sijie commented on a change in pull request #6798: URL: https://github.com/apache/pulsar/pull/6798#discussion_r413535462
########## File path: pulsar-broker/src/main/java/org/apache/pulsar/broker/service/ServerCnx.java ########## 
@@ -935,6 +937,38 @@ private SchemaData getSchema(PulsarApi.Schema protocolSchema) { )).build(); } + private CompletableFuture<Boolean> canProduce(TopicName topicName, String role) { + return computeAuthorizedFuture(topicName, role, null, true); + } + + private CompletableFuture<Boolean> canConsume(TopicName topicName, String role, String subscription) { + return computeAuthorizedFuture(topicName, role, subscription, false); + } + + private CompletableFuture<Boolean> computeAuthorizedFuture(TopicName topicName, String role, String subscription, boolean produce) { + String path = PulsarWebResource.path(ConfigurationCacheService.POLICIES, topicName.getTenant()); + try { + TenantInfo tenantInfo = service.getPulsar().getConfigurationCache().propertiesCache().get(path) + .orElseThrow(() -> new PulsarServerException.NotFoundException("Tenant does not exist")); + CompletableFuture<Boolean> isTenantAdminFuture = service.getAuthorizationService().isTenantAdmin(topicName.getTenant(), role, tenantInfo, authenticationData); + return isTenantAdminFuture.thenCompose(isTenantAdmin -> { + if (isTenantAdmin) { return CompletableFuture.completedFuture(true); }

Review comment: What is the motivation of this change? This seems to change the behavior of the current authorization system. It allows tenant admin to produce and consume messages. In general, this is a breaking change. There is also an attempt to change the authorization system in PIP-49. It was pushed back. We shouldn't change the existing authorization system. If you want to allow TenantAdmin to produce and consume messages, you should implement a new AuthorizationProvider.
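
Review bot: In computeAuthorizedFuture, the `if (isTenantAdmin) { return CompletableFuture.completedFuture(true); }` branch returns true before any topic-level produce or consume permission is consulted, so a tenant admin role is authorized on every topic under `topicName.getTenant()`, and nothing in the hunk lets an operator turn that off. Consider moving this decision into the AuthorizationProvider, or gating it behind a broker setting that keeps the existing behaviour by default, and documenting the rule on canProduce and canConsume. The tenant lookup via `propertiesCache().get(path)` also runs on every call and throws NotFoundException for a missing tenant; the matching catch is outside the visible lines, so confirm it completes the future as a denial instead of letting the exception escape. As a style point, the `boolean produce` flag combined with a null subscription would read more clearly as two explicit code paths.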