Pulsar Function Authorization

After Pulsar Function Authentication is implemented, we also need to implement the authorization model for functions.

I propose we add the following methods to the AuthorizationProvider (https://github.com/apache/pulsar/blob/master/pulsar-broker-common/src/main/java/org/apache/pulsar/broker/authorization/AuthorizationProvider.java) interface:

/**
 * Allow all function operations within this namespace
 * @param namespaceName The namespace that the function operations can be executed in
 * @param role The role to check
 * @param authenticationData authentication data related to the role
 * @return a boolean to determine whether authorized or not
 */
CompletableFuture<Boolean> allowFunctionOps(NamespaceName namespaceName, String role,
                                           AuthenticationDataSource authenticationData);

We should also add an action to AuthAction for functions:

public enum AuthAction {
   /** Permission to produce/publish messages */
   produce,

   /** Permission to consume messages */
   consume,
  
   /** Permissions for functions ops **/
   functions,
}

And admins and tenant admins can grant the permission “functions” to users for a namespace and they can perform all function operations (create, update, delete, get) within that namespace.

I also think if a user has the permissions to perform all function operations within a namespace, he or she should also be able to consume and produce to any topic within that namespace.

Issue Analytics

  • State: closed
  • Created 5 years ago
  • Comments: 9 (9 by maintainers)

Top GitHub Comments

1 reaction
jerrypeng commented, Mar 6, 2019

@sijie I propose that if a user has the permissions to CRUD functions in a namespace, he or she should automatically also be able to consume and produce messages to any topic in that namespace as well.

1 reaction
jerrypeng commented, Mar 6, 2019

@rdhabalia would there be a problem storing the function authorization data in zk? It will be basically the same as the other authorization data, right? I would rather not complicate the implementation and store the function-specific authorization data somewhere else.
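
The model proposed in this issue, as an added example that is not part of the original thread and is not Pulsar's code: a namespace-level "functions" grant authorizes all function operations and, per the proposal, also satisfies produce and consume checks in that namespace. The class `FunctionAuthzSketch`, the methods `canProduce` and `canConsume`, the in-memory grant map and the tenant, namespace and role names are assumptions made for illustration.

```java
import java.util.Arrays;
import java.util.EnumSet;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.CompletableFuture;

// Hypothetical in-memory sketch of the proposed model; not Pulsar's AuthorizationProvider.
public class FunctionAuthzSketch {
    enum AuthAction { produce, consume, functions }
    // namespace -> role -> granted actions (constructed stand-in for stored namespace policies)
    private final Map<String, Map<String, Set<AuthAction>>> grants = new HashMap<>();

    void grant(String namespace, String role, Set<AuthAction> actions) {
        grants.computeIfAbsent(namespace, n -> new HashMap<>())
              .computeIfAbsent(role, r -> EnumSet.noneOf(AuthAction.class))
              .addAll(actions);
    }

    private boolean hasAny(String namespace, String role, AuthAction... wanted) {
        if (role == null) return false; // no authenticated role: deny
        Set<AuthAction> held = grants.getOrDefault(namespace, Map.of()).getOrDefault(role, Set.of());
        return Arrays.stream(wanted).anyMatch(held::contains);
    }

    // Mirrors the proposed allowFunctionOps: one grant covers create, update, delete, get.
    CompletableFuture<Boolean> allowFunctionOps(String namespace, String role) {
        return CompletableFuture.completedFuture(hasAny(namespace, role, AuthAction.functions));
    }

    // Topic checks under the proposal: "functions" also satisfies produce and consume.
    CompletableFuture<Boolean> canProduce(String namespace, String role) {
        return CompletableFuture.completedFuture(hasAny(namespace, role, AuthAction.produce, AuthAction.functions));
    }
    CompletableFuture<Boolean> canConsume(String namespace, String role) {
        return CompletableFuture.completedFuture(hasAny(namespace, role, AuthAction.consume, AuthAction.functions));
    }

    public static void main(String[] args) {
        FunctionAuthzSketch authz = new FunctionAuthzSketch();
        authz.grant("tenant-a/ns1", "fn-dev", EnumSet.of(AuthAction.functions)); // constructed names
        authz.grant("tenant-a/ns1", "reader", EnumSet.of(AuthAction.consume));
        for (String role : new String[] {"fn-dev", "reader"}) {
            System.out.printf("%s: functions=%b produce=%b consume=%b functions-in-ns2=%b%n", role,
                    authz.allowFunctionOps("tenant-a/ns1", role).join(),
                    authz.canProduce("tenant-a/ns1", role).join(),
                    authz.canConsume("tenant-a/ns1", role).join(),
                    authz.allowFunctionOps("tenant-a/ns2", role).join());
        }
    }
}
```

Under this model, granting "functions" is effectively a grant of produce and consume on every topic in the namespace, so access reviews should treat it as the broadest of the three actions.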
