Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

PIP-30: interface and mutual change authentication #3677

Merged
merged 13 commits into from
Mar 13, 2019
Merged

PIP-30: interface and mutual change authentication #3677

merged 13 commits into from
Mar 13, 2019

Conversation

jiazhai
Copy link
Member

@jiazhai jiazhai commented Feb 23, 2019
edited
Loading

Motivation

This is to implement the mutual auth api discussed in PIP-30: change authentication provider API to support mutual authentication

Modifications

Describe the modifications you've done.

Verifying this change

@jiazhai
Copy link
Member Author

jiazhai commented Feb 23, 2019

@eolivelli would you please also help look at this. Thanks.

@eolivelli
Copy link
Contributor

Sure

eolivelli
eolivelli requested changes Feb 23, 2019
View reviewed changes
Copy link
Contributor

@eolivelli eolivelli left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good work.
I left a couple of suggestions

...r-common/src/main/java/org/apache/pulsar/broker/authentication/AuthenticationDataSource.java Outdated Show resolved Hide resolved
...broker-common/src/main/java/org/apache/pulsar/broker/authentication/AuthenticationState.java Show resolved Hide resolved
pulsar-broker/src/main/java/org/apache/pulsar/broker/service/ServerCnx.java Outdated Show resolved Hide resolved
pulsar-common/src/main/java/org/apache/pulsar/common/api/Commands.java Outdated Show resolved Hide resolved
sijie
sijie reviewed Feb 25, 2019
View reviewed changes
Copy link
Member

@sijie sijie left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

overall looks good. left a few comments around the interface. I think there are still improvements to make the interface cleaner.

...broker-common/src/main/java/org/apache/pulsar/broker/authentication/AuthenticationState.java Outdated Show resolved Hide resolved
pulsar-broker/src/main/java/org/apache/pulsar/broker/service/ServerCnx.java Outdated Show resolved Hide resolved
pulsar-client/src/main/java/org/apache/pulsar/client/impl/ClientCnx.java Outdated Show resolved Hide resolved
@jiazhai jiazhai changed the title [WIP]PIP-30: interface and mutual change authentication PIP-30: interface and mutual change authentication Feb 27, 2019
eolivelli
eolivelli reviewed Feb 27, 2019
View reviewed changes
Copy link
Contributor

@eolivelli eolivelli left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I will take another look tomorrow.
What about the http API ?

ivankelly
ivankelly requested changes Feb 28, 2019
View reviewed changes
Copy link
Contributor

@ivankelly ivankelly left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good in general. Requested a few changes.

...broker-common/src/main/java/org/apache/pulsar/broker/authentication/AuthenticationState.java Outdated Show resolved Hide resolved
pulsar-broker/src/main/java/org/apache/pulsar/broker/service/ServerCnx.java Outdated Show resolved Hide resolved
pulsar-common/src/main/proto/PulsarApi.proto Show resolved Hide resolved
@jiazhai
Copy link
Member Author

jiazhai commented Mar 1, 2019

run integration tests

@jiazhai
Copy link
Member Author

jiazhai commented Mar 1, 2019

@eolivelli @ivankelly updated, Would you please help review again.

eolivelli
eolivelli requested changes Mar 1, 2019
View reviewed changes
Copy link
Contributor

@eolivelli eolivelli left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We are close to be ready.
I left a couple of comments.

...r-common/src/main/java/org/apache/pulsar/broker/authentication/AuthenticationDataSource.java Outdated Show resolved Hide resolved
...oker-common/src/main/java/org/apache/pulsar/broker/authentication/AuthenticationService.java Outdated Show resolved Hide resolved
pulsar-broker/src/main/java/org/apache/pulsar/broker/service/ServerCnx.java Show resolved Hide resolved
pulsar-client-api/src/main/java/org/apache/pulsar/common/api/AuthData.java Outdated Show resolved Hide resolved
@jiazhai
Copy link
Member Author

jiazhai commented Mar 1, 2019

@eolivelli Thanks for the comments, updated again.

ivankelly
ivankelly requested changes Mar 1, 2019
View reviewed changes
Copy link
Contributor

@ivankelly ivankelly left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I haven't reviewed fully, but one thing I saw quickly was that the challenge goes from the client to the broker. It should be the other way around. The client initiates the connection, the server challenges the client and the client responds to the server's challenge.

@jiazhai
Copy link
Member Author

jiazhai commented Mar 2, 2019

@ivankelly Thanks, updated.

@jiazhai
Copy link
Member Author

jiazhai commented Mar 2, 2019

run java8 tests

@ivankelly ivankelly requested a review from jerrypeng March 4, 2019 11:07
@ivankelly
Copy link
Contributor

@jiazhai added @jerrypeng as he's been making some other auth changes lately.

ivankelly
ivankelly requested changes Mar 4, 2019
View reviewed changes
...ker-common/src/main/java/org/apache/pulsar/broker/authentication/AuthenticationProvider.java Outdated Show resolved Hide resolved
...oker-common/src/main/java/org/apache/pulsar/broker/authentication/AuthenticationService.java Outdated Show resolved Hide resolved
...broker-common/src/main/java/org/apache/pulsar/broker/authentication/AuthenticationState.java Outdated Show resolved Hide resolved
pulsar-broker/src/main/java/org/apache/pulsar/broker/service/ServerCnx.java Outdated Show resolved Hide resolved
pulsar-broker/src/main/java/org/apache/pulsar/broker/service/ServerCnx.java Outdated Show resolved Hide resolved
...broker-common/src/main/java/org/apache/pulsar/broker/authentication/AuthenticationState.java Show resolved Hide resolved
...ommon/src/main/java/org/apache/pulsar/broker/authentication/OneStageAuthenticationState.java Outdated Show resolved Hide resolved
pulsar-common/src/main/java/org/apache/pulsar/common/api/Commands.java Outdated Show resolved Hide resolved
pulsar-common/src/main/java/org/apache/pulsar/common/api/Commands.java Outdated Show resolved Hide resolved
pulsar-common/src/main/java/org/apache/pulsar/common/api/Commands.java Outdated Show resolved Hide resolved
@jiazhai
Copy link
Member Author

jiazhai commented Mar 4, 2019

Thanks @ivankelly , updated it again.

@jiazhai
Copy link
Member Author

jiazhai commented Mar 5, 2019

run java8 tests

@jiazhai
Copy link
Member Author

jiazhai commented Mar 5, 2019
edited
Loading

run java8 tests

for error:
org.apache.pulsar.client.api.BrokerServiceLookupTest.testWebserviceServiceTls

ivankelly
ivankelly requested changes Mar 5, 2019
View reviewed changes
Copy link
Contributor

@ivankelly ivankelly left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This change is missing unit tests. It should be fairly easy to mock up a AuthProvider to do multi stage auth.

pulsar-broker/src/main/java/org/apache/pulsar/broker/service/ServerCnx.java
private void doingAuthentication(AuthData clientData,
int clientProtocolVersion,
String clientVersion) throws Exception {
AuthData brokerData = authState.authenticate(clientData);
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yes, what I find strange is that we make a call to mutate authState, and then immediately query authState to see what that mutation resulted in. It feels like this would be better done in a single call, especially if multiple threads come into play at a later date.

pulsar-broker/src/main/java/org/apache/pulsar/broker/service/ServerCnx.java Outdated Show resolved Hide resolved
pulsar-broker/src/main/java/org/apache/pulsar/broker/service/ServerCnx.java Outdated Show resolved Hide resolved
pulsar-common/src/main/proto/PulsarApi.proto Outdated Show resolved Hide resolved
pulsar-common/src/main/proto/PulsarApi.proto Outdated Show resolved Hide resolved
pulsar-common/src/main/java/org/apache/pulsar/common/api/Commands.java Outdated Show resolved Hide resolved
@jiazhai
Copy link
Member Author

jiazhai commented Mar 6, 2019

@ivankelly updated again. would you please help review it again

ivankelly
ivankelly requested changes Mar 6, 2019
View reviewed changes
Copy link
Contributor

@ivankelly ivankelly left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

On the client side, where does it get the initial data to sent in the ConnectCommand?

pulsar-broker/src/main/java/org/apache/pulsar/broker/service/ServerCnx.java Outdated Show resolved Hide resolved
pulsar-broker/src/test/java/org/apache/pulsar/broker/service/ServerCnxTest.java Outdated Show resolved Hide resolved
...ker-common/src/main/java/org/apache/pulsar/broker/authentication/AuthenticationProvider.java Outdated Show resolved Hide resolved
...ommon/src/main/java/org/apache/pulsar/broker/authentication/OneStageAuthenticationState.java Outdated Show resolved Hide resolved
pulsar-broker/src/test/java/org/apache/pulsar/client/api/MutualAuthenticationTest.java Show resolved Hide resolved
pulsar-broker/src/test/java/org/apache/pulsar/client/api/MutualAuthenticationTest.java Outdated Show resolved Hide resolved
pulsar-broker/src/test/java/org/apache/pulsar/client/api/MutualAuthenticationTest.java Show resolved Hide resolved
pulsar-broker/src/test/java/org/apache/pulsar/client/api/MutualAuthenticationTest.java Outdated Show resolved Hide resolved
pulsar-broker/src/test/java/org/apache/pulsar/client/api/MutualAuthenticationTest.java Outdated Show resolved Hide resolved
@jiazhai
Copy link
Member Author

jiazhai commented Mar 6, 2019

@ivankelly Thanks for the comments. update it again.
as you mentioned, "init" is set when newConnectCommand in client side. in Kerberos, it is null. Here it just indicate that this is the start.

@jiazhai
Copy link
Member Author

jiazhai commented Mar 7, 2019

rerun java8 tests

1 similar comment
@jiazhai
Copy link
Member Author

jiazhai commented Mar 7, 2019

rerun java8 tests

@sijie
Copy link
Member

sijie commented Mar 8, 2019

@ivankelly @eolivelli can you guys please review this again? we have to push this forward to unblock subsequent changes.

ivankelly
ivankelly requested changes Mar 11, 2019
View reviewed changes
...ker-common/src/main/java/org/apache/pulsar/broker/authentication/AuthenticationProvider.java Outdated Show resolved Hide resolved
...ker-common/src/main/java/org/apache/pulsar/broker/authentication/AuthenticationProvider.java Outdated Show resolved Hide resolved
...broker-common/src/main/java/org/apache/pulsar/broker/authentication/AuthenticationState.java Outdated Show resolved Hide resolved
pulsar-broker/src/main/java/org/apache/pulsar/broker/service/ServerCnx.java Show resolved Hide resolved
pulsar-client/src/main/java/org/apache/pulsar/client/impl/ClientCnx.java Outdated Show resolved Hide resolved
pulsar-broker/src/test/java/org/apache/pulsar/client/api/MutualAuthenticationTest.java Outdated Show resolved Hide resolved
pulsar-broker/src/test/java/org/apache/pulsar/client/api/MutualAuthenticationTest.java Outdated Show resolved Hide resolved
@jiazhai
Copy link
Member Author

jiazhai commented Mar 12, 2019

@ivankelly Thanks for the comments, updated

@jiazhai
Copy link
Member Author

jiazhai commented Mar 12, 2019
edited
Loading

run integration tests
run java8 tests

org.apache.pulsar.broker.admin.PersistentTopicsTest.cleanup


org.apache.pulsar.tests.integration.functions.PulsarFunctionsThreadTest.pulsar-test-suite

ivankelly
ivankelly requested changes Mar 12, 2019
View reviewed changes
Copy link
Contributor

@ivankelly ivankelly left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

One small comment. Otherwise it's ready to go.

pulsar-client-api/src/main/java/org/apache/pulsar/common/api/AuthData.java Outdated Show resolved Hide resolved
ivankelly
ivankelly approved these changes Mar 12, 2019
View reviewed changes
Copy link
Contributor

@ivankelly ivankelly left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm. good work Jia!

@sijie sijie added area/client type/feature The PR added a new feature or issue requested a new feature area/broker area/security labels Mar 12, 2019
@sijie sijie added this to the 2.4.0 milestone Mar 12, 2019
@jiazhai jiazhai merged commit 09e3ed8 into apache:master Mar 13, 2019
This was referenced Mar 14, 2019
Closed
Merged
sijie pushed a commit that referenced this pull request Mar 19, 2019
@jiazhai @sijie
kerberos: authentication between client and broker (#3821)
7064285 
Fixes #3652

**Motivation**
Currently both Zookeeper and BookKeeper could be secured by using Kerberos, It would be good to support Kerberos in Pulsar Broker and Client.
This is the sub-task for issue in #3491 to support Kerberos in Pulsar Broker and Client.
Will add proxy and web resource support in following prs.
The Kerberos authentication is similar to that in Zookeeper and BookKeeper, which leverage SASL and GSSAPI, so reused some of the code there.
PR #3658 is the first version of PR before #3677 .

**Changes**
provide both client and broker side support for authentication api;
add unit test.
@rdhabalia rdhabalia mentioned this pull request Oct 24, 2019
Merged
@klaatu01 klaatu01 mentioned this pull request Feb 8, 2023
Merged
@michaeljmarshall michaeljmarshall mentioned this pull request Feb 24, 2023
Draft
1 task
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@eolivelli eolivelli eolivelli requested changes

@ivankelly ivankelly ivankelly approved these changes

@sijie sijie sijie approved these changes

@merlimat merlimat Awaiting requested review from merlimat

@jerrypeng jerrypeng Awaiting requested review from jerrypeng

Assignees

@jiazhai jiazhai

Labels
area/broker area/client area/security type/feature The PR added a new feature or issue requested a new feature
Projects
None yet
Milestone
2.4.0
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@jiazhai @eolivelli @ivankelly @sijie