New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[feature][broker] Allow to configure the entry filters per namespace and per topic #17153
Conversation
e543c18
to
4ed0066
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is a great work!
thank you very much for providing this implementation.
I have left some feedback:
- do not set the directory, it is broker specific (and not all the brokers may have the same filesystem layout)
- do not add a description, we never do that in Pulsar, and it is for very low benefit
- still keep the global list of EntryFilters configured on broker.conf (otherwise local caches won't work)
you can see this production implementation of a EntryFilter
pulsar-broker/src/main/java/org/apache/pulsar/broker/admin/v2/Namespaces.java
Show resolved
Hide resolved
pulsar-broker/src/main/java/org/apache/pulsar/broker/service/BrokerService.java
Outdated
Show resolved
Hide resolved
pulsar-broker/src/test/java/org/apache/pulsar/broker/service/AbstractBaseDispatcherTest.java
Outdated
Show resolved
Hide resolved
pulsar-client-admin-api/src/main/java/org/apache/pulsar/common/policies/data/EntryFilters.java
Outdated
Show resolved
Hide resolved
pulsar-client-admin-api/src/main/java/org/apache/pulsar/common/policies/data/EntryFilters.java
Outdated
Show resolved
Hide resolved
pulsar-client-tools/src/main/java/org/apache/pulsar/admin/cli/CmdTopicPolicies.java
Outdated
Show resolved
Hide resolved
pulsar-client-tools/src/main/java/org/apache/pulsar/admin/cli/CmdTopicPolicies.java
Outdated
Show resolved
Hide resolved
4ed0066
to
728bba5
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I have two questions.
It seems to me that with this patch the entryFilters cannot be configured in broker.conf anymore, is this correct ? (in that case we have to restore such support, otherwise existing users that upgrade will have problems)
Ideally I would like to see that in a topic the entryFilters that are applied are the sum of: per-broker entry filters + per-namespace entry filters and per-topic entry filters.
This way in a multi-tenant environment the administrator can have control over what is happening.
Also we should add a flag to allow setting per-namespace and per-topic entry filters.
in some environments the system administrator doesn't want to let the users activate custom behaviour to the users (tenant/namespace operators)
@gaozhangmin we can chat on slack if you want |
@Jason918 PTAL, Thx |
1、it's still supported configuring filters via broker.conf, default value is initialized in |
@gaozhangmin thanks for your clarification. it makes sense to me. I have two remaining points:
The broker filters may have been set by the system administrator to enforce some rules and if a user (tenant admin?) is able to override the list of filters that that would be some kind of security hole. If you feel strong that we should keep the behaviour of this patch, then I would ask you to add a configuration parameter to make this behaviour configurable, in order to allow system administrators to enforce some entry filters |
@eolivelli Add a configuration parameter |
728bba5
to
d7d9e53
Compare
@gaozhangmin thank you for adding the parameter. One last comment: we are missing tests for the new option: we need tests that validate that the option is really working. |
pulsar-broker/src/main/java/org/apache/pulsar/broker/service/EntryFilterSupport.java
Show resolved
Hide resolved
@eolivelli What you mean for new option is the configuration |
correct |
d7d9e53
to
3603f94
Compare
pulsar-broker/src/test/java/org/apache/pulsar/broker/service/plugin/FilterEntryTest.java
Show resolved
Hide resolved
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
pulsar-broker/src/test/java/org/apache/pulsar/broker/auth/MockedPulsarServiceBaseTest.java
Outdated
Show resolved
Hide resolved
5d7e6a0
to
594d2d9
Compare
594d2d9
to
8cced27
Compare
…and per topic (apache#17153) (cherry picked from commit 2f4af65)
Fixes #16870
Motivation
Allow to configure the filters per namespace and per topic
Modifications
Support config namespace and topic level entry filter policy through admin api.
Verifying this change
org.apache.pulsar.broker.service.plugin.FilterEntryTest
org.apache.pulsar.broker.service.AbstractBaseDispatcherTest#testFilterEntriesForConsumerOfEntryFilter
org.apache.pulsar.broker.admin.AdminApi2Test#testSetNamespaceEntryFilters
org.apache.pulsar.broker.admin.AdminApi2Test#testSetTopicLevelEntryFilters
Documentation
Check the box below or label this PR directly.
Need to update docs?
doc-required
(Your PR needs to update docs and you will update later)
doc-not-needed
(Please explain why)
doc
(Your PR contains doc changes)
doc-complete
(Docs have been already added)