Add topic permissions commands #48
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
zymap
force-pushed
the
topic-permission
branch
from
9cd82c0 to
bc433fd
Compare
sijie
requested changes
Sep 10, 2019
Member
sijie
left a comment
sijie
left a comment
There was a problem hiding this comment.
after thinking a bit more, the permissions related operations are spreading over multiple places. we should revisit it overall.
one solution is to move 'permissions' as the topic level command group. so the commands will be:
pulsarctl permissions grant --roles <roles> --actions <actions> <entity>pulsarctl permissions revoke --roles <roles> --actions <actions> <entity>pulsarctl permissions get <entity>.
pulsarctl should determine what entities (a namespace, a topic or a function) the operations apply to.
for example, tenant/ns is a namespace name. tenant/ns/topic is a topic name or a function name.
| return err | ||
| } | ||
|
|
||
| admin := cmdutils.NewPulsarClient() |
Member
There was a problem hiding this comment.
how do we close admin? If we don't close admin, it might be worth fixing this problem in a subsequent pull request.
Member
Author
There was a problem hiding this comment.
Why do we need to close admin?
Member
There was a problem hiding this comment.
why don't we need to close admin? releasing/closing a resource is always be the right practice to follow.
Member
Author
There was a problem hiding this comment.
I wonder is there has any resource we always keep with admin?
Member
There was a problem hiding this comment.
isn't PulsarAdmin client a network client? If it is a network client, doesn't it keep any network related resources?
| args := []string{"get-permissions"} | ||
| _, _, nameErr, _ := TestTopicCommands(GetPermissionsCmd, args) | ||
| assert.NotNil(t, nameErr) | ||
| assert.Equal(t, "only one argument is allowed to be used as a name", nameErr.Error()) |
Member
There was a problem hiding this comment.
Suggested change
| assert.Equal(t, "only one argument is allowed to be used as a name", nameErr.Error()) | |
| assert.Equal(t, "only one argument is allowed to be used as a topic name", nameErr.Error()) |
Member
Author
There was a problem hiding this comment.
It's a common output for all commands which need one argument. The description will show which arg types the command needed.
Member
There was a problem hiding this comment.
The error message is too generic. Users won’t be able to know what is the exact error. So you need to customize the error message for different commands.
Member
Author
There was a problem hiding this comment.
Okay. So maybe we can use a separate pull request to do this. It will modify all commands who use GetNameArg to ensure there is only one name argument.
| Out: "Invalid role name", | ||
| } | ||
|
|
||
| actionsError := Output{ |
Member
There was a problem hiding this comment.
it seems to me that this is a topic level permissions. I don't think it should accept functions permissions.
- we should prevent people from granting
functionspermissions for a topic. - if broker doesn't prevent, we should add a logic to reject granting
functionspermissions for a topic. please create a Pulsar issue to track adding the logic.
Member
Author
There was a problem hiding this comment.
So who will grant functions permission?
Member
There was a problem hiding this comment.
functions permission is only applied to namespace level.
Member
Author
@sijie Good idea. I will add a new command group. |
Member
Author
|
@sijie PTAL |
sijie
requested changes
Sep 19, 2019
Member
Author
|
@sijie PTAL. Thanks. |
sijie
approved these changes
Sep 19, 2019
tisonkun
pushed a commit
to tisonkun/pulsar-client-go
that referenced
this pull request
Aug 15, 2023
## OUTPUT
*get-permissions`*
```
➜ pulsarctl git:(topic-permission) ./pulsarctl topic get-permissions -h
USED FOR:
This command is used for getting the permissions on a topic.
REQUIRED PERMISSION:
This command requires namespace admin permissions.
EXAMPLES:
#Get the permissions on a topic <topic-name>
pulsarctl topic get-permissions <topic-name>
OUTPUT:
#normal output
{
"<role>": [
"<action>"
]
}
#the topic name is not specified
[✖] only one argument is allowed to be used as a name
#the topic name is not in the format of <tenant>/<namespace>/<topic> or <topic>
[✖] Invalid short topic name '<topic-name>', it should be in the format of <tenant>/<namespace>/<topic> or <topic>
#the topic name is not in the format of <domain>://<tenant>/<namespace>/<topic>
[✖] Invalid complete topic name '<topic-name>', it should be in the format of <domain>://<tenant>/<namespace>/<topic>
#the topic name is not in the format of <tenant>/<namespace>/<topic>
[✖] Invalid topic name '<topic-name>', it should be in the format of<tenant>/<namespace>/<topic>
#the namespace name is not in the format of <tenant>/<namespace>
[✖] The complete name of namespace is invalid. complete name : <namespace-complete-name>
#the tenant name and(or) namespace name is empty
[✖] Invalid tenant or namespace. [<tenant>/<namespace>]
#the tenant name contains unsupported special chars. the alphanumeric (a-zA-Z0-9) and the special chars (-=:.%) is allowed
[✖] Tenant name include unsupported special chars. tenant : [<namespace>]
#the namespace name contains unsupported special chars. the alphanumeric (a-zA-Z0-9) and the special chars (-=:.%) is allowed
[✖] Namespace name include unsupported special chars. namespace : [<namespace>]
Usage: pulsarctl topics get-permissions [flags]
Aliases: get-permissions, get
```
*grant-permissions*
```
➜ pulsarctl git:(topic-permission) ./pulsarctl topic grant-permissions -h
USED FOR:
This command is used for granting permissions to a client role on a single topic.
REQUIRED PERMISSION:
This command requires namespace admin permissions.
EXAMPLES:
#Grant permissions to a client on a single topic <topic-name>
pulsarctl topic grant-permissions --role <role> --actions <action-1> --actions <action-2> <topic-name>
OUTPUT:
#normal output
Grant role %s and actions %v to the topic %s successfully
#the topic name is not specified
[✖] only one argument is allowed to be used as a name
#the specified role is empty
Invalid role name
#the specified actions is not allowed.
The auth action only can be specified as 'produce', 'consume', or 'functions'. Invalid auth action '<actions>'
#the topic name is not in the format of <tenant>/<namespace>/<topic> or <topic>
[✖] Invalid short topic name '<topic-name>', it should be in the format of <tenant>/<namespace>/<topic> or <topic>
#the topic name is not in the format of <domain>://<tenant>/<namespace>/<topic>
[✖] Invalid complete topic name '<topic-name>', it should be in the format of <domain>://<tenant>/<namespace>/<topic>
#the topic name is not in the format of <tenant>/<namespace>/<topic>
[✖] Invalid topic name '<topic-name>', it should be in the format of<tenant>/<namespace>/<topic>
#the namespace name is not in the format of <tenant>/<namespace>
[✖] The complete name of namespace is invalid. complete name : <namespace-complete-name>
#the tenant name and(or) namespace name is empty
[✖] Invalid tenant or namespace. [<tenant>/<namespace>]
#the tenant name contains unsupported special chars. the alphanumeric (a-zA-Z0-9) and the special chars (-=:.%) is allowed
[✖] Tenant name include unsupported special chars. tenant : [<namespace>]
#the namespace name contains unsupported special chars. the alphanumeric (a-zA-Z0-9) and the special chars (-=:.%) is allowed
[✖] Namespace name include unsupported special chars. namespace : [<namespace>]
Usage: pulsarctl topics grant-permissions [flags]
Aliases: grant-permissions, grant
```
*revoke-permissions*
```
➜ pulsarctl git:(topic-permission) ./pulsarctl topic revoke-permissions -h
USED FOR:
This command is used for revoking permissions on a topic.
REQUIRED PERMISSION:
This command requires namespace admin permissions.
EXAMPLES:
OUTPUT:
#normal output
Revoke permissions for the role <role> to the topic <topic-name> successfully
#the specified role is empty
Invalid role name
#the topic name is not specified
[✖] only one argument is allowed to be used as a name
#the topic name is not in the format of <tenant>/<namespace>/<topic> or <topic>
[✖] Invalid short topic name '<topic-name>', it should be in the format of <tenant>/<namespace>/<topic> or <topic>
#the topic name is not in the format of <domain>://<tenant>/<namespace>/<topic>
[✖] Invalid complete topic name '<topic-name>', it should be in the format of <domain>://<tenant>/<namespace>/<topic>
#the topic name is not in the format of <tenant>/<namespace>/<topic>
[✖] Invalid topic name '<topic-name>', it should be in the format of<tenant>/<namespace>/<topic>
#the namespace name is not in the format of <tenant>/<namespace>
[✖] The complete name of namespace is invalid. complete name : <namespace-complete-name>
#the tenant name and(or) namespace name is empty
[✖] Invalid tenant or namespace. [<tenant>/<namespace>]
#the tenant name contains unsupported special chars. the alphanumeric (a-zA-Z0-9) and the special chars (-=:.%) is allowed
[✖] Tenant name include unsupported special chars. tenant : [<namespace>]
#the namespace name contains unsupported special chars. the alphanumeric (a-zA-Z0-9) and the special chars (-=:.%) is allowed
[✖] Namespace name include unsupported special chars. namespace : [<namespace>]
Usage: pulsarctl topics revoke-permissions [flags]
Aliases: revoke-permissions, revoke
```
tisonkun
pushed a commit
to apache/pulsar-client-go
that referenced
this pull request
Aug 16, 2023
## OUTPUT
*get-permissions`*
```
➜ pulsarctl git:(topic-permission) ./pulsarctl topic get-permissions -h
USED FOR:
This command is used for getting the permissions on a topic.
REQUIRED PERMISSION:
This command requires namespace admin permissions.
EXAMPLES:
#Get the permissions on a topic <topic-name>
pulsarctl topic get-permissions <topic-name>
OUTPUT:
#normal output
{
"<role>": [
"<action>"
]
}
#the topic name is not specified
[✖] only one argument is allowed to be used as a name
#the topic name is not in the format of <tenant>/<namespace>/<topic> or <topic>
[✖] Invalid short topic name '<topic-name>', it should be in the format of <tenant>/<namespace>/<topic> or <topic>
#the topic name is not in the format of <domain>://<tenant>/<namespace>/<topic>
[✖] Invalid complete topic name '<topic-name>', it should be in the format of <domain>://<tenant>/<namespace>/<topic>
#the topic name is not in the format of <tenant>/<namespace>/<topic>
[✖] Invalid topic name '<topic-name>', it should be in the format of<tenant>/<namespace>/<topic>
#the namespace name is not in the format of <tenant>/<namespace>
[✖] The complete name of namespace is invalid. complete name : <namespace-complete-name>
#the tenant name and(or) namespace name is empty
[✖] Invalid tenant or namespace. [<tenant>/<namespace>]
#the tenant name contains unsupported special chars. the alphanumeric (a-zA-Z0-9) and the special chars (-=:.%) is allowed
[✖] Tenant name include unsupported special chars. tenant : [<namespace>]
#the namespace name contains unsupported special chars. the alphanumeric (a-zA-Z0-9) and the special chars (-=:.%) is allowed
[✖] Namespace name include unsupported special chars. namespace : [<namespace>]
Usage: pulsarctl topics get-permissions [flags]
Aliases: get-permissions, get
```
*grant-permissions*
```
➜ pulsarctl git:(topic-permission) ./pulsarctl topic grant-permissions -h
USED FOR:
This command is used for granting permissions to a client role on a single topic.
REQUIRED PERMISSION:
This command requires namespace admin permissions.
EXAMPLES:
#Grant permissions to a client on a single topic <topic-name>
pulsarctl topic grant-permissions --role <role> --actions <action-1> --actions <action-2> <topic-name>
OUTPUT:
#normal output
Grant role %s and actions %v to the topic %s successfully
#the topic name is not specified
[✖] only one argument is allowed to be used as a name
#the specified role is empty
Invalid role name
#the specified actions is not allowed.
The auth action only can be specified as 'produce', 'consume', or 'functions'. Invalid auth action '<actions>'
#the topic name is not in the format of <tenant>/<namespace>/<topic> or <topic>
[✖] Invalid short topic name '<topic-name>', it should be in the format of <tenant>/<namespace>/<topic> or <topic>
#the topic name is not in the format of <domain>://<tenant>/<namespace>/<topic>
[✖] Invalid complete topic name '<topic-name>', it should be in the format of <domain>://<tenant>/<namespace>/<topic>
#the topic name is not in the format of <tenant>/<namespace>/<topic>
[✖] Invalid topic name '<topic-name>', it should be in the format of<tenant>/<namespace>/<topic>
#the namespace name is not in the format of <tenant>/<namespace>
[✖] The complete name of namespace is invalid. complete name : <namespace-complete-name>
#the tenant name and(or) namespace name is empty
[✖] Invalid tenant or namespace. [<tenant>/<namespace>]
#the tenant name contains unsupported special chars. the alphanumeric (a-zA-Z0-9) and the special chars (-=:.%) is allowed
[✖] Tenant name include unsupported special chars. tenant : [<namespace>]
#the namespace name contains unsupported special chars. the alphanumeric (a-zA-Z0-9) and the special chars (-=:.%) is allowed
[✖] Namespace name include unsupported special chars. namespace : [<namespace>]
Usage: pulsarctl topics grant-permissions [flags]
Aliases: grant-permissions, grant
```
*revoke-permissions*
```
➜ pulsarctl git:(topic-permission) ./pulsarctl topic revoke-permissions -h
USED FOR:
This command is used for revoking permissions on a topic.
REQUIRED PERMISSION:
This command requires namespace admin permissions.
EXAMPLES:
OUTPUT:
#normal output
Revoke permissions for the role <role> to the topic <topic-name> successfully
#the specified role is empty
Invalid role name
#the topic name is not specified
[✖] only one argument is allowed to be used as a name
#the topic name is not in the format of <tenant>/<namespace>/<topic> or <topic>
[✖] Invalid short topic name '<topic-name>', it should be in the format of <tenant>/<namespace>/<topic> or <topic>
#the topic name is not in the format of <domain>://<tenant>/<namespace>/<topic>
[✖] Invalid complete topic name '<topic-name>', it should be in the format of <domain>://<tenant>/<namespace>/<topic>
#the topic name is not in the format of <tenant>/<namespace>/<topic>
[✖] Invalid topic name '<topic-name>', it should be in the format of<tenant>/<namespace>/<topic>
#the namespace name is not in the format of <tenant>/<namespace>
[✖] The complete name of namespace is invalid. complete name : <namespace-complete-name>
#the tenant name and(or) namespace name is empty
[✖] Invalid tenant or namespace. [<tenant>/<namespace>]
#the tenant name contains unsupported special chars. the alphanumeric (a-zA-Z0-9) and the special chars (-=:.%) is allowed
[✖] Tenant name include unsupported special chars. tenant : [<namespace>]
#the namespace name contains unsupported special chars. the alphanumeric (a-zA-Z0-9) and the special chars (-=:.%) is allowed
[✖] Namespace name include unsupported special chars. namespace : [<namespace>]
Usage: pulsarctl topics revoke-permissions [flags]
Aliases: revoke-permissions, revoke
```
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
OUTPUT
get-permissions`
grant-permissions
revoke-permissions