Implement authentication long polling #9149
Conversation
|
Merged build finished. Test PASSed. |
|
Test PASSed. |
| @@ -51,6 +52,11 @@ public GrpcChannel(GrpcManagedChannelPool.ChannelKey channelKey, Channel channel | |||
| mChannelHealthState = channel instanceof AuthenticatedChannel | |||
| ? () -> (((AuthenticatedChannel) channel).isAuthenticated() && mChannelHealthy) | |||
| : () -> mChannelHealthy; | |||
| if (channel instanceof AuthenticatedChannel) { | |||
There was a problem hiding this comment.
we do various things for the instance of AuthenticatedChannel. Can we just have a bool for that?
Also, what other types of channels (not AuthenticatedChannel) are possible? All this checking looks like it can be abstracted away.
There was a problem hiding this comment.
Channel is not our class so can't replace AuthenticatedChannel with a boolean. I did some changes for better abstracting the authenticated channel handling.
| * @return the authentication server associated with this server | ||
| */ | ||
| @VisibleForTesting | ||
| public AuthenticationServer getAuthenticationServer() { |
There was a problem hiding this comment.
Can't the test just pass in the authentication server?
There was a problem hiding this comment.
GrpcServer is built by ServerBuilder which dynamically creates the auth server. Removing this method would mean adding a new method to builder with a slightly more complex code.
tests/src/test/java/alluxio/client/fuse/FuseFileSystemIntegrationTest.java
Outdated
Show resolved
Hide resolved
core/common/src/main/java/alluxio/security/authentication/ChannelAuthenticator.java
Show resolved
Hide resolved
core/common/src/main/java/alluxio/security/authentication/DefaultAuthenticationServer.java
Outdated
Show resolved
Hide resolved
core/common/src/main/java/alluxio/security/authentication/SaslStreamClientDriver.java
Outdated
Show resolved
Hide resolved
core/common/src/main/java/alluxio/security/authentication/SaslStreamClientDriver.java
Show resolved
Hide resolved
| @@ -41,20 +42,24 @@ | |||
| private SaslHandshakeClientHandler mSaslHandshakeClientHandler; | |||
| /** Used to wait until authentication is completed. */ | |||
| private SettableFuture<Boolean> mAuthenticated; | |||
| /** Whether the authentication is active. */ | |||
There was a problem hiding this comment.
can you add comments on how this is different from mAuthenticated and how they interact? Are both required? Having both is very confusing.
There was a problem hiding this comment.
SettableFuture is unfortunately not resettable, so it can't be used to reflect state changes following the initial state. I changed names and comments to try to make it less confusing.
|
@gpang Updated PR after your feedback. PTAL. |
|
Merged build finished. Test FAILed. |
|
Test FAILed. |
core/common/src/main/java/alluxio/security/authentication/SaslStreamClientDriver.java
Outdated
Show resolved
Hide resolved
core/common/src/main/java/alluxio/security/authentication/SaslStreamClientDriver.java
Show resolved
Hide resolved
|
Merged build finished. Test FAILed. |
|
Test FAILed. |
|
Merged build finished. Test FAILed. |
|
Test FAILed. |
|
jenkins, test this please |
|
Merged build finished. Test FAILed. |
|
Test FAILed. |
|
Jenkins, test this please |
|
Merged build finished. Test FAILed. |
|
Test FAILed. |
|
Jenkins, test this please |
|
@ggezer I think this looks good, but the tests keep failing |
|
Merged build finished. Test FAILed. |
|
Test FAILed. |
core/common/src/main/java/alluxio/security/authentication/SaslStreamClientDriver.java
Outdated
Show resolved
Hide resolved
core/common/src/test/java/alluxio/security/authentication/GrpcSecurityTest.java
Outdated
Show resolved
Hide resolved
core/common/src/test/java/alluxio/security/authentication/GrpcSecurityTest.java
Outdated
Show resolved
Hide resolved
core/common/src/main/java/alluxio/security/authentication/DefaultAuthenticationServer.java
Show resolved
Hide resolved
|
Merged build finished. Test FAILed. |
|
Test FAILed. |
core/common/src/main/java/alluxio/security/authentication/DefaultAuthenticationServer.java
Outdated
Show resolved
Hide resolved
core/common/src/main/java/alluxio/security/authentication/DefaultAuthenticationServer.java
Outdated
Show resolved
Hide resolved
|
Merged build finished. Test FAILed. |
|
Test FAILed. |
|
Merged build finished. Test PASSed. |
|
Test PASSed. |
|
Merged build finished. Test FAILed. |
|
Test FAILed. |
|
Merged build finished. Test PASSed. |
|
Test PASSed. |
|
alluxio-bot, merge this please |
|
@gpang Can you help cherry-pick this PR to 2.0 branch? |
|
alluxio-bot, cherry-pick this to branch-2.0 please. |
|
Auto cherry-pick successful to branch: branch-2.0 |
AuthenticationServerhas a setting for revoking authentication after a period of inactivity. To handle that on the client side, metadata clients, after a period of inactivity, will retry after gettingUnauthenticatedcode. However, due to nature of streaming, data clients can not retry after getting the error because they might have pipelined more data before seeing the error. And since this revocation will not change the connection state, they used to continue gettingUnauthenticated. See #9089 for an instance of this problem.This PR introduces long polling to authentication handshake. Client and server will not complete streams used for authentication and instead will use it for notifying end of an authentication session. With this change, revocation on server will be propagated to client channel via health status, causing a client recreation for later use of the same channel. Also client closing the channel will notify server and it'll clean its state of the recently closed channel.
Periodic cleanup has not been disabled in order to not prolong a duration for a channel to remain authenticated.