[ 
https://issues.apache.org/jira/browse/BOOKKEEPER-959?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15676071#comment-15676071
 ] 

Enrico Olivelli commented on BOOKKEEPER-959:
--------------------------------------------

I have updated the PR, this is the full list of changes:
- a breaking change to the Auth Plugin API (which used Protobuf shaded 
dependency and so it was not usable by developers of third party plugins)
- a breaking change to the protocol (this change affects only users of auth 
plugin of 4.4.0)
- introduction of BookKeeperPrincipal, which represents the user bound to the 
connection
- introduction of ClientSideConnectionPeer and BookieSideConnectionPeer, which 
are handles to the connection; these classes allow AuthPlugins (and in the 
future new kinds of plugins) to access principals bound to the connection, the 
remote address of the connected peer and also allow plugins to drop the 
connection
- introduction of ClientConfiguration#CLIENT_ROLE configuration property
- the move of ClientConfiguration#CLIENT_AUTH_PROVIDER_FACTORY_CLASS to 
AbstractConfiguration because it is to be configured on Bookie side too (for 
usage by the Auditor)
- introduction of a way to perform a rolling upgrade from authentication 
disabled to authentication enabled

The CLIENT_ROLE property is used internally to make the Auditor let the Client 
Side Auth plugin know that the connection will be used by the 'system', 
valid values are:
- standard (standard clients)
- system (the auditor and autorecovery)
It has been introduced to let the future SASL Kerberos Auth Plugin 
(BOOKKEEPER-391) use different configuration for these two kinds of use cases, 
it will be useful to any other plugin too

The xxxxPeer classes enhance the previous way of telling to the AuthPlugin 
about the origin of the connection (in 4.4.0 only the SocketAddress was given), 
during the discussion about SSL support (BOOKKEEPER-588) it seemed required to 
make the AuthPlugin:
- access other Principals bound to the connection (like SSL certificates, both 
from the server and the client side)
- a way to let the Plugin drop the connection in case of authorization 
expiration (like SSL client side expired certificate)

> ClientAuthProvider and BookieAuthProvider Public API used Protobuf Shaded 
> classes
> ---------------------------------------------------------------------------------
>
>                 Key: BOOKKEEPER-959
>                 URL: https://issues.apache.org/jira/browse/BOOKKEEPER-959
>             Project: Bookkeeper
>          Issue Type: Bug
>          Components: bookkeeper-client, bookkeeper-server
>    Affects Versions: 4.4.0
>            Reporter: Enrico Olivelli
>            Assignee: Enrico Olivelli
>            Priority: Blocker
>             Fix For: 4.5.0
>
>
> With 4.4.0 we introduced the ability to implement custom authentication 
> plugins.
> The new interfaces ClientAuthProvider and BookieAuthProvider depend on 
> ExtensionRegistry, which is a shaded dependency.
> As a consequence it is not possible to implement any custom auth provider in 
> code outside the project, because shaded/relocated dependencies cannot be 
> used.
> We need to break the actual interface and introduce a new way to implement 
> such plugins in a portable way



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
