Posted to commits@pulsar.apache.org by GitBox <gi...@apache.org> on 2020/06/30 13:43:57 UTC

[GitHub] [pulsar] frankjkelly commented on issue #7385: When `authorizationEnabled=true` in proxy.conf the proxy does not appear to perform Authorization check

frankjkelly commented on issue #7385:
URL: https://github.com/apache/pulsar/issues/7385#issuecomment-651799700


   Hmmm, I'm not sure. In proxy.conf we have the following for `brokerService`:
   ```
   root@pulsar-proxy-764f4b6569-flg8m:/pulsar/conf# grep broker proxy.conf  | grep -v "#"
   brokerServiceURL=http://pulsar-broker:6650
   brokerServiceURLTLS=https://pulsar-broker:6651
   brokerWebServiceURL=http://pulsar-broker:8080
   brokerWebServiceURLTLS=https://pulsar-broker:8443
   authorizationProvider=org.apache.pulsar.broker.authorization.PulsarAuthorizationProvider
   brokerClientAuthenticationPlugin=
   brokerClientAuthenticationParameters=
   brokerClientTrustCertsFilePath=
   ```
   and the following ZooKeeper-related settings:
   ```
   root@pulsar-proxy-764f4b6569-flg8m:/pulsar/conf# grep zoo proxy.conf 
   zookeeperServers=pulsar-zookeeper-0.pulsar-zookeeper
   configurationStoreServers=pulsar-zookeeper-0.pulsar-zookeeper
   # These settings are unnecessary if `zookeeperServers` is specified
   zookeeperSessionTimeoutMs=30000
   ```
   I see from this StreamNative documentation that by defining the `brokerServiceURL` we are effectively disabling Authorization.
   
   The problem I have is that our JWT token contains custom claims that indicate whether a topic is accessible or not (it's not Role-based), so we need to pass the token along to the Authorization plugin for parsing. In standalone, when the Authentication and Authorization plugins are colocated, this is fine, but it seems that when the Proxy is doing Authentication and the Broker is doing Authorization, the original token is no longer present at the Broker? I tried `forwardAuthorizationCredentials=true`, but it did not seem to make a difference; perhaps I am missing something.

