[ https://issues.apache.org/jira/browse/GEODE-9457?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17417790#comment-17417790 ]

ASF subversion and git services commented on GEODE-9457:
--------------------------------------------------------

Commit b07f3209ec541c972420c952dcd8b13c8dc060e3 in geode's branch 
refs/heads/develop from Jinmei Liao
[ https://gitbox.apache.org/repos/asf?p=geode.git;h=b07f320 ]

GEODE-9457: re-authentication in event dispatcher (#6835)

* authorize the message before dispatching the message to the client
* add a new message type to be sent to the client for re-authenticate
* message dispatcher will wait for a certain time for client to reauthenticate 
before terminating the client
* when re-authenticating, the new subject will re-use the original uniqueId. 
Credentials will be sent to the user along with the old uniqueId if exists.
* old subject will be cleaned out when new subject re-authenticates back.
* re-auth multi-user mode in event dispatching is not supported (yet).

> Investigate the behavior of CQ when authentication expires.
> -----------------------------------------------------------
>
>                 Key: GEODE-9457
>                 URL: https://issues.apache.org/jira/browse/GEODE-9457
>             Project: Geode
>          Issue Type: Sub-task
>          Components: core, security
>            Reporter: Jinmei Liao
>            Priority: Major
>              Labels: GeodeOperationAPI, pull-request-available
>             Fix For: 1.15.0
>
>
> To ensure CQ message delivery when a user expires, we need to:
>  # authorize the message when dispatching the message.
>  # catch the AuthExpiredException and send REAUTHENTICATE message to the 
> client
>  # The client gets that message and re-authenticates
>  # the message dispatcher will use the new subject to authorize the message 
> again and try deliver
>  # if client didn't re-authenticate back in a timely manner, the proxy should 
> close the connection
>  # make sure this also works in multi-user mode
> To have the message dispatcher use the newly updated user to authorize the 
> message, we need to be able to associate the new userId with the old userId. 
> This would require
>        7: have the AuthenticateUserOp send the old userId if exists
> make sure to include tests in multi-server cases



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
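
The dispatch flow listed in the commit message and the issue description above (authorize before dispatch, send REAUTHENTICATE on expiry, wait a bounded time, re-use the old uniqueId, otherwise close the client), as an added single-user model that is not code from the Geode commit. Every class, method and field name is hypothetical, and the "/expired" subject suffix is a constructed stand-in for an expired login.

```java
import java.util.concurrent.*;

// Added model of the GEODE-9457 flow; all names are hypothetical, not Geode's API.
public class ReauthDispatchSketch {
  static class AuthExpiredException extends RuntimeException {}
  interface Authorizer { void check(String subject, String event); } // throws on expiry

  // uniqueId -> current subject; re-authentication swaps the subject, keeps the id.
  static final ConcurrentMap<Long, String> subjects = new ConcurrentHashMap<>();
  static final ConcurrentMap<Long, CountDownLatch> pending = new ConcurrentHashMap<>();

  // Server side of the client's answer: new subject stored under the old uniqueId.
  static void reauthenticate(long uniqueId, String newSubject) {
    subjects.put(uniqueId, newSubject); // the old subject is replaced here
    CountDownLatch latch = pending.remove(uniqueId);
    if (latch != null) latch.countDown();
  }

  // true: event may be delivered; false: caller should close the client connection.
  static boolean authorizeForDispatch(long uniqueId, String event, Authorizer auth,
      Runnable sendReauthenticate, long waitMillis) throws InterruptedException {
    for (int attempt = 0; attempt < 2; attempt++) {
      try {
        auth.check(subjects.get(uniqueId), event); // authorize before dispatching
        return true;
      } catch (AuthExpiredException e) {
        if (attempt == 1) break; // still expired after re-authentication
        CountDownLatch latch = new CountDownLatch(1);
        pending.put(uniqueId, latch); // register before asking, so a fast reply counts
        sendReauthenticate.run();     // REAUTHENTICATE message to the client
        if (!latch.await(waitMillis, TimeUnit.MILLISECONDS)) break; // client too slow
      }
    }
    pending.remove(uniqueId);  // no one is waited on any more
    subjects.remove(uniqueId); // drop the expired subject before closing
    return false;
  }

  public static void main(String[] args) throws Exception {
    // Constructed sample: a subject ending in "/expired" models an expired login.
    Authorizer auth = (s, e) -> { if (s == null || s.endsWith("/expired")) throw new AuthExpiredException(); };
    subjects.put(1L, "alice/expired");
    subjects.put(2L, "bob/expired");
    boolean ok = authorizeForDispatch(1L, "cq-event", auth,
        () -> reauthenticate(1L, "alice/fresh"), 200); // client answers in time
    boolean silent = authorizeForDispatch(2L, "cq-event", auth, () -> {}, 200); // never answers
    System.out.println("client 1 delivered=" + ok + ", client 2 delivered=" + silent);
  }
}
```

The latch is registered before the REAUTHENTICATE message goes out, so a reply that arrives immediately is not lost; an authorization denial that is not an expiry is outside what this model covers.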
