Posted to commits@pulsar.apache.org by GitBox <gi...@apache.org> on 2018/01/10 18:26:27 UTC

[GitHub] merlimat commented on a change in pull request #899: Add subscription auth mode by prefix

merlimat commented on a change in pull request #899: Add subscription auth mode by prefix
URL: https://github.com/apache/incubator-pulsar/pull/899#discussion_r160759821
 
 

 ##########
 File path: pulsar-broker-common/src/main/java/org/apache/pulsar/broker/authorization/AuthorizationManager.java
 ##########
 @@ -78,14 +79,54 @@ public boolean canProduce(DestinationName destination, String role) throws Excep
      *            the fully qualified destination name associated with the destination.
      * @param role
      *            the app id used to receive messages from the destination.
+     * @param subscription
+     *            the subscription name defined by the client
      */
+    public CompletableFuture<Boolean> canConsumeAsync(DestinationName destination, String role, String subscription) {
+        CompletableFuture<Boolean> permissionFuture = new CompletableFuture<>();
+        try {
+            configCache.policiesCache().getAsync(POLICY_ROOT + destination.getNamespace()).thenAccept(policies -> {
+                if (!policies.isPresent()) {
+                    if (log.isDebugEnabled()) {
+                        log.debug("Policies node couldn't be found for destination : {}", destination);
+                    }
+                } else {
+                    if (isNotBlank(subscription)) {
+                        switch (policies.get().subscription_auth_mode) {
+                        case Prefix:
+                            if (!subscription.startsWith(role)) {
+                                permissionFuture.complete(false);
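Review bot: the `Prefix` case calls `subscription.startsWith(role)` with only `subscription` checked by `isNotBlank`; `role` is used unguarded. A null `role` throws inside the `thenAccept` lambda, which the enclosing `try` does not catch, and an empty `role` makes `startsWith` true for every subscription name. The bare prefix match also lets role `app` pass for a subscription named `app2-sub`. Consider rejecting a blank role before the `switch` and matching on the role plus a delimiter. The `!policies.isPresent()` branch in the lines shown only logs, so confirm `permissionFuture` is completed on that path as well.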
 
 Review comment:
   I think it's important to bubble back to the user the exact reason for the consumer creation to fail. E.g.: In the exception thrown, it should include something like:
   
   ```
   Failed to create consumer - The subscription name needs to be prefixed by the authentication role, like MY-ROLE-xxxx
   ```
   
   Including the actual role used by the consumer.

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
users@infra.apache.org


With regards,
Apache Git Services
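
One way to carry the reason back to the client, as the review comment asks, shown as an added example and not code from the pull request: the future completes exceptionally with a message naming the role instead of completing with a bare `false`. `SubscriptionPrefixCheck`, `SubscriptionAuthException`, `checkPrefix`, the blank-role message, the treatment of a missing subscription name as a denial, and the sample role and subscription names are assumptions made for illustration.

```java
import java.util.concurrent.CompletableFuture;
import java.util.concurrent.CompletionException;

public class SubscriptionPrefixCheck {

    /** Hypothetical exception type that carries the denial reason to the caller. */
    static class SubscriptionAuthException extends Exception {
        SubscriptionAuthException(String message) {
            super(message);
        }
    }

    /**
     * Completes with true when the subscription name starts with the role.
     * Otherwise completes exceptionally, so the caller sees why it was denied.
     */
    static CompletableFuture<Boolean> checkPrefix(String role, String subscription) {
        CompletableFuture<Boolean> result = new CompletableFuture<>();
        if (role == null || role.trim().isEmpty()) {
            // Assumption: a blank role is denied outright, since "" prefixes every name.
            result.completeExceptionally(new SubscriptionAuthException(
                    "Failed to create consumer - no authentication role is associated with this connection"));
        } else if (subscription == null || !subscription.startsWith(role)) {
            result.completeExceptionally(new SubscriptionAuthException(String.format(
                    "Failed to create consumer - The subscription name needs to be prefixed "
                            + "by the authentication role, like %s-xxxx", role)));
        } else {
            result.complete(true);
        }
        return result;
    }

    public static void main(String[] args) {
        // Constructed sample inputs: {role, subscription}.
        String[][] cases = { { "my-role", "my-role-sub1" }, { "my-role", "other-sub" }, { "", "anything" } };
        for (String[] c : cases) {
            try {
                checkPrefix(c[0], c[1]).join();
                System.out.printf("role='%s' sub='%s' -> allowed%n", c[0], c[1]);
            } catch (CompletionException e) {
                // join() wraps the original exception; its cause holds the message for the client.
                System.out.printf("role='%s' sub='%s' -> %s%n", c[0], c[1], e.getCause().getMessage());
            }
        }
    }
}
```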