# general
j
Still struggling with this. One extra bit of information: when setting `proxyUsers` to be `admin-user` in both broker.conf and functions_workers.yml (we run function workers on the broker), it's this which prevents the service starting:
```
Illegal combination of role [broker-client] and originalPrincipal [null]: originalPrincipal must be provided when connecting with a proxy role.
```
These messages are all logged by `AuthorizationService.isValidOriginalPrincipal`. So I'm a bit stuck between needing `proxyRoles` set in order to avoid the origin error when a user sends to the broker via the proxy, but then not having a user / `originalPrincipal` when the function worker connects to the broker? Actually, should we even need auth between function worker and broker if they're on the same host?
m
Hi Jon, I am just signing off for the evening, but I'll come back to this later tonight. Thanks for your detailed question.
whether we need a completely new role/JWT just for communication between proxy & broker?
Yes, you will need a new token with a new role. The token's role will be in the `proxyRoles` list on the broker and the function worker. The role will also need sufficient permission to do whatever the proxied clients will attempt to do. The docs describe your options for authorization. I often see users make the proxy's role a super user to simplify the deployment, but that can add some risk. The motivation for the change to a stricter proxy role configuration in 3.0 is to prevent certain kinds of misconfiguration that could occur. The misconfigurations are primarily for mTLS, but can also occur in JWT-based auth for certain edge cases.
In the interests of just "trying something", I set `proxyUsers=admin-user` but then the broker/function worker won't start.
This fails because any role that is in the `proxyRoles` set can only proxy other clients. It cannot connect directly to the broker as a standalone client.
Actually, should we even need auth between function worker and broker if they're on the same host?
This completely depends on your risk profile. One important detail is that the function worker connects to multiple brokers, so it isn't technically just connecting to the local host. Also, the broker connects to other brokers. Let me know if this helps.
Also, I can re-review the docs in my day tomorrow, but if you have specific feedback about anything that is confusing, I'd really appreciate your input.
j
And thank you Michael for your detailed response! I have made progress by introducing separate JWT for proxy-to-broker/broker-to-broker/functions-to-broker communication. Let me review your feedback and report back.