momo-jun commented on code in PR #18343: URL: https://github.com/apache/pulsar/pull/18343#discussion_r1021017101
########## site2/docs/security-overview.md: ########## @@ -38,13 +38,15 @@ The way how each client passes its authentication data to brokers varies dependi - If a client supports authentication refreshing and the credential is expired, brokers send the `CommandAuthChallenge` command to exchange the authentication data with the client. If the next check finds that the previous authentication exchange has not been returned, brokers disconnect the client. - If a client does not support authentication refreshing and the credential is expired, brokers disconnect the client. -:::note +### Authentication data limitations on the proxies -When you use proxies between clients and brokers, brokers only authenticate proxies (known as **self-authentication**) by default. To forward the authentication data from clients to brokers for client authentication (known as **original authentication**), you need to: -1. Set `forwardAuthorizationCredentials` to `true` in the `conf/proxy.conf` file. -2. Set `authenticateOriginalAuthData` to `true` in the `conf/broker.conf` file, which ensures that brokers recheck the client authentication. +When you use proxies between clients and brokers, there are two authentication data, one from proxies, one from clients, brokers only authenticate proxies (known as **self-authentication**) by default. To forward the authentication data from clients to brokers for client authentication (known as **original authentication**). Review Comment: ```suggestion When you use proxies between clients and brokers, there are two authentication data: * authentication data from proxies that brokers only authenticate by default - known as **self-authentication**. * authentication data from clients - known as **original authentication**. ``` Is this what you mean? -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
