Technoboy- commented on PR #23036: URL: https://github.com/apache/pulsar/pull/23036#issuecomment-2232622292
> > When using a proxy, the broker must check the proxy's principal name and original principal name, regardless of the protocol you are using.
>
> Of course, yes, but proxy role must not be part of the namespace policy authorization and client doesn't have to explicitly grant permission to proxy-role. Broker checks proxy role by checking authenticating proxy request and proxy's principal name must be part of `ServiceConfiguration::proxyRoles`. Binary Protocol does it correctly because that's what we have introduced when it first implemented proxy and authentication, but later on someone implemented this model incorrectly for HTTP requests.

Agree, could you help add a test for this?
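
The authorization model described in the quoted reply, as an added example that is not part of the thread or of Pulsar's code: a simplified Java model in which the proxy role is validated against the proxy-role set and only the forwarded client principal is checked against namespace grants. `PROXY_ROLES` stands in for `ServiceConfiguration::proxyRoles`; the class, method names, sample roles and grants, and the two rejection rules marked in comments are assumptions of this sketch.

```java
import java.util.Map;
import java.util.Set;

/** Simplified model for illustration; hypothetical names, not Pulsar's AuthorizationService. */
public class ProxyAuthzModel {
    // Stand-in for ServiceConfiguration::proxyRoles (constructed value).
    static final Set<String> PROXY_ROLES = Set.of("proxy-role");
    // Constructed namespace policy: role -> namespaces it was granted. The proxy role has no grant.
    static final Map<String, Set<String>> GRANTS = Map.of("client-a", Set.of("tenant/ns1"));

    static boolean granted(String role, String namespace) {
        return GRANTS.getOrDefault(role, Set.of()).contains(namespace);
    }

    /**
     * @param authRole          principal the broker authenticated on the connection or HTTP request
     * @param originalPrincipal client identity forwarded by a proxy, or null for a direct client
     */
    static boolean allow(String authRole, String originalPrincipal, String namespace) {
        if (authRole == null) {
            return false;
        }
        if (PROXY_ROLES.contains(authRole)) {
            // Assumption of this sketch: a proxy must forward a real client identity,
            // never an empty one and never another proxy role.
            if (originalPrincipal == null || originalPrincipal.isBlank()
                    || PROXY_ROLES.contains(originalPrincipal)) {
                return false;
            }
            // Namespace policy is evaluated for the client only, not for the proxy role.
            return granted(originalPrincipal, namespace);
        }
        // Assumption of this sketch: a non-proxy role may not assert someone else's identity.
        if (originalPrincipal != null && !originalPrincipal.equals(authRole)) {
            return false;
        }
        return granted(authRole, namespace);
    }

    public static void main(String[] args) {
        String ns = "tenant/ns1";
        boolean[] got = { allow("proxy-role", "client-a", ns), allow("proxy-role", "client-b", ns),
            allow("proxy-role", null, ns), allow("client-b", "client-a", ns), allow("client-a", null, ns) };
        boolean[] want = { true, false, false, false, true };
        for (int i = 0; i < got.length; i++) {
            if (got[i] != want[i]) throw new AssertionError("case " + i + " returned " + got[i]);
        }
        System.out.println("all cases behave the same way for any transport");
    }
}
```

Calling the same `allow` decision from both the binary-protocol and HTTP entry points is what a regression test for this behaviour would compare.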
