Slackbot
05/15/2023, 11:16 AM

Jon P
05/16/2023, 10:42 AM
proxyUsers to be admin-user in both broker.conf and functions_workers.yml (we run function workers on the broker); it's this which prevents the service starting:
Illegal combination of role [broker-client] and originalPrincipal [null]: originalPrincipal must be provided when connecting with a proxy role.
These messages are all logged by AuthorizationService.isValidOriginalPrincipal. So I'm a bit stuck between needing proxyRoles set in order to avoid the origin error when a user sends to the broker via the proxy, but then not having a user / originalPrincipal when the function worker connects to the broker? Actually, should we even need auth between function worker and broker if they're on the same host?

Michael Marshall
05/17/2023, 10:22 PM

Michael Marshall
05/18/2023, 5:14 AM
> whether we need a completely new role/JWT just for communication between proxy & broker?
Yes, you will need a new token with a new role. The token's role will be in the proxyRoles list on the broker and the function worker. The role will also need sufficient permission to do whatever the proxied clients will attempt to do. The docs describe your options for authorization. I often see users make the proxy's role a super user to simplify the deployment, but that can add some risk.
The motivation for the change to a stricter proxy role configuration in 3.0 is to prevent certain kinds of misconfiguration that could occur. The misconfigurations are primarily for mTLS, but can also occur in JWT-based auth for certain edge cases.
> In the interests of just "trying something", I set proxyUsers=admin-user but then the broker/function worker won't start.
This fails because any role that is in the proxyRoles set can only proxy other clients. It cannot connect directly to the broker as a standalone client.
> Actually, should we even need auth between function worker and broker if they're on the same host?
This completely depends on your risk profile. One important detail is that the function worker connects to multiple brokers, so it isn't technically just connecting to the local host. Also, the broker connects to other brokers. Let me know if this helps.

Michael Marshall
05/18/2023, 5:15 AM

Jon P
05/19/2023, 9:48 AM