nodece commented on code in PR #17831:
URL: https://github.com/apache/pulsar/pull/17831#discussion_r980825915
##########
pulsar-proxy/src/main/java/org/apache/pulsar/proxy/server/ProxyConnection.java:
##########
@@ -543,6 +557,48 @@ protected void handleAuthResponse(CommandAuthResponse
authResponse) {
}
}
+ private CompletableFuture<AuthData>
getOrRefreshOriginalClientAuthData(boolean isRefresh) {
+ if (!isRefresh) {
+ if
(service.getConfiguration().isForwardAuthorizationCredentials()) {
+ return CompletableFuture.completedFuture(clientAuthData);
+ }
+ return CompletableFuture.completedFuture(null);
+ }
+
+ if (refreshAuthFuture != null && !refreshAuthFuture.isDone()) {
+ log.error("{} Mutual auth timeout", ctx.channel());
+ ctx.close();
+ return CompletableFuture.failedFuture(new
AuthenticationException("Mutual auth timeout"));
+ }
+
+ refreshAuthFuture = new CompletableFuture<>();
+ try {
+ AuthData refreshAuthData = authState.refreshAuthentication();
+ ctx.writeAndFlush(Commands.newAuthChallenge(clientAuthMethod,
refreshAuthData, protocolVersionToAdvertise))
+ .addListener(writeFuture -> {
+ if (writeFuture.isSuccess()) {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("{} Sent auth challenge to client to
refresh credentials with method: {}",
+ ctx.channel(), clientAuthMethod);
+ }
+ } else {
+ LOG.error("{} Failed to send request for mutual
auth to client", ctx.channel(),
+ writeFuture.cause());
+
refreshAuthFuture.completeExceptionally(writeFuture.cause());
+ ctx.close();
+ }
+ });
+ } catch (AuthenticationException e) {
+ log.error("{} Failed to refresh authentication", ctx.channel(), e);
+ ctx.writeAndFlush(
+ Commands.newError(-1,
ServerError.AuthenticationError, "Failed to refresh authentication"))
+ .addListener(ChannelFutureListener.CLOSE);
+ refreshAuthFuture.completeExceptionally(e);
+ }
+
+ return refreshAuthFuture;
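Review bot: In the in-flight branch (`if (refreshAuthFuture != null && !refreshAuthFuture.isDone())`), the method closes the channel and returns a new failed future, but the earlier `refreshAuthFuture` is left pending, so anything chained on it gets no result from this path. Consider calling `refreshAuthFuture.completeExceptionally(...)` with the same `AuthenticationException` before returning. The "Mutual auth timeout" message is also misleading at this point: nothing in the hunk measures elapsed time, and the condition only shows that a previous refresh has not completed yet. On the success path of the write listener the future is not completed either, so a short comment naming where it is completed would answer the question a reader will have. The hunk also mixes `log` and `LOG`; use the one logger field the class declares.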
Review Comment:
> Looks like the `refreshAuthFuture` will only be completed with the exception, not the auth data. How does it work?

See `org.apache.pulsar.proxy.server.ProxyConnection#doAuthentication`; we will complete auth in this method.

> If we need the client (user) to refresh the auth data, we can just let the proxy forward the auth challenge command to the client and forward the client auth response to the broker. Does this not work? Or maybe I missed something.

This is the `org.apache.pulsar.proxy.server.DirectProxyHandler` functionality; the client can communicate directly with the broker through it.

You miss the first connection that the client makes to the proxy, which is used for lookup operations; the next step is that the client can communicate directly with the broker through the proxy.
--
This is an automated message from the Apache Git Service.