apache / pulsar
Commit 52db0e94
Authored Jul 25, 2017 by Yuki Shiga
Committed by Matteo Merli, Jul 25, 2017
Added documents for wildcard matching in authorization (#543)
Parent: 87b8944f
Showing 6 changed files with 46 additions and 8 deletions (+46 -8)
conf/broker.conf (+3 -2)
conf/standalone.conf (+3 -2)
conf/websocket.conf (+3 -2)
pulsar-broker-common/src/main/java/org/apache/pulsar/broker/ServiceConfiguration.java (+3 -1)
pulsar-websocket/src/main/java/org/apache/pulsar/websocket/service/WebSocketProxyConfiguration.java (+3 -1)
site/_includes/explanations/permissions.md (+31 -0)
conf/broker.conf
...
...
@@ -140,8 +140,9 @@ authenticationProviders=
# Enforce authorization
authorizationEnabled
=
false
# Actions that can be authorized by using permitted role name which contains wildcard
# e.g. pulsar.service.*
# Allow wildcard matching in authorization
# (wildcard matching only applicable if wildcard-char:
# * presents at first or last position eg: *.pulsar.service, pulsar.service.*)
authorizationAllowWildcardsMatching
=
false
# Role names that are treated as "super-user", meaning they will be able to do all admin
...
...
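Review bot: The comment above `authorizationAllowWildcardsMatching` leaves the matching rule underspecified and is hard to parse as written ("wildcard-char: * presents at first or last position"). Suggest wording along the lines of "a `*` is honoured only as the first or last character of the granted role name; a `*` anywhere else is compared literally", which is what permissions.md in this same commit describes. The comment should also say what a grant to a role consisting of a bare `*` does when the flag is true, since that determines how broad a single grant can become for an operator who enables it.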
conf/standalone.conf
...
...
@@ -106,8 +106,9 @@ authenticationProviders=false
# Enforce authorization
authorizationEnabled
=
false
# Actions that can be authorized by using permitted role name which contains wildcard
# e.g. pulsar.service.*
# Allow wildcard matching in authorization
# (wildcard matching only applicable if wildcard-char:
# * presents at first or last position eg: *.pulsar.service, pulsar.service.*)
authorizationAllowWildcardsMatching
=
false
# Role names that are treated as "super-user", meaning they will be able to do all admin
...
...
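Review bot: The comment on `authorizationAllowWildcardsMatching` does not mention its dependency on `authorizationEnabled`, which sits directly above it and is also `false` here. Wildcard matching in authorization presumably has no effect unless authorization is enforced, so it is worth one line saying so; standalone.conf is the file most people edit first, and someone enabling only the wildcard flag would otherwise assume the grants are being checked.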
conf/websocket.conf
...
...
@@ -59,8 +59,9 @@ authenticationProviders=
# Enforce authorization
authorizationEnabled
=
false
# Actions that can be authorized by using permitted role name which contains wildcard
# e.g. pulsar.service.*
# Allow wildcard matching in authorization
# (wildcard matching only applicable if wildcard-char:
# * presents at first or last position eg: *.pulsar.service, pulsar.service.*)
authorizationAllowWildcardsMatching
=
false
# Role names that are treated as "super-user", meaning they will be able to do all admin
...
...
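Review bot: The setting is documented here for the WebSocket proxy, but permissions.md in this commit only tells users to set `authorizationAllowWildcardsMatching` to `true` in `broker.conf`. Either the comment here or the docs should say whether the proxy needs the same value as the broker, and what happens when the two disagree, so that a wildcard grant is not evaluated differently depending on which component the client connects through.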
pulsar-broker-common/src/main/java/org/apache/pulsar/broker/ServiceConfiguration.java
...
...
@@ -137,7 +137,9 @@ public class ServiceConfiguration implements PulsarConfiguration {
// do all admin operations and publish/consume from all topics
private
Set
<
String
>
superUserRoles
=
Sets
.
newTreeSet
();
// Actions that can be authorized by using permitted role name which contains wildcard
// Allow wildcard matching in authorization
// (wildcard matching only applicable if wildcard-char:
// * presents at first or last position eg: *.pulsar.service, pulsar.service.*)
private
boolean
authorizationAllowWildcardsMatching
=
false
;
// Authentication settings of the broker itself. Used when the broker connects
...
...
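Review bot: Style point on the three-line comment above the `authorizationAllowWildcardsMatching` field: the sentence breaks after "wildcard-char:", so the next line starts with `// * presents ...`, where the `*` reads like a comment continuation marker rather than the wildcard character being described. Rewording so that no line begins with the bare `*` (for example by quoting it as `'*'` mid-line) would make it unambiguous. Keeping the default at `false` is the right fail-closed choice.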
pulsar-websocket/src/main/java/org/apache/pulsar/websocket/service/WebSocketProxyConfiguration.java
...
...
@@ -67,7 +67,9 @@ public class WebSocketProxyConfiguration implements PulsarConfiguration {
// do all admin operations and publish/consume from all topics
private
Set
<
String
>
superUserRoles
=
Sets
.
newTreeSet
();
// Actions that can be authorized by using permitted role name which contains wildcard
// Allow wildcard matching in authorization
// (wildcard matching only applicable if wildcard-char:
// * presents at first or last position eg: *.pulsar.service, pulsar.service.*)
private
boolean
authorizationAllowWildcardsMatching
=
false
;
// Authentication settings of the proxy itself. Used to connect to brokers
...
...
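Review bot: The field `authorizationAllowWildcardsMatching` and its comment are now duplicated verbatim between this class and `ServiceConfiguration`. Any later correction to the described matching rule has to be made in both classes and in the three conf files touched by this commit. Consider describing the semantics once (for example in `ServiceConfiguration`) and pointing to that description from here, so the two copies cannot drift.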
site/_includes/explanations/permissions.md
...
...
@@ -14,6 +14,37 @@ $ pulsar-admin namespaces grant-permission test-property/cl1/ns1 \
--role
admin10
```
Wildcard authorization can be performed when
`authorizationAllowWildcardsMatching`
is set to
`true`
in
`broker.conf`
.
e.g.
```
shell
$
pulsar-admin namespaces grant-permission test-property/cl1/ns1
\
--actions
produce,consume
\
--role
'my.role.*'
```
Then, roles
`my.role.1`
,
`my.role.2`
,
`my.role.foo`
,
`my.role.bar`
, etc. can produce and consume.
```
shell
$
pulsar-admin namespaces grant-permission test-property/cl1/ns1
\
--actions
produce,consume
\
--role
'*.role.my'
```
Then, roles
`1.role.my`
,
`2.role.my`
,
`foo.role.my`
,
`bar.role.my`
, etc. can produce and consume.
**Note**
: A wildcard matching works at
**the beginning or end of the role name only**
.
e.g.
```
shell
$
pulsar-admin namespaces grant-permission test-property/cl1/ns1
\
--actions
produce,consume
\
--role
'my.*.role'
```
In this case, only the role
`my.*.role`
has permissions.
Roles
`my.1.role`
,
`my.2.role`
,
`my.foo.role`
,
`my.bar.role`
, etc.
**cannot**
produce and consume.
#### REST API
{% endpoint POST /admin/namespaces/:property/:cluster/:namespace/permissions/:role %}
...
...
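Review bot: The added section shows by example that `my.role.*` covers `my.role.1` and `my.role.foo`, but never states the rule itself, so a reader cannot tell whether this is a plain prefix/suffix comparison. It should say explicitly whether `my.role.*` also matches names with further separators such as `my.role.a.b`, and whether it matches `my.role.` with nothing after the dot. Because a wildcard grant applies to every role name sharing the prefix or suffix, the docs should also point out that the role naming scheme becomes part of the access boundary once this is enabled. Minor: "A wildcard matching works at" should read "Wildcard matching works at", and the opening sentence mentions only `broker.conf` although the same key is added to `standalone.conf` and `websocket.conf`.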