nodece opened a new issue, #17517:
URL: https://github.com/apache/pulsar/issues/17517
### Motivation
The client supports passing two types of authentication data to connect to
the broker: self-authentication data and original authentication data. When
a client is connected, the broker starts a thread to check whether the
authentication data is expired. When both kinds of authentication data exist,
the broker only supports refreshing the original authentication data and
ignores refreshing the self-authentication data. When the self-authentication
data is expired, we must consider how to refresh it.
### Goal
Propose an approach that refreshes the different authentication data.
### API Changes
1. Add the `original_auth_data` field, which represents which authentication
data is refreshed.
```
message CommandAuthResponse {
    optional bool original_auth_data = 4 [default = false];
}
```
2. Add the `refreshOriginalAuthentication` method to the
`AuthenticationState` interface.
```java
public interface AuthenticationState {
    /**
     * If the authentication state supports refreshing and the credentials are expired,
     * the auth provider will call this method to initiate the refresh process.
     * <p>
     * The auth state here will return the broker side data that will be used to send
     * a challenge to the client
     *
     * @return the {@link AuthData} for the broker challenge to client
     * @throws AuthenticationException
     */
    default AuthData refreshOriginalAuthentication() throws AuthenticationException {
        return AuthData.of("PulsarOriginalAuthRefresh".getBytes(StandardCharsets.UTF_8));
    }
}
```
### Implementation
For the broker, we need to add a method on the
`org.apache.pulsar.broker.service.PulsarChannelInitializer` for checking whether
the self-authentication data is expired.
For the client, such as the original client or the proxy client, we need to
parse the `original_auth_data` field from the `CommandAuthChallenge` command,
then respond with the correct authentication data to the broker to refresh the
authentication data.
For the proxy handler, we need to do some forwarding operations to refresh
authentication data.
### Alternatives
_No response_
### Anything else?
This change is fully compatible with different versions of client and
broker. If the client fails to authenticate, the broker disconnects.
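
The refresh flow described under Implementation, as an added example that is not part of the issue or of Pulsar's code: a broker-side model that tracks both credentials, decides which ones need a challenge, and rejects a stale response. All class and method names are hypothetical, and the mapping `true` = original authentication data, `false` = self-authentication data is an assumption drawn from the field name and its default.

```java
import java.time.Instant;
import java.util.ArrayList;
import java.util.List;

// Hypothetical model of the proposed flag (Java 16+); not Pulsar's real classes.
public class AuthRefreshSketch {
    record Credential(String principal, Instant expiresAt) {
        boolean isExpired(Instant now) { return !now.isBefore(expiresAt); }
    }

    // Broker-side state for one connection; original is null for a direct client.
    static final class ConnectionAuth {
        Credential self;
        Credential original;

        ConnectionAuth(Credential self, Credential original) {
            this.self = self;
            this.original = original;
        }

        // Expiry check: one flag value per credential that needs a challenge.
        // Assumption: true = original auth data, false = self-authentication data.
        List<Boolean> challengesDue(Instant now) {
            List<Boolean> due = new ArrayList<>();
            if (self.isExpired(now)) due.add(false);
            if (original != null && original.isExpired(now)) due.add(true);
            return due;
        }

        // Applies a refresh response; false means the broker should disconnect.
        boolean applyResponse(boolean originalAuthData, Credential fresh, Instant now) {
            if (fresh == null || fresh.isExpired(now)) return false;
            if (originalAuthData && original == null) return false;
            if (originalAuthData) original = fresh; else self = fresh;
            return true;
        }
    }

    public static void main(String[] args) {
        Instant now = Instant.parse("2022-09-07T12:00:00Z"); // constructed sample time
        ConnectionAuth conn = new ConnectionAuth(
                new Credential("proxy", now.minusSeconds(1)),      // already expired
                new Credential("client-a", now.plusSeconds(600))); // still valid
        System.out.println("flags to challenge: " + conn.challengesDue(now));
        boolean ok = conn.applyResponse(false, new Credential("proxy", now.plusSeconds(3600)), now);
        System.out.println("refresh accepted: " + ok + ", still due: " + conn.challengesDue(now));
        // A response carrying stale data is rejected, so the connection is closed.
        System.out.println("stale accepted: "
                + conn.applyResponse(true, new Credential("client-a", now.minusSeconds(5)), now));
    }
}
```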