Note that there are two clients, the user client, and the proxy client.
When the original authentication data expires, the user client cannot send a
request to the proxy to find the broker URL. We don't have tests to cover this.

A simple diagram represents the workflow:
[image: image.png]
Both connections pass the proxy client and the user client authentication
data.

Thanks,
Zixuan

On Tue, Aug 16, 2022 at 23:02, Zixuan Liu <node...@gmail.com> wrote:

> Hi all,
>
> Refreshing the authentication data that comes from the client is important. We
> have two types of authentication data, direct authentication data and
> original authentication data:
>
> 1. Direct authentication data
> The client/proxy that is directly connected to the broker brings
> authentication data, which is direct authentication data.
>
> When the direct authentication data has expired, the broker sends the
> `newAuthChallenge` command with `AuthData.REFRESH_AUTH_DATA` data to the
> client to refresh the authentication data.
>
> 2. Original authentication data
> We add a proxy between the client and the broker. Both the proxy and the
> client bring authentication data in requests to the broker: the
> authentication data from the proxy is direct authentication data, and the
> authentication data from the client is original authentication data.
>
> The broker can refresh the direct authentication data, but when we are
> using the proxy, the broker cannot refresh the original
> authentication data, because we don't have any action to request a refresh of
> the original authentication data. So we need to add an auth data constant to
> request a refresh of the original authentication data, like
> `AuthData.REFRESH_AUTH_DATA`.
>
> Once most people agree with this, I'll make a PIP.
>
> References:
>
> - https://github.com/apache/pulsar/pull/13339
> - https://github.com/apache/pulsar/issues/10816
>
> Thanks,
> Zixuan
>
>
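A small model of the refresh exchange discussed in this thread, added here as an illustration; it is not code from Pulsar or from the posters. It contrasts the broker's behaviour with and without a challenge for the original authentication data. `REFRESH_ORIGINAL_AUTH_DATA`, the class and function names, and the sample expiry times are all hypothetical.

```python
from dataclasses import dataclass
from typing import Callable, Optional

REFRESH_AUTH_DATA = "REFRESH_AUTH_DATA"                    # AuthData.REFRESH_AUTH_DATA from the thread
REFRESH_ORIGINAL_AUTH_DATA = "REFRESH_ORIGINAL_AUTH_DATA"  # hypothetical name for the proposed constant

@dataclass
class Credential:
    subject: str
    expires_at: int  # constructed clock, in seconds

    def expired(self, now: int) -> bool:
        return now >= self.expires_at

@dataclass
class BrokerConnection:
    direct: Credential                     # sent by the directly connected peer (client or proxy)
    original: Optional[Credential] = None  # user client's data, forwarded by the proxy
    original_refresh: bool = False         # True models the proposed behaviour

    def challenges(self, now: int) -> list:
        """newAuthChallenge payloads the broker is able to send at `now`."""
        out = []
        if self.direct.expired(now):
            out.append(REFRESH_AUTH_DATA)
        if self.original and self.original.expired(now) and self.original_refresh:
            out.append(REFRESH_ORIGINAL_AUTH_DATA)
        return out

    def unrefreshable(self, now: int) -> list:
        """Expired credentials for which the broker has no challenge to send."""
        if self.original and self.original.expired(now) and not self.original_refresh:
            return [self.original.subject]
        return []

def proxy_answer(conn: BrokerConnection, challenge: str, now: int,
                 proxy_login: Callable[[int], Credential],
                 client_login: Callable[[int], Credential]) -> None:
    """Proxy side: answer for itself, or relay the challenge to the user client."""
    if challenge == REFRESH_AUTH_DATA:
        conn.direct = proxy_login(now)
    elif challenge == REFRESH_ORIGINAL_AUTH_DATA:
        conn.original = client_login(now)

def run(original_refresh: bool, now: int = 100):
    # Constructed sample: proxy and user tokens both expire at t=100; new ones last 60s.
    conn = BrokerConnection(Credential("proxy", 100), Credential("user", 100), original_refresh)
    sent, stuck = conn.challenges(now), conn.unrefreshable(now)
    for c in sent:
        proxy_answer(conn, c, now, lambda t: Credential("proxy", t + 60),
                     lambda t: Credential("user", t + 60))
    return sent, stuck, conn.original.expired(now)
```

`run(False)` leaves the user credential expired on the broker side after the proxy has refreshed its own, which is the gap the thread describes; `run(True)` refreshes both.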
