsar.common.naming.NamespaceName namespaceName, org.apache.pulsar.common.policies.data.PolicyName policy, org.apache.pulsar.common.policies.data.PolicyOperation operation, java.lang.String originalRole, java.lang.String role, AuthenticationDataSource authData)
- java.util.concurrent.CompletableFuture<java.lang.Boolean> allowNamespacePolicyOperationAsync(org.apache.pulsar.common.naming.NamespaceName namespaceName, org.apache.pulsar.common.policies.data.PolicyName policy, org.apache.pulsar.common.policies.data.PolicyOperation operation, java.lang.String originalRole, java.lang.String role, AuthenticationDataSource authData)
- java.util.concurrent.CompletableFuture<java.lang.Boolean> allowNamespacePolicyOperationAsync(org.apache.pulsar.common.naming.NamespaceName namespaceName, org.apache.pulsar.common.policies.data.PolicyName policy, org.apache.pulsar.common.policies.data.PolicyOperation operation, java.lang.String role, AuthenticationDataSource authData)
  Grant authorization-action permission on a namespace to the given client.
- java.util.concurrent.CompletableFuture<java.lang.Boolean> allowSinkOpsAsync(org.apache.pulsar.common.naming.NamespaceName namespaceName, java.lang.String role, AuthenticationDataSource authenticationData)
- java.util.concurrent.CompletableFuture<java.lang.Boolean> allowSourceOpsAsync(org.apache.pulsar.common.naming.NamespaceName namespaceName, java.lang.String role, AuthenticationDataSource authenticationData)
- boolean allowTenantOperation(java.lang.String tenantName, org.apache.pulsar.common.policies.data.TenantOperation operation, java.lang.String originalRole, java.lang.String role, AuthenticationDataSource authData)
- java.util.concurrent.CompletableFuture<java.lang.Boolean> allowTenantOperationAsync(java.lang.String tenantName, org.apache.pulsar.common.policies.data.TenantOperation operation, java.lang.String originalRole, java.lang.String role, AuthenticationDataSource authData)
- java.util.concurrent.CompletableFuture<java.lang.Boolean> allowTenantOperationAsync(java.lang.String tenantName, org.apache.pulsar.common.policies.data.TenantOperation operation, java.lang.String role, AuthenticationDataSource authData)
  Grant authorization-action permission on a tenant to the given client.
- java.lang.Boolean allowTopicOperation(org.apache.pulsar.common.naming.TopicName topicName, org.apache.pulsar.common.policies.data.TopicOperation operation, java.lang.String originalRole, java.lang.String role, AuthenticationDataSource authData)
- java.util.concurrent.CompletableFuture<java.lang.Boolean> allowTopicOperationAsync(org.apache.pulsar.common.naming.TopicName topicName, org.apache.pulsar.common.policies.data.TopicOperation operation, java.lang.String originalRole, java.lang.String role, AuthenticationDataSource authData)
- java.util.concurrent.CompletableFuture<java.lang.Boolean> allowTopicOperationAsync(org.apache.pulsar.common.naming.TopicName topicName, org.apache.pulsar.common.policies.data.TopicOperation operation, java.lang.String role, AuthenticationDataSource authData)
  Grant authorization-action permission on a topic to the given client.
- java.lang.Boolean allowTopicPolicyOperation(org.apache.pulsar.common.naming.TopicName topicName, org.apache.pulsar.common.policies.data.PolicyName policy, org.apache.pulsar.common.policies.data.PolicyOperation operation, java.lang.String originalRole, java.lang.String role, AuthenticationDataSource authData)
- java.util.concurrent.CompletableFuture<java.lang.Boolean> allowTopicPolicyOperationAsync(org.apache.pulsar.common.naming.TopicName topicName, org.apache.pulsar.common.policies.data.PolicyName policy, org.apache.pulsar.common.policies.data.PolicyOperation operation, java.lang.String originalRole, java.lang.String role, AuthenticationDataSource authData)
- java.util.concurrent.CompletableFuture<java.lang.Boolean> allowTopicPolicyOperationAsync(org.apache.pulsar.common.naming.TopicName topicName, org.apache.pulsar.common.policies.data.PolicyName policy, org.apache.pulsar.common.policies.data.PolicyOperation operation, java.lang.String role, AuthenticationDataSource authData)
  Grant authorization-action permission on a topic to the given client.
- boolean canConsume(org.apache.pulsar.common.naming.TopicName topicName, java.lang.String role, AuthenticationDataSource authenticationData, java.lang.String subscription)
- java.util.concurrent.CompletableFuture<java.lang.Boolean> canConsumeAsync(org.apache.pulsar.common.naming.TopicName topicName, java.lang.String role, AuthenticationDataSource authenticationData, java.lang.String subscription)
  Check if the specified role has permission to receive messages from the specified fully qualified topic name.
- boolean canLookup(org.apache.pulsar.common.naming.TopicName topicName, java.lang.String role, AuthenticationDataSource authenticationData)
  Check whether the specified role can perform a lookup for the specified topic.
- java.util.concurrent.CompletableFuture<java.lang.Boolean> canLookupAsync(org.apache.pulsar.common.naming.TopicName topicName, java.lang.String role, AuthenticationDataSource authenticationData)
  Check whether the specified role can perform a lookup for the specified topic.
- boolean canProduce(org.apache.pulsar.common.naming.TopicName topicName, java.lang.String role, AuthenticationDataSource authenticationData)
- java.util.concurrent.CompletableFuture<java.lang.Boolean> canProduceAsync(org.apache.pulsar.common.naming.TopicName topicName, java.lang.String role, AuthenticationDataSource authenticationData)
  Check if the specified role has permission to send messages to the specified fully qualified topic name.
- java.util.concurrent.CompletableFuture<java.lang.Void> grantPermissionAsync(org.apache.pulsar.common.naming.NamespaceName namespace, java.util.Set<org.apache.pulsar.common.policies.data.AuthAction> actions, java.lang.String role, java.lang.String authDataJson)
  Grant authorization-action permission on a namespace to the given client.
- java.util.concurrent.CompletableFuture<java.lang.Void> grantPermissionAsync(org.apache.pulsar.common.naming.TopicName topicname, java.util.Set<org.apache.pulsar.common.policies.data.AuthAction> actions, java.lang.String role, java.lang.String authDataJson)
  Grant authorization-action permission on a topic to the given client.
- java.util.concurrent.CompletableFuture<java.lang.Void> grantSubscriptionPermissionAsync(org.apache.pulsar.common.naming.NamespaceName namespace, java.lang.String subscriptionName, java.util.Set<java.lang.String> roles, java.lang.String authDataJson)
  Grant permission to roles that can access subscription-admin api.
- java.util.concurrent.CompletableFuture<java.lang.Boolean> isSuperUser(java.lang.String user, AuthenticationDataSource authenticationData)
- java.util.concurrent.CompletableFuture<java.lang.Boolean> isTenantAdmin(java.lang.String tenant, java.lang.String role, org.apache.pulsar.common.policies.data.TenantInfo tenantInfo, AuthenticationDataSource authenticationData)
- java.util.concurrent.CompletableFuture<java.lang.Void> revokeSubscriptionPermissionAsync(org.apache.pulsar.common.naming.NamespaceName namespace, java.lang.String subscriptionName, java.lang.String role, java.lang.String authDataJson)
  Revoke subscription admin-api access for a role.
-
-
-
Constructor Detail
-
AuthorizationService
public AuthorizationService(ServiceConfiguration conf, PulsarResources pulsarResources) throws PulsarServerException
- Throws:
PulsarServerException
-
-
Method Detail
-
isSuperUser
public java.util.concurrent.CompletableFuture<java.lang.Boolean> isSuperUser(java.lang.String user, AuthenticationDataSource authenticationData)
-
isTenantAdmin
public java.util.concurrent.CompletableFuture<java.lang.Boolean> isTenantAdmin(java.lang.String tenant, java.lang.String role, org.apache.pulsar.common.policies.data.TenantInfo tenantInfo, AuthenticationDataSource authenticationData)
-
grantPermissionAsync
public java.util.concurrent.CompletableFuture<java.lang.Void> grantPermissionAsync(org.apache.pulsar.common.naming.NamespaceName namespace, java.util.Set<org.apache.pulsar.common.policies.data.AuthAction> actions, java.lang.String role, java.lang.String authDataJson)
Grant authorization-action permission on a namespace to the given client. NOTE: used to complete with IllegalArgumentException when namespace not found or with IllegalStateException when failed to grant permission.
- Parameters:
namespace -
actions -
role -
authDataJson - additional authdata in json for targeted authorization provider
-
grantSubscriptionPermissionAsync
public java.util.concurrent.CompletableFuture<java.lang.Void> grantSubscriptionPermissionAsync(org.apache.pulsar.common.naming.NamespaceName namespace, java.lang.String subscriptionName, java.util.Set<java.lang.String> roles, java.lang.String authDataJson)
Grant permission to roles that can access subscription-admin api.
- Parameters:
namespace -
subscriptionName -
roles -
authDataJson - additional authdata in json for targeted authorization provider
- Returns:
-
revokeSubscriptionPermissionAsync
public java.util.concurrent.CompletableFuture<java.lang.Void> revokeSubscriptionPermissionAsync(org.apache.pulsar.common.naming.NamespaceName namespace, java.lang.String subscriptionName, java.lang.String role, java.lang.String authDataJson)
Revoke subscription admin-api access for a role.
- Parameters:
namespace -
subscriptionName -
role -
- Returns:
-
grantPermissionAsync
public java.util.concurrent.CompletableFuture<java.lang.Void> grantPermissionAsync(org.apache.pulsar.common.naming.TopicName topicname, java.util.Set<org.apache.pulsar.common.policies.data.AuthAction> actions, java.lang.String role, java.lang.String authDataJson)
Grant authorization-action permission on a topic to the given client. NOTE: used to complete with IllegalArgumentException when namespace not found or with IllegalStateException when failed to grant permission.
- Parameters:
topicname -
role -
authDataJson - additional authdata in json for targeted authorization provider
-
canProduceAsync
public java.util.concurrent.CompletableFuture<java.lang.Boolean> canProduceAsync(org.apache.pulsar.common.naming.TopicName topicName, java.lang.String role, AuthenticationDataSource authenticationData)
Check if the specified role has permission to send messages to the specified fully qualified topic name.
- Parameters:
topicName - the fully qualified topic name associated with the topic.
role - the app id used to send messages to the topic.
-
canConsumeAsync
public java.util.concurrent.CompletableFuture<java.lang.Boolean> canConsumeAsync(org.apache.pulsar.common.naming.TopicName topicName, java.lang.String role, AuthenticationDataSource authenticationData, java.lang.String subscription)
Check if the specified role has permission to receive messages from the specified fully qualified topic name.
- Parameters:
topicName - the fully qualified topic name associated with the topic.
role - the app id used to receive messages from the topic.
subscription - the subscription name defined by the client
-
canProduce
public boolean canProduce(org.apache.pulsar.common.naming.TopicName topicName, java.lang.String role, AuthenticationDataSource authenticationData) throws java.lang.Exception
- Throws:
java.lang.Exception
-
canConsume
public boolean canConsume(org.apache.pulsar.common.naming.TopicName topicName, java.lang.String role, AuthenticationDataSource authenticationData, java.lang.String subscription) throws java.lang.Exception
- Throws:
java.lang.Exception
-
canLookup
public boolean canLookup(org.apache.pulsar.common.naming.TopicName topicName, java.lang.String role, AuthenticationDataSource authenticationData) throws java.lang.Exception
Check whether the specified role can perform a lookup for the specified topic. For that the caller needs to have producer or consumer permission.
- Parameters:
topicName -
role -
- Returns:
- Throws:
java.lang.Exception
-
canLookupAsync
public java.util.concurrent.CompletableFuture<java.lang.Boolean> canLookupAsync(org.apache.pulsar.common.naming.TopicName topicName, java.lang.String role, AuthenticationDataSource authenticationData)
Check whether the specified role can perform a lookup for the specified topic. For that the caller needs to have producer or consumer permission.
- Parameters:
topicName -
role -
- Returns:
- Throws:
java.lang.Exception
-
allowFunctionOpsAsync
public java.util.concurrent.CompletableFuture<java.lang.Boolean> allowFunctionOpsAsync(org.apache.pulsar.common.naming.NamespaceName namespaceName, java.lang.String role, AuthenticationDataSource authenticationData)
-
allowSourceOpsAsync
public java.util.concurrent.CompletableFuture<java.lang.Boolean> allowSourceOpsAsync(org.apache.pulsar.common.naming.NamespaceName namespaceName, java.lang.String role, AuthenticationDataSource authenticationData)
-
allowSinkOpsAsync
public java.util.concurrent.CompletableFuture<java.lang.Boolean> allowSinkOpsAsync(org.apache.pulsar.common.naming.NamespaceName namespaceName, java.lang.String role, AuthenticationDataSource authenticationData)
-
allowTenantOperationAsync
public java.util.concurrent.CompletableFuture<java.lang.Boolean> allowTenantOperationAsync(java.lang.String tenantName, org.apache.pulsar.common.policies.data.TenantOperation operation, java.lang.String role, AuthenticationDataSource authData)
Grant authorization-action permission on a tenant to the given client.
- Parameters:
tenantName - tenant name
operation - tenant operation
role - role name
authData - additional authdata in json for targeted authorization provider
- Returns:
- IllegalArgumentException when tenant not found
- Throws:
java.lang.IllegalStateException - when failed to grant permission
-
allowTenantOperationAsync
public java.util.concurrent.CompletableFuture<java.lang.Boolean> allowTenantOperationAsync(java.lang.String tenantName, org.apache.pulsar.common.policies.data.TenantOperation operation, java.lang.String originalRole, java.lang.String role, AuthenticationDataSource authData)
-
allowTenantOperation
public boolean allowTenantOperation(java.lang.String tenantName, org.apache.pulsar.common.policies.data.TenantOperation operation, java.lang.String originalRole, java.lang.String role, AuthenticationDataSource authData) throws java.lang.Exception
- Throws:
java.lang.Exception
-
allowNamespaceOperationAsync
public java.util.concurrent.CompletableFuture<java.lang.Boolean> allowNamespaceOperationAsync(org.apache.pulsar.common.naming.NamespaceName namespaceName, org.apache.pulsar.common.policies.data.NamespaceOperation operation, java.lang.String role, AuthenticationDataSource authData)
Grant authorization-action permission on a namespace to the given client.
- Parameters:
namespaceName -
operation -
role -
authData - additional authdata in json for targeted authorization provider
- Returns:
- IllegalArgumentException when namespace not found
- Throws:
java.lang.IllegalStateException - when failed to grant permission
-
allowNamespaceOperationAsync
public java.util.concurrent.CompletableFuture<java.lang.Boolean> allowNamespaceOperationAsync(org.apache.pulsar.common.naming.NamespaceName namespaceName, org.apache.pulsar.common.policies.data.NamespaceOperation operation, java.lang.String originalRole, java.lang.String role, AuthenticationDataSource authData)
-
allowNamespacePolicyOperationAsync
public java.util.concurrent.CompletableFuture<java.lang.Boolean> allowNamespacePolicyOperationAsync(org.apache.pulsar.common.naming.NamespaceName namespaceName, org.apache.pulsar.common.policies.data.PolicyName policy, org.apache.pulsar.common.policies.data.PolicyOperation operation, java.lang.String role, AuthenticationDataSource authData)
Grant authorization-action permission on a namespace to the given client.
- Parameters:
namespaceName -
operation -
role -
authData - additional authdata in json for targeted authorization provider
- Returns:
- IllegalArgumentException when namespace not found
- Throws:
java.lang.IllegalStateException - when failed to grant permission
-
allowNamespacePolicyOperationAsync
public java.util.concurrent.CompletableFuture<java.lang.Boolean> allowNamespacePolicyOperationAsync(org.apache.pulsar.common.naming.NamespaceName namespaceName, org.apache.pulsar.common.policies.data.PolicyName policy, org.apache.pulsar.common.policies.data.PolicyOperation operation, java.lang.String originalRole, java.lang.String role, AuthenticationDataSource authData)
-
allowNamespacePolicyOperation
public boolean allowNamespacePolicyOperation(org.apache.pulsar.common.naming.NamespaceName namespaceName, org.apache.pulsar.common.policies.data.PolicyName policy, org.apache.pulsar.common.policies.data.PolicyOperation operation, java.lang.String originalRole, java.lang.String role, AuthenticationDataSource authData) throws java.lang.Exception
- Throws:
java.lang.Exception
-
allowTopicPolicyOperationAsync
public java.util.concurrent.CompletableFuture<java.lang.Boolean> allowTopicPolicyOperationAsync(org.apache.pulsar.common.naming.TopicName topicName, org.apache.pulsar.common.policies.data.PolicyName policy, org.apache.pulsar.common.policies.data.PolicyOperation operation, java.lang.String role, AuthenticationDataSource authData)
Grant authorization-action permission on a topic to the given client.
- Parameters:
topicName -
policy -
operation -
role -
authData - additional authdata in json for targeted authorization provider
- Throws:
java.lang.IllegalStateException - when failed to grant permission
-
allowTopicPolicyOperationAsync
public java.util.concurrent.CompletableFuture<java.lang.Boolean> allowTopicPolicyOperationAsync(org.apache.pulsar.common.naming.TopicName topicName, org.apache.pulsar.common.policies.data.PolicyName policy, org.apache.pulsar.common.policies.data.PolicyOperation operation, java.lang.String originalRole, java.lang.String role, AuthenticationDataSource authData)
-
allowTopicPolicyOperation
public java.lang.Boolean allowTopicPolicyOperation(org.apache.pulsar.common.naming.TopicName topicName, org.apache.pulsar.common.policies.data.PolicyName policy, org.apache.pulsar.common.policies.data.PolicyOperation operation, java.lang.String originalRole, java.lang.String role, AuthenticationDataSource authData) throws java.lang.Exception
- Throws:
java.lang.Exception
-
allowTopicOperationAsync
public java.util.concurrent.CompletableFuture<java.lang.Boolean> allowTopicOperationAsync(org.apache.pulsar.common.naming.TopicName topicName, org.apache.pulsar.common.policies.data.TopicOperation operation, java.lang.String role, AuthenticationDataSource authData)
Grant authorization-action permission on a topic to the given client.
- Parameters:
topicName -
operation -
role -
authData - additional authdata in json for targeted authorization provider
- Returns:
- IllegalArgumentException when namespace not found
- Throws:
java.lang.IllegalStateException - when failed to grant permission
-
allowTopicOperationAsync
public java.util.concurrent.CompletableFuture<java.lang.Boolean> allowTopicOperationAsync(org.apache.pulsar.common.naming.TopicName topicName, org.apache.pulsar.common.policies.data.TopicOperation operation, java.lang.String originalRole, java.lang.String role, AuthenticationDataSource authData)
-
allowTopicOperation
public java.lang.Boolean allowTopicOperation(org.apache.pulsar.common.naming.TopicName topicName, org.apache.pulsar.common.policies.data.TopicOperation operation, java.lang.String originalRole, java.lang.String role, AuthenticationDataSource authData) throws java.lang.Exception
- Throws:
java.lang.Exception
-
-