Posted to commits@pulsar.apache.org by GitBox <gi...@apache.org> on 2020/06/30 13:43:57 UTC
[GitHub] [pulsar] frankjkelly commented on issue #7385: When `authorizationEnabled=true` in proxy.conf the proxy does not appear to perform Authorization check
frankjkelly commented on issue #7385:
URL: https://github.com/apache/pulsar/issues/7385#issuecomment-651799700
Hmmm, I'm not sure. In proxy.conf we have the following for `brokerService`:
```
root@pulsar-proxy-764f4b6569-flg8m:/pulsar/conf# grep broker proxy.conf | grep -v "#"
brokerServiceURL=http://pulsar-broker:6650
brokerServiceURLTLS=https://pulsar-broker:6651
brokerWebServiceURL=http://pulsar-broker:8080
brokerWebServiceURLTLS=https://pulsar-broker:8443
authorizationProvider=org.apache.pulsar.broker.authorization.PulsarAuthorizationProvider
brokerClientAuthenticationPlugin=
brokerClientAuthenticationParameters=
brokerClientTrustCertsFilePath=
```
and the following ZooKeeper-related settings:
```
root@pulsar-proxy-764f4b6569-flg8m:/pulsar/conf# grep zoo proxy.conf
zookeeperServers=pulsar-zookeeper-0.pulsar-zookeeper
configurationStoreServers=pulsar-zookeeper-0.pulsar-zookeeper
# These settings are unnecessary if `zookeeperServers` is specified
zookeeperSessionTimeoutMs=30000
```
I see from this StreamNative documentation that by defining the `brokerServiceURL` we are effectively disabling Authorization.
The problem I have is that our JWT token contains custom claims that indicate whether a topic is accessible or not (it's not Role-based), so we need to pass the token along to the Authorization plugin for parsing. In standalone, when the Authentication and Authorization plugins are colocated, this is fine, but it seems that when the Proxy is doing Authentication and the Broker is doing Authorization, the original token is no longer present at the Broker? I tried `forwardAuthorizationCredentials=true`, but it did not seem to make a difference; perhaps I am missing something.