ivankelly commented on a change in pull request #6074: PIP-55: Refresh
Authentication Credentials
URL: https://github.com/apache/pulsar/pull/6074#discussion_r369982426
##########
File path:
pulsar-broker/src/main/java/org/apache/pulsar/broker/service/ServerCnx.java
##########
@@ -476,19 +473,42 @@ private void completeConnect(int clientProtoVersion,
String clientVersion) {
}
// According to auth result, send newConnected or newAuthChallenge command.
- private void doAuthentication(AuthData clientData,
- int clientProtocolVersion,
- String clientVersion) throws Exception {
+ private State doAuthentication(AuthData clientData,
+ int clientProtocolVersion,
+ String clientVersion) throws Exception {
+
+ // The original auth state can only be set on subsequent auth attempts
(and only
+ // in presence of a proxy and if the proxy is forwarding the
credentials).
+ // In this case, the re-validation needs to be done against the
original client
+ // credentials.
+ boolean useOriginalAuthState = (originalAuthState != null);
+ AuthenticationState authState = useOriginalAuthState ?
originalAuthState : this.authState;
+ String authRole = useOriginalAuthState ? originalPrincipal :
this.authRole;
AuthData brokerData = authState.authenticate(clientData);
+
// authentication has completed, will send newConnected command.
Review comment:
This comment is now wrong. I think the flow should change a little here, to
only call completeConnect if it's the initial auth. There seems to be enough
difference in the flows to have them completely separate.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
[email protected]
With regards,
Apache Git Services
