Posted to commits@pulsar.apache.org by pe...@apache.org on 2020/12/21 11:59:28 UTC
[pulsar] 02/02: Improve error handling when broker doesn't trust
client certificates (#8998)
This is an automated email from the ASF dual-hosted git repository.
penghui pushed a commit to branch branch-2.6
in repository https://gitbox.apache.org/repos/asf/pulsar.git
commit 56667b335c2043ea48afdc137724fdb732bae264
Author: Sijie Guo <si...@apache.org>
AuthorDate: Sun Dec 20 18:13:50 2020 -0800
Improve error handling when broker doesn't trust client certificates (#8998)
*Motivation*
When TLS throws `SSLPeerUnverifiedException`, broker doesn't log any information and just returns `null`.
It makes it very hard for users to debug the problem.
*Changes*
Improve the error handling when broker doesn't trust client certificates.
See more details at https://github.com/apache/pulsar/issues/8963
(cherry picked from commit a292b0ac5d123eeb9d95b9012ba5205a2e26d79f)
---
.../apache/pulsar/broker/authentication/AuthenticationDataCommand.java | 3 +++
.../apache/pulsar/broker/authentication/AuthenticationProviderTls.java | 3 +++
2 files changed, 6 insertions(+)
diff --git a/pulsar-broker-common/src/main/java/org/apache/pulsar/broker/authentication/AuthenticationDataCommand.java b/pulsar-broker-common/src/main/java/org/apache/pulsar/broker/authentication/AuthenticationDataCommand.java
index 7299eae..efc3329 100644
--- a/pulsar-broker-common/src/main/java/org/apache/pulsar/broker/authentication/AuthenticationDataCommand.java
+++ b/pulsar-broker-common/src/main/java/org/apache/pulsar/broker/authentication/AuthenticationDataCommand.java
@@ -23,7 +23,9 @@ import java.security.cert.Certificate;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;
+import lombok.extern.slf4j.Slf4j;
+@Slf4j
public class AuthenticationDataCommand implements AuthenticationDataSource {
protected final String authData;
protected final SocketAddress remoteAddress;
@@ -94,6 +96,7 @@ public class AuthenticationDataCommand implements AuthenticationDataSource {
try {
return sslSession.getPeerCertificates();
} catch (SSLPeerUnverifiedException e) {
+ log.error("Failed to verify the peer's identity", e);
return null;
}
}
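Review bot: The new log line records the verification failure but not which client caused it, even though the class has a `remoteAddress` field (visible in the first hunk), so an operator cannot correlate the entry with a connection; `log.error("Failed to verify the peer's identity from {}", remoteAddress, e);` would include it. Every client that reaches this path without a trusted certificate will also emit a full stack trace at ERROR level, presumably once per connection attempt, so a misconfigured or hostile client can flood the broker log; WARN without the stack trace, or a rate-limited log, is likely sufficient since the `null` return is already turned into an AuthenticationException by the check added in AuthenticationProviderTls. The enclosing getTlsCertificates method begins outside the hunk.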
diff --git a/pulsar-broker-common/src/main/java/org/apache/pulsar/broker/authentication/AuthenticationProviderTls.java b/pulsar-broker-common/src/main/java/org/apache/pulsar/broker/authentication/AuthenticationProviderTls.java
index 077ade2..de04c8a 100644
--- a/pulsar-broker-common/src/main/java/org/apache/pulsar/broker/authentication/AuthenticationProviderTls.java
+++ b/pulsar-broker-common/src/main/java/org/apache/pulsar/broker/authentication/AuthenticationProviderTls.java
@@ -72,6 +72,9 @@ public class AuthenticationProviderTls implements AuthenticationProvider {
// Example:
// CN=Steve Kille,O=Isode Limited,C=GB
Certificate[] certs = authData.getTlsCertificates();
+ if (null == certs) {
+ throw new AuthenticationException("Failed to get TLS certificates from client");
+ }
String distinguishedName = ((X509Certificate) certs[0]).getSubjectX500Principal().getName();
for (String keyValueStr : distinguishedName.split(",")) {
String[] keyValue = keyValueStr.split("=", 2);
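Review bot: The new null check still lets an empty certificate chain through: `certs[0]` on the following line then throws ArrayIndexOutOfBoundsException instead of the intended AuthenticationException. Widen the guard to `if (null == certs || certs.length == 0) {`. The cast to X509Certificate on that same line would likewise throw ClassCastException for a non-X.509 peer certificate; whether the SSL engine can produce one is not visible here, so that remains an unhandled case to confirm. The enclosing method starts and ends outside the hunk.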