Posted to dev@pulsar.apache.org by Asaf Mesika <as...@gmail.com> on 2022/10/03 11:47:34 UTC

Re: [DISCUSS] Add an auth data const for refresh the original auth data

I kind of lost you here Zixuan.

Is there any chance you could describe the authentication flow, including the
commands? Then specify the change you wish to make?


On Thu, Aug 18, 2022 at 5:21 AM Zixuan Liu <no...@gmail.com> wrote:

> A little confusing here is that both ProxyClient and DirectProxyHandler
> pass original authentication and direct authentication data, but the broker
> can only check if the original authentication data is expired.
> This is the expected behavior, right? What if the direct authentication
> data is expired?
>
> Proxy connect method:
>
> https://github.com/apache/pulsar/blob/master/pulsar-proxy/src/main/java/org/apache/pulsar/proxy/server/DirectProxyHandler.java#L327
>
> https://github.com/apache/pulsar/blob/master/pulsar-proxy/src/main/java/org/apache/pulsar/proxy/server/ProxyClientCnx.java#L57
>
> Broker refresh method:
>
> https://github.com/apache/pulsar/blob/master/pulsar-broker/src/main/java/org/apache/pulsar/broker/service/ServerCnx.java#L723
>
> Thanks,
> Zixuan
>
> Zixuan Liu <no...@gmail.com> wrote on Thu, Aug 18, 2022 at 10:11:
>
> > > So the problem is that the Proxy is not requesting a refresh ?
> >
> > It should be the proxy client.
> >
> > Zixuan
> >
> > Enrico Olivelli <eo...@gmail.com> wrote on Wed, Aug 17, 2022 at 23:35:
> >
> >> So the problem is that the Proxy is not requesting a refresh ?
> >>
> >> Enrico
> >>
> >> On Wed, Aug 17, 2022 at 16:26, Zixuan Liu
> >> <no...@gmail.com> wrote:
> >> >
> >> > Thanks @Qiang!
> >> >
> >> > Updated the diagram:
> >> >
> >> > https://drive.google.com/file/d/1E6z0dzXzvW5ZxG6d6YUghL9OikA8j4UC/view?usp=sharing
> >> >
> >> > Thanks,
> >> > Zixuan
> >> >
> >> > Qiang Huang <qi...@gmail.com> wrote on Wed, Aug 17, 2022 at 19:13:
> >> >
> >> > > It makes sense to me. BTW, the image is broken.
> >> > >
> >> > > Zixuan Liu <no...@gmail.com> wrote on Wed, Aug 17, 2022 at 11:10:
> >> > >
> >> > > > Note that there are two clients, the user client, and the proxy client.
> >> > > > When the original authentication data expires, the user client cannot send a
> >> > > > request to the proxy to find the broker URL. We don't have tests to cover this.
> >> > > >
> >> > > > A simple diagram represents the workflow:
> >> > > > [image: image.png]
> >> > > > Both connections pass the proxy client and the user client authentication
> >> > > > data.
> >> > > >
> >> > > > Thanks,
> >> > > > Zixuan
> >> > > >
> >> > > > Zixuan Liu <no...@gmail.com> wrote on Tue, Aug 16, 2022 at 23:02:
> >> > > >
> >> > > >> Hi all,
> >> > > >>
> >> > > >> Refreshing the authentication data that comes from the client is important. We
> >> > > >> have two types of authentication data, direct authentication data and
> >> > > >> original authentication data:
> >> > > >>
> >> > > >> 1. Direct authentication data
> >> > > >> The authentication data brought by the client/proxy that connects directly to
> >> > > >> the broker is the direct authentication data.
> >> > > >>
> >> > > >> When the direct authentication data is expired, the broker sends the
> >> > > >> `newAuthChallenge` command with `AuthData.REFRESH_AUTH_DATA` data to the
> >> > > >> client to refresh the authentication data.
> >> > > >>
> >> > > >> 2. Original authentication data
> >> > > >> When we add a proxy between the client and the broker, both the proxy and the
> >> > > >> client bring authentication data to the broker: the authentication data
> >> > > >> from the proxy is the direct authentication data, and the authentication
> >> > > >> data from the client is the original authentication data.
> >> > > >>
> >> > > >> The broker can refresh the direct authentication data, but when we are
> >> > > >> using the proxy, the broker cannot refresh the original authentication
> >> > > >> data, because we don't have any action to request a refresh of the original
> >> > > >> authentication data. So we need to add an auth data const to request a
> >> > > >> refresh of the original authentication data, like
> >> > > >> `AuthData.REFRESH_AUTH_DATA`.
> >> > > >>
> >> > > >> Once most people agree with this, I'll make a PIP.
> >> > > >>
> >> > > >> References:
> >> > > >>
> >> > > >> - https://github.com/apache/pulsar/pull/13339
> >> > > >> - https://github.com/apache/pulsar/issues/10816
> >> > > >>
> >> > > >> Thanks,
> >> > > >> Zixuan
> >> > > >>
> >> > > >>
> >> > >
> >> > > --
> >> > > BR,
> >> > > Qiang Huang
> >> > >
> >>
> >
>
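
Added example, not part of the thread and not Pulsar code: a toy Python model of the refresh gap described in the quoted proposal, showing which credential stays expired on a proxied connection. Only `REFRESH_AUTH_DATA` appears in the thread; `REFRESH_ORIGINAL_AUTH_DATA`, the class and function names, the timestamps and the way the proxy obtains fresh user data are assumptions.

```python
from dataclasses import dataclass

# Toy model of the thread's scenario; none of this is Pulsar code.
REFRESH_AUTH_DATA = "REFRESH_AUTH_DATA"                    # constant named in the thread
REFRESH_ORIGINAL_AUTH_DATA = "REFRESH_ORIGINAL_AUTH_DATA"  # hypothetical name for the proposed one
TTL = 60  # constructed credential lifetime, in seconds


@dataclass
class Credential:
    principal: str
    expires_at: int

    def expired(self, now):
        return now >= self.expires_at


class Proxy:
    """Peer of the broker: owns the direct credential, relays the user's original one."""

    def on_auth_challenge(self, kind, now):
        if kind == REFRESH_ORIGINAL_AUTH_DATA:
            # Assumption: the proxy obtains fresh data from the user client.
            return "original", Credential("user", now + TTL)
        return "direct", Credential("proxy", now + TTL)


class BrokerConnection:
    def __init__(self, peer, direct, original=None, can_refresh_original=False):
        self.peer, self.direct, self.original = peer, direct, original
        self.can_refresh_original = can_refresh_original

    def refresh_tick(self, now):
        """One pass of the periodic expiry check; returns the challenges sent."""
        sent = []
        if self.direct.expired(now):
            sent.append(REFRESH_AUTH_DATA)
        if self.original and self.original.expired(now) and self.can_refresh_original:
            sent.append(REFRESH_ORIGINAL_AUTH_DATA)
        for kind in sent:
            slot, fresh = self.peer.on_auth_challenge(kind, now)
            setattr(self, slot, fresh)
        return sent

    def stale(self, now):
        """Names of credentials still expired after the check."""
        pairs = (("direct", self.direct), ("original", self.original))
        return [n for n, c in pairs if c and c.expired(now)]


def run(can_refresh_original, now=100):
    conn = BrokerConnection(Proxy(), Credential("proxy", 90), Credential("user", 90),
                            can_refresh_original)
    return conn.refresh_tick(now), conn.stale(now)
```

`run(False)` models the situation the proposal describes (the original credential remains stale after the check), and `run(True)` models the connection once a second constant exists.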

Re: [DISCUSS] Add an auth data const for refresh the original auth data

Posted by Zixuan Liu <no...@gmail.com>.
See https://github.com/apache/pulsar/issues/17517.
