Jennifer88huang commented on a change in pull request #7297: URL: https://github.com/apache/pulsar/pull/7297#discussion_r442217594
########## File path: site2/docs/administration-proxy.md ########## @@ -1,30 +1,32 @@ --- id: administration-proxy -title: The Pulsar proxy +title: Pulsar proxy sidebar_label: Pulsar proxy --- -The [Pulsar proxy](concepts-architecture-overview.md#pulsar-proxy) is an optional gateway that you can run in front of the brokers in a Pulsar cluster. You can run a Pulsar proxy in cases when direction connections between clients and Pulsar brokers are either infeasible, undesirable, or both, for example when you run Pulsar in a cloud environment or on [Kubernetes](https://kubernetes.io) or an analogous platform. +Pulsar proxy is an optional gateway. Pulsar proxy is used when direction connections between clients and Pulsar brokers are either infeasible or undesirable. For example, when you run Pulsar in a cloud environment or on [Kubernetes](https://kubernetes.io) or an analogous platform, you can run Pulsar proxy. ## Configure the proxy -The proxy must have some way to find the addresses of the brokers of the cluster. You can do this by either configuring the proxy to connect directly to service discovery or by specifying a broker URL in the configuration. +Before using the proxy, you need to configure it with the brokers addresses in the cluster. You can configure the proxy to connect directly to service discovery, or specify a broker URL in the configuration. -### Option 1: Use service discovery +### Use service discovery Pulsar uses [ZooKeeper](https://zookeeper.apache.org) for service discovery. To connect the proxy to ZooKeeper, specify the following in `conf/proxy.conf`. ```properties zookeeperServers=zk-0,zk-1,zk-2 configurationStoreServers=zk-0:2184,zk-remote:2184 ``` -> If you use service discovery, the network ACL must allow the proxy to talk to the ZooKeeper nodes on the zookeeper client port, which is usually 2181, and on the configuration store client port, which is 2184 by default. Opening the network ACLs means that if someone compromises a proxy, they have full access to ZooKeeper. For this reason, using broker URLs to configure the proxy is more secure. +> To use service discovery, you need to open the network ACLs, so the proxy can connects to the ZooKeeper nodes on the ZooKeeper client port(the default is `2181`) and the configuration store client port(the default is `2184`). -### Option 2: Use broker URLs +> However, it is not secure to use service discovery. Because if the network ACL is open, when someone compromises a proxy, they have full access to ZooKeeper. -The more secure method of configuring the proxy is to specify a URL to connect to the brokers. +### Use broker URLs -> [Authorization](security-authorization#enable-authorization-and-assign-superusers) at the proxy requires access to ZooKeeper, so if you use these broker URLs to connect to the brokers, you should disable the Proxy level authorization. Brokers still authorize requests after the proxy forwards them. +It is more secure to specify a URL to connect to the brokers. + +Proxy authorization requires access to ZooKeeper, so if you use these broker URLs to connect to the brokers, you need disable authorization at Proxy level. Brokers still authorize requests after the proxy forwards them. Review comment: thank you very much for your refinement~ ---------------------------------------------------------------- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: [email protected]
