GEODE-9933: documentation for authorization expiry #7248
Conversation
@jmelchio Thanks for your contribution to the user guide!
I approve the two example files as-is.
I request a few changes to the implementation files - I've attached a diff containing these changes.
One change is mandatory in each file - please replace Geode with the product_name variable (see diff for syntax).
A discretionary change in the implementing_authentication file would be my suggested re-phrasing (three occurrences) that emphasizes that the token is one alternative, and that the username/password combination is a second alternative. Your choice on this one - read it and see what you think.
GEODE-9933.DIFF.zip
We should somehow convey these to the readers:
- The `Properties` returned by the `getCredentials` call is passed directly to the `authenticate` call, and the subject returned by the `authenticate` call is passed directly to `authorize`. So getCredentials() --> authenticate() --> authorize(): the output of the previous call is fed to the next. The interface doesn't dictate what should be in the input/output.
- When an `AuthorizationExpiredException` is thrown anywhere in the calling chain, the client will try one more time to call `getCredentials` again and re-login automatically behind the scenes; if the retry fails, the user will then see `AuthorizationExpiredException`. Bear in mind there is a time gap between the `getCredentials` call on the client and the `authorize` call on the server, so if the client returns a credential that's gonna expire in the very near future, even the retry might fail.
- Limitation of this auto-retry: currently only supported on the client/server protocol, and not supported in event-dispatching (CQ and registered interest) in multi-user client mode.
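The chain described in this comment, as an added example that is not code from the PR or from Geode itself: a client-side `AuthInitialize` that fetches a fresh token on every `getCredentials()` call (because that call is repeated once after an expiry exception and must still be valid when `authorize()` runs), and a server-side `SecurityManager` whose `authenticate()` and `authorize()` both raise `AuthenticationExpiredException` (the class name used in this PR's description) when the token is expired or about to expire. The class names, the `security-token` property key, the `<user>;<expiresAtEpochMillis>` token format, the 60 s TTL and 2 s margin, and the single-argument exception constructor are assumptions; the interface signatures follow Geode's public `org.apache.geode.security` API.

```java
import java.util.Properties;
import org.apache.geode.LogWriter;
import org.apache.geode.distributed.DistributedMember;
import org.apache.geode.security.AuthInitialize;
import org.apache.geode.security.AuthenticationExpiredException;
import org.apache.geode.security.AuthenticationFailedException;
import org.apache.geode.security.ResourcePermission;
import org.apache.geode.security.SecurityManager;

/** Client side: the Properties returned here are exactly what the server's authenticate() receives. */
class TokenAuthInitialize implements AuthInitialize {
  static final long TOKEN_TTL_MS = 60_000; // constructed: tokens are valid for 60 s
  // Stand-in for an external token provider; the "<user>;<expiresAtEpochMillis>" format is constructed.
  static String fetchToken(String user) { return user + ";" + (System.currentTimeMillis() + TOKEN_TTL_MS); }

  @Override public Properties getCredentials(Properties securityProps) {
    // Called at login and once more after AuthenticationExpiredException; the token must still be
    // valid when the server's authorize() runs, so fetch a fresh one here rather than caching it.
    Properties creds = new Properties();
    creds.setProperty("security-token", fetchToken(securityProps.getProperty("security-username")));
    return creds;
  }
  // Legacy AuthInitialize signatures, implemented so the class compiles against older interface versions.
  public Properties getCredentials(Properties p, DistributedMember server, boolean isPeer) { return getCredentials(p); }
  public void init(LogWriter systemLogger, LogWriter securityLogger) {}
  @Override public void close() {}
}

/** Server side: authenticate() turns the token into a principal; authorize() re-checks its expiry. */
class TokenSecurityManager implements SecurityManager {
  static final long MARGIN_MS = 2_000; // constructed: treat a token expiring within 2 s as already expired

  /** Principal passed from authenticate() to authorize(); it carries the expiry for the re-check. */
  static final class Principal {
    final String user; final long expiresAt;
    Principal(String user, long expiresAt) { this.user = user; this.expiresAt = expiresAt; }
  }

  @Override public Object authenticate(Properties credentials) throws AuthenticationFailedException {
    String token = credentials.getProperty("security-token");
    if (token == null || !token.matches("[^;]+;\\d+")) throw new AuthenticationFailedException("bad token");
    String[] parts = token.split(";", 2);
    Principal p = new Principal(parts[0], Long.parseLong(parts[1]));
    if (isExpired(p)) throw new AuthenticationExpiredException("token expired"); // client re-logs in once
    return p;
  }

  @Override public boolean authorize(Object principal, ResourcePermission permission) {
    if (isExpired((Principal) principal)) throw new AuthenticationExpiredException("token expired");
    return true; // constructed: any unexpired token may perform any operation
  }

  static boolean isExpired(Principal p) { return p.expiresAt - MARGIN_MS <= System.currentTimeMillis(); }
}
```

The margin in `isExpired` is the server-side answer to the time-gap point above: a token that would expire between the client's `getCredentials()` and the server's `authorize()` is rejected up front, so the one automatic retry gets a token that is actually usable.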
Thanks @davebarnes97, I've applied the patch file and pushed the commit.
@jinmeiliao I will update to add the information mentioned in the first point. I think the second point is covered in the updated docs, and I will update to clarify the third point.
I think we should dedicate a section for the re-auth feature, outline the process, when the feature is started (1.15.0), what's the behavior on older clients (also for older clients, the CQ/register interest client will be disconnected if they have expired credentials), and those I mentioned in my bullet 3 above.
Almost there.
Good new page on expiry. I edited it in place to make one format tweak: a blank line before the bullet list so it would display as intended.
One more request: Since you've added a new file, it needs an entry in the left-hand navigation source file: /geode-book/master_middleman/source/subnavs/geode-subnav.erb
Attached diff file shows the change.
GEODE-9933-2.DIFF.zip
One more comment for the record:
handle.

Clients older than version 1.15 will also be able to do an automatic reconnect unless the connection
is one of the following types where the exception will always be propagated up the chain:
I think this is misleading. Older client with multi-user auth will still work in regular user operations like put/get etc.
Probably a diagram would explain this better
client version | single user ops | single user CQ/RI | multi user ops | multi user CQ/RI
1.15 and later | | | | X
previous | | X | | X
@jmelchio Be sure to say "Geode 1.15", as this source file is consumed by other products whose versioning may differ.
@davebarnes97 updated the code
Oh, this table shows client version; did we mention anywhere in the doc that the re-authentication feature is only supported by servers with Geode 1.15 and higher?
Where `AuthInitialize.getCredentials()` provides the `security properties` for `SecurityManager.authenticate()` which
in turn provides the `principal object` for `SecurityManager.authorize()`.

In case of the use of an external token provider we assume that this token provider will be asked for
Emphasize that there would be a time gap between the call of getCredential and authorize
…ded for format purposes
- emphasize time passing between calls
Fleshed-out the table with a heading and “Y” vs “N” so every cell has a value.
Nice work, @jmelchio . Thanks for your contribution.
* GEODE-9933: documentation for authorization expiry
Co-authored-by: Dave Barnes <daveba@vmware.com>
Describes the addition of throwing `AuthenticationExpiredException` in `SecurityManager.authorize` and `SecurityManager.authenticate` methods along with some additional information on token based authentication.