Managing permissions

tip

This page only shows some frequently used operations.

• For the latest and complete information about Pulsar admin, including commands, flags, descriptions, and more, see Pulsar admin docs.

• For the latest and complete information about REST API, including parameters, responses, samples, and more, see REST API doc.

• For the latest and complete information about Java admin API, including classes, methods, descriptions, and more, see Java admin API doc.

Pulsar allows you to grant namespace-level or topic-level permission to users.

• If you grant namespace-level permission to a user, then the user can access all the topics under the namespace.

• If you grant topic-level permission to a user, then the user can access only the topic.

The chapters below demonstrate how to grant namespace-level permissions to users. For how to grant topic-level permissions to users, see manage topics.

Grant permissions

You can grant permissions to specific roles for lists of operations such as produce and consume.

pulsar-admin

Use the grant-permission subcommand and specify a namespace, actions using the --actions flag, and a role using the --role flag:

pulsar-admin namespaces grant-permission test-tenant/namespace1 \
    --actions produce,consume \
    --role admin10

Wildcard authorization can be performed when authorizationAllowWildcardsMatching is set to true in broker.conf.

Example

pulsar-admin namespaces grant-permission test-tenant/namespace1 \
      --actions produce,consume \
      --role 'my.role.*'

Then, roles my.role.1, my.role.2, my.role.foo, my.role.bar, etc. can produce and consume.

pulsar-admin namespaces grant-permission test-tenant/namespace1 \
      --actions produce,consume \
      --role '*.role.my'

Then, roles 1.role.my, 2.role.my, foo.role.my, bar.role.my, etc. can produce and consume.

note

A wildcard matching works at the beginning or end of the role name only.

Example

pulsar-admin namespaces grant-permission test-tenant/namespace1 \
      --actions produce,consume \
      --role 'my.*.role'

In this case, only the role my.*.role has permissions. Roles my.1.role, my.2.role, my.foo.role, my.bar.role, etc. cannot produce and consume.

REST API

POST /admin/v2/namespaces/{tenant}/{namespace}/permissions/{role}

Java

admin.namespaces().grantPermissionOnNamespace(namespace, role, getAuthActions(actions));

Get permissions

You can see which permissions have been granted to which roles in a namespace.

pulsar-admin

Use the permissions subcommand and specify a namespace:

pulsar-admin namespaces permissions test-tenant/namespace1

Example output:

my.role.*    [produce, consume]

REST API

GET /admin/v2/namespaces/{tenant}/{namespace}/permissions

Java

admin.namespaces().getPermissions(namespace);

Revoke permissions

You can revoke permissions from specific roles, which means that those roles will no longer have access to the specified namespace.

pulsar-admin

Use the revoke-permission subcommand and specify a namespace and a role using the --role flag:

pulsar-admin namespaces revoke-permission test-tenant/namespace1 \
      --role admin10

REST API

DELETE /admin/v2/namespaces/{tenant}/{namespace}/permissions/{role}

Java

admin.namespaces().revokePermissionsOnNamespace(namespace, role);