[ https://issues.apache.org/jira/browse/GEODE-10243?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17523841#comment-17523841 ]
ASF subversion and git services commented on GEODE-10243: --------------------------------------------------------- Commit a3b006ffbc6f3917094af24a0f3b5142be99897e in geode's branch refs/heads/geode-for-redis-still-exists from Dan Smith [ https://gitbox.apache.org/repos/asf?p=geode.git;h=a3b006ffbc ] GEODE-10243: Fail early if old client auth expires We don't support re-authentication of old clients with server->client queues. 1.15 and greater clients will receive a new message to trigger reauthentication, but older clients have no reliable way to be notified that they need to re-authenticate themselves when they have a server->client queue. To make this clear to users, if an AuthenticationExpiredException is ever triggered for a client that has a server->client queue and is running a version less than 1.15, we will return an IllegalStateException to the client. If the exception happens while processing the queue we will log a warning and immediately disconnect their queue. > Old clients with durable queues should fail early if > AuthenticationExpiredException is thrown > --------------------------------------------------------------------------------------------- > > Key: GEODE-10243 > URL: https://issues.apache.org/jira/browse/GEODE-10243 > Project: Geode > Issue Type: Improvement > Components: client queues > Reporter: Dan Smith > Assignee: Dan Smith > Priority: Major > Labels: pull-request-available > > As part of the changes for GEODE-9457, when an AuthenticationExpiredException > is thrown from the SecurityManager during message dispatching, we send a > message to 1.15 and newer clients asking them to re-authenticate. > For 1.14 and older clients, we do not send a message. Instead, we just wait > for the {color:#00875a}reauthenticate.wait.time{color} to elapse and then > close the connection. > The net effect of this is that if users are doing cache operations from 1.14 > and older clients, and their SecurityManager expires the credentials of the > old clients, they will sometimes see their clients re-authenticate themselves > in that time window. This will mislead users into thinking that > re-authentication works with old clients and client queues, even though we > [have documented that we don't support > it|https://github.com/apache/geode/blob/09b8b46ef2fa1d463be885c6fa39dbfe1f0e3e83/geode-docs/managing/security/implementing_authentication_expiry.html.md.erb#L35]. > Instead of allowing re-authentication to sometimes work in this unsupported > use case, we should always fail so that is clear to users that this use case > is not supported. -- This message was sent by Atlassian Jira (v8.20.1#820001)