[server] Add keep alive method for ServerAuthenticator for each rpc invocation. (#956)

Author: loserwang1024

fluss-common/src/main/java/com/alibaba/fluss/security/auth/ServerAuthenticator.java

@@ -20,13 +20,16 @@
 import com.alibaba.fluss.exception.AuthenticationException;
 import com.alibaba.fluss.security.acl.FlussPrincipal;
 
+import java.io.Closeable;
+import java.io.IOException;
+
 /**
  * Authenticator for server side.
  *
  * @since 0.7
  */
 @PublicEvolving
-public interface ServerAuthenticator {
+public interface ServerAuthenticator extends Closeable {
 
     String protocol();
 
@@ -83,6 +86,30 @@ default void initialize(AuthenticateContext context) {}
      */
     FlussPrincipal createPrincipal();
 
+    /**
+     * Performs a lightweight authentication check during each RPC invocation.
+     *
+     * <p>For example, this method serves some purposes:
+     *
+     * <ul>
+     *   <li>Verifies that the current authentication state remains valid (e.g., session not
+     *       expired, token still active).
+     *   <li>Optionally refreshes or extends the session to prevent expiration.
+     * </ul>
+     *
+     * <p>Implementations should ensure this method is non-blocking and efficient, as it may be
+     * invoked on every RPC call. A caching strategy is recommended if remote or expensive
+     * operations are involved.
+     *
+     * @throws AuthenticationException if the authentication has expired or become invalid
+     */
+    default void keepAlive(short apiKey) throws AuthenticationException {}
+
+    /** Close the authenticator. */
+    default void close() throws IOException {}
+
     /** The context of the authentication process. */
-    interface AuthenticateContext {}
+    interface AuthenticateContext {
+        String ipAddress();
+    }
 }

fluss-rpc/src/main/java/com/alibaba/fluss/rpc/netty/server/NettyServerHandler.java

@@ -39,6 +39,7 @@
 import com.alibaba.fluss.shaded.netty4.io.netty.handler.timeout.IdleState;
 import com.alibaba.fluss.shaded.netty4.io.netty.handler.timeout.IdleStateEvent;
 import com.alibaba.fluss.utils.ExceptionUtils;
+import com.alibaba.fluss.utils.IOUtils;
 
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -139,6 +140,9 @@ public void channelRead(ChannelHandlerContext ctx, Object msg) throws Exception
                 // 3. the channel is complete, but receive auth request (PLAINTEXT case)
                 handleAuthenticateRequest(apiKey, requestMessage, future);
             } else {
+                if (state.isReady()) {
+                    authenticator.keepAlive(apiKey);
+                }
                 requestChannel.putRequest(request);
             }
 
@@ -175,6 +179,7 @@ public void channelActive(ChannelHandlerContext ctx) throws Exception {
     @Override
     public void channelInactive(ChannelHandlerContext ctx) throws Exception {
         super.channelInactive(ctx);
+        close();
     }
 
     @Override
@@ -183,7 +188,7 @@ public void userEventTriggered(ChannelHandlerContext ctx, Object evt) throws Exc
             IdleStateEvent event = (IdleStateEvent) evt;
             if (event.state().equals(IdleState.ALL_IDLE)) {
                 LOG.warn("Connection {} is idle, closing...", ctx.channel().remoteAddress());
-                ctx.close();
+                close();
             }
         }
     }
@@ -207,6 +212,7 @@ public void exceptionCaught(ChannelHandlerContext ctx, Throwable cause) throws E
 
     private void close() {
         switchState(ConnectionState.CLOSE);
+        IOUtils.closeQuietly(authenticator);
         ctx.close();
     }
 
@@ -363,8 +369,18 @@ public boolean isActive() {
         public boolean isAuthenticating() {
             return this == AUTHENTICATING;
         }
+
+        public boolean isReady() {
+            return this == READY;
+        }
     }
 
-    private static class DefaultAuthenticateContext
-            implements ServerAuthenticator.AuthenticateContext {}
+    private class DefaultAuthenticateContext implements ServerAuthenticator.AuthenticateContext {
+        @Override
+        public String ipAddress() {
+            return ((InetSocketAddress) ctx.channel().remoteAddress())
+                    .getAddress()
+                    .getHostAddress();
+        }
+    }
 }

fluss-rpc/src/test/java/com/alibaba/fluss/rpc/netty/authenticate/AuthenticationTest.java

@@ -62,6 +62,7 @@ public void cleanup() throws Exception {
         if (nettyServer != null) {
             nettyServer.close();
         }
+        MutualAuthenticationPlugin.errorType = MutualAuthenticationPlugin.ErrorType.NONE;
     }
 
     @Test
@@ -88,7 +89,8 @@ void testMutualAuthenticate() throws Exception {
         }
 
         // test invalid challenge from server
-        clientConfig.setString("client.security.mutual.error-type", "SERVER_ERROR_CHALLENGE");
+        MutualAuthenticationPlugin.errorType =
+                MutualAuthenticationPlugin.ErrorType.SERVER_ERROR_CHALLENGE;
         try (NettyClient nettyClient =
                 new NettyClient(clientConfig, TestingClientMetricGroup.newInstance())) {
             assertThatThrownBy(() -> verifyGetTableNamesList(nettyClient, mutualAuthServerNode))
@@ -98,7 +100,8 @@ void testMutualAuthenticate() throws Exception {
         }
 
         // test invalid token from client
-        clientConfig.setString("client.security.mutual.error-type", "CLIENT_ERROR_SECOND_TOKEN");
+        MutualAuthenticationPlugin.errorType =
+                MutualAuthenticationPlugin.ErrorType.CLIENT_ERROR_SECOND_TOKE;
         try (NettyClient nettyClient =
                 new NettyClient(clientConfig, TestingClientMetricGroup.newInstance())) {
             assertThatThrownBy(() -> verifyGetTableNamesList(nettyClient, mutualAuthServerNode))
@@ -111,7 +114,8 @@ void testMutualAuthenticate() throws Exception {
     void testNoChallengeBeforeClientComplete() throws Exception {
         Configuration clientConfig = new Configuration();
         clientConfig.set(ConfigOptions.CLIENT_SECURITY_PROTOCOL, "mutual");
-        clientConfig.setString("client.security.mutual.error-type", "SERVER_NO_CHALLENGE");
+        MutualAuthenticationPlugin.errorType =
+                MutualAuthenticationPlugin.ErrorType.SERVER_NO_CHALLENGE;
         try (NettyClient nettyClient =
                 new NettyClient(clientConfig, TestingClientMetricGroup.newInstance())) {
 
@@ -126,7 +130,8 @@ void testNoChallengeBeforeClientComplete() throws Exception {
     void testRetirableAuthenticateException() throws Exception {
         Configuration clientConfig = new Configuration();
         clientConfig.set(ConfigOptions.CLIENT_SECURITY_PROTOCOL, "mutual");
-        clientConfig.setString("client.security.mutual.error-type", "RETRIABLE_EXCEPTION");
+        MutualAuthenticationPlugin.errorType =
+                MutualAuthenticationPlugin.ErrorType.RETRIABLE_EXCEPTION;
         try (NettyClient nettyClient =
                 new NettyClient(clientConfig, TestingClientMetricGroup.newInstance())) {
             verifyGetTableNamesList(nettyClient, mutualAuthServerNode);
@@ -203,6 +208,22 @@ void testMultiClientsWithSameProtocol() throws Exception {
         }
     }
 
+    @Test
+    void testKeepAliveError() throws Exception {
+        Configuration clientConfig = new Configuration();
+        clientConfig.set(ConfigOptions.CLIENT_SECURITY_PROTOCOL, "mutual");
+        try (NettyClient nettyClient =
+                new NettyClient(clientConfig, TestingClientMetricGroup.newInstance())) {
+            verifyGetTableNamesList(nettyClient, mutualAuthServerNode);
+            MutualAuthenticationPlugin.errorType =
+                    MutualAuthenticationPlugin.ErrorType.KEEP_ALIVE_ERROR;
+            assertThatThrownBy(() -> verifyGetTableNamesList(nettyClient, mutualAuthServerNode))
+                    .hasRootCauseExactlyInstanceOf(AuthenticationException.class)
+                    .rootCause()
+                    .hasMessageContaining("Keep alive error");
+        }
+    }
+
     private void verifyGetTableNamesList(NettyClient nettyClient, ServerNode serverNode)
             throws Exception {
         ListTablesRequest request = new ListTablesRequest().setDatabaseName("test-database");

fluss-rpc/src/test/java/com/alibaba/fluss/rpc/netty/authenticate/MutualAuthenticationPlugin.java

@@ -16,7 +16,6 @@
 
 package com.alibaba.fluss.rpc.netty.authenticate;
 
-import com.alibaba.fluss.config.ConfigOption;
 import com.alibaba.fluss.config.Configuration;
 import com.alibaba.fluss.exception.AuthenticationException;
 import com.alibaba.fluss.exception.RetriableAuthenticationException;
@@ -26,25 +25,22 @@
 import com.alibaba.fluss.security.auth.ServerAuthenticationPlugin;
 import com.alibaba.fluss.security.auth.ServerAuthenticator;
 
+import java.io.IOException;
 import java.util.concurrent.ThreadLocalRandom;
 
-import static com.alibaba.fluss.config.ConfigBuilder.key;
-
 /**
  * An {@link com.alibaba.fluss.security.auth.AuthenticationPlugin} to mock mutual authentication.
  */
 public class MutualAuthenticationPlugin
         implements ServerAuthenticationPlugin, ClientAuthenticationPlugin {
 
     private static final String MUTUAL_AUTH_PROTOCOL = "mutual";
-    private static final ConfigOption<ErrorType> ERROR_TYPE =
-            key("client.security.mutual.error-type")
-                    .enumType(ErrorType.class)
-                    .defaultValue(ErrorType.NONE);
+
+    public static ErrorType errorType = ErrorType.NONE;
 
     @Override
     public ClientAuthenticator createClientAuthenticator(Configuration configuration) {
-        return new ClientAuthenticatorImpl(configuration);
+        return new ClientAuthenticatorImpl();
     }
 
     @Override
@@ -67,11 +63,6 @@ private enum Status {
 
         private Status status;
         Integer initialSalt;
-        private final int errorType;
-
-        public ClientAuthenticatorImpl(Configuration configuration) {
-            this.errorType = configuration.get(ERROR_TYPE).code;
-        }
 
         @Override
         public String protocol() {
@@ -88,23 +79,16 @@ public void initialize(AuthenticateContext context) {
         public byte[] authenticate(byte[] data) throws AuthenticationException {
             switch (status) {
                 case SEND_CLIENT_FIRST_MESSAGE:
-                    initialSalt =
-                            isError(
-                                            errorType,
-                                            ErrorType.SERVER_NO_CHALLENGE,
-                                            ErrorType.SERVER_ERROR_CHALLENGE,
-                                            ErrorType.RETRIABLE_EXCEPTION)
-                                    ? errorType
-                                    : generateInitialSalt();
+                    initialSalt = generateInitialSalt();
                     status = Status.RECEIVE_SERVER_FIRST_MESSAGE;
                     return String.valueOf(initialSalt).getBytes();
                 case RECEIVE_SERVER_FIRST_MESSAGE:
                     int challenge = parseToken(data);
                     if (challenge == initialSalt + 1) {
                         status = Status.RECEIVE_SERVER_FINAL_MESSAGE;
                         return String.valueOf(
-                                        isError(errorType, ErrorType.CLIENT_ERROR_SECOND_TOKEN)
-                                                ? errorType
+                                        errorType == ErrorType.CLIENT_ERROR_SECOND_TOKE
+                                                ? -1
                                                 : challenge + 1)
                                 .getBytes();
                     } else {
@@ -138,12 +122,14 @@ private static class ServerAuthenticatorImpl implements ServerAuthenticator {
         private enum Status {
             RECEIVE_CLIENT_FIRST_MESSAGE,
             RECEIVE_CLIENT_FINAL_MESSAGE,
-            COMPLETED
+            COMPLETED,
+            CLOSED
         }
 
         private Integer initialSalt;
         private int retryNumber = 0;
         private Status status = Status.RECEIVE_CLIENT_FIRST_MESSAGE;
+        private String ip;
 
         @Override
         public String protocol() {
@@ -153,6 +139,7 @@ public String protocol() {
         @Override
         public void initialize(AuthenticateContext context) {
             this.status = Status.RECEIVE_CLIENT_FIRST_MESSAGE;
+            this.ip = context.ipAddress();
             this.initialSalt = null;
         }
 
@@ -161,14 +148,14 @@ public byte[] evaluateResponse(byte[] token) throws AuthenticationException {
             int tokenValue = parseToken(token);
             switch (status) {
                 case RECEIVE_CLIENT_FIRST_MESSAGE:
-                    if (isError(tokenValue, ErrorType.SERVER_NO_CHALLENGE)) {
+                    if (errorType == ErrorType.SERVER_NO_CHALLENGE) {
                         return null;
                     }
-                    if (isError(tokenValue, ErrorType.SERVER_ERROR_CHALLENGE)) {
+                    if (errorType == ErrorType.SERVER_ERROR_CHALLENGE) {
                         return "-1".getBytes();
                     }
-                    if (isError(tokenValue, ErrorType.RETRIABLE_EXCEPTION) && retryNumber++ < 3) {
-                        throw new RetriableAuthenticationException("Retriable exception");
+                    if (errorType == ErrorType.RETRIABLE_EXCEPTION && retryNumber++ < 3) {
+                        throw new RetriableAuthenticationException("Retriable exception " + ip);
                     }
 
                     initialSalt = tokenValue + 1;
@@ -199,6 +186,18 @@ public FlussPrincipal createPrincipal() {
         public boolean isCompleted() {
             return status == Status.COMPLETED;
         }
+
+        @Override
+        public void keepAlive(short apiKey) throws AuthenticationException {
+            if (errorType == ErrorType.KEEP_ALIVE_ERROR) {
+                throw new AuthenticationException("Keep alive error");
+            }
+        }
+
+        @Override
+        public void close() throws IOException {
+            status = Status.CLOSED;
+        }
     }
 
     private static int parseToken(byte[] token) {
@@ -212,26 +211,13 @@ private static int generateInitialSalt() {
         return ThreadLocalRandom.current().nextInt(0, Integer.MAX_VALUE);
     }
 
-    private static boolean isError(int errorType, ErrorType... errorTypes) {
-        for (ErrorType type : errorTypes) {
-            if (errorType == type.code) {
-                return true;
-            }
-        }
-        return false;
-    }
-
-    enum ErrorType {
-        NONE(-1),
-        SERVER_NO_CHALLENGE(-2),
-        SERVER_ERROR_CHALLENGE(-3),
-        CLIENT_ERROR_SECOND_TOKEN(-4),
-        RETRIABLE_EXCEPTION(-5);
-
-        final int code;
-
-        ErrorType(int code) {
-            this.code = code;
-        }
+    /** Error types for testing. */
+    public enum ErrorType {
+        NONE,
+        SERVER_NO_CHALLENGE,
+        SERVER_ERROR_CHALLENGE,
+        CLIENT_ERROR_SECOND_TOKE,
+        RETRIABLE_EXCEPTION,
+        KEEP_ALIVE_ERROR
     }
 }