[PIP 97] Update Authentication Interfaces to Include Async Authentication Methods #12104
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Anonymitaet
reviewed
Sep 22, 2021
| @@ -51,6 +54,29 @@ | |||
| */ | |||
| String getAuthMethodName(); | |||
|
|
|||
| /** | |||
| * Validate the authentication for the given credentials with the specified authentication data. | |||
| * This method is useful in one stage authn, if you're not doing one stage or if you're providing | |||
There was a problem hiding this comment.
Some people know "authn is short for authentication, and authz is short for authorization." while others may not. It is suggested to spell out "authentication" or "authorization" to make everyone knows the info.
There was a problem hiding this comment.
Great point @Anonymitaet. I just updated it to authentication.
Anonymitaet
added
the
doc
RobertIndie
reviewed
Sep 23, 2021
I address this concern in the PR description. All current implementations of the I will submit subsequent PRs for each of the Pulsar authentication provider implementations to ensure that they remove implementations of the deprecated methods. |
|
/pulsarbot run-failure-checks |
|
@eolivelli - this PR doesn't have a label yet. It should target 2.10. |
codelipenghui
approved these changes
Nov 10, 2021
|
Thank you for merging this @codelipenghui. I will follow up next week with the implementation described in the master issue. |
eolivelli
pushed a commit
to eolivelli/pulsar
that referenced
this pull request
Nov 29, 2021
…tion Methods (apache#12104) Master Issue: apache#12105 ### Motivation As the first part of PIP-97, we need to update the interfaces. This PR is the only PR that will update interfaces. It should not introduce any breaking changes. ### Modifications #### AuthenticationProvider * Add `AuthenticationProvider#authenticateAsync`. Include a default implementation that calls the `authenticate` method. Note that current implementations should all be non-blocking, so there is no need to push the execution to a separate thread. * Deprecate `AuthenticationProvider#authenticate`. * Add `AuthenticationProvider#authenticateHttpRequestAsync`. This method is complicated. It is only called when using the SASL authentication provider (this is hard coded into the Pulsar code base). As such, I would argue that it is worth removing support for this unreachable method and then refactor the SASL authentication provider. I annotated this method with `@InterfaceStability.Unstable` and added details to the Javadoc in order to communicate the uncertainty of this method's future. I am happy to discuss this in more detail though. * Deprecate `AuthenticationProvider#authenticateHttpRequest`. #### AuthenticationState * Add `AuthenticationState#authenticateAsync`. Include a default implementation that calls the `authenticate` method and then performs a check to determine what result to return. Note that current implementations should all be non-blocking, so there is no need to push the execution to a separate thread. * Deprecate `AuthenticationState#authenticate`. The preferred method is `AuthenticationState#authenticateAsync`. * Deprecate `AuthenticationState#isComplete`. This method can be avoided by inferring authentication completeness from the result of `AuthenticationState#authenticateAsync`. When the result is `null`, auth is complete. When it is not `null`, auth is not complete. Since the result of the `authenticateAsync` method is the body delivered to the client, this seems like a reasonable abstraction to make. As a consequence, the `AuthenticationState` is simpler and also avoids certain thread safety issues that might arise when calling `isComplete` from a different thread. #### AuthenticationDataSource * Deprecate `AuthenticationDataSource#authenticate`. This method is not called by the Pulsar authentication framework. This needs to be deprecated to prevent confusion for end users seeking to extend the authentication framework. There is no need for an async version of this method. ### Verifying this change These changes only affect the interfaces. I will need to add tests to verify the correctness of the default implementations in this PR. ### Does this pull request potentially affect one of the following parts: Yes, it affects the public API. That is why it has a PIP. ### Documentation I've updated the Javadocs. There is not any current documentation on implementing your own authentication provider, so I think updating Javadocs is sufficient documentation, for now.
michaeljmarshall
added a commit
to michaeljmarshall/pulsar
that referenced
this pull request
Jan 20, 2022
…thentication Methods (apache#12104)" This reverts commit 5868025.
michaeljmarshall
added a commit
to michaeljmarshall/pulsar
that referenced
this pull request
Feb 23, 2022
…thentication Methods (apache#12104)" This reverts commit 5868025.
1 task
michaeljmarshall
added a commit
that referenced
this pull request
Feb 23, 2022
…thentication Methods (#12104)" (#14424) This reverts commit 5868025. Master Issue: #12105 ### Motivation Because the PIP is not completely implemented, we should not publish the interface changes in 2.10. ### Modifications * Revert the core commit for PIP 97. ### Verifying this change This change is trivial, because the original change was completely backwards compatible. ### Documentation - [x] `no-need-doc`
| */ | ||
| @Deprecated |
There was a problem hiding this comment.
Could you explain more about it? IMO, it should not be deprecated. I tried to implement an AuthenticationProvider that only overrides the authenticationAsync method but it never went here. Instead, the authenticate method was still called. There is no test to show it should be deprecated.
There was a problem hiding this comment.
It's weird that this PR should have been reverted in #14424, but it still exists in master branch.
There was a problem hiding this comment.
@BewareMyPower - I am not sure of the right way to proceed here. I had plans to complete the work for PIP 97, but I haven't been able to do so. I reverted it from branch-2.10 because the necessary implementation for making the ServerCnx and the http filter async was not in place. I will think about this some more and try to find the right approach.
Note that this PIP isn't needed unless you're doing something blocking when authenticate is called.
2 tasks
michaeljmarshall
added a commit
that referenced
this pull request
Jan 19, 2023
…19197) PIP: #12105 ### Motivation This is the first of several PRs to implement [PIP 97](#12105). This PR seeks to start to solve the fact that the `AuthenticationState` class currently authenticates `authData` twice instead of just once. This change is important to make before we are able to utilize the async methods introduced in #12104. Historical context: #14044 introduced the `AuthenticationProvider#newHttpAuthState` method. The only use case for this method in the pulsar code base is to let custom providers specify the `AuthenticationDataSource` on http request attributes. The primary problem with that implementation is that the `AuthenticationState` class currently involves authenticating the `authData` passed in to the `newHttpAuthState`. As such, this code is sub-optimal, and creates a confusing flow. I propose we deprecate the `newHttpAuthState` method and instead start using the `authenticateHttpRequestAsync` and `authenticateHttpRequest` methods to allow custom implementations to configure the desired `AuthenticationDataSource` on the request attributes. In order to simplify the diff for reviewers, this PR uses the deprecated `AuthenticationProvider#authenticateHttpRequest` method. I plan to follow up and switch to use the `AuthenticationProvider#authenticateHttpRequestAsync` method. Note that these changes are completely backwards compatible. The only risk is to users that have custom code loaded into the broker that calls the `AuthenticationProvider#authenticateHttpRequest` method. ### Modifications * Deprecate `AuthenticationService#authenticateHttpRequest(HttpServletRequest request, AuthenticationDataSource authData)`. It is no longer used. * Deprecate `AuthenticationProvider#newHttpAuthState(HttpServletRequest request)`. It is no longer used outside of the `AuthenticationProvider` interface itself. * Remove `@InterfaceStability.Unstable` annotation from the `authenticateHttpRequestAsync` method. When I introduced that annotation, I was under the impression that we didn't need it. However, in order to meet the requirements introduced in #14044, we need to let custom `AuthenticationProviders` add their own attributes. * Update the default implementation of `authenticateHttpRequest`. Because the previous implementation was unreachable by all auth providers except for the SASL implementation, this is a backwards compatible change. * Implement changes for the `AuthenticationProviderToken` so that it no longer relies on `newHttpAuthState`. ### Verifying this change I added new tests. ### Does this pull request potentially affect one of the following parts: - [x] The public API This changes the public API within the broker by marking some methods as `@Deprecated`. ### Documentation - [x] `doc-not-needed` We document the `AuthenticationProvider` interface in the code. I added these docs. There is currently no where else to update docs. ### Matching PR in forked repository PR in forked repository: michaeljmarshall#12 ### Additional motivation from PR discussion My primary motivation for this PR is to implement PIP 97. If we want authentication to be asynchronous, we cannot assume that when the `AuthenticationState` object is initialized, the `authenticationDataSource` and the `authRole` are present because the authentication might not yet be completed. My goal with this PR is to break an unnecessary relationship between `AuthenticationState` and http request authentication that was created by #14044.
michaeljmarshall
added a commit
to michaeljmarshall/pulsar
that referenced
this pull request
Apr 19, 2023
…tion Methods (apache#12104) Master Issue: apache#12105 ### Motivation As the first part of PIP-97, we need to update the interfaces. This PR is the only PR that will update interfaces. It should not introduce any breaking changes. ### Modifications #### AuthenticationProvider * Add `AuthenticationProvider#authenticateAsync`. Include a default implementation that calls the `authenticate` method. Note that current implementations should all be non-blocking, so there is no need to push the execution to a separate thread. * Deprecate `AuthenticationProvider#authenticate`. * Add `AuthenticationProvider#authenticateHttpRequestAsync`. This method is complicated. It is only called when using the SASL authentication provider (this is hard coded into the Pulsar code base). As such, I would argue that it is worth removing support for this unreachable method and then refactor the SASL authentication provider. I annotated this method with `@InterfaceStability.Unstable` and added details to the Javadoc in order to communicate the uncertainty of this method's future. I am happy to discuss this in more detail though. * Deprecate `AuthenticationProvider#authenticateHttpRequest`. #### AuthenticationState * Add `AuthenticationState#authenticateAsync`. Include a default implementation that calls the `authenticate` method and then performs a check to determine what result to return. Note that current implementations should all be non-blocking, so there is no need to push the execution to a separate thread. * Deprecate `AuthenticationState#authenticate`. The preferred method is `AuthenticationState#authenticateAsync`. * Deprecate `AuthenticationState#isComplete`. This method can be avoided by inferring authentication completeness from the result of `AuthenticationState#authenticateAsync`. When the result is `null`, auth is complete. When it is not `null`, auth is not complete. Since the result of the `authenticateAsync` method is the body delivered to the client, this seems like a reasonable abstraction to make. As a consequence, the `AuthenticationState` is simpler and also avoids certain thread safety issues that might arise when calling `isComplete` from a different thread. #### AuthenticationDataSource * Deprecate `AuthenticationDataSource#authenticate`. This method is not called by the Pulsar authentication framework. This needs to be deprecated to prevent confusion for end users seeking to extend the authentication framework. There is no need for an async version of this method. ### Verifying this change These changes only affect the interfaces. I will need to add tests to verify the correctness of the default implementations in this PR. ### Does this pull request potentially affect one of the following parts: Yes, it affects the public API. That is why it has a PIP. ### Documentation I've updated the Javadocs. There is not any current documentation on implementing your own authentication provider, so I think updating Javadocs is sufficient documentation, for now. (cherry picked from commit 5868025)
michaeljmarshall
added a commit
to michaeljmarshall/pulsar
that referenced
this pull request
Apr 19, 2023
…pache#19197) PIP: apache#12105 This is the first of several PRs to implement [PIP 97](apache#12105). This PR seeks to start to solve the fact that the `AuthenticationState` class currently authenticates `authData` twice instead of just once. This change is important to make before we are able to utilize the async methods introduced in apache#12104. Historical context: apache#14044 introduced the `AuthenticationProvider#newHttpAuthState` method. The only use case for this method in the pulsar code base is to let custom providers specify the `AuthenticationDataSource` on http request attributes. The primary problem with that implementation is that the `AuthenticationState` class currently involves authenticating the `authData` passed in to the `newHttpAuthState`. As such, this code is sub-optimal, and creates a confusing flow. I propose we deprecate the `newHttpAuthState` method and instead start using the `authenticateHttpRequestAsync` and `authenticateHttpRequest` methods to allow custom implementations to configure the desired `AuthenticationDataSource` on the request attributes. In order to simplify the diff for reviewers, this PR uses the deprecated `AuthenticationProvider#authenticateHttpRequest` method. I plan to follow up and switch to use the `AuthenticationProvider#authenticateHttpRequestAsync` method. Note that these changes are completely backwards compatible. The only risk is to users that have custom code loaded into the broker that calls the `AuthenticationProvider#authenticateHttpRequest` method. * Deprecate `AuthenticationService#authenticateHttpRequest(HttpServletRequest request, AuthenticationDataSource authData)`. It is no longer used. * Deprecate `AuthenticationProvider#newHttpAuthState(HttpServletRequest request)`. It is no longer used outside of the `AuthenticationProvider` interface itself. * Remove `@InterfaceStability.Unstable` annotation from the `authenticateHttpRequestAsync` method. When I introduced that annotation, I was under the impression that we didn't need it. However, in order to meet the requirements introduced in apache#14044, we need to let custom `AuthenticationProviders` add their own attributes. * Update the default implementation of `authenticateHttpRequest`. Because the previous implementation was unreachable by all auth providers except for the SASL implementation, this is a backwards compatible change. * Implement changes for the `AuthenticationProviderToken` so that it no longer relies on `newHttpAuthState`. I added new tests. - [x] The public API This changes the public API within the broker by marking some methods as `@Deprecated`. - [x] `doc-not-needed` We document the `AuthenticationProvider` interface in the code. I added these docs. There is currently no where else to update docs. PR in forked repository: #12 My primary motivation for this PR is to implement PIP 97. If we want authentication to be asynchronous, we cannot assume that when the `AuthenticationState` object is initialized, the `authenticationDataSource` and the `authRole` are present because the authentication might not yet be completed. My goal with this PR is to break an unnecessary relationship between `AuthenticationState` and http request authentication that was created by apache#14044. (cherry picked from commit 3c38ed5)
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Master Issue: #12105
Motivation
As the first part of PIP-97, we need to update the interfaces. This PR is the only PR that will update interfaces. It should not introduce any breaking changes.
Modifications
AuthenticationProvider
AuthenticationProvider#authenticateAsync. Include a default implementation that calls theauthenticatemethod. Note that current implementations should all be non-blocking, so there is no need to push the execution to a separate thread.AuthenticationProvider#authenticate.AuthenticationProvider#authenticateHttpRequestAsync. This method is complicated. It is only called when using the SASL authentication provider (this is hard coded into the Pulsar code base). As such, I would argue that it is worth removing support for this unreachable method and then refactor the SASL authentication provider. I annotated this method with@InterfaceStability.Unstableand added details to the Javadoc in order to communicate the uncertainty of this method's future. I am happy to discuss this in more detail though.AuthenticationProvider#authenticateHttpRequest.AuthenticationState
AuthenticationState#authenticateAsync. Include a default implementation that calls theauthenticatemethod and then performs a check to determine what result to return. Note that current implementations should all be non-blocking, so there is no need to push the execution to a separate thread.AuthenticationState#authenticate. The preferred method isAuthenticationState#authenticateAsync.AuthenticationState#isComplete. This method can be avoided by inferring authentication completeness from the result ofAuthenticationState#authenticateAsync. When the result isnull, auth is complete. When it is notnull, auth is not complete. Since the result of theauthenticateAsyncmethod is the body delivered to the client, this seems like a reasonable abstraction to make. As a consequence, theAuthenticationStateis simpler and also avoids certain thread safety issues that might arise when callingisCompletefrom a different thread.AuthenticationDataSource
AuthenticationDataSource#authenticate. This method is not called by the Pulsar authentication framework. This needs to be deprecated to prevent confusion for end users seeking to extend the authentication framework. There is no need for an async version of this method.Verifying this change
These changes only affect the interfaces. I will need to add tests to verify the correctness of the default implementations in this PR.
Does this pull request potentially affect one of the following parts:
Yes, it affects the public API. That is why it has a PIP.
Documentation
I've updated the Javadocs. There is not any current documentation on implementing your own authentication provider, so I think updating Javadocs is sufficient documentation, for now.