Posted to commits@pulsar.apache.org by GitBox <gi...@apache.org> on 2021/01/18 03:11:01 UTC

[GitHub] [pulsar] zymap commented on a change in pull request #7523: [Issue 5720][authz] - add topics authz granularity

zymap commented on a change in pull request #7523:
URL: https://github.com/apache/pulsar/pull/7523#discussion_r559294631



##########
File path: pulsar-broker-common/src/main/java/org/apache/pulsar/broker/authorization/PulsarAuthorizationProvider.java
##########
@@ -557,28 +557,65 @@ private void validatePoliciesReadOnlyAccess() {
                                                                AuthenticationDataSource authData) {
         CompletableFuture<Boolean> isAuthorizedFuture;
 
-        switch (operation) {
-            case LOOKUP: isAuthorizedFuture = canLookupAsync(topicName, role, authData);
-                break;
-            case PRODUCE: isAuthorizedFuture = canProduceAsync(topicName, role, authData);
-                break;
-            case CONSUME: isAuthorizedFuture = canConsumeAsync(topicName, role, authData, authData.getSubscription());
-                break;
-            default: isAuthorizedFuture = FutureUtil.failedFuture(
-                    new IllegalStateException("TopicOperation is not supported."));
-        }
+        try {
+            TenantInfo tenantInfo = configCache.propertiesCache().get(path(POLICIES, topicName.getTenant())).get();
+
+            switch (operation) {
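Review bot: the removed `default` branch that failed with `IllegalStateException("TopicOperation is not supported.")` was the fail-closed path of this switch, and the replacement switch inside the new `try` block is cut off in this hunk, so make sure it still ends in a `default` that completes `isAuthorizedFuture` with a failure (or `false`) rather than leaving it unassigned or falling through to an allow. Also, `configCache.propertiesCache().get(path(POLICIES, topicName.getTenant())).get()` unwraps the tenant lookup synchronously inside a method that returns a `CompletableFuture`: if the tenant entry is absent this throws instead of completing the future exceptionally, and if it blocks it does so on the caller's thread. Prefer the cache's async lookup composed with `thenCompose`, and map a missing tenant to a failed future so the surrounding `try`/`catch` is not carrying authorization control flow.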

Review comment:
    Can we merge some operations like this? For example:
    ```
    case CONSUME:
    case EXPIRE_MESSAGES:
    ...
    case SKIP:
        isAuthorizedFuture = canConsumeAsync(topicName, role, authData, authData.getSubscription());
        break;
    ```


##########
File path: pulsar-broker-common/src/main/java/org/apache/pulsar/broker/authorization/AuthorizationProvider.java
##########
@@ -489,4 +490,36 @@ default Boolean allowTopicOperation(TopicName topicName,
             throw new RestException(e.getCause());
         }
     }
+
+    /**
+     * Check if a given <tt>role</tt> is allowed to execute a given topic <tt>operation</tt> on topic's <tt>policy</tt>.
+     *
+     * @param topic topic name
+     * @param role role name
+     * @param operation topic operation
+     * @param authData authenticated data
+     * @return CompletableFuture<Boolean>
+     */
+    default CompletableFuture<Boolean> allowTopicPolicyOperationAsync(TopicName topic,
+                                                                      String role,
+                                                                      PolicyName policy,
+                                                                      PolicyOperation operation,
+                                                                      AuthenticationDataSource authData) {
+        return FutureUtil.failedFuture(
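Review bot: the Javadoc for `allowTopicPolicyOperationAsync` documents `topic`, `role`, `operation` and `authData` but omits `@param policy`, and the `@return CompletableFuture<Boolean>` line will be parsed as an HTML tag by javadoc; write it as `{@code CompletableFuture<Boolean>}` and add `@param policy the policy the operation targets`. Returning `FutureUtil.failedFuture(...)` from the default implementation is the right fail-closed choice for providers that do not implement policy-level checks; say so in the Javadoc so implementors know the default rejects every policy operation and must be overridden to grant anything.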

Review comment:
       Overall looks good. This PR looks like it only adds validation for topic-level authorization.