-
Notifications
You must be signed in to change notification settings - Fork 1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix: add getAuthToken method to AuthenticationPlugin interface #9239
Conversation
Just to understand a bit better, do we have a case where the WS was used with an authentication plugin where the header wasn't what was used for authentication? Does this have anything special to do with the WebSocket vs any other interface? Just to be clear, when the requests are forwarded, they are done using the |
...est-app/src/test/java/io/confluent/ksql/rest/integration/PullQueryRoutingFunctionalTest.java
Show resolved
Hide resolved
@@ -46,4 +46,9 @@ public interface AuthenticationPlugin { | |||
CompletableFuture<Principal> handleAuth(RoutingContext routingContext, | |||
WorkerExecutor workerExecutor); | |||
|
|||
|
|||
default String getAuthToken(final RoutingContext routingContext) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Maybe add an additional comment here about how this is different from handleAuth. This is a little funny because we expose the auth token (as opposed to just treating it as entirely internal to the plugin, as handleAuth does) in addition to exposing handleAuth
, since we need it for the purpose of forwarding on requests inter-node as using it as a backup header for connect. Since we need it for those two purposes, I don't think we can easily hide it in a plugin method like prepareRequest()
.
Also, I assume that since this is default, it shouldn't break any existing plugins.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Added a javadoc explaining why we need to expose this method. And yes the default just defaults back to the old logic so that nothing existing should break.
@AlanConfluent the internal jira that I slacked you has more context about how we identified the problem, but essentially it is because the WS requests do not use |
Description
Websocket pull queries that were forwarded to a different node were not correctly extracting their required credentials from the original pull query request. This PR fixes this by adding a
getAuthToken
method to the AuthenticationPlugin interface, with the default being the original behaviour of checking only for anAuthorization
header, and plugins being able to add any custom authentication they need for multi-node websocket pull queries.Testing done
Integration test added
Reviewer checklist