codelipenghui opened a new pull request, #24613:
URL: https://github.com/apache/pulsar/pull/24613
## Motivation
This is a follow-up fix to PR #24533 which addressed WebSocket authorization
issues by introducing a dummy original principal for binary protocol
connections, but missed the case where WebSocket proxy uses HTTP admin API
calls (web service URLs).
## Modifications
**Issue:**
When WebSocket proxy is configured to use web service URLs instead of broker
service URLs, it makes HTTP admin API calls for operations like topic lookup.
These HTTP requests were missing the `X-Original-Principal` header, causing
authorization failures with the error:
```
Illegal combination of role [websocket_proxy] and originalPrincipal [null]:
originalPrincipal must be provided when connecting with a proxy role.
```
**Root Cause:**
The `originalPrincipal` was correctly set for binary protocol connections
via `ClientBuilderImpl.originalPrincipal()`, but `HttpClient` did not include
this information as an `X-Original-Principal` header in HTTP requests to admin
APIs.
**Fix:**
- Modified `HttpClient` to store `ClientConfigurationData` and automatically
include `X-Original-Principal` header when `originalPrincipal` is configured
- Added `ProxyRoleAuthWebServiceURLTest` to verify the fix for web service
URL scenarios
## Verifying this change
- [x] Added new test `ProxyRoleAuthWebServiceURLTest` that reproduces the
issue and validates the fix
- [x] Verified existing `ProxyRoleAuthTest` continues to pass (binary
protocol scenarios)
- [x] The fix ensures WebSocket proxy authentication works correctly for
both:
  1. Binary protocol (broker service URLs) - already fixed by #24533
  2. HTTP admin API (web service URLs) - now fixed by this change
## Does this pull request potentially affect one of the following parts:
*If the box was checked, please highlight the changes*
- [x] Dependencies (add or upgrade a dependency)
  - No new dependencies added, only modified existing HttpClient behavior
- [x] The public API
  - No public API changes, internal HTTP client behavior only
- [x] The schema
  - No schema changes
- [x] The default behavior
  - Improved: WebSocket proxy now properly includes originalPrincipal in
    HTTP requests when configured
- [x] The wire protocol
  - No wire protocol changes
- [x] The REST endpoints
  - No REST endpoint changes, but improves HTTP client behavior when calling
    admin APIs
- [x] The admin CLI or the admin API
  - No admin CLI/API changes, but fixes HTTP client calls to admin APIs
- [x] Anything that affects deployment
  - No deployment changes
## Documentation
- [x] `doc-required`
  - No documentation changes required, this is a bug fix that makes existing
    functionality work correctly
- [x] `doc-not-needed`
  - This is an internal fix for a missing feature from #24533
- [x] `doc-complete`
  - No documentation needed
🤖 Generated with [Claude Code](https://claude.ai/code)
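
An added illustration, not part of the pull request or of Pulsar's code: a simplified Java model of the failure and the fix described above, with the proxy's HTTP headers on one side and the broker's proxy-role check on the other. The helper names, the `forwardPrincipal` switch, the placeholder principal value and the non-proxy rule in `check` are assumptions made for this example.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;

// Simplified model of the behaviour described in the PR text; not Pulsar source code.
public class OriginalPrincipalHeaderExample {
    static final String ORIGINAL_PRINCIPAL_HEADER = "X-Original-Principal";

    // Client side (hypothetical helper): headers the proxy's HTTP client sends to the admin API.
    // forwardPrincipal=false models the behaviour before the fix, true the behaviour after it.
    static Map<String, String> buildHeaders(String originalPrincipal, boolean forwardPrincipal) {
        Map<String, String> headers = new LinkedHashMap<>();
        headers.put("Accept", "application/json");
        if (forwardPrincipal && originalPrincipal != null && !originalPrincipal.isBlank()) {
            headers.put(ORIGINAL_PRINCIPAL_HEADER, originalPrincipal);
        }
        return headers;
    }

    // Broker side (simplified): a proxy role must name the principal it acts for.
    // Assumption for this example: a non-proxy role may not name a different principal,
    // because the header is only trustworthy when it comes from a configured proxy role.
    static String check(String role, Map<String, String> headers, Set<String> proxyRoles) {
        String original = headers.get(ORIGINAL_PRINCIPAL_HEADER);
        boolean missing = original == null || original.isBlank();
        if (proxyRoles.contains(role)) {
            return missing
                ? "REJECT: originalPrincipal must be provided when connecting with a proxy role"
                : "ALLOW: authorize as " + original;
        }
        if (!missing && !original.equals(role)) {
            return "REJECT: originalPrincipal set by a role that is not a proxy role";
        }
        return "ALLOW: authorize as " + role;
    }

    public static void main(String[] args) {
        Set<String> proxyRoles = Set.of("websocket_proxy"); // role name from the error message
        String dummy = "example-original-principal";        // constructed placeholder value
        // Before the fix: the principal is configured on the client but never sent over HTTP.
        System.out.println(check("websocket_proxy", buildHeaders(dummy, false), proxyRoles));
        // After the fix: the configured principal travels as a request header.
        System.out.println(check("websocket_proxy", buildHeaders(dummy, true), proxyRoles));
        // A non-proxy role naming another identity in the header is refused.
        System.out.println(check("alice", buildHeaders("admin", true), proxyRoles));
    }
}
```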