Posted to commits@pulsar.apache.org by GitBox <gi...@apache.org> on 2022/09/23 02:20:53 UTC

[GitHub] [pulsar] momo-jun opened a new pull request, #17808: [improve][doc]improve TLS encryption

momo-jun opened a new pull request, #17808:
URL: https://github.com/apache/pulsar/pull/17808

   ### Motivation
   
   Improve the doc set of the Security chapter to provide Pulsar users with a more accurate, easy-to-understand, and comprehensive information experience.
   
   This is a follow-up PR related to https://github.com/apache/pulsar/pull/17615 and https://github.com/apache/pulsar/pull/17666.
   
   ### Modifications
   1. Improve the IA and task flow of TLS encryption
   2. Refresh the content through a thorough review by @nodece.
   
   ### Documentation
   
   - [ ] `doc` 
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@pulsar.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


[GitHub] [pulsar] nodece commented on a diff in pull request #17808: [improve][doc] Improve TLS encryption

Posted by GitBox <gi...@apache.org>.
nodece commented on code in PR #17808:
URL: https://github.com/apache/pulsar/pull/17808#discussion_r983212330


##########
site2/docs/security-tls-transport.md:
##########
@@ -475,46 +407,97 @@ brokerClientTlsKeyStore=/var/private/tls/client.keystore.jks
 brokerClientTlsKeyStorePassword=clientpw
 ```
 
-:::note
+To disable non-TLS ports, you need to set the values of `brokerServicePort` and `webServicePort` to empty.
 
-It is important to restrict access to the store files via filesystem permissions.
+Optional settings:
+1. `tlsRequireTrustedClientCertOnConnect=true`: Enable TLS authentication on both brokers and clients for mutual TLS. When enabled, it authenticates the other end of the communication channel.
+2. `tlsCiphers=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256`: A cipher suite is a named combination of authentication, encryption, MAC and key exchange algorithm used to negotiate the security settings for a network connection using TLS network protocol. By default, it is null. See [OpenSSL Ciphers](https://www.openssl.org/docs/man1.0.2/apps/ciphers.html) and [JDK Ciphers](http://docs.oracle.com/javase/8/docs/technotes/guides/security/StandardNames.html#ciphersuites) for more details.
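Review bot: the removed line `-It is important to restrict access to the store files via filesystem permissions.` has no counterpart in the `+` lines, so the hunk silently drops the only guidance about protecting the keystore and truststore files, even though the config block directly above stores a keystore path together with its password in plaintext (`brokerClientTlsKeyStorePassword=clientpw`). Keep that sentence next to the store settings (for example right after the port paragraph) rather than deleting it. Minor: the cipher-suite references in item 2 link to the OpenSSL 1.0.2 and JDK 8 pages; consider pointing at the current versions of both documents.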

Review Comment:
   Move 2 to `Configure TLS Protocol Version and Cipher`.



[GitHub] [pulsar] nodece commented on a diff in pull request #17808: [improve][doc] Improve TLS encryption

Posted by GitBox <gi...@apache.org>.
nodece commented on code in PR #17808:
URL: https://github.com/apache/pulsar/pull/17808#discussion_r983212330


##########
site2/docs/security-tls-transport.md:
##########
@@ -475,46 +407,97 @@ brokerClientTlsKeyStore=/var/private/tls/client.keystore.jks
 brokerClientTlsKeyStorePassword=clientpw
 ```
 
-:::note
+To disable non-TLS ports, you need to set the values of `brokerServicePort` and `webServicePort` to empty.
 
-It is important to restrict access to the store files via filesystem permissions.
+Optional settings:
+1. `tlsRequireTrustedClientCertOnConnect=true`: Enable TLS authentication on both brokers and clients for mutual TLS. When enabled, it authenticates the other end of the communication channel.
+2. `tlsCiphers=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256`: A cipher suite is a named combination of authentication, encryption, MAC and key exchange algorithm used to negotiate the security settings for a network connection using TLS network protocol. By default, it is null. See [OpenSSL Ciphers](https://www.openssl.org/docs/man1.0.2/apps/ciphers.html) and [JDK Ciphers](http://docs.oracle.com/javase/8/docs/technotes/guides/security/StandardNames.html#ciphersuites) for more details.

Review Comment:
   Move 2,3 to `Configure TLS Protocol Version and Cipher`.



[GitHub] [pulsar] tisonkun commented on a diff in pull request #17808: [improve][doc] Improve TLS encryption

Posted by GitBox <gi...@apache.org>.
tisonkun commented on code in PR #17808:
URL: https://github.com/apache/pulsar/pull/17808#discussion_r981108077


##########
site2/docs/cookbooks-encryption.md:
##########
@@ -1,334 +0,0 @@
----
-id: cookbooks-encryption
-title: Configure end-to-end encryption
-sidebar_label: "Configure end-to-end encryption"
----
-
-````mdx-code-block
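Review bot: deleting `site2/docs/cookbooks-encryption.md` removes the `cookbooks-encryption` page id that other docs link to; the same PR removes a `See [cookbook](cookbooks-encryption.md)` reference from `security-encryption.md`, so please grep the sidebar and any remaining docs for that id before merging, and consider leaving a redirect to the new section so existing bookmarks resolve instead of returning 404.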

Review Comment:
   It's possible to set up a client-side redirection here:
   
   ```jsx
   import {Redirect} from '@docusaurus/router';
   
   <Redirect to="security-encryption#get-started" />
   ```
   
   So that users who have a bookmark to the original page won't get a 404 but be redirected to the new section. However, it's also reasonable to just remove it since I believe few users will depend on this page. Just for your information.



[GitHub] [pulsar] momo-jun commented on a diff in pull request #17808: [improve][doc] Improve TLS encryption

Posted by GitBox <gi...@apache.org>.
momo-jun commented on code in PR #17808:
URL: https://github.com/apache/pulsar/pull/17808#discussion_r981119181


##########
site2/docs/security-encryption.md:
##########
@@ -35,7 +35,327 @@ If produced messages are consumed across application boundaries, you need to ens
 
 ## Get started
 
-Pulsar encryption allows applications to encrypt messages on the producer side and decrypt messages on the consumer side. See [cookbook](cookbooks-encryption.md) for detailed instructions.
+## Prerequisites
+
+* Pulsar Java/Python/C++/Node.js client 2.7.1 or later versions.
+* Pulsar Go client 0.6.0 or later versions.
+
+## Configure end-to-end encryption
+
+1. Create both public and private key pairs.
+   * ECDSA(for Java and Go clients)
+     ```shell
+     openssl ecparam -name secp521r1 -genkey -param_enc explicit -out test_ecdsa_privkey.pem
+     openssl ec -in test_ecdsa_privkey.pem -pubout -outform pem -out test_ecdsa_pubkey.pem
+     ```
+
+   * RSA (for Python, C++ and Node.js clients)
+     ```shell
+     openssl genrsa -out test_rsa_privkey.pem 2048
+     openssl rsa -in test_rsa_privkey.pem -pubout -outform pkcs8 -out test_rsa_pubkey.pem
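Review bot: `-outform pkcs8` in the RSA step is not an accepted value for `openssl rsa -outform` (it takes `PEM` or `DER`), so as written the command errors out; `-pubout` already writes a PEM `PUBLIC KEY` (SubjectPublicKeyInfo) block, so either drop the option or use `-outform pem`, and please verify the command on a current OpenSSL before the page ships. Structure: `## Get started` is immediately followed by `## Prerequisites` at the same heading level, which leaves "Get started" as an empty section; make the two new headings `###` subsections of it or remove the "Get started" heading. Nit: missing space in `ECDSA(for Java and Go clients)`.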

Review Comment:
   @Anonymitaet Thanks for the suggestion. Will apply this style.



[GitHub] [pulsar] momo-jun merged pull request #17808: [improve][doc] Improve TLS encryption

Posted by GitBox <gi...@apache.org>.
momo-jun merged PR #17808:
URL: https://github.com/apache/pulsar/pull/17808


[GitHub] [pulsar] momo-jun commented on pull request #17808: [improve][doc] Improve TLS encryption

Posted by GitBox <gi...@apache.org>.
momo-jun commented on PR #17808:
URL: https://github.com/apache/pulsar/pull/17808#issuecomment-1258911796

   @nodece can you pls review the two screenshots I attached in the PR? The content has addressed the points we covered in the discussion.


[GitHub] [pulsar] nodece commented on a diff in pull request #17808: [improve][doc] Improve TLS encryption

Posted by GitBox <gi...@apache.org>.
nodece commented on code in PR #17808:
URL: https://github.com/apache/pulsar/pull/17808#discussion_r983212600


##########
site2/docs/security-tls-transport.md:
##########
@@ -475,46 +407,97 @@ brokerClientTlsKeyStore=/var/private/tls/client.keystore.jks
 brokerClientTlsKeyStorePassword=clientpw
 ```
 
-:::note
+To disable non-TLS ports, you need to set the values of `brokerServicePort` and `webServicePort` to empty.
 
-It is important to restrict access to the store files via filesystem permissions.
+Optional settings:
+1. `tlsRequireTrustedClientCertOnConnect=true`: Enable TLS authentication on both brokers and clients for mutual TLS. When enabled, it authenticates the other end of the communication channel.
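Review bot: the description of `tlsRequireTrustedClientCertOnConnect=true` ("Enable TLS authentication on both brokers and clients") reads as if the client sets this option too, but in this file it sits among the broker-side settings (`brokerClientTls...` just above) and what it does is make the broker reject any connection whose client certificate does not chain to the broker's trust store. Suggest rewording to say that it is set on the broker, that it makes a trusted client certificate mandatory, and what the client therefore needs (a certificate issued by a CA in the broker's trust store); without that, readers enabling it will only see connection failures.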

Review Comment:
   Add a new section to introduce this.



##########
site2/docs/security-tls-transport.md:
##########
@@ -475,46 +407,97 @@ brokerClientTlsKeyStore=/var/private/tls/client.keystore.jks
 brokerClientTlsKeyStorePassword=clientpw
 ```
 
-:::note
+To disable non-TLS ports, you need to set the values of `brokerServicePort` and `webServicePort` to empty.
 
-It is important to restrict access to the store files via filesystem permissions.
+Optional settings:
+1. `tlsRequireTrustedClientCertOnConnect=true`: Enable TLS authentication on both brokers and clients for mutual TLS. When enabled, it authenticates the other end of the communication channel.

Review Comment:
   Add a new section to introduce this, it is important.



[GitHub] [pulsar] Anonymitaet commented on a diff in pull request #17808: [improve][doc] Improve TLS encryption

Posted by GitBox <gi...@apache.org>.
Anonymitaet commented on code in PR #17808:
URL: https://github.com/apache/pulsar/pull/17808#discussion_r981024270


##########
site2/docs/security-encryption.md:
##########
@@ -35,7 +35,327 @@ If produced messages are consumed across application boundaries, you need to ens
 
 ## Get started
 
-Pulsar encryption allows applications to encrypt messages on the producer side and decrypt messages on the consumer side. See [cookbook](cookbooks-encryption.md) for detailed instructions.
+## Prerequisites
+
+* Pulsar Java/Python/C++/Node.js client 2.7.1 or later versions.
+* Pulsar Go client 0.6.0 or later versions.
+
+## Configure end-to-end encryption
+
+1. Create both public and private key pairs.
+   * ECDSA(for Java and Go clients)
+     ```shell
+     openssl ecparam -name secp521r1 -genkey -param_enc explicit -out test_ecdsa_privkey.pem
+     openssl ec -in test_ecdsa_privkey.pem -pubout -outform pem -out test_ecdsa_pubkey.pem
+     ```
+
+   * RSA (for Python, C++ and Node.js clients)
+     ```shell
+     openssl genrsa -out test_rsa_privkey.pem 2048
+     openssl rsa -in test_rsa_privkey.pem -pubout -outform pkcs8 -out test_rsa_pubkey.pem

Review Comment:
   Can we consider using "multiple tabs" like this?
   
   <img width="1171" alt="image" src="https://user-images.githubusercontent.com/50226895/192494366-18e6d5a9-2179-49c8-a5c0-5f581884849c.png">
   



[GitHub] [pulsar] nodece commented on a diff in pull request #17808: [improve][doc] Improve TLS encryption

Posted by GitBox <gi...@apache.org>.
nodece commented on code in PR #17808:
URL: https://github.com/apache/pulsar/pull/17808#discussion_r984257851


##########
site2/docs/security-tls-transport.md:
##########
@@ -475,46 +407,97 @@ brokerClientTlsKeyStore=/var/private/tls/client.keystore.jks
 brokerClientTlsKeyStorePassword=clientpw
 ```
 
-:::note
+To disable non-TLS ports, you need to set the values of `brokerServicePort` and `webServicePort` to empty.
 
-It is important to restrict access to the store files via filesystem permissions.
+Optional settings:
+1. `tlsRequireTrustedClientCertOnConnect=true`: Enable TLS authentication on both brokers and clients for mutual TLS. When enabled, it authenticates the other end of the communication channel.

Review Comment:
   LGTM



[GitHub] [pulsar] momo-jun commented on a diff in pull request #17808: [improve][doc] Improve TLS encryption

Posted by GitBox <gi...@apache.org>.
momo-jun commented on code in PR #17808:
URL: https://github.com/apache/pulsar/pull/17808#discussion_r984250323


##########
site2/docs/security-tls-transport.md:
##########
@@ -475,46 +407,97 @@ brokerClientTlsKeyStore=/var/private/tls/client.keystore.jks
 brokerClientTlsKeyStorePassword=clientpw
 ```
 
-:::note
+To disable non-TLS ports, you need to set the values of `brokerServicePort` and `webServicePort` to empty.
 
-It is important to restrict access to the store files via filesystem permissions.
+Optional settings:
+1. `tlsRequireTrustedClientCertOnConnect=true`: Enable TLS authentication on both brokers and clients for mutual TLS. When enabled, it authenticates the other end of the communication channel.
+2. `tlsCiphers=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256`: A cipher suite is a named combination of authentication, encryption, MAC and key exchange algorithm used to negotiate the security settings for a network connection using TLS network protocol. By default, it is null. See [OpenSSL Ciphers](https://www.openssl.org/docs/man1.0.2/apps/ciphers.html) and [JDK Ciphers](http://docs.oracle.com/javase/8/docs/technotes/guides/security/StandardNames.html#ciphersuites) for more details.

Review Comment:
   Makes sense. Done.



##########
site2/docs/security-tls-transport.md:
##########
@@ -475,46 +407,97 @@ brokerClientTlsKeyStore=/var/private/tls/client.keystore.jks
 brokerClientTlsKeyStorePassword=clientpw
 ```
 
-:::note
+To disable non-TLS ports, you need to set the values of `brokerServicePort` and `webServicePort` to empty.
 
-It is important to restrict access to the store files via filesystem permissions.
+Optional settings:
+1. `tlsRequireTrustedClientCertOnConnect=true`: Enable TLS authentication on both brokers and clients for mutual TLS. When enabled, it authenticates the other end of the communication channel.

Review Comment:
   @nodece can you pls take another look?



[GitHub] [pulsar] momo-jun commented on a diff in pull request #17808: [improve][doc] Improve TLS encryption

Posted by GitBox <gi...@apache.org>.
momo-jun commented on code in PR #17808:
URL: https://github.com/apache/pulsar/pull/17808#discussion_r981119980


##########
site2/docs/cookbooks-encryption.md:
##########
@@ -1,334 +0,0 @@
----
-id: cookbooks-encryption
-title: Configure end-to-end encryption
-sidebar_label: "Configure end-to-end encryption"
----
-
-````mdx-code-block

Review Comment:
   @tisonkun Thanks for the information. Will give it a try and see. 


