[GitHub] [pulsar] dragonls edited a comment on issue #10221: Failed to create consumer while using proxy and `Prefix` Subscription Authentication Mode

[GitBox <gi...@apache.org>]

dragonls edited a comment on issue #10221:
URL: https://github.com/apache/pulsar/issues/10221#issuecomment-819207592


   Dig into the code, the broker will check the operation in [org.apache.pulsar.broker.service.ServerCnx#isTopicOperationAllowed](https://github.com/apache/pulsar/blob/master/pulsar-broker/src/main/java/org/apache/pulsar/broker/service/ServerCnx.java#L305)
   
   In this case:
   `service.isAuthorizationEnabled()` is `true`, `originalPrincipal` is `roleA`, `authRole` is `proxy-admin`.
   `isProxyAuthorizedFuture` will be `true`, `isAuthorizedFuture` will throw the `PulsarServerException`(actually throws in [org.apache.pulsar.broker.authorization.PulsarAuthorizationProvider#canConsumeAsync](https://github.com/apache/pulsar/blob/master/pulsar-broker-common/src/main/java/org/apache/pulsar/broker/authorization/PulsarAuthorizationProvider.java#L135), passing `proxy-admin` as role will throw the exception), which results the failure of consumer.
   
   One simple solution is that, `permissionFuture.complete(false)` instead of `permissionFuture.completeExceptionally(ex)`, not throwing the exception in [org.apache.pulsar.broker.authorization.PulsarAuthorizationProvider#canConsumeAsync](https://github.com/apache/pulsar/blob/master/pulsar-broker-common/src/main/java/org/apache/pulsar/broker/authorization/PulsarAuthorizationProvider.java#L135).
   But this solution may change the error message for those consumers using invalid role to subscribe, e.g., `roleB` to subscribe `persistent://test/auth/topic` with subscription `roleA-test`.
   
   Welcome to propose better solutions.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org