Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[feat][ws] Use async auth method to support OIDC #20238

Merged
merged 2 commits into from
May 8, 2023
Merged

[feat][ws] Use async auth method to support OIDC #20238

merged 2 commits into from
May 8, 2023

Conversation

michaeljmarshall
Copy link
Member

Fixes #20236
PIP: #19409

Motivation

In the AuthenticationService, we are currently using the deprecated authenticate methods. As a result, we hit the Not Implemented exception when using the AuthenticationProviderOpenID. This PR updates the implementation so that we're able

This solution isn't ideal for two reasons.

  1. We are not using the authenticationHttpRequest method, which seems like the right method for the WebSocket proxy. However, this is not a viable option, as I documented in Determine Correct Expansion of AuthenticationProvider interface for WebSocket Proxy #20237.
  2. We are calling .get() on a future. However, it is expected that the AuthenticationProvider not block forever, so I think this is acceptable for now. Please let me know if you disagree.

Modifications

  • Replace authenticate with authenticateAsync.

Verifying this change

This change is a trivial rework / code cleanup without any test coverage.

Documentation

  • doc-not-needed

Note that I do have documentation showing that 3.0.x does not support OIDC in the WebSocket Proxy. The next docs don't need that limitation since this PR fixes that and targets 3.1.0. apache/pulsar-site#558

Matching PR in forked repository

PR in forked repository: skipping for this trivial PR

@michaeljmarshall michaeljmarshall added this to the 3.1.0 milestone May 5, 2023
@michaeljmarshall michaeljmarshall self-assigned this May 5, 2023
@codecov-commenter
Copy link

Codecov Report

Merging #20238 (665f439) into master (9b72302) will increase coverage by 39.74%.
The diff coverage is 73.58%.

Impacted file tree graph

@@              Coverage Diff              @@
##             master   #20238       +/-   ##
=============================================
+ Coverage     33.17%   72.92%   +39.74%     
- Complexity    12236    31961    +19725     
=============================================
  Files          1499     1868      +369     
  Lines        114413   138597    +24184     
  Branches      12431    15247     +2816     
=============================================
+ Hits          37962   101069    +63107     
+ Misses        71499    29483    -42016     
- Partials       4952     8045     +3093
Flag Coverage Δ
inttests 24.14% <7.54%> (?)
systests 24.79% <9.43%> (?)
unittests 72.20% <73.58%> (+39.02%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

Impacted Files Coverage Δ
...e/pulsar/broker/authentication/oidc/JwksCache.java 56.62% <0.00%> (ø)
...thentication/oidc/OpenIDProviderMetadataCache.java 78.48% <0.00%> (ø)
...unctions/runtime/kubernetes/KubernetesRuntime.java 38.34% <0.00%> (+38.34%) ⬆️
...r/broker/authentication/AuthenticationService.java 69.52% <37.50%> (+35.52%) ⬆️
.../pulsar/broker/delayed/bucket/ImmutableBucket.java 88.39% <76.19%> (+88.39%) ⬆️
...elayed/bucket/BookkeeperBucketSnapshotStorage.java 83.73% <88.88%> (+83.73%) ⬆️
...r/delayed/bucket/BucketDelayedDeliveryTracker.java 84.50% <100.00%> (+84.50%) ⬆️
...he/pulsar/broker/delayed/bucket/MutableBucket.java 93.85% <100.00%> (+93.85%) ⬆️
...ava/org/apache/pulsar/broker/service/Consumer.java 86.81% <100.00%> (+27.03%) ⬆️
...ava/org/apache/pulsar/broker/service/Producer.java 81.91% <100.00%> (+24.65%) ⬆️

... and 1535 files with indirect coverage changes

nodece
nodece approved these changes May 6, 2023
View reviewed changes
Copy link
Member

@nodece nodece left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

mattisonchao
mattisonchao reviewed May 8, 2023
View reviewed changes
...oker-common/src/main/java/org/apache/pulsar/broker/authentication/AuthenticationService.java
@@ -171,20 +172,26 @@ public String authenticateHttpRequest(HttpServletRequest request, Authentication
authData = authenticationState.getAuthDataSource();
}
// Backward compatible, the authData value was null in the previous implementation
return providerToUse.authenticate(authData);
return providerToUse.authenticateAsync(authData).get();
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we give it a timeout by any chance?

mattisonchao
mattisonchao reviewed May 8, 2023
View reviewed changes
...oker-common/src/main/java/org/apache/pulsar/broker/authentication/AuthenticationService.java
LOG.debug("Authentication failed for provider " + providerToUse.getAuthMethodName() + " : "
+ e.getMessage(), e);
}
throw new RuntimeException(e);
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I am unsure who will use it. Should we consider remark interrupted in the current Thread?

lhotari
lhotari approved these changes May 8, 2023
View reviewed changes
Copy link
Member

@lhotari lhotari left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@michaeljmarshall michaeljmarshall merged commit 03dc3db into apache:master May 8, 2023
@michaeljmarshall michaeljmarshall deleted the pip-97-websocket-proxy branch May 8, 2023 19:15
michaeljmarshall added a commit to datastax/pulsar that referenced this pull request May 8, 2023
@michaeljmarshall
[feat][ws] Use async auth method to support OIDC (apache#20238)
02d6c16 
Fixes apache#20236
PIP: apache#19409

### Motivation

In the `AuthenticationService`, we are currently using the deprecated `authenticate` methods. As a result, we hit the `Not Implemented` exception when using the `AuthenticationProviderOpenID`. This PR updates the implementation so that we're able

This solution isn't ideal for two reasons.

1. We are not using the `authenticationHttpRequest` method, which seems like the right method for the WebSocket proxy. However, this is not a viable option, as I documented in apache#20237.
2. We are calling `.get()` on a future. However, it is expected that the `AuthenticationProvider` not block forever, so I think this is acceptable for now. Please let me know if you disagree.

### Modifications

* Replace `authenticate` with `authenticateAsync`.

### Verifying this change

This change is a trivial rework / code cleanup without any test coverage.

### Documentation

- [x] `doc-not-needed`

Note that I do have documentation showing that 3.0.x does not support OIDC in the WebSocket Proxy. The `next` docs don't need that limitation since this PR fixes that and targets 3.1.0. apache/pulsar-site#558

### Matching PR in forked repository

PR in forked repository: skipping for this trivial PR

(cherry picked from commit 03dc3db)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@lhotari lhotari lhotari approved these changes

@nodece nodece nodece approved these changes

@mattisonchao mattisonchao mattisonchao approved these changes

@tuteng tuteng Awaiting requested review from tuteng

@BewareMyPower BewareMyPower Awaiting requested review from BewareMyPower

Assignees

@michaeljmarshall michaeljmarshall

Labels
area/authn area/websocket doc-not-needed Your PR changes do not impact docs ready-to-test
Projects
None yet
Milestone
3.1.0
Development

Successfully merging this pull request may close these issues.

Add support for OpenID Connect in WebSocket Proxy
5 participants
@michaeljmarshall @codecov-commenter @lhotari @nodece @mattisonchao