id: admin-api-permissions
title: Managing permissions
sidebar_label: "Permissions"
original_id: admin-api-permissions

import Tabs from '@theme/Tabs';
import TabItem from '@theme/TabItem';

Important

This page only shows some frequently used operations.

  • For the latest and complete information about Pulsar admin, including commands, flags, descriptions, and more information, see Pulsar admin doc.

  • For the latest and complete information about REST API, including parameters, responses, samples, and more, see {@inject: rest:REST:/} API doc.

  • For the latest and complete information about Java admin API, including classes, methods, descriptions, and more, see Java admin API doc.

Pulsar allows you to grant namespace-level or topic-level permission to users.

  • If you grant a namespace-level permission to a user, then the user can access all the topics under the namespace.

  • If you grant a topic-level permission to a user, then the user can access only the topic.

The sections below demonstrate how to grant namespace-level permissions to users. For how to grant topic-level permissions to users, see manage topics.

Grant permissions

You can grant permissions to specific roles for lists of operations such as produce and consume.

<Tabs defaultValue="pulsar-admin" values={[{"label":"pulsar-admin","value":"pulsar-admin"},{"label":"REST API","value":"REST API"},{"label":"Java","value":"Java"}]}>

Use the grant-permission subcommand and specify a namespace, actions using the --actions flag, and a role using the --role flag:


$ pulsar-admin namespaces grant-permission test-tenant/ns1 \
  --actions produce,consume \
  --role admin10

Wildcard authorization can be performed when authorizationAllowWildcardsMatching is set to true in broker.conf.

For example:


$ pulsar-admin namespaces grant-permission test-tenant/ns1 \
  --actions produce,consume \
  --role 'my.role.*'

Then, roles my.role.1, my.role.2, my.role.foo, my.role.bar, etc. can produce and consume.


$ pulsar-admin namespaces grant-permission test-tenant/ns1 \
  --actions produce,consume \
  --role '*.role.my'

Then, roles 1.role.my, 2.role.my, foo.role.my, bar.role.my, etc. can produce and consume.

Note: Wildcard matching works only at the beginning or end of the role name.

For example:


$ pulsar-admin namespaces grant-permission test-tenant/ns1 \
  --actions produce,consume \
  --role 'my.*.role'

In this case, only the role my.*.role has permissions.
Roles my.1.role, my.2.role, my.foo.role, my.bar.role, etc. cannot produce and consume.

{@inject: endpoint|POST|/admin/v2/namespaces/:tenant/:namespace/permissions/:role|operation/grantPermissionOnNamespace?version=@pulsar:version_number@}


admin.namespaces().grantPermissionOnNamespace(namespace, role, getAuthActions(actions));
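
To check how a set of grants resolves for a given role, the wildcard rule described above can be modelled and run against the map that the permissions subcommand returns. This is an added example, not Pulsar's own code: the function names and the sample permissions map are constructed, `wildcards_enabled` stands in for authorizationAllowWildcardsMatching, and the model follows only the prefix/suffix rule stated on this page.

```python
import json

# Constructed sample in the shape printed by `pulsar-admin namespaces permissions`.
SAMPLE_PERMISSIONS = json.loads("""
{
  "admin10":   ["produce", "consume"],
  "my.role.*": ["produce", "consume"],
  "*.role.my": ["consume"],
  "my.*.role": ["produce", "consume"]
}
""")


def grant_applies(granted, role, wildcards_enabled):
    """True if a grant made to `granted` covers `role` under the page's rule."""
    if granted == role:
        return True                      # exact role name always matches
    if not wildcards_enabled or not granted:
        return False                     # '*' is then only a literal character
    if granted.endswith("*") and role.startswith(granted[:-1]):
        return True                      # trailing wildcard: prefix match
    if granted.startswith("*") and role.endswith(granted[1:]):
        return True                      # leading wildcard: suffix match
    return False                         # a '*' in the middle never expands


def effective_actions(permissions, role, wildcards_enabled=True):
    """Actions `role` ends up with. Assumption: grants that cover it are unioned."""
    actions = set()
    for granted, granted_actions in permissions.items():
        if grant_applies(granted, role, wildcards_enabled):
            actions.update(granted_actions)
    return actions


def literal_wildcard_grants(permissions):
    """Grants whose '*' sits only in the middle, so it is matched literally."""
    return sorted(g for g in permissions
                  if "*" in g[1:-1] and not (g.startswith("*") or g.endswith("*")))


if __name__ == "__main__":
    for role in ("admin10", "my.role.foo", "foo.role.my", "my.foo.role"):
        print(role, sorted(effective_actions(SAMPLE_PERMISSIONS, role)))
    print("matched literally:", literal_wildcard_grants(SAMPLE_PERMISSIONS))
```

A grant reported by `literal_wildcard_grants` usually means the operator expected a match that the broker will not perform, so it is worth reviewing before relying on it.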

Get permissions

You can see which permissions have been granted to which roles in a namespace.

<Tabs defaultValue="pulsar-admin" values={[{"label":"pulsar-admin","value":"pulsar-admin"},{"label":"REST API","value":"REST API"},{"label":"Java","value":"Java"}]}>

Use the permissions subcommand and specify a namespace:


$ pulsar-admin namespaces permissions test-tenant/ns1
{
  "admin10": [
    "produce",
    "consume"
  ]
}

{@inject: endpoint|GET|/admin/v2/namespaces/:tenant/:namespace/permissions|operation/getPermissions?version=@pulsar:version_number@}


admin.namespaces().getPermissions(namespace);

Revoke permissions

You can revoke permissions from specific roles, which means that those roles will no longer have access to the specified namespace.

<Tabs defaultValue="pulsar-admin" values={[{"label":"pulsar-admin","value":"pulsar-admin"},{"label":"REST API","value":"REST API"},{"label":"Java","value":"Java"}]}>

Use the revoke-permission subcommand and specify a namespace and a role using the --role flag:


$ pulsar-admin namespaces revoke-permission test-tenant/ns1 \
  --role admin10

{@inject: endpoint|DELETE|/admin/v2/namespaces/:tenant/:namespace/permissions/:role|operation/revokePermissionsOnNamespace?version=@pulsar:version_number@}


admin.namespaces().revokePermissionsOnNamespace(namespace, role);