From commits-return-23312-archive-asf-public=cust-asf.ponee.io@pulsar.apache.org Thu Feb 28 11:53:44 2019 Return-Path: X-Original-To: archive-asf-public@cust-asf.ponee.io Delivered-To: archive-asf-public@cust-asf.ponee.io Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by mx-eu-01.ponee.io (Postfix) with SMTP id B5B1D180676 for ; Thu, 28 Feb 2019 12:53:43 +0100 (CET) Received: (qmail 63721 invoked by uid 500); 28 Feb 2019 11:53:42 -0000 Mailing-List: contact commits-help@pulsar.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@pulsar.apache.org Delivered-To: mailing list commits@pulsar.apache.org Received: (qmail 63702 invoked by uid 99); 28 Feb 2019 11:53:42 -0000 Received: from ec2-52-202-80-70.compute-1.amazonaws.com (HELO gitbox.apache.org) (52.202.80.70) by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 28 Feb 2019 11:53:42 +0000 From: GitBox To: commits@pulsar.apache.org Subject: [GitHub] jiazhai commented on a change in pull request #3677: PIP-30: interface and mutual change authentication Message-ID: <155135482212.8443.6233323336474266446.gitbox@gitbox.apache.org> Date: Thu, 28 Feb 2019 11:53:42 -0000 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit jiazhai commented on a change in pull request #3677: PIP-30: interface and mutual change authentication URL: https://github.com/apache/pulsar/pull/3677#discussion_r261161262 ########## File path: pulsar-broker/src/main/java/org/apache/pulsar/broker/service/ServerCnx.java ########## @@ -446,52 +454,98 @@ private String getOriginalPrincipal(String originalAuthData, String originalAuth return originalPrincipal; } + // called in handleConnect method below. + private void completeConnect(CommandConnect connect) { + ctx.writeAndFlush(Commands.newConnected(connect.getProtocolVersion())); + state = State.Connected; + remoteEndpointProtocolVersion = connect.getProtocolVersion(); + String version = connect.hasClientVersion() ? connect.getClientVersion() : null; + if (isNotBlank(version) && !version.contains(" ") /* ignore default version: pulsar client */) { + this.clientVersion = version.intern(); + } + } + @Override protected void handleConnect(CommandConnect connect) { - checkArgument(state == State.Start); - if (service.isAuthenticationEnabled()) { - try { - String authMethod = "none"; + checkArgument(state == State.Start || state == State.Connecting); + + if (log.isDebugEnabled()) { + log.debug("Received CONNECT from {}, auth enabled: {}", + remoteAddress, service.isAuthenticationEnabled()); + } + + if (!service.isAuthenticationEnabled()) { + completeConnect(connect); + return; + } + + try { + AuthData clientData = AuthData.of(connect.getAuthData().toByteArray()); + + // init authentication + if (state == State.Start) { if (connect.hasAuthMethodName()) { authMethod = connect.getAuthMethodName(); } else if (connect.hasAuthMethod()) { // Legacy client is passing enum authMethod = connect.getAuthMethod().name().substring(10).toLowerCase(); + } else { + authMethod = "none"; + } + + authenticationProvider = getBrokerService() + .getAuthenticationService() + .getAuthenticationProvider(authMethod); + + // Not find provider named authMethod. Most used for tests. + // In AuthenticationDisabled, it will set authMethod "none". + if (authenticationProvider == null) { + authRole = getBrokerService().getAuthenticationService().getAnonymousUserRole(); + completeConnect(connect); + return; } - String authData = connect.getAuthData().toStringUtf8(); + // init authState and other var ChannelHandler sslHandler = ctx.channel().pipeline().get(PulsarChannelInitializer.TLS_HANDLER); SSLSession sslSession = null; if (sslHandler != null) { sslSession = ((SslHandler) sslHandler).engine().getSession(); } originalPrincipal = getOriginalPrincipal( - connect.hasOriginalAuthData() ? connect.getOriginalAuthData() : null, - connect.hasOriginalAuthMethod() ? connect.getOriginalAuthMethod() : null, - connect.hasOriginalPrincipal() ? connect.getOriginalPrincipal() : null, - sslSession); - authenticationData = new AuthenticationDataCommand(authData, remoteAddress, sslSession); - authRole = getBrokerService().getAuthenticationService() - .authenticate(authenticationData, authMethod); - - log.info("[{}] Client successfully authenticated with {} role {} and originalPrincipal {}", remoteAddress, authMethod, authRole, originalPrincipal); - } catch (AuthenticationException e) { - String msg = "Unable to authenticate"; - log.warn("[{}] {}: {}", remoteAddress, msg, e.getMessage()); - ctx.writeAndFlush(Commands.newError(-1, ServerError.AuthenticationError, msg)); - close(); + connect.hasOriginalAuthData() ? connect.getOriginalAuthData() : null, + connect.hasOriginalAuthMethod() ? connect.getOriginalAuthMethod() : null, + connect.hasOriginalPrincipal() ? connect.getOriginalPrincipal() : null, + sslSession); + + authenticationData = authenticationProvider.getAuthDataSource(clientData, remoteAddress, sslSession); + authState = authenticationProvider.newAuthState(authenticationData); + } + + AuthData brokerData = authState.authenticate(clientData); Review comment: Thanks, @ivankelly , isComplete() is more like a method in authState, will add it in authState. ---------------------------------------------------------------- This is an automated message from the Apache Git Service. To respond to the message, please log on GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: users@infra.apache.org With regards, Apache Git Services