nodece commented on code in PR #18343: URL: https://github.com/apache/pulsar/pull/18343#discussion_r1021091892
########## site2/docs/security-overview.md: ########## 
@@ -38,13 +38,15 @@ The way how each client passes its authentication data to brokers varies dependi - If a client supports authentication refreshing and the credential is expired, brokers send the `CommandAuthChallenge` command to exchange the authentication data with the client. If the next check finds that the previous authentication exchange has not been returned, brokers disconnect the client. - If a client does not support authentication refreshing and the credential is expired, brokers disconnect the client. -:::note +### Authentication data limitations on the proxies -When you use proxies between clients and brokers, brokers only authenticate proxies (known as **self-authentication**) by default. To forward the authentication data from clients to brokers for client authentication (known as **original authentication**), you need to: -1. Set `forwardAuthorizationCredentials` to `true` in the `conf/proxy.conf` file. -2. Set `authenticateOriginalAuthData` to `true` in the `conf/broker.conf` file, which ensures that brokers recheck the client authentication. +When you use proxies between clients and brokers, there are two authentication data, one from proxies, one from clients, brokers only authenticate proxies (known as **self-authentication**) by default. To forward the authentication data from clients to brokers for client authentication (known as **original authentication**). -::: +**Important:** If your authentication data contains an expiration time, or your authorization provider depends on the authentication data, you must to: + +1. Ensure your authentication data of proxies no expiration time, brokers don't support refreshing this authentication data. Review Comment: This is a reason.
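Review bot: In the added paragraph under "Authentication data limitations on the proxies", the sentence "To forward the authentication data from clients to brokers for client authentication (known as **original authentication**)." is left as a fragment. The removed note completed it with "you need to:" and the two steps that set `forwardAuthorizationCredentials` in `conf/proxy.conf` and `authenticateOriginalAuthData` in `conf/broker.conf`, and neither setting appears in the added lines visible here, so a reader no longer learns how to enable original authentication. Suggest restoring those two steps or completing the sentence. In the same paragraph, split the comma splice "there are two authentication data, one from proxies, one from clients, brokers only authenticate proxies" into two sentences, change "you must to:" to "you must:", and give step 1 a verb, for example "Ensure that the proxy's authentication data has no expiration time, because brokers don't support refreshing it." Since step 1 asks operators to use a proxy credential that never expires, it would also help to state what brokers do when that credential does expire.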
