jai1 opened a new pull request #1168: Proxy roles enforcement
URL: https://github.com/apache/incubator-pulsar/pull/1168
 
 
   The broker should be able to distinguish between a proxy and a client so 
that no compromised proxy can impersonate a client. 
   
   To be specific: once a proxy host is compromised, it can choose to send 
originalPrincipal as null, which will make the broker treat it as a normal 
client and authenticate/authorize the proxy as a normal client rather than 
demanding to authorize the originalPrincipal.
   
   So, for example:
   A client using topic T1 with roleToken R1 going through proxy with roleToken 
R3 will require granting AuthAction produce/consume on both R1 and R3 (proxy).
   Similarly, a client using topic T2 with roleToken R2 going through the same 
proxy will require granting AuthAction produce/consume on both R1 and R3 
(proxy).
   
   Now, with my current code, if the proxy is compromised it can access topics T1 
and T2 without requiring the client roleTokens (R1 and R2) at all, by passing 
originalPrincipal as null. 
   
   If I add a broker-side setting "proxyRoles=R3, R4", then as soon as I see 
that the roleToken (R3) extracted from the incoming cert is in proxyRoles (R3, 
R4), I can return an error if originalPrincipal is null.
   
   Thanks to @msb-at-yahoo for suggesting this.

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


With regards,
Apache Git Services
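The check the PR describes, written out as a stand-alone broker-side authorization sketch. This is an added example, not code from the PR or from Pulsar: the class name ProxyRoleAuthz, the method isAuthorized, the enforceProxyRoles flag and the grants map are assumptions made for illustration. The flag set to false reproduces the hole described above (a proxy role sending a null originalPrincipal is authorized as a plain client); set to true it applies the proxyRoles rule. The case of a non-proxy role that nevertheless supplies an originalPrincipal is not covered by the PR text, so the example simply denies it and says so in a comment. Requires Java 9 or later for Set.of/Map.of.

```java
import java.util.Map;
import java.util.Set;

// Added example of the proxyRoles enforcement rule; not Pulsar's own code.
// All names here are assumptions chosen for this illustration.
public class ProxyRoleAuthz {
    private final Set<String> proxyRoles;          // broker setting: proxyRoles=R3, R4
    private final Map<String, Set<String>> grants; // role -> topics with produce/consume granted
    private final boolean enforceProxyRoles;       // false = pre-fix behaviour, true = the PR's rule

    public ProxyRoleAuthz(Set<String> proxyRoles, Map<String, Set<String>> grants,
                          boolean enforceProxyRoles) {
        this.proxyRoles = proxyRoles;
        this.grants = grants;
        this.enforceProxyRoles = enforceProxyRoles;
    }

    private boolean hasGrant(String role, String topic) {
        return role != null && grants.getOrDefault(role, Set.of()).contains(topic);
    }

    /**
     * authRole is the role extracted from the connecting peer's cert.
     * originalPrincipal is the client identity the peer claims to forward,
     * or null when the peer claims to be a client itself.
     */
    public boolean isAuthorized(String authRole, String originalPrincipal, String topic) {
        boolean isProxy = proxyRoles.contains(authRole);

        if (originalPrincipal == null) {
            if (isProxy && enforceProxyRoles) {
                // The PR's rule: a role listed in proxyRoles must always forward a
                // client identity, so a null originalPrincipal is an error.
                return false;
            }
            // Plain client (or, with enforcement off, the hole: a proxy judged as a client).
            return hasGrant(authRole, topic);
        }

        if (!isProxy) {
            // A non-proxy role claiming to forward another identity. The PR does not
            // specify this case; denying it is the assumption made in this example.
            return false;
        }

        // Proxy forwarding a client: both the proxy role and the client role need the grant.
        return hasGrant(authRole, topic) && hasGrant(originalPrincipal, topic);
    }

    public static void main(String[] args) {
        // Constructed grants matching the PR's example: R1 -> T1, R2 -> T2, proxy R3 -> T1 and T2.
        Map<String, Set<String>> grants = Map.of(
                "R1", Set.of("T1"),
                "R2", Set.of("T2"),
                "R3", Set.of("T1", "T2"));
        Set<String> proxyRoles = Set.of("R3", "R4");

        ProxyRoleAuthz before = new ProxyRoleAuthz(proxyRoles, grants, false);
        ProxyRoleAuthz after = new ProxyRoleAuthz(proxyRoles, grants, true);

        // Compromised proxy sends originalPrincipal=null and reaches T1 and T2 before the fix.
        System.out.println("before fix, R3 alone on T1: " + before.isAuthorized("R3", null, "T1"));
        System.out.println("before fix, R3 alone on T2: " + before.isAuthorized("R3", null, "T2"));
        // With proxyRoles enforced the same request is rejected.
        System.out.println("after fix,  R3 alone on T1: " + after.isAuthorized("R3", null, "T1"));
        // Legitimate path: proxy R3 forwarding R1 to T1 is allowed, R1 to T2 is not.
        System.out.println("after fix,  R3 for R1 on T1: " + after.isAuthorized("R3", "R1", "T1"));
        System.out.println("after fix,  R3 for R1 on T2: " + after.isAuthorized("R3", "R1", "T2"));
        System.out.println("after fix,  R3 for R2 on T2: " + after.isAuthorized("R3", "R2", "T2"));
        // A direct client with its own cert is unaffected by the new rule.
        System.out.println("after fix,  R1 direct on T1: " + after.isAuthorized("R1", null, "T1"));
    }
}
```

The decision hinges on the role taken from the TLS cert, not on anything the peer sends in the connect message, which is the point of the PR: the proxy cannot opt out of being a proxy by omitting originalPrincipal. Note that the rule only closes the impersonation hole for roles actually listed in proxyRoles; a proxy whose role is missing from that setting is still judged as a client, so the setting has to be kept in step with the deployed proxy certs.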
