nodece opened a new pull request, #23842:
URL: https://github.com/apache/pulsar/pull/23842

   ### Motivation
   
   When using Pulsar admin version 2.10.x with JWT authentication and a broker 
running 3.0.x (forked from Apache Pulsar) configured with both Kerberos and JWT 
authentication providers, we encounter the following issue:
   
   ```
   ERROR org.apache.pulsar.broker.web.AuthenticationFilter - [172.19.0.17] Error performing authentication for HTTP
   2024-12-30 09:52:32 java.lang.IllegalStateException: Header token should exist if no role token.
   2024-12-30 09:52:32     at com.google.common.base.Preconditions.checkState(Preconditions.java:512) ~[com.google.guava-guava-32.1.1-jre.jar:?]
   2024-12-30 09:52:32     at org.apache.pulsar.broker.authentication.AuthenticationProviderSasl.authenticateHttpRequest(AuthenticationProviderSasl.java:275) ~[com.ascentstream.pulsar-pulsar-broker-auth-sasl-3.0.8.1.jar:3.0.8.1]
   2024-12-30 09:52:32     at org.apache.pulsar.broker.authentication.AuthenticationService.authenticateHttpRequest(AuthenticationService.java:133) ~[com.ascentstream.pulsar-pulsar-broker-common-3.0.8.1.jar:3.0.8.1]
   2024-12-30 09:52:32     at org.apache.pulsar.broker.web.AuthenticationFilter.doFilter(AuthenticationFilter.java:59) ~[com.ascentstream.pulsar-pulsar-broker-common-3.0.8.1.jar:3.0.8.1]
   2024-12-30 09:52:32     at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193) ~[org.eclipse.jetty-jetty-servlet-9.4.56.v20240826.jar:9.4.56.v20240826]
   2024-12-30 09:52:32     at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1626) ~[org.eclipse.jetty-jetty-servlet-9.4.56.v20240826.jar:9.4.56.v20240826]
   2024-12-30 09:52:32     at org.apache.pulsar.broker.intercept.BrokerInterceptor.onFilter(BrokerInterceptor.java:224) ~[com.ascentstream.pulsar-pulsar-broker-3.0.8.1.jar:3.0.8.1]
   2024-12-30 09:52:32     at org.apache.pulsar.broker.web.ProcessHandlerFilter.doFilter(ProcessHandlerFilter.java:46) ~[com.ascentstream.pulsar-pulsar-broker-3.0.8.1.jar:3.0.8.1]
   2024-12-30 09:52:32     at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193) ~[org.eclipse.jetty-jetty-servlet-9.4.56.v20240826.jar:9.4.56.v20240826]
   ```
   
   When a request does not include the authentication method name in the HTTP
header (https://github.com/apache/pulsar/pull/14044 improves that), the broker
iterates through each authentication provider to authenticate the request; if
the authentication data is valid, the broker acts on the request. In this
scenario, I ensured that the JWT provider was configured correctly and the token
was valid. However, I still encountered an authentication error.
   
   The root cause is that
`org.apache.pulsar.broker.authentication.AuthenticationService#authenticateHttpRequest(javax.servlet.http.HttpServletRequest, org.apache.pulsar.broker.authentication.AuthenticationDataSource)`
and
`org.apache.pulsar.broker.authentication.AuthenticationService#authenticateHttpRequest(javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse)`
only catch `AuthenticationException`; if one provider throws an exception of a
different type, the authentication process will be terminated.
   
   Related to https://github.com/apache/pulsar/pull/23797, which fixes the 
pulsar chain authentication, not HTTP authentication.
   
   ### Modifications
   
   - Use `LinkedHashMap` instead of `HashMap` for provider ordering.
   - Catch type `Exception`, which catches any exception.
   
   ### Documentation
   
   <!-- DO NOT REMOVE THIS SECTION. CHECK THE PROPER BOX ONLY. -->
   
   - [ ] `doc` <!-- Your PR contains doc changes. -->
   - [ ] `doc-required` <!-- Your PR changes impact docs and you will update 
later -->
   - [x] `doc-not-needed` <!-- Your PR changes do not impact docs -->
   - [ ] `doc-complete` <!-- Docs have been already added -->
   


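The failure mode described in the Motivation section, as an added example (not code from the pull request or from Pulsar): a simplified provider chain in which an unchecked exception from the first provider aborts authentication before a valid token is tried, next to the catch-all variant that continues and still denies when every provider fails. The `Provider` interface, the stand-in `AuthenticationException`, the header name `X-Example-Sasl-Token` and the token values are constructed for illustration.

```java
import java.util.LinkedHashMap;
import java.util.Map;
public class ProviderChainDemo {
    // Simplified stand-in for the broker's checked authentication exception.
    static class AuthenticationException extends Exception { AuthenticationException(String m) { super(m); } }
    interface Provider { String authenticate(Map<String, String> headers) throws AuthenticationException; }

    // Constructed SASL-like provider: a precondition fails with an unchecked exception on a JWT-only request.
    static final Provider SASL = h -> {
        if (!h.containsKey("X-Example-Sasl-Token")) {
            throw new IllegalStateException("Header token should exist if no role token.");
        }
        return "sasl-role";
    };

    // Constructed JWT-like provider: accepts exactly one placeholder token.
    static final Provider JWT = h -> {
        if (!"Bearer constructed-valid-token".equals(h.get("Authorization"))) {
            throw new AuthenticationException("invalid token");
        }
        return "jwt-role";
    };

    static String authenticate(Map<String, Provider> chain, Map<String, String> headers,
                               boolean catchAll) throws AuthenticationException {
        for (Map.Entry<String, Provider> e : chain.entrySet()) {
            try {
                return e.getValue().authenticate(headers);   // first success wins
            } catch (AuthenticationException ex) {
                // expected rejection: fall through to the next provider
            } catch (RuntimeException ex) {
                if (!catchAll) throw ex;                      // narrow catch: the chain aborts here
            }
        }
        throw new AuthenticationException("Authentication required"); // fail closed
    }

    public static void main(String[] args) throws Exception {
        Map<String, Provider> chain = new LinkedHashMap<>();  // insertion order = evaluation order
        chain.put("sasl", SASL);
        chain.put("token", JWT);
        Map<String, String> good = Map.of("Authorization", "Bearer constructed-valid-token");
        try { authenticate(chain, good, false); }
        catch (IllegalStateException ex) { System.out.println("narrow: aborted: " + ex.getMessage()); }
        System.out.println("broad: role=" + authenticate(chain, good, true));
        try { authenticate(chain, Map.of("Authorization", "Bearer wrong"), true); }
        catch (AuthenticationException ex) { System.out.println("broad, bad token: denied: " + ex.getMessage()); }
    }
}
```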