michaeljmarshall commented on code in PR #20861:
URL: https://github.com/apache/pulsar/pull/20861#discussion_r1272845465
##########
pulsar-broker/src/main/java/org/apache/pulsar/broker/web/PulsarWebResource.java:
##########
@@ -1302,4 +1302,23 @@ protected static void
resumeAsyncResponseExceptionally(AsyncResponse asyncRespon
asyncResponse.resume(new RestException(realCause));
}
}
+
+ /**
+ * Gets the real client role.<br/>
+ *
+ * When authentication is enabled, if the original principal (the role
forwarded by the proxy) is not null,
+ * the original principal is returned, otherwise the client ID is
returned.<br/>
+ *
+ * When authentication is disabled, returns null.
+ */
+ protected String getRealClientRole() {
+ if (!pulsar().getConfiguration().isAuthorizationEnabled()) {
+ return null;
+ }
+ String original = originalPrincipal();
+ if (original != null) {
+ return original;
+ }
+ return clientAppId();
+ }
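Review bot: The Javadoc on getRealClientRole() speaks of authentication ("When authentication is enabled", "When authentication is disabled, returns null"), but the guard tests isAuthorizationEnabled(). With authentication on and authorization off, the method returns null, which contradicts the comment; either reword the Javadoc to say authorization or check the authentication setting instead. Separately, originalPrincipal() is returned whenever it is non-null, and nothing in this method checks that clientAppId() is a proxy role, so the Javadoc should state where that validation is expected to have happened before this value is used for an access decision.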
Review Comment:
If we do move forward with this PR, one shortcoming for this notion of
"real client role" is that the `AuthorizationProvider` won't know if the
`clientAuthData` is from the proxy or from the client. An alternative that
would maintain the references correctly is the `AuthenticationParameters` class.