> This is already the case for both HTTP and pulsar protocols We have a flag to control the value of authentication data. See https://github.com/apache/pulsar/blob/82237d3684fe506bcb6426b3b23f413422e6e4fb/pulsar-proxy/src/main/java/org/apache/pulsar/proxy/server/ProxyConnection.java#L316-L322 .
> Is it sufficient to enable authenticateOriginalAuthData? We need to set the `forwardAuthorizationCredentials=true` in the `proxy.conf` and `authenticateOriginalAuthData` in the `broker.conf`. I suggest we remove this config to make logic clean, don't edit this by the user. Michael Marshall <mmarsh...@apache.org> 于2022年11月1日周二 04:25写道: > Thanks for starting this thread, Zixuan. > > For additional context, I provided some related feedback in comments > on this PR: https://github.com/apache/pulsar/pull/18130. > > > So I suggest the proxy should always forward the authentication data from > > the client. > > This is already the case for both HTTP and pulsar protocols: > > https://github.com/apache/pulsar/blob/82237d3684fe506bcb6426b3b23f413422e6e4fb/pulsar-proxy/src/main/java/org/apache/pulsar/proxy/server/DirectProxyHandler.java#L327-L328 > > https://github.com/apache/pulsar/blob/82237d3684fe506bcb6426b3b23f413422e6e4fb/pulsar-proxy/src/main/java/org/apache/pulsar/proxy/server/ProxyClientCnx.java#L62-L64 > > I investigated the code snippet referenced above (one example linked > here [0]), and I noticed that the main difference comes from this > broker setting "authenticateOriginalAuthData". > > When `authenticateOriginalAuthData` is set to false, > `originalAuthDataSource` is always null in the ServerCnx. This looks > like a consequence of how the `originalAuthDataSource` is built > because the authentication provider builds the `originalAuthState`, > which then builds the `originalAuthDataSource`. See [1]. > > Is it sufficient to enable authenticateOriginalAuthData? > > Thanks, > Michael > > [0] > https://github.com/apache/pulsar/blob/8f8637a75e05f271bdc8fa2081284d39bc5de972/pulsar-broker/src/main/java/org/apache/pulsar/broker/service/ServerCnx.java#L407-L409 > [1] > https://github.com/apache/pulsar/blob/8f8637a75e05f271bdc8fa2081284d39bc5de972/pulsar-broker/src/main/java/org/apache/pulsar/broker/service/ServerCnx.java#L906-L942 > > On Mon, Oct 31, 2022 at 5:29 AM Zixuan Liu <node...@gmail.com> wrote: > > > > Hi all, > > > > I want to discuss the authentication data issue, which affects the > > authorization operation. > > > > For the default to authorization provider, we only used the role to check > > the permission, the authentication data was ignored. When a user wants to > > customize an authorization provider, the user can care for the > > authentication data and role, sometimes the Pulsar cannot pass the > correct > > authentication data to the authorization provider. > > > > So like: > > ``` > > if (originalPrincipal != null) { > > isProxyAuthorizedFuture = > > service.getAuthorizationService().allowTopicOperationAsync( > > topicName, operation, originalPrincipal, > > originalAuthDataSource != null ? originalAuthDataSource : > > authDataSource); > > } > > ``` > > > > For the above code, when `originalAuthDataSource` is null, use the > > `authDataSource` instead. This results in a mismatch between the > > authentication data and the role. > > > > The `originalAuthDataSource` is the authentication data of the user > client > > forwarded by the proxy. When the proxy doesn't forward this > authentication > > data, we cannot get the correct authentication data in the authorization > > provider. > > > > So I suggest the proxy should always forward the authentication data from > > the client. Another important reason is that we usually check the > > permission of the user client, not the proxy client. > > > > Please let me know your idea. > > > > Thanks, > > Zixuan >
