Class PulsarAuthorizationProvider

    • Method Summary

      Modifier and Type Method Description
      java.util.concurrent.CompletableFuture<java.lang.Boolean> allowFunctionOpsAsync​(org.apache.pulsar.common.naming.NamespaceName namespaceName, java.lang.String role, AuthenticationDataSource authenticationData)
      Allow all function operations within this namespace.
      java.util.concurrent.CompletableFuture<java.lang.Boolean> allowNamespaceOperationAsync​(org.apache.pulsar.common.naming.NamespaceName namespaceName, java.lang.String role, org.apache.pulsar.common.policies.data.NamespaceOperation operation, AuthenticationDataSource authData)
      Check if a given role is allowed to execute a given operation on the namespace.
      java.util.concurrent.CompletableFuture<java.lang.Boolean> allowNamespacePolicyOperationAsync​(org.apache.pulsar.common.naming.NamespaceName namespaceName, org.apache.pulsar.common.policies.data.PolicyName policy, org.apache.pulsar.common.policies.data.PolicyOperation operation, java.lang.String role, AuthenticationDataSource authData)
      Check if a given role is allowed to execute a given policy operation on the namespace.
      java.util.concurrent.CompletableFuture<java.lang.Boolean> allowSinkOpsAsync​(org.apache.pulsar.common.naming.NamespaceName namespaceName, java.lang.String role, AuthenticationDataSource authenticationData)
      Allow all sink operations within this namespace.
      java.util.concurrent.CompletableFuture<java.lang.Boolean> allowSourceOpsAsync​(org.apache.pulsar.common.naming.NamespaceName namespaceName, java.lang.String role, AuthenticationDataSource authenticationData)
      Allow all source operations within this namespace.
      java.util.concurrent.CompletableFuture<java.lang.Boolean> allowTenantOperationAsync​(java.lang.String tenantName, java.lang.String role, org.apache.pulsar.common.policies.data.TenantOperation operation, AuthenticationDataSource authData)
      Check if a given role is allowed to execute a given operation on the tenant.
      java.util.concurrent.CompletableFuture<java.lang.Boolean> allowTopicOperationAsync​(org.apache.pulsar.common.naming.TopicName topicName, java.lang.String role, org.apache.pulsar.common.policies.data.TopicOperation operation, AuthenticationDataSource authData)
      Check if a given role is allowed to execute a given topic operation on the topic.
      java.util.concurrent.CompletableFuture<java.lang.Boolean> allowTopicPolicyOperationAsync​(org.apache.pulsar.common.naming.TopicName topicName, java.lang.String role, org.apache.pulsar.common.policies.data.PolicyName policyName, org.apache.pulsar.common.policies.data.PolicyOperation policyOperation, AuthenticationDataSource authData)
      Check if a given role is allowed to execute a given topic operation on the topic's policy.
      java.util.concurrent.CompletableFuture<java.lang.Boolean> canConsumeAsync​(org.apache.pulsar.common.naming.TopicName topicName, java.lang.String role, AuthenticationDataSource authenticationData, java.lang.String subscription)
      Check if the specified role has permission to receive messages from the specified fully qualified topic name.
      java.util.concurrent.CompletableFuture<java.lang.Boolean> canLookupAsync​(org.apache.pulsar.common.naming.TopicName topicName, java.lang.String role, AuthenticationDataSource authenticationData)
      Check whether the specified role can perform a lookup for the specified topic.
      java.util.concurrent.CompletableFuture<java.lang.Boolean> canProduceAsync​(org.apache.pulsar.common.naming.TopicName topicName, java.lang.String role, AuthenticationDataSource authenticationData)
      Check if the specified role has permission to send messages to the specified fully qualified topic name.
      java.util.concurrent.CompletableFuture<java.lang.Boolean> checkPermission​(org.apache.pulsar.common.naming.TopicName topicName, java.lang.String role, org.apache.pulsar.common.policies.data.AuthAction action)  
      void close()  
      java.util.concurrent.CompletableFuture<java.lang.Void> grantPermissionAsync​(org.apache.pulsar.common.naming.NamespaceName namespaceName, java.util.Set<org.apache.pulsar.common.policies.data.AuthAction> actions, java.lang.String role, java.lang.String authDataJson)
      Grant authorization-action permission on a namespace to the given client.
      java.util.concurrent.CompletableFuture<java.lang.Void> grantPermissionAsync​(org.apache.pulsar.common.naming.TopicName topicName, java.util.Set<org.apache.pulsar.common.policies.data.AuthAction> actions, java.lang.String role, java.lang.String authDataJson)
      Grant authorization-action permission on a topic to the given client.
      java.util.concurrent.CompletableFuture<java.lang.Void> grantSubscriptionPermissionAsync​(org.apache.pulsar.common.naming.NamespaceName namespace, java.lang.String subscriptionName, java.util.Set<java.lang.String> roles, java.lang.String authDataJson)
      Grant permission to roles that can access subscription-admin api.
      void initialize​(ServiceConfiguration conf, PulsarResources pulsarResources)
      Perform initialization for the authorization provider.
      java.util.concurrent.CompletableFuture<java.lang.Void> revokeSubscriptionPermissionAsync​(org.apache.pulsar.common.naming.NamespaceName namespace, java.lang.String subscriptionName, java.lang.String role, java.lang.String authDataJson)
      Revoke subscription admin-api access for a role.
      java.util.concurrent.CompletableFuture<java.lang.Boolean> validateTenantAdminAccess​(java.lang.String tenantName, java.lang.String role, AuthenticationDataSource authData)  
      • Methods inherited from class java.lang.Object

        clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
    • Constructor Detail

      • PulsarAuthorizationProvider

        public PulsarAuthorizationProvider()
      • PulsarAuthorizationProvider

        public PulsarAuthorizationProvider​(ServiceConfiguration conf,
                                           PulsarResources resources)
                                    throws java.io.IOException
        Throws:
        java.io.IOException
    • Method Detail

      • initialize

        public void initialize​(ServiceConfiguration conf,
                               PulsarResources pulsarResources)
                        throws java.io.IOException
        Description copied from interface: AuthorizationProvider
        Perform initialization for the authorization provider.
        Specified by:
        initialize in interface AuthorizationProvider
        Parameters:
        conf - broker config object
        pulsarResources - Resources component for access to metadata
        Throws:
        java.io.IOException - if the initialization fails
      • canProduceAsync

        public java.util.concurrent.CompletableFuture<java.lang.Boolean> canProduceAsync​(org.apache.pulsar.common.naming.TopicName topicName,
                                                                                         java.lang.String role,
                                                                                         AuthenticationDataSource authenticationData)
        Check if the specified role has permission to send messages to the specified fully qualified topic name.
        Specified by:
        canProduceAsync in interface AuthorizationProvider
        Parameters:
        topicName - the fully qualified topic name associated with the topic.
        role - the app id used to send messages to the topic.
      • canConsumeAsync

        public java.util.concurrent.CompletableFuture<java.lang.Boolean> canConsumeAsync​(org.apache.pulsar.common.naming.TopicName topicName,
                                                                                         java.lang.String role,
                                                                                         AuthenticationDataSource authenticationData,
                                                                                         java.lang.String subscription)
        Check if the specified role has permission to receive messages from the specified fully qualified topic name.
        Specified by:
        canConsumeAsync in interface AuthorizationProvider
        Parameters:
        topicName - the fully qualified topic name associated with the topic.
        role - the app id used to receive messages from the topic.
        subscription - the subscription name defined by the client
      • canLookupAsync

        public java.util.concurrent.CompletableFuture<java.lang.Boolean> canLookupAsync​(org.apache.pulsar.common.naming.TopicName topicName,
                                                                                        java.lang.String role,
                                                                                        AuthenticationDataSource authenticationData)
        Check whether the specified role can perform a lookup for the specified topic. To do so, the caller needs to have producer or consumer permission.
        Specified by:
        canLookupAsync in interface AuthorizationProvider
        Parameters:
        topicName -
        role -
        Returns:
        Throws:
        java.lang.Exception
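
        The lookup rule described above (a role may look up a topic if it has producer or consumer permission), as an added example that is not Pulsar's own implementation. `TopicChecks` is a hypothetical stand-in for the two provider checks with `String` in place of `TopicName`, the grants are constructed sample data, and treating a check that completes exceptionally as a denial is an assumption of this sketch.

```java
import java.util.Map;
import java.util.Set;
import java.util.concurrent.CompletableFuture;

public class LookupRuleDemo {

    /** Hypothetical stand-in for the provider's produce/consume checks (String replaces TopicName). */
    interface TopicChecks {
        CompletableFuture<Boolean> canProduceAsync(String topic, String role);
        CompletableFuture<Boolean> canConsumeAsync(String topic, String role, String subscription);
    }

    /** Lookup is allowed when the role may produce OR consume on the topic. */
    static CompletableFuture<Boolean> canLookup(TopicChecks checks, String topic, String role) {
        CompletableFuture<Boolean> produce = failClosed(checks.canProduceAsync(topic, role));
        CompletableFuture<Boolean> consume = failClosed(checks.canConsumeAsync(topic, role, null));
        return produce.thenCombine(consume, (p, c) -> p || c);
    }

    /** Assumption of this sketch: an exceptional or null result counts as "not authorized". */
    static CompletableFuture<Boolean> failClosed(CompletableFuture<Boolean> check) {
        return check.handle((allowed, error) -> error == null && Boolean.TRUE.equals(allowed));
    }

    public static void main(String[] args) {
        // Constructed sample grants, not real Pulsar policy data.
        String topic = "persistent://tenant-a/ns1/orders";
        Map<String, Set<String>> grants = Map.of(
                "producer-app", Set.of("produce"),
                "consumer-app", Set.of("consume"),
                "stranger", Set.of());

        TopicChecks checks = new TopicChecks() {
            @Override
            public CompletableFuture<Boolean> canProduceAsync(String t, String role) {
                if (role.equals("flaky-store")) {
                    // Simulates a backing-store failure during the permission check.
                    return CompletableFuture.failedFuture(
                            new IllegalStateException("metadata unavailable"));
                }
                return CompletableFuture.completedFuture(
                        grants.getOrDefault(role, Set.of()).contains("produce"));
            }

            @Override
            public CompletableFuture<Boolean> canConsumeAsync(String t, String role, String sub) {
                return CompletableFuture.completedFuture(
                        grants.getOrDefault(role, Set.of()).contains("consume"));
            }
        };

        // Roles with either grant pass; the unknown role and the failed check are denied.
        for (String role : new String[] {"producer-app", "consumer-app", "stranger", "flaky-store"}) {
            System.out.println(role + " lookup allowed: " + canLookup(checks, topic, role).join());
        }
    }
}
```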
      • allowFunctionOpsAsync

        public java.util.concurrent.CompletableFuture<java.lang.Boolean> allowFunctionOpsAsync​(org.apache.pulsar.common.naming.NamespaceName namespaceName,
                                                                                               java.lang.String role,
                                                                                               AuthenticationDataSource authenticationData)
        Description copied from interface: AuthorizationProvider
        Allow all function operations within this namespace.
        Specified by:
        allowFunctionOpsAsync in interface AuthorizationProvider
        Parameters:
        namespaceName - The namespace that the function operations can be executed in
        role - The role to check
        authenticationData - authentication data related to the role
        Returns:
        a boolean to determine whether authorized or not
      • allowSourceOpsAsync

        public java.util.concurrent.CompletableFuture<java.lang.Boolean> allowSourceOpsAsync​(org.apache.pulsar.common.naming.NamespaceName namespaceName,
                                                                                             java.lang.String role,
                                                                                             AuthenticationDataSource authenticationData)
        Description copied from interface: AuthorizationProvider
        Allow all source operations within this namespace.
        Specified by:
        allowSourceOpsAsync in interface AuthorizationProvider
        Parameters:
        namespaceName - The namespace that the source operations can be executed in
        role - The role to check
        authenticationData - authentication data related to the role
        Returns:
        a boolean to determine whether authorized or not
      • allowSinkOpsAsync

        public java.util.concurrent.CompletableFuture<java.lang.Boolean> allowSinkOpsAsync​(org.apache.pulsar.common.naming.NamespaceName namespaceName,
                                                                                           java.lang.String role,
                                                                                           AuthenticationDataSource authenticationData)
        Description copied from interface: AuthorizationProvider
        Allow all sink operations within this namespace.
        Specified by:
        allowSinkOpsAsync in interface AuthorizationProvider
        Parameters:
        namespaceName - The namespace that the sink operations can be executed in
        role - The role to check
        authenticationData - authentication data related to the role
        Returns:
        a boolean to determine whether authorized or not
      • grantPermissionAsync

        public java.util.concurrent.CompletableFuture<java.lang.Void> grantPermissionAsync​(org.apache.pulsar.common.naming.TopicName topicName,
                                                                                           java.util.Set<org.apache.pulsar.common.policies.data.AuthAction> actions,
                                                                                           java.lang.String role,
                                                                                           java.lang.String authDataJson)
        Description copied from interface: AuthorizationProvider
        Grant authorization-action permission on a topic to the given client. NOTE: this method used to complete with IllegalArgumentException when the namespace was not found, or with IllegalStateException when it failed to grant permission. This behavior is now deprecated. Please use the appropriate MetadataStoreException.
        Specified by:
        grantPermissionAsync in interface AuthorizationProvider
        Parameters:
        authDataJson - additional auth data in JSON format
        Returns:
        CompletableFuture
      • grantPermissionAsync

        public java.util.concurrent.CompletableFuture<java.lang.Void> grantPermissionAsync​(org.apache.pulsar.common.naming.NamespaceName namespaceName,
                                                                                           java.util.Set<org.apache.pulsar.common.policies.data.AuthAction> actions,
                                                                                           java.lang.String role,
                                                                                           java.lang.String authDataJson)
        Description copied from interface: AuthorizationProvider
        Grant authorization-action permission on a namespace to the given client. NOTE: this method used to complete with IllegalArgumentException when the namespace was not found, or with IllegalStateException when it failed to grant permission. This behavior is now deprecated. Please use the appropriate MetadataStoreException.
        Specified by:
        grantPermissionAsync in interface AuthorizationProvider
        Parameters:
        authDataJson - additional auth data in JSON format
        Returns:
        CompletableFuture
      • grantSubscriptionPermissionAsync

        public java.util.concurrent.CompletableFuture<java.lang.Void> grantSubscriptionPermissionAsync​(org.apache.pulsar.common.naming.NamespaceName namespace,
                                                                                                       java.lang.String subscriptionName,
                                                                                                       java.util.Set<java.lang.String> roles,
                                                                                                       java.lang.String authDataJson)
        Description copied from interface: AuthorizationProvider
        Grant permission to roles that can access subscription-admin api.
        Specified by:
        grantSubscriptionPermissionAsync in interface AuthorizationProvider
        Parameters:
        authDataJson - additional auth data in JSON format
        Returns:
      • revokeSubscriptionPermissionAsync

        public java.util.concurrent.CompletableFuture<java.lang.Void> revokeSubscriptionPermissionAsync​(org.apache.pulsar.common.naming.NamespaceName namespace,
                                                                                                        java.lang.String subscriptionName,
                                                                                                        java.lang.String role,
                                                                                                        java.lang.String authDataJson)
        Description copied from interface: AuthorizationProvider
        Revoke subscription admin-api access for a role.
        Specified by:
        revokeSubscriptionPermissionAsync in interface AuthorizationProvider
        Returns:
      • checkPermission

        public java.util.concurrent.CompletableFuture<java.lang.Boolean> checkPermission​(org.apache.pulsar.common.naming.TopicName topicName,
                                                                                         java.lang.String role,
                                                                                         org.apache.pulsar.common.policies.data.AuthAction action)
      • close

        public void close()
                   throws java.io.IOException
        Specified by:
        close in interface java.lang.AutoCloseable
        Specified by:
        close in interface java.io.Closeable
        Throws:
        java.io.IOException
      • allowTenantOperationAsync

        public java.util.concurrent.CompletableFuture<java.lang.Boolean> allowTenantOperationAsync​(java.lang.String tenantName,
                                                                                                   java.lang.String role,
                                                                                                   org.apache.pulsar.common.policies.data.TenantOperation operation,
                                                                                                   AuthenticationDataSource authData)
        Description copied from interface: AuthorizationProvider
        Check if a given role is allowed to execute a given operation on the tenant.
        Specified by:
        allowTenantOperationAsync in interface AuthorizationProvider
        Parameters:
        tenantName - tenant name
        role - role name
        operation - tenant operation
        authData - authenticated data of the role
        Returns:
        a completable future representing the check result
      • allowNamespaceOperationAsync

        public java.util.concurrent.CompletableFuture<java.lang.Boolean> allowNamespaceOperationAsync​(org.apache.pulsar.common.naming.NamespaceName namespaceName,
                                                                                                      java.lang.String role,
                                                                                                      org.apache.pulsar.common.policies.data.NamespaceOperation operation,
                                                                                                      AuthenticationDataSource authData)
        Description copied from interface: AuthorizationProvider
        Check if a given role is allowed to execute a given operation on the namespace.
        Specified by:
        allowNamespaceOperationAsync in interface AuthorizationProvider
        Parameters:
        namespaceName - namespace name
        role - role name
        operation - namespace operation
        authData - authenticated data
        Returns:
        a completable future representing the check result
      • allowNamespacePolicyOperationAsync

        public java.util.concurrent.CompletableFuture<java.lang.Boolean> allowNamespacePolicyOperationAsync​(org.apache.pulsar.common.naming.NamespaceName namespaceName,
                                                                                                            org.apache.pulsar.common.policies.data.PolicyName policy,
                                                                                                            org.apache.pulsar.common.policies.data.PolicyOperation operation,
                                                                                                            java.lang.String role,
                                                                                                            AuthenticationDataSource authData)
        Description copied from interface: AuthorizationProvider
        Check if a given role is allowed to execute a given policy operation on the namespace.
        Specified by:
        allowNamespacePolicyOperationAsync in interface AuthorizationProvider
        Parameters:
        namespaceName - namespace name
        policy - policy name
        operation - policy operation
        role - role name
        authData - authenticated data
        Returns:
        a completable future representing the check result
      • allowTopicOperationAsync

        public java.util.concurrent.CompletableFuture<java.lang.Boolean> allowTopicOperationAsync​(org.apache.pulsar.common.naming.TopicName topicName,
                                                                                                  java.lang.String role,
                                                                                                  org.apache.pulsar.common.policies.data.TopicOperation operation,
                                                                                                  AuthenticationDataSource authData)
        Description copied from interface: AuthorizationProvider
        Check if a given role is allowed to execute a given topic operation on the topic.
        Specified by:
        allowTopicOperationAsync in interface AuthorizationProvider
        Parameters:
        topicName - topic name
        role - role name
        operation - topic operation
        authData - authenticated data
        Returns:
        CompletableFuture
      • allowTopicPolicyOperationAsync

        public java.util.concurrent.CompletableFuture<java.lang.Boolean> allowTopicPolicyOperationAsync​(org.apache.pulsar.common.naming.TopicName topicName,
                                                                                                        java.lang.String role,
                                                                                                        org.apache.pulsar.common.policies.data.PolicyName policyName,
                                                                                                        org.apache.pulsar.common.policies.data.PolicyOperation policyOperation,
                                                                                                        AuthenticationDataSource authData)
        Description copied from interface: AuthorizationProvider
        Check if a given role is allowed to execute a given topic operation on the topic's policy.
        Specified by:
        allowTopicPolicyOperationAsync in interface AuthorizationProvider
        Parameters:
        topicName - topic name
        role - role name
        policyOperation - topic operation
        authData - authenticated data
        Returns:
        CompletableFuture
      • validateTenantAdminAccess

        public java.util.concurrent.CompletableFuture<java.lang.Boolean> validateTenantAdminAccess​(java.lang.String tenantName,
                                                                                                   java.lang.String role,
                                                                                                   AuthenticationDataSource authData)