Important
This page only shows some frequently used operations.
For the latest and complete information about Pulsar admin, including commands, flags, descriptions, and more, see Pulsar admin doc.
For the latest and complete information about REST API, including parameters, responses, samples, and more, see {@inject: rest:REST:/} API doc.
For the latest and complete information about Java admin API, including classes, methods, descriptions, and more, see Java admin API doc.
Pulsar allows you to grant namespace-level or topic-level permission to users.
If you grant a namespace-level permission to a user, then the user can access all the topics under the namespace.
If you grant a topic-level permission to a user, then the user can access only the topic.
The chapters below demonstrate how to grant namespace-level permissions to users. For how to grant topic-level permissions to users, see manage topics.
You can grant permissions to specific roles for lists of operations such as produce and consume.
Use the grant-permission subcommand and specify a namespace, actions using the --actions flag, and a role using the --role flag:
$ pulsar-admin namespaces grant-permission test-tenant/ns1 \
    --actions produce,consume \
    --role admin10
Wildcard authorization can be performed when authorizationAllowWildcardsMatching is set to true in broker.conf.
For example:
$ pulsar-admin namespaces grant-permission test-tenant/ns1 \
    --actions produce,consume \
    --role 'my.role.*'
Then, roles my.role.1, my.role.2, my.role.foo, my.role.bar, etc. can produce and consume.
$ pulsar-admin namespaces grant-permission test-tenant/ns1 \
    --actions produce,consume \
    --role '*.role.my'
Then, roles 1.role.my, 2.role.my, foo.role.my, bar.role.my, etc. can produce and consume.
Note: Wildcard matching works at the beginning or end of the role name only.
For example:
$ pulsar-admin namespaces grant-permission test-tenant/ns1 \
    --actions produce,consume \
    --role 'my.*.role'
In this case, only the role my.*.role has permissions.
Roles my.1.role, my.2.role, my.foo.role, my.bar.role, etc. cannot produce and consume.
{@inject: endpoint|POST|/admin/v2/namespaces/:tenant/:namespace/permissions/:role|operation/grantPermissionOnNamespace?version=[[pulsar:version_number]]}
admin.namespaces().grantPermissionOnNamespace(namespace, role, getAuthActions(actions));
You can see which permissions have been granted to which roles in a namespace.
Use the permissions subcommand and specify a namespace:
$ pulsar-admin namespaces permissions test-tenant/ns1
{
  "admin10": [
    "produce",
    "consume"
  ]
}
{@inject: endpoint|GET|/admin/v2/namespaces/:tenant/:namespace/permissions|operation/getPermissions?version=[[pulsar:version_number]]}
admin.namespaces().getPermissions(namespace);
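When reviewing a namespace, it helps to know which roles a wildcard grant actually covers. The following is an added example, not Pulsar's own code: it takes a permissions map in the JSON shape shown above and applies the wildcard rules as this page describes them (exact match, or `*` at the start or end of the granted role). The sample map and the function names are constructed for illustration.

```python
import json

# Constructed sample in the shape printed by `pulsar-admin namespaces permissions`.
SAMPLE_PERMISSIONS = json.loads("""
{
  "admin10":   ["produce", "consume"],
  "my.role.*": ["produce", "consume"],
  "*.role.my": ["consume"],
  "my.*.role": ["produce"]
}
""")


def grant_matches(granted_role, role, wildcards_enabled=True):
    """Model of the page's rules: exact match, or '*' at the start or end of the grant."""
    if granted_role == role:
        return True
    if not wildcards_enabled:  # authorizationAllowWildcardsMatching is not true
        return False
    if granted_role.endswith("*") and role.startswith(granted_role[:-1]):
        return True
    return granted_role.startswith("*") and role.endswith(granted_role[1:])


def effective_actions(permissions, role, wildcards_enabled=True):
    """Union of the actions from every grant that applies to `role`."""
    actions = set()
    for granted_role, granted in permissions.items():
        if grant_matches(granted_role, role, wildcards_enabled):
            actions.update(granted)
    return actions


def audit_wildcards(permissions):
    """Classify grants whose role name contains '*' so a reviewer can check each one."""
    findings = {}
    for granted_role in permissions:
        if "*" not in granted_role:
            continue
        if granted_role.startswith("*") or granted_role.endswith("*"):
            findings[granted_role] = "pattern"  # covers a whole family of role names
        else:
            findings[granted_role] = "literal"  # '*' in the middle is not expanded
    return findings


if __name__ == "__main__":
    print(audit_wildcards(SAMPLE_PERMISSIONS))
    for r in ("admin10", "my.role.foo", "foo.role.my", "my.1.role"):
        print(r, sorted(effective_actions(SAMPLE_PERMISSIONS, r)))
```

A "literal" finding usually means the grant does not do what its author intended, while a "pattern" finding is a grant whose reach grows whenever a new role name with that prefix or suffix is issued.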
You can revoke permissions from specific roles, which means that those roles will no longer have access to the specified namespace.
Use the revoke-permission subcommand and specify a namespace and a role using the --role flag:
$ pulsar-admin namespaces revoke-permission test-tenant/ns1 \
    --role admin10
{@inject: endpoint|DELETE|/admin/v2/namespaces/:tenant/:namespace/permissions/:role|operation/revokePermissionsOnNamespace?version=[[pulsar:version_number]]}
admin.namespaces().revokePermissionsOnNamespace(namespace, role);