Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support for StreamingCredentials #3068

Open
wants to merge 21 commits into
base: main
Choose a base branch
from
Open

Support for StreamingCredentials #3068

wants to merge 21 commits into from
+1,354 −21

Conversation

ggivo
Copy link
Contributor

@ggivo ggivo commented Dec 2, 2024
edited
Loading

Description
This PR is preparation step for adding support for Microsoft Entra ID (formerly Azure AD) authentication support

It introduces support for streaming credentials provider allowing connection re-authentication when new credentials are available.
Posible use cases is token based authentication (e.g. expiring tokens) or credential rotation.

PR introduces :

  1. StreamingCredentialsProvider extending existing CredentialsProvider with option for providing a stream of credentials
  2. If enabled connection will subscribe for credential updates and perform re-authentication

An example of credential provider supporting streaming : MyStreamingRedisCredentialsProvider
A basic usage would look like;

        MyStreamingRedisCredentialsProvider credentialsProvider = new MyStreamingRedisCredentialsProvider();
        
        RedisURI uri = RedisURI.builder()
            .withHost("REDIS_HOST")
            .withPort("REDIS_PORT")
            // use credential provider supporting credential stream
            .withAuthentication(credentialsProvider).build();  

        RedisClient client = RedisClient.create(uri);
        client.setOptions(ClientOptions.builder()
                 //enable re-authentication on new credentials
                .reauthenticateBehavior(ClientOptions.ReauthenticateBehavior.ON_NEW_CREDENTIALS)  
                .build());

        connection = client.connect()  
        ....
  • You have read the contribution guidelines.
  • You have created a feature request first to discuss your contribution intent. Please reference the feature request ticket number in the pull request.
  • You applied code formatting rules using the mvn formatter:format target. Don’t submit any formatting related changes.
  • You submit test cases (unit or integration tests) that back your changes.

@ggivo
Support for StreamingCredentials
91871b6 
     This enables use cases like credential rotation and token based auth without client disconnect. Especially with Pub/Sub clients will reduce the chnance of missing events.
@ggivo ggivo self-assigned this Dec 4, 2024
@ggivo ggivo requested a review from tishun December 4, 2024 09:52
@ggivo ggivo marked this pull request as ready for review December 4, 2024 09:53
ggivo added a commit to ggivo/lettuce that referenced this pull request Dec 4, 2024
@ggivo
Rebase on PR redis#3068
6531424
ggivo added 2 commits December 8, 2024 14:09
@ggivo
Conditionally enable connection reauthentication based on client setting
5858286 
DEFAULT_REAUTHENTICATE_BEHAVIOUR
@ggivo
Client setting for enabling reauthentication
779edca 
  - Moved Authentication handler to DefaultEndpoint
  - updated since 6.6.0
ggivo added a commit to ggivo/lettuce that referenced this pull request Dec 8, 2024
@ggivo
Rebase on PR redis#3068
78fb436 
# Conflicts:
#	src/test/java/io/lettuce/core/AuthenticationIntegrationTests.java
ggivo added a commit to ggivo/lettuce that referenced this pull request Dec 8, 2024
@ggivo
Rebase on PR redis#3068
98e72fb 
# Conflicts:
#	src/test/java/io/lettuce/core/AuthenticationIntegrationTests.java
ggivo added a commit to ggivo/lettuce that referenced this pull request Dec 8, 2024
@ggivo
Rebase on PR redis#3068
b7efe6c 
# Conflicts:
#	src/test/java/io/lettuce/core/AuthenticationIntegrationTests.java
@ggivo ggivo marked this pull request as draft December 11, 2024 12:02
@ggivo ggivo force-pushed the streaming-auth branch 2 times, most recently from d483898 to 7185e22 Compare December 11, 2024 17:32
@ggivo
Support multi with re-auth
b32f84c 
Defer the re-auth operation in case there is on-going multi
Tx in lettuce need to be externally synchronised when used in multithreaded env. Since re-auth happens from different thread we need to make sure it does not happen while there is ongoing transaction.
@ggivo ggivo marked this pull request as ready for review December 13, 2024 11:51
@ggivo ggivo requested a review from atakavci December 13, 2024 12:17
atakavci
atakavci reviewed Dec 16, 2024
View reviewed changes
Copy link
Collaborator

@atakavci atakavci left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

looks clean from my POV, i got a few questions though.

src/main/java/io/lettuce/core/RedisAuthenticationHandler.java Outdated
}

if (credentialsProvider instanceof StreamingCredentialsProvider) {
if (!isSupportedConnection()) {
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

are we good with the behavior when its configured with StreamingCredentials but doesnt work that way. It looks like it happens silently and nobody knows about it.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I missed that one. WIll add a warning to the log.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

On second thought, this is expected. We can have a streaming-enabled credentials provider and disabled the reauthentication

src/main/java/io/lettuce/core/RedisAuthenticationHandler.java Outdated Show resolved Hide resolved
src/main/java/io/lettuce/core/StatefulRedisConnectionImpl.java Outdated
multi = (multi == null ? new MultiOutput<>(codec) : multi);

if (command instanceof CompleteableCommand) {
((CompleteableCommand<?>) command).onComplete((ignored, e) -> {
if (e != null) {
multi = null;
inTransaction.set(false);
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

what are the cases that we know of it is not a CompleteableCommand ?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looking at the code you can provide directly Command to dispath.
What is the actual use? I am not sure but if it is not CompletableCommand it will make most of preProcessCommand() method irrelevant.
Not sure if @tishun can add here.

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🤷

I thought it was that all sync commands are not completable commands.
But why are they exempt from these checks I am not sure.

Does MULTI even work with sync commands?

src/main/java/io/lettuce/core/StatefulRedisConnectionImpl.java Outdated Show resolved Hide resolved
src/main/java/io/lettuce/core/cluster/RedisClusterClient.java Outdated Show resolved Hide resolved
ggivo
ggivo commented Dec 17, 2024
View reviewed changes
Copy link
Contributor Author

@ggivo ggivo left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@tishun
Thanks for the review and help with clean up! It looks neat and tidy!

I think there a few changes that lead to change in behavior
Putting some comments and will try to address them with follow up commit.

src/main/java/io/lettuce/core/StatefulRedisConnectionImpl.java Outdated Show resolved Hide resolved
src/main/java/io/lettuce/core/StatefulRedisConnectionImpl.java Outdated Show resolved Hide resolved
src/main/java/io/lettuce/core/RedisAuthenticationHandler.java Show resolved Hide resolved
ggivo added 4 commits December 17, 2024 17:16
@ggivo
fix inTransaction lock with dispatch command batch
8e9ab48
@ggivo
Remove StreamingCredentialsProvider interface.
746dd82 
move credentials() method to RedisCredentialsProvider.

Resolve issue with unsafe cast after extending RedisCredentialsProvider with supportsStreaming() method
@ggivo
Add authentication handler to ClusterPubSub connections
31341f1
@ggivo
Merge branch 'main' into streaming-auth
6891281
tishun
tishun approved these changes Dec 18, 2024
View reviewed changes
Copy link
Collaborator

@tishun tishun left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@atakavci atakavci atakavci left review comments

@tishun tishun tishun approved these changes

Assignees

@ggivo ggivo

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@ggivo @tishun @atakavci