nodece opened a new pull request, #19390: URL: https://github.com/apache/pulsar/pull/19390
### Motivation When `anonymousUserRole` is configured, and auth method is `none`, the broker only stores the `authRole`, ignores the original auth data and role forwarded by the proxy, see https://github.com/apache/pulsar/blob/b3432f4ed9c9c19eef4ed696253eb2c18ebbf59d/pulsar-broker/src/main/java/org/apache/pulsar/broker/service/ServerCnx.java#L898-L904 We cannot ingore the original authentication data and original role forwarded by the proxy, the original authentication data from `CommandConnect#getOriginalAuthData`, and the original role from `CommandConnect#getOriginalPrincipal`. ### Modifications - Add `checkOriginalAuthDataForwardedByProxy` method to check the original authentication - When using anonymous role, we also check the original authentication ### Verifying this change - [x] Make sure that the change passes the CI checks. Added `ProxyAnonymousRoleTest` test. ### Documentation <!-- DO NOT REMOVE THIS SECTION. CHECK THE PROPER BOX ONLY. --> - [ ] `doc` <!-- Your PR contains doc changes. --> - [ ] `doc-required` <!-- Your PR changes impact docs and you will update later --> - [x] `doc-not-needed` <!-- Your PR changes do not impact docs --> - [ ] `doc-complete` <!-- Docs have been already added --> -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
