Package org.apache.pulsar.broker.authorization

Class MultiRolesTokenAuthorizationProvider

java.lang.Object

org.apache.pulsar.broker.authorization.PulsarAuthorizationProvider

org.apache.pulsar.broker.authorization.MultiRolesTokenAuthorizationProvider

All Implemented Interfaces:

Closeable, AutoCloseable, AuthorizationProvider

public class MultiRolesTokenAuthorizationProvider
extends PulsarAuthorizationProvider

Field Summary

Fields inherited from class org.apache.pulsar.broker.authorization.PulsarAuthorizationProvider

conf, pulsarResources

Constructor Summary

Constructors

Constructor	Description
MultiRolesTokenAuthorizationProvider()

Method Summary

Modifier and Type	Method	Description
CompletableFuture<Boolean>	allowFunctionOpsAsync(org.apache.pulsar.common.naming.NamespaceName namespaceName, String role, AuthenticationDataSource authenticationData)	Allow all function operations with in this namespace.
CompletableFuture<Boolean>	allowNamespaceOperationAsync(org.apache.pulsar.common.naming.NamespaceName namespaceName, String role, org.apache.pulsar.common.policies.data.NamespaceOperation operation, AuthenticationDataSource authData)	Check if a given role is allowed to execute a given operation on the namespace.
CompletableFuture<Boolean>	allowNamespacePolicyOperationAsync(org.apache.pulsar.common.naming.NamespaceName namespaceName, org.apache.pulsar.common.policies.data.PolicyName policy, org.apache.pulsar.common.policies.data.PolicyOperation operation, String role, AuthenticationDataSource authData)	Check if a given role is allowed to execute a given policy operation on the namespace.
CompletableFuture<Boolean>	allowSinkOpsAsync(org.apache.pulsar.common.naming.NamespaceName namespaceName, String role, AuthenticationDataSource authenticationData)	Allow all sink operations with in this namespace.
CompletableFuture<Boolean>	allowSourceOpsAsync(org.apache.pulsar.common.naming.NamespaceName namespaceName, String role, AuthenticationDataSource authenticationData)	Allow all source operations with in this namespace.
CompletableFuture<Boolean>	allowTenantOperationAsync(String tenantName, String role, org.apache.pulsar.common.policies.data.TenantOperation operation, AuthenticationDataSource authData)	Check if a given role is allowed to execute a given operation on the tenant.
CompletableFuture<Boolean>	allowTopicOperationAsync(org.apache.pulsar.common.naming.TopicName topicName, String role, org.apache.pulsar.common.policies.data.TopicOperation operation, AuthenticationDataSource authData)	Check if a given role is allowed to execute a given topic operation on the topic.
CompletableFuture<Boolean>	allowTopicPolicyOperationAsync(org.apache.pulsar.common.naming.TopicName topicName, String role, org.apache.pulsar.common.policies.data.PolicyName policyName, org.apache.pulsar.common.policies.data.PolicyOperation policyOperation, AuthenticationDataSource authData)	Check if a given role is allowed to execute a given topic operation on topic's policy.
CompletableFuture<Boolean>	authorize(String role, AuthenticationDataSource authenticationData, Function<String,CompletableFuture<Boolean>> authorizeFunc)
CompletableFuture<Boolean>	canConsumeAsync(org.apache.pulsar.common.naming.TopicName topicName, String role, AuthenticationDataSource authenticationData, String subscription)	Check if the specified role has permission to receive messages from the specified fully qualified topic name.
CompletableFuture<Boolean>	canLookupAsync(org.apache.pulsar.common.naming.TopicName topicName, String role, AuthenticationDataSource authenticationData)	Check whether the specified role can perform a lookup for the specified topic.
CompletableFuture<Boolean>	canProduceAsync(org.apache.pulsar.common.naming.TopicName topicName, String role, AuthenticationDataSource authenticationData)	Check if the specified role has permission to send messages to the specified fully qualified topic name.
void	initialize(ServiceConfiguration conf, PulsarResources pulsarResources)	Perform initialization for the authorization provider.
CompletableFuture<Boolean>	isSuperUser(String role, AuthenticationDataSource authenticationData, ServiceConfiguration serviceConfiguration)	Check if specified role is a super user.
CompletableFuture<Boolean>	validateTenantAdminAccess(String tenantName, String role, AuthenticationDataSource authData)

Methods inherited from class org.apache.pulsar.broker.authorization.PulsarAuthorizationProvider

checkPermission, close, grantPermissionAsync, grantPermissionAsync, grantSubscriptionPermissionAsync, revokeSubscriptionPermissionAsync

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface org.apache.pulsar.broker.authorization.AuthorizationProvider

allowNamespaceOperation, allowNamespaceOperation, allowNamespaceOperationAsync, allowNamespacePolicyOperation, allowNamespacePolicyOperation, allowNamespacePolicyOperationAsync, allowTenantOperation, allowTenantOperation, allowTenantOperationAsync, allowTopicOperation, allowTopicOperation, allowTopicOperationAsync, allowTopicPolicyOperation, initialize, isSuperUser, isTenantAdmin

Constructor Details

MultiRolesTokenAuthorizationProvider

public MultiRolesTokenAuthorizationProvider()

Method Details

initialize

public void initialize(ServiceConfiguration conf,
 PulsarResources pulsarResources)
                throws IOException

Description copied from interface: AuthorizationProvider

Perform initialization for the authorization provider.

Specified by:

initialize in interface AuthorizationProvider

Overrides:

initialize in class PulsarAuthorizationProvider

Parameters:

conf - broker config object

pulsarResources - Resources component for access to metadata

Throws:

IOException - if the initialization fails

isSuperUser

public CompletableFuture<Boolean> isSuperUser(String role,
 AuthenticationDataSource authenticationData,
 ServiceConfiguration serviceConfiguration)

Description copied from interface: AuthorizationProvider

Check if specified role is a super user.

Parameters:

role - the role to check

authenticationData - authentication data related to the role

Returns:

a CompletableFuture containing a boolean in which true means the role is a super user and false if it is not

validateTenantAdminAccess

public CompletableFuture<Boolean> validateTenantAdminAccess(String tenantName,
 String role,
 AuthenticationDataSource authData)

Overrides:

validateTenantAdminAccess in class PulsarAuthorizationProvider

authorize

public CompletableFuture<Boolean> authorize(String role,
 AuthenticationDataSource authenticationData,
 Function<String,CompletableFuture<Boolean>> authorizeFunc)

canProduceAsync

public CompletableFuture<Boolean> canProduceAsync(org.apache.pulsar.common.naming.TopicName topicName,
 String role,
 AuthenticationDataSource authenticationData)

Check if the specified role has permission to send messages to the specified fully qualified topic name.

Specified by:

canProduceAsync in interface AuthorizationProvider

Overrides:

canProduceAsync in class PulsarAuthorizationProvider

Parameters:

topicName - the fully qualified topic name associated with the topic.

role - the app id used to send messages to the topic.

canConsumeAsync

public CompletableFuture<Boolean> canConsumeAsync(org.apache.pulsar.common.naming.TopicName topicName,
 String role,
 AuthenticationDataSource authenticationData,
 String subscription)

Check if the specified role has permission to receive messages from the specified fully qualified topic name.

Specified by:

canConsumeAsync in interface AuthorizationProvider

Overrides:

canConsumeAsync in class PulsarAuthorizationProvider

Parameters:

topicName - the fully qualified topic name associated with the topic.

role - the app id used to receive messages from the topic.

subscription - the subscription name defined by the client

canLookupAsync

public CompletableFuture<Boolean> canLookupAsync(org.apache.pulsar.common.naming.TopicName topicName,
 String role,
 AuthenticationDataSource authenticationData)

Check whether the specified role can perform a lookup for the specified topic.

For that the caller needs to have producer or consumer permission.

Specified by:

canLookupAsync in interface AuthorizationProvider

Overrides:

canLookupAsync in class PulsarAuthorizationProvider

Parameters:

topicName -

role -

Returns:

Throws:

Exception

allowFunctionOpsAsync

public CompletableFuture<Boolean> allowFunctionOpsAsync(org.apache.pulsar.common.naming.NamespaceName namespaceName,
 String role,
 AuthenticationDataSource authenticationData)

Description copied from interface: AuthorizationProvider

Allow all function operations with in this namespace.

Specified by:

allowFunctionOpsAsync in interface AuthorizationProvider

Overrides:

allowFunctionOpsAsync in class PulsarAuthorizationProvider

Parameters:

namespaceName - The namespace that the function operations can be executed in

role - The role to check

authenticationData - authentication data related to the role

Returns:

a boolean to determine whether authorized or not

allowSourceOpsAsync

public CompletableFuture<Boolean> allowSourceOpsAsync(org.apache.pulsar.common.naming.NamespaceName namespaceName,
 String role,
 AuthenticationDataSource authenticationData)

Description copied from interface: AuthorizationProvider

Allow all source operations with in this namespace.

Specified by:

allowSourceOpsAsync in interface AuthorizationProvider

Overrides:

allowSourceOpsAsync in class PulsarAuthorizationProvider

Parameters:

namespaceName - The namespace that the sources operations can be executed in

role - The role to check

authenticationData - authentication data related to the role

Returns:

a boolean to determine whether authorized or not

allowSinkOpsAsync

public CompletableFuture<Boolean> allowSinkOpsAsync(org.apache.pulsar.common.naming.NamespaceName namespaceName,
 String role,
 AuthenticationDataSource authenticationData)

Description copied from interface: AuthorizationProvider

Allow all sink operations with in this namespace.

Specified by:

allowSinkOpsAsync in interface AuthorizationProvider

Overrides:

allowSinkOpsAsync in class PulsarAuthorizationProvider

Parameters:

namespaceName - The namespace that the sink operations can be executed in

role - The role to check

authenticationData - authentication data related to the role

Returns:

a boolean to determine whether authorized or not

allowTenantOperationAsync

public CompletableFuture<Boolean> allowTenantOperationAsync(String tenantName,
 String role,
 org.apache.pulsar.common.policies.data.TenantOperation operation,
 AuthenticationDataSource authData)

Description copied from interface: AuthorizationProvider

Check if a given role is allowed to execute a given operation on the tenant.

Specified by:

allowTenantOperationAsync in interface AuthorizationProvider

Overrides:

allowTenantOperationAsync in class PulsarAuthorizationProvider

Parameters:

tenantName - tenant name

role - role name

operation - tenant operation

authData - authenticated data of the role

Returns:

a completable future represents check result

allowNamespaceOperationAsync

public CompletableFuture<Boolean> allowNamespaceOperationAsync(org.apache.pulsar.common.naming.NamespaceName namespaceName,
 String role,
 org.apache.pulsar.common.policies.data.NamespaceOperation operation,
 AuthenticationDataSource authData)

Description copied from interface: AuthorizationProvider

Check if a given role is allowed to execute a given operation on the namespace.

Specified by:

allowNamespaceOperationAsync in interface AuthorizationProvider

Overrides:

allowNamespaceOperationAsync in class PulsarAuthorizationProvider

Parameters:

namespaceName - namespace name

role - role name

operation - namespace operation

authData - authenticated data

Returns:

a completable future represents check result

allowNamespacePolicyOperationAsync

public CompletableFuture<Boolean> allowNamespacePolicyOperationAsync(org.apache.pulsar.common.naming.NamespaceName namespaceName,
 org.apache.pulsar.common.policies.data.PolicyName policy,
 org.apache.pulsar.common.policies.data.PolicyOperation operation,
 String role,
 AuthenticationDataSource authData)

Description copied from interface: AuthorizationProvider

Check if a given role is allowed to execute a given policy operation on the namespace.

Specified by:

allowNamespacePolicyOperationAsync in interface AuthorizationProvider

Overrides:

allowNamespacePolicyOperationAsync in class PulsarAuthorizationProvider

Parameters:

namespaceName - namespace name

policy - policy name

operation - policy operation

role - role name

authData - authenticated data

Returns:

a completable future represents check result

allowTopicOperationAsync

public CompletableFuture<Boolean> allowTopicOperationAsync(org.apache.pulsar.common.naming.TopicName topicName,
 String role,
 org.apache.pulsar.common.policies.data.TopicOperation operation,
 AuthenticationDataSource authData)

Description copied from interface: AuthorizationProvider

Check if a given role is allowed to execute a given topic operation on the topic.

Specified by:

allowTopicOperationAsync in interface AuthorizationProvider

Overrides:

allowTopicOperationAsync in class PulsarAuthorizationProvider

Parameters:

topicName - topic name

role - role name

operation - topic operation

authData - authenticated data

Returns:

CompletableFuture

allowTopicPolicyOperationAsync

public CompletableFuture<Boolean> allowTopicPolicyOperationAsync(org.apache.pulsar.common.naming.TopicName topicName,
 String role,
 org.apache.pulsar.common.policies.data.PolicyName policyName,
 org.apache.pulsar.common.policies.data.PolicyOperation policyOperation,
 AuthenticationDataSource authData)

Description copied from interface: AuthorizationProvider

Check if a given role is allowed to execute a given topic operation on topic's policy.

Specified by:

allowTopicPolicyOperationAsync in interface AuthorizationProvider

Overrides:

allowTopicPolicyOperationAsync in class PulsarAuthorizationProvider

Parameters:

topicName - topic name

role - role name

policyOperation - topic operation

authData - authenticated data

Returns:

CompletableFuture