Package org.apache.pulsar.broker.authorization

Class MultiRolesTokenAuthorizationProvider

    • Constructor Detail

      • MultiRolesTokenAuthorizationProvider

        public MultiRolesTokenAuthorizationProvider()

    • Method Detail

      • isSuperUser

        public java.util.concurrent.CompletableFuture<java.lang.Boolean> isSuperUser​(java.lang.String role,
                                                                             AuthenticationDataSource authenticationData,
                                                                             ServiceConfiguration serviceConfiguration)
        Description copied from interface: AuthorizationProvider
        Check if specified role is a super user.
        Parameters:
        role - the role to check
        authenticationData - authentication data related to the role
        Returns:
        a CompletableFuture containing a boolean in which true means the role is a super user and false if it is not

      • authorize

        public java.util.concurrent.CompletableFuture<java.lang.Boolean> authorize​(AuthenticationDataSource authenticationData,
                                                                           java.util.function.Function<java.lang.String,​java.util.concurrent.CompletableFuture<java.lang.Boolean>> authorizeFunc)

      • canProduceAsync

        public java.util.concurrent.CompletableFuture<java.lang.Boolean> canProduceAsync​(org.apache.pulsar.common.naming.TopicName topicName,
                                                                                 java.lang.String role,
                                                                                 AuthenticationDataSource authenticationData)
        Check if the specified role has permission to send messages to the specified fully qualified topic name.
        Specified by:
        canProduceAsync in interface AuthorizationProvider
        Overrides:
        canProduceAsync in class PulsarAuthorizationProvider
        Parameters:
        topicName - the fully qualified topic name associated with the topic.
        role - the app id used to send messages to the topic.

      • canConsumeAsync

        public java.util.concurrent.CompletableFuture<java.lang.Boolean> canConsumeAsync​(org.apache.pulsar.common.naming.TopicName topicName,
                                                                                 java.lang.String role,
                                                                                 AuthenticationDataSource authenticationData,
                                                                                 java.lang.String subscription)
        Check if the specified role has permission to receive messages from the specified fully qualified topic name.
        Specified by:
        canConsumeAsync in interface AuthorizationProvider
        Overrides:
        canConsumeAsync in class PulsarAuthorizationProvider
        Parameters:
        topicName - the fully qualified topic name associated with the topic.
        role - the app id used to receive messages from the topic.
        subscription - the subscription name defined by the client

      • canLookupAsync

        public java.util.concurrent.CompletableFuture<java.lang.Boolean> canLookupAsync​(org.apache.pulsar.common.naming.TopicName topicName,
                                                                                java.lang.String role,
                                                                                AuthenticationDataSource authenticationData)
        Check whether the specified role can perform a lookup for the specified topic.

        For that the caller needs to have producer or consumer permission.

        Specified by:
        canLookupAsync in interface AuthorizationProvider
        Overrides:
        canLookupAsync in class PulsarAuthorizationProvider
        Parameters:
        topicName -
        role -
        Returns:
        Throws:
        java.lang.Exception

      • allowFunctionOpsAsync

        public java.util.concurrent.CompletableFuture<java.lang.Boolean> allowFunctionOpsAsync​(org.apache.pulsar.common.naming.NamespaceName namespaceName,
                                                                                       java.lang.String role,
                                                                                       AuthenticationDataSource authenticationData)
        Description copied from interface: AuthorizationProvider
        Allow all function operations with in this namespace.
        Specified by:
        allowFunctionOpsAsync in interface AuthorizationProvider
        Overrides:
        allowFunctionOpsAsync in class PulsarAuthorizationProvider
        Parameters:
        namespaceName - The namespace that the function operations can be executed in
        role - The role to check
        authenticationData - authentication data related to the role
        Returns:
        a boolean to determine whether authorized or not

      • allowSourceOpsAsync

        public java.util.concurrent.CompletableFuture<java.lang.Boolean> allowSourceOpsAsync​(org.apache.pulsar.common.naming.NamespaceName namespaceName,
                                                                                     java.lang.String role,
                                                                                     AuthenticationDataSource authenticationData)
        Description copied from interface: AuthorizationProvider
        Allow all source operations with in this namespace.
        Specified by:
        allowSourceOpsAsync in interface AuthorizationProvider
        Overrides:
        allowSourceOpsAsync in class PulsarAuthorizationProvider
        Parameters:
        namespaceName - The namespace that the sources operations can be executed in
        role - The role to check
        authenticationData - authentication data related to the role
        Returns:
        a boolean to determine whether authorized or not

      • allowSinkOpsAsync

        public java.util.concurrent.CompletableFuture<java.lang.Boolean> allowSinkOpsAsync​(org.apache.pulsar.common.naming.NamespaceName namespaceName,
                                                                                   java.lang.String role,
                                                                                   AuthenticationDataSource authenticationData)
        Description copied from interface: AuthorizationProvider
        Allow all sink operations with in this namespace.
        Specified by:
        allowSinkOpsAsync in interface AuthorizationProvider
        Overrides:
        allowSinkOpsAsync in class PulsarAuthorizationProvider
        Parameters:
        namespaceName - The namespace that the sink operations can be executed in
        role - The role to check
        authenticationData - authentication data related to the role
        Returns:
        a boolean to determine whether authorized or not

      • allowTenantOperationAsync

        public java.util.concurrent.CompletableFuture<java.lang.Boolean> allowTenantOperationAsync​(java.lang.String tenantName,
                                                                                           java.lang.String role,
                                                                                           org.apache.pulsar.common.policies.data.TenantOperation operation,
                                                                                           AuthenticationDataSource authData)
        Description copied from interface: AuthorizationProvider
        Check if a given role is allowed to execute a given operation on the tenant.
        Specified by:
        allowTenantOperationAsync in interface AuthorizationProvider
        Overrides:
        allowTenantOperationAsync in class PulsarAuthorizationProvider
        Parameters:
        tenantName - tenant name
        role - role name
        operation - tenant operation
        authData - authenticated data of the role
        Returns:
        a completable future represents check result

      • allowNamespaceOperationAsync

        public java.util.concurrent.CompletableFuture<java.lang.Boolean> allowNamespaceOperationAsync​(org.apache.pulsar.common.naming.NamespaceName namespaceName,
                                                                                              java.lang.String role,
                                                                                              org.apache.pulsar.common.policies.data.NamespaceOperation operation,
                                                                                              AuthenticationDataSource authData)
        Description copied from interface: AuthorizationProvider
        Check if a given role is allowed to execute a given operation on the namespace.
        Specified by:
        allowNamespaceOperationAsync in interface AuthorizationProvider
        Overrides:
        allowNamespaceOperationAsync in class PulsarAuthorizationProvider
        Parameters:
        namespaceName - namespace name
        role - role name
        operation - namespace operation
        authData - authenticated data
        Returns:
        a completable future represents check result

      • allowNamespacePolicyOperationAsync

        public java.util.concurrent.CompletableFuture<java.lang.Boolean> allowNamespacePolicyOperationAsync​(org.apache.pulsar.common.naming.NamespaceName namespaceName,
                                                                                                    org.apache.pulsar.common.policies.data.PolicyName policy,
                                                                                                    org.apache.pulsar.common.policies.data.PolicyOperation operation,
                                                                                                    java.lang.String role,
                                                                                                    AuthenticationDataSource authData)
        Description copied from interface: AuthorizationProvider
        Check if a given role is allowed to execute a given policy operation on the namespace.
        Specified by:
        allowNamespacePolicyOperationAsync in interface AuthorizationProvider
        Overrides:
        allowNamespacePolicyOperationAsync in class PulsarAuthorizationProvider
        Parameters:
        namespaceName - namespace name
        policy - policy name
        operation - policy operation
        role - role name
        authData - authenticated data
        Returns:
        a completable future represents check result

      • allowTopicOperationAsync

        public java.util.concurrent.CompletableFuture<java.lang.Boolean> allowTopicOperationAsync​(org.apache.pulsar.common.naming.TopicName topicName,
                                                                                          java.lang.String role,
                                                                                          org.apache.pulsar.common.policies.data.TopicOperation operation,
                                                                                          AuthenticationDataSource authData)
        Description copied from interface: AuthorizationProvider
        Check if a given role is allowed to execute a given topic operation on the topic.
        Specified by:
        allowTopicOperationAsync in interface AuthorizationProvider
        Overrides:
        allowTopicOperationAsync in class PulsarAuthorizationProvider
        Parameters:
        topicName - topic name
        role - role name
        operation - topic operation
        authData - authenticated data
        Returns:
        CompletableFuture

      • allowTopicPolicyOperationAsync

        public java.util.concurrent.CompletableFuture<java.lang.Boolean> allowTopicPolicyOperationAsync​(org.apache.pulsar.common.naming.TopicName topicName,
                                                                                                java.lang.String role,
                                                                                                org.apache.pulsar.common.policies.data.PolicyName policyName,
                                                                                                org.apache.pulsar.common.policies.data.PolicyOperation policyOperation,
                                                                                                AuthenticationDataSource authData)
        Description copied from interface: AuthorizationProvider
        Check if a given role is allowed to execute a given topic operation on topic's policy.
        Specified by:
        allowTopicPolicyOperationAsync in interface AuthorizationProvider
        Overrides:
        allowTopicPolicyOperationAsync in class PulsarAuthorizationProvider
        Parameters:
        topicName - topic name
        role - role name
        policyOperation - topic operation
        authData - authenticated data
        Returns:
        CompletableFuture