Hi Ivan,

Assume a role/principal R has permissions to produce on a namespace. If we don't authenticate at the proxy then anyone (attacker) can say that they belong to role R and connect to the proxy, the proxy will forward the role name to the broker which will authorize it and allow access. Instead, we need to *authenticate* at the proxy and reject all connections which are trying to falsify their credentials and then the broker will reject all roles/principals which are not *authorized* to access the namespace.

Regards,
Jai

On Tue, Jan 8, 2019 at 1:42 AM Ivan Kelly <iv...@apache.org> wrote:

> Hi folks,
>
> The pulsar proxy allows authorization to be configured, which checks
> if a role has access to a resource it is trying to access. If it does,
> the request is forwarded to the broker. At the broker, authorization
> is checked again. So my question is, what is the point of having
> authorization at the proxy at all?
>
> Cheers,
> Ivan
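
The flow described in the reply above, as an added example that is not part of the original thread and is not Pulsar code: a small Python model of a proxy that forwards a role name to a broker, with proxy authentication off and on. The HMAC token scheme, the ACL table, the key and all function names are assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed sample data (assumptions for this model, not Pulsar configuration).
TOKEN_KEY = b"constructed-demo-key"
NAMESPACE_ACL = {"tenant/ns": {"produce": {"R"}}}  # only role R may produce


def _sign(role: str) -> str:
    return hmac.new(TOKEN_KEY, role.encode(), hashlib.sha256).hexdigest()


def issue_token(role: str) -> str:
    """Stand-in for a credential issuer: binds a role name to a MAC."""
    return f"{role}.{_sign(role)}"


def authenticate(token: str):
    """Return the role the token proves, or None if the token is invalid."""
    role, _, sig = token.rpartition(".")
    ok = bool(role) and hmac.compare_digest(sig.encode(), _sign(role).encode())
    return role if ok else None


def broker_authorize(role: str, namespace: str, action: str) -> bool:
    """Broker side: is this role allowed to perform the action?"""
    return role in NAMESPACE_ACL.get(namespace, {}).get(action, set())


def proxy_connect(claimed_role, token, namespace, action, proxy_authn):
    """Proxy side: optionally authenticate, then forward the role name."""
    if proxy_authn:
        proven = authenticate(token or "")
        if proven is None or proven != claimed_role:
            return "rejected at proxy: authentication failed"
        role = proven
    else:
        role = claimed_role  # forwarded without proof; broker trusts the name
    if not broker_authorize(role, namespace, action):
        return "rejected at broker: not authorized"
    return "allowed"


if __name__ == "__main__":
    ns, act = "tenant/ns", "produce"
    print(proxy_connect("R", None, ns, act, proxy_authn=False))
    print(proxy_connect("R", "R.deadbeef", ns, act, proxy_authn=True))
    print(proxy_connect("R", issue_token("R"), ns, act, proxy_authn=True))
    print(proxy_connect("S", issue_token("S"), ns, act, proxy_authn=True))
```

The four calls cover an unproven claim with proxy authentication disabled, the same claim with it enabled, a genuine credential for R, and a genuine credential for a role that lacks permission on the namespace.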