Managing permissions

    Pulsar allows you to grant namespace-level or topic-level permission to users.

    • If you grant a namespace-level permission to a user, then the user can access all the topics under the namespace.

    • If you grant a topic-level permission to a user, then the user can access only the topic.

    You can grant permissions to specific roles for lists of operations such as produce and consume.

    • pulsar-admin
    • REST API
    • Java

    Use the grant-permission subcommand and specify a namespace, actions using the --actions flag, and a role using the --role flag:

    Wildcard authorization can be performed when authorizationAllowWildcardsMatching is set to true in broker.conf.

    For example:

        $ pulsar-admin namespaces grant-permission test-tenant/ns1 \
            --actions produce,consume \
            --role 'my.role.*'

    Then, roles my.role.1, my.role.foo, my.role.bar, etc. can produce and consume.

        $ pulsar-admin namespaces grant-permission test-tenant/ns1 \
            --actions produce,consume \
            --role '*.role.my'

    Then, roles 1.role.my, 2.role.my, foo.role.my, bar.role.my, etc. can produce and consume.

    Note: Wildcard matching works at the beginning or end of the role name only.

    When the wildcard appears in the middle of the role name, as in my.*.role, only the role my.*.role has permissions.
    Roles my.1.role, my.2.role, my.foo.role, etc. cannot produce and consume.

        admin.namespaces().grantPermissionOnNamespace(namespace, role, getAuthActions(actions));

    You can see which permissions have been granted to which roles in a namespace.

    • pulsar-admin
    • REST API
    • Java

    Use the permissions subcommand and specify a namespace:

        {
          "admin10": [
            "produce",
            "consume"
          ]
        }

    You can revoke permissions from specific roles, which means that those roles will no longer have access to the specified namespace.

    • pulsar-admin
    • REST API
    • Java

    Use the revoke-permission subcommand and specify a namespace and a role using the --role flag:

        $ pulsar-admin namespaces revoke-permission test-tenant/ns1 \
            --role admin10

        admin.namespaces().revokePermissionsOnNamespace(namespace, role);