Hi Zixuan,
  From the perspective of interface implementation, for example, for
`allowTopicOperationAsync`,
  we need to determine whether the role is admin or super user in
PulsarAuthorizationProvider, not in AuthorizationService.

Regards
Jiwei Guo (Tboy)


On Fri, Jul 7, 2023 at 5:20 PM Zixuan Liu <node...@gmail.com> wrote:

> Hello everyone,
>
> When a role wants to use the resource, the role needs to have resource
> permissions.
>
> The process is to first check whether the role is the superuser or
> tenant administrator. If yes, operations are allowed. Otherwise, check
> the policies stored in zk.
>
> Right now, we have the AuthorizationService and AuthorizationProvider;
> the AuthorizationService wraps the AuthorizationProvider call. When
> you check the code, you will find that both classes have the
> superuser/tenantAdmin checks in certain places. This may cause
> confusion when developing the custom AuthorizationProvider, so I
> suggest unifying superuser/tenantAdmin checks in the
> `AuthorizationService`, and then the `AuthorizationProvider` only
> needs to consider their business permissions.
>
> I created a PR a while ago; you can check it out:
> https://github.com/apache/pulsar/pull/20145
>
> Thanks,
> Zixuan
>
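
The layering proposed in the quoted message, as an added sketch that is not code from Pulsar or from the linked PR: a service performs the superuser and tenant-admin checks once, and the provider answers only from stored policies. All type and method names, the synchronous signatures, and the sample roles, tenant and topic are assumptions made for illustration.

```java
import java.util.Map;
import java.util.Set;

// Simplified model of the proposal; every type and method name here is hypothetical.
public class UnifiedAuthzSketch {

    // A custom provider answers only the "business permission" question.
    interface Provider {
        boolean allowTopicOperation(String topic, String role, String operation);
    }

    // Constructed stand-in for the policies kept in the metadata store (zk).
    static class PolicyProvider implements Provider {
        private final Map<String, Set<String>> grants; // key: topic + "|" + role
        PolicyProvider(Map<String, Set<String>> grants) { this.grants = grants; }
        @Override
        public boolean allowTopicOperation(String topic, String role, String operation) {
            return grants.getOrDefault(topic + "|" + role, Set.of()).contains(operation);
        }
    }

    // The service runs the superuser and tenant-admin checks once, then delegates.
    static class Service {
        private final Set<String> superUsers;
        private final Map<String, Set<String>> tenantAdmins; // tenant -> admin roles
        private final Provider provider;
        Service(Set<String> superUsers, Map<String, Set<String>> tenantAdmins, Provider provider) {
            this.superUsers = superUsers;
            this.tenantAdmins = tenantAdmins;
            this.provider = provider;
        }
        boolean allowTopicOperation(String tenant, String topic, String role, String operation) {
            if (role == null || role.isEmpty()) return false;   // no identity: deny
            if (superUsers.contains(role)) return true;         // step 1: superuser
            if (tenant != null && tenantAdmins.getOrDefault(tenant, Set.of()).contains(role)) {
                return true;                                    // step 2: tenant administrator
            }
            return provider.allowTopicOperation(topic, role, operation); // step 3: policies
        }
    }

    public static void main(String[] args) {
        String topic = "persistent://acme/ns/orders"; // constructed sample data
        Service svc = new Service(Set.of("root"), Map.of("acme", Set.of("acme-admin")),
                new PolicyProvider(Map.of(topic + "|billing", Set.of("CONSUME"))));
        System.out.println(svc.allowTopicOperation("acme", topic, "root", "PRODUCE"));       // superuser
        System.out.println(svc.allowTopicOperation("acme", topic, "acme-admin", "PRODUCE")); // tenant admin
        System.out.println(svc.allowTopicOperation("acme", topic, "billing", "CONSUME"));    // policy grant
        System.out.println(svc.allowTopicOperation("acme", topic, "billing", "PRODUCE"));    // no grant
    }
}
```

In this sketch a provider that wants its own superuser or tenant-admin decision has no hook for it, because the service returns before the provider is called.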
