pulsar-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From GitBox <...@apache.org>
Subject [GitHub] rdhabalia commented on a change in pull request #2981: Allow subscribers to access subscription admin-api
Date Mon, 19 Nov 2018 18:50:59 GMT
rdhabalia commented on a change in pull request #2981: Allow subscribers to access subscription
admin-api
URL: https://github.com/apache/pulsar/pull/2981#discussion_r234738487
 
 

 ##########
 File path: pulsar-broker-common/src/main/java/org/apache/pulsar/broker/authorization/PulsarAuthorizationProvider.java
 ##########
 @@ -109,6 +112,16 @@ public void initialize(ServiceConfiguration conf, ConfigurationCacheService
conf
                         log.debug("Policies node couldn't be found for topic : {}", topicName);
                     }
                 } else {
+                    // check if role is authorize to access subscription. (skip validatation
if authorization list is empty)     
+                    Set<String> roles = policies.get().auth_policies.subscription_auth_roles.get(subscription);
+                    if (roles != null && !roles.isEmpty() && !roles.contains(role))
{
 
 Review comment:
   @massakam yes, that's correct. that's what we want here right?
   - first broker validates subscription-permission (if it's configured) over namespace-auth
so, only authorized principal can access the subscription. and that will also cover "pre-fix"
sub usecase where only authorized sub can consume on specific subscription.
   
   @merlimat can you also review this PR one more time.

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
users@infra.apache.org


With regards,
Apache Git Services

Mime
View raw message