Managing permissions
Permissions in Pulsar are managed at the namespace level (that is, within tenants and clusters).
Grant permissions
You can grant permissions to specific roles for lists of operations such as produce
and consume
.
- pulsar-admin
- REST API
- Java
Use the grant-permission
subcommand and specify a namespace, actions using the --actions
flag, and a role using the --role
flag:
$ pulsar-admin namespaces grant-permission test-tenant/ns1 \
--actions produce,consume \
--role admin10
Wildcard authorization can be performed when authorizationAllowWildcardsMatching
is set to true
in broker.conf
.
e.g.
$ pulsar-admin namespaces grant-permission test-tenant/ns1 \
--actions produce,consume \
--role 'my.role.*'
Then, roles my.role.1
, my.role.2
, my.role.foo
, my.role.bar
, etc. can produce and consume.
$ pulsar-admin namespaces grant-permission test-tenant/ns1 \
--actions produce,consume \
--role '*.role.my'
Then, roles 1.role.my
, 2.role.my
, foo.role.my
, bar.role.my
, etc. can produce and consume.
Note: A wildcard matching works at the beginning or end of the role name only.
e.g.
$ pulsar-admin namespaces grant-permission test-tenant/ns1 \
--actions produce,consume \
--role 'my.*.role'
In this case, only the role my.*.role
has permissions.
Roles my.1.role
, my.2.role
, my.foo.role
, my.bar.role
, etc. cannot produce and consume.
admin.namespaces().grantPermissionOnNamespace(namespace, role, getAuthActions(actions));
Get permissions
You can see which permissions have been granted to which roles in a namespace.
- pulsar-admin
- REST API
- Java
Use the permissions
subcommand and specify a namespace:
$ pulsar-admin namespaces permissions test-tenant/ns1
{
"admin10": [
"produce",
"consume"
]
}
admin.namespaces().getPermissions(namespace);
Revoke permissions
You can revoke permissions from specific roles, which means that those roles will no longer have access to the specified namespace.
- pulsar-admin
- REST API
- Java
Use the revoke-permission
subcommand and specify a namespace and a role using the --role
flag:
$ pulsar-admin namespaces revoke-permission test-tenant/ns1 \
--role admin10
admin.namespaces().revokePermissionsOnNamespace(namespace, role);