You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@pulsar.apache.org by GitBox <gi...@apache.org> on 2022/09/29 08:37:26 UTC

[GitHub] [pulsar] prodigy91 opened a new issue, #17886: Update Schema APIs requires Tenant Admin Permissions which is a much broader than required.

prodigy91 opened a new issue, #17886:
URL: https://github.com/apache/pulsar/issues/17886

   ### Search before asking
   
   - [X] I searched in the [issues](https://github.com/apache/pulsar/issues) and found nothing similar.
   
   
   ### Motivation
   
   Quite recently the GET /schema API has been made to work with Topic's GET_METADATA check. The POST and DELETE still requires tenant admin validation to succeed.
   
   Tenant Admin has a very wide capabilities where it can be used to manage & modify every namespace and topics under it. 
   
   In the case where pulsar is managed centrally and users are given restricted permissions just to be able to produce, consume & get metadata around their topics and namespaces, we see that such users are not able to use Create & Update Schema apis. This is leading to issues when using pulsar-spark & debezium connectors which may call such apis.
   
   Till now we were relying on the namespace's isAllowAutoUpdateSchema policy to allow the producer to apply schema on the topic. but such approach is working out with pulsar-spark specially which explicitly calls schema api.
   
   I am creating this ticket to track the ideal approach & its implementation for checking authorization for schema apis. 
   
   ### Solution
   
   Since schema pertains to the topic and we already have TopicOperation enum for checking all actions being performed on the topic, on the first glance it makes sense for TopicOperation to  have schema related operation too.
   But I am not sure of the wider impact of doing this.
   
   ### Alternatives
   
   -
   
   ### Anything else?
   
   -
   
   ### Are you willing to submit a PR?
   
   - [ ] I'm willing to submit a PR!


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@pulsar.apache.org.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [pulsar] codelipenghui commented on issue #17886: Update Schema APIs requires Tenant Admin Permissions which is a much broader than required.

Posted by GitBox <gi...@apache.org>.
codelipenghui commented on issue #17886:
URL: https://github.com/apache/pulsar/issues/17886#issuecomment-1288471458

   @gaurav-ashok https://github.com/apache/pulsar/pull/18074 is fixed the issue. Close the issue first.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@pulsar.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [pulsar] Technoboy- commented on issue #17886: Update Schema APIs requires Tenant Admin Permissions which is a much broader than required.

Posted by GitBox <gi...@apache.org>.
Technoboy- commented on issue #17886:
URL: https://github.com/apache/pulsar/issues/17886#issuecomment-1263008338

   We have fixed this by https://github.com/apache/pulsar/pull/15956


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@pulsar.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [pulsar] gauravAshok commented on issue #17886: Update Schema APIs requires Tenant Admin Permissions which is a much broader than required.

Posted by GitBox <gi...@apache.org>.
gauravAshok commented on issue #17886:
URL: https://github.com/apache/pulsar/issues/17886#issuecomment-1279155099

   No, #15956 only fixes the GET /schema api. The update api is still under tenant admin authorization.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@pulsar.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [pulsar] codelipenghui closed issue #17886: Update Schema APIs requires Tenant Admin Permissions which is a much broader than required.

Posted by GitBox <gi...@apache.org>.
codelipenghui closed issue #17886: Update Schema APIs requires Tenant Admin Permissions which is a much broader than required.
URL: https://github.com/apache/pulsar/issues/17886


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@pulsar.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org