pulsar-commits mailing list archives

From GitBox <...@apache.org>
Subject [GitHub] rdhabalia commented on issue #2964: Allow subscriber to access cursor admin-api
Date Mon, 19 Nov 2018 21:46:45 GMT
rdhabalia commented on issue #2964: Allow subscriber to access cursor admin-api 
URL: https://github.com/apache/pulsar/issues/2964#issuecomment-440053070
 
 
   We also want to address the subscription-ownership use case, where Pulsar enforces
subscription access (consume, ack, admin-api) by the subscription-owner only. One solution
is to configure sub-permission at the namespace level, implemented in #2981.
   However, it still doesn't enforce this unless an admin explicitly grants sub-permission
to a set of principals at the namespace level.
   
   An alternate solution is to store the subscription's principal-role at topic level in the
topic-stat (`managed-cursor`), and whichever principal connects first to this sub will be the
owner of the subscription. So, whenever any principal connects to the broker to access the
cursor, the broker authorizes the connected principal against the role stored in the cursor's
stat (`managed-cursor`).
   Also, whenever a subscriber application wants to change the subscription-owner, there will
be two options:
   1. create a separate subscription for the newly changed role and drop the old subscription
   2. provide an admin-api to change the authorized role at `managed-cursor`; the broker
updates it and disconnects the existing connected consumers.
   
   Enforcing subscription-ownership authorization can be configured in the namespace policies
by adding a flag: `enableSubAuthorization`. The broker stores "role-name" and performs
"sub-authorization" only if the flag is enabled for the namespace, so by default this feature
will be disabled and can be enabled when a user requires sub-authorization across different
subs in the topic.
   So, it will be a superset of #2981 and #899, so we don't need #2981 with this feature.
   
   @merlimat @massakam any thoughts?

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
users@infra.apache.org


With regards,
Apache Git Services
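
As an added illustration of the proposal in the message above (not code from the message, its author, or the Pulsar code base), this self-contained Java model walks through first-connect ownership, the per-namespace `enableSubAuthorization` flag, and option 2's role change. The class, method, subscription and role names are hypothetical; only `enableSubAuthorization` and `managed-cursor` come from the message.

```java
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

// Hypothetical model of the proposed behaviour; not Pulsar broker code.
public class SubOwnershipModel {
    // Stand-in for the role the proposal stores in the cursor's stat (`managed-cursor`).
    static final class Cursor {
        String ownerRole;                              // null until the first principal connects
        final Set<String> consumers = new HashSet<>(); // roles currently connected
    }

    private final boolean enableSubAuthorization;      // namespace-policy flag from the proposal
    private final Map<String, Cursor> cursors = new HashMap<>();

    SubOwnershipModel(boolean enableSubAuthorization) {
        this.enableSubAuthorization = enableSubAuthorization;
    }

    // Consume, ack and admin-api access would all pass through this check.
    boolean connect(String subscription, String role) {
        Cursor c = cursors.computeIfAbsent(subscription, s -> new Cursor());
        if (enableSubAuthorization) {
            if (c.ownerRole == null) {
                c.ownerRole = role;                    // first principal to connect becomes owner
            } else if (!c.ownerRole.equals(role)) {
                return false;                          // every other role is rejected
            }
        }
        c.consumers.add(role);                         // flag off: no role stored, no check
        return true;
    }

    // Option 2: an admin changes the stored role; existing consumers are disconnected.
    void changeOwner(String subscription, String newRole) {
        Cursor c = cursors.get(subscription);
        if (c == null) throw new IllegalArgumentException("unknown subscription");
        c.ownerRole = newRole;
        c.consumers.clear();
    }

    public static void main(String[] args) {
        SubOwnershipModel ns = new SubOwnershipModel(true);   // constructed sample namespace
        System.out.println("role-1 first connect: " + ns.connect("sub-a", "role-1"));
        System.out.println("role-2 same sub:      " + ns.connect("sub-a", "role-2"));
        ns.changeOwner("sub-a", "role-2");
        System.out.println("role-1 after change:  " + ns.connect("sub-a", "role-1"));
        System.out.println("role-2 after change:  " + ns.connect("sub-a", "role-2"));
    }
}
```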
