dongyikuan919 commented on issue #10370: URL: https://github.com/apache/rocketmq/issues/10370#issuecomment-4534409353
From the description, I think the key is to separate two identities:

1. the end user identity used by producer/consumer when talking to Proxy;
2. the internal identity used by Proxy when it talks to Broker or touches system resources such as `TBW102` and `CLIENT_INNER_PRODUCER`.

If the Proxy-to-Broker path is expected to use the built-in AK/SK, then normal users probably should not need explicit permission for these system topics/groups. Otherwise every business user has to be granted internal resource permissions, which makes ACL rules harder to reason about.

For the next check, it would help to confirm from the error log whether the denied request is evaluated with the normal user AK or with the Proxy internal AK. If it is still using the normal user AK when accessing system resources, the fix may belong in the Proxy ACL hook/context switching path rather than in user-side ACL configuration.
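A constructed model of the identity split discussed in this comment, added here as an illustration and not RocketMQ's own code: the system resource names come from the comment, while the access keys, permission sets and request shape are made-up assumptions. It shows how the same request is denied when everything is evaluated with the caller's AK and passes when the Proxy switches to its internal identity for system resources, and which AK the log would show on the denied check.

```python
# Constructed model of Proxy-side ACL evaluation; not RocketMQ code.
from dataclasses import dataclass, field

# System resources the Proxy touches on the caller's behalf (names from the comment).
SYSTEM_RESOURCES = {"TBW102", "CLIENT_INNER_PRODUCER"}


@dataclass(frozen=True)
class Principal:
    access_key: str
    permissions: frozenset  # resources this identity is allowed to use


@dataclass
class AclLog:
    entries: list = field(default_factory=list)  # (access_key, resource, verdict)


def evaluate(principal, resource, log):
    """One ACL decision, recorded with the AK that was actually used."""
    allowed = resource in principal.permissions
    log.entries.append((principal.access_key, resource, "ALLOW" if allowed else "DENY"))
    return allowed


def handle_request(user, proxy_internal, resources, log, switch_context):
    """Evaluate every resource a request touches.

    switch_context=True: system resources are checked with the Proxy's internal AK
    (the identity split proposed above). switch_context=False: everything is checked
    with the end user's AK (the behaviour the comment suspects from the error log).
    """
    for res in resources:
        principal = proxy_internal if (switch_context and res in SYSTEM_RESOURCES) else user
        if not evaluate(principal, res, log):
            return False
    return True


def denied_with(log):
    """AKs seen on DENY entries: the thing to confirm from the error log."""
    return [ak for ak, _, verdict in log.entries if verdict == "DENY"]


# Assumed identities: a business user with only its own topic/group, and the
# Proxy's built-in identity holding the system resources.
BUSINESS_USER = Principal("user-ak", frozenset({"OrderTopic", "OrderGroup"}))
PROXY_INTERNAL = Principal("proxy-internal-ak", frozenset(SYSTEM_RESOURCES))
# Constructed request: a send that also touches the two system resources.
REQUEST = ["OrderTopic", "TBW102", "CLIENT_INNER_PRODUCER"]


def run(switch_context):
    log = AclLog()
    ok = handle_request(BUSINESS_USER, PROXY_INTERNAL, REQUEST, log, switch_context)
    return ok, denied_with(log)
```

`run(False)` reproduces the denial with `user-ak` on the system resource, `run(True)` lets the same business user through without any grant on `TBW102` or `CLIENT_INNER_PRODUCER`.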
