[fix][broker] Fix passing incorrect authentication data #16201
The proxy tests still succeed without the modifications on ServerCnx
You can try this step:
These tests need to verify the
This is my test result:
I found the cause. It's because when I ran the tests, I have reverted your changes for Therefore, you must add another test to verify that when
Your suggestion is great, I'll make a PR to do that.
I'm still confused about why #16065 introduced the bug? I just reverted e6b12c6 and run the But this PR makes
```java
conf.setAuthenticateOriginalAuthData(true);
proxyConfig.setForwardAuthorizationCredentials(true);
```
It looks like a breaking change on these configs.
pulsar-broker/src/main/java/org/apache/pulsar/broker/service/ServerCnx.java
This bug is triggered only when the proxy is used, you can see this PR uses the
The following is our test log:
The subject doesn't equal the role, it is incorrect. I just reverted e6b12c6 and run the
It was an accident, although the intermediate link of verification is incorrect, the test can still pass.
@BewareMyPower Thank you for pointing out this problem, you are right, I made a wrong design in the code that made the test fail.
@merlimat Please help review this PR.
Signed-off-by: Zixuan Liu <nodeces@gmail.com>
Could this please be picked into 2.8, 2.9 and 2.10?
### Motivation

#16065 fixes the race condition issue, but introduces a new issue. This issue is triggered when the Proxy and Broker work together, when we use the proxy to request the broker to do lookup/subscribe/produce operation, the broker always uses the original authentication data for authorization, not proxy authentication data, which causes this issue.

### Modification

- Fix passing authentication data, differentiate between original auth data and connected auth data by avoiding the use of `getAuthenticationData()`; this method name easily causes confusion and cannot correctly get the authentication data

(cherry picked from commit 936bbbc)
@codelipenghui Do you have this planning?
### Motivation

apache#16065 fixes the race condition issue, but introduces a new issue. This issue is triggered when the Proxy and Broker work together, when we use the proxy to request the broker to do lookup/subscribe/produce operation, the broker always uses the original authentication data for authorization, not proxy authentication data, which causes this issue.

### Modification

- Fix passing authentication data, differentiate between original auth data and connected auth data by avoiding the use of `getAuthenticationData()`; this method name easily causes confusion and cannot correctly get the authentication data

(cherry picked from commit 936bbbc)
(cherry picked from commit adf5ce7)
@nodece Could you please open a PR for branch-2.8
Signed-off-by: Zixuan Liu <nodeces@gmail.com>

### Motivation

#16065 fixes the race condition issue, but introduces a new issue. This issue is triggered when the Proxy and Broker work together, when we use the proxy to request the broker to do lookup/subscribe/produce operation, the broker always uses the original authentication data for authorization, not proxy authentication data, which causes this issue.

### Modification

- Fix passing authentication data, differentiate between original auth data and connected auth data by avoiding the use of `getAuthenticationData()`; this method name easily causes confusion and cannot correctly get the authentication data

### Verifying this change

Added unit test.

### Documentation

doc-not-needed
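
The mismatch described in the Motivation, as an added example that is not part of this PR or of Pulsar's code: a broker-side connection reached through a proxy carries two credentials, and an ambiguous accessor hands the wrong one to the proxy-role check. All class, method and role names are hypothetical, and two things are assumptions: that the accessor prefers the original client's data, and that the provider requires the credential's subject to equal the role being checked.

```java
import java.util.Set;

// Added illustration; every name here is hypothetical, not Pulsar's ServerCnx API.
public class ProxyAuthDataDemo {
    // Credential material as an authorization provider sees it: the subject it asserts.
    record AuthData(String subject) {}

    // Broker-side view of one connection that arrived through a proxy.
    record Conn(String proxyRole, AuthData connAuthData,
                String originalPrincipal, AuthData originalAuthData) {
        // Ambiguous accessor (assumed behaviour): prefers the original client's data.
        AuthData getAuthenticationData() {
            return originalAuthData != null ? originalAuthData : connAuthData;
        }
    }

    static final Set<String> ALLOWED = Set.of("proxy", "client-a"); // constructed ACL

    // Assumed provider rule: role must be in the ACL and the credential must belong to it.
    static boolean allow(String role, AuthData data) {
        return ALLOWED.contains(role) && data != null && role.equals(data.subject());
    }

    // Before: both role checks receive whatever the ambiguous accessor returns,
    // so the proxy role is evaluated against the client's credential.
    static boolean authorizeAmbiguous(Conn c) {
        return allow(c.proxyRole(), c.getAuthenticationData())
            && allow(c.originalPrincipal(), c.getAuthenticationData());
    }

    // After: each role is checked against the credential it was authenticated with.
    static boolean authorizePaired(Conn c) {
        return allow(c.proxyRole(), c.connAuthData())
            && allow(c.originalPrincipal(), c.originalAuthData());
    }

    public static void main(String[] args) {
        // Constructed sample: proxy "proxy" forwarding for client "client-a".
        Conn c = new Conn("proxy", new AuthData("proxy"),
                          "client-a", new AuthData("client-a"));
        System.out.println("ambiguous accessor: " + authorizeAmbiguous(c));
        System.out.println("explicit pairing:   " + authorizePaired(c));
    }
}
```

A provider that ignores the credential and checks only the role name would pass both paths, which is consistent with the thread's observation that a test can succeed while the intermediate verification is wrong.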