[Authenticate] fix Invalid signature error when use Kerberos Authentication

[liudezhi2098]

Motivation

When use Kerberos authentication , using Pulsar Admin to query topic state, will appear HTTP 401 Unauthorized, becasue
request redirect url will use current SaslRoleToken ，but redirect broker not recognized the token, per broker secret is not same.

WARN  org.apache.pulsar.broker.web.AuthenticationFilter - [10.3.0.4] Failed to authenticate HTTP request: Invalid signature

per broker secret is Random

protected String computeSignature(String str) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-512");

            md.update(str.getBytes());

            md.update(secret);
            byte[] digest = md.digest();
            return new Base64(0).encodeToString(digest);
        } catch (NoSuchAlgorithmException ex) {
            throw new RuntimeException("It should not happen, " + ex.getMessage(), ex);
        }
    }

Modifications

secret can configuration
this.signer = new SaslRoleTokenSigner(config.getSaslJaasServerRoleTokenSignerSecret().getBytes());

Does this pull request potentially affect one of the following parts:

If yes was chosen, please highlight the changes

• Dependencies (does it add or upgrade a dependency): (yes / no)
• The public API: (no)
• The schema: (no )
• The default values of configurations: (yes)
• The wire protocol: (no)
• The rest endpoints: (no)
• The admin cli options: ( no)
• Anything that affects deployment: (no)

Documentation

Need to update docs?

• doc

[github-actions]

@liudezhi2098:Thanks for your contribution. For this PR, do we need to update docs?
(The PR template contains info about doc, which helps others know more about the changes. Can you provide doc-related info in this and future PR descriptions? Thanks)

[liudezhi2098]

/pulsarbot run-failure-checks

[Anonymitaet]

@liudezhi2098 I see you label this PR w/ doc but seems that there is no doc update in this PR?

[liudezhi2098]

@liudezhi2098 I see you label this PR w/ doc but seems that there is no doc update in this PR?

Wait for this pr to approved, I will submit another pr.

[Anonymitaet]

@liudezhi2098 I see you label this PR w/ doc but seems that there is no doc update in this PR?

Wait for this pr to approved, I will submit another pr.

so this PR should be labeled w/ doc-required.

[Anonymitaet]

@momo-jun a soft reminder: here is a PR w/ doc-required label, could u pls follow up? Thanks

[liudezhi2098]

@codelipenghui @jiazhai PTAL

[momo-jun]

@liudezhi2098 feel free to ping me when you need review or any help on the follow-up doc PR.

[liudezhi2098]

@liudezhi2098 feel free to ping me when you need review or any help on the follow-up doc PR.
👌

[liudezhi2098]

/pulsarbot run-failure-checks

[eolivelli]

Having a constant secret looks like a security hole to me.

Can you please explain more?

@michaeljmarshall PTAL

[liudezhi2098]

Having a constant secret looks like a security hole to me.

Can you please explain more?

@eolivelli becasue DefaultAsyncHttpClient will automatic request redirect url , and use current SaslRoleToken, there is currently no place to modify, so requesting to another broker, the saslRoleTokenSigner check failed.
If you use rest api, it will also cause this problem, having a constant secret , there will be certain security risks, but the key is stored on the broker side, and the client side does get.
eg :

DefaultAsyncHttpClientConfig.Builder confBuilder = new DefaultAsyncHttpClientConfig.Builder();
confBuilder.setFollowRedirect(true);

[liudezhi2098]

@eolivelli @lhotari thank you very much , PTAL.

[eolivelli]

LGTM

[liudezhi2098]

/pulsarbot run-failure-checks