You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@pulsar.apache.org by ti...@apache.org on 2022/12/11 05:51:13 UTC
[pulsar] branch master updated: Revert "[PIP-167][Authorization] Make it Configurable to Require Subscription Permission" (#18867)
This is an automated email from the ASF dual-hosted git repository.
tison pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/pulsar.git
The following commit(s) were added to refs/heads/master by this push:
new 3180a4aa04d Revert "[PIP-167][Authorization] Make it Configurable to Require Subscription Permission" (#18867)
3180a4aa04d is described below
commit 3180a4aa04d518fa401a781d646545221c4d1fa6
Author: tison <wa...@gmail.com>
AuthorDate: Sun Dec 11 13:51:04 2022 +0800
Revert "[PIP-167][Authorization] Make it Configurable to Require Subscription Permission" (#18867)
---
.../authorization/PulsarAuthorizationProvider.java | 14 +---
.../pulsar/broker/admin/impl/NamespacesBase.java | 35 ----------
.../apache/pulsar/broker/admin/v1/Namespaces.java | 31 ---------
.../apache/pulsar/broker/admin/v2/Namespaces.java | 30 ---------
.../api/AuthorizationProducerConsumerTest.java | 78 ----------------------
.../org/apache/pulsar/client/admin/Namespaces.java | 36 ----------
.../pulsar/common/policies/data/AuthPolicies.java | 9 ---
.../client/admin/internal/NamespacesImpl.java | 39 -----------
.../org/apache/pulsar/admin/cli/CmdNamespaces.java | 39 -----------
.../admin/internal/data/AuthPoliciesImpl.java | 15 +----
10 files changed, 5 insertions(+), 321 deletions(-)
diff --git a/pulsar-broker-common/src/main/java/org/apache/pulsar/broker/authorization/PulsarAuthorizationProvider.java b/pulsar-broker-common/src/main/java/org/apache/pulsar/broker/authorization/PulsarAuthorizationProvider.java
index 406417dc779..a43591dd1d9 100644
--- a/pulsar-broker-common/src/main/java/org/apache/pulsar/broker/authorization/PulsarAuthorizationProvider.java
+++ b/pulsar-broker-common/src/main/java/org/apache/pulsar/broker/authorization/PulsarAuthorizationProvider.java
@@ -108,21 +108,16 @@ public class PulsarAuthorizationProvider implements AuthorizationProvider {
return pulsarResources.getNamespaceResources().getPoliciesAsync(topicName.getNamespaceObject())
.thenCompose(policies -> {
if (!policies.isPresent()) {
- // TODO this case seems like it could bypass authorization checks.
if (log.isDebugEnabled()) {
log.debug("Policies node couldn't be found for topic : {}", topicName);
}
} else {
if (isNotBlank(subscription)) {
- // Reject request if role is unauthorized to access subscription.
- // If subscriptionAuthRequired is enabled, role must be in the set of roles.
- // Otherwise, set of roles must be null or empty, or role must be in set of roles.
+ // validate if role is authorized to access subscription. (skip validation if authorization
+ // list is empty)
Set<String> roles = policies.get().auth_policies
.getSubscriptionAuthentication().get(subscription);
- boolean isUnauthorized = policies.get().auth_policies.isSubscriptionAuthRequired()
- ? (roles == null || roles.isEmpty() || !roles.contains(role))
- : (roles != null && !roles.isEmpty() && !roles.contains(role));
- if (isUnauthorized) {
+ if (roles != null && !roles.isEmpty() && !roles.contains(role)) {
log.warn("[{}] is not authorized to subscribe on {}-{}", role, topicName, subscription);
return CompletableFuture.completedFuture(false);
}
@@ -488,8 +483,6 @@ public class PulsarAuthorizationProvider implements AuthorizationProvider {
case GET_TOPICS:
case GET_BUNDLE:
return allowConsumeOrProduceOpsAsync(namespaceName, role, authData);
- // TODO these only require ability to consume on namespace; ignore namespace's subscription
- // permission.
case UNSUBSCRIBE:
case CLEAR_BACKLOG:
return allowTheSpecifiedActionOpsAsync(
@@ -544,7 +537,6 @@ public class PulsarAuthorizationProvider implements AuthorizationProvider {
return canLookupAsync(topicName, role, authData);
case PRODUCE:
return canProduceAsync(topicName, role, authData);
- // TODO consume from single subscription lets role view all subscriptions on a topic
case GET_SUBSCRIPTIONS:
case CONSUME:
case SUBSCRIBE:
diff --git a/pulsar-broker/src/main/java/org/apache/pulsar/broker/admin/impl/NamespacesBase.java b/pulsar-broker/src/main/java/org/apache/pulsar/broker/admin/impl/NamespacesBase.java
index c3011069176..b33b84e5aed 100644
--- a/pulsar-broker/src/main/java/org/apache/pulsar/broker/admin/impl/NamespacesBase.java
+++ b/pulsar-broker/src/main/java/org/apache/pulsar/broker/admin/impl/NamespacesBase.java
@@ -2561,39 +2561,4 @@ public abstract class NamespacesBase extends AdminResource {
return null;
});
}
-
- protected void getPermissionOnSubscriptionRequired(AsyncResponse asyncResponse) {
- validateNamespaceOperationAsync(namespaceName, NamespaceOperation.GET_PERMISSION)
- .thenCompose(__ -> getNamespacePoliciesAsync(namespaceName).thenApply(policies ->
- asyncResponse.resume(Response.ok(policies.auth_policies.isSubscriptionAuthRequired()).build())
- )).exceptionally(ex -> {
- log.error("[{}] Failed to get PermissionOnSubscriptionRequired", clientAppId(), ex);
- resumeAsyncResponseExceptionally(asyncResponse, ex);
- return null;
- });
- }
-
- protected void internalSetPermissionOnSubscriptionRequired(AsyncResponse asyncResponse,
- boolean permissionOnSubscriptionRequired) {
- CompletableFuture<Void> isAuthorized;
- if (permissionOnSubscriptionRequired) {
- isAuthorized = validateNamespaceOperationAsync(namespaceName, NamespaceOperation.REVOKE_PERMISSION);
- } else {
- isAuthorized = validateNamespaceOperationAsync(namespaceName, NamespaceOperation.GRANT_PERMISSION);
- }
- isAuthorized
- .thenCompose(__ -> validatePoliciesReadOnlyAccessAsync())
- .thenCompose(__ -> updatePoliciesAsync(namespaceName, policies -> {
- policies.auth_policies.setSubscriptionAuthRequired(permissionOnSubscriptionRequired);
- return policies;
- })).thenAccept(__ -> {
- log.info("[{}] Updated PermissionOnSubscriptionRequired for namespace {} to {}", clientAppId(),
- namespaceName, permissionOnSubscriptionRequired);
- asyncResponse.resume(Response.ok().build());
- }).exceptionally(ex -> {
- log.error("[{}] Failed to update PermissionOnSubscriptionRequired", clientAppId(), ex);
- resumeAsyncResponseExceptionally(asyncResponse, ex);
- return null;
- });
- }
}
diff --git a/pulsar-broker/src/main/java/org/apache/pulsar/broker/admin/v1/Namespaces.java b/pulsar-broker/src/main/java/org/apache/pulsar/broker/admin/v1/Namespaces.java
index 346c13ccce9..ffb0e49d365 100644
--- a/pulsar-broker/src/main/java/org/apache/pulsar/broker/admin/v1/Namespaces.java
+++ b/pulsar-broker/src/main/java/org/apache/pulsar/broker/admin/v1/Namespaces.java
@@ -419,37 +419,6 @@ public class Namespaces extends NamespacesBase {
});
}
- @POST
- @Path("/{property}/{cluster}/{namespace}/permissionOnSubscriptionRequired")
- @ApiOperation(hidden = true, value = "Set whether a role requires explicit permission to consume from a "
- + "subscription that has no subscription permission defined in the namespace.")
- @ApiResponses(value = {@ApiResponse(code = 403, message = "Don't have admin permission"),
- @ApiResponse(code = 404, message = "Property or cluster or namespace doesn't exist"),
- @ApiResponse(code = 409, message = "Concurrent modification"),
- @ApiResponse(code = 501, message = "Authorization is not enabled")})
- public void setPermissionOnSubscriptionRequired(
- @Suspended final AsyncResponse asyncResponse, @PathParam("property") String property,
- @PathParam("cluster") String cluster, @PathParam("namespace") String namespace,
- boolean permissionOnSubscriptionRequired) {
- validateNamespaceName(property, cluster, namespace);
- internalSetPermissionOnSubscriptionRequired(asyncResponse, permissionOnSubscriptionRequired);
- }
-
- @GET
- @Path("/{property}/{cluster}/{namespace}/permissionOnSubscriptionRequired")
- @ApiOperation(value = "Get whether a role requires explicit permission to consume from a "
- + "subscription that has no subscription permission defined in the namespace.")
- @ApiResponses(value = {@ApiResponse(code = 403, message = "Don't have admin permission"),
- @ApiResponse(code = 404, message = "Property or cluster or namespace doesn't exist"),
- @ApiResponse(code = 409, message = "Namespace is not empty")})
- public void getPermissionOnSubscriptionRequired(@Suspended final AsyncResponse asyncResponse,
- @PathParam("property") String property,
- @PathParam("cluster") String cluster,
- @PathParam("namespace") String namespace) {
- validateNamespaceName(property, cluster, namespace);
- getPermissionOnSubscriptionRequired(asyncResponse);
- }
-
@GET
@Path("/{property}/{cluster}/{namespace}/replication")
@ApiOperation(hidden = true, value = "Get the replication clusters for a namespace.",
diff --git a/pulsar-broker/src/main/java/org/apache/pulsar/broker/admin/v2/Namespaces.java b/pulsar-broker/src/main/java/org/apache/pulsar/broker/admin/v2/Namespaces.java
index 5e8d12bb8b9..b6bf1f0927c 100644
--- a/pulsar-broker/src/main/java/org/apache/pulsar/broker/admin/v2/Namespaces.java
+++ b/pulsar-broker/src/main/java/org/apache/pulsar/broker/admin/v2/Namespaces.java
@@ -365,36 +365,6 @@ public class Namespaces extends NamespacesBase {
});
}
- @POST
- @Path("/{property}/{namespace}/permissionOnSubscriptionRequired")
- @ApiOperation(hidden = true, value = "Allow a consumer's role to have implicit permission to consume from a"
- + " subscription.")
- @ApiResponses(value = {@ApiResponse(code = 403, message = "Don't have admin permission"),
- @ApiResponse(code = 404, message = "Property or cluster or namespace doesn't exist"),
- @ApiResponse(code = 409, message = "Concurrent modification"),
- @ApiResponse(code = 501, message = "Authorization is not enabled")})
- public void setPermissionOnSubscriptionRequired(
- @Suspended final AsyncResponse asyncResponse,
- @PathParam("property") String property,
- @PathParam("namespace") String namespace,
- boolean required) {
- validateNamespaceName(property, namespace);
- internalSetPermissionOnSubscriptionRequired(asyncResponse, required);
- }
-
- @GET
- @Path("/{property}/{namespace}/permissionOnSubscriptionRequired")
- @ApiOperation(value = "Get permission on subscription required for namespace.")
- @ApiResponses(value = {@ApiResponse(code = 403, message = "Don't have admin permission"),
- @ApiResponse(code = 404, message = "Property or cluster or namespace doesn't exist"),
- @ApiResponse(code = 409, message = "Namespace is not empty")})
- public void getPermissionOnSubscriptionRequired(@Suspended final AsyncResponse asyncResponse,
- @PathParam("property") String property,
- @PathParam("namespace") String namespace) {
- validateNamespaceName(property, namespace);
- getPermissionOnSubscriptionRequired(asyncResponse);
- }
-
@GET
@Path("/{tenant}/{namespace}/replication")
@ApiOperation(value = "Get the replication clusters for a namespace.",
diff --git a/pulsar-broker/src/test/java/org/apache/pulsar/client/api/AuthorizationProducerConsumerTest.java b/pulsar-broker/src/test/java/org/apache/pulsar/client/api/AuthorizationProducerConsumerTest.java
index b179c45d564..0ce3b7df07d 100644
--- a/pulsar-broker/src/test/java/org/apache/pulsar/client/api/AuthorizationProducerConsumerTest.java
+++ b/pulsar-broker/src/test/java/org/apache/pulsar/client/api/AuthorizationProducerConsumerTest.java
@@ -21,7 +21,6 @@ package org.apache.pulsar.client.api;
import static org.apache.commons.lang3.StringUtils.isNotBlank;
import static org.mockito.Mockito.spy;
import static org.testng.Assert.assertEquals;
-import static org.testng.Assert.assertFalse;
import static org.testng.Assert.assertNotNull;
import static org.testng.Assert.assertNull;
import static org.testng.Assert.assertTrue;
@@ -366,83 +365,6 @@ public class AuthorizationProducerConsumerTest extends ProducerConsumerBase {
log.info("-- Exiting {} test --", methodName);
}
- @Test
- public void testSubscriberPermissionRequired() throws Exception {
- log.info("-- Starting {} test --", methodName);
-
- conf.setAuthorizationProvider(PulsarAuthorizationProvider.class.getName());
- setup();
-
- final String tenantRole = "tenant-role";
- final String subscriptionRole = "sub-role";
- final String subscriptionName = "sub";
- final String namespace = "my-property/ns-sub-auth-req";
- final String topicName = "persistent://" + namespace + "/my-topic";
- Authentication adminAuthentication = new ClientAuthentication("superUser");
-
- clientAuthProviderSupportedRoles.add(subscriptionRole);
-
- @Cleanup
- PulsarAdmin superAdmin = spy(
- PulsarAdmin.builder().serviceHttpUrl(brokerUrl.toString()).authentication(adminAuthentication).build());
-
- Authentication tenantAdminAuthentication = new ClientAuthentication(tenantRole);
- @Cleanup
- PulsarAdmin tenantAdmin = spy(PulsarAdmin.builder().serviceHttpUrl(brokerUrl.toString())
- .authentication(tenantAdminAuthentication).build());
-
- Authentication subAdminAuthentication = new ClientAuthentication(subscriptionRole);
- @Cleanup
- PulsarAdmin sub1Admin = spy(PulsarAdmin.builder().serviceHttpUrl(brokerUrl.toString())
- .authentication(subAdminAuthentication).build());
-
- Authentication authentication = new ClientAuthentication(subscriptionRole);
-
- superAdmin.clusters().createCluster("test", ClusterData.builder().serviceUrl(brokerUrl.toString()).build());
-
- // Initialize cluster and configure namespace to require permission on subscription
- superAdmin.tenants().createTenant("my-property",
- new TenantInfoImpl(Sets.newHashSet(tenantRole), Sets.newHashSet("test")));
- superAdmin.namespaces().createNamespace(namespace, Sets.newHashSet("test"));
- assertFalse(superAdmin.namespaces().getPermissionOnSubscriptionRequired(namespace), "Defaults to false.");
- superAdmin.namespaces().setPermissionOnSubscriptionRequired(namespace, true);
- tenantAdmin.topics().createNonPartitionedTopic(topicName);
- tenantAdmin.topics().grantPermission(topicName, subscriptionRole,
- Collections.singleton(AuthAction.consume));
- assertNull(superAdmin.namespaces().getPublishRate(namespace));
- assertTrue(superAdmin.namespaces().getPermissionOnSubscriptionRequired(namespace));
- replacePulsarClient(PulsarClient.builder()
- .serviceUrl(pulsar.getBrokerServiceUrl())
- .authentication(authentication));
-
- // Cluster is initialized; the subscriptionRole has permission consume on the topic, but doesn't have
- // explicit subscription permission. Verify that several operations which rely on subscription permission fail.
- try {
- sub1Admin.topics().resetCursor(topicName, subscriptionName, 0);
- fail("should have failed with authorization exception");
- } catch (Exception e) {
- assertTrue(e.getMessage().startsWith(
- "Unauthorized to validateTopicOperation for operation [RESET_CURSOR]"));
- }
- try {
- pulsarClient.newConsumer().topic(topicName).subscriptionName(subscriptionName).subscribe();
- fail("should have failed with authorization exception");
- } catch (Exception e) {
- assertTrue(e.getMessage().contains("Client is not authorized to subscribe"), e.getMessage());
- }
-
- // Grant the role permission.
- tenantAdmin.namespaces().grantPermissionOnSubscription(namespace, subscriptionName, Set.of(subscriptionRole));
-
- // Verify the role now has permission to consume (reset cursor second to avoid 404 on subscription)
- Consumer<byte[]> consumer = pulsarClient.newConsumer().topic(topicName).subscriptionName(subscriptionName)
- .subscribe();
- consumer.close();
- sub1Admin.topics().resetCursor(topicName, subscriptionName, 0);
-
- log.info("-- Exiting {} test --", methodName);
- }
-
@Test
public void testClearBacklogPermission() throws Exception {
log.info("-- Starting {} test --", methodName);
diff --git a/pulsar-client-admin-api/src/main/java/org/apache/pulsar/client/admin/Namespaces.java b/pulsar-client-admin-api/src/main/java/org/apache/pulsar/client/admin/Namespaces.java
index 5cbd28d05f6..f4c284bb484 100644
--- a/pulsar-client-admin-api/src/main/java/org/apache/pulsar/client/admin/Namespaces.java
+++ b/pulsar-client-admin-api/src/main/java/org/apache/pulsar/client/admin/Namespaces.java
@@ -783,42 +783,6 @@ public interface Namespaces {
*/
CompletableFuture<Void> revokePermissionOnSubscriptionAsync(String namespace, String subscription, String role);
- /**
- * Get whether a role requires explicit permission to consume from a subscription that has no subscription
- * permission defined in the namespace.
- *
- * @param namespace Pulsar namespace name
- * @return
- * @throws PulsarAdminException
- */
- boolean getPermissionOnSubscriptionRequired(String namespace) throws PulsarAdminException;
-
- /**
- * Get whether a role requires explicit permission to consume from a subscription that has no subscription
- * permission defined in the namespace.
- * @param namespace Pulsar namespace name
- * @return
- */
- CompletableFuture<Boolean> getPermissionOnSubscriptionRequiredAsync(String namespace);
-
- /**
- * Set whether a role requires explicit permission to consume from a subscription that has no subscription
- * permission defined in the namespace.
- * @param namespace Pulsar namespace name
- * @throws PulsarAdminException
- */
- void setPermissionOnSubscriptionRequired(String namespace, boolean permissionOnSubscriptionRequired)
- throws PulsarAdminException;
-
- /**
- * Set whether a role requires explicit permission to consume from a subscription that has no subscription
- * permission defined in the namespace.
- * @param namespace Pulsar namespace name
- * @return
- */
- CompletableFuture<Void> setPermissionOnSubscriptionRequiredAsync(String namespace,
- boolean permissionOnSubscriptionRequired);
-
/**
* Get the replication clusters for a namespace.
* <p/>
diff --git a/pulsar-client-admin-api/src/main/java/org/apache/pulsar/common/policies/data/AuthPolicies.java b/pulsar-client-admin-api/src/main/java/org/apache/pulsar/common/policies/data/AuthPolicies.java
index c7924059cbc..5f8bc82a53b 100644
--- a/pulsar-client-admin-api/src/main/java/org/apache/pulsar/common/policies/data/AuthPolicies.java
+++ b/pulsar-client-admin-api/src/main/java/org/apache/pulsar/common/policies/data/AuthPolicies.java
@@ -30,14 +30,6 @@ public interface AuthPolicies {
Map<String, Map<String, Set<AuthAction>>> getTopicAuthentication();
Map<String, Set<String>> getSubscriptionAuthentication();
- /**
- * Whether an empty set of subscription authentication roles returned by {@link #getSubscriptionAuthentication()}
- * requires explicit permission to consume from the target subscription.
- * @return
- */
- boolean isSubscriptionAuthRequired();
- void setSubscriptionAuthRequired(boolean subscriptionAuthRequired);
-
static Builder builder() {
return ReflectionUtils.newBuilder("org.apache.pulsar.client.admin.internal.data.AuthPoliciesImpl");
}
@@ -47,6 +39,5 @@ public interface AuthPolicies {
Builder namespaceAuthentication(Map<String, Set<AuthAction>> namespaceAuthentication);
Builder topicAuthentication(Map<String, Map<String, Set<AuthAction>>> topicAuthentication);
Builder subscriptionAuthentication(Map<String, Set<String>> subscriptionAuthentication);
- Builder subscriptionAuthRequired(boolean subscriptionAuthRequired);
}
}
diff --git a/pulsar-client-admin/src/main/java/org/apache/pulsar/client/admin/internal/NamespacesImpl.java b/pulsar-client-admin/src/main/java/org/apache/pulsar/client/admin/internal/NamespacesImpl.java
index a61827844f1..6d4889a751d 100644
--- a/pulsar-client-admin/src/main/java/org/apache/pulsar/client/admin/internal/NamespacesImpl.java
+++ b/pulsar-client-admin/src/main/java/org/apache/pulsar/client/admin/internal/NamespacesImpl.java
@@ -342,45 +342,6 @@ public class NamespacesImpl extends BaseResource implements Namespaces {
return asyncDeleteRequest(path);
}
- @Override
- public void setPermissionOnSubscriptionRequired(String namespace, boolean permissionOnSubscriptionRequired)
- throws PulsarAdminException {
- sync(() -> setPermissionOnSubscriptionRequiredAsync(namespace, permissionOnSubscriptionRequired));
- }
-
- @Override
- public CompletableFuture<Void> setPermissionOnSubscriptionRequiredAsync(String namespace,
- boolean permissionOnSubscriptionRequired) {
- NamespaceName ns = NamespaceName.get(namespace);
- WebTarget path = namespacePath(ns, "permissionOnSubscriptionRequired");
- return asyncPostRequest(path, Entity.entity(permissionOnSubscriptionRequired, MediaType.APPLICATION_JSON));
- }
-
- @Override
- public boolean getPermissionOnSubscriptionRequired(String namespace) throws PulsarAdminException {
- return sync(() -> getPermissionOnSubscriptionRequiredAsync(namespace));
- }
-
- @Override
- public CompletableFuture<Boolean> getPermissionOnSubscriptionRequiredAsync(String namespace) {
- NamespaceName ns = NamespaceName.get(namespace);
- WebTarget path = namespacePath(ns, "permissionOnSubscriptionRequired");
- final CompletableFuture<Boolean> future = new CompletableFuture<>();
- asyncGetRequest(path,
- new InvocationCallback<Boolean>() {
- @Override
- public void completed(Boolean enabled) {
- future.complete(enabled);
- }
-
- @Override
- public void failed(Throwable throwable) {
- future.completeExceptionally(getApiException(throwable.getCause()));
- }
- });
- return future;
- }
-
@Override
public List<String> getNamespaceReplicationClusters(String namespace) throws PulsarAdminException {
return sync(() -> getNamespaceReplicationClustersAsync(namespace));
diff --git a/pulsar-client-tools/src/main/java/org/apache/pulsar/admin/cli/CmdNamespaces.java b/pulsar-client-tools/src/main/java/org/apache/pulsar/admin/cli/CmdNamespaces.java
index 6bcbc4e522b..b64df272b44 100644
--- a/pulsar-client-tools/src/main/java/org/apache/pulsar/admin/cli/CmdNamespaces.java
+++ b/pulsar-client-tools/src/main/java/org/apache/pulsar/admin/cli/CmdNamespaces.java
@@ -304,42 +304,6 @@ public class CmdNamespaces extends CmdBase {
}
}
- @Parameters(commandDescription =
- "Get whether a namespace requires explicit permission to consume from a subscription when no permission is "
- + "defined.")
- private class GetSubscriptionPermissionRequired extends CliCommand {
- @Parameter(description = "tenant/namespace", required = true)
- private java.util.List<String> params;
-
- @Override
- void run() throws PulsarAdminException {
- String namespace = validateNamespace(params);
- print(getAdmin().namespaces().getPermissionOnSubscriptionRequired(namespace));
- }
- }
-
- @Parameters(commandDescription = "Set whether a role requires explicit permission to consume from a subscription "
- + "that has no subscription permission defined in the namespace.")
- private class SetSubscriptionPermissionRequired extends CliCommand {
- @Parameter(description = "tenant/namespace", required = true)
- private java.util.List<String> params;
-
- @Parameter(names = { "--enable", "-e" }, description = "Enable message encryption required")
- private boolean enable = false;
-
- @Parameter(names = { "--disable", "-d" }, description = "Disable message encryption required")
- private boolean disable = false;
-
- @Override
- void run() throws PulsarAdminException {
- String namespace = validateNamespace(params);
- if (enable == disable) {
- throw new ParameterException("Need to specify either --enable or --disable");
- }
- getAdmin().namespaces().setPermissionOnSubscriptionRequired(namespace, enable);
- }
- }
-
@Parameters(commandDescription = "Get the permissions on a namespace")
private class Permissions extends CliCommand {
@Parameter(description = "tenant/namespace", required = true)
@@ -2706,9 +2670,6 @@ public class CmdNamespaces extends CmdBase {
jcommander.addCommand("grant-subscription-permission", new GrantSubscriptionPermissions());
jcommander.addCommand("revoke-subscription-permission", new RevokeSubscriptionPermissions());
- jcommander.addCommand("get-subscription-permission-required", new GetSubscriptionPermissionRequired());
- jcommander.addCommand("set-subscription-permission-required", new SetSubscriptionPermissionRequired());
-
jcommander.addCommand("set-clusters", new SetReplicationClusters());
jcommander.addCommand("get-clusters", new GetReplicationClusters());
diff --git a/pulsar-common/src/main/java/org/apache/pulsar/client/admin/internal/data/AuthPoliciesImpl.java b/pulsar-common/src/main/java/org/apache/pulsar/client/admin/internal/data/AuthPoliciesImpl.java
index 1256e9015ec..985c86295f6 100644
--- a/pulsar-common/src/main/java/org/apache/pulsar/client/admin/internal/data/AuthPoliciesImpl.java
+++ b/pulsar-common/src/main/java/org/apache/pulsar/client/admin/internal/data/AuthPoliciesImpl.java
@@ -42,9 +42,6 @@ public final class AuthPoliciesImpl implements AuthPolicies {
@JsonProperty("subscription_auth_roles")
private Map<String, Set<String>> subscriptionAuthentication = new TreeMap<>();
- @JsonProperty(value = "subscription_auth_required")
- private boolean subscriptionAuthRequired;
-
public static AuthPolicies.Builder builder() {
return new AuthPoliciesImplBuilder();
}
@@ -54,7 +51,6 @@ public final class AuthPoliciesImpl implements AuthPolicies {
private Map<String, Set<AuthAction>> namespaceAuthentication = new TreeMap<>();
private Map<String, Map<String, Set<AuthAction>>> topicAuthentication = new TreeMap<>();;
private Map<String, Set<String>> subscriptionAuthentication = new TreeMap<>();;
- private boolean subscriptionAuthRequired = false;
AuthPoliciesImplBuilder() {
}
@@ -77,21 +73,14 @@ public final class AuthPoliciesImpl implements AuthPolicies {
return this;
}
- public AuthPoliciesImplBuilder subscriptionAuthRequired(boolean explicitSubscriptionAuth) {
- this.subscriptionAuthRequired = explicitSubscriptionAuth;
- return this;
- }
-
public AuthPoliciesImpl build() {
- return new AuthPoliciesImpl(namespaceAuthentication, topicAuthentication, subscriptionAuthentication,
- subscriptionAuthRequired);
+ return new AuthPoliciesImpl(namespaceAuthentication, topicAuthentication, subscriptionAuthentication);
}
public String toString() {
return "AuthPoliciesImpl.AuthPoliciesImplBuilder(namespaceAuthentication=" + this.namespaceAuthentication
+ ", topicAuthentication=" + this.topicAuthentication + ", subscriptionAuthentication="
- + this.subscriptionAuthentication + ", subscriptionAuthRequired="
- + this.subscriptionAuthRequired + ")";
+ + this.subscriptionAuthentication + ")";
}
}
}