[GitHub] [pulsar] codelipenghui commented on a diff in pull request #17831: [fix][proxy] Fix refresh client auth

Thu, 29 Sep 2022 02:36:58 -0700 


codelipenghui commented on code in PR #17831:
URL: https://github.com/apache/pulsar/pull/17831#discussion_r983309654


##########
pulsar-proxy/src/main/java/org/apache/pulsar/proxy/server/ProxyClientCnx.java:
##########
@@ -54,10 +59,54 @@ protected ByteBuf newConnectCommand() throws Exception {
 
         authenticationDataProvider = 
authentication.getAuthData(remoteHostName);
         AuthData authData = 
authenticationDataProvider.authenticate(AuthData.INIT_AUTH_DATA);
-        return Commands.newConnect(authentication.getAuthMethodName(), 
authData, this.protocolVersion,
-            PulsarVersion.getVersion(), proxyToTargetBrokerAddress, 
clientAuthRole, clientAuthData,
-            clientAuthMethod);
+        return Commands.newConnect(authentication.getAuthMethodName(), 
authData, protocolVersion,
+                PulsarVersion.getVersion(), proxyToTargetBrokerAddress, 
clientAuthRole, clientAuthData,
+                clientAuthMethod);
     }
 
-    private static final Logger log = 
LoggerFactory.getLogger(ProxyClientCnx.class);
+    @Override
+    protected void handleAuthChallenge(CommandAuthChallenge authChallenge) {
+        checkArgument(authChallenge.hasChallenge());
+        checkArgument(authChallenge.getChallenge().hasAuthData());
+
+        boolean isRefresh = Arrays.equals(AuthData.REFRESH_AUTH_DATA_BYTES, 
authChallenge.getChallenge().getAuthData());
+        if (!forwardClientAuthData || !isRefresh) {
+            super.handleAuthChallenge(authChallenge);
+            return;
+        }
+
+        try {
+            if (log.isDebugEnabled()) {
+                log.debug("Proxy {} request to refresh the original client 
authentication data for "
+                        + "the proxy client {}", 
proxyConnection.ctx().channel(), ctx.channel());
+            }
+
+            
proxyConnection.ctx().writeAndFlush(Commands.newAuthChallenge(clientAuthMethod, 
AuthData.REFRESH_AUTH_DATA,

Review Comment:
   It looks like we can make some improvements to avoid sending auth challenge 
command to the client if the proxy just has done the auth challenge. Because 
all the brokers that interacted with client connection will send the auth 
challenge command



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to