michaeljmarshall opened a new pull request, #19455: URL: https://github.com/apache/pulsar/pull/19455
### Motivation

While working on https://github.com/apache/pulsar/pull/19270, I noticed we do not set any strict rules on which roles can supply the `originalPrincipal` or `originalAuthData` fields on the `ConnectCommand`: https://github.com/apache/pulsar/blob/b0945d1d45d1e911d24151a23cf284e476203ba7/pulsar-common/src/main/proto/PulsarApi.proto#L279-L288

The goal is to prevent connections where the `originalPrincipal` is set with an `authRole` that is not a proxy role. This is an invalid state that was allowed to persist before. It was not, strictly speaking, a vulnerability because `isTopicOperationAllowed` validates that both the `originalPrincipal` and the `authRole` have permission to perform any operation the client attempts.

This is technically a breaking change in that upgrading existing proxies will not work if `proxyRoles` is not correctly configured in the `broker.conf`.

### Modifications

* Update the `ServerCnx#isValidRoleAndOriginalPrincipal` method to require that when `originalPrincipal` is set, the `authRole` must be in the `proxyRoles` set. Because we run this check after authenticating the `originalAuthData`, we will correctly fail calls that pass and calls that do not pass the `originalAuthData`.

### Verifying this change

An existing test is updated to cover the added logic.

### Does this pull request potentially affect one of the following parts:

- [x] The binary protocol

This change affects the binary protocol's usage without changing the binary protocol itself.

### Documentation

- [x] `doc-required`

If we accept this change, I'll follow up with a docs PR to make sure all documentation is up to date.

### Matching PR in forked repository

PR in forked repository: https://github.com/michaeljmarshall/pulsar/pull/25
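A small model of the broker-side rule described in the Modifications section, added here as an example and not taken from Pulsar's `ServerCnx`: the connecting party is authenticated, any forwarded `originalAuthData` is authenticated next, and only then does the role check reject an `originalPrincipal` supplied by a role outside `proxyRoles`. The `proxyRoles` set, the credential table, the topic ACL, and the rule that an authenticated `originalAuthData` must agree with `originalPrincipal` are constructed for this model.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

# Constructed stand-ins for broker.conf proxyRoles, an authentication provider
# (credential -> role) and topic ACLs. None of this is Pulsar's code.
PROXY_ROLES: Set[str] = {"proxy-role"}
CREDENTIALS: Dict[str, str] = {"proxy-token": "proxy-role", "alice-token": "alice", "bob-token": "bob"}
TOPIC_ACL: Dict[str, Set[str]] = {"persistent://tenant/ns/orders": {"alice", "proxy-role"}}

@dataclass(frozen=True)
class ConnectCommand:
    auth_data: str                             # credentials of the party that opened the connection
    original_principal: Optional[str] = None   # end-client role a proxy claims to act for
    original_auth_data: Optional[str] = None   # end-client credentials forwarded by the proxy

def authenticate(auth_data: str) -> str:
    if auth_data not in CREDENTIALS:
        raise PermissionError("authentication failed")
    return CREDENTIALS[auth_data]

def is_valid_role_and_original_principal(auth_role: str, original_principal: Optional[str],
                                         proxy_roles: Set[str]) -> bool:
    """The rule the PR adds: an originalPrincipal may only be supplied by a proxy role."""
    return original_principal is None or auth_role in proxy_roles

def handle_connect(cmd: ConnectCommand, proxy_roles: Set[str] = PROXY_ROLES) -> Tuple[str, Optional[str]]:
    """Return (authRole, originalPrincipal) for an accepted connection, else raise PermissionError."""
    auth_role = authenticate(cmd.auth_data)
    original_principal = cmd.original_principal
    # As in the PR, originalAuthData (when present) is authenticated before the role
    # check, so a non-proxy role is rejected with or without it. Requiring the
    # authenticated role to equal originalPrincipal is a simplification of this model.
    if cmd.original_auth_data is not None:
        forwarded_role = authenticate(cmd.original_auth_data)
        if original_principal not in (None, forwarded_role):
            raise PermissionError("originalPrincipal does not match originalAuthData")
        original_principal = forwarded_role
    if not is_valid_role_and_original_principal(auth_role, original_principal, proxy_roles):
        raise PermissionError(f"{auth_role!r} is not in proxyRoles but supplied originalPrincipal")
    return auth_role, original_principal

def is_topic_operation_allowed(auth_role: str, original_principal: Optional[str], topic: str) -> bool:
    """Existing defence the PR mentions: both roles must hold permission on the topic."""
    allowed = TOPIC_ACL.get(topic, set())
    return auth_role in allowed and (original_principal is None or original_principal in allowed)
```

With the configured `proxyRoles`, a proxy connecting on behalf of `alice` is accepted, while `bob` presenting `originalPrincipal=alice` is rejected at connect time rather than later at the per-operation check.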
