From 69b95b790d8dc4f0f85593572ac0a8e1bda533ec Mon Sep 17 00:00:00 2001 From: Roman Koval Date: Sun, 23 Jul 2023 16:19:45 -0400 Subject: [PATCH 1/3] document protected pub/sub topics Signed-off-by: Roman Koval --- .../building-blocks/pubsub/pubsub-scopes.md | 49 ++++++++++++++++++- 1 file changed, 48 insertions(+), 1 deletion(-) diff --git a/daprdocs/content/en/developing-applications/building-blocks/pubsub/pubsub-scopes.md b/daprdocs/content/en/developing-applications/building-blocks/pubsub/pubsub-scopes.md index a81c7d7d9..2e3cd9fec 100644 --- a/daprdocs/content/en/developing-applications/building-blocks/pubsub/pubsub-scopes.md +++ b/daprdocs/content/en/developing-applications/building-blocks/pubsub/pubsub-scopes.md @@ -11,7 +11,7 @@ description: "Use scopes to limit pub/sub topics to specific applications" [Namespaces or component scopes]({{< ref component-scopes.md >}}) can be used to limit component access to particular applications. These application scopes added to a component limit only the applications with specific IDs to be able to use the component. In addition to this general component scope, the following can be limited for pub/sub components: -- Which topics which can be used (published or subscribed) +- Which topics can be used (published or subscribed) - Which applications are allowed to publish to specific topics - Which applications are allowed to subscribe to specific topics 
@@ -33,6 +33,9 @@ To use this topic scoping three metadata properties can be set for a pub/sub com - A comma-separated list of allowed topics for all applications. - If `allowedTopics` is not set (default behavior), all topics are valid. `subscriptionScopes` and `publishingScopes` still take place if present. - `publishingScopes` or `subscriptionScopes` can be used in conjunction with `allowedTopics` to add granular limitations +- `spec.metadata.protectedTopics` + - A comma-separated list of protected topics for all applications. + - If a topic is marked as protected then an application must be explicitly granted publish or subscribe permissions through `publishingScopes` or `subscriptionScopes` to publish/subscribe to it. These metadata properties can be used for all pub/sub components. The following examples use Redis as pub/sub component. 
@@ -152,6 +155,50 @@ The table below shows which application is allowed to subscribe to the topics: | app2 | X | | | | app3 | X | X | | +## Example 4: Mark topics as protected + +If your topic involves sensitive data, each new application must be explicitly listed in the `publishingScopes` and `subscriptionScopes` to ensure it cannot read from or write to that topic. Alternatively, you can designate the topic as 'protected' and grant access only to specific applications that genuinely require it. + +Here is an example of three applications and three topics, two of which are protected: +```yaml +apiVersion: dapr.io/v1alpha1 +kind: Component +metadata: + name: pubsub +spec: + type: pubsub.redis + version: v1 + metadata: + - name: redisHost + value: "localhost:6379" + - name: redisPassword + value: "" + - name: protectedTopics + value: "A,B" + - name: publishingScopes + value: "app1=A,B;app2=B" + - name: subscriptionScopes + value: "app1=A,B;app2=B" +``` + +> Note that topics A and B are marked as protected. As a result, even though app3 is not listed under `publishingScopes` or `subscriptionScopes` it cannot interact with these topics. + +The table below shows which application is allowed to publish into the topics: + +| | A | B | C | +|------|---|---|---| +| app1 | X | X | | +| app2 | | X | | +| app3 | | | X | + +The table below shows which application is allowed to subscribe to the topics: + +| | A | B | C | +|------|---|---|---| +| app1 | X | X | | +| app2 | | X | | +| app3 | | | X | + ## Demo From 2a418ed7fe7fd7ed6c04960c591b015c95f17ef7 Mon Sep 17 00:00:00 2001 From: kovalromank Date: Mon, 24 Jul 2023 16:00:47 -0400 Subject: [PATCH 2/3] Update daprdocs/content/en/developing-applications/building-blocks/pubsub/pubsub-scopes.md Co-authored-by: Hannah Hunter <94493363+hhunter-ms@users.noreply.github.com> Signed-off-by: kovalromank --- .../building-blocks/pubsub/pubsub-scopes.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/daprdocs/content/en/developing-applications/building-blocks/pubsub/pubsub-scopes.md b/daprdocs/content/en/developing-applications/building-blocks/pubsub/pubsub-scopes.md index 2e3cd9fec..82bc6a28a 100644 --- a/daprdocs/content/en/developing-applications/building-blocks/pubsub/pubsub-scopes.md +++ b/daprdocs/content/en/developing-applications/building-blocks/pubsub/pubsub-scopes.md @@ -157,7 +157,7 @@ The table below shows which application is allowed to subscribe to the topics: ## Example 4: Mark topics as protected -If your topic involves sensitive data, each new application must be explicitly listed in the `publishingScopes` and `subscriptionScopes` to ensure it cannot read from or write to that topic. Alternatively, you can designate the topic as 'protected' and grant access only to specific applications that genuinely require it. +If your topic involves sensitive data, each new application must be explicitly listed in the `publishingScopes` and `subscriptionScopes` to ensure it cannot read from or write to that topic. Alternatively, you can designate the topic as 'protected' (using `protectedTopics`) and grant access only to specific applications that genuinely require it. Here is an example of three applications and three topics, two of which are protected: ```yaml From f05808af11c9ea4068819e14cfaefdbb48e3bdf1 Mon Sep 17 00:00:00 2001 From: kovalromank Date: Mon, 24 Jul 2023 16:00:56 -0400 Subject: [PATCH 3/3] Update daprdocs/content/en/developing-applications/building-blocks/pubsub/pubsub-scopes.md Co-authored-by: Hannah Hunter <94493363+hhunter-ms@users.noreply.github.com> Signed-off-by: kovalromank --- .../building-blocks/pubsub/pubsub-scopes.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/daprdocs/content/en/developing-applications/building-blocks/pubsub/pubsub-scopes.md b/daprdocs/content/en/developing-applications/building-blocks/pubsub/pubsub-scopes.md index 82bc6a28a..300724247 100644 
--- a/daprdocs/content/en/developing-applications/building-blocks/pubsub/pubsub-scopes.md +++ b/daprdocs/content/en/developing-applications/building-blocks/pubsub/pubsub-scopes.md @@ -181,7 +181,7 @@ spec: value: "app1=A,B;app2=B" ``` -> Note that topics A and B are marked as protected. As a result, even though app3 is not listed under `publishingScopes` or `subscriptionScopes` it cannot interact with these topics. +In the example above, topics A and B are marked as protected. As a result, even though `app3` is not listed under `publishingScopes` or `subscriptionScopes`, it cannot interact with these topics. The table below shows which application is allowed to publish into the topics:
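Review bot: In the first hunk (`@@ -11,7 +11,7 @@`), the bullet list of what can be limited for pub/sub components now omits the capability this patch introduces; since `protectedTopics` is a fourth, distinct control (deny-by-default for named topics rather than an allow list), add a bullet alongside the existing three, for example `- Which topics are protected, so that only explicitly granted applications can publish to or subscribe to them`.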
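Review bot: In the `@@ -33,6 +33,9 @@` hunk, the unchanged bullet "If `allowedTopics` is not set (default behavior), all topics are valid" is no longer accurate once `protectedTopics` exists, because a protected topic is not valid for an application without an explicit grant even when `allowedTopics` is unset; amend that sentence and also document the precedence between the two properties, in particular what happens when a topic is listed in `protectedTopics` but not in `allowedTopics`, since the new bullets describe `protectedTopics` only in isolation.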
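Review bot: In the `@@ -152,6 +155,50 @@` hunk (Example 4), the tables show `app3` allowed on topic C while the prose never explains why; the reason is that the YAML deliberately leaves `allowedTopics` unset and C is not in `protectedTopics`, so the default-allow behavior still applies to C, whereas A and B fall back to deny. Spell that out under the YAML, and note that setting `allowedTopics: "A,B"` in the same component would remove `app3`'s access to C as well, so readers do not assume `protectedTopics` alone locks down the component.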
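Review bot: In the `@@ -157,7 +157,7 @@` hunk (patch 2/3), the amended sentence still inverts the mechanism: being listed in `publishingScopes` or `subscriptionScopes` is what grants an application access, so "each new application must be explicitly listed ... to ensure it cannot read from or write to that topic" reads as if listing denies. State the actual problem instead, for example "Without `protectedTopics`, an application that is not listed in `publishingScopes` or `subscriptionScopes` can use every topic, so every new application would have to be listed with a scope that excludes the sensitive topic", and then present `protectedTopics` as the alternative.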
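Review bot: In the `@@ -181,7 +181,7 @@` hunk (patch 3/3), "even though `app3` is not listed under `publishingScopes` or `subscriptionScopes`, it cannot interact with these topics" has the causality backwards for protected topics: it is precisely because `app3` is not listed that it is denied. Suggest "Because `app3` is not listed under `publishingScopes` or `subscriptionScopes`, it cannot publish to or subscribe to A or B; it can still use topic C, which is not protected", which also matches the tables that follow.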