nodece opened a new pull request, #19519:
URL: https://github.com/apache/pulsar/pull/19519

   ### Motivation
   
   In the authentication:
   
   - With the proxy, the broker stores the client authentication in 
`originalAuthData` and `originalPrincipal`, and stores the proxy authentication 
in `authenticationData` and `authRole`.
   - Without the proxy, the broker stores the authentication in 
`authenticationData` and `authRole`.
   
   
   With the proxy, the broker only checks whether `originalAuthData` is 
expired. If true, the broker sends `AuthChallenge` to the client, then the 
client sends `CommandAuthResponse`.
   
   In the `handleAuthResponse` logic, the broker always stores the 
authentication in `authenticationData` and `authRole`, without considering the 
proxy case. When the authorization provider checks the role and authentication 
data, they are unmatched. This is incorrect behavior, so we need to distinguish 
whether there is a proxy and then store the authentication data and role 
correctly.
   
   More context: https://github.com/apache/pulsar/pull/18130
   
   ### Modifications
   
   - Fix storing the authentication in the `authChallengeSuccessCallback`
   - Override `newAuthState` in the `MockAuthenticationProvider` to 
refresh the role and datasource
   
   ### Verifying this change
   
   - [x] Make sure that the change passes the CI checks.
   
   Added `testRefreshOriginalPrincipalWithAuthDataForwardedFromProxy` test
   
   ### Documentation
   
   <!-- DO NOT REMOVE THIS SECTION. CHECK THE PROPER BOX ONLY. -->
   
   - [ ] `doc` <!-- Your PR contains doc changes. -->
   - [ ] `doc-required` <!-- Your PR changes impact docs and you will update 
later -->
   - [x] `doc-not-needed` <!-- Your PR changes do not impact docs -->
   - [ ] `doc-complete` <!-- Docs have been already added -->
   


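The storage behaviour described in the Motivation section, as an added example that is not part of the pull request and not Pulsar's own code: a minimal model of the four connection fields the description names, showing what the refresh path does to them with a proxy present. `AuthRefreshModel`, `ConnState`, `storeBuggy`, `storeFixed`, `consistent` and all sample values are hypothetical, and detecting the proxy by a non-null `originalPrincipal` is an assumption of the model.

```java
import java.util.Objects;

// Simplified model of the broker connection state named in the PR description.
// All class and method names are hypothetical; this is not Pulsar's implementation.
public class AuthRefreshModel {
    static class ConnState {
        String authRole;            // proxy role when proxied, otherwise client role
        String authenticationData;  // credentials that belong to authRole
        String originalPrincipal;   // client role forwarded by the proxy, null if direct
        String originalAuthData;    // client credentials forwarded by the proxy
        // Assumption of this model: a forwarded principal means a proxy is present.
        boolean proxied() { return originalPrincipal != null; }
    }

    // Behaviour described as incorrect: refreshed client data lands in the proxy slots.
    static void storeBuggy(ConnState c, String role, String data) {
        c.authRole = role;
        c.authenticationData = data;
    }

    // Behaviour the PR asks for: choose the slot pair by whether a proxy is present.
    static void storeFixed(ConnState c, String role, String data) {
        if (c.proxied()) {
            c.originalPrincipal = role;
            c.originalAuthData = data;
        } else {
            c.authRole = role;
            c.authenticationData = data;
        }
    }

    // What an authorization check relies on: proxy identity intact, client data fresh.
    static boolean consistent(ConnState c, String proxyRole, String freshData) {
        return Objects.equals(c.authRole, proxyRole) && Objects.equals(c.originalAuthData, freshData);
    }

    // Constructed sample: a proxied connection whose client credentials have expired.
    static ConnState proxiedConn() {
        ConnState c = new ConnState();
        c.authRole = "proxy-role";       c.authenticationData = "proxy-token";
        c.originalPrincipal = "client-a"; c.originalAuthData = "token-expired";
        return c;
    }

    public static void main(String[] args) {
        ConnState buggy = proxiedConn(), fixed = proxiedConn();
        storeBuggy(buggy, "client-a", "token-fresh");
        storeFixed(fixed, "client-a", "token-fresh");
        System.out.println("buggy consistent: " + consistent(buggy, "proxy-role", "token-fresh"));
        System.out.println("fixed consistent: " + consistent(fixed, "proxy-role", "token-fresh"));
    }
}
```

In the buggy path the proxy's role is replaced by the client's while `originalAuthData` still holds the expired credentials, which is the mismatch the authorization provider then sees.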