Managing permissions
Permissions in Pulsar are managed at the namespace level (that is, within tenants and clusters).
Grant permissions
You can grant permissions to specific roles for lists of operations such as produce
and consume
.
pulsar-admin
Use the grant-permission
subcommand and specify a namespace, actions using the --actions
flag, and a role using the --role
flag:
$ pulsar-admin namespaces grant-permission test-tenant/ns1 \
--actions produce,consume \
--role admin10
Wildcard authorization can be performed when authorizationAllowWildcardsMatching
is set to true
in broker.conf
.
e.g.
$ pulsar-admin namespaces grant-permission test-tenant/ns1 \
--actions produce,consume \
--role 'my.role.*'
Then, roles my.role.1
, my.role.2
, my.role.foo
, my.role.bar
, etc. can produce and consume.
$ pulsar-admin namespaces grant-permission test-tenant/ns1 \
--actions produce,consume \
--role '*.role.my'
Then, roles 1.role.my
, 2.role.my
, foo.role.my
, bar.role.my
, etc. can produce and consume.
Note: A wildcard matching works at the beginning or end of the role name only.
e.g.
$ pulsar-admin namespaces grant-permission test-tenant/ns1 \
--actions produce,consume \
--role 'my.*.role'
In this case, only the role my.*.role
has permissions.
Roles my.1.role
, my.2.role
, my.foo.role
, my.bar.role
, etc. cannot produce and consume.
REST API
POST /admin/v2/namespaces/:tenant/:namespace/permissions/:role/grantPermissionOnNamespace
Java
admin.namespaces().grantPermissionOnNamespace(namespace, role, getAuthActions(actions));
Get permissions
You can see which permissions have been granted to which roles in a namespace.
pulsar-admin
Use the permissions
subcommand and specify a namespace:
$ pulsar-admin namespaces permissions test-tenant/ns1
{
"admin10": [
"produce",
"consume"
]
}
REST API
GET /admin/v2/namespaces/:tenant/:namespace/permissions/getPermissions
Java
admin.namespaces().getPermissions(namespace);
Revoke permissions
You can revoke permissions from specific roles, which means that those roles will no longer have access to the specified namespace.
pulsar-admin
Use the revoke-permission
subcommand and specify a namespace and a role using the --role
flag:
$ pulsar-admin namespaces revoke-permission test-tenant/ns1 \
--role admin10
REST API
DELETE /admin/v2/namespaces/:tenant/:namespace/permissions/:role/revokePermissionsOnNamespace
Java
admin.namespaces().revokePermissionsOnNamespace(namespace, role);