Posted to dev@pulsar.apache.org by Guangning E <eg...@gmail.com> on 2019/11/21 07:11:33 UTC

[Discuss] Authentication and Authorization in Pulsar Manager

Hi everyone,
The current pulsar-manager already supports basic JWT certification,
authorization and management, and we want to further integrate with
pulsar's multi-tenant system, so we drafted the following document on the
certification and authorization of the pulsar-manager. If you have any
ideas, you can comment directly on the document or reply to this email
https://docs.google.com/document/d/1wAErarwtXT5A2JeiSxuXyMuqSgPVN68d2t-pnmkSrDA/edit

Thanks,
Guangning

Re: [Discuss] Authentication and Authorization in Pulsar Manager

Posted by Guangning E <eg...@gmail.com>.
I updated the document here
https://github.com/apache/pulsar-manager/wiki/Authentication-and-Authorization-in-Pulsar-Manager,
please reply to this email if you have any questions, then I will implement
this feature according to the document.

Thanks,
Guangning

Guangning E <eg...@gmail.com> wrote on Fri, Nov 22, 2019 at 11:10 AM:

> I got it. I think the current architecture is ok, a developer will get a
> token, he has the token, he can produce and consume messages, after
> entering the platform, he can only see the topic bound with the token or
> some statistical information of namespace, he does not have any permission
> to change resources, I think this will be added by default, here we call
> this role the service API.
>
> Thanks,
> Guangning
>
> Yuva raj <uv...@gmail.com> wrote on Fri, Nov 22, 2019 at 10:50 AM:
>
>> Readonly role at pulsar-manager level. In our case we allow developers
>> to access pulsar-manager to analyze topic metrics (produce /consume
>> rate, list of consumers & subscriptions etc ). But we don't want to
>> allow them to make any changes to the pulsar resources, such as
>> clusters, namespaces or topics.
>>
>> On Fri, 22 Nov 2019 at 07:46, Guangning E <eg...@gmail.com> wrote:
>> >
>> > I'd like to know what you mean by read-only role and what operations it is
>> > mainly used for. At present, pulsar-manager manages the permissions that
>> > already exist in pulsar. I see that there are two PIP's on permission
>> > improvement in pulsar. On this basis, we can easily expand roles in
>> > pulsar-manager to adapt to pulsar's permissions.
>> >
>> > Yuva raj <uv...@gmail.com> wrote on Thu, Nov 21, 2019 at 8:07 PM:
>> >
>> > > Hi Guangning, Overall looks good. I am looking forward for an example how
>> > > can we create a read only role ? Can we please add an `read` action also
>> > > into verb list ?
>> > >
>> > > On Thu, Nov 21, 2019, 12:40 PM Guangning E <eg...@gmail.com> wrote:
>> > >
>> > > > Hi everyone,
>> > > > The current pulsar-manager already supports basic JWT certification,
>> > > > authorization and management, and we want to further integrate with
>> > > > pulsar's multi-tenant system, so we drafted the following document on the
>> > > > certification and authorization of the pulsar-manager. If you have any
>> > > > ideas, you can comment directly on the document or reply to this email
>> > > >
>> > > > https://docs.google.com/document/d/1wAErarwtXT5A2JeiSxuXyMuqSgPVN68d2t-pnmkSrDA/edit
>> > > >
>> > > > Thanks,
>> > > > Guangning
>> > > >
>> > >
>>
>>
>>
>> --
>> Thanks
>>
>> Yuvaraj L
>>
>

Re: [Discuss] Authentication and Authorization in Pulsar Manager

Posted by Guangning E <eg...@gmail.com>.
I got it. I think the current architecture is OK. A developer will get a
token; he has the token, he can produce and consume messages. After
entering the platform, he can only see the topic bound with the token or
some statistical information of the namespace. He does not have any permission
to change resources. I think this will be added by default; here we call
this role the service API.

Thanks,
Guangning

Yuva raj <uv...@gmail.com> wrote on Fri, Nov 22, 2019 at 10:50 AM:

> Readonly role at pulsar-manager level. In our case we allow developers
> to access pulsar-manager to analyze topic metrics (produce /consume
> rate, list of consumers & subscriptions etc ). But we don't want to
> allow them to make any changes to the pulsar resources, such as
> clusters, namespaces or topics.
>
> On Fri, 22 Nov 2019 at 07:46, Guangning E <eg...@gmail.com> wrote:
> >
> > I'd like to know what you mean by read-only role and what operations it is
> > mainly used for. At present, pulsar-manager manages the permissions that
> > already exist in pulsar. I see that there are two PIP's on permission
> > improvement in pulsar. On this basis, we can easily expand roles in
> > pulsar-manager to adapt to pulsar's permissions.
> >
> > Yuva raj <uv...@gmail.com> wrote on Thu, Nov 21, 2019 at 8:07 PM:
> >
> > > Hi Guangning, Overall looks good. I am looking forward for an example how
> > > can we create a read only role ? Can we please add an `read` action also
> > > into verb list ?
> > >
> > > On Thu, Nov 21, 2019, 12:40 PM Guangning E <eg...@gmail.com> wrote:
> > >
> > > > Hi everyone,
> > > > The current pulsar-manager already supports basic JWT certification,
> > > > authorization and management, and we want to further integrate with
> > > > pulsar's multi-tenant system, so we drafted the following document on the
> > > > certification and authorization of the pulsar-manager. If you have any
> > > > ideas, you can comment directly on the document or reply to this email
> > > >
> > > > https://docs.google.com/document/d/1wAErarwtXT5A2JeiSxuXyMuqSgPVN68d2t-pnmkSrDA/edit
> > > >
> > > > Thanks,
> > > > Guangning
> > > >
> > >
>
>
>
> --
> Thanks
>
> Yuvaraj L
>

Re: [Discuss] Authentication and Authorization in Pulsar Manager

Posted by Yuva raj <uv...@gmail.com>.
Read-only role at pulsar-manager level. In our case we allow developers
to access pulsar-manager to analyze topic metrics (produce/consume
rate, list of consumers & subscriptions, etc.). But we don't want to
allow them to make any changes to the pulsar resources, such as
clusters, namespaces or topics.

On Fri, 22 Nov 2019 at 07:46, Guangning E <eg...@gmail.com> wrote:
>
> I'd like to know what you mean by read-only role and what operations it is
> mainly used for. At present, pulsar-manager manages the permissions that
> already exist in pulsar. I see that there are two PIP's on permission
> improvement in pulsar. On this basis, we can easily expand roles in
> pulsar-manager to adapt to pulsar's permissions.
>
> Yuva raj <uv...@gmail.com> wrote on Thu, Nov 21, 2019 at 8:07 PM:
>
> > Hi Guangning, Overall looks good. I am looking forward for an example how
> > can we create a read only role ? Can we please add an `read` action also
> > into verb list ?
> >
> > On Thu, Nov 21, 2019, 12:40 PM Guangning E <eg...@gmail.com> wrote:
> >
> > > Hi everyone,
> > > The current pulsar-manager already supports basic JWT certification,
> > > authorization and management, and we want to further integrate with
> > > pulsar's multi-tenant system, so we drafted the following document on the
> > > certification and authorization of the pulsar-manager. If you have any
> > > ideas, you can comment directly on the document or reply to this email
> > >
> > >
> > https://docs.google.com/document/d/1wAErarwtXT5A2JeiSxuXyMuqSgPVN68d2t-pnmkSrDA/edit
> > >
> > > Thanks,
> > > Guangning
> > >
> >



-- 
Thanks

Yuvaraj L

Re: [Discuss] Authentication and Authorization in Pulsar Manager

Posted by Guangning E <eg...@gmail.com>.
I'd like to know what you mean by read-only role and what operations it is
mainly used for. At present, pulsar-manager manages the permissions that
already exist in pulsar. I see that there are two PIPs on permission
improvement in pulsar. On this basis, we can easily expand roles in
pulsar-manager to adapt to pulsar's permissions.

Yuva raj <uv...@gmail.com> wrote on Thu, Nov 21, 2019 at 8:07 PM:

> Hi Guangning, Overall looks good. I am looking forward for an example how
> can we create a read only role ? Can we please add an `read` action also
> into verb list ?
>
> On Thu, Nov 21, 2019, 12:40 PM Guangning E <eg...@gmail.com> wrote:
>
> > Hi everyone,
> > The current pulsar-manager already supports basic JWT certification,
> > authorization and management, and we want to further integrate with
> > pulsar's multi-tenant system, so we drafted the following document on the
> > certification and authorization of the pulsar-manager. If you have any
> > ideas, you can comment directly on the document or reply to this email
> >
> >
> https://docs.google.com/document/d/1wAErarwtXT5A2JeiSxuXyMuqSgPVN68d2t-pnmkSrDA/edit
> >
> > Thanks,
> > Guangning
> >
>

Re: [Discuss] Authentication and Authorization in Pulsar Manager

Posted by Yuva raj <uv...@gmail.com>.
Hi Guangning, overall looks good. I am looking forward to an example of how
we can create a read-only role. Can we please also add a `read` action
to the verb list?

On Thu, Nov 21, 2019, 12:40 PM Guangning E <eg...@gmail.com> wrote:

> Hi everyone,
> The current pulsar-manager already supports basic JWT certification,
> authorization and management, and we want to further integrate with
> pulsar's multi-tenant system, so we drafted the following document on the
> certification and authorization of the pulsar-manager. If you have any
> ideas, you can comment directly on the document or reply to this email
>
> https://docs.google.com/document/d/1wAErarwtXT5A2JeiSxuXyMuqSgPVN68d2t-pnmkSrDA/edit
>
> Thanks,
> Guangning
>