Lightrun
question-mark
Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

authorize tenant level and namespace level access from the authorization provider

See original GitHub issue

Is your feature request related to a problem? Please describe. I am currently writing an authentication provider and an authorization provider, and the authorization API only provides the isSuperUser method for admin level usage. There is no way to authorise a client depending on the affected tenant or namespace. In my use case, I want my clients to have their own tenant, and be able to give limited access to some namespaces to their developers.

Describe the solution you’d like Adding new methods to AuthorizationProvider:

  • for tenant level access (different from superuser access: can’t create, delete or update a tenant, but manage every namespace under the tenant): CompletableFuture<Boolean> canManageNamespace(NamespaceName namespaceName, String role, NamespaceOperation operation, AuthenticationDataSource authenticationData)
    • NamespaceOperation is an enum that can be any of the namespace management tasks, like create, delete, grant-permissions, etc. The default implementation could ignore it, but other providers could manage more granular access (like, I can affect subscriptions, but not quotas and affinity). I think some operations should still require superuser access, like set-clustersor unload?
    • the default implementation would check that either we’re a super user, or the role is in the list returned by tenant.getAdminRoles()
    • maybe a separate function for list, since it would not take a namespace name as argument?
  • for namespace level access: CompletableFuture<Boolean> canManageTopic(TopicName topic, String role, TopicOperation operation, AuthenticationDataSource authenticationData)
    • same as tenant level access, TopicOperation is an enum listing all the possible operations
    • same as tenant level access, the default provider would ignore the operation argument, and check that either we’re a super user, or the role is in the list returned by tenant.getAdminRoles()

Add corresponding methods to PulsarWebResource. Right now it only has validateSuperUserAccess and validateAdminAccessForTenant. We must modify validateAdminAccessForTenant to add the operation, and add validateAdminAccessForTopic And the biggest part of the task: go through every usage of validateSuperUserAccess and validateAdminAccessForTenant and check if they can be replaced with finer grain access

Describe alternatives you’ve considered I do not know any alternative way to get more granular admin access authorization

Issue Analytics

  • State:closed
  • Created 4 years ago
  • Comments:8 (8 by maintainers)

github_iconTop GitHub Comments

1reaction
KannarFrcommented, Apr 3, 2020

Hi @zymap,

The way to add these features is done on https://github.com/apache/pulsar/pull/6428. It comes with its usage on Namespaces & ServerCnx.

1reaction
sijiecommented, Feb 5, 2020

@jiazhai @tuteng

I think the issue is asking for interfaces to be added to AuthorizationProvider. The default implementation can remain the same. The interfaces allow external parties to customize their own authorization implementation.

The authorization provider can be enhanced into an extensible interface. What an authorization provider provides is if a role is able to apply a verb/action to a given resource.

The resources are:

  • tenant
  • namespace
  • namespace_policy
  • topic
  • subscription
  • functions
  • connectors

For each resource, there are certain verbs and actions available for operating those resources. The authorization provider provides an implementation to check if a role is allowed to apply a certain verb over a resource.

If we can abstract the authorization provider, it allows people to customize its own authorization provider implementation to allow finer granularity access controls.

For the default implementation, Pulsar has, we can keep it as is due to the concerns raised around PIP-49.

Does that make sense?

Read more comments on GitHub >

github_iconTop Results From Across the Web

Authorize access with Azure Active Directory - Azure Event Hubs
This article provides information on authorizing access to Event Hubs resources using Azure Active Directory.
Read more >
Secure Multi-Tenancy with Namespaces | Vault
This tutorial provides guidance in creating a multi-tenant environment.
Read more >
Authorization Overview - Kubernetes
In Kubernetes, you must be authenticated (logged in) before your request can be authorized (granted permission to access). For information about ...
Read more >
Authorization and ACL | StreamNative Documentation
Authorize tenants · On the left navigation pane, in the Admin section, click Tenants. · Click New Tenant and a dialog box displays....
Read more >
Kubernetes Multi-Tenancy with RBAC and Namespace
SMASH THAT LIKE BUTTON and don't forget ‍♀️ to subscribe...
Read more >

github_iconTop Related Medium Post

No results found

github_iconTop Related StackOverflow Question

No results found

github_iconTroubleshoot Live Code

Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start Free

github_iconTop Related Reddit Thread

No results found

github_iconTop Related Hackernoon Post

No results found

github_iconTop Related Tweet

No results found

github_iconTop Related Dev.to Post

No results found

github_iconTop Related Hashnode Post

No results found
Previous page

Provide raw counters metrics

Next page

Support Avro schema from Debezium source connector