nodece commented on PR #23036: URL: https://github.com/apache/pulsar/pull/23036#issuecomment-2232445203
> Broker performs authorization for both the proxy's principal name and the original principal name, and both principal names must be present in the namespace authorization policy. When using a proxy, the broker must check the proxy's principal name and the original principal name, regardless of the protocol you are using.
> It means if a client wants to access Pulsar-Broker via the proxy then the proxy's role must be added into namespace policies, and if the proxy server's certs are compromised then client data can be at risk. This behavior is incorrect, insecure and not compatible with existing binary authentication.

Do you mean that the client uses the proxy's principal name?

- In the binary protocol, the broker doesn't allow the proxy's principal name and the original principal name to be the same (https://github.com/apache/pulsar/pull/19455).
- In the HTTP protocol, the broker allows the proxy's principal name and the original principal name to be the same (https://github.com/apache/pulsar/pull/19557).

I forgot why I approved #19557, which may introduce a security risk in HTTP proxy authorization.

This PR changes the authorization logic: right now you only check the original principal name, and the proxy's principal name is ignored.
