jai1 commented on issue #1991: TLS auth cannot be used between proxy and brokers
URL: https://github.com/apache/incubator-pulsar/issues/1991#issuecomment-400220446
 
 
   Hi Ivan,
   
   Since the proxy was meant to be on a public IP, we have added extra
   authentication checks to prevent MITM attacks and safeguard against
   compromised proxies, but all these extra checks are configurable and are
   turned off by default.
   
   a. You can disable authentication and authorization on the proxy to
   disable all checks. (Not recommended for production)
   
   b. If authentication and authorization are enabled on Proxy and Broker, and
   if a consume or produce action is via a proxy, then:
       - originalPrincipal will contain the Client role name (aka principal)
       - authRole will contain the Proxy role name, extracted from
   authenticationData and authMethod sent by the proxy
       - Both the Proxy and the end Client *should* have the appropriate
   consume or produce permissions, or else a compromised proxy can mimic any
   client by just sending a stolen originalPrincipal (string). Or in other
   words, a compromised proxy should not be able to access more data than a
   compromised client.
   
   c. OriginalPrincipal is just a string and can easily be remanufactured by a
   compromised proxy, so in order to safeguard the service you can enable
   "forwardAuthorizationCredentials" on the proxy and enable
   "authenticateOriginalAuthData" on the broker.
       - The proxy will forward the client authenticationData (digital
   signature with TTL) and authenticationData instead of a string, and the
   broker will authenticate the end client and extract originalPrincipal from
   client authenticationData.
   
   d. Another scenario could be that the proxy mimics the client by setting
   originalPrincipal as NULL.
      - In order to prevent that you can set "proxyRoles" in the broker
   configuration.
   
   
   Below are some links to the configurations you can set. This weekend I will
   go through the documentation and add any missing pieces (if any).
   
   
https://github.com/apache/incubator-pulsar/blob/master/pulsar-broker-common/src/main/java/org/apache/pulsar/broker/ServiceConfiguration.java#L247
   
https://github.com/apache/incubator-pulsar/blob/master/pulsar-broker-common/src/main/java/org/apache/pulsar/broker/ServiceConfiguration.java#L251
   
https://github.com/apache/incubator-pulsar/blob/master/pulsar-proxy/src/main/java/org/apache/pulsar/proxy/server/ProxyConfiguration.java#L79
   
   Regards,
   Jai
   On Mon, Jun 25, 2018 at 12:42 PM, Ivan Kelly <[email protected]>
   wrote:
   
   > @pckeyan <https://github.com/pckeyan> I'd like to talk to @merlimat
   > <https://github.com/merlimat> & @jai1 <https://github.com/jai1> since
   > they've worked on similar stuff, but the planned fix is to send the
   > original authenticated rolename with the proxied requests, similar to how
   > we do for the data protocol. Then we'd need to document all this stuff,
   > because there's no documentation right now. Hopefully I can knock out the
   > fix tomorrow.
   
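As an added illustration of the broker-side checks jai1 describes (not Pulsar's own code), the following Python model shows how proxyRoles, the trusted originalPrincipal string, and authenticateOriginalAuthData change which principal the broker authorizes and why both proxy and client need permission on the topic. The role names, the consume ACL, the client secrets and the "<role>:<secret>" auth-data format are all constructed for this example.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional

# Constructed stand-ins (not Pulsar's real providers): client "authenticationData"
# is the string "<role>:<secret>", verified against this table.
CLIENT_SECRETS = {"alice": "s3cret-a", "bob": "s3cret-b"}
CONSUME_ACL = {  # sample ACL: roles allowed to consume each topic
    "topic-a": {"alice", "proxy-role"},  # proxy AND client permitted
    "topic-b": {"alice"},                # client permitted, proxy not
}

@dataclass(frozen=True)
class BrokerConfig:
    authenticate_original_auth_data: bool = False  # authenticateOriginalAuthData
    proxy_roles: FrozenSet[str] = frozenset()      # proxyRoles

@dataclass(frozen=True)
class ProxiedRequest:
    auth_role: str                            # authRole on the connection
    original_principal: Optional[str] = None  # plain string sent by the proxy
    original_auth_data: Optional[str] = None  # forwarded client auth data

def verify_auth_data(auth_data: str) -> Optional[str]:
    """Authenticate forwarded client auth data; return its role or None."""
    role, _, secret = auth_data.partition(":")
    return role if CLIENT_SECRETS.get(role) == secret else None

def resolve_principal(cfg: BrokerConfig, req: ProxiedRequest) -> Optional[str]:
    """Principal the broker will authorize, or None to reject the request."""
    if req.auth_role not in cfg.proxy_roles:
        # Not a configured proxy role: the connection's own role is the principal.
        # With proxyRoles unset, a proxy sending NULL originalPrincipal is a plain client.
        return req.auth_role
    if cfg.authenticate_original_auth_data:
        # Hardened: only verified client auth data yields a principal.
        if req.original_auth_data is None:
            return None
        return verify_auth_data(req.original_auth_data)
    # Weak: the forwarded string is trusted, so a compromised proxy can forge it.
    return req.original_principal

def can_consume(cfg: BrokerConfig, req: ProxiedRequest, topic: str) -> bool:
    """Both the proxy role and the end client need permission on the topic."""
    principal = resolve_principal(cfg, req)
    allowed = CONSUME_ACL.get(topic, set())
    if req.auth_role in cfg.proxy_roles and req.auth_role not in allowed:
        return False
    return principal is not None and principal in allowed
```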

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.