PulsarAuthorizationProvider (pulsar-broker-common 2.7.1.5-rc-202105062307 API)

java.lang.Object
- org.apache.pulsar.broker.authorization.PulsarAuthorizationProvider

All Implemented Interfaces:

Closeable, AutoCloseable, AuthorizationProvider
```
public class PulsarAuthorizationProvider
extends Object
implements AuthorizationProvider
```
Default authorization provider that stores authorization policies under local-zookeeper.

Field Summary

Fields
Modifier and Type Field and Description

ServiceConfiguration conf

ConfigurationCacheService configCache

Fields
Modifier and Type	Field and Description
`ServiceConfiguration`	`conf`
`ConfigurationCacheService`	`configCache`

Constructor Summary

Constructors
Constructor and Description
`PulsarAuthorizationProvider()`
`PulsarAuthorizationProvider(ServiceConfiguration conf, ConfigurationCacheService configCache)`

Method Summary

All Methods Instance Methods Concrete Methods
Modifier and Type	Method and Description
`CompletableFuture<Boolean>`	`allowFunctionOpsAsync(org.apache.pulsar.common.naming.NamespaceName namespaceName, String role, AuthenticationDataSource authenticationData)` Allow all function operations with in this namespace
`CompletableFuture<Boolean>`	`allowNamespaceOperationAsync(org.apache.pulsar.common.naming.NamespaceName namespaceName, String role, org.apache.pulsar.common.policies.data.NamespaceOperation operation, AuthenticationDataSource authData)` Check if a given `role` is allowed to execute a given `operation` on the namespace.
`CompletableFuture<Boolean>`	`allowNamespacePolicyOperationAsync(org.apache.pulsar.common.naming.NamespaceName namespaceName, org.apache.pulsar.common.policies.data.PolicyName policy, org.apache.pulsar.common.policies.data.PolicyOperation operation, String role, AuthenticationDataSource authData)` Check if a given `role` is allowed to execute a given policy `operation` on the namespace.
`CompletableFuture<Boolean>`	`allowSinkOpsAsync(org.apache.pulsar.common.naming.NamespaceName namespaceName, String role, AuthenticationDataSource authenticationData)` Allow all sink operations with in this namespace
`CompletableFuture<Boolean>`	`allowSourceOpsAsync(org.apache.pulsar.common.naming.NamespaceName namespaceName, String role, AuthenticationDataSource authenticationData)` Allow all source operations with in this namespace
`CompletableFuture<Boolean>`	`allowTenantOperationAsync(String tenantName, String role, org.apache.pulsar.common.policies.data.TenantOperation operation, AuthenticationDataSource authData)` Check if a given `role` is allowed to execute a given `operation` on the tenant.
`CompletableFuture<Boolean>`	`allowTopicOperationAsync(org.apache.pulsar.common.naming.TopicName topicName, String role, org.apache.pulsar.common.policies.data.TopicOperation operation, AuthenticationDataSource authData)` Check if a given `role` is allowed to execute a given topic `operation` on the topic.
`CompletableFuture<Boolean>`	`canConsumeAsync(org.apache.pulsar.common.naming.TopicName topicName, String role, AuthenticationDataSource authenticationData, String subscription)` Check if the specified role has permission to receive messages from the specified fully qualified topic name.
`CompletableFuture<Boolean>`	`canLookupAsync(org.apache.pulsar.common.naming.TopicName topicName, String role, AuthenticationDataSource authenticationData)` Check whether the specified role can perform a lookup for the specified topic.
`CompletableFuture<Boolean>`	`canProduceAsync(org.apache.pulsar.common.naming.TopicName topicName, String role, AuthenticationDataSource authenticationData)` Check if the specified role has permission to send messages to the specified fully qualified topic name.
`CompletableFuture<Boolean>`	`checkPermission(org.apache.pulsar.common.naming.TopicName topicName, String role, org.apache.pulsar.common.policies.data.AuthAction action)`
`void`	`close()`
`CompletableFuture<Void>`	`grantPermissionAsync(org.apache.pulsar.common.naming.NamespaceName namespaceName, Set<org.apache.pulsar.common.policies.data.AuthAction> actions, String role, String authDataJson)` Grant authorization-action permission on a namespace to the given client
`CompletableFuture<Void>`	`grantPermissionAsync(org.apache.pulsar.common.naming.TopicName topicName, Set<org.apache.pulsar.common.policies.data.AuthAction> actions, String role, String authDataJson)` Grant authorization-action permission on a topic to the given client
`CompletableFuture<Void>`	`grantSubscriptionPermissionAsync(org.apache.pulsar.common.naming.NamespaceName namespace, String subscriptionName, Set<String> roles, String authDataJson)` Grant permission to roles that can access subscription-admin api
`void`	`initialize(ServiceConfiguration conf, ConfigurationCacheService configCache)` Perform initialization for the authorization provider
`CompletableFuture<Void>`	`revokeSubscriptionPermissionAsync(org.apache.pulsar.common.naming.NamespaceName namespace, String subscriptionName, String role, String authDataJson)` Revoke subscription admin-api access for a role

Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface org.apache.pulsar.broker.authorization.AuthorizationProvider
allowNamespaceOperation, allowNamespaceOperation, allowNamespaceOperationAsync, allowNamespacePolicyOperation, allowNamespacePolicyOperation, allowNamespacePolicyOperationAsync, allowTenantOperation, allowTenantOperation, allowTenantOperationAsync, allowTopicOperation, allowTopicOperation, allowTopicOperationAsync, isSuperUser, isSuperUser, isTenantAdmin

Field Detail

conf
```
public ServiceConfiguration conf
```

configCache

public ConfigurationCacheService configCache

Constructor Detail

PulsarAuthorizationProvider
```
public PulsarAuthorizationProvider()
```

PulsarAuthorizationProvider

public PulsarAuthorizationProvider(ServiceConfiguration conf,
                                   ConfigurationCacheService configCache)
                            throws IOException

Throws:: IOException

Method Detail

initialize
```
public void initialize(ServiceConfiguration conf,
                       ConfigurationCacheService configCache)
                throws IOException
```
Description copied from interface: AuthorizationProvider

Perform initialization for the authorization provider

Specified by:

initialize in interface AuthorizationProvider

Parameters:

conf - broker config object

configCache - pulsar zk configuration cache service

Throws:

IOException - if the initialization fails

canProduceAsync

public CompletableFuture<Boolean> canProduceAsync(org.apache.pulsar.common.naming.TopicName topicName,
                                                  String role,
                                                  AuthenticationDataSource authenticationData)

Check if the specified role has permission to send messages to the specified fully qualified topic name.

Specified by:: canProduceAsync in interface AuthorizationProvider
Parameters:: topicName - the fully qualified topic name associated with the topic.; role - the app id used to send messages to the topic.

canConsumeAsync

public CompletableFuture<Boolean> canConsumeAsync(org.apache.pulsar.common.naming.TopicName topicName,
                                                  String role,
                                                  AuthenticationDataSource authenticationData,
                                                  String subscription)

Check if the specified role has permission to receive messages from the specified fully qualified topic name.

Specified by:: canConsumeAsync in interface AuthorizationProvider
Parameters:: topicName - the fully qualified topic name associated with the topic.; role - the app id used to receive messages from the topic.; subscription - the subscription name defined by the client

canLookupAsync

public CompletableFuture<Boolean> canLookupAsync(org.apache.pulsar.common.naming.TopicName topicName,
                                                 String role,
                                                 AuthenticationDataSource authenticationData)

Check whether the specified role can perform a lookup for the specified topic. For that the caller needs to have producer or consumer permission.

Specified by:: canLookupAsync in interface AuthorizationProvider
Parameters:: topicName -; role -
Returns:
Throws:: Exception

allowFunctionOpsAsync
```
public CompletableFuture<Boolean> allowFunctionOpsAsync(org.apache.pulsar.common.naming.NamespaceName namespaceName,
                                                        String role,
                                                        AuthenticationDataSource authenticationData)
```
Description copied from interface: AuthorizationProvider

Allow all function operations with in this namespace

Specified by:

allowFunctionOpsAsync in interface AuthorizationProvider

Parameters:

namespaceName - The namespace that the function operations can be executed in

role - The role to check

authenticationData - authentication data related to the role

Returns:

a boolean to determine whether authorized or not

allowSourceOpsAsync
```
public CompletableFuture<Boolean> allowSourceOpsAsync(org.apache.pulsar.common.naming.NamespaceName namespaceName,
                                                      String role,
                                                      AuthenticationDataSource authenticationData)
```
Description copied from interface: AuthorizationProvider

Allow all source operations with in this namespace

Specified by:

allowSourceOpsAsync in interface AuthorizationProvider

Parameters:

namespaceName - The namespace that the sources operations can be executed in

role - The role to check

authenticationData - authentication data related to the role

Returns:

a boolean to determine whether authorized or not

allowSinkOpsAsync
```
public CompletableFuture<Boolean> allowSinkOpsAsync(org.apache.pulsar.common.naming.NamespaceName namespaceName,
                                                    String role,
                                                    AuthenticationDataSource authenticationData)
```
Description copied from interface: AuthorizationProvider

Allow all sink operations with in this namespace

Specified by:

allowSinkOpsAsync in interface AuthorizationProvider

Parameters:

namespaceName - The namespace that the sink operations can be executed in

role - The role to check

authenticationData - authentication data related to the role

Returns:

a boolean to determine whether authorized or not

grantPermissionAsync

public CompletableFuture<Void> grantPermissionAsync(org.apache.pulsar.common.naming.TopicName topicName,
                                                    Set<org.apache.pulsar.common.policies.data.AuthAction> actions,
                                                    String role,
                                                    String authDataJson)

Description copied from interface: AuthorizationProvider

Grant authorization-action permission on a topic to the given client

Specified by:: grantPermissionAsync in interface AuthorizationProvider; authDataJson - additional authdata in json format
Returns:: CompletableFuture

grantPermissionAsync

public CompletableFuture<Void> grantPermissionAsync(org.apache.pulsar.common.naming.NamespaceName namespaceName,
                                                    Set<org.apache.pulsar.common.policies.data.AuthAction> actions,
                                                    String role,
                                                    String authDataJson)

Description copied from interface: AuthorizationProvider

Grant authorization-action permission on a namespace to the given client

Specified by:: grantPermissionAsync in interface AuthorizationProvider; authDataJson - additional authdata in json format
Returns:: CompletableFuture

grantSubscriptionPermissionAsync

public CompletableFuture<Void> grantSubscriptionPermissionAsync(org.apache.pulsar.common.naming.NamespaceName namespace,
                                                                String subscriptionName,
                                                                Set<String> roles,
                                                                String authDataJson)

Description copied from interface: AuthorizationProvider

Grant permission to roles that can access subscription-admin api

Specified by:: grantSubscriptionPermissionAsync in interface AuthorizationProvider; authDataJson - additional authdata in json format
Returns:

revokeSubscriptionPermissionAsync

public CompletableFuture<Void> revokeSubscriptionPermissionAsync(org.apache.pulsar.common.naming.NamespaceName namespace,
                                                                 String subscriptionName,
                                                                 String role,
                                                                 String authDataJson)

Description copied from interface: AuthorizationProvider

Revoke subscription admin-api access for a role

Specified by:: revokeSubscriptionPermissionAsync in interface AuthorizationProvider
Returns:

checkPermission

public CompletableFuture<Boolean> checkPermission(org.apache.pulsar.common.naming.TopicName topicName,
                                                  String role,
                                                  org.apache.pulsar.common.policies.data.AuthAction action)

close
```
public void close()
           throws IOException
```
Specified by:

close in interface Closeable

Specified by:

close in interface AutoCloseable

Throws:

IOException

allowTenantOperationAsync

public CompletableFuture<Boolean> allowTenantOperationAsync(String tenantName,
                                                            String role,
                                                            org.apache.pulsar.common.policies.data.TenantOperation operation,
                                                            AuthenticationDataSource authData)

Description copied from interface: AuthorizationProvider

Check if a given role is allowed to execute a given operation on the tenant.

Specified by:: allowTenantOperationAsync in interface AuthorizationProvider
Parameters:: tenantName - tenant name; role - role name; operation - tenant operation; authData - authenticated data of the role
Returns:: a completable future represents check result

allowNamespaceOperationAsync

public CompletableFuture<Boolean> allowNamespaceOperationAsync(org.apache.pulsar.common.naming.NamespaceName namespaceName,
                                                               String role,
                                                               org.apache.pulsar.common.policies.data.NamespaceOperation operation,
                                                               AuthenticationDataSource authData)

Description copied from interface: AuthorizationProvider

Check if a given role is allowed to execute a given operation on the namespace.

Specified by:: allowNamespaceOperationAsync in interface AuthorizationProvider
Parameters:: namespaceName - namespace name; role - role name; operation - namespace operation; authData - authenticated data
Returns:: a completable future represents check result

allowNamespacePolicyOperationAsync

public CompletableFuture<Boolean> allowNamespacePolicyOperationAsync(org.apache.pulsar.common.naming.NamespaceName namespaceName,
                                                                     org.apache.pulsar.common.policies.data.PolicyName policy,
                                                                     org.apache.pulsar.common.policies.data.PolicyOperation operation,
                                                                     String role,
                                                                     AuthenticationDataSource authData)

Description copied from interface: AuthorizationProvider

Check if a given role is allowed to execute a given policy operation on the namespace.

Specified by:: allowNamespacePolicyOperationAsync in interface AuthorizationProvider
Parameters:: namespaceName - namespace name; policy - policy name; operation - policy operation; role - role name; authData - authenticated data
Returns:: a completable future represents check result

allowTopicOperationAsync

public CompletableFuture<Boolean> allowTopicOperationAsync(org.apache.pulsar.common.naming.TopicName topicName,
                                                           String role,
                                                           org.apache.pulsar.common.policies.data.TopicOperation operation,
                                                           AuthenticationDataSource authData)

Description copied from interface: AuthorizationProvider

Check if a given role is allowed to execute a given topic operation on the topic.

Specified by:: allowTopicOperationAsync in interface AuthorizationProvider
Parameters:: topicName - topic name; role - role name; operation - topic operation; authData - authenticated data
Returns:: CompletableFuture

Class PulsarAuthorizationProvider

Field Summary

Constructor Summary

Method Summary

Methods inherited from class java.lang.Object

Methods inherited from interface org.apache.pulsar.broker.authorization.AuthorizationProvider

Field Detail

conf

configCache

Constructor Detail

PulsarAuthorizationProvider

PulsarAuthorizationProvider

Method Detail

initialize

canProduceAsync

canConsumeAsync

canLookupAsync

allowFunctionOpsAsync

allowSourceOpsAsync

allowSinkOpsAsync

grantPermissionAsync

grantPermissionAsync

grantSubscriptionPermissionAsync

revokeSubscriptionPermissionAsync

checkPermission

close

allowTenantOperationAsync

allowNamespaceOperationAsync

allowNamespacePolicyOperationAsync

allowTopicOperationAsync