See https://github.com/apache/pulsar/issues/17517.

On Mon, Oct 3, 2022 at 19:47, Asaf Mesika <asaf.mes...@gmail.com> wrote:

> I kind of lost you here Zixuan.
>
> Is there any chance you describe the authentication flow including the
> commands? Then specify the change you wish to make?
>
>
> On Thu, Aug 18, 2022 at 5:21 AM Zixuan Liu <node...@gmail.com> wrote:
>
> > A little confusing here is that both ProxyClient and DirectProxyHandler
> > pass original authentication and direct authentication data, but the broker
> > can only check if the original authentication data is expired.
> > This is the expected behavior, right? What if the direct authentication
> > data is expired?
> >
> > Proxy connect method:
> >
> > https://github.com/apache/pulsar/blob/master/pulsar-proxy/src/main/java/org/apache/pulsar/proxy/server/DirectProxyHandler.java#L327
> >
> > https://github.com/apache/pulsar/blob/master/pulsar-proxy/src/main/java/org/apache/pulsar/proxy/server/ProxyClientCnx.java#L57
> >
> > Broker refresh method:
> >
> > https://github.com/apache/pulsar/blob/master/pulsar-broker/src/main/java/org/apache/pulsar/broker/service/ServerCnx.java#L723
> >
> > Thanks,
> > Zixuan
> >
> > On Thu, Aug 18, 2022 at 10:11, Zixuan Liu <node...@gmail.com> wrote:
> >
> > > > So the problem is that the Proxy is not requesting a refresh ?
> > >
> > > It should be the proxy client.
> > >
> > > Zixuan
> > >
> > > On Wed, Aug 17, 2022 at 23:35, Enrico Olivelli <eolive...@gmail.com> wrote:
> > >
> > >> So the problem is that the Proxy is not requesting a refresh ?
> > >>
> > >> Enrico
> > >>
> > >> On Wed, Aug 17, 2022 at 16:26, Zixuan Liu <node...@gmail.com> wrote:
> > >> >
> > >> > Thanks @Qiang!
> > >> >
> > >> > Update the diagram:
> > >> >
> > >> > https://drive.google.com/file/d/1E6z0dzXzvW5ZxG6d6YUghL9OikA8j4UC/view?usp=sharing
> > >> >
> > >> > Thanks,
> > >> > Zixuan
> > >> >
> > >> > On Wed, Aug 17, 2022 at 19:13, Qiang Huang <qiang.huang1...@gmail.com> wrote:
> > >> >
> > >> > > It makes sense to me. BTW, the image is broken.
> > >> > >
> > >> > > On Wed, Aug 17, 2022 at 11:10, Zixuan Liu <node...@gmail.com> wrote:
> > >> > >
> > >> > > > Note that there are two clients, the user client, and the proxy client.
> > >> > > > When the original authentication data expires, the user client cannot send a
> > >> > > > request to the proxy to find the broker URL. We haven't tests to cover this.
> > >> > > >
> > >> > > > A simple diagram represents workflow:
> > >> > > > [image: image.png]
> > >> > > > Both connections pass the proxy client and the user client authentication
> > >> > > > data.
> > >> > > >
> > >> > > > Thanks,
> > >> > > > Zixuan
> > >> > > >
> > >> > > > On Tue, Aug 16, 2022 at 23:02, Zixuan Liu <node...@gmail.com> wrote:
> > >> > > >
> > >> > > >> Hi all,
> > >> > > >>
> > >> > > >> Refreshing the authentication data that comes from the client is important. We
> > >> > > >> have two types of authentication data, direct authentication data, and
> > >> > > >> original authentication data:
> > >> > > >>
> > >> > > >> 1. Direct authentication data
> > >> > > >> The client/proxy brings the authentication data directly connected to the
> > >> > > >> broker, which is direct authentication data.
> > >> > > >>
> > >> > > >> When the direct authentication data is expired, the broker sends the
> > >> > > >> `newAuthChallenge` command with `AuthData.REFRESH_AUTH_DATA` data to the
> > >> > > >> client to refresh the authentication data.
> > >> > > >>
> > >> > > >> 2. Original authentication data
> > >> > > >> We add a proxy between the client and the broker, both the proxy and the
> > >> > > >> client bring the authentication data to request the broker, the
> > >> > > >> authentication data from the proxy is direct authentication data, and the
> > >> > > >> authentication data from the client is original authentication data.
> > >> > > >>
> > >> > > >> The broker can refresh the direct authentication data, but when we are
> > >> > > >> using the proxy, the broker could not refresh the original
> > >> > > >> authentication data, because we haven't any action to request to refresh
> > >> > > >> the original authentication data, so we need to add an auth data const to
> > >> > > >> request to refresh the original authentication data, so like
> > >> > > >> `AuthData.REFRESH_AUTH_DATA`.
> > >> > > >>
> > >> > > >> Once most people agree with this, I'll make a PIP.
> > >> > > >>
> > >> > > >> References:
> > >> > > >>
> > >> > > >> - https://github.com/apache/pulsar/pull/13339
> > >> > > >> - https://github.com/apache/pulsar/issues/10816
> > >> > > >>
> > >> > > >> Thanks,
> > >> > > >> Zixuan
> > >> > > >>
> > >> > >
> > >> > > --
> > >> > > BR,
> > >> > > Qiang Huang
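
A simplified model of the refresh gap described in the first message of this thread, added here as an illustration; it is not Pulsar code and not from any participant. Only `REFRESH_AUTH_DATA` comes from the thread; `REFRESH_ORIGINAL_AUTH_DATA`, `BrokerConnection`, `supports_original_refresh` and the tick-based clock are assumptions made for the example.

```python
from dataclasses import dataclass

REFRESH_AUTH_DATA = "REFRESH_AUTH_DATA"                    # constant named in the thread
REFRESH_ORIGINAL_AUTH_DATA = "REFRESH_ORIGINAL_AUTH_DATA"  # hypothetical name for the proposed constant

@dataclass
class Credential:
    owner: str        # "proxy" (direct) or "user" (original)
    expires_at: int   # constructed clock ticks, not real timestamps

    def expired(self, now: int) -> bool:
        return now >= self.expires_at

@dataclass
class BrokerConnection:
    """Broker-side view of one proxied connection: two credentials on one link."""
    direct: Credential
    original: Credential
    supports_original_refresh: bool = False  # True models the proposal

    def challenges(self, now: int) -> list:
        """Challenges the broker is able to send at time `now`."""
        out = []
        if self.direct.expired(now):
            out.append(REFRESH_AUTH_DATA)
        if self.original.expired(now) and self.supports_original_refresh:
            out.append(REFRESH_ORIGINAL_AUTH_DATA)
        return out

def refresh_round(conn: BrokerConnection, now: int, ttl: int = 10) -> dict:
    """One round: the proxy client answers the direct challenge itself and relays
    the proposed one to the user client (assumed to always return fresh data)."""
    for challenge in conn.challenges(now):
        if challenge == REFRESH_AUTH_DATA:
            conn.direct = Credential("proxy", now + ttl)
        elif challenge == REFRESH_ORIGINAL_AUTH_DATA:
            conn.original = Credential("user", now + ttl)
    return {"direct_expired": conn.direct.expired(now),
            "original_expired": conn.original.expired(now)}

def demo() -> tuple:
    # Constructed scenario: both credentials expire at tick 5, broker checks at tick 6.
    today = BrokerConnection(Credential("proxy", 5), Credential("user", 5))
    proposed = BrokerConnection(Credential("proxy", 5), Credential("user", 5),
                                supports_original_refresh=True)
    return refresh_round(today, now=6), refresh_round(proposed, now=6)

if __name__ == "__main__":
    print(demo())
```

In the first result the original credential stays expired because no challenge exists to ask for it; in the second, the added constant closes that gap.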