From: GitBox
To: commits@pulsar.apache.org
Reply-To: dev@pulsar.apache.org
Subject: [GitHub] [pulsar] sijie commented on issue #5720: authorize tenant level and namespace level access from the authorization provider
Message-ID: <158084893211.7180.7881562751675445488.gitbox@gitbox.apache.org>
Date: Tue, 04 Feb 2020 20:42:12 -0000

sijie commented on issue #5720: authorize tenant level and namespace level access from the authorization provider
URL: https://github.com/apache/pulsar/issues/5720#issuecomment-582105461

@jiazhai @tuteng I think the issue is asking for interfaces to be added to AuthorizationProvider. The default implementation can remain the same. The interfaces allow external parties to customize their own authorization implementation.

The authorization provider can be enhanced into an extensible interface. What an authorization provider provides is if a `role` is able to apply a `verb`/`action` to a given `resource`.
The resources are:

- `tenant`
- `namespace`
- `topic`
- `subscription`
- `functions`
- `connectors`

For each resource, there are certain verbs and actions available for operating those resources. The authorization provider provides an implementation to check if a `role` is allowed to apply a certain `verb` over a `resource`.

If we can abstract the authorization provider, it allows people to customize their own authorization provider implementation to allow finer granularity access controls. For the default implementation Pulsar has, we can keep it as is due to the concerns raised around PIP-49.

Does that make sense?
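The role/verb/resource check described in the comment above, sketched as an added example that is not part of the original message and not Pulsar's own code. Every type and method name (`ResourceAuthorizer`, `GrantTableAuthorizer`, `isAllowed`), the verb set, and the role and resource names are hypothetical; only the six resource kinds come from the comment.

```java
import java.util.*;

// Hypothetical sketch: none of these types are Pulsar's real AuthorizationProvider API.
public class AuthzSketch {
    // Resource kinds as listed in the comment.
    enum ResourceType { TENANT, NAMESPACE, TOPIC, SUBSCRIPTION, FUNCTIONS, CONNECTORS }
    // Constructed verb set; the comment does not enumerate the verbs.
    enum Verb { CREATE, DELETE, PRODUCE, CONSUME }

    record Resource(ResourceType type, String name) {}

    /** Single decision point: may `role` apply `verb` to `resource`? */
    interface ResourceAuthorizer {
        boolean isAllowed(String role, Verb verb, Resource resource);
    }

    /** A custom provider: explicit grants only, anything not granted is denied. */
    static final class GrantTableAuthorizer implements ResourceAuthorizer {
        private final Map<String, Set<Verb>> grants = new HashMap<>();

        void grant(String role, Resource r, Verb... verbs) {
            grants.computeIfAbsent(key(role, r), k -> EnumSet.noneOf(Verb.class))
                  .addAll(Arrays.asList(verbs));
        }

        @Override
        public boolean isAllowed(String role, Verb verb, Resource r) {
            if (role == null || role.isEmpty()) return false; // no identity: deny
            return grants.getOrDefault(key(role, r), Set.of()).contains(verb);
        }

        // NUL separators so a role name cannot collide with a resource name.
        private static String key(String role, Resource r) {
            return role + "\u0000" + r.type() + "\u0000" + r.name();
        }
    }

    public static void main(String[] args) {
        // Constructed sample roles and resources.
        GrantTableAuthorizer authz = new GrantTableAuthorizer();
        Resource ns = new Resource(ResourceType.NAMESPACE, "tenant-a/ns1");
        Resource topic = new Resource(ResourceType.TOPIC, "tenant-a/ns1/orders");
        authz.grant("ops", ns, Verb.CREATE, Verb.DELETE);
        authz.grant("app", topic, Verb.PRODUCE);

        System.out.println("app PRODUCE topic: " + authz.isAllowed("app", Verb.PRODUCE, topic));
        System.out.println("app DELETE namespace: " + authz.isAllowed("app", Verb.DELETE, ns));
        System.out.println("ops DELETE namespace: " + authz.isAllowed("ops", Verb.DELETE, ns));
        System.out.println("empty role CONSUME topic: " + authz.isAllowed("", Verb.CONSUME, topic));
    }
}
```

Because callers depend only on the interface, a deployment could swap in a different implementation without touching the call sites, which is the extensibility the comment asks for.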