Avoid AuthenticationDataSource mutation for subscription name #16065
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
merlimat
added
type/bug
nodece
approved these changes
Jun 15, 2022
BewareMyPower
approved these changes
Jun 15, 2022
michaeljmarshall
approved these changes
Jun 15, 2022
codelipenghui
approved these changes
Jun 15, 2022
codelipenghui
pushed a commit
that referenced
this pull request
Jun 15, 2022
The `authenticationData` field in `ServerCnx` is being mutated to add the `subscription` field that will be passed on to the authorization plugin. The problem is that `authenticationData` is scoped to the whole connection and it should be getting mutated for each consumer that is created on the connection. The current code leads to a race condition where the subscription name used in the authz plugin is already modified while we're looking at it. Instead, we should create a new object and enforce the final modifier. (cherry picked from commit e6b12c6)
codelipenghui
pushed a commit
that referenced
this pull request
Jun 15, 2022
The `authenticationData` field in `ServerCnx` is being mutated to add the `subscription` field that will be passed on to the authorization plugin. The problem is that `authenticationData` is scoped to the whole connection and it should be getting mutated for each consumer that is created on the connection. The current code leads to a race condition where the subscription name used in the authz plugin is already modified while we're looking at it. Instead, we should create a new object and enforce the final modifier. (cherry picked from commit e6b12c6)
codelipenghui
pushed a commit
that referenced
this pull request
Jun 15, 2022
The `authenticationData` field in `ServerCnx` is being mutated to add the `subscription` field that will be passed on to the authorization plugin. The problem is that `authenticationData` is scoped to the whole connection and it should be getting mutated for each consumer that is created on the connection. The current code leads to a race condition where the subscription name used in the authz plugin is already modified while we're looking at it. Instead, we should create a new object and enforce the final modifier. (cherry picked from commit e6b12c6)
codelipenghui
pushed a commit
that referenced
this pull request
Jun 15, 2022
### Motivation The `authenticationData` field in `ServerCnx` is being mutated to add the `subscription` field that will be passed on to the authorization plugin. The problem is that `authenticationData` is scoped to the whole connection and it should be getting mutated for each consumer that is created on the connection. The current code leads to a race condition where the subscription name used in the authz plugin is already modified while we're looking at it. Instead, we should create a new object and enforce the final modifier. (cherry picked from commit e6b12c6)
codelipenghui
added
cherry-picked/branch-2.7
2 tasks
codelipenghui
pushed a commit
that referenced
this pull request
Jun 28, 2022
### Motivation #16065 fixes the race condition issue, but introduces a new issue. This issue is triggered when the Proxy and Broker work together, when we use the proxy to request the broker to do lookup/subscribe/produce operation, the broker always uses the original authentication data for authorization, not proxy authentication data, which causes this issue. ### Modification - Fix passing authentication data, differentiate between original auth data and connected auth data by avoid to use the `getAuthenticationData()`, this method name is easy to cause confusion and can not correctly get the authentication data
codelipenghui
pushed a commit
that referenced
this pull request
Jun 28, 2022
### Motivation #16065 fixes the race condition issue, but introduces a new issue. This issue is triggered when the Proxy and Broker work together, when we use the proxy to request the broker to do lookup/subscribe/produce operation, the broker always uses the original authentication data for authorization, not proxy authentication data, which causes this issue. ### Modification - Fix passing authentication data, differentiate between original auth data and connected auth data by avoid to use the `getAuthenticationData()`, this method name is easy to cause confusion and can not correctly get the authentication data (cherry picked from commit 936bbbc)
nodece
added a commit
to nodece/pulsar
that referenced
this pull request
Jun 29, 2022
### Motivation apache#16065 fixes the race condition issue, but introduces a new issue. This issue is triggered when the Proxy and Broker work together, when we use the proxy to request the broker to do lookup/subscribe/produce operation, the broker always uses the original authentication data for authorization, not proxy authentication data, which causes this issue. ### Modification - Fix passing authentication data, differentiate between original auth data and connected auth data by avoid to use the `getAuthenticationData()`, this method name is easy to cause confusion and can not correctly get the authentication data (cherry picked from commit 936bbbc) Signed-off-by: Zixuan Liu <nodeces@gmail.com>
nicoloboschi
pushed a commit
to datastax/pulsar
that referenced
this pull request
Jul 4, 2022
…#16065) ### Motivation The `authenticationData` field in `ServerCnx` is being mutated to add the `subscription` field that will be passed on to the authorization plugin. The problem is that `authenticationData` is scoped to the whole connection and it should be getting mutated for each consumer that is created on the connection. The current code leads to a race condition where the subscription name used in the authz plugin is already modified while we're looking at it. Instead, we should create a new object and enforce the final modifier. (cherry picked from commit e6b12c6) (cherry picked from commit 5cc3649)
nicoloboschi
pushed a commit
to datastax/pulsar
that referenced
this pull request
Jul 4, 2022
### Motivation apache#16065 fixes the race condition issue, but introduces a new issue. This issue is triggered when the Proxy and Broker work together, when we use the proxy to request the broker to do lookup/subscribe/produce operation, the broker always uses the original authentication data for authorization, not proxy authentication data, which causes this issue. ### Modification - Fix passing authentication data, differentiate between original auth data and connected auth data by avoid to use the `getAuthenticationData()`, this method name is easy to cause confusion and can not correctly get the authentication data (cherry picked from commit 936bbbc) (cherry picked from commit adf5ce7)
nodece
added a commit
to nodece/pulsar
that referenced
this pull request
Jul 5, 2022
### Motivation apache#16065 fixes the race condition issue, but introduces a new issue. This issue is triggered when the Proxy and Broker work together, when we use the proxy to request the broker to do lookup/subscribe/produce operation, the broker always uses the original authentication data for authorization, not proxy authentication data, which causes this issue. ### Modification - Fix passing authentication data, differentiate between original auth data and connected auth data by avoid to use the `getAuthenticationData()`, this method name is easy to cause confusion and can not correctly get the authentication data (cherry picked from commit 936bbbc) Signed-off-by: Zixuan Liu <nodeces@gmail.com>
Technoboy-
pushed a commit
that referenced
this pull request
Jul 5, 2022
) ### Motivation #16065 fixes the race condition issue, but introduces a new issue. This issue is triggered when the Proxy and Broker work together, when we use the proxy to request the broker to do lookup/subscribe/produce operation, the broker always uses the original authentication data for authorization, not proxy authentication data, which causes this issue. ### Modification - Fix passing authentication data, differentiate between original auth data and connected auth data by avoid to use the `getAuthenticationData()`, this method name is easy to cause confusion and can not correctly get the authentication data (cherry picked from commit 936bbbc) Signed-off-by: Zixuan Liu <nodeces@gmail.com>
nicoloboschi
pushed a commit
to datastax/pulsar
that referenced
this pull request
Jul 5, 2022
…#16065) The `authenticationData` field in `ServerCnx` is being mutated to add the `subscription` field that will be passed on to the authorization plugin. The problem is that `authenticationData` is scoped to the whole connection and it should be getting mutated for each consumer that is created on the connection. The current code leads to a race condition where the subscription name used in the authz plugin is already modified while we're looking at it. Instead, we should create a new object and enforce the final modifier. (cherry picked from commit e6b12c6) (cherry picked from commit 88b51b1)
nodece
added a commit
to nodece/pulsar
that referenced
this pull request
Jul 28, 2022
### Motivation apache#16065 fixes the race condition issue, but introduces a new issue. This issue is triggered when the Proxy and Broker work together, when we use the proxy to request the broker to do lookup/subscribe/produce operation, the broker always uses the original authentication data for authorization, not proxy authentication data, which causes this issue. ### Modification - Fix passing authentication data, differentiate between original auth data and connected auth data by avoid to use the `getAuthenticationData()`, this method name is easy to cause confusion and can not correctly get the authentication data (cherry picked from commit 936bbbc) Signed-off-by: Zixuan Liu <nodeces@gmail.com>
4 tasks
nodece
added a commit
to nodece/pulsar
that referenced
this pull request
Jul 29, 2022
### Motivation apache#16065 fixes the race condition issue, but introduces a new issue. This issue is triggered when the Proxy and Broker work together, when we use the proxy to request the broker to do lookup/subscribe/produce operation, the broker always uses the original authentication data for authorization, not proxy authentication data, which causes this issue. ### Modification - Fix passing authentication data, differentiate between original auth data and connected auth data by avoid to use the `getAuthenticationData()`, this method name is easy to cause confusion and can not correctly get the authentication data (cherry picked from commit 936bbbc) Signed-off-by: Zixuan Liu <nodeces@gmail.com>
nodece
added a commit
to nodece/pulsar
that referenced
this pull request
Aug 1, 2022
### Motivation apache#16065 fixes the race condition issue, but introduces a new issue. This issue is triggered when the Proxy and Broker work together, when we use the proxy to request the broker to do lookup/subscribe/produce operation, the broker always uses the original authentication data for authorization, not proxy authentication data, which causes this issue. ### Modification - Fix passing authentication data, differentiate between original auth data and connected auth data by avoid to use the `getAuthenticationData()`, this method name is easy to cause confusion and can not correctly get the authentication data (cherry picked from commit 936bbbc) Signed-off-by: Zixuan Liu <nodeces@gmail.com>
BewareMyPower
pushed a commit
that referenced
this pull request
Aug 2, 2022
) ### Motivation #16065 fixes the race condition issue, but introduces a new issue. This issue is triggered when the Proxy and Broker work together, when we use the proxy to request the broker to do lookup/subscribe/produce operation, the broker always uses the original authentication data for authorization, not proxy authentication data, which causes this issue. ### Modification - Fix passing authentication data, differentiate between original auth data and connected auth data by avoid to use the `getAuthenticationData()`, this method name is easy to cause confusion and can not correctly get the authentication data (cherry picked from commit 936bbbc) Signed-off-by: Zixuan Liu <nodeces@gmail.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Motivation
The
authenticationDatafield inServerCnxis being mutated to add thesubscriptionfield that will be passed on to the authorization plugin. The problem is thatauthenticationDatais scoped to the whole connection and it should be getting mutated for each consumer that is created on the connection.The current code leads to a race condition where the subscription name used in the authz plugin is already modified while we're looking at it. Instead, we should create a new object and enforce the final modifier.