michaeljmarshall opened a new pull request, #19830: URL: https://github.com/apache/pulsar/pull/19830
### Motivation In #19455, I made a change to require that only a role in the broker's `proxyRoles` configuration could provide an original principal. Because this change can break certain installations on patch upgrades, a better temporary solution is to always authorize the `originalPrincipal` when present and to allow non proxy roles to supply the original principal. ### Modifications * Update the `AuthorizationService#isValidOriginalPrincipal` to allow non proxy roles to supply an original principal. I added a log line in place of the previous failure. * Update all calls to `ServiceConfiguration#getProxyRoles()` to also check if the original principal is not blank. When it is not blank, we will authorize both roles. Note that this is consistent with the logic in the `AuthorizationService#isValidOriginalPrincipal` method that is already merged to master. * Update tests to allow for this new behavior. ### Verifying this change I modified existing tests to make this work, and I added a new test to cover mos of the relevant cases where we changed logic. I plan to copy the new tests to master since they will be valuable there too. ### Documentation - [x] `doc-required` I will follow up with docs for these proxy changes. ### Matching PR in forked repository PR in forked repository: in order to save time, we'll run tests directly in the pulsar repo. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
