merlimat commented on a change in pull request #548: PIP-1 - Introduce Pulsar
proxy component
URL: https://github.com/apache/incubator-pulsar/pull/548#discussion_r126274693
##########
File path: pulsar-common/src/main/proto/PulsarApi.proto
##########
@@ -117,6 +118,15 @@ message CommandConnect {
optional string auth_method_name = 5;
optional bytes auth_data = 3;
optional int32 protocol_version = 4 [default = 0];
+
+ // Client can ask to be proxyied to a specific broker
+ // This is only honored by a Pulsar proxy
+ optional string proxy_to_broker_url = 6;
+
+ // Original principal that was verified by
+ // a Pulsar proxy. In this case the auth info above
+ // will the the auth of the proxy itself
+ optional string original_principal = 7;
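Review bot: the comment on original_principal (field 7) should say under what condition a broker honors the value. The field sits in the same CommandConnect that ordinary clients send, and the text "Original principal that was verified by a Pulsar proxy" does not tell an implementer that it is only meaningful when the auth_method_name/auth_data on the same message authenticate a proxy, nor what the broker does when a connection that is not a proxy sets it; suggest documenting both here. The comment on proxy_to_broker_url already states who honors that field, so the same level of detail would fit. Two typos in the added comments as well: "proxyied" should be "proxied" and "will the the auth" should be "will be the auth".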
Review comment:
Proxy is not doing authorization on the data connections. The reason is that
after the initial connect/connected it just forwards everything on both sides.
The broker still needs to check whether that particular role is authorized
to publish on a specific topic. So the proxy relays the original client
principal, and that will be used by the broker for the authorization, trusting
that the proxy has already validated the authentication.
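The trust decision described in this comment, as an added sketch that is not part of the review comment or of Pulsar's code: the broker authorizes against original_principal only when the connection itself authenticated as a proxy. The PROXY_ROLES set, the ACL table, the Connect class and the reject-on-mismatch behaviour are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Assumption: roles the operator has designated as proxies (hypothetical name).
PROXY_ROLES = frozenset({"pulsar-proxy"})

# Constructed sample ACL: topic -> roles allowed to publish.
PUBLISH_ACL = {
    "persistent://tenant/ns/orders": frozenset({"alice"}),
}


@dataclass(frozen=True)
class Connect:
    """Subset of CommandConnect after the broker has verified auth_data
    and derived authenticated_role from it."""
    authenticated_role: str
    original_principal: Optional[str] = None


class ConnectRejected(Exception):
    pass


def effective_principal(cmd: Connect) -> str:
    """Return the role the broker should authorize against."""
    is_proxy = cmd.authenticated_role in PROXY_ROLES
    if cmd.original_principal is not None and not is_proxy:
        # Only a connection authenticated as a proxy may vouch for another
        # principal; from anyone else the field is an unverified claim.
        raise ConnectRejected("original_principal set by non-proxy role")
    if is_proxy:
        if not cmd.original_principal:
            # Choice made in this sketch: never fall back to the proxy's own
            # role, so forwarded traffic cannot inherit proxy privileges.
            raise ConnectRejected("proxy connection without original_principal")
        return cmd.original_principal
    return cmd.authenticated_role


def can_publish(cmd: Connect, topic: str) -> bool:
    """Per-topic check the broker still performs behind the proxy."""
    try:
        principal = effective_principal(cmd)
    except ConnectRejected:
        return False
    return principal in PUBLISH_ACL.get(topic, frozenset())
```
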