You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@pulsar.apache.org by zh...@apache.org on 2019/03/13 02:18:40 UTC
[pulsar.wiki] branch master updated: Updated PIP 30: change
authentication provider API to support mutual authentication (markdown)
This is an automated email from the ASF dual-hosted git repository.
zhaijia pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/pulsar.wiki.git
The following commit(s) were added to refs/heads/master by this push:
new 0638259 Updated PIP 30: change authentication provider API to support mutual authentication (markdown)
0638259 is described below
commit 06382598a27ed8b519ba357bba03be41bc25ba18
Author: Jia Zhai <zh...@apache.org>
AuthorDate: Wed Mar 13 10:18:39 2019 +0800
Updated PIP 30: change authentication provider API to support mutual authentication (markdown)
---
...rovider-API-to-support-mutual-authentication.md | 42 ++++++++++------------
1 file changed, 18 insertions(+), 24 deletions(-)
diff --git a/PIP-30:-change-authentication-provider-API-to-support-mutual-authentication.md b/PIP-30:-change-authentication-provider-API-to-support-mutual-authentication.md
index df2a9b0..8a4c264 100644
--- a/PIP-30:-change-authentication-provider-API-to-support-mutual-authentication.md
+++ b/PIP-30:-change-authentication-provider-API-to-support-mutual-authentication.md
@@ -16,20 +16,25 @@ So this PIP is try to discuss the interface changes to support mutual authentica
In Pulsar, authentication is happened when a new connection is creating between client and broker. When connecting, Client sends authentication data to Broker by `CommandConnect`, and Broker do the authentication and once success send command `CommandConnected` back to client.
-In PulsarApi.proto, [CommandConnect](https://github.com/apache/pulsar/blob/master/pulsar-common/src/main/proto/PulsarApi.proto#L173), it contains `auth_method_name` and `auth_data` fields. But broker no need to send auth data to client, so CommandConnected not contains auth data.
+In PulsarApi.proto, [CommandConnect](https://github.com/apache/pulsar/blob/master/pulsar-common/src/main/proto/PulsarApi.proto#L173), it contains `auth_method_name` and `auth_data` fields. But broker no need to send auth data to client, so add new command CommandAuthResponse and CommandAuthChallenge to carry the data between client and broker.
```
-message CommandConnect {
- required string client_version = 1;
- optional AuthMethod auth_method = 2; // Deprecated. Use "auth_method_name" instead.
- optional string auth_method_name = 5;
- optional bytes auth_data = 3;
- …
+message CommandAuthResponse {
+ optional string client_version = 1;
+ optional AuthData response = 2;
+ optional int32 protocol_version = 3 [default = 0];
}
-message CommandConnected {
- required string server_version = 1;
- optional int32 protocol_version = 2 [default = 0];
+message CommandAuthChallenge {
+ optional string server_version = 1;
+ optional AuthData challenge = 2;
+ optional int32 protocol_version = 3 [default = 0];
+}
+
+// To support mutual authentication type, such as Sasl, reuse this command to mutual auth.
+message AuthData {
+ optional string auth_method_name = 1;
+ optional bytes auth_data = 2;
}
```
@@ -37,30 +42,19 @@ The propose is to reuse these 2 commands related to connecting and auth, and als
A basic logic for the mutual authentication is like this :
-1, Client side newConnectCommand(authDataClient) and send to Broker;
+1, Client side newConnectCommand(init auth) and send to Broker;
2, Broker side handleConnect(authDataClient), do the auth in Broker side, and get authDataBroker.
- If auth is complete Broker.newConnected(), finish the auth, and send command back to Client.
-- If auth is not complete, Broker.newConnecting(authDataBroker) and send command back to Client.
+- If auth is not complete, Broker.newAuthChallenge(authDataBroker) and send command back to Client.
3, Client side
- If received Connected command, complete the auth, and connection established.
-- If received Connecting command, do the auth with authDataBroker, and get authDataClient, then send connect command back to Broker. Broker will repeat the process of step 2 until auth complete.
+- If received AuthChallenge command, do the auth with authDataBroker, and get authDataClient, then send AuthResponse back to Broker. Broker will repeat the process of step 2 until auth complete.
## Changes
### Proto
-In PulsarApi.proto, [CommandConnected](https://github.com/apache/pulsar/blob/master/pulsar-common/src/main/proto/PulsarApi.proto#L197) need to add auth data fields. So Broker could reuse this command to send auth data back to Client.
-
-```
-message CommandConnected {
- required string server_version = 1;
- optional int32 protocol_version = 2 [default = 0];
- // To support mutual authentication type, such as Sasl, reuse this command to do mutual auth.
- optional string auth_method_name = 3;
- optional bytes auth_data = 4;
-}
-```
### API changes