rdhabalia commented on PR #23036: URL: https://github.com/apache/pulsar/pull/23036#issuecomment-2234143702
>. We verify both the proxy and the original role permission level on the binary protocol here: https://github.com/apache/pulsar/blob/53df683b0f78f5f7c12f87e6fbb4d73637ca5bd5/pulsar-broker/src/main/java/org/apache/pulsar/broker/service/ServerCnx.java#L468-L494 No, that is incorrect as well. you can check the code and you will see that `isProxyAuthorizedFuture = service.getAuthorizationService().allowTopicOperationAsync` performs authorization on `originalPrincipal` and ProxyRole gets validated by checking if it's in proxyRole here https://github.com/apache/pulsar/blob/branch-2.10/pulsar-broker/src/main/java/org/apache/pulsar/broker/service/ServerCnx.java#L667 -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
