Split internal client escalation from Authenticator interface#5073
Split internal client escalation from Authenticator interface#5073jon-wei merged 3 commits intoapache:masterfrom
Conversation
|
@jon-wei there's a conflict here now. |
|
I would like to get this into 0.11.0 as well, this isn't a "bug" but I think authenticator extension implementers are likely to run into similar circular dependency issues if they have intra-cluster communication requirements during authenticator initialization, and it would nice to have that addressed in the initial interface release |
|
@gianm fixed conflict |
| final AuthConfig authConfig, | ||
| final AuthorizerMapper authorizerMapper, | ||
| final AuthenticatorMapper authenticatorMapper | ||
| final Escalator escalator |
There was a problem hiding this comment.
It's cool that what's needed here got more fine grained.
|
|
||
| for (String authenticator : authenticators) { | ||
| String typeProperty = StringUtils.format("druid.auth.authenticator.%s.type", authenticator); | ||
| if (escalatorType.equals(properties.getProperty(typeProperty))) { |
There was a problem hiding this comment.
why is it required that escalatorType must match one of the Authenticator types ? Also, does this mean Escalator impls and Authenticator impls must have same json type names ?
There was a problem hiding this comment.
Actually, I think this is a good question -- do we really need to require that escalators match up with an authenticator?
I think there's no reason they should need to match exactly. It's plausible that an escalator doesn't line up totally with an authenticator. Imagine that the authenticator is a standard RBAC authenticator, and the escalator is some custom extension that pulls the internal user password from somewhere more secure than a config file.
There was a problem hiding this comment.
Whatever authentication scheme an Escalator uses, it has to be supported by some Authenticator that's configured, so I impose that type matching restriction to conceptually link the implementations.
It could function without that restriction, but I don't see much reason to have them differ.
This does mean they must have the same JSON type names, I have a section in the doc that calls out this requirement:
The Escalator chosen for this property must have the same type as an Authenticator in `druid.auth.authenticationChain. Authenticator extension implementors must also provide a corresponding Escalator implementation with the same type name if they intend to use a particular authentication scheme for internal Druid communications.
There was a problem hiding this comment.
I see, so technically its not necessary but you're imposing the restriction so that user thinks about Escalator and Authenticator impl together.
I think it would help extension writers if we put some comment on both Authenticator and Escalator interfaces that implementers must ensure that both Escalator and Authenticator implementations must have exactly same json type name. Its easy to miss from that line in the doc alone. thanks.
There was a problem hiding this comment.
@gianm how did your comment do the time travel ? (it shows up as 2nd comment wherease it should be 4th comment)
There was a problem hiding this comment.
@himanshug @gianm I removed the type matching enforcement
| * getEscalatedClient() method. | ||
| */ | ||
| public class AuthenticatorHttpClientWrapper | ||
| public class AllowAllEscalator implements Escalator |
There was a problem hiding this comment.
this is more of "NoopEscalator" , but I think it is named that way to match name with corresponding Authenticator impl used on the target server.
There was a problem hiding this comment.
renamed this to "NoopEscalator"
| { | ||
| String escalatorType = properties.getProperty("druid.escalator.type"); | ||
| if (escalatorType == null) { | ||
| escalatorType = "allowAll"; |
There was a problem hiding this comment.
This should be a constant (static final somewhere) and ideally all instances of the string "allowAll" would reference that.
There was a problem hiding this comment.
Made "allowAll" a constant under AuthConfig
|
|
||
| for (String authenticator : authenticators) { | ||
| String typeProperty = StringUtils.format("druid.auth.authenticator.%s.type", authenticator); | ||
| if (escalatorType.equals(properties.getProperty(typeProperty))) { |
There was a problem hiding this comment.
Actually, I think this is a good question -- do we really need to require that escalators match up with an authenticator?
I think there's no reason they should need to match exactly. It's plausible that an escalator doesn't line up totally with an authenticator. Imagine that the authenticator is a standard RBAC authenticator, and the escalator is some custom extension that pulls the internal user password from somewhere more secure than a config file.
|
👍 once #5073 (comment) is resolved . |
| |--------|-----------|--------|--------|--------| | ||
| |`druid.auth.authenticationChain`|JSON List of Strings|List of Authenticator type names|["allowAll"]|no| | ||
| |`druid.escalator.type`|String|Type of the Escalator that should be used for internal Druid communications. This Escalator must have the same type as an Authenticator in `druid.auth.authenticationChain`.|"allowAll"|no| | ||
| |`druid.escalator.type`|String|Type of the Escalator that should be used for internal Druid communications. This Escalator must have the same type as an Authenticator in `druid.auth.authenticationChain`.|"noop"|no| |
There was a problem hiding this comment.
"This Escalator..." line is not correct anymore.
…#5073) * Split internal client escalation from Authenticator interface * PR comments
3 participants
While developing an extension for basic HTTP authentication, I encountered the following problem:
The Authenticator implementation needed to communicate with the coordinator during initialization, grabbing data from an HTTP endpoint, using a DruidLeaderClient. This led to circular dependency issues as the DruidLeaderClient needs an escalated HTTP client created by an Authenticator to successfully authenticate with the coordinator.
This PR splits the "send requests with privileged internal system user credentials" functionality out of the Authenticator interface into a new Escalator interface, to help avoid circular dependency issues when Authenticator extension implementations need to communicate with Druid cluster nodes.