Hi Matteo,

Thanks for your time and the constructive feedback. Yes, I agree that AuthAction Proxy doesn't gel well with produce and consume.

What I want to do on a high level is to make Proxy as secure (or insecure) as a client - allowAccessThroughProxy flag can allow the Namespace to be accessed via *any* proxy but what I want to do is to allow the namespace to be accessed by a particular proxy only (not all).

So what I propose is that we authorize the proxy like a normal client against AuthAction consume/produce/admin. In other words, if a client has a roleToken which is Authorized to produce but the Proxy roleToken doesn't have AuthAction produce on it - then the request is denied.

This solution kind of addresses both our concerns and is not much of a code change on top of my existing PR.

Let me know what you think of this new proposal.

--
Jai

On Thu, Jan 18, 2018 at 4:37 PM, Matteo Merli <mme...@apache.org> wrote:

> Hi Jai,
>
> the proposal looks good to me. My only concern is around the "proxy" action for restricting the proxy access to some topics.
>
> I completely agree that restricting access is a very option to have available, but I don't think we should put "proxy" on the same level as "produce" and "consume".
>
> Produce and consume are actions that are tied to a specific user/principal.
>
> E.g.: grant permission to "user-1" to publish on topics in namespace X
>
> For proxy, it would be more like: "enable these topics to be exposed through proxy"
>
> That's why I feel "proxy" is not the same as an authorization action.
>
> My suggestion here would be:
> * Have a broker setting to set the default behavior "allowAccessThroughProxy=true" (or similar name)
> * Add a flag at the namespace level that can override the default system-wide setting
>
> Matteo
>
> On Tue, Jan 2, 2018 at 12:04 PM Jai Asher <jai.ashe...@gmail.com> wrote:
>
> > Hi all,
> > I've created PIP for Adding more Security checks to Pulsar Proxy.
> > High-level description:
> > *The machine hosting the Pulsar proxy will have a public IP and be susceptible to all kinds of web attacks. The aim of this PIP is to minimize the damage caused by a compromised proxy on the entire service.*
> >
> > PIP:- https://github.com/apache/incubator-pulsar/wiki/PIP-9:-Adding-more-Security-checks-to-Pulsar-Proxy
> > PR:- https://github.com/apache/incubator-pulsar/pull/1002
> > Issue:- https://github.com/apache/incubator-pulsar/issues/858
> >
> > Can you please review and provide your feedback/comments.
> >
> > Regards,
> > Jai
>
> --
> Matteo Merli
> <mme...@apache.org>
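
The two designs discussed in this thread, modelled side by side as an added example; it is not code from Pulsar or from the linked PR. The role names, namespace names, the grant table and the function names are hypothetical, and `AuthAction` here is a local stand-in covering only produce and consume.

```python
from enum import Enum

class AuthAction(Enum):          # local model, not Pulsar's class
    produce = "produce"
    consume = "consume"

# Constructed sample grants: namespace -> role -> actions (all names hypothetical).
GRANTS = {
    "tenant/ns-a": {
        "client-1": {AuthAction.produce, AuthAction.consume},
        "proxy-edge": {AuthAction.consume},   # this proxy may only relay consumers
    },
    "tenant/ns-b": {
        "client-1": {AuthAction.produce},     # no proxy role is granted anything
    },
}

# Flag design from the quoted message: broker default plus per-namespace override.
BROKER_ALLOW_ACCESS_THROUGH_PROXY = True
NAMESPACE_OVERRIDE = {"tenant/ns-b": False}

def role_can(role, namespace, action):
    return action in GRANTS.get(namespace, {}).get(role, set())

def authorize_dual(client_role, proxy_role, namespace, action):
    """Reply's proposal: the proxy role is checked like a normal client.
    proxy_role is None when the client connects to the broker directly."""
    if not role_can(client_role, namespace, action):
        return False
    return proxy_role is None or role_can(proxy_role, namespace, action)

def authorize_flag(client_role, proxy_role, namespace, action):
    """Flag design: when the namespace allows proxy access, any proxy passes."""
    if not role_can(client_role, namespace, action):
        return False
    if proxy_role is None:
        return True
    return NAMESPACE_OVERRIDE.get(namespace, BROKER_ALLOW_ACCESS_THROUGH_PROXY)

if __name__ == "__main__":
    for proxy in (None, "proxy-edge", "proxy-other"):
        for action in AuthAction:
            print(proxy, action.name,
                  "dual:", authorize_dual("client-1", proxy, "tenant/ns-a", action),
                  "flag:", authorize_flag("client-1", proxy, "tenant/ns-a", action))
```

Under the dual check a proxy role that holds only consume cannot relay a produce request even for a fully authorized client, while the flag design cannot tell one proxy from another.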