nodece commented on PR #23036:
URL: https://github.com/apache/pulsar/pull/23036#issuecomment-2235256804

> How does it matter? `ServiceConfiguration::proxyRoles` is a list of proxy roles and broker can have multiple proxy roles to allow access.

**`ServiceConfiguration::proxyRoles` checks if the authentication principal is a proxy role.** If you want to allow the proxy's principal to do anything, you can add the proxy's principal to `ServiceConfiguration::superUserRoles`.

Proxy cases:

- Proxy case 1 - one proxy
  Usually, we add the proxy's principal to the super user list and the proxy role list. When doing authorization, the broker will check whether both the proxy's principal (superuser) and the original principal have been authorized.

- Proxy case 2 - multiple proxies
  Use multiple proxies to do fine-grained permission control. Assume there are `proxy-a` and `proxy-b` proxies, which have been added to the proxy role list and do not exist in the super user list. We need to grant the permission for `proxy-a` and `proxy-b`; otherwise, it is not allowed to pass.

Your PR breaks case 2 and introduces the security risk:
> If I understand it correctly, it implicitly elevates all proxy roles to super user privilege level. Users can currently configure proxy roles to lesser privileges, so that would present a problem for those users.
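The two proxy cases above, as an added illustration that is not Pulsar's code: a simplified model of the broker-side check in which a request arriving through a proxy carries both the proxy's principal and the original principal, with the "elevated" variant showing why treating every proxy role as a super user breaks case 2. Role names, topics and the `grants` table are constructed sample data; the handling of a proxy that forwards no original principal is an assumption of the model.

```python
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class BrokerAuthz:
    """Simplified model (not Pulsar's own implementation) of broker authorization."""
    super_user_roles: set[str]
    proxy_roles: set[str]
    # role -> topics that role has been granted (constructed sample data)
    grants: dict[str, set[str]] = field(default_factory=dict)

    def role_allowed(self, role: str, topic: str) -> bool:
        # A super user may do anything; any other role needs an explicit grant.
        return role in self.super_user_roles or topic in self.grants.get(role, set())

    def is_authorized(self, principal: str, original_principal: str | None, topic: str) -> bool:
        """Current behaviour: via a proxy, BOTH principals must be authorized."""
        if principal not in self.proxy_roles:
            return self.role_allowed(principal, topic)   # direct client
        if original_principal is None:
            return False   # model assumption: a proxy role must forward an original principal
        return self.role_allowed(principal, topic) and self.role_allowed(original_principal, topic)

    def is_authorized_elevated(self, principal: str, original_principal: str | None, topic: str) -> bool:
        """Behaviour the comment warns about: every proxy role is implicitly a
        super user, so only the original principal is checked."""
        if principal not in self.proxy_roles:
            return self.role_allowed(principal, topic)
        if original_principal is None:
            return False
        return self.role_allowed(original_principal, topic)


# Constructed configuration covering both cases: proxy-super is in the super
# user list (case 1); proxy-a and proxy-b are proxy roles with narrow grants (case 2).
AUTHZ = BrokerAuthz(
    super_user_roles={"proxy-super"},
    proxy_roles={"proxy-super", "proxy-a", "proxy-b"},
    grants={"proxy-a": {"topic-a"}, "proxy-b": {"topic-b"}, "alice": {"topic-a", "topic-b"}},
)
```

With the current check, `proxy-a` forwarding alice to `topic-b` is denied because the proxy itself has no grant there; the elevated variant allows it, which is the loss of fine-grained control described in the comment.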

