wmccarley opened a new issue #4275: Proxy Lookup for Partitioned Topics Requires Explicitly Granting Permissions on Each Partition

URL: https://github.com/apache/pulsar/issues/4275

**Describe the bug**

I have a cluster where all producers and consumers connect via a proxy instance (no direct connect to the brokers.)

The brokers are configured with:

```
proxyRoles=proxy@xyz
```

The proxy is configured with:

```
authorizationEnabled=true
>> forwardAuthorizationCredentials=false
authenticationEnabled=true
```

For non-partitioned topics, granting permission to proxy@xyz and original@xyz is sufficient to allow original@xyz to produce/consume via the proxy. Also, if the two roles have permissions at the namespace level, then explicitly granting at the topic level isn't even necessary (the config is inherited.)

For partitioned topics, granting permissions as above (either explicitly to the topic name or indirectly via namespace permissions) doesn't seem to cascade to the individual partitions, so lookups fail with:

**Proxy Client is not authorized to Lookup**

If you iterate over the partitions and grant the proxy role, you can get past this error, but then you will receive errors related to the original role, so you need to iterate over the partitions again and grant that role. So effectively the workaround is to explicitly issue 2N grant-permission calls (where N is the number of partitions).

**Expected behavior**

1. Any calls to lookup permissions for specific partitions should delegate to the permissions of the "parent" topic.
2. API should prevent a user from explicitly granting permissions to individual partitions to avoid confusion.
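The 2N-grant workaround described in the issue, as an added example that is not part of the original report or of Pulsar's own code. It only prints the `pulsar-admin topics grant-permission` commands so they can be reviewed before being run; the topic name, partition count and actions are constructed placeholders, and `partition_grants` and `is_safe` are hypothetical helper names.

```shell
#!/bin/sh
# Added example: emit one grant per (role, partition) pair, i.e. 2N commands
# for the proxy role plus the original role on an N-partition topic.

# is_safe VALUE: accept only characters expected in topic names, roles and
# action lists, so the printed commands are safe to paste into a shell.
is_safe() {
    case $1 in
        ''|*[!A-Za-z0-9@._:/,-]*) return 1 ;;
    esac
    return 0
}

# partition_grants PARENT_TOPIC N ACTIONS ROLE [ROLE...]
partition_grants() {
    [ $# -ge 4 ] || { echo "usage: partition_grants TOPIC N ACTIONS ROLE..." >&2; return 2; }
    topic=$1; n=$2; actions=$3
    shift 3
    case $n in
        ''|*[!0-9]*) echo "partition count must be an integer" >&2; return 2 ;;
    esac
    # Take the parent topic only; the -partition-N suffix is appended below.
    case $topic in
        *-partition-[0-9]*) echo "pass the parent topic, not a partition" >&2; return 2 ;;
    esac
    for v in "$topic" "$actions" "$@"; do
        is_safe "$v" || { echo "unexpected characters in: $v" >&2; return 2; }
    done
    for role in "$@"; do
        i=0
        while [ "$i" -lt "$n" ]; do
            printf 'pulsar-admin topics grant-permission --role %s --actions %s %s-partition-%d\n' \
                "$role" "$actions" "$topic" "$i"
            i=$((i + 1))
        done
    done
}

# Constructed sample: a 4-partition topic and the two roles from the issue.
partition_grants persistent://tenant/ns/orders 4 produce,consume proxy@xyz original@xyz
```

Each printed line grants one role on one partition, so the grants stay auditable and can be revoked the same way once lookups delegate to the parent topic.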
