Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[improve][pip] PIP-347: add role field in consumer's stat #22564

Merged
merged 7 commits into from
May 14, 2024
Merged

[improve][pip] PIP-347: add role field in consumer's stat #22564

merged 7 commits into from
May 14, 2024

Conversation

thetumbled
Copy link
Member

@thetumbled thetumbled commented Apr 23, 2024
edited
Loading

Motivation

pip-347
implementation pr:#22562

Modifications

Verifying this change

  • Make sure that the change passes the CI checks.

(Please pick either of the following options)

This change is a trivial rework / code cleanup without any test coverage.

(or)

This change is already covered by existing tests, such as (please describe tests).

(or)

This change added tests and can be verified as follows:

(example:)

  • Added integration tests for end-to-end deployment with large payloads (10MB)
  • Extended integration test for recovery after broker failure

Does this pull request potentially affect one of the following parts:

If the box was checked, please highlight the changes

  • Dependencies (add or upgrade a dependency)
  • The public API
  • The schema
  • The default values of configurations
  • The threading model
  • The binary protocol
  • The REST endpoints
  • The admin CLI options
  • The metrics
  • Anything that affects deployment

Documentation

  • doc
  • doc-required
  • doc-not-needed
  • doc-complete

Matching PR in forked repository

PR in forked repository:

@github-actions github-actions bot added PIP doc-not-needed Your PR changes do not impact docs labels Apr 23, 2024
@thetumbled thetumbled mentioned this pull request Apr 23, 2024
Merged
15 tasks
@thetumbled
Copy link
Member Author

PTAL, thanks. @BewareMyPower @lhotari @codelipenghui @poorbarcode @Technoboy-

This was referenced Apr 25, 2024
Closed
Open
michaeljmarshall
michaeljmarshall reviewed Apr 25, 2024
View reviewed changes
Copy link
Member

@michaeljmarshall michaeljmarshall left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for your PIP. I agree that there is a gap here, but I think the solution requires a more nuanced approach to accommodate existing use cases.

pip/pip-347.md Show resolved Hide resolved
@nodece
Copy link
Member

nodece commented Apr 25, 2024

Leaving aside the issue above.

It looks like you want to add role to the consumer stats, that is a good idea to track the relationship between subscriptions and users.

There are times when the role is more sensitive information and I would recommend adding a configuration to expose the role.

@thetumbled
Copy link
Member Author

thetumbled commented Apr 29, 2024
edited
Loading

May be we can prioritize reaching consensus on this PIP? We do need this pip to handle the problem we meet, anyone who use Subscription Permission Control Mechanism will also need this.
@michaeljmarshall @nodece @dao-jun @codelipenghui @BewareMyPower @Technoboy-

@dao-jun
Copy link
Member

dao-jun commented Apr 29, 2024

@thetumbled After @michaeljmarshall think it's OK, you can sent a vote thread to the mail list

@thetumbled

This comment was marked as outdated.

Sign in to view
eolivelli
eolivelli requested changes May 6, 2024
View reviewed changes
Copy link
Contributor

@eolivelli eolivelli left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think that this PIP is telling too much about some kind of security vulnerability and I would shrink it a lot.
You should mention only the need for administrators to bind a consumer to a role, that is definitely useful.

Regarding the auto creation of subscriptions, we should tackle the problem as a separate work, and not a PIP

pip/pip-347.md Outdated Show resolved Hide resolved
@thetumbled
Copy link
Member Author

I think that this PIP is telling too much about some kind of security vulnerability and I would shrink it a lot. You should mention only the need for administrators to bind a consumer to a role, that is definitely useful.

Regarding the auto creation of subscriptions, we should tackle the problem as a separate work, and not a PIP

Agree, i have updated the motivation, PTAL, thanks. @eolivelli @nodece

nodece
nodece approved these changes May 6, 2024
View reviewed changes
Copy link
Member

@nodece nodece left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good point.

nodece
nodece reviewed May 6, 2024
View reviewed changes
pip/pip-347.md Outdated Show resolved Hide resolved
@dao-jun
Copy link
Member

dao-jun commented May 7, 2024
edited
Loading

Leaving aside the issue above.

It looks like you want to add role to the consumer stats, that is a good idea to track the relationship between subscriptions and users.

There are times when the role is more sensitive information and I would recommend adding a configuration to expose the role.

@nodece I don't understand why role name can be sensitive.
It's not accessKey or username or token or something else, it is just a role name, users cannot accessed in by the role name at all. Like us, we are Software engineer, is Software engineer sensitive?
The PIP is a simple change, let's keep it simple, I don't think add a exposeRole param is reasonable.

/cc @eolivelli

@nodece
Copy link
Member

nodece commented May 7, 2024

In other words, I just don't want to expose the role to the regular users.

@dao-jun
Copy link
Member

dao-jun commented May 7, 2024

@nodece I think it doesn't matter, expose role name will not affect anything

@thetumbled
Copy link
Member Author

WDYT, should we expose it to regular users(not everyone actually, but those who own the lookup permission of this topic)? @eolivelli @lhotari @codelipenghui @Technoboy- @michaeljmarshall

codelipenghui
codelipenghui reviewed May 13, 2024
View reviewed changes
pip/pip-347.md Outdated Show resolved Hide resolved
@codelipenghui
Copy link
Contributor

There are times when the role is more sensitive information and I would recommend adding a configuration to expose the role.

It should be fine since we already exposed the sub name, consumer name and more information for users who has LOOKUP permission with default Pulsar authorization. And Pulsar can also support fine-grained access control by authorization plugin.

eolivelli
eolivelli approved these changes May 14, 2024
View reviewed changes
Copy link
Contributor

@eolivelli eolivelli left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

+1

@dao-jun
Copy link
Member

dao-jun commented May 14, 2024

PIP approved, merging...

@dao-jun dao-jun added this to the 3.4.0 milestone May 14, 2024
@dao-jun dao-jun merged commit 3d26079 into apache:master May 14, 2024
20 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@michaeljmarshall michaeljmarshall michaeljmarshall left review comments

@nodece nodece nodece approved these changes

@dao-jun dao-jun dao-jun approved these changes

@RobertIndie RobertIndie RobertIndie approved these changes

@codelipenghui codelipenghui codelipenghui approved these changes

@eolivelli eolivelli eolivelli approved these changes

Assignees

@thetumbled thetumbled

Labels
doc-not-needed Your PR changes do not impact docs PIP
Projects
None yet
Milestone
4.0.0
Development

Successfully merging this pull request may close these issues.
7 participants
@thetumbled @nodece @dao-jun @codelipenghui @eolivelli @RobertIndie @michaeljmarshall