-
Notifications
You must be signed in to change notification settings - Fork 3.6k
PIP 9: Adding more Security checks to Pulsar Proxy
Status: Adopted Author: Jai Asher Pull Request: #1002
Reference: https://github.com/apache/incubator-pulsar/wiki/PIP-1:-Pulsar-Proxy
The machine hosting the Pulsar proxy will have a public IP and susceptible to all kinds of web attacks. The aim of this PIP is to minimize the damage caused by a compromised proxy on the entire service. Specifically, we want to make the following changes:-
The current implementation of Pulsar proxy requires access to zookeeper in order to find the next available broker and Authorize the client. If the Proxy is compromised and the attacker has access to zookeeper machines then the entire service is compromised and can be brought down. In order to prevent this, the proxy will no longer talk directly to zookeeper.
Currently, if a proxy is compromised and the attacker has knowledge of the Athens principal name of a topic/admin - the proxy can produce/consume from any topic. In order to prevent this, the proxy will be authorized to access only specific topic (AuthAction - proxy). In the worse case scenario if the compromised and the attacker has knowledge of the Athens principal name of a topic/admin - the proxy can produce/consume from only specific topics - just like any other client.
Following has been done to make the Pulsar Proxy more secure:-
The proxy can now connect to broker service URL for lookups if discovery service is disabled in the proxy.
A new auth action is added which allows admin to restrict whether a topic is proxyable or not
The proxy only authenticates the client and passes along the client's role/principal name (athens) to the broker. The broker authenticates and authorizes the proxy and authorizes the client role/principal name.
- During Producer/Consumer Creation - if the request is via a proxy the proxy is authorized as well as the original principal
- During lookups and getPartitionMetaData - since the proxy uses shared connection pool for lookup and getPartitionMetaData we will pass the original principal as a part of the request and authorize the proxy and client role/principal name.
- Added a new optional field original principal to the lookup and getPartitionMetaData request.
- New class to handle lookups via discovery service url