Add pluggable authorization mechanism (#1200)
* Add pluggable authorization service fix: move FutureUtils to common and fix import add grantpermission api take default auth method pass authData to authorization provider keep single authorization provider * fix rebase change
Showing
72 changed files
with
1,682 additions
and
777 deletions.
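--- a/...er-common/src/main/java/org/apache/pulsar/broker/authorization/AuthorizationProvider.java
+++ b/...er-common/src/main/java/org/apache/pulsar/broker/authorization/AuthorizationProvider.java
@@ -0,0 +1,120 @@
+/**
+* Licensed to the Apache Software Foundation (ASF) under one
+* or more contributor license agreements. See the NOTICE file
+* distributed with this work for additional information
+* regarding copyright ownership. The ASF licenses this file
+* to you under the Apache License, Version 2.0 (the
+* "License"); you may not use this file except in compliance
+* with the License. You may obtain a copy of the License at
+*
+* http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing,
+* software distributed under the License is distributed on an
+* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+* KIND, either express or implied. See the License for the
+* specific language governing permissions and limitations
+* under the License.
+*/
+package org.apache.pulsar.broker.authorization;
+
+import java.io.Closeable;
+import java.io.IOException;
+import java.util.Set;
+import java.util.concurrent.CompletableFuture;
+
+import org.apache.pulsar.broker.ServiceConfiguration;
+import org.apache.pulsar.broker.authentication.AuthenticationDataSource;
+import org.apache.pulsar.broker.cache.ConfigurationCacheService;
+import org.apache.pulsar.common.naming.DestinationName;
+import org.apache.pulsar.common.naming.NamespaceName;
+import org.apache.pulsar.common.policies.data.AuthAction;
+
+/**
+* Provider of authorization mechanism
+*/
+public interface AuthorizationProvider extends Closeable {
+
+/**
+* Perform initialization for the authorization provider
+*
+* @param config
+* broker config object
+* @param configCache
+* pulsar zk configuration cache service
+* @throws IOException
+* if the initialization fails
+*/
+void initialize(ServiceConfiguration conf, ConfigurationCacheService configCache) throws IOException;
+
+/**
+* Check if the specified role has permission to send messages to the specified fully qualified destination name.
+*
+* @param destination
+* the fully qualified destination name associated with the destination.
+* @param role
+* the app id used to send messages to the destination.
+*/
+CompletableFuture<Boolean> canProduceAsync(DestinationName destination, String role,
+AuthenticationDataSource authenticationData);
+
+/**
+* Check if the specified role has permission to receive messages from the specified fully qualified destination
+* name.
+*
+* @param destination
+* the fully qualified destination name associated with the destination.
+* @param role
+* the app id used to receive messages from the destination.
+* @param subscription
+* the subscription name defined by the client
+*/
+CompletableFuture<Boolean> canConsumeAsync(DestinationName destination, String role,
+AuthenticationDataSource authenticationData, String subscription);
+
+/**
+* Check whether the specified role can perform a lookup for the specified destination.
+*
+* For that the caller needs to have producer or consumer permission.
+*
+* @param destination
+* @param role
+* @return
+* @throws Exception
+*/
+CompletableFuture<Boolean> canLookupAsync(DestinationName destination, String role,
+AuthenticationDataSource authenticationData);
+
+/**
+*
+* Grant authorization-action permission on a namespace to the given client
+*
+* @param namespace
+* @param actions
+* @param role
+* @param authDataJson
+* additional authdata in json format
+* @return CompletableFuture
+* @completesWith <br/>
+* IllegalArgumentException when namespace not found<br/>
+* IllegalStateException when failed to grant permission
+*/
+CompletableFuture<Void> grantPermissionAsync(NamespaceName namespace, Set<AuthAction> actions, String role,
+String authDataJson);
+
+/**
+* Grant authorization-action permission on a topic to the given client
+*
+* @param topicname
+* @param role
+* @param authDataJson
+* additional authdata in json format
+* @return CompletableFuture
+* @completesWith <br/>
+* IllegalArgumentException when namespace not found<br/>
+* IllegalStateException when failed to grant permission
+*/
+CompletableFuture<Void> grantPermissionAsync(DestinationName topicname, Set<AuthAction> actions, String role,
+String authDataJson);
+
+}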
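Review bot: The `canProduceAsync`, `canConsumeAsync` and `canLookupAsync` declarations give no `@return` contract, so an implementer or caller of this pluggable authorization point cannot tell from the Javadoc that anything other than a future completing with `true` must be treated as a denial. I would add to each `@return a future that completes with true only when the role is authorized; callers treat false or an exceptional completion as deny`. The `authenticationData` parameter is undocumented on all three, including whether it may be null, and would take a line such as `@param authenticationData authentication data of the requesting client (state here whether null is allowed)`. Smaller Javadoc mismatches in the same file: `initialize` documents `@param config` while the parameter is `conf`, `canLookupAsync` lists `@throws Exception` though the signature declares none, and the topic overload of `grantPermissionAsync` omits `@param actions` and repeats the namespace-not-found text.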