michaeljmarshall commented on PR #19830: URL: https://github.com/apache/pulsar/pull/19830#issuecomment-1492762813
> I saw that you [pushed a commit into `branch-2.10`](https://github.com/apache/pulsar/commit/7ea5f43feeef7d91d89cd187cecbd764c84db396) instead of cherry-picking #19830.

I'm not sure what you mean here. This PR (#19830) was merged to `branch-2.11`, and the cherry pick was based exactly on this PR's commit (https://github.com/apache/pulsar/commit/6bc3530628344570cbd9171485e0478c6f01eab4).

> But there was a mistake that caused `branch-master` and `branch-2.10` to be implemented differently

That was not a mistake. `master` is implemented differently because it requires that only a proxy role can supply the original principal.

> The user who has not super role can not operate the tenant API even if `authorization` is disabled (but `authentication` is enabled).

I can see in the code why this is happening. It must just be a case that wasn't covered by any tests. I can try to put up a fix soon.

> You can reproduce this issue like this:
>
> * enabled authentication
> * disabled authorization
> * call `pulsar-admin tenants list` with the non-super role.

You also need to connect through a pulsar proxy for this to actually be an issue because the `X-Original-Principal` header is the real reason you're having an issue.

Let me know if you have any questions.
