Skip to main content

Managing permissions

Important

This page only shows some frequently used operations.

  • For the latest and complete information about Pulsar admin, including commands, flags, descriptions, and more, see Pulsar admin doc.

  • For the latest and complete information about REST API, including parameters, responses, samples, and more, see REST API doc.

  • For the latest and complete information about Java admin API, including classes, methods, descriptions, and more, see Java admin API doc.

Permissions in Pulsar are managed at the namespace level (that is, within tenants and clusters).

Grant permissions​

You can grant permissions to specific roles for lists of operations such as produce and consume.

Use the grant-permission subcommand and specify a namespace, actions using the --actions flag, and a role using the --role flag:


$ pulsar-admin namespaces grant-permission test-tenant/ns1 \
  --actions produce,consume \
  --role admin10

Wildcard authorization can be performed when authorizationAllowWildcardsMatching is set to true in broker.conf.

e.g.


$ pulsar-admin namespaces grant-permission test-tenant/ns1 \
                        --actions produce,consume \
                        --role 'my.role.*'

Then, roles my.role.1, my.role.2, my.role.foo, my.role.bar, etc. can produce and consume.


$ pulsar-admin namespaces grant-permission test-tenant/ns1 \
                        --actions produce,consume \
                        --role '*.role.my'

Then, roles 1.role.my, 2.role.my, foo.role.my, bar.role.my, etc. can produce and consume.

Note: A wildcard matching works at the beginning or end of the role name only.

e.g.


$ pulsar-admin namespaces grant-permission test-tenant/ns1 \
                        --actions produce,consume \
                        --role 'my.*.role'

In this case, only the role my.*.role has permissions. Roles my.1.role, my.2.role, my.foo.role, my.bar.role, etc. cannot produce and consume.

Get permissions​

You can see which permissions have been granted to which roles in a namespace.

Use the permissions subcommand and specify a namespace:


$ pulsar-admin namespaces permissions test-tenant/ns1
{
  "admin10": [
    "produce",
    "consume"
  ]
}

Revoke permissions​

You can revoke permissions from specific roles, which means that those roles will no longer have access to the specified namespace.

Use the revoke-permission subcommand and specify a namespace and a role using the --role flag:


$ pulsar-admin namespaces revoke-permission test-tenant/ns1 \
  --role admin10

Was this helpful?
💡 Suggest changes🛟 Get support