nicoloboschi commented on PR #19455: URL: https://github.com/apache/pulsar/pull/19455#issuecomment-1422192933
> > I think we should add a parameter in the config file, and when this parameter is enabled, we perform the strict checks.
>
> My primary concern with making this requirement configurable is that it is prone to error. For me, the justification comes here:
>
> https://github.com/apache/pulsar/blob/d7c4e373ac8cb60f234c9c231e5dce5bf7c9b50e/pulsar-broker-common/src/main/java/org/apache/pulsar/broker/authorization/AuthorizationService.java#L344-L353
>
> A proxy that forwards an admin call without being configured as a `proxyRole` will only be authorized based on the role supplied by the proxy. Since these `proxyRoles` are often also `superUsers`, this is extremely problematic and easy to misconfigure, especially because everything will "work" when the proxy's auth role is a super user. However, it will work because the proxy is over-provisioned, and the misconfiguration could lead to elevated permissions for the client.

@michaeljmarshall good work! IIUC, if the proxy uses a role not included in `proxyRoles`, the `originalPrincipal` authorization checks are skipped completely? So if the proxy uses a super user which is not correctly set in the broker's `proxyRoles`, any client connected through the proxy is considered a superuser by the broker?
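To make the misconfiguration discussed above concrete, here is an added example (not Pulsar's own code) that models the broker-side check as the comment describes it: when the connecting role is not listed in `proxyRoles`, only that role is authorized and the forwarded `originalPrincipal` is ignored. The config class, role names, operations and the `unregistered_proxy_roles` lint are hypothetical and constructed for illustration.

```python
# Added example, not from the Pulsar code base. It models the authorization
# behaviour described in the PR comment and adds a config sanity check that
# flags proxies whose role is missing from the broker's proxyRoles.
from dataclasses import dataclass, field


@dataclass
class BrokerAuthConfig:
    super_users: set = field(default_factory=set)   # broker superUsers
    proxy_roles: set = field(default_factory=set)   # broker proxyRoles
    # role -> set of permitted operations (constructed sample ACL)
    grants: dict = field(default_factory=dict)


def _role_allowed(cfg, role, operation):
    """A superuser may do anything; otherwise consult the role's grants."""
    if role in cfg.super_users:
        return True
    return operation in cfg.grants.get(role, set())


def authorize(cfg, role, original_principal, operation):
    """Model of the check described in the thread.

    `role` is the principal that authenticated on the connection (the proxy's
    role when the call came through a proxy). `original_principal` is the end
    client's role as forwarded by the proxy, or None for a direct connection.
    """
    if original_principal is None or role not in cfg.proxy_roles:
        # Not recognised as a proxy: only the connecting role is checked and
        # the forwarded principal is ignored. If that role is a superuser,
        # every client behind the proxy is effectively a superuser too.
        return _role_allowed(cfg, role, operation)
    # Recognised proxy: both the proxy and the end client must be authorized.
    return (_role_allowed(cfg, role, operation)
            and _role_allowed(cfg, original_principal, operation))


def unregistered_proxy_roles(cfg, roles_used_by_proxies):
    """Hypothetical lint: roles that proxies actually authenticate with but
    that are not declared in proxyRoles. Any of these that is also a
    superuser is the silent escalation the comment warns about."""
    return set(roles_used_by_proxies) - cfg.proxy_roles


if __name__ == "__main__":
    # Constructed sample: the proxy authenticates as a superuser that the
    # broker was never told is a proxy.
    broken = BrokerAuthConfig(super_users={"proxy-admin"},
                              grants={"client-a": {"produce"}})
    print(authorize(broken, "proxy-admin", "client-a", "delete-tenant"))
    print(unregistered_proxy_roles(broken, {"proxy-admin"}))
```

With `proxy-admin` added to `proxy_roles`, the same call is denied because `client-a` holds no `delete-tenant` grant, while its permitted `produce` still succeeds.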
