Description
Search before reporting
- I searched in the issues and found nothing similar.
Motivation
Currently, if you use Pulsar proxies, then to properly support JWT authentication and client disconnects after token expiry, you must enable authenticateOriginalAuthData on the brokers.
If it is disabled, connected clients with expired tokens can still produce/consume on topics, as discussed in issue #25062.
However, authenticateOriginalAuthData is not supported by authentication methods like AuthenticationProviderTLS, because the proxy re-encrypts the TLS connection; authenticating the original principal therefore always yields the proxy identity, which is not useful when authorizing.
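To make the failure mode concrete, here is an added, simplified model of the broker-side decision (example code written for this issue, not Pulsar's implementation): the secret, the `PROXY_ROLES` set, the "only alice may access the topic" rule and the exact internal flow are all assumptions, but it shows why a forwarded principal that is never re-validated keeps an expired-token client authorized.

```python
# Added example (not Pulsar's code): a simplified model of the broker-side
# decision for a proxied connection. The broker receives the proxy's own role,
# the forwarded original principal and the forwarded original auth data (a JWT).
# With authenticateOriginalAuthData disabled it trusts the forwarded principal
# string and never re-checks the token's expiry. Secret and roles are constructed.
import base64
import hashlib
import hmac
import json

SECRET = b"constructed-example-secret"  # stand-in for the broker's token key
PROXY_ROLES = {"proxy"}                  # roles the broker trusts to forward auth data


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(subject: str, exp: int) -> str:
    """Build a compact HS256 JWT carrying a 'sub' and an 'exp' claim."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"sub": subject, "exp": exp}).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def authenticate_token(token: str, now: int):
    """Return the subject if signature and expiry check out, otherwise None."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig)):
        return None
    claims = json.loads(_unb64url(payload))
    if claims.get("exp", 0) <= now:
        return None  # expired: this client must not keep producing/consuming
    return claims.get("sub")


def broker_authorizes(proxy_role: str, original_principal: str, original_auth_data: str,
                      authenticate_original_auth_data: bool, now: int) -> bool:
    """Which principal the broker authorizes, depending on the broker setting."""
    if proxy_role not in PROXY_ROLES:
        return False  # only a trusted proxy may forward original credentials
    if authenticate_original_auth_data:
        principal = authenticate_token(original_auth_data, now)  # re-validates exp
    else:
        principal = original_principal  # forwarded string, never re-validated
    return principal == "alice"  # assumed rule: only alice may use this topic
```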
Solution
- AuthenticateOriginalAuthData can be made a property of the AuthenticationProvider itself. With JWTs the original auth data must be authenticated, as otherwise connections will be kept open after token expiry. Therefore, it makes sense to include the property on the provider itself.
- Terminate connections on the proxy if a token expires: I am not familiar with all the intricacies of how the proxy closes connections, but I do know that the proxy does send a Disconnect to the client when it asserts the token to have expired. Therefore, if we can add a hook to the disconnect command to close all proxied connections, we can get rid of authenticateOriginalAuthData completely.
Alternatives
No response
Anything else?
I am willing to work on this; however, if solution 2 is possible, I would like a bit of help understanding the logic behind the proxy connections.
Are you willing to submit a PR?
- I'm willing to submit a PR!