pulsar icon indicating copy to clipboard operation
pulsar copied to clipboard

Published 20 hours ago verified publisher icon apache

PIP-206: Refresh different authentication data

Open nodece opened this issue 2 years ago • 2 comments

Motivation

The client supports passing two types of authentication data to connect to the broker, self-authentication data and original authentication data in the CommandConnect command.

self-authentication: The self-authentication data comes from the client directly connected to the broker -> CommandConnect.authData.

original-authentication: If a client with original authentication data, usually this client is a proxy, this original authentication data should be from the user client and forwarded by the proxy -> CommandConnect.originalAuthData.

When connected to the broker, the broker starts a thread to check if the authentication data is expired. When both authentication data exist, the broker only supports refreshing the original authentication data and ignores refreshing the self-authentication data. When self-authentication data is expired, we must consider how to refresh the self-authentication data.

Goal

Propose an approach that refreshes the different authentication data.

API Changes

  1. Add the original_auth_data field represents which authentication data is refreshed.
message CommandAuthResponse {
    optional bool original_auth_data = 4 [default = false];
}
  1. Add the refreshOriginalAuthentication method to the AuthenticationState interface.
public interface AuthenticationState {
     /**
     * If the authentication state supports refreshing and the credentials are expired,
     * the auth provider will call this method to initiate the refresh process.
     * <p>
     * The auth state here will return the broker side data that will be used to send
     * a challenge to the client
     *
     * @return the {@link AuthData} for the broker challenge to client
     * @throws AuthenticationException
     */
    default AuthData refreshOriginalAuthentication() throws AuthenticationException {
        return AuthData.of("PulsarOriginalAuthRefresh".getBytes(StandardCharsets.UTF_8));
    }
}

Implementation

For the broker, we need to add a method on the org.apache.pulsar.broker.service.PulsarChannelInitializer for checking the self-authentication data is expired.

For the client like the original client, or the proxy client, we need to parse the original_auth_data field from the CommandAuthChallenge command, then respond the correct authentication data to the broker to refresh the authentication data.

For the proxy handler, we need to do some forwarding operations to refresh authentication data.

Alternatives

No response

Anything else?

This change is fully compatible with different versions of client and broker, if the client fails to authenticate, the broker disconnects.

Reference

  • https://github.com/apache/pulsar/issues/10816

nodece avatar Sep 07 '22 10:09 nodece

@nodece Could you please provide more context about the difference of the self/original auth data?

codelipenghui avatar Sep 21 '22 09:09 codelipenghui

@codelipenghui This PIP has been updated.

nodece avatar Sep 21 '22 10:09 nodece

@codelipenghui @michaeljmarshall @merlimat @eolivelli Could you review this PIP? This is important fix.

nodece avatar Oct 11 '22 10:10 nodece

I have discussed this with @codelipenghui, @tuteng, and @mattisonchao offline. We will handle this issue on the proxy module to avoid adding complex logic to the broker. Just keep one authentication data on the broker!

nodece avatar Oct 12 '22 08:10 nodece

Thanks @nodece, that makes sense to me. Sorry for my delayed review, I'll try to review the next draft quicker.

michaeljmarshall avatar Oct 12 '22 17:10 michaeljmarshall