Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[fix][authentication] Store the original authentication data #19519

Merged
merged 4 commits into from
Feb 16, 2023
Merged

[fix][authentication] Store the original authentication data #19519

merged 4 commits into from
Feb 16, 2023
+182 −69

Conversation

nodece
Copy link
Member

@nodece nodece commented Feb 14, 2023
edited
Loading

Motivation

In the authentication:

  • With the proxy, the broker stores the client authentication to the originalAuthData and originalPrincipal, and stores the proxy authentication to the authenticationData and authRole.
  • Without the proxy, the broker stores the authentication to the authenticationData and authRole

When with the proxy, the broker only checks whether originalAuthData is expired. If true, the broker sends AuthChallenge to the client, then the client sends CommandAuthResponse.

In handleAuthResponse logic, the broker always stores the authentication to authenticationData and authRole, without considering the proxy case. When the authorization provider checks the role and authentication data, it is unmatched, this is incorrect behavior, so we need to distinguish whether have the proxy and then store the authentication data and role correctly.

More context: #18130

Modifications

  • Fix storing the authentication in the authChallengeSuccessCallback
  • Add MockMutableAuthenticationProvider and MockMutableAuthenticationState to refresh the role and datasource
  • Make MockAlwaysExpiredAuthenticationState extends MockMutableAuthenticationState to avoid the code duplication, and override the isExpired

Verifying this change

  • Make sure that the change passes the CI checks.

Added testRefreshOriginalPrincipalWithAuthDataForwardedFromProxy test

Documentation

  • doc
  • doc-required
  • doc-not-needed
  • doc-complete

@nodece
[fix][authentication] Store the original authentication data
3883fcd 
Signed-off-by: Zixuan Liu <nodeces@gmail.com>
@nodece nodece self-assigned this Feb 14, 2023
@github-actions github-actions bot added the doc-not-needed Your PR changes do not impact docs label Feb 14, 2023
@nodece nodece added this to the 3.0.0 milestone Feb 14, 2023
michaeljmarshall
michaeljmarshall reviewed Feb 15, 2023
View reviewed changes
Copy link
Member

@michaeljmarshall michaeljmarshall left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It looks like this PR is partially addressing #19332. It won't solve that issue because this PR doesn't address the fact that we cannot refresh both of the AuthData objects.

pulsar-broker/src/test/java/org/apache/pulsar/broker/service/ServerCnxTest.java
@@ -1030,6 +1030,55 @@ public void testVerifyAuthRoleAndAuthDataFromDirectConnectionBroker() throws Exc
}));
}

@Test
public void testRefreshOriginalPrincipalWithAuthDataForwardedFromProxy() throws Exception {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Note that the tests that comment about https://github.com/apache/pulsar/issues/19332 should fail because they make assertions on the current behavior.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For current design, it works fine.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I must not have written some of the assertions I thought I did. You're right that those tests all pass. It might be worth removing the comments that reference #19332 because your PR will make them incorrect.

@michaeljmarshall michaeljmarshall mentioned this pull request Feb 15, 2023
Open
2 tasks
@nodece
Improve test and authentication logic
03bcc4b 
Signed-off-by: Zixuan Liu <nodeces@gmail.com>
@nodece
Copy link
Member Author

nodece commented Feb 15, 2023

Hi @michaeljmarshall, I updated this PR.

@nodece
Revert MockAuthenticationProvider
72d5ed5 
Signed-off-by: Zixuan Liu <nodeces@gmail.com>
michaeljmarshall
michaeljmarshall approved these changes Feb 16, 2023
View reviewed changes
Copy link
Member

@michaeljmarshall michaeljmarshall left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, great work @nodece

@nodece
Copy link
Member Author

nodece commented Feb 16, 2023

/pulsarbot rerun-failure-checks

1 similar comment
@nodece
Copy link
Member Author

nodece commented Feb 16, 2023

/pulsarbot rerun-failure-checks

@nodece
Fix test
6cf7aae 
Signed-off-by: Zixuan Liu <nodeces@gmail.com>
@nodece nodece merged commit 2d90089 into apache:master Feb 16, 2023
@nodece nodece mentioned this pull request Feb 16, 2023
Closed
4 tasks
@michaeljmarshall
Copy link
Member

@nodece - I think this is a bug, so we can back port it to the older release branches, if you would like. However, I am finishing up cherry picking some of this PR's dependencies, so it will be easiest to delay cherry-picking by a day or two.

@nodece
Copy link
Member Author

nodece commented Feb 17, 2023

@michaeljmarshall Thank you for your work! I look forward to your contribution!

@michaeljmarshall
Copy link
Member

@nodece - just so you know, I finished cherry picking my changes to the older branches.

nodece added a commit to nodece/pulsar that referenced this pull request Mar 2, 2023
@nodece
[fix][authentication] Store the original authentication data (apache#…
db32ce5 
…19519)

Signed-off-by: Zixuan Liu <nodeces@gmail.com>

(cherry picked from commit 2d90089)
Signed-off-by: Zixuan Liu <nodeces@gmail.com>
nodece added a commit to nodece/pulsar that referenced this pull request Mar 2, 2023
@nodece
[fix][authentication] Store the original authentication data (apache#…
27b6e42 
…19519)

Signed-off-by: Zixuan Liu <nodeces@gmail.com>

(cherry picked from commit 2d90089)
Signed-off-by: Zixuan Liu <nodeces@gmail.com>
nodece added a commit that referenced this pull request Mar 13, 2023
@nodece
[fix][authentication] Store the original authentication data (#19519)
58aa8da 
Signed-off-by: Zixuan Liu <nodeces@gmail.com>

(cherry picked from commit 2d90089)
Signed-off-by: Zixuan Liu <nodeces@gmail.com>
nodece added a commit to nodece/pulsar that referenced this pull request Mar 13, 2023
@nodece
[fix][authentication] Store the original authentication data (apache#…
a823e02 
…19519)

Signed-off-by: Zixuan Liu <nodeces@gmail.com>

(cherry picked from commit 2d90089)
Signed-off-by: Zixuan Liu <nodeces@gmail.com>
@nodece nodece mentioned this pull request Mar 13, 2023
Closed
4 tasks
This was referenced Mar 13, 2023
Closed
Closed
michaeljmarshall added a commit that referenced this pull request Mar 18, 2023
@michaeljmarshall
[test] Fix MockMutableAuthenticationState implementation
ad06fac 
When #19519 was
cherry-picked to branch-2.11, it did not implement the
authenticate method in the MockMutableAuthenticationState,
which led to several test failures in the ServerCnxTest class.
This commit fixes those tests.

Note that the issue is only in the test code.
@michaeljmarshall
Copy link
Member

@nodece - just letting you know there was a minor issue when cherry picking this to branch-2.11. Some of the ServerCnxTest tests were failing. I fixed it with ad06fac.

michaeljmarshall pushed a commit to michaeljmarshall/pulsar that referenced this pull request Apr 20, 2023
@nodece @michaeljmarshall
[fix][authentication] Store the original authentication data (apache#…
6b07892 
…19519)

Signed-off-by: Zixuan Liu <nodeces@gmail.com>
(cherry picked from commit 2d90089)
gaoran10 pushed a commit to gaoran10/pulsar that referenced this pull request Dec 2, 2023
@nodece @gaoran10
[fix][authentication] Store the original authentication data (apache#…
d767999 
…19519)

Signed-off-by: Zixuan Liu <nodeces@gmail.com>
(cherry picked from commit 2d90089)
This was referenced Dec 2, 2023
Open
Merged
gaoran10 pushed a commit to gaoran10/pulsar that referenced this pull request Dec 8, 2023
@nodece @gaoran10
[fix][authentication] Store the original authentication data (apache#…
d3e8e2c 
…19519)

Signed-off-by: Zixuan Liu <nodeces@gmail.com>
(cherry picked from commit 2d90089)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@michaeljmarshall michaeljmarshall michaeljmarshall approved these changes

@lhotari lhotari Awaiting requested review from lhotari

@codelipenghui codelipenghui Awaiting requested review from codelipenghui

@coderzc coderzc Awaiting requested review from coderzc

@mattisonchao mattisonchao Awaiting requested review from mattisonchao

@merlimat merlimat Awaiting requested review from merlimat

@poorbarcode poorbarcode Awaiting requested review from poorbarcode

@Technoboy- Technoboy- Awaiting requested review from Technoboy-

Assignees

@nodece nodece

Labels
area/authn cherry-picked/branch-2.11 doc-not-needed Your PR changes do not impact docs ready-to-test release/2.11.1
Projects
None yet
Milestone
3.0.0
Development

Successfully merging this pull request may close these issues.
2 participants
@nodece @michaeljmarshall