fix: also skip basic authentication for authentication.skip.paths #9669
Conversation
| @@ -236,7 +236,6 @@ private void createQuery(final String suffix) { | |||
| TEST_HARNESS.getKafkaCluster().waitForTopicsToBePresent(SINK_TOPIC + suffix); | |||
| } | |||
|
|
|||
| @NotNull | |||
There was a problem hiding this comment.
For some reason, spotbugs kept thinking this can return null. Looks to me like a false alarm, not why I'm getting it.
|
@spena and/or @AlanConfluent could you maybe have a look? |
| new KsqlAuthorizationProviderHandler(server, ksqlAuthorizationProvider))); | ||
| selectiveHandler( | ||
| new KsqlAuthorizationProviderHandler(server, ksqlAuthorizationProvider), | ||
| provider -> provider == Provider.JAAS || provider == Provider.PLUGIN |
There was a problem hiding this comment.
Did we just implicitly only fall through to here if it was jaas or plugin and now you're just formally checking that?
There was a problem hiding this comment.
Yes, mostly. For SYSTEM there was a check inside KsqlAuthorizationProviderHandler that skipped authorization. The other two options were JAAS and PLUGIN, otherwise the selectHandler fails.
I moved those checks here to at least have the selection logic in one file and not spread across the various concrete implementations.
There was a problem hiding this comment.
That makes sense. It's better to have it centralized here.
| ) { | ||
| return rc -> { | ||
| if (rc.data().get(PROVIDER_KEY) != provider) { | ||
| if (!providerTest.test((Provider)rc.data().get(PROVIDER_KEY))) { |
There was a problem hiding this comment.
I know you didn't change this part of the logic, but this looks slightly scary that it skips this handler if the particular provider is different from what we expect. It just seems a little error prone that we decide which auth to use and invoke a handler in two different places. Maybe this is because we have to statically install all the handers, but only invoke one of them at request-time? Just a general comment -- not sure if you have any ideas.
There was a problem hiding this comment.
Yes, I totally agree. This could be a vertx-ish architectural style, but I'm not sure if it is achieving anything in our setting. It should be possible to have a single wrapping handler to call the sub-handlers -- essentially, merge selectHandler and selectiveHandler into one, so that you can use plain old control-flow for handler selection instead of passing around PROVIDER values. I didn't want to make this too large of a refactoring, but if you want to go down this road with me, I could try.
There was a problem hiding this comment.
No need for anything in this PR, more just thoughts while reading surrounding code. We can consider that as a followup if you do more changes in this area.
| @@ -130,6 +150,11 @@ private static void selectHandler( | |||
| context.next(); | |||
| return; | |||
| } | |||
| if (skipPathsPattern.matcher(context.normalizedPath()).matches()) { | |||
There was a problem hiding this comment.
Nit: Maybe put this first to match the previous order of checks in the plugin. Shouldn't make any difference, but just to be safe.
| @@ -58,28 +68,36 @@ static void setupAuthHandlers(final Server server, final Router router, | |||
| systemAuthenticationHandler.ifPresent(handler -> registerAuthHandler(router, handler)); | |||
There was a problem hiding this comment.
I don't think it should matter whether they're considered system authenticated before you check the path because it only has the effect of skipping any subsequent checks if they are.
| @@ -120,8 +138,10 @@ private static Handler<RoutingContext> wrappedHandler( | |||
| * In order of preference, we see if the user is the system user, then we check for | |||
| * JAAS configurations, and finally we check to see if there's a plugin we can use | |||
| */ | |||
| private static void selectHandler( | |||
| // default visibility for testing | |||
| @@ -120,11 +139,18 @@ private static Handler<RoutingContext> wrappedHandler( | |||
| * In order of preference, we see if the user is the system user, then we check for | |||
There was a problem hiding this comment.
Can you modify this comment for the order of preference? Btw, wouldn't check for SYSTEM be the step 1, then check for SKIP path?
There was a problem hiding this comment.
Yeah, see comment from Alan above. I would think SYSTEM goes first as well, but the original order in the code is SKIP first, and since it shouldn't really make a difference, the idea is to not risk breaking some existing behavior unknowingly.
Description
There is the KSQL parameter
authentication.skip.pathsthat disables authentication for specific paths. Currently, the parameter is ignored for basic authentication, which is probably a bug or at least very confusing to users.This change moves the handling of
authentication.skip.pathsfrom specific auth handlers to theAuthHandlersclass, which allows us to skip any authentication/authorization for paths that matchauthentication.skip.paths.This change introduces a new Provider called SKIP, that works very similar to the existing SYSTEM Provider - it means that all other authentication / authorization provides. It is enabled for
authentication.skip.pathsand for 3 hard-coded paths. We also slightly simplify the handling of the SYSTEM authorization to bring it in line with SKIP.Testing done
We port the existing, provider-specic unit tests to
AuthHandlers.I also performed manual testing with the settings
and the same JAAS configuration in the ticket #9206
and checking
Fixes #9206
Reviewer checklist