massakam opened a new pull request #7311:
URL: https://github.com/apache/pulsar/pull/7311


   ### Motivation
   
   The authentication plugin for Athenz allows users to change the name of the HTTP header for sending an authentication token to a broker server with a parameter named `roleHeader`.
   
   `AuthenticationAthenz` sets the value of `roleHeader` to the system property `athenz.auth.role.header`.
   
https://github.com/apache/pulsar/blob/12a5001cbbb205ba7811317eeb02f40912e45b56/pulsar-client-auth-athenz/src/main/java/org/apache/pulsar/client/impl/auth/AuthenticationAthenz.java#L151-L153
   
   The Athenz class `ZTSClient` gets the header name from the system property and sets it in a static field. If no value is set in the system property, the default value is "Athenz-Role-Auth".
   
https://github.com/yahoo/athenz/blob/62350364e0b3ffecbca13d5c74a5d5d4c7b0df01/clients/java/zts/core/src/main/java/com/yahoo/athenz/zts/ZTSClient.java#L157-L158
   
   `ZTSClient.getHeader()` returns the value of this static field, and the Pulsar client uses this returned value as the header name.
   
https://github.com/apache/pulsar/blob/12a5001cbbb205ba7811317eeb02f40912e45b56/pulsar-client-auth-athenz/src/main/java/org/apache/pulsar/client/impl/auth/AuthenticationAthenz.java#L83
   
   Now, if `ZTSClient` is used before the `AuthenticationAthenz` instance is initialized, the problem arises. In this case, `ZTSClient` sets the default value in the static field before `AuthenticationAthenz` sets the header name in the system property. Therefore, the default header name "Athenz-Role-Auth" is always used.
   
   This can be reproduced with test code like this:
   ```java
   import com.yahoo.athenz.zts.ZTSClient;
   import org.apache.pulsar.client.impl.auth.AuthenticationAthenz;
   
   // Touch ZTSClient first so its static initializer runs (and reads the
   // header-name system property, still unset) before AuthenticationAthenz sets it
   System.setProperty("athenz.athenz_conf", "/path/to/athenz.conf");
   ZTSClient.getHeader();
   
   // Configure the plugin with a custom roleHeader after ZTSClient is already loaded
   AuthenticationAthenz auth = new AuthenticationAthenz();
   auth.configure("{\"roleHeader\": \"Test-Role-Header\", ... }");
   
   System.out.println("expected: Test-Role-Header");
   System.out.println("actual:   " + auth.getAuthData().getHttpHeaders().iterator().next().getKey());
   ```
   Execution result:
   ```
   expected: Test-Role-Header
   actual:   Athenz-Role-Auth
   ```
   
   ### Modifications
   
   Hold the value of the `roleHeader` parameter on the `AuthenticationAthenz` side, and use it directly as the header name.


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
[email protected]
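The class-initialization ordering behind this bug, as an added stand-alone example that is not part of the pull request and does not use the Pulsar or Athenz libraries. `StaticHeaderClient`, `PropertyBasedAuth`, `InstanceBasedAuth` and the property name `demo.role.header` are hypothetical stand-ins chosen for this illustration: the first mirrors a `ZTSClient`-style class that reads a system property into a static field once, the second mirrors the pre-fix plugin that sets the property and then asks the client for the header, and the third mirrors the fix of holding the configured value in the instance.

```java
import java.util.Map;

// Hypothetical stand-in for ZTSClient: the header name is read from a system
// property exactly once, when the JVM initializes this class, into a static field.
// Any later change to the property is never seen by this class.
final class StaticHeaderClient {
    static final String DEFAULT_HEADER = "Athenz-Role-Auth";

    // Not a compile-time constant, so it is evaluated in the static initializer.
    private static final String HEADER =
            System.getProperty("demo.role.header", DEFAULT_HEADER);

    static String getHeader() {
        return HEADER;
    }
}

// Pre-fix pattern: publish the configured name through a system property and
// rely on the client to pick it up. Works only if configure() runs before the
// first use of StaticHeaderClient.
final class PropertyBasedAuth {
    void configure(String roleHeader) {
        System.setProperty("demo.role.header", roleHeader);
    }

    Map<String, String> httpHeaders(String token) {
        return Map.of(StaticHeaderClient.getHeader(), token);
    }
}

// Fixed pattern: keep the configured name in the instance and use it directly,
// so the result does not depend on when any other class was initialized.
final class InstanceBasedAuth {
    private String roleHeader = StaticHeaderClient.DEFAULT_HEADER;

    void configure(String roleHeader) {
        this.roleHeader = roleHeader;
    }

    Map<String, String> httpHeaders(String token) {
        return Map.of(roleHeader, token);
    }
}

public class HeaderInitOrderDemo {
    static String firstHeaderName(Map<String, String> headers) {
        return headers.keySet().iterator().next();
    }

    public static void main(String[] args) {
        // Use the client before anything has configured it: its static
        // initializer runs now, with the property unset, and latches the default.
        System.out.println("client default: " + StaticHeaderClient.getHeader());

        PropertyBasedAuth buggy = new PropertyBasedAuth();
        buggy.configure("Test-Role-Header");
        System.out.println("property-based: " + firstHeaderName(buggy.httpHeaders("token")));

        InstanceBasedAuth fixed = new InstanceBasedAuth();
        fixed.configure("Test-Role-Header");
        System.out.println("instance-based: " + firstHeaderName(fixed.httpHeaders("token")));
    }
}
```

Compile and run it as `HeaderInitOrderDemo.java` (Java 9 or later for `Map.of`). The property-based path still reports the client's default name even though `configure` ran, while the instance-based path reports the configured name; moving the `StaticHeaderClient.getHeader()` call to after `buggy.configure(...)` makes the property-based path appear to work, which is exactly why the bug only shows up when `ZTSClient` has been used earlier in the same JVM.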
