Posted to commits@pulsar.apache.org by GitBox <gi...@apache.org> on 2020/07/08 13:30:23 UTC

[GitHub] [pulsar] vzhikserg commented on issue #7385: When `authorizationEnabled=true` in proxy.conf the proxy does not appear to perform Authorization check

vzhikserg commented on issue #7385:
URL: https://github.com/apache/pulsar/issues/7385#issuecomment-655521061


   We see the same behavior using 2.6.0 on an AKS deployment when connecting (JWT) via proxy with authentication and authorization enabled (using ZooKeeper):
   
   - Client has no permissions on a topic: the client is rejected, as expected.
   
   - Client has been granted, for example, only produce: then the client is able to consume as well (besides producing), I assume because the superUserRole is being used.
   
   When we configure the proxyRoles and apply the same permissions as the client, it works; however, this implies that proxy clients get the proxyRoles or superUserRoles.
   
   Meaning that in case we have 2 clients connecting to the same topic, one with consume and the other with produce permissions, then proxyRole would need produce and consume permissions, which leads to both clients being able to produce and consume.
   
   P.S. we watched the video twice ;)

