Posted to commits@pulsar.apache.org by rx...@apache.org on 2019/10/30 10:06:30 UTC

[pulsar.wiki] branch master updated: Add PIP-49: Permission levels and inheritance for project

This is an automated email from the ASF dual-hosted git repository.

rxl pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/pulsar.wiki.git


The following commit(s) were added to refs/heads/master by this push:
     new e4f2606  Add PIP-49: Permission levels and inheritance for project
e4f2606 is described below

commit e4f2606153cfdd2fdeb88cb16e9239d5613c921d
Author: 冉小龙 <rx...@qq.com>
AuthorDate: Wed Oct 30 18:06:27 2019 +0800

    Add PIP-49: Permission levels and inheritance for project
---
 PIP-49:-Permission-levels-and-inheritance.md | 283 +++++++++++++++++++++++++++
 1 file changed, 283 insertions(+)

diff --git a/PIP-49:-Permission-levels-and-inheritance.md b/PIP-49:-Permission-levels-and-inheritance.md
new file mode 100644
index 0000000..f08fd73
--- /dev/null
+++ b/PIP-49:-Permission-levels-and-inheritance.md
@@ -0,0 +1,283 @@
+# PIP 49: Permission levels and inheritance
+
+- Status: Draft
+- Author: Xiaolong Ran
+- Pull request:
+- Mailing list discussion:
+- Release:
+
+## Motivation
+
+Lacking permission levels and inheritance causing the permission check in Pulsar become very confused.
+
+For example, currently Pulsar only allows a tenant administrator to retrieve the list of topics of a namespace. However, if you are a namespace administrator, you are not allowed to list the topics of it. This behavior is strange and uncommon compared to other RBAC systems.
+
+Also superuser permissions are misused in many places without clear thoughts.
+
+This PIP proposes introducing permission levels and inheritance into Pulsar authorization system to make permission check clearer across Pulsar codebase.
+
+## Permission levels & inheritance
+
+This PIP proposes adding permission level for each role. The permission level is determined by a number. The lower number gets higher permission. The role with higher level permission will inherit all the permissions from lower level roles. The roles at the same permission level can’t inherit the permissions from others. 
+
+
+The following table illustrates all the roles in Pulsar and their permission levels.
+
+
+| Role| Permission Level
+|---|---
+| Super user| 1
+| Tenant admin | 2
+| Namespace admin | 3
+| Namespace function | 4 |
+| Namespace produce | 4 |
+| Namespace consume | 4 |
+
+> Note: The `Namespace function`, `Namespace produce` and `Namespace consume` are at the same permission level. They can’t inherit the permissions from each other.
+## Proposed Permission Changes
+
+
+This PIP proposes the following permission changes for each admin API.
+
+### tenants
+
+Command |Current Permissions | Proposed Permissions
+----|---|---
+get | super-user | >= tenant admin
+create | super-user | super user
+update | super-user | super user
+delete | super-user | super user
+list | super-user | super user
+
+### schemas
+
+Command |Current Permissions | Proposed Permissions
+----|---|---
+get | tenant admin | >= namespace produce
+upload | tenant admin | >= namespace produce
+extract | tenant admin | >= namespace produce
+delete | tenant admin | >= namespace produce
+
+
+### functions
+
+Command |Current Permissions | Proposed Permissions
+----|---|---
+localrun | none | none
+create | super-user or tenant admin or namespace function | >= namespace function
+delete | super-user or tenant admin or namespace function | >= namespace function
+update | super-user or tenant admin or namespace function | >= namespace function
+get | super-user or tenant admin or namespace function | >= namespace function
+restart | super-user or tenant admin or namespace function | >= namespace function
+stop | super-user or tenant admin or namespace function | >= namespace function
+start | super-user or tenant admin or namespace function | >= namespace function
+status | super-user or tenant admin or namespace function | >= namespace function
+stats | super-user or tenant admin or namespace function | >= namespace function
+list | super-user or tenant admin or namespace function | >= namespace function
+querystate | super-user or tenant admin or namespace function | >= namespace function
+trigger | super-user or tenant admin or namespace function | >= namespace function
+putstate | super-user or tenant admin or namespace function | >= namespace function
+
+### sources
+
+Command |Current Permissions | Proposed Permissions
+----|---|---
+localrun | none | none
+create | super-user or tenant admin or namespace function | >= namespace function
+delete | super-user or tenant admin or namespace function | >= namespace function
+update | super-user or tenant admin or namespace function | >= namespace function
+get | none | >= namespace function
+status | super-user or tenant admin or namespace function | >= namespace function
+stop | super-user or tenant admin or namespace function | >= namespace function
+start | super-user or tenant admin or namespace function | >= namespace function
+list | super-user or tenant admin or namespace function | >= namespace function
+restart | super-user or tenant admin or namespace function | >= namespace function
+
+### sinks
+
+Command |Current Permissions | Proposed Permissions
+----|---|---
+localrun | none | none
+create | super-user or tenant admin or namespace function | >= namespace function
+delete | super-user or tenant admin or namespace function | >= namespace function
+update | super-user or tenant admin or namespace function | >= namespace function
+get | none | >= namespace function
+status | super-user or tenant admin or namespace function | >= namespace function
+stop | super-user or tenant admin or namespace function | >= namespace function
+start | super-user or tenant admin or namespace function | >= namespace function
+list | super-user or tenant admin or namespace function | >= namespace function
+restart | super-user or tenant admin or namespace function | >= namespace function
+
+### topics
+
+Command |Current Permissions | Proposed Permissions
+----|---|---
+compact | tenant admin | >= namespace admin
+compaction-status | tenant admin | >= namespace admin
+offload | tenant admin | >= namespace admin
+offload-status | tenant admin | >= namespace admin
+create-partitioned-topic | tenant admin | >= namespace admin
+delete-partitioned-topic | tenant admin | >= namespace admin
+create | tenant admin | >= namespace admin
+get-partitioned-topic-metadata | tenant admin | >= (namespace produce or namespace consume)
+update-partitioned-topic | tenant admin | >= namespace admin
+list | tenant admin | >= namespace admin
+terminate | tenant admin | >= namespace admin
+permissions | tenant admin | >= namespace admin
+grant-permission | tenant admin | >= namespace admin
+revoke-permission | tenant admin | >= namespace admin
+lookup | namespace produce or namespace consume | >= (namespace produce or namespace consume)
+bundle-range | super-user |>=(namespace produce or namespace consume)
+delete | tenant admin | >= namespace admin
+unload | super-user | >= namespace admin
+create-subscription | tenant admin | >= namespace consume
+stats | tenant admin | >= (namespace produce or namespace consume)
+stats-internal | tenant admin | >= (namespace produce or namespace consume)
+info-internal | tenant admin | >= (namespace produce or namespace consume)
+partitioned-stats | tenant admin | >= (namespace produce or namespace consume)
+skip-all | tenant admin | >= namespace consume
+expire-messages-all-subscriptions | tenant admin | >= namespace consume
+last-message-id | tenant admin | >= namespace consume
+create-subscription | tenant admin and namespace produce or consume | >= namespace consume
+unsubscribe | tenant admin and namespace consume | >= namespace consume
+skip | tenant admin or namespace consume | >= namespace consume
+expire-messages | teannt admin and namespace produce or consume | >= namespace consume
+peek-messages | teannt admin and namespace produce or consume | >= namespace consume
+reset-cursor | teannt admin and namespace produce or consume | >=  namespace consume
+subscriptions | teannt admin and namespace produce or consume | >= namespace consume
+
+### namespaces
+
+Command |Current Permissions | Proposed Permissions
+----|---|---
+list | tenant admin | >= namespace admin
+topics | tenant admin | >= namespace admin
+policies | tenant admin | >= namespace admin
+create | tenant admin | >= namespace admin
+delete | tenant admin | >= namespace admin
+set-deduplication | tenant admin | >= namespace admin
+permissions | tenant admin | >= namespace admin
+grant-permissions | tenant admin | >= namespace admin
+revoke-permissions | tenant admin | >= namespace admin
+grant-subscription-permission | tenant admin | >= namespace admin
+revoke-subscription-permission | tenant admin | >= namespace admin
+set-clusters | tenant admin | super-user
+get-clusters | tenant admin | >= (namespace produce or namespace consume or namespace function)
+get-backlog-quotas | tenant admin | >= (namespace produce or namespace consume or namespace function)
+set-backlog-quota | tenant admin | >= namespace admin
+remove-backlog-quota | tenant admin | >= namespace admin
+get-persistence | tenant admin | >= (namespace produce or namespace consume or namespace function)
+get-backlog-quotas | tenant admin | >= (namespace produce or namespace consume or namespace function)
+set-backlog-quota | tenant admin | >= namespace admin
+remove-backlog-quota | tenant admin | >= namespace admin
+get-persistence | tenant admin | >= (namespace produce or namespace consume or namespace function)
+set-persistence | tenant admin | >= namespace admin
+get-message-ttl | tenant admin | >= (namespace produce or namespace consume or namespace function)
+set-message-ttl | tenant admin | >= namespace admin
+get-anti-affinity-group | tenant admin | >= (namespace produce or namespace consume or namespace function)
+set-anti-affinity-group | tenant admin | super-user
+delete-anti-affinity-group | tenant admin | super-user
+get-anti-affinity-namespaces | tenant admin | >= (namespace produce or namespace consume or namespace function)
+get-retention | tenant admin | >= (namespace produce or namespace consume or namespace function)
+set-retention | tenant admin | >= namespace admin
+unload | super-user | >= namespace admin
+set-replicator-dispatch-rate | super-user |  super-user
+get-replicator-dispatch-rate | tenant admin | >= (namespace produce or namespace consume or namespace function)
+split-bundle | super-user | >= namespace admin
+set-dispatch-rate | super-user | >= namespace admin
+get-dispatch-rate | tenant admin | >= (namespace produce or namespace consume or namespace function)
+get-subscribe-rate | tenant admin | >= (namespace produce or namespace consume or namespace function)
+set-subscribe-rate | super-user | >= namespace admin
+set-subscription-dispatch-rate | super-user | >= namespace admin
+get-subscription-dispatch-rate | tenant admin | >= (namespace produce or namespace consume or namespace function)
+clear-backlog | tenant admin | >= namespace admin
+unsubscribe | tenant admin | >= namespace admin
+set-encryption-required | tenant admin | >= namespace admin
+set-subscription-auth-mode | tenant admin | >= namespace admin
+get-max-producers-per-topic | tenant admin | >= (namespace produce or namespace consume or namespace function)
+set-max-producers-per-topic | super-user | >= namespace admin
+get-max-consumers-per-topic | tenant admin | >= (namespace produce or namespace consume or namespace function)
+set-max-consumers-per-topic | super-user | >= namespace admin
+get-max-consumers-per-subscription | tenant admin | >= (namespace produce or namespace consume or namespace function)
+set-max-consumers-per-subscription | super-user | >= namespace admin
+get-compaction-threshold | tenant admin | >= (namespace produce or namespace consume or namespace function)
+set-compaction-threshold | super-user | >= namespace admin
+get-offload-threshold | tenant admin | >= (namespace produce or namespace consume or namespace function)
+set-offload-threshold | super-user | >= namespace admin
+get-offload-deletion-lag | tenant admin | >= (namespace produce or namespace consume or namespace function)
+set-offload-deletion-lag | super-user | >= namespace admin
+clear-offload-deletion-lag | super-user | >= namespace admin
+get-schema-autoupdate-strategy | tenant admin | >= (namespace produce or namespace consume or namespace function)
+set-schema-autoupdate-strategy | super-user | >= namespace admin
+set-schema-validation-enforced | super-user | >= namespace admin
+get-schema-validation-enforced | tenant admin | >= (namespace produce or namespace consume or namespace function)
+
+### clusters
+
+Command |Current Permissions | Proposed Permissions
+----|---|---
+get | super-user | super-user
+create | super-user | super-user
+update | super-user | super-user
+delete | super-user | super-user
+list | super-user | super-user
+update-peer-clusters | super-user | super-user
+get-peer-clusters | super-user | super-user
+get-failure-domain | super-user | super-user
+create-failure-domain | super-user | super-user
+update-failure-domain | super-user | super-user
+delete-failure-domain | super-user | super-user
+list-failure-domain | super-user | super-user
+
+### brokers
+
+Command |Current Permissions | Proposed Permissions
+----|---|---
+list | super-user | super-user
+namespaces | super-user | super-user
+update-dynamic-config | super-user | super-user
+delete-dynamic-config | super-user | super-user
+list-dynamic-config | super-user | super-user
+get-all-dynamic-config | super-user | super-user
+get-internal-config | super-user | super-user
+get-runtime-config | super-user | super-user
+healthcheck | super-user | super-user
+
+### broker-stats
+
+Command |Current Permissions | Proposed Permissions
+----|---|---
+monitoring-metrics | super-user | super-user
+mbeans | super-user | super-user
+topics | super-user | super-user
+allocator-stats | super-user | super-user
+load-report | super-user | super-user
+
+### functions-worker
+
+Command |Current Permissions | Proposed Permissions
+----|---|---
+function-stats | super-user | super-user
+monitoring-metrics | super-user | super-user
+get-cluster | super-user | super-user
+get-cluster-leader | super-user | super-user
+get-function-assignments | super-user | super-user
+
+### resource-quotas
+
+Command |Current Permissions | Proposed Permissions
+----|---|---
+get | super-user | super-user
+set | super-user | super-user
+reset-namespace-bundle-quota | super-user | super-user
+
+### ns-isolation-policy
+
+Command |Current Permissions | Proposed Permissions
+----|---|---
+get | super-user | super-user
+set | super-user | super-user
+list | super-user | super-user
+delete | super-user | super-user
+brokers | super-user | super-user
+broker | super-user | super-user
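
Review bot: In the schemas table, the row `delete | tenant admin | >= namespace produce` hands a destructive operation to a level-4 role that today requires tenant admin, and because the note under the role table says the level-4 roles cannot inherit from each other, `namespace consume` and `namespace function` are left unable to `get` a schema at all. Consider `>= namespace admin` for `delete` and `>= (namespace produce or namespace consume or namespace function)` for `get`, or add a sentence explaining why produce alone is the intended boundary. The "Permission levels & inheritance" paragraph should also say that inheritance holds only within the same tenant or namespace scope, and define `>=` as "this role or any more privileged one", since "The lower number gets higher permission" makes `>= tenant admin` read backwards numerically. The same scoping question applies to the namespaces rows `list` and `create` at `>= namespace admin`: the text does not say which namespace's admin may create or list namespaces in a tenant. Rows that tighten access (`set-clusters`, `set-anti-affinity-group`, `delete-anti-affinity-group` moving from tenant admin to super-user) deserve a compatibility note. Smaller items: the namespaces table repeats the `get-backlog-quotas`, `set-backlog-quota`, `remove-backlog-quota` and `get-persistence` rows; the topics table lists `create-subscription` twice with different current permissions; "teannt" should be "tenant" in four topics rows; "tenant admin and namespace produce or consume" needs parentheses to show precedence; the last three rows of the role table carry trailing pipes the others lack; and a blank line is missing before `## Proposed Permission Changes`.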