Fix duplicate peer usrpwd transport reconciliation #2578
Open
BOURBONCASK wants to merge 2 commits into eclipse-zenoh:main from
Signed-off-by: yifei.ma <yifeima98@gmail.com>
Description
What does this PR do?
This PR fixes duplicate peer transport reconciliation when transport.auth.usrpwd is enabled.
The transport layer no longer treats the authenticated principal as part of transport compatibility, and instead stores the usrpwd principal as transport-local metadata. When a duplicate transport is merged, the principal can now be upgraded from Unknown to Known(username) after a successful OpenAck.
The PR also refreshes interceptors after such principal upgrades so that username-based access control sees the updated authenticated principal.
In addition, it adds:
Why is this change needed?
In a peer-to-peer duplicate connect scenario, inbound and outbound paths do not carry symmetric usrpwd identity information:
Before this change, that difference leaked into transport compatibility and caused duplicate peer connections to be rejected with repeated OpenSyn -> Close(INVALID) errors.
Even if duplicate reconciliation succeeds, the authenticated principal still needs to be propagated to runtime interceptors, otherwise username-based ACL decisions may continue to observe stale metadata.
Related Issues
Validation
cargo test -p zenoh-transport --test unicast_authenticator --features transport_tcp,auth_usrpwd authenticator_tcp_usrpwd_peer_duplicate_transport -- --exact --nocapture
cargo test -p zenoh --test authentication --features unstable test::test_authentication_usrpwd_duplicate_peer_acl_refresh -- --exact --nocapture
cargo test -p zenoh --test authentication --features unstable test::test_authentication_usrpwd -- --exact --nocapture
cargo test -p zenoh --test authentication --features unstable test::test_authentication_subject_combinations -- --exact --nocapture
cargo check -p zenoh --features internal
🏷️ Label-Based Checklist
No specific label requirements detected.
Current labels: No labels
Add one of these labels to this PR to see relevant checklist items:
api-sync, breaking-change, bug, ci, dependencies, documentation, enhancement, new feature, internal
This section updates automatically when labels change.
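An added sketch, not code from this PR or from zenoh, of the behaviour the description outlines: the principal is kept out of the duplicate-transport compatibility check, a merge can upgrade Unknown to Known(username), and the ACL view is refreshed on upgrade. All type and function names are hypothetical, and treating two different known usernames as a conflict is an assumption of the sketch.

```rust
// Simplified model with hypothetical names; not zenoh's types or API.
use std::collections::HashMap;
#[derive(Clone)]
enum Principal { Unknown, Known(String) }
struct Transport {
    principal: Principal,   // transport-local metadata, not part of compatibility
    acl_subject: Principal, // copy the ACL interceptor decides on
}
#[derive(Default)]
struct Manager { peers: HashMap<String, Transport>, allow: Vec<String> }

impl Manager {
    // Opens or merges a transport, keyed on peer id only; false means rejected.
    fn open_or_merge(&mut self, peer_id: &str, seen: Principal) -> bool {
        if !self.peers.contains_key(peer_id) {
            let t = Transport { principal: seen.clone(), acl_subject: seen };
            self.peers.insert(peer_id.to_string(), t);
            return true;
        }
        let t = self.peers.get_mut(peer_id).unwrap();
        match (t.principal.clone(), seen) {
            // Upgrade Unknown -> Known(username), then refresh the interceptor's view.
            (Principal::Unknown, known @ Principal::Known(_)) => {
                t.principal = known.clone();
                t.acl_subject = known; // without this the ACL keeps seeing Unknown
                true
            }
            // Assumption of this sketch: two different known usernames conflict.
            (Principal::Known(a), Principal::Known(b)) => a == b,
            // The duplicate carries no identity: keep what is already stored.
            _ => true,
        }
    }

    // Username-based ACL decision; an unknown principal is denied.
    fn allowed(&self, peer_id: &str) -> bool {
        match self.peers.get(peer_id).map(|t| &t.acl_subject) {
            Some(Principal::Known(u)) => self.allow.contains(u),
            _ => false,
        }
    }
}

fn main() {
    let mut m = Manager { allow: vec!["alice".into()], ..Default::default() };
    m.open_or_merge("peer-1", Principal::Unknown); // constructed sample input
    m.open_or_merge("peer-1", Principal::Known("alice".into()));
    println!("allowed after upgrade: {}", m.allowed("peer-1"));
}
```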