
We've been trying to add JWT auth on our 2.8.1 Apache Pulsar cluster and it seems to be working properly, except for permissions. So basically, the state we are in right now is:

  • Without a token, the client gets a 401
  • With a token, it can access the cluster but has trouble producing or consuming, so we added this:

./bin/pulsar-admin --admin-url https://pulsar-xxx-broker.pulsar-xx.svc.cluster.local:8443 --auth-plugin org.apache.pulsar.client.impl.auth.AuthenticationToken --auth-params file:///pulsar/tokens/broker/token namespaces grant-permission "xxx-dev-FR/lol" --role pulsar-token- --actions produce,consume

And it was better; permissions seem to be pretty straightforward on namespaces, and only consume and produce are allowed, looking at the code. But then we hit this error:

org.apache.pulsar.client.admin.PulsarAdminException$NotAuthorizedException: Unauthorized to validateTopicPolicyOperation for operation [WRITE] on topic [persistent://xxx-dev-FR/ns-common-0.8.0/workflow-tag-new: com.xxx.xxx.commons.engine.workflow.xxxEngine] on policy [PARTITION]

So apparently we need some more permissions. We looked into adding an admin role when creating the tenant, and this is what we've done, but unfortunately it's not better.

Pulsar permissions schema

Am I missing something here?

Thanks a lot.

Kin

  • Did you configure brokerClientAuthenticationPlugin and brokerClientAuthenticationParameters with the super-role token? – Christophe Bornet Dec 20 '21 at 16:35
  • Hello Christophe, I've done it, yes; well, the helm chart did: brokerClientAuthenticationPlugin=org.apache.pulsar.client.impl.auth.AuthenticationToken brokerClientAuthenticationParameters=file:///pulsar/tokens/broker/token And I confirm, the one from the pod is the same as the one generated initially. Kin – Kin Dec 20 '21 at 17:02

4 Answers


@Kin, from your example it seems you are granting permission on one namespace, xxx-dev-FR/lol, but then trying to use a topic in a different namespace, xxx-dev-FR/ns-common-0.8.0.

Matteo Merli

Yes, it's true, but this was just an example, sorry. I did launch the grant-permission command on the right namespace afterwards.

I feel like the grant-permission command is missing some permissions as only those two are available:

  • consume
  • produce

But apparently it doesn't work for changing a topic or namespace policy. Is there a way to make this work without being a full admin?

Edit: just in case it's not clear in my first post, while creating the tenants in pulsar-manager we used the equivalent of this command:

./bin/pulsar-admin tenants create test --admin-roles <my_app_role>
Kin

You can validate that the params below are configured in broker.conf for all brokers; these are used when a broker connects to other brokers.

authenticationProviders=org.apache.pulsar.broker.authentication.AuthenticationProviderToken

(for the configs below, the subject of the token and the superUser should match)
brokerClientAuthenticationPlugin=org.apache.pulsar.client.impl.auth.AuthenticationToken
brokerClientAuthenticationParameters={token}

superUserRoles={super-user}

Configure one of the two keys below, based on the key (symmetric or asymmetric) you used to generate the token; this will be used to decode the token.

tokenSecretKey=

tokenPublicKey=
sourav

I managed to fix the issue, which was not working because the token subject was not the same as the role given in the tenant admin permissions. For instance, in the CLI it meant:

pulsarctl token create -a HS256 --secret-key-file SECRETKEY --subject xxx-admin 2> pulsar-token-xxx-admin

kubectl exec -it pulsar-xxxx-broker-0 -- bash ./bin/pulsar-admin --tls-allow-insecure --admin-url https://pulsar-xxx-broker.pulsar-xxxx.svc.cluster.local:8443 --auth-plugin org.apache.pulsar.client.impl.auth.AuthenticationToken --auth-params file:///pulsar/tokens/broker/token tenants create <my_tenant> --admin-roles xxx-admin


We also had to add the following in the broker's configuration:

    "topicLevelPoliciesEnabled": "true"
    "systemTopicEnabled": "true"

Bye, and thanks for your help.
Kin
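Both the broker.conf answer and the final fix come down to one check: the JWT's `sub` claim must equal the role named in superUserRoles, in the tenant's --admin-roles, or in the namespace grant. The following Python is an added example, not code from the thread or from Pulsar: it verifies an HS256 token with the standard library only, extracts the subject, and reports which level of access a simplified model of Pulsar's role lookup would give it. The secret, role names and permission map are constructed values, and the access levels are illustrative rather than Pulsar's own logic.

```python
import base64
import hashlib
import hmac
import json


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_hs256_token(subject: str, secret: bytes) -> str:
    """Build an HS256 JWT carrying only a 'sub' claim, the shape Pulsar's token tooling emits (constructed here)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps({"sub": subject}).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def token_role(token: str, secret: bytes) -> str:
    """Verify the HS256 signature and return 'sub': the role Pulsar's authorization provider looks up."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never let the token choose the verification algorithm
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(payload_b64))["sub"]


def explain_access(token, secret, super_user_roles, tenant_admin_roles, namespace_permissions):
    """Map the token's subject onto a simplified model of Pulsar's role checks (illustrative, not Pulsar's code)."""
    role = token_role(token, secret)
    if role in super_user_roles:  # superUserRoles in broker.conf
        return {"role": role, "level": "super-user", "actions": {"*"}}
    if role in tenant_admin_roles:  # --admin-roles on the tenant: may manage its namespaces and policies
        return {"role": role, "level": "tenant-admin", "actions": {"produce", "consume", "policies"}}
    actions = set(namespace_permissions.get(role, []))  # namespaces grant-permission --actions
    return {"role": role, "level": "namespace" if actions else "none", "actions": actions}


if __name__ == "__main__":
    secret = b"constructed-demo-secret"  # stands in for the SECRETKEY file
    grants = {"pulsar-token-": ["produce", "consume"]}  # mirrors the grant-permission call in the question
    for sub in ("xxx-admin", "pulsar-token-", "unknown-role"):
        print(sub, explain_access(make_hs256_token(sub, secret), secret, {"superuser"}, {"xxx-admin"}, grants))
```

A subject that lands on "none" is exactly the situation in the question: the token authenticates (no 401) but no role matches, so policy writes fail with NotAuthorizedException.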