Hello everyone, When a role wants to use the resource, the role needs to have resource permissions.
The process is to first check whether the role is the superuser or tenant administrator. If yes, operations are allowed. Otherwise, check the policies stored in zk. Right now, we have the AuthorizationService and AuthorizationProvider, the AuthorizationService wraps the AuthorizationProvider call. When you check the code, you will find that both classes have the superuser/tenantAdmin checks in certain places, this may cause confusion when developing the custom AuthorizationProvider, so I suggest unifying superuser/tenantAdmin checks in the `AuthorizationService`, and then the `AuthorizationProvider` only needs to consider their business permissions. I created a PR a while ago, you can check it out: https://github.com/apache/pulsar/pull/20145, Thanks, Zixuan