Hi all,
I want to discuss the authentication data issue, which affects the
authorization operation.
For the default to authorization provider, we only used the role to check
the permission, the authentication data was ignored. When a user wants to
customize an authorization provider, the user can care for the
authentication data and role, sometimes the Pulsar cannot pass the correct
authentication data to the authorization provider.
So like:
```
if (originalPrincipal != null) {
isProxyAuthorizedFuture =
service.getAuthorizationService().allowTopicOperationAsync(
topicName, operation, originalPrincipal,
originalAuthDataSource != null ? originalAuthDataSource :
authDataSource);
}
```
For the above code, when `originalAuthDataSource` is null, use the
`authDataSource` instead. This results in a mismatch between the
authentication data and the role.
The `originalAuthDataSource` is the authentication data of the user client
forwarded by the proxy. When the proxy doesn't forward this authentication
data, we cannot get the correct authentication data in the authorization
provider.
So I suggest the proxy should always forward the authentication data from
the client. Another important reason is that we usually check the
permission of the user client, not the proxy client.
Please let me know your idea.
Thanks,
Zixuan
