Posted to commits@pulsar.apache.org by GitBox <gi...@apache.org> on 2019/05/14 20:39:09 UTC

[GitHub] [pulsar] wmccarley opened a new issue #4275: Proxy Lookup for Partitioned Topics Requires Explicitly Granting Permissions on Each Partition

wmccarley opened a new issue #4275: Proxy Lookup for Partitioned Topics Requires Explicitly Granting Permissions on Each Partition
URL: https://github.com/apache/pulsar/issues/4275
 
 
   **Describe the bug**
   
   I have a cluster where all producers and consumers connect via a proxy instance (no direct connect to the brokers.)
   
   The brokers are configured with:
   proxyRoles=proxy@xyz
   
   The proxy is configured with:
   authorizationEnabled=true
   forwardAuthorizationCredentials=false
   authenticationEnabled=true
   
   For non-partitioned topics, granting permission to proxy@xyz and original@xyz is sufficient to allow original@xyz to produce/consume via the proxy.
   
   Also, if the two roles have permissions at the namespace level, then explicitly granting at the topic level isn't even necessary (the config is inherited).
   
   For partitioned topics granting permissions as above (either explicitly to the topic name or indirectly via namespace permissions) doesn't seem to cascade to the individual partitions, so lookups fail with: **Proxy Client is not authorized to Lookup**
   
   If you iterate over the partitions and grant the proxy role, you can get past this error, but then you will receive errors related to the original role, so you need to iterate over the partitions again and grant that role. So effectively the workaround is to explicitly issue 2N grant-permission calls (where N is the number of partitions).
   
   **Expected behavior**
   
   1. Any calls to lookup permissions for specific partitions should delegate to the permissions of the "parent" topic.
   
   2. API should prevent a user from explicitly granting permissions to individual partitions, to avoid confusion.
   
   

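The difference between the reported lookup behaviour and expected behaviour 1 can be modelled in a few lines. This is an added example, not code from the issue or from Pulsar: `TopicGrants`, `proxy_lookup_allowed` and the topic `persistent://tenant/ns/orders` are hypothetical, and the model covers topic-level grants only, assuming partitions are named `<topic>-partition-<N>`.

```python
import re

# Pulsar names partition N of a partitioned topic "<topic>-partition-<N>".
PARTITION_RE = re.compile(r"^(?P<parent>.+)-partition-(?P<index>\d+)$")

def parent_topic(topic):
    """Return the partitioned topic a partition belongs to, else the name itself."""
    m = PARTITION_RE.match(topic)
    return m.group("parent") if m else topic

class TopicGrants:
    """Toy topic-level permission store (hypothetical): topic -> role -> actions."""
    def __init__(self):
        self._grants = {}

    def grant(self, topic, role, actions):
        self._grants.setdefault(topic, {}).setdefault(role, set()).update(actions)

    def allowed(self, topic, role, action, delegate_to_parent):
        # Expected behaviour 1: resolve a partition to its parent before the check.
        name = parent_topic(topic) if delegate_to_parent else topic
        return action in self._grants.get(name, {}).get(role, set())

def proxy_lookup_allowed(grants, topic, proxy_role, original_role, action,
                         delegate_to_parent):
    """Both the proxy role and the original role must hold the permission."""
    return all(grants.allowed(topic, role, action, delegate_to_parent)
               for role in (proxy_role, original_role))

def workaround_grants(topic, partitions, roles, actions):
    """Per-partition grants the reported workaround needs (2N for two roles)."""
    return [(f"{topic}-partition-{i}", role, tuple(actions))
            for i in range(partitions) for role in roles]

# Constructed sample: a 4-partition topic with grants on the parent name only.
TOPIC = "persistent://tenant/ns/orders"
ROLES = ("proxy@xyz", "original@xyz")

def demo():
    grants = TopicGrants()
    for role in ROLES:
        grants.grant(TOPIC, role, {"produce", "consume"})
    part = f"{TOPIC}-partition-2"
    exact = proxy_lookup_allowed(grants, part, *ROLES, "produce", False)
    delegated = proxy_lookup_allowed(grants, part, *ROLES, "produce", True)
    return exact, delegated, len(workaround_grants(TOPIC, 4, ROLES, ["produce"]))

if __name__ == "__main__":
    print(demo())
```

An exact-name check denies the partition lookup, the delegating check allows it, and the workaround for four partitions and two roles comes to eight grants.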