ivankelly edited a comment on issue #1991: TLS auth cannot be used between proxy and brokers
URL: https://github.com/apache/incubator-pulsar/issues/1991#issuecomment-400237543

> "*forwardAuthorizationCredentials*" on the proxy and enable "*authenticateOriginalAuthData*"

I assume this only applies to Athenz, as TLS doesn't use the auth data AFAICS.

> This weekend I will go through the documentation and add any missing pieces (if any)

There's quite a bit missing, in particular for the TLS auth context, which most people will be using. Once I've solved this issue, I'll take a pass over the docs too.

In terms of this issue, my plan is to make the admin API respect originalPrincipal and proxyRoles also, carrying it in a header ("X-Original-Principal"). This does mean that the proxy would have to be added as an admin role for each tenant that wants to use the admin API through the proxy. In some use cases though, I think the proxy will have to be a superuser at the broker.
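The plan in the comment above implies a trust rule on the broker side: "X-Original-Principal" may only be honoured when the TLS-authenticated caller is itself listed in proxyRoles. The following is an added sketch of that rule, not code from Pulsar or from the comment's author; the class, method and role names are hypothetical, and it assumes that header names are already normalized, that a forwarded header from a non-proxy role is rejected, and that both the proxy role and the original principal must be admins for the tenant.

```java
import java.util.Map;
import java.util.Set;

// Added sketch, not Pulsar code. All class, method and role names are hypothetical.
public class OriginalPrincipalCheck {
    static final String HEADER = "X-Original-Principal";

    private final Set<String> proxyRoles;                 // roles allowed to forward a principal
    private final Set<String> superUsers;                 // roles that are admin everywhere
    private final Map<String, Set<String>> tenantAdmins;  // tenant -> admin roles

    OriginalPrincipalCheck(Set<String> proxyRoles, Set<String> superUsers,
                           Map<String, Set<String>> tenantAdmins) {
        this.proxyRoles = proxyRoles;
        this.superUsers = superUsers;
        this.tenantAdmins = tenantAdmins;
    }

    private boolean isAdmin(String role, String tenant) {
        return superUsers.contains(role)
                || tenantAdmins.getOrDefault(tenant, Set.of()).contains(role);
    }

    // tlsRole is the role taken from the authenticated TLS client certificate.
    boolean allowAdmin(String tlsRole, Map<String, String> headers, String tenant) {
        String original = headers.get(HEADER);
        if (!proxyRoles.contains(tlsRole)) {
            // Direct client: it may not name another principal (assumption: reject).
            return original == null && isAdmin(tlsRole, tenant);
        }
        // Proxy connection: it must state on whose behalf it acts, and both
        // the proxy role and the original principal must be tenant admins.
        if (original == null || original.isBlank()) {
            return false;
        }
        return isAdmin(tlsRole, tenant) && isAdmin(original, tenant);
    }

    public static void main(String[] args) {
        // Constructed sample configuration and requests.
        OriginalPrincipalCheck check = new OriginalPrincipalCheck(
                Set.of("proxy"), Set.of("root"),
                Map.of("tenant-a", Set.of("proxy", "alice")));
        // Proxy forwarding a tenant admin, then a non-admin.
        System.out.println(check.allowAdmin("proxy", Map.of(HEADER, "alice"), "tenant-a"));
        System.out.println(check.allowAdmin("proxy", Map.of(HEADER, "bob"), "tenant-a"));
        // Non-proxy client setting the header itself, and a proxy sending no header.
        System.out.println(check.allowAdmin("bob", Map.of(HEADER, "alice"), "tenant-a"));
        System.out.println(check.allowAdmin("proxy", Map.of(), "tenant-a"));
    }
}
```

Adding "proxy" to the superuser set instead of each tenant's admin list corresponds to the superuser case mentioned at the end of the comment.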
