> Assume a role/principal R has permissions to produce on a namespace. If > we don't authenticate at the proxy then anyone (attacker) can say that they > belong to role R and connect to the proxy, the proxy will forward the role > name to the broker which will authorize it and allow access. Instead, we > need to *authenticate* at the proxy and reject all connections which are > trying to falsify their credentials and then the broker will reject all > roles/principal which are not *authorized* to access the namespace.
Well, yes, that's what I would expect to happen. So what is the point of have auth*ORIZATION* in the proxy? If the broker is going to apply the authorization anyhow, shouldn't we do authentication at the proxy level? -Ivan
