tuteng commented on PR #19455: URL: https://github.com/apache/pulsar/pull/19455#issuecomment-1463376940
> @tuteng - the proxy is supposed to connect using one of the `proxyRoles` configured in the `broker.conf`. This is somewhat documented here https://pulsar.apache.org/docs/2.11.x/security-authorization/#proxy-roles. If the proxy connects with something other than a proxy role when using TLS authentication, only the proxy's role will be used to verify authorization, and that will likely result in accidental elevation of privileges. In my opinion, this is not a breaking change because it is preventing a state that shouldn't have existed in the first place. However, I guess that conclusion is up for debate.

I would like to confirm whether it is possible to make it optional (enabled or disabled). In many user environments it can be trusted and there is no such risk. Now, is it a good option to have it on by default in all major versions and not be able to disable it? @michaeljmarshall
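A simplified model of the authorization behaviour described in the quoted comment, added here as an illustration; it is not Pulsar code and not taken from the PR. The function names, roles, topic and ACL are constructed, and the strict variant is an assumed form of the check under discussion.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample configuration (assumption, not from the PR).
PROXY_ROLES = {"proxy"}                      # models broker.conf proxyRoles
TOPIC = "persistent://tenant/ns/orders"
ACL = {TOPIC: {"proxy", "edge-proxy", "billing-app"}}

@dataclass(frozen=True)
class Connection:
    auth_role: str                     # role the broker authenticated, e.g. from the TLS cert
    original_principal: Optional[str]  # client role forwarded by a proxy, if any

def authorize_lenient(conn, proxy_roles, acl, topic):
    """Behaviour described in the quoted comment."""
    allowed = acl.get(topic, set())
    if conn.auth_role in proxy_roles:
        # Recognised proxy: proxy role and forwarded client must both be permitted.
        return conn.auth_role in allowed and conn.original_principal in allowed
    # Not a proxy role: only the connection's own role is checked, so a
    # forwarded original principal is never consulted.
    return conn.auth_role in allowed

def authorize_strict(conn, proxy_roles, acl, topic):
    """Assumed form of the stricter check: refuse a forwarded principal
    unless the authenticated role is one of the proxy roles."""
    if conn.original_principal is not None and conn.auth_role not in proxy_roles:
        return False
    return authorize_lenient(conn, proxy_roles, acl, topic)

# A proxy whose certificate maps to "edge-proxy", which was granted topic
# permissions but was never added to proxyRoles, forwarding client "guest".
misconfigured = Connection("edge-proxy", "guest")
# The same client behind a proxy that uses a configured proxy role.
configured = Connection("proxy", "guest")
# A permitted client connecting directly, without a proxy.
direct = Connection("billing-app", None)

if __name__ == "__main__":
    for name, conn in [("misconfigured", misconfigured),
                       ("configured", configured),
                       ("direct", direct)]:
        print(name,
              "lenient:", authorize_lenient(conn, PROXY_ROLES, ACL, TOPIC),
              "strict:", authorize_strict(conn, PROXY_ROLES, ACL, TOPIC))
```

In this model "guest" has no permission on the topic, yet the lenient check admits it through the misconfigured proxy because only "edge-proxy" is evaluated.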
