dongyikuan919 commented on issue #10370:
URL: https://github.com/apache/rocketmq/issues/10370#issuecomment-4534409353

From the description, I think the key is to separate two identities:

1. the end user identity used by producer/consumer when talking to Proxy;
2. the internal identity used by Proxy when it talks to Broker or touches system resources such as `TBW102` and `CLIENT_INNER_PRODUCER`.

If the Proxy-to-Broker path is expected to use the built-in AK/SK, then normal users probably should not need explicit permission for these system topics/groups. Otherwise every business user has to be granted internal resource permissions, which makes ACL rules harder to reason about.

For the next check, it would help to confirm from the error log whether the denied request is evaluated with the normal user AK or with the Proxy internal AK. If it is still using the normal user AK when accessing system resources, the fix may belong in the Proxy ACL hook/context switching path rather than in user-side ACL configuration.
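The identity separation described in the comment, as an added illustrative model (not RocketMQ code and not the commenter's): a Broker-side ACL decision, a Proxy whose hook may or may not switch to its internal AK for its own internal step, and an audit record of which AK was actually evaluated, which is what the error log would need to show. The identity names, the rule table and the assumption that the internal step touches `TBW102` are constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed illustration: resource names follow the comment; the rule table,
# identity names and the "internal step" are assumptions, not RocketMQ code.
SYSTEM_RESOURCES = {"TBW102", "CLIENT_INNER_PRODUCER"}


@dataclass
class Identity:
    access_key: str
    allowed: set = field(default_factory=set)  # resources this AK may use
    internal: bool = False  # True only for the Proxy's built-in AK/SK


def acl_check(identity: Identity, resource: str) -> bool:
    """Broker-side decision: system resources need the internal identity;
    everything else must be explicitly granted to the caller's AK."""
    if resource in SYSTEM_RESOURCES:
        return identity.internal
    return resource in identity.allowed


class Proxy:
    def __init__(self, internal: Identity, switch_context: bool):
        self.internal = internal
        self.switch_context = switch_context  # does the ACL hook swap identities?
        self.audit = []  # (requesting AK, evaluated AK, resource, decision)

    def _touch(self, requester: Identity, resource: str, internal_step=False) -> bool:
        # Pick the AK the Broker will evaluate and record it; this record is
        # the information the comment asks to confirm from the error log.
        effective = requester
        if self.switch_context and internal_step:
            effective = self.internal
        decision = acl_check(effective, resource)
        self.audit.append((requester.access_key, effective.access_key, resource, decision))
        return decision

    def serve(self, user: Identity, topic: str) -> bool:
        # The user's own permission on the requested topic is always checked
        # with the user's AK; only the Proxy's internal bookkeeping step
        # (assumed here to touch TBW102) should run under the Proxy identity.
        return self._touch(user, topic) and self._touch(user, "TBW102", internal_step=True)


def run_scenario(switch_context: bool, topic: str = "OrderTopic"):
    internal = Identity("proxy-internal", internal=True)
    user = Identity("business-user", allowed={"OrderTopic"})
    proxy = Proxy(internal, switch_context)
    served = proxy.serve(user, topic)
    return served, proxy.audit
```

Without context switching the audit shows the business user's AK being evaluated against `TBW102` and denied, which is the symptom to look for; with switching, the same request succeeds while a user asking for the system topic directly is still denied.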


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
