Skip to content
This repository has been archived by the owner on Jan 24, 2024. It is now read-only.

[FEATURE] Super roles don't need to be granted permissions #571

Closed
BewareMyPower opened this issue Jun 15, 2021 · 1 comment
Closed

[FEATURE] Super roles don't need to be granted permissions #571

BewareMyPower opened this issue Jun 15, 2021 · 1 comment
Labels
type/feature Indicates new functionality

Comments

@BewareMyPower
Copy link
Collaborator

BewareMyPower commented Jun 15, 2021
edited
Loading

Is your feature request related to a problem? Please describe.
When KoP is configured with SASL/PLAIN authentication mechanism, it actually uses Pulsar's token authentication. However, for the roles of superUsersRoles configuration, they still need to be grant permissions currently.

Describe the solution you'd like
Reuse Pulsar's authorization implementation in KoP.

Describe alternatives you've considered
The simplest solution may be just ignoring the permission check for super user roles.

Additional context
Add any other context or screenshots about the feature request here.
@BewareMyPower BewareMyPower added the type/feature Indicates new functionality label Jun 15, 2021
@BewareMyPower BewareMyPower mentioned this issue Jun 18, 2021
Open
9 tasks
@Demogorgon314 Demogorgon314 mentioned this issue Aug 19, 2021
Merged
Demogorgon314 added a commit that referenced this issue Aug 21, 2021
@Demogorgon314
[FEATURE] Add authorization to handle topic metadata request (#662)
26dc138 
Add authorization to handleTopicMetadataRequest(#236 ).

Fix #415 and #571 

## Motivation
When client fetch metadata need check topic permission, so we need add authorization in handleTopicMetadataRequest, and do not perform role verification in authentication.

## Modifications
Add a common method in `KafkaRequestHandler#authorize` , this method use `authorizer` to authorization.
Modify the authentication behavior, and do not verify the role during authentication, verify the role in fetch metadata(#571  )
wangjialing218 pushed a commit to wangjialing218/kop that referenced this issue Aug 24, 2021
@Demogorgon314
[FEATURE] Add authorization to handle topic metadata request (streamn…
f251e76 
…ative#662)

Add authorization to handleTopicMetadataRequest(streamnative#236 ).

Fix streamnative#415 and streamnative#571 

## Motivation
When client fetch metadata need check topic permission, so we need add authorization in handleTopicMetadataRequest, and do not perform role verification in authentication.

## Modifications
Add a common method in `KafkaRequestHandler#authorize` , this method use `authorizer` to authorization.
Modify the authentication behavior, and do not verify the role during authentication, verify the role in fetch metadata(streamnative#571  )
BewareMyPower pushed a commit that referenced this issue Aug 25, 2021
@Demogorgon314 @BewareMyPower
[FEATURE] Add authorization to handle topic metadata request (#662)
6b69ec1 
Add authorization to handleTopicMetadataRequest(#236 ).

Fix #415 and #571 

## Motivation
When client fetch metadata need check topic permission, so we need add authorization in handleTopicMetadataRequest, and do not perform role verification in authentication.

## Modifications
Add a common method in `KafkaRequestHandler#authorize` , this method use `authorizer` to authorization.
Modify the authentication behavior, and do not verify the role during authentication, verify the role in fetch metadata(#571  )
@Demogorgon314
Copy link
Member

This issue is solve by #662 , and can be close now.

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
type/feature Indicates new functionality
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@BewareMyPower @Demogorgon314