-
Notifications
You must be signed in to change notification settings - Fork 3.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fixed authentication flow via Pulsar Proxy #1707
Conversation
@jai1 This doesn't seem to me a super-critical error to stop the current RC. I think we can bump to 2.0.1 where we'll get all fixes (and we should do soon). |
@merlimat - ok changed the milestone to 2.0.1, can you review this PR |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM.. few comments.
@Override | ||
protected ByteBuf newConnectCommand() throws PulsarClientException { | ||
if (log.isDebugEnabled()) { | ||
log.info( |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
log.debug(..)
"New Connection opened via ProxyClientCnx with params clientAuthRole = {}, clientAuthData = {}, clientAuthMethod = {}", | ||
clientAuthRole, clientAuthData, clientAuthMethod); | ||
} | ||
String authData = ""; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
can we initialize with null?
try { | ||
client.close(); | ||
} catch (PulsarClientException e) { | ||
LOG.error("Unable to clode pulsar client - {}", client); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
type close
and add e.getMessage()
in log
this.clientAuthData = authData; | ||
this.clientAuthMethod = authMethod; | ||
} | ||
createClient(clientConf, this.clientAuthData, this.clientAuthMethod); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
as name suggests. can we create and return client in createClient()
: this.client = createClient(..)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
also we don't want to share proxy-to-broker connection when service.getConfiguration().forwardAuthorizationCredentials()
is enabled. else, we can always share proxy-to-broker connection for lookup.
so, should we create a new client only in case of service.getConfiguration().forwardAuthorizationCredentials()=true
else we can always share it.?
proxyService.close(); | ||
} | ||
|
||
private void createAdminClient() throws PulsarClientException { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
createAdminClient()
name seems misleading as we are not closing admin and we may think it's leaking. so, probably we can rename it as updateAdmin()
?
} | ||
} | ||
|
||
private int webServicePort; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
can we move it to top?
@@ -65,15 +60,10 @@ | |||
private ZooKeeperClientFactory zkClientFactory = null; | |||
|
|||
private final EventLoopGroup acceptorGroup; | |||
private final EventLoopGroup workerGroup; | |||
final EventLoopGroup workerGroup; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
can we keep it private?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
👍
Currently, the broker/proxy authenticates the proxy/client when the connection is established (via
Server.handleConnect
orProxyConnection.handleConnect
) after that we cache theauthRole
we extract. The connection persists long after theauthData
expires since we use the cachedauthRole
then onwards.In #1169 in order to preserve the Connection pool in ProxyLookupHandler, I changed the proxy code to cache the client
authData
and forward it to authenticate duringlookups
andgetPartitionMetaData
what I failed to see was that if the clientauthData
expires broker will reject the lookups, since we are sending old ClientauthData
.The fix for this is that for lookups instead of maintaining a single connection pool in proxy we maintain one connection pool per client connection and authenticate both the client and the proxy only when a new connection is created.