jai1 commented on issue #1002: Making Pulsar Proxy more secure
URL: https://github.com/apache/incubator-pulsar/pull/1002#issuecomment-414568135

> was the proxy auth action ever added?

No, and we don't need to.

> @jai1 <https://github.com/jai1> @merlimat <https://github.com/merlimat> is authRole correct here? Surely if we are coming from the proxy and originalPrincipal is set, we should be checking if the original principal which can access the resource?

The code looks convoluted but I think it's correct, so basically if 'originalPrincipal != null' then check if both proxy role (authRole) and client role (originalPrincipal) can lookup on the topic.

So on line 251 (first call to canLookupAsync) we check whether the proxy (authRole) has permission to lookup, then on line 261 (call to lookupTopicAsync) we check if client role (originalPrincipal) has permission to lookup.

Basic reasoning for this was that we don't want the proxy to have access to all Pulsar namespaces - we want to have a configuration where proxy X can only access namespace Y.

On Mon, Aug 20, 2018 at 5:45 AM, Ivan Kelly <[email protected]> wrote:

> @jai1 <https://github.com/jai1> was the proxy auth action ever added?
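
The two-step check described in the comment above, as an added example that is not code from the pull request or from Pulsar. The class, method, role and namespace names are hypothetical, the grants are constructed sample data, and the handling of a null originalPrincipal (authRole alone decides) is an assumption.

```java
import java.util.Map;
import java.util.Set;

// Added illustration. Class, method, role and namespace names are hypothetical,
// not Pulsar's API; the grants below are constructed sample data.
public class ProxyLookupAuthz {
    // role -> namespaces in which that role may look up topics
    static final Map<String, Set<String>> LOOKUP_GRANTS = Map.of(
        "proxy-x", Set.of("tenant/ns-y"),
        "client-a", Set.of("tenant/ns-y", "tenant/ns-z"),
        "client-b", Set.of("tenant/ns-z"));

    static boolean canLookup(String role, String namespace) {
        return role != null
            && LOOKUP_GRANTS.getOrDefault(role, Set.of()).contains(namespace);
    }

    // authRole: role authenticated on the connection (the proxy when forwarded).
    // originalPrincipal: client role reported by the proxy, null when absent.
    static boolean authorizeLookup(String authRole, String originalPrincipal,
                                   String namespace) {
        if (!canLookup(authRole, namespace)) {
            return false; // the connecting role is always checked first
        }
        if (originalPrincipal == null) {
            return true; // assumption: no forwarded client, authRole alone decides
        }
        return canLookup(originalPrincipal, namespace); // client must pass too
    }

    static void expect(boolean expected, boolean actual, String what) {
        if (expected != actual) {
            throw new AssertionError("unexpected decision for: " + what);
        }
        System.out.println((actual ? "ALLOW " : "DENY  ") + what);
    }

    public static void main(String[] args) {
        expect(true, authorizeLookup("proxy-x", "client-a", "tenant/ns-y"),
            "proxy and client both granted on ns-y");
        expect(false, authorizeLookup("proxy-x", "client-a", "tenant/ns-z"),
            "client granted on ns-z, proxy-x is not");
        expect(false, authorizeLookup("proxy-x", "client-b", "tenant/ns-y"),
            "proxy granted on ns-y, client-b is not");
        expect(true, authorizeLookup("client-a", null, "tenant/ns-z"),
            "direct connection, no originalPrincipal");
    }
}
```

The second and third cases are the ones the design is about: a proxy scoped to one namespace cannot be used to reach another, and a client cannot borrow the proxy's grant.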
