Hi,
CREATE_TOPIC authorization check is not performed when trying to
PRODUCE/CONSUME a topic, it has been referenced:
https://github.com/apache/pulsar/issues/17406.
I opened a PR to fix it https://github.com/apache/pulsar/pull/17411, but
Michael reported issues about backward compatibility (which is totally
correct). Adding support of CREATE_TOPIC authorization as-is will break
current authorization system. I noticed that HTTP Admin API verifies the
CREATE_TOPIC right when creating topic, so we have inconsistencies
between pulsar binary protocol and the HTTP admin API on this.
Also, the AuthorizationProvider is an interface exposing the
CREATE_TOPIC feature for authZ plugins. But it is inconsistent too.
Michael suggested to fix this interface to support the CREATE_TOPIC
check and adapt the pulsar's DefaultAuthzProvider to continue as-is.
I'd like to know what do you think?
Thanks,
Kannar