Posted to dev@pulsar.apache.org by Zixuan Liu <no...@gmail.com> on 2022/08/16 15:02:15 UTC

[DISCUSS] Add an auth data const for refresh the original auth data

Hi all,

Refreshing the authentication data that comes from the client is important. We
have two types of authentication data, direct authentication data and
original authentication data:

1. Direct authentication data
The client/proxy directly connected to the broker brings the authentication
data, which is direct authentication data.

When the direct authentication data is expired, the broker sends the
`newAuthChallenge` command with `AuthData.REFRESH_AUTH_DATA` data to the
client to refresh the authentication data.

2. Original authentication data
We add a proxy between the client and the broker; both the proxy and the
client bring authentication data to request the broker. The
authentication data from the proxy is direct authentication data, and the
authentication data from the client is original authentication data.

The broker can refresh the direct authentication data, but when we are
using the proxy, the broker could not refresh the original
authentication data, because we haven't any action to request a refresh of
the original authentication data. So we need to add an auth data const to
request a refresh of the original authentication data, like
`AuthData.REFRESH_AUTH_DATA`.

Once most people agree with this, I'll make a PIP.

References:

- https://github.com/apache/pulsar/pull/13339
- https://github.com/apache/pulsar/issues/10816

Thanks,
Zixuan
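
A toy model of the flow described in the message above, added here as an illustration; it is not Pulsar code and does not come from the thread's author. The class names, the byte values, the token lifetime and the name `REFRESH_ORIGINAL_AUTH_DATA` for the proposed constant are assumptions.

```python
from dataclasses import dataclass

# Stand-in for the existing AuthData.REFRESH_AUTH_DATA marker (value is made up).
REFRESH_AUTH_DATA = b"refresh-direct"
# Hypothetical name and value for the constant the thread proposes to add.
REFRESH_ORIGINAL_AUTH_DATA = b"refresh-original"
TTL = 10  # constructed token lifetime, in abstract time units


@dataclass
class Token:
    subject: str
    expires_at: int

    def expired(self, now: int) -> bool:
        return now >= self.expires_at


class UserClient:
    """The end user's client; it talks only to the proxy."""

    def on_auth_challenge(self, challenge: bytes, now: int):
        if challenge == REFRESH_AUTH_DATA:
            return Token("user", now + TTL)
        return None


class Proxy:
    """Authenticates to the broker as itself and relays the user's token."""

    def __init__(self, user: UserClient):
        self.user = user

    def on_auth_challenge(self, challenge: bytes, now: int):
        if challenge == REFRESH_AUTH_DATA:
            # Direct auth data: the proxy renews its own token.
            return Token("proxy", now + TTL)
        if challenge == REFRESH_ORIGINAL_AUTH_DATA:
            # Proposed path: ask the user client, then relay its answer.
            return self.user.on_auth_challenge(REFRESH_AUTH_DATA, now)
        return None


class Broker:
    """Tracks both tokens of one proxied connection."""

    def __init__(self, peer: Proxy, has_original_const: bool):
        self.peer = peer
        self.has_original_const = has_original_const
        self.direct = Token("proxy", TTL)
        self.original = Token("user", TTL)

    def refresh_expired(self, now: int) -> dict:
        """Challenge the peer for each expired token; report what stays expired."""
        if self.direct.expired(now):
            fresh = self.peer.on_auth_challenge(REFRESH_AUTH_DATA, now)
            self.direct = fresh or self.direct
        if self.original.expired(now) and self.has_original_const:
            fresh = self.peer.on_auth_challenge(REFRESH_ORIGINAL_AUTH_DATA, now)
            self.original = fresh or self.original
        return {"direct_expired": self.direct.expired(now),
                "original_expired": self.original.expired(now)}


def run(has_original_const: bool, now: int = TTL) -> dict:
    """Build one proxied connection and run a single expiry check at time `now`."""
    broker = Broker(Proxy(UserClient()), has_original_const)
    return broker.refresh_expired(now)


if __name__ == "__main__":
    print("without the constant:", run(False))
    print("with the constant:   ", run(True))
```

Without the second constant the broker in this model renews only the proxy's token and the user's token stays expired; with it, both are renewed in the same check.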

Re: [DISCUSS] Add an auth data const for refresh the original auth data

Posted by Zixuan Liu <no...@gmail.com>.
See https://github.com/apache/pulsar/issues/17517.

Asaf Mesika <as...@gmail.com> wrote on Mon, Oct 3, 2022 at 19:47:

> I kind of lost you here Zixuan.
>
> Is there any chance you describe the authentication flow including the
> commands? Then specify the change you wish to make?

Re: [DISCUSS] Add an auth data const for refresh the original auth data

Posted by Asaf Mesika <as...@gmail.com>.
I kind of lost you here Zixuan.

Is there any chance you describe the authentication flow including the
commands? Then specify the change you wish to make?


On Thu, Aug 18, 2022 at 5:21 AM Zixuan Liu <no...@gmail.com> wrote:

> A little confusing here is that both ProxyClient and DirectProxyHandler
> pass original authentication and direct authentication data, but the broker
> can only check if the original authentication data is expired.
> This is the expected behavior, right? What if the direct authentication
> data is expired?
>
> Proxy connect method:
>
> https://github.com/apache/pulsar/blob/master/pulsar-proxy/src/main/java/org/apache/pulsar/proxy/server/DirectProxyHandler.java#L327
>
> https://github.com/apache/pulsar/blob/master/pulsar-proxy/src/main/java/org/apache/pulsar/proxy/server/ProxyClientCnx.java#L57
>
> Broker refresh method:
>
> https://github.com/apache/pulsar/blob/master/pulsar-broker/src/main/java/org/apache/pulsar/broker/service/ServerCnx.java#L723
>
> Thanks,
> Zixuan

Re: [DISCUSS] Add an auth data const for refresh the original auth data

Posted by Zixuan Liu <no...@gmail.com>.
A little confusing here is that both ProxyClient and DirectProxyHandler
pass original authentication and direct authentication data, but the broker
can only check if the original authentication data is expired.
This is the expected behavior, right? What if the direct authentication
data is expired?

Proxy connect method:
https://github.com/apache/pulsar/blob/master/pulsar-proxy/src/main/java/org/apache/pulsar/proxy/server/DirectProxyHandler.java#L327
https://github.com/apache/pulsar/blob/master/pulsar-proxy/src/main/java/org/apache/pulsar/proxy/server/ProxyClientCnx.java#L57

Broker refresh method:
https://github.com/apache/pulsar/blob/master/pulsar-broker/src/main/java/org/apache/pulsar/broker/service/ServerCnx.java#L723

Thanks,
Zixuan

Zixuan Liu <no...@gmail.com> wrote on Thu, Aug 18, 2022 at 10:11:

> > So the problem is that the Proxy is not requesting a refresh ?
>
> It should be the proxy client.
>
> Zixuan

Re: [DISCUSS] Add an auth data const for refresh the original auth data

Posted by Zixuan Liu <no...@gmail.com>.
> So the problem is that the Proxy is not requesting a refresh ?

It should be the proxy client.

Zixuan

Enrico Olivelli <eo...@gmail.com> wrote on Wed, Aug 17, 2022 at 23:35:

> So the problem is that the Proxy is not requesting a refresh ?
>
> Enrico

Re: [DISCUSS] Add an auth data const for refresh the original auth data

Posted by Enrico Olivelli <eo...@gmail.com>.
So the problem is that the Proxy is not requesting a refresh ?

Enrico

On Wed, Aug 17, 2022 at 16:26, Zixuan Liu
<no...@gmail.com> wrote:
>
> Thank @Qiang!
>
> Update the diagram:
> https://drive.google.com/file/d/1E6z0dzXzvW5ZxG6d6YUghL9OikA8j4UC/view?usp=sharing
>
> Thanks,
> Zixuan

Re: [DISCUSS] Add an auth data const for refresh the original auth data

Posted by Zixuan Liu <no...@gmail.com>.
Thank @Qiang!

Update the diagram:
https://drive.google.com/file/d/1E6z0dzXzvW5ZxG6d6YUghL9OikA8j4UC/view?usp=sharing

Thanks,
Zixuan

Qiang Huang <qi...@gmail.com> wrote on Wed, Aug 17, 2022 at 19:13:

> It makes sense to me. BTW, the image is broken.
>
> --
> BR,
> Qiang Huang
>

Re: [DISCUSS] Add an auth data const for refresh the original auth data

Posted by Qiang Huang <qi...@gmail.com>.
It makes sense to me. BTW, the image is broken.

Zixuan Liu <no...@gmail.com> wrote on Wed, Aug 17, 2022 at 11:10:

> Note that there are two clients, the user client, and the proxy client.
> When the original authentication data expires, the user client cannot send a
> request to the proxy to find the broker URL. We haven't tests to cover this.
>
> A simple diagram represents workflow:
> [image: image.png]
> Both connections pass the proxy client and the user client authentication
> data.
>
> Thanks,
> Zixuan

-- 
BR,
Qiang Huang

Re: [DISCUSS] Add an auth data const for refresh the original auth data

Posted by Zixuan Liu <no...@gmail.com>.
Note that there are two clients, the user client, and the proxy client.
When the original authentication data expires, the user client cannot send a
request to the proxy to find the broker URL. We haven't tests to cover this.

A simple diagram represents workflow:
[image: image.png]
Both connections pass the proxy client and the user client authentication
data.

Thanks,
Zixuan
