Posted to commits@pulsar.apache.org by GitBox <gi...@apache.org> on 2020/06/19 08:52:46 UTC

[GitHub] [pulsar] massakam opened a new pull request #7311: [client] Fix issue where HTTP header used in Athenz authentication can not be renamed

massakam opened a new pull request #7311:
URL: https://github.com/apache/pulsar/pull/7311


   ### Motivation
   
   The authentication plugin for Athenz allows users to change the name of the HTTP header for sending an authentication token to a broker server with a parameter named `roleHeader`.
   
   `AuthenticationAthenz` sets the value of `roleHeader` to the system property `athenz.auth.role.header`.
   https://github.com/apache/pulsar/blob/12a5001cbbb205ba7811317eeb02f40912e45b56/pulsar-client-auth-athenz/src/main/java/org/apache/pulsar/client/impl/auth/AuthenticationAthenz.java#L151-L153
   
   The Athenz class `ZTSClient` gets the header name from the system property and sets it in a static field. If no value is set in the system property, the default value is "Athenz-Role-Auth".
   https://github.com/yahoo/athenz/blob/62350364e0b3ffecbca13d5c74a5d5d4c7b0df01/clients/java/zts/core/src/main/java/com/yahoo/athenz/zts/ZTSClient.java#L157-L158
   
   `ZTSClient.getHeader()` returns the value of this static field, and the Pulsar client uses this returned value as the header name.
   https://github.com/apache/pulsar/blob/12a5001cbbb205ba7811317eeb02f40912e45b56/pulsar-client-auth-athenz/src/main/java/org/apache/pulsar/client/impl/auth/AuthenticationAthenz.java#L83
   
   Now, if `ZTSClient` is used before the `AuthenticationAthenz` instance is initialized, the problem arises. In this case, `ZTSClient` sets the default value in the static field before `AuthenticationAthenz` sets the header name in the system property. Therefore, the default header name "Athenz-Role-Auth" is always used.
   
   This can be reproduced with test code like this (the `...` in the JSON stands for the remaining Athenz parameters):
   ```java
   import com.yahoo.athenz.zts.ZTSClient;
   import org.apache.pulsar.client.impl.auth.AuthenticationAthenz;

   // Load ZTSClient class before the plugin is configured; its static
   // initializer reads athenz.auth.role.header (unset here) and caches the default
   System.setProperty("athenz.athenz_conf", "/path/to/athenz.conf");
   ZTSClient.getHeader();

   // Configure the plugin afterwards: roleHeader is written to the system
   // property, but the static field in ZTSClient was already populated
   AuthenticationAthenz auth = new AuthenticationAthenz();
   auth.configure("{\"roleHeader\": \"Test-Role-Header\", ... }");

   System.out.println("expected: Test-Role-Header");
   System.out.println("actual:   " + auth.getAuthData().getHttpHeaders().iterator().next().getKey());
   ```
   Execution result:
   ```
   expected: Test-Role-Header
   actual:   Athenz-Role-Auth
   ```
   
   ### Modifications
   
   Hold the value of the `roleHeader` parameter on the `AuthenticationAthenz` side, and use it directly as the header name.


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org
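The class-initialization ordering the PR describes, as an added example that is not part of the PR or of the Pulsar/Athenz code: `FakeZtsClient` is a constructed stand-in for `ZTSClient` that caches the system property in a static field at class-initialization time, `BeforeFix` mirrors the old path through the system property, and `AfterFix` mirrors the fix of holding `roleHeader` in the plugin itself. Commenting out the early `FakeZtsClient.getHeader()` call in `main` makes the old path "work" again, which is exactly the order dependence the PR removes.

```java
// Stand-in for ZTSClient (constructed for this example, not the Athenz class):
// the header name is read from the system property once, when the class is
// initialized, and cached in a static field. Later property changes are invisible.
final class FakeZtsClient {
    private static final String HEADER =
            System.getProperty("athenz.auth.role.header", "Athenz-Role-Auth");

    static String getHeader() {
        return HEADER;
    }
}

// Old behaviour: push roleHeader into the system property, then ask the
// ZTSClient stand-in for the header name. Correct only if the stand-in has
// not been initialized yet.
final class BeforeFix {
    static String headerName(String roleHeader) {
        System.setProperty("athenz.auth.role.header", roleHeader);
        return FakeZtsClient.getHeader();
    }
}

// Fixed behaviour: the plugin keeps the configured roleHeader itself and uses
// it directly, so class-loading order no longer matters.
final class AfterFix {
    private final String roleHeader;

    AfterFix(String roleHeader) {
        this.roleHeader = roleHeader;
    }

    String headerName() {
        return roleHeader;
    }
}

public class RoleHeaderOrderDemo {
    public static void main(String[] args) {
        // Something touches the ZTSClient stand-in before the plugin is configured.
        FakeZtsClient.getHeader();

        String configured = "Test-Role-Header";
        String before = BeforeFix.headerName(configured);
        String after = new AfterFix(configured).headerName();

        // A broker expecting the renamed header would never see the token on the old path.
        System.out.println("configured: " + configured);
        System.out.println("before fix: " + before + (before.equals(configured) ? "" : "  (MISMATCH)"));
        System.out.println("after fix:  " + after + (after.equals(configured) ? "" : "  (MISMATCH)"));
    }
}
```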



[GitHub] [pulsar] merlimat merged pull request #7311: [client] Fix issue where HTTP header used in Athenz authentication can not be renamed

Posted by GitBox <gi...@apache.org>.
merlimat merged pull request #7311:
URL: https://github.com/apache/pulsar/pull/7311


