Class PulsarAuthorizationProvider
java.lang.Object
org.apache.pulsar.broker.authorization.PulsarAuthorizationProvider
- All Implemented Interfaces:
Closeable, AutoCloseable, AuthorizationProvider
- Direct Known Subclasses:
MultiRolesTokenAuthorizationProvider
Default authorization provider that stores authorization policies under local-zookeeper.
Field Summary
Fields:
- conf
- pulsarResources

Constructor Summary
Constructors:
- PulsarAuthorizationProvider()
- PulsarAuthorizationProvider(ServiceConfiguration conf, PulsarResources resources)
Method Summary
Modifier and Type, Method, Description:
- CompletableFuture<Boolean> allowFunctionOpsAsync(org.apache.pulsar.common.naming.NamespaceName namespaceName, String role, AuthenticationDataSource authenticationData): Allow all function operations within this namespace.
- CompletableFuture<Boolean> allowNamespaceOperationAsync(org.apache.pulsar.common.naming.NamespaceName namespaceName, String role, org.apache.pulsar.common.policies.data.NamespaceOperation operation, AuthenticationDataSource authData): Check if a given role is allowed to execute a given operation on the namespace.
- CompletableFuture<Boolean> allowNamespacePolicyOperationAsync(org.apache.pulsar.common.naming.NamespaceName namespaceName, org.apache.pulsar.common.policies.data.PolicyName policy, org.apache.pulsar.common.policies.data.PolicyOperation operation, String role, AuthenticationDataSource authData): Check if a given role is allowed to execute a given policy operation on the namespace.
- CompletableFuture<Boolean> allowSinkOpsAsync(org.apache.pulsar.common.naming.NamespaceName namespaceName, String role, AuthenticationDataSource authenticationData): Allow all sink operations within this namespace.
- CompletableFuture<Boolean> allowSourceOpsAsync(org.apache.pulsar.common.naming.NamespaceName namespaceName, String role, AuthenticationDataSource authenticationData): Allow all source operations within this namespace.
- CompletableFuture<Boolean> allowTenantOperationAsync(String tenantName, String role, org.apache.pulsar.common.policies.data.TenantOperation operation, AuthenticationDataSource authData): Check if a given role is allowed to execute a given operation on the tenant.
- CompletableFuture<Boolean> allowTopicOperationAsync(org.apache.pulsar.common.naming.TopicName topicName, String role, org.apache.pulsar.common.policies.data.TopicOperation operation, AuthenticationDataSource authData): Check if a given role is allowed to execute a given topic operation on the topic.
- CompletableFuture<Boolean> allowTopicPolicyOperationAsync(org.apache.pulsar.common.naming.TopicName topicName, String role, org.apache.pulsar.common.policies.data.PolicyName policyName, org.apache.pulsar.common.policies.data.PolicyOperation policyOperation, AuthenticationDataSource authData): Check if a given role is allowed to execute a given topic operation on the topic's policy.
- CompletableFuture<Boolean> canConsumeAsync(org.apache.pulsar.common.naming.TopicName topicName, String role, AuthenticationDataSource authenticationData, String subscription): Check if the specified role has permission to receive messages from the specified fully qualified topic name.
- CompletableFuture<Boolean> canLookupAsync(org.apache.pulsar.common.naming.TopicName topicName, String role, AuthenticationDataSource authenticationData): Check whether the specified role can perform a lookup for the specified topic.
- CompletableFuture<Boolean> canProduceAsync(org.apache.pulsar.common.naming.TopicName topicName, String role, AuthenticationDataSource authenticationData): Check if the specified role has permission to send messages to the specified fully qualified topic name.
- CompletableFuture<Boolean> checkPermission(org.apache.pulsar.common.naming.TopicName topicName, String role, org.apache.pulsar.common.policies.data.AuthAction action)
- void close()
- CompletableFuture<Void> grantPermissionAsync(org.apache.pulsar.common.naming.NamespaceName namespaceName, Set<org.apache.pulsar.common.policies.data.AuthAction> actions, String role, String authDataJson): Grant authorization-action permission on a namespace to the given client.
- CompletableFuture<Void> grantPermissionAsync(org.apache.pulsar.common.naming.TopicName topicName, Set<org.apache.pulsar.common.policies.data.AuthAction> actions, String role, String authDataJson): Grant authorization-action permission on a topic to the given client.
- CompletableFuture<Void> grantSubscriptionPermissionAsync(org.apache.pulsar.common.naming.NamespaceName namespace, String subscriptionName, Set<String> roles, String authDataJson): Grant permission to roles that can access the subscription-admin API.
- void initialize(ServiceConfiguration conf, PulsarResources pulsarResources): Perform initialization for the authorization provider.
- CompletableFuture<Void> revokeSubscriptionPermissionAsync(org.apache.pulsar.common.naming.NamespaceName namespace, String subscriptionName, String role, String authDataJson): Revoke subscription admin-API access for a role.
- CompletableFuture<Boolean> validateTenantAdminAccess(String tenantName, String role, AuthenticationDataSource authData)

Methods inherited from class java.lang.Object:
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface org.apache.pulsar.broker.authorization.AuthorizationProvider:
allowNamespaceOperation, allowNamespaceOperation, allowNamespaceOperationAsync, allowNamespacePolicyOperation, allowNamespacePolicyOperation, allowNamespacePolicyOperationAsync, allowTenantOperation, allowTenantOperation, allowTenantOperationAsync, allowTopicOperation, allowTopicOperation, allowTopicOperationAsync, allowTopicPolicyOperation, initialize, isSuperUser, isSuperUser, isTenantAdmin
Field Details
- conf
- pulsarResources
Constructor Details

PulsarAuthorizationProvider
public PulsarAuthorizationProvider()

PulsarAuthorizationProvider
public PulsarAuthorizationProvider(ServiceConfiguration conf, PulsarResources resources) throws IOException
Throws:
- IOException
Method Details

initialize
public void initialize(ServiceConfiguration conf, PulsarResources pulsarResources) throws IOException
Description copied from interface: AuthorizationProvider
Perform initialization for the authorization provider.
Specified by: initialize in interface AuthorizationProvider
Parameters:
- conf - broker config object
- pulsarResources - Resources component for access to metadata
Throws:
- IOException - if the initialization fails
canProduceAsync
public CompletableFuture<Boolean> canProduceAsync(org.apache.pulsar.common.naming.TopicName topicName, String role, AuthenticationDataSource authenticationData)
Check if the specified role has permission to send messages to the specified fully qualified topic name.
Specified by: canProduceAsync in interface AuthorizationProvider
Parameters:
- topicName - the fully qualified topic name associated with the topic.
- role - the app id used to send messages to the topic.
canConsumeAsync
public CompletableFuture<Boolean> canConsumeAsync(org.apache.pulsar.common.naming.TopicName topicName, String role, AuthenticationDataSource authenticationData, String subscription)
Check if the specified role has permission to receive messages from the specified fully qualified topic name.
Specified by: canConsumeAsync in interface AuthorizationProvider
Parameters:
- topicName - the fully qualified topic name associated with the topic.
- role - the app id used to receive messages from the topic.
- subscription - the subscription name defined by the client
canLookupAsync
public CompletableFuture<Boolean> canLookupAsync(org.apache.pulsar.common.naming.TopicName topicName, String role, AuthenticationDataSource authenticationData)
Check whether the specified role can perform a lookup for the specified topic. For that, the caller needs to have producer or consumer permission.
Specified by: canLookupAsync in interface AuthorizationProvider
Parameters:
- topicName
- role
Throws:
- Exception
allowFunctionOpsAsync
public CompletableFuture<Boolean> allowFunctionOpsAsync(org.apache.pulsar.common.naming.NamespaceName namespaceName, String role, AuthenticationDataSource authenticationData)
Description copied from interface: AuthorizationProvider
Allow all function operations within this namespace.
Specified by: allowFunctionOpsAsync in interface AuthorizationProvider
Parameters:
- namespaceName - The namespace that the function operations can be executed in
- role - The role to check
- authenticationData - authentication data related to the role
Returns: a boolean to determine whether authorized or not
allowSourceOpsAsync
public CompletableFuture<Boolean> allowSourceOpsAsync(org.apache.pulsar.common.naming.NamespaceName namespaceName, String role, AuthenticationDataSource authenticationData)
Description copied from interface: AuthorizationProvider
Allow all source operations within this namespace.
Specified by: allowSourceOpsAsync in interface AuthorizationProvider
Parameters:
- namespaceName - The namespace that the source operations can be executed in
- role - The role to check
- authenticationData - authentication data related to the role
Returns: a boolean to determine whether authorized or not
allowSinkOpsAsync
public CompletableFuture<Boolean> allowSinkOpsAsync(org.apache.pulsar.common.naming.NamespaceName namespaceName, String role, AuthenticationDataSource authenticationData)
Description copied from interface: AuthorizationProvider
Allow all sink operations within this namespace.
Specified by: allowSinkOpsAsync in interface AuthorizationProvider
Parameters:
- namespaceName - The namespace that the sink operations can be executed in
- role - The role to check
- authenticationData - authentication data related to the role
Returns: a boolean to determine whether authorized or not
grantPermissionAsync
public CompletableFuture<Void> grantPermissionAsync(org.apache.pulsar.common.naming.TopicName topicName, Set<org.apache.pulsar.common.policies.data.AuthAction> actions, String role, String authDataJson)
Description copied from interface: AuthorizationProvider
Grant authorization-action permission on a topic to the given client.
NOTE: this used to complete with IllegalArgumentException when the namespace was not found, or with IllegalStateException when granting the permission failed. That behavior is now deprecated; use the appropriate MetadataStoreException instead.
Specified by: grantPermissionAsync in interface AuthorizationProvider
Parameters:
- authDataJson - additional authdata in json format
Returns: CompletableFuture
grantPermissionAsync
public CompletableFuture<Void> grantPermissionAsync(org.apache.pulsar.common.naming.NamespaceName namespaceName, Set<org.apache.pulsar.common.policies.data.AuthAction> actions, String role, String authDataJson)
Description copied from interface: AuthorizationProvider
Grant authorization-action permission on a namespace to the given client.
NOTE: this used to complete with IllegalArgumentException when the namespace was not found, or with IllegalStateException when granting the permission failed. That behavior is now deprecated; use the appropriate MetadataStoreException instead.
Specified by: grantPermissionAsync in interface AuthorizationProvider
Parameters:
- authDataJson - additional authdata in json format
Returns: CompletableFuture
grantSubscriptionPermissionAsync
public CompletableFuture<Void> grantSubscriptionPermissionAsync(org.apache.pulsar.common.naming.NamespaceName namespace, String subscriptionName, Set<String> roles, String authDataJson)
Description copied from interface: AuthorizationProvider
Grant permission to roles that can access the subscription-admin API.
Specified by: grantSubscriptionPermissionAsync in interface AuthorizationProvider
Parameters:
- authDataJson - additional authdata in json format
revokeSubscriptionPermissionAsync
public CompletableFuture<Void> revokeSubscriptionPermissionAsync(org.apache.pulsar.common.naming.NamespaceName namespace, String subscriptionName, String role, String authDataJson)
Description copied from interface: AuthorizationProvider
Revoke subscription admin-API access for a role.
Specified by: revokeSubscriptionPermissionAsync in interface AuthorizationProvider
checkPermission
public CompletableFuture<Boolean> checkPermission(org.apache.pulsar.common.naming.TopicName topicName, String role, org.apache.pulsar.common.policies.data.AuthAction action)

close
public void close() throws IOException
Specified by: close in interface AutoCloseable
Specified by: close in interface Closeable
Throws:
- IOException
allowTenantOperationAsync
public CompletableFuture<Boolean> allowTenantOperationAsync(String tenantName, String role, org.apache.pulsar.common.policies.data.TenantOperation operation, AuthenticationDataSource authData)
Description copied from interface: AuthorizationProvider
Check if a given role is allowed to execute a given operation on the tenant.
Specified by: allowTenantOperationAsync in interface AuthorizationProvider
Parameters:
- tenantName - tenant name
- role - role name
- operation - tenant operation
- authData - authenticated data of the role
Returns: a completable future that represents the check result
allowNamespaceOperationAsync
public CompletableFuture<Boolean> allowNamespaceOperationAsync(org.apache.pulsar.common.naming.NamespaceName namespaceName, String role, org.apache.pulsar.common.policies.data.NamespaceOperation operation, AuthenticationDataSource authData)
Description copied from interface: AuthorizationProvider
Check if a given role is allowed to execute a given operation on the namespace.
Specified by: allowNamespaceOperationAsync in interface AuthorizationProvider
Parameters:
- namespaceName - namespace name
- role - role name
- operation - namespace operation
- authData - authenticated data
Returns: a completable future that represents the check result
allowNamespacePolicyOperationAsync
public CompletableFuture<Boolean> allowNamespacePolicyOperationAsync(org.apache.pulsar.common.naming.NamespaceName namespaceName, org.apache.pulsar.common.policies.data.PolicyName policy, org.apache.pulsar.common.policies.data.PolicyOperation operation, String role, AuthenticationDataSource authData)
Description copied from interface: AuthorizationProvider
Check if a given role is allowed to execute a given policy operation on the namespace.
Specified by: allowNamespacePolicyOperationAsync in interface AuthorizationProvider
Parameters:
- namespaceName - namespace name
- policy - policy name
- operation - policy operation
- role - role name
- authData - authenticated data
Returns: a completable future that represents the check result
allowTopicOperationAsync
public CompletableFuture<Boolean> allowTopicOperationAsync(org.apache.pulsar.common.naming.TopicName topicName, String role, org.apache.pulsar.common.policies.data.TopicOperation operation, AuthenticationDataSource authData)
Description copied from interface: AuthorizationProvider
Check if a given role is allowed to execute a given topic operation on the topic.
Specified by: allowTopicOperationAsync in interface AuthorizationProvider
Parameters:
- topicName - topic name
- role - role name
- operation - topic operation
- authData - authenticated data
Returns: CompletableFuture
allowTopicPolicyOperationAsync
public CompletableFuture<Boolean> allowTopicPolicyOperationAsync(org.apache.pulsar.common.naming.TopicName topicName, String role, org.apache.pulsar.common.policies.data.PolicyName policyName, org.apache.pulsar.common.policies.data.PolicyOperation policyOperation, AuthenticationDataSource authData)
Description copied from interface: AuthorizationProvider
Check if a given role is allowed to execute a given topic operation on the topic's policy.
Specified by: allowTopicPolicyOperationAsync in interface AuthorizationProvider
Parameters:
- topicName - topic name
- role - role name
- policyOperation - topic operation
- authData - authenticated data
Returns: CompletableFuture
validateTenantAdminAccess
public CompletableFuture<Boolean> validateTenantAdminAccess(String tenantName, String role, AuthenticationDataSource authData)