You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@pulsar.apache.org by lh...@apache.org on 2022/06/01 08:27:23 UTC
[pulsar] branch branch-2.8 updated (945cc75d2c1 -> d38407652f6)
This is an automated email from the ASF dual-hosted git repository.
lhotari pushed a change to branch branch-2.8
in repository https://gitbox.apache.org/repos/asf/pulsar.git
from 945cc75d2c1 [fix][python]Fix generated Python protobuf code not compatible with latest protobuf package (#15846)
new d63cc31d764 Switch to rely on Netty for Hostname Verification (#15824)
new d38407652f6 Configure DLog Bookie, Pulsar, and Admin clients via pass through config (#15818)
The 2 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails. The revisions
listed as "add" were already present in the repository and have only
been added to this reference.
Summary of changes:
.../resources/authentication/tls/broker-cert.pem | 74 ++++++-------
.../test/resources/authentication/tls/cacert.pem | 110 ++++++++++----------
.../resources/authentication/tls/client-cert.pem | 74 ++++++-------
build/regenerate_certs_for_tests.sh | 25 ++---
conf/broker.conf | 14 ++-
conf/functions_worker.yml | 20 ++++
conf/proxy.conf | 4 +
conf/websocket.conf | 4 +
.../pulsar/broker/BookKeeperClientFactoryImpl.java | 16 ++-
.../org/apache/pulsar/broker/PulsarService.java | 29 ++++--
.../pulsar/broker/namespace/NamespaceService.java | 6 ++
.../pulsar/broker/service/BrokerService.java | 21 +++-
.../apache/pulsar/compaction/CompactorTool.java | 6 ++
...kerInternalClientConfigurationOverrideTest.java | 115 +++++++++++++++++++++
.../AuthenticationTlsHostnameVerificationTest.java | 34 ++----
.../PulsarClientConfigurationOverrideTest.java | 56 ++++++++++
.../websocket/proxy/ProxyConfigurationTest.java | 6 ++
.../pulsar/client/admin/PulsarAdminBuilder.java | 23 +++++
.../admin/internal/PulsarAdminBuilderImpl.java | 9 +-
.../admin/internal/http/AsyncHttpConnector.java | 9 +-
.../pulsar/client/internal/PropertiesUtils.java | 64 ++++++++++++
.../org/apache/pulsar/client/impl/ClientCnx.java | 48 ---------
.../org/apache/pulsar/client/impl/HttpClient.java | 1 +
.../client/impl/PulsarChannelInitializer.java | 7 ++
.../util/NettyClientSslContextRefresher.java | 3 +-
.../apache/pulsar/common/util/SecurityUtility.java | 10 ++
.../src/test/resources/test_worker_config.yml | 3 +
.../functions/worker/PulsarWorkerService.java | 12 ++-
.../pulsar/functions/worker/WorkerUtils.java | 45 +++++++-
.../pulsar/functions/worker/WorkerUtilsTest.java | 19 ++++
.../bookkeeper/BookKeeperPackagesStorage.java | 8 ++
.../BookKeeperPackagesStorageConfiguration.java | 4 +
.../core/PackagesStorageConfiguration.java | 6 ++
.../impl/DefaultPackagesStorageConfiguration.java | 5 +
.../pulsar/proxy/server/AdminProxyHandler.java | 7 +-
.../pulsar/proxy/server/DirectProxyHandler.java | 101 +++++++++++++-----
.../pulsar/proxy/server/ProxyConnection.java | 24 +++--
.../proxy/server/ServiceChannelInitializer.java | 66 +-----------
.../proxy/server/ProxyWithAuthorizationTest.java | 70 +++++++------
.../ProxyWithAuthorizationTest/broker-cacert.pem | 110 ++++++++++----------
.../tls/ProxyWithAuthorizationTest/broker-cert.pem | 74 ++++++-------
.../ProxyWithAuthorizationTest/client-cacert.pem | 110 ++++++++++----------
.../tls/ProxyWithAuthorizationTest/client-cert.pem | 74 ++++++-------
.../ProxyWithAuthorizationTest/proxy-cacert.pem | 110 ++++++++++----------
.../tls/ProxyWithAuthorizationTest/proxy-cert.pem | 74 ++++++-------
.../test/resources/authentication/tls/cacert.pem | 110 ++++++++++----------
.../resources/authentication/tls/client-cert.pem | 74 ++++++-------
.../resources/authentication/tls/server-cert.pem | 74 ++++++-------
.../apache/pulsar/websocket/WebSocketService.java | 7 +-
site2/docs/reference-configuration.md | 21 ++++
50 files changed, 1218 insertions(+), 778 deletions(-)
create mode 100644 pulsar-broker/src/test/java/org/apache/pulsar/broker/service/BrokerInternalClientConfigurationOverrideTest.java
create mode 100644 pulsar-broker/src/test/java/org/apache/pulsar/client/impl/PulsarClientConfigurationOverrideTest.java
create mode 100644 pulsar-client-api/src/main/java/org/apache/pulsar/client/internal/PropertiesUtils.java
[pulsar] 01/02: Switch to rely on Netty for Hostname Verification (#15824)
Posted by lh...@apache.org.
This is an automated email from the ASF dual-hosted git repository.
lhotari pushed a commit to branch branch-2.8
in repository https://gitbox.apache.org/repos/asf/pulsar.git
commit d63cc31d764efb076be9aa94d1ebe801b14e57a7
Author: Michael Marshall <mm...@apache.org>
AuthorDate: Wed Jun 1 00:00:01 2022 -0500
Switch to rely on Netty for Hostname Verification (#15824)
* Switch to relying on Netty for Hostname Verification
- Add "subjectAltName = DNS:localhost, IP:127.0.0.1" to unit test certs
Co-authored-by: Lari Hotari <lh...@apache.org>
(cherry picked from commit aa7700dbf45303fab8c874bd9e5fcf95745d2777)
---
.../resources/authentication/tls/broker-cert.pem | 74 +++++++-------
.../test/resources/authentication/tls/cacert.pem | 110 ++++++++++-----------
.../resources/authentication/tls/client-cert.pem | 74 +++++++-------
build/regenerate_certs_for_tests.sh | 25 +++--
.../AuthenticationTlsHostnameVerificationTest.java | 34 +++----
.../admin/internal/http/AsyncHttpConnector.java | 9 +-
.../org/apache/pulsar/client/impl/ClientCnx.java | 48 ---------
.../org/apache/pulsar/client/impl/HttpClient.java | 1 +
.../client/impl/PulsarChannelInitializer.java | 7 ++
.../util/NettyClientSslContextRefresher.java | 3 +-
.../apache/pulsar/common/util/SecurityUtility.java | 10 ++
.../pulsar/proxy/server/AdminProxyHandler.java | 7 +-
.../pulsar/proxy/server/DirectProxyHandler.java | 101 +++++++++++++------
.../pulsar/proxy/server/ProxyConnection.java | 9 +-
.../proxy/server/ServiceChannelInitializer.java | 66 +------------
.../proxy/server/ProxyWithAuthorizationTest.java | 70 +++++++------
.../ProxyWithAuthorizationTest/broker-cacert.pem | 110 ++++++++++-----------
.../tls/ProxyWithAuthorizationTest/broker-cert.pem | 74 +++++++-------
.../ProxyWithAuthorizationTest/client-cacert.pem | 110 ++++++++++-----------
.../tls/ProxyWithAuthorizationTest/client-cert.pem | 74 +++++++-------
.../ProxyWithAuthorizationTest/proxy-cacert.pem | 110 ++++++++++-----------
.../tls/ProxyWithAuthorizationTest/proxy-cert.pem | 74 +++++++-------
.../test/resources/authentication/tls/cacert.pem | 110 ++++++++++-----------
.../resources/authentication/tls/client-cert.pem | 74 +++++++-------
.../resources/authentication/tls/server-cert.pem | 74 +++++++-------
25 files changed, 714 insertions(+), 744 deletions(-)
diff --git a/bouncy-castle/bcfips-include-test/src/test/resources/authentication/tls/broker-cert.pem b/bouncy-castle/bcfips-include-test/src/test/resources/authentication/tls/broker-cert.pem
index 7f9effa6e92..e9be840d3a0 100644
--- a/bouncy-castle/bcfips-include-test/src/test/resources/authentication/tls/broker-cert.pem
+++ b/bouncy-castle/bcfips-include-test/src/test/resources/authentication/tls/broker-cert.pem
@@ -1,13 +1,13 @@
Certificate:
Data:
- Version: 1 (0x0)
+ Version: 3 (0x2)
Serial Number:
- 0c:26:15:df:8f:71:1d:6a:31:d0:da:af:64:ef:80:de:ac:9a:46:76
+ 61:e6:1b:07:90:6a:4f:f7:cd:46:b9:59:1d:3e:1c:39:0d:f2:5e:05
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN = CARoot
Validity
- Not Before: Apr 23 17:08:51 2021 GMT
- Not After : Apr 21 17:08:51 2031 GMT
+ Not Before: May 30 13:38:24 2022 GMT
+ Not After : May 27 13:38:24 2032 GMT
Subject: C = US, ST = CA, O = Apache, OU = Apache Pulsar, CN = localhost
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
@@ -32,37 +32,41 @@ Certificate:
a0:1a:81:9d:d2:e1:66:dd:c4:cc:fc:63:04:ac:ec:
a7:35
Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Subject Alternative Name:
+ DNS:localhost, IP Address:127.0.0.1
Signature Algorithm: sha256WithRSAEncryption
- 3a:38:c8:85:48:ed:84:c9:f4:bc:ef:b4:4b:a1:46:9c:97:9b:
- 5f:7e:1a:ff:9b:dc:93:0e:7e:ab:de:09:21:30:1f:7f:2a:f7:
- 94:d1:b3:07:3d:b1:71:4f:72:90:1f:41:3d:fe:34:14:ac:5a:
- 39:02:f1:a4:8a:d1:d3:c0:48:da:6f:37:dc:b5:1d:60:29:e6:
- c5:b0:ce:b4:52:8d:f6:6b:59:0b:e4:c8:f1:1a:40:3a:4f:bd:
- e2:dd:32:2f:21:3c:33:d7:61:5f:86:cd:94:31:31:f1:ff:c6:
- 08:9e:67:bc:8f:9d:bf:38:a8:8c:ff:3f:1f:fb:24:ab:bb:7c:
- fb:1b:c3:1b:62:b4:dd:21:d3:7b:19:92:16:b7:7d:f6:95:ee:
- 14:a0:83:de:c5:05:d8:af:44:1d:f7:eb:32:e2:03:ac:c9:12:
- df:11:b6:af:f8:b9:24:ae:55:3e:25:ae:2a:b2:d3:b6:6a:e9:
- f9:28:e6:e0:46:98:66:2c:0d:a3:fe:c7:82:48:13:80:f2:b2:
- d1:5c:7d:bb:11:1c:60:62:1b:f7:1a:11:e1:ee:29:70:f1:95:
- c1:67:c4:f1:e2:d5:f4:24:49:0d:6e:2f:65:7b:48:cd:40:f9:
- c9:26:a3:c7:41:20:d1:6e:2c:38:8e:1b:bc:93:fa:22:39:3d:
- 2a:f6:ba:77
+ 88:1d:a7:42:a1:1c:87:45:4a:e6:5e:aa:9c:7b:71:2e:5c:9e:
+ 11:85:0f:a3:c5:b4:ea:73:9e:b7:61:9d:4a:e9:cd:1a:c5:2e:
+ 03:be:a3:2b:b6:12:6a:15:03:04:3f:fb:4a:09:0d:84:0e:dd:
+ c0:63:2b:0f:13:fb:1f:98:64:49:48:e7:96:d5:41:c4:ca:94:
+ bf:ab:c5:ea:80:2c:ee:1f:ab:12:54:74:f1:f1:56:ea:03:c0:
+ 1c:0d:8d:b9:6e:b0:d0:5f:21:c1:d3:e3:45:df:cf:64:69:13:
+ 6c:54:79:06:7d:53:46:77:3c:21:cc:c4:6a:5f:f9:9a:07:0f:
+ a5:95:20:f0:0e:93:07:48:96:a9:2c:28:50:21:d7:f8:13:4f:
+ b8:ca:aa:1f:a6:41:7c:71:1f:ad:11:3f:3d:1e:e9:81:3c:86:
+ c1:af:2d:39:a0:13:9f:99:ec:9a:47:44:df:28:02:a7:1d:6a:
+ 8d:c0:1e:24:e8:19:fc:1d:dc:67:29:04:be:0a:d6:c5:81:59:
+ 27:2c:f5:e5:df:ba:0b:c6:50:e5:b3:bd:73:12:3e:2c:ef:a6:
+ 8a:ed:eb:86:9a:45:45:52:a3:44:78:12:60:17:e2:3a:32:92:
+ 03:6e:89:89:16:c5:e0:bc:be:a7:cb:93:4b:d8:56:33:a0:a0:
+ 53:b2:0d:a5
-----BEGIN CERTIFICATE-----
-MIIC7zCCAdcCFAwmFd+PcR1qMdDar2TvgN6smkZ2MA0GCSqGSIb3DQEBCwUAMBEx
-DzANBgNVBAMMBkNBUm9vdDAeFw0yMTA0MjMxNzA4NTFaFw0zMTA0MjExNzA4NTFa
-MFcxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTEPMA0GA1UEChMGQXBhY2hlMRYw
-FAYDVQQLEw1BcGFjaGUgUHVsc2FyMRIwEAYDVQQDEwlsb2NhbGhvc3QwggEiMA0G
-CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCvv7ctmK2d9tqjE9RiD5i+HKKJIrpv
-1f0fZ+ORA5iAgQ7t2PZwfyw2aD1T6lg6ptWJZku9HldxE21LEeVApXaEJJJAWICW
-yR8sxFXro3lzcFw3montL7pr44J8aUoCVIuBXjy/TIrL6ixeg+e3EAhfglijidHa
-kroqKO4wKD9brhBxlsfhEsWwGq1Eb0Q6EUqaPA+NBoB7NO8/bPRexURUHsjdx4CF
-gNlo5sZTA3fh/hhhB3cFTO1ZvF1BOGrvXaGyYJjUSCiVAooO/c97G9IRzBAMUHPX
-zDhsg915JqqQyJuEhrxZ6WJp9JgbxIB4fqAagZ3S4WbdxMz8YwSs7Kc1AgMBAAEw
-DQYJKoZIhvcNAQELBQADggEBADo4yIVI7YTJ9LzvtEuhRpyXm19+Gv+b3JMOfqve
-CSEwH38q95TRswc9sXFPcpAfQT3+NBSsWjkC8aSK0dPASNpvN9y1HWAp5sWwzrRS
-jfZrWQvkyPEaQDpPveLdMi8hPDPXYV+GzZQxMfH/xgieZ7yPnb84qIz/Px/7JKu7
-fPsbwxtitN0h03sZkha3ffaV7hSgg97FBdivRB336zLiA6zJEt8Rtq/4uSSuVT4l
-riqy07Zq6fko5uBGmGYsDaP+x4JIE4DystFcfbsRHGBiG/caEeHuKXDxlcFnxPHi
-1fQkSQ1uL2V7SM1A+ckmo8dBINFuLDiOG7yT+iI5PSr2unc=
+MIIDFDCCAfygAwIBAgIUYeYbB5BqT/fNRrlZHT4cOQ3yXgUwDQYJKoZIhvcNAQEL
+BQAwETEPMA0GA1UEAwwGQ0FSb290MB4XDTIyMDUzMDEzMzgyNFoXDTMyMDUyNzEz
+MzgyNFowVzELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMQ8wDQYDVQQKEwZBcGFj
+aGUxFjAUBgNVBAsTDUFwYWNoZSBQdWxzYXIxEjAQBgNVBAMTCWxvY2FsaG9zdDCC
+ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK+/ty2YrZ322qMT1GIPmL4c
+ookium/V/R9n45EDmICBDu3Y9nB/LDZoPVPqWDqm1YlmS70eV3ETbUsR5UCldoQk
+kkBYgJbJHyzEVeujeXNwXDeaie0vumvjgnxpSgJUi4FePL9MisvqLF6D57cQCF+C
+WKOJ0dqSuioo7jAoP1uuEHGWx+ESxbAarURvRDoRSpo8D40GgHs07z9s9F7FRFQe
+yN3HgIWA2WjmxlMDd+H+GGEHdwVM7Vm8XUE4au9dobJgmNRIKJUCig79z3sb0hHM
+EAxQc9fMOGyD3XkmqpDIm4SGvFnpYmn0mBvEgHh+oBqBndLhZt3EzPxjBKzspzUC
+AwEAAaMeMBwwGgYDVR0RBBMwEYIJbG9jYWxob3N0hwR/AAABMA0GCSqGSIb3DQEB
+CwUAA4IBAQCIHadCoRyHRUrmXqqce3EuXJ4RhQ+jxbTqc563YZ1K6c0axS4DvqMr
+thJqFQMEP/tKCQ2EDt3AYysPE/sfmGRJSOeW1UHEypS/q8XqgCzuH6sSVHTx8Vbq
+A8AcDY25brDQXyHB0+NF389kaRNsVHkGfVNGdzwhzMRqX/maBw+llSDwDpMHSJap
+LChQIdf4E0+4yqofpkF8cR+tET89HumBPIbBry05oBOfmeyaR0TfKAKnHWqNwB4k
+6Bn8HdxnKQS+CtbFgVknLPXl37oLxlDls71zEj4s76aK7euGmkVFUqNEeBJgF+I6
+MpIDbomJFsXgvL6ny5NL2FYzoKBTsg2l
-----END CERTIFICATE-----
diff --git a/bouncy-castle/bcfips-include-test/src/test/resources/authentication/tls/cacert.pem b/bouncy-castle/bcfips-include-test/src/test/resources/authentication/tls/cacert.pem
index 90fbb9b8898..21bbaba213f 100644
--- a/bouncy-castle/bcfips-include-test/src/test/resources/authentication/tls/cacert.pem
+++ b/bouncy-castle/bcfips-include-test/src/test/resources/authentication/tls/cacert.pem
@@ -2,76 +2,76 @@ Certificate:
Data:
Version: 3 (0x2)
Serial Number:
- 10:50:a0:5c:8e:cf:88:33:b6:b5:d2:1e:38:bf:78:56:2a:f1:09:22
+ 70:4c:6b:e0:aa:cc:01:77:f2:1f:04:8c:d4:72:03:a5:32:5f:c7:be
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN = CARoot
Validity
- Not Before: Apr 23 17:08:51 2021 GMT
- Not After : Apr 21 17:08:51 2031 GMT
+ Not Before: May 30 13:38:24 2022 GMT
+ Not After : May 27 13:38:24 2032 GMT
Subject: CN = CARoot
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
- 00:c4:92:ca:40:ce:8d:71:dd:e9:2b:e3:3b:b7:17:
- 1d:25:bf:12:66:c0:cb:32:18:32:3e:24:ea:e1:26:
- 1a:97:e8:85:4b:19:8e:c0:0a:da:a6:57:ec:31:a6:
- a8:68:d9:8e:5c:a2:00:54:30:11:47:a6:0e:84:0d:
- 6d:e3:48:a8:a6:e3:42:63:97:ef:91:c0:3a:bc:db:
- 77:77:3b:d0:45:fc:c5:a8:3a:74:dc:82:4e:83:ed:
- f9:9d:a0:30:11:0c:d9:20:7b:a6:04:60:a1:9c:41:
- 33:c6:04:d2:a7:e8:b1:46:e6:35:5e:fd:ca:2e:42:
- 2f:f4:0c:f7:6e:8d:60:f5:cf:82:7a:e3:eb:ed:d0:
- a1:51:a9:78:8d:14:2d:ca:ea:cc:fa:ae:a9:f9:6c:
- df:5c:cb:83:4a:42:22:5c:48:3e:a6:63:70:43:63:
- ff:3f:d8:1f:88:e1:91:7b:49:b9:67:10:8a:60:51:
- 24:68:db:68:24:5f:10:a5:a2:b3:95:83:7e:3c:88:
- 9c:1c:52:6a:2c:03:52:aa:90:90:85:21:78:a7:20:
- b0:e2:dc:79:b4:b7:57:f0:be:df:3b:fc:21:23:ee:
- ff:63:5d:0b:0d:3d:ab:61:54:8c:2d:96:44:7b:42:
- 10:60:3b:1d:a8:ab:33:01:e7:96:74:08:a6:f9:9d:
- ba:cf
+ 00:dc:9c:01:30:5f:c5:42:48:10:78:30:5d:66:20:
+ 0e:74:61:f6:82:74:9f:6f:b2:ed:00:9e:6c:21:b6:
+ 83:21:6b:54:34:e8:a9:dc:81:83:7a:0e:9f:cc:3d:
+ eb:97:ee:cf:ca:0e:5f:96:81:dc:e7:75:88:91:2f:
+ d5:65:74:c2:d8:67:58:d8:41:6a:5f:a9:79:dc:29:
+ 36:4a:b8:39:20:d2:f8:a8:59:9f:e3:be:f9:61:80:
+ 1b:ce:63:bb:12:56:06:b9:77:4e:6a:40:65:9b:bf:
+ 5b:f8:27:88:f5:ff:40:ee:47:bc:2d:8e:c3:a6:62:
+ 0d:18:76:d1:f5:af:1a:6b:25:4e:d4:55:15:f0:e3:
+ 97:1b:68:eb:75:b8:80:ea:64:ef:7e:e2:f0:5c:da:
+ 6d:d6:16:7b:0f:5e:ae:72:47:5a:df:0b:8a:e0:74:
+ c1:b7:82:0d:97:41:d7:84:16:51:40:37:15:a1:eb:
+ 70:0c:f1:5a:26:39:11:1e:97:b9:36:32:ce:16:b9:
+ 42:ad:31:5b:1e:89:f5:3e:07:0e:d6:fc:9a:46:8e:
+ 87:89:90:5c:f3:00:e4:9b:ce:7b:93:fe:9a:d8:65:
+ ec:49:5c:e8:eb:41:3d:53:bc:ce:e8:6d:44:ec:76:
+ 3f:e6:9b:13:e4:f8:d0:1c:00:e6:4f:73:e1:b0:27:
+ 6f:99
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
- C6:91:71:A0:C9:1F:A9:5A:87:7B:E5:10:FB:9A:2A:12:90:44:7D:A0
+ 8B:30:D2:81:7C:BE:AB:4D:76:37:19:2B:69:5E:DB:F7:81:95:73:F5
X509v3 Authority Key Identifier:
- keyid:C6:91:71:A0:C9:1F:A9:5A:87:7B:E5:10:FB:9A:2A:12:90:44:7D:A0
+ keyid:8B:30:D2:81:7C:BE:AB:4D:76:37:19:2B:69:5E:DB:F7:81:95:73:F5
X509v3 Basic Constraints: critical
CA:TRUE
Signature Algorithm: sha256WithRSAEncryption
- 5d:c2:68:9e:66:fb:67:39:fc:5e:2f:ba:4c:f0:20:3f:f9:4a:
- e2:b9:05:56:d6:5e:da:01:c7:8b:1a:70:e6:67:61:84:71:67:
- a8:11:bc:7c:4d:58:d0:52:44:71:19:47:87:60:cb:16:12:25:
- b2:b0:95:13:ff:52:00:36:78:2d:d3:ce:4e:c6:7d:1b:e5:8e:
- 37:23:8a:ef:c2:44:88:e2:bc:47:c4:ef:23:f5:8b:6d:fc:39:
- 3c:cb:7e:70:7c:60:51:33:5a:38:3a:fd:cc:8f:2c:08:d5:07:
- 06:f9:89:77:96:8e:60:21:e5:05:98:37:d6:c4:b7:a3:43:9e:
- 87:13:9d:12:c4:8f:6a:ad:a9:67:c4:3a:7e:14:77:c3:75:72:
- 95:e6:25:a2:14:e7:77:4d:8f:dd:45:ae:f0:f6:f3:fe:2b:cf:
- ea:0e:f8:61:66:45:db:9f:6b:e4:5e:b8:d4:04:41:68:e9:7c:
- a4:7e:c8:1c:4d:ec:49:49:57:a4:46:95:e8:0f:55:ea:08:2e:
- b9:7a:62:e2:be:05:00:d5:81:5f:60:60:58:4e:19:bc:24:ee:
- 0e:17:63:da:fd:40:44:c2:5f:7d:e9:26:b4:80:4d:db:88:4f:
- 31:a4:16:93:fd:a8:70:94:50:f1:23:92:20:fb:26:c3:9a:71:
- b1:9c:c9:db
+ 02:4c:80:4f:a4:b5:f4:70:be:82:cf:3a:ed:40:f9:97:17:22:
+ 07:5d:e0:9b:4e:54:f8:4b:64:99:f5:07:7f:87:5b:9c:60:ec:
+ 9f:69:e6:00:97:5a:cd:14:59:31:45:be:b7:bd:c4:ce:57:82:
+ 1a:4a:62:ce:8e:c8:59:d5:62:43:8b:94:c0:ab:c2:cc:3a:a0:
+ 69:d3:65:15:82:35:de:85:64:e6:7b:d9:3a:22:12:77:f7:71:
+ 82:86:d7:6c:e5:69:d5:3a:f2:a7:25:f7:dc:f3:6f:cb:eb:85:
+ 48:44:63:e2:6d:3c:82:eb:3a:c0:e1:bd:9d:3a:12:11:66:1f:
+ 05:8f:49:65:31:d6:cf:26:06:46:ba:73:c7:ad:61:fc:14:5f:
+ 68:d1:ee:02:5f:4b:98:b6:5b:0c:98:4e:61:7b:cb:35:ee:44:
+ a1:ce:e1:00:a2:56:f0:0d:72:3b:58:66:e8:9a:dc:62:d5:95:
+ 3e:5a:48:21:a8:7c:f8:1f:5a:13:db:53:33:11:3e:e6:14:39:
+ cd:2b:3f:77:5b:ee:f7:0c:59:69:2f:46:9a:34:56:89:05:8e:
+ 40:94:94:3f:95:f6:fa:f9:1a:e8:1a:80:7b:1d:f7:0c:a1:be:
+ e2:38:98:fd:0f:e7:68:4d:7d:fe:ae:5f:e3:32:c6:5d:37:77:
+ 7a:28:ce:cc
-----BEGIN CERTIFICATE-----
-MIIDAzCCAeugAwIBAgIUEFCgXI7PiDO2tdIeOL94VirxCSIwDQYJKoZIhvcNAQEL
-BQAwETEPMA0GA1UEAwwGQ0FSb290MB4XDTIxMDQyMzE3MDg1MVoXDTMxMDQyMTE3
-MDg1MVowETEPMA0GA1UEAwwGQ0FSb290MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
-MIIBCgKCAQEAxJLKQM6Ncd3pK+M7txcdJb8SZsDLMhgyPiTq4SYal+iFSxmOwAra
-plfsMaaoaNmOXKIAVDARR6YOhA1t40iopuNCY5fvkcA6vNt3dzvQRfzFqDp03IJO
-g+35naAwEQzZIHumBGChnEEzxgTSp+ixRuY1Xv3KLkIv9Az3bo1g9c+CeuPr7dCh
-Ual4jRQtyurM+q6p+WzfXMuDSkIiXEg+pmNwQ2P/P9gfiOGRe0m5ZxCKYFEkaNto
-JF8QpaKzlYN+PIicHFJqLANSqpCQhSF4pyCw4tx5tLdX8L7fO/whI+7/Y10LDT2r
-YVSMLZZEe0IQYDsdqKszAeeWdAim+Z26zwIDAQABo1MwUTAdBgNVHQ4EFgQUxpFx
-oMkfqVqHe+UQ+5oqEpBEfaAwHwYDVR0jBBgwFoAUxpFxoMkfqVqHe+UQ+5oqEpBE
-faAwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAXcJonmb7Zzn8
-Xi+6TPAgP/lK4rkFVtZe2gHHixpw5mdhhHFnqBG8fE1Y0FJEcRlHh2DLFhIlsrCV
-E/9SADZ4LdPOTsZ9G+WONyOK78JEiOK8R8TvI/WLbfw5PMt+cHxgUTNaODr9zI8s
-CNUHBvmJd5aOYCHlBZg31sS3o0OehxOdEsSPaq2pZ8Q6fhR3w3VyleYlohTnd02P
-3UWu8Pbz/ivP6g74YWZF259r5F641ARBaOl8pH7IHE3sSUlXpEaV6A9V6gguuXpi
-4r4FANWBX2BgWE4ZvCTuDhdj2v1ARMJffekmtIBN24hPMaQWk/2ocJRQ8SOSIPsm
-w5pxsZzJ2w==
+MIIDAzCCAeugAwIBAgIUcExr4KrMAXfyHwSM1HIDpTJfx74wDQYJKoZIhvcNAQEL
+BQAwETEPMA0GA1UEAwwGQ0FSb290MB4XDTIyMDUzMDEzMzgyNFoXDTMyMDUyNzEz
+MzgyNFowETEPMA0GA1UEAwwGQ0FSb290MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
+MIIBCgKCAQEA3JwBMF/FQkgQeDBdZiAOdGH2gnSfb7LtAJ5sIbaDIWtUNOip3IGD
+eg6fzD3rl+7Pyg5floHc53WIkS/VZXTC2GdY2EFqX6l53Ck2Srg5INL4qFmf4775
+YYAbzmO7ElYGuXdOakBlm79b+CeI9f9A7ke8LY7DpmINGHbR9a8aayVO1FUV8OOX
+G2jrdbiA6mTvfuLwXNpt1hZ7D16uckda3wuK4HTBt4INl0HXhBZRQDcVoetwDPFa
+JjkRHpe5NjLOFrlCrTFbHon1PgcO1vyaRo6HiZBc8wDkm857k/6a2GXsSVzo60E9
+U7zO6G1E7HY/5psT5PjQHADmT3PhsCdvmQIDAQABo1MwUTAdBgNVHQ4EFgQUizDS
+gXy+q012NxkraV7b94GVc/UwHwYDVR0jBBgwFoAUizDSgXy+q012NxkraV7b94GV
+c/UwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAAkyAT6S19HC+
+gs867UD5lxciB13gm05U+EtkmfUHf4dbnGDsn2nmAJdazRRZMUW+t73EzleCGkpi
+zo7IWdViQ4uUwKvCzDqgadNlFYI13oVk5nvZOiISd/dxgobXbOVp1TrypyX33PNv
+y+uFSERj4m08gus6wOG9nToSEWYfBY9JZTHWzyYGRrpzx61h/BRfaNHuAl9LmLZb
+DJhOYXvLNe5Eoc7hAKJW8A1yO1hm6JrcYtWVPlpIIah8+B9aE9tTMxE+5hQ5zSs/
+d1vu9wxZaS9GmjRWiQWOQJSUP5X2+vka6BqAex33DKG+4jiY/Q/naE19/q5f4zLG
+XTd3eijOzA==
-----END CERTIFICATE-----
diff --git a/bouncy-castle/bcfips-include-test/src/test/resources/authentication/tls/client-cert.pem b/bouncy-castle/bcfips-include-test/src/test/resources/authentication/tls/client-cert.pem
index e79bac70987..e5d9e6e74b2 100644
--- a/bouncy-castle/bcfips-include-test/src/test/resources/authentication/tls/client-cert.pem
+++ b/bouncy-castle/bcfips-include-test/src/test/resources/authentication/tls/client-cert.pem
@@ -1,13 +1,13 @@
Certificate:
Data:
- Version: 1 (0x0)
+ Version: 3 (0x2)
Serial Number:
- 0c:26:15:df:8f:71:1d:6a:31:d0:da:af:64:ef:80:de:ac:9a:46:77
+ 61:e6:1b:07:90:6a:4f:f7:cd:46:b9:59:1d:3e:1c:39:0d:f2:5e:06
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN = CARoot
Validity
- Not Before: Apr 23 17:08:51 2021 GMT
- Not After : Apr 21 17:08:51 2031 GMT
+ Not Before: May 30 13:38:24 2022 GMT
+ Not After : May 27 13:38:24 2032 GMT
Subject: C = US, ST = CA, O = Apache, OU = Apache Pulsar, CN = superUser
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
@@ -32,37 +32,41 @@ Certificate:
b6:98:ef:dd:03:82:58:a3:32:dc:90:a1:b6:a6:1e:
e1:0b
Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Subject Alternative Name:
+ DNS:localhost, IP Address:127.0.0.1
Signature Algorithm: sha256WithRSAEncryption
- 6f:c2:2f:41:a4:a0:45:10:33:61:20:27:d2:74:40:f9:80:3b:
- 06:88:91:c3:b8:4d:1a:c4:fd:39:9e:3a:c8:41:de:31:4e:ef:
- 8b:06:ce:17:e2:8e:b5:ee:43:92:0a:44:3d:55:e9:85:81:49:
- c9:19:44:15:f1:bd:ec:1e:cb:34:44:b1:01:c0:96:49:30:a4:
- 5a:64:44:6e:59:d9:b1:17:bf:01:13:b7:45:53:8c:8d:a7:79:
- fc:19:b4:a9:b5:9b:6f:16:8e:b3:de:5e:2a:db:01:f2:3e:b0:
- 8f:23:4f:8f:49:ee:d5:b7:98:54:6e:b5:be:8b:fc:05:87:e3:
- 8b:2e:70:28:2c:75:75:c3:76:a4:0d:5e:71:67:30:ec:69:cc:
- 2b:43:69:3b:e8:78:89:51:98:07:cb:21:e9:7a:76:a9:b3:e8:
- e6:19:e7:32:ae:3a:b8:24:c4:20:d8:c2:dc:91:99:d1:9b:8f:
- 77:3c:e7:a8:53:ee:91:fe:ed:2b:86:18:0a:55:44:46:78:a1:
- 78:41:a5:e9:fe:8b:db:bb:10:2e:72:52:b7:54:81:84:8b:f7:
- 29:f3:86:29:7f:f8:e2:d8:51:d8:b2:3c:c2:78:7c:a4:11:9c:
- 0a:42:64:1b:13:cc:91:1a:08:d9:ed:f1:23:5f:fd:b3:89:bb:
- 7a:cc:96:8d
+ 90:62:ba:7b:6f:45:95:7a:71:2f:e7:88:0c:64:b8:6c:05:86:
+ 7f:47:08:ce:d6:e2:5a:32:13:0c:82:ad:a7:af:f0:a2:f7:86:
+ 79:87:1a:89:78:95:b1:9f:be:c5:8b:39:fd:12:94:b6:e1:69:
+ ff:fa:1e:c3:82:d8:6c:03:80:45:ac:1c:06:70:bb:77:c3:41:
+ 5f:b6:9d:fe:36:6f:ae:23:6c:bf:43:79:8e:74:85:8e:96:89:
+ a9:c4:6d:d9:fa:05:ba:a8:11:7c:82:45:94:3d:9f:b6:7c:2f:
+ 4e:6d:37:c3:fb:79:7e:0c:d2:15:fa:0e:ea:2d:c9:24:f3:34:
+ 13:6f:db:d7:55:e1:0c:2f:7e:fe:4c:3b:fa:7e:03:26:0f:6a:
+ 95:d2:22:ce:27:71:6a:97:ac:36:0a:20:ec:19:a0:78:23:0c:
+ 54:f3:b1:dd:33:36:7c:b7:61:23:70:8f:7f:c8:5f:e8:9e:b5:
+ 02:31:4d:b3:40:b0:7b:b2:ee:14:a7:69:22:8b:38:85:5d:04:
+ 6e:d5:44:41:31:a7:4b:71:86:fb:81:cd:3d:db:96:23:0b:bc:
+ e1:67:46:0e:87:86:91:4e:1a:35:37:af:a4:ac:9a:de:e3:4f:
+ 82:47:f1:c4:16:58:11:8f:76:d2:4d:df:a1:c6:a2:8f:33:6d:
+ 72:15:28:76
-----BEGIN CERTIFICATE-----
-MIIC7zCCAdcCFAwmFd+PcR1qMdDar2TvgN6smkZ3MA0GCSqGSIb3DQEBCwUAMBEx
-DzANBgNVBAMMBkNBUm9vdDAeFw0yMTA0MjMxNzA4NTFaFw0zMTA0MjExNzA4NTFa
-MFcxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTEPMA0GA1UEChMGQXBhY2hlMRYw
-FAYDVQQLEw1BcGFjaGUgUHVsc2FyMRIwEAYDVQQDEwlzdXBlclVzZXIwggEiMA0G
-CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDNQ32YQPmwW7yu28ALrSaQluBiOO1o
-sXBGO95E+RRRhhDrypDniOj5kYXg3bW0FLl444bVVG1o7BSStPgiWwU97TElZQgF
-hMrmDCESWDLHGmCjT9JKnigZfEWEAIyJ3N6K5U+Ikcyk8YFFTH3C/+LBicYSc5Xi
-Nr3brotaaGqQUd4riF+qZ/So42PcvhmCzJ1/5o37gr4iAT1WEztbBLToxRjmLg36
-ukqN6MZaoVGaSmLXr920/OLVza6ZbFxhVgvXDBp3XPU6alS1njOsqXUomnav0HpX
-ABuREzH9QoghRwUQAS9Zu8c62eFYTBtscbaY790DglijMtyQobamHuELAgMBAAEw
-DQYJKoZIhvcNAQELBQADggEBAG/CL0GkoEUQM2EgJ9J0QPmAOwaIkcO4TRrE/Tme
-OshB3jFO74sGzhfijrXuQ5IKRD1V6YWBSckZRBXxveweyzREsQHAlkkwpFpkRG5Z
-2bEXvwETt0VTjI2nefwZtKm1m28WjrPeXirbAfI+sI8jT49J7tW3mFRutb6L/AWH
-44sucCgsdXXDdqQNXnFnMOxpzCtDaTvoeIlRmAfLIel6dqmz6OYZ5zKuOrgkxCDY
-wtyRmdGbj3c856hT7pH+7SuGGApVREZ4oXhBpen+i9u7EC5yUrdUgYSL9ynzhil/
-+OLYUdiyPMJ4fKQRnApCZBsTzJEaCNnt8SNf/bOJu3rMlo0=
+MIIDFDCCAfygAwIBAgIUYeYbB5BqT/fNRrlZHT4cOQ3yXgYwDQYJKoZIhvcNAQEL
+BQAwETEPMA0GA1UEAwwGQ0FSb290MB4XDTIyMDUzMDEzMzgyNFoXDTMyMDUyNzEz
+MzgyNFowVzELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMQ8wDQYDVQQKEwZBcGFj
+aGUxFjAUBgNVBAsTDUFwYWNoZSBQdWxzYXIxEjAQBgNVBAMTCXN1cGVyVXNlcjCC
+ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAM1DfZhA+bBbvK7bwAutJpCW
+4GI47WixcEY73kT5FFGGEOvKkOeI6PmRheDdtbQUuXjjhtVUbWjsFJK0+CJbBT3t
+MSVlCAWEyuYMIRJYMscaYKNP0kqeKBl8RYQAjInc3orlT4iRzKTxgUVMfcL/4sGJ
+xhJzleI2vduui1poapBR3iuIX6pn9KjjY9y+GYLMnX/mjfuCviIBPVYTO1sEtOjF
+GOYuDfq6So3oxlqhUZpKYtev3bT84tXNrplsXGFWC9cMGndc9TpqVLWeM6ypdSia
+dq/QelcAG5ETMf1CiCFHBRABL1m7xzrZ4VhMG2xxtpjv3QOCWKMy3JChtqYe4QsC
+AwEAAaMeMBwwGgYDVR0RBBMwEYIJbG9jYWxob3N0hwR/AAABMA0GCSqGSIb3DQEB
+CwUAA4IBAQCQYrp7b0WVenEv54gMZLhsBYZ/RwjO1uJaMhMMgq2nr/Ci94Z5hxqJ
+eJWxn77Fizn9EpS24Wn/+h7DgthsA4BFrBwGcLt3w0Fftp3+Nm+uI2y/Q3mOdIWO
+lompxG3Z+gW6qBF8gkWUPZ+2fC9ObTfD+3l+DNIV+g7qLckk8zQTb9vXVeEML37+
+TDv6fgMmD2qV0iLOJ3Fql6w2CiDsGaB4IwxU87HdMzZ8t2EjcI9/yF/onrUCMU2z
+QLB7su4Up2kiiziFXQRu1URBMadLcYb7gc0925YjC7zhZ0YOh4aRTho1N6+krJre
+40+CR/HEFlgRj3bSTd+hxqKPM21yFSh2
-----END CERTIFICATE-----
diff --git a/build/regenerate_certs_for_tests.sh b/build/regenerate_certs_for_tests.sh
index 7e4cf8474e2..fb0274cc193 100755
--- a/build/regenerate_certs_for_tests.sh
+++ b/build/regenerate_certs_for_tests.sh
@@ -34,7 +34,7 @@ function reissue_certificate() {
keyfile=$1
certfile=$2
openssl x509 -x509toreq -in $certfile -signkey $keyfile -out ${certfile}.csr
- openssl x509 -req -CA ca-cert.pem -CAkey ca-key -in ${certfile}.csr -text -outform pem -out $certfile -days 3650 -CAcreateserial
+ openssl x509 -req -CA ca-cert.pem -CAkey ca-key -in ${certfile}.csr -text -outform pem -out $certfile -days 3650 -CAcreateserial -extfile <(printf "subjectAltName = DNS:localhost, IP:127.0.0.1")
}
generate_ca
@@ -44,6 +44,16 @@ reissue_certificate $ROOT_DIR/pulsar-proxy/src/test/resources/authentication/tls
reissue_certificate $ROOT_DIR/pulsar-proxy/src/test/resources/authentication/tls/server-key.pem \
$ROOT_DIR/pulsar-proxy/src/test/resources/authentication/tls/server-cert.pem
+# use same CA key and cert for ProxyWithAuthorizationTest/client-cacert.pem
+cp ca-cert.pem $ROOT_DIR/pulsar-proxy/src/test/resources/authentication/tls/ProxyWithAuthorizationTest/client-cacert.pem
+reissue_certificate $ROOT_DIR/pulsar-proxy/src/test/resources/authentication/tls/ProxyWithAuthorizationTest/client-key.pem \
+ $ROOT_DIR/pulsar-proxy/src/test/resources/authentication/tls/ProxyWithAuthorizationTest/client-cert.pem
+
+# use same CA key and cert for ProxyWithAuthorizationTest/proxy-cacert.pem
+cp ca-cert.pem $ROOT_DIR/pulsar-proxy/src/test/resources/authentication/tls/ProxyWithAuthorizationTest/proxy-cacert.pem
+reissue_certificate $ROOT_DIR/pulsar-proxy/src/test/resources/authentication/tls/ProxyWithAuthorizationTest/proxy-key.pem \
+ $ROOT_DIR/pulsar-proxy/src/test/resources/authentication/tls/ProxyWithAuthorizationTest/proxy-cert.pem
+
generate_ca
cp ca-cert.pem $ROOT_DIR/bouncy-castle/bcfips-include-test/src/test/resources/authentication/tls/cacert.pem
reissue_certificate $ROOT_DIR/bouncy-castle/bcfips-include-test/src/test/resources/authentication/tls/broker-key.pem \
@@ -56,18 +66,5 @@ cp ca-cert.pem $ROOT_DIR/pulsar-proxy/src/test/resources/authentication/tls/Prox
reissue_certificate $ROOT_DIR/pulsar-proxy/src/test/resources/authentication/tls/ProxyWithAuthorizationTest/broker-key.pem \
$ROOT_DIR/pulsar-proxy/src/test/resources/authentication/tls/ProxyWithAuthorizationTest/broker-cert.pem
-generate_ca
-cp ca-cert.pem $ROOT_DIR/pulsar-proxy/src/test/resources/authentication/tls/ProxyWithAuthorizationTest/client-cacert.pem
-reissue_certificate $ROOT_DIR/pulsar-proxy/src/test/resources/authentication/tls/ProxyWithAuthorizationTest/client-key.pem \
- $ROOT_DIR/pulsar-proxy/src/test/resources/authentication/tls/ProxyWithAuthorizationTest/client-cert.pem
-
-generate_ca
-cp ca-cert.pem $ROOT_DIR/pulsar-proxy/src/test/resources/authentication/tls/ProxyWithAuthorizationTest/proxy-cacert.pem
-reissue_certificate $ROOT_DIR/pulsar-proxy/src/test/resources/authentication/tls/ProxyWithAuthorizationTest/proxy-key.pem \
- $ROOT_DIR/pulsar-proxy/src/test/resources/authentication/tls/ProxyWithAuthorizationTest/proxy-cert.pem
-
-
-
-
cd $ROOT_DIR
rm -rf /tmp/keygendir$$
diff --git a/pulsar-broker/src/test/java/org/apache/pulsar/client/api/AuthenticationTlsHostnameVerificationTest.java b/pulsar-broker/src/test/java/org/apache/pulsar/client/api/AuthenticationTlsHostnameVerificationTest.java
index bb8a02143e5..157b35a8aa9 100644
--- a/pulsar-broker/src/test/java/org/apache/pulsar/client/api/AuthenticationTlsHostnameVerificationTest.java
+++ b/pulsar-broker/src/test/java/org/apache/pulsar/client/api/AuthenticationTlsHostnameVerificationTest.java
@@ -18,8 +18,7 @@
*/
package org.apache.pulsar.client.api;
-import static org.mockito.Mockito.spy;
-
+import com.google.common.collect.Sets;
import java.lang.reflect.Method;
import java.util.HashMap;
import java.util.HashSet;
@@ -27,16 +26,12 @@ import java.util.Map;
import java.util.Optional;
import java.util.Set;
import java.util.concurrent.TimeUnit;
-
import org.apache.pulsar.broker.authentication.AuthenticationProviderBasic;
import org.apache.pulsar.broker.authentication.AuthenticationProviderTls;
-import org.apache.pulsar.client.admin.PulsarAdmin;
import org.apache.pulsar.client.impl.auth.AuthenticationTls;
-import org.apache.pulsar.common.policies.data.ClusterData;
import org.apache.pulsar.common.tls.PublicSuffixMatcher;
import org.apache.pulsar.common.tls.TlsHostnameVerifier;
import org.apache.pulsar.common.policies.data.ClusterDataImpl;
-import org.apache.pulsar.common.policies.data.TenantInfoImpl;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.testng.Assert;
@@ -44,8 +39,6 @@ import org.testng.annotations.AfterMethod;
import org.testng.annotations.DataProvider;
import org.testng.annotations.Test;
-import com.google.common.collect.Sets;
-
@Test(groups = "broker-api")
public class AuthenticationTlsHostnameVerificationTest extends ProducerConsumerBase {
private static final Logger log = LoggerFactory.getLogger(AuthenticationTlsHostnameVerificationTest.class);
@@ -65,8 +58,13 @@ public class AuthenticationTlsHostnameVerificationTest extends ProducerConsumerB
private final String BASIC_CONF_FILE_PATH = "./src/test/resources/authentication/basic/.htpasswd";
private boolean hostnameVerificationEnabled = true;
+ private String clientTrustCertFilePath = TLS_TRUST_CERT_FILE_PATH;
protected void setup() throws Exception {
+ super.internalSetup();
+ super.producerBaseSetup();
+ super.stopBroker();
+
if (methodName.equals("testAnonymousSyncProducerAndConsumer")) {
conf.setAnonymousUserRole("anonymousUser");
}
@@ -74,7 +72,7 @@ public class AuthenticationTlsHostnameVerificationTest extends ProducerConsumerB
conf.setAuthenticationEnabled(true);
conf.setAuthorizationEnabled(true);
- conf.setTlsAllowInsecureConnection(true);
+ conf.setTlsAllowInsecureConnection(false);
Set<String> superUserRoles = new HashSet<>();
superUserRoles.add("localhost");
@@ -96,7 +94,7 @@ public class AuthenticationTlsHostnameVerificationTest extends ProducerConsumerB
conf.setClusterName("test");
conf.setNumExecutorThreadPoolSize(5);
- super.init();
+ startBroker();
setupClient();
}
@@ -109,22 +107,11 @@ public class AuthenticationTlsHostnameVerificationTest extends ProducerConsumerB
Authentication authTls = new AuthenticationTls();
authTls.configure(authParams);
- admin = spy(PulsarAdmin.builder().serviceHttpUrl(brokerUrlTls.toString())
- .tlsTrustCertsFilePath(TLS_MIM_TRUST_CERT_FILE_PATH).allowTlsInsecureConnection(true)
- .authentication(authTls).build());
replacePulsarClient(PulsarClient.builder()
.serviceUrl(pulsar.getBrokerServiceUrlTls())
.statsInterval(0, TimeUnit.SECONDS)
- .tlsTrustCertsFilePath(TLS_MIM_TRUST_CERT_FILE_PATH).allowTlsInsecureConnection(true)
+ .tlsTrustCertsFilePath(clientTrustCertFilePath)
.authentication(authTls).enableTls(true).enableTlsHostnameVerification(hostnameVerificationEnabled));
-
- admin.clusters().createCluster("test", ClusterData.builder()
- .serviceUrl(brokerUrl.toString())
- .build());
-
- admin.tenants().createTenant("my-property",
- new TenantInfoImpl(Sets.newHashSet("appid1", "appid2"), Sets.newHashSet("test")));
- admin.namespaces().createNamespace("my-property/my-ns", Sets.newHashSet("test"));
}
@AfterMethod(alwaysRun = true)
@@ -157,10 +144,11 @@ public class AuthenticationTlsHostnameVerificationTest extends ProducerConsumerB
log.info("-- Starting {} test --", methodName);
this.hostnameVerificationEnabled = hostnameVerificationEnabled;
+ clientTrustCertFilePath = TLS_MIM_TRUST_CERT_FILE_PATH;
// setup broker cert which has CN = "pulsar" different than broker's hostname="localhost"
conf.setBrokerServicePortTls(Optional.of(0));
conf.setWebServicePortTls(Optional.of(0));
- conf.setTlsTrustCertsFilePath(TLS_MIM_TRUST_CERT_FILE_PATH);
+ conf.setTlsTrustCertsFilePath(TLS_TRUST_CERT_FILE_PATH);
conf.setTlsCertificateFilePath(TLS_MIM_SERVER_CERT_FILE_PATH);
conf.setTlsKeyFilePath(TLS_MIM_SERVER_KEY_FILE_PATH);
conf.setBrokerClientAuthenticationParameters(
diff --git a/pulsar-client-admin/src/main/java/org/apache/pulsar/client/admin/internal/http/AsyncHttpConnector.java b/pulsar-client-admin/src/main/java/org/apache/pulsar/client/admin/internal/http/AsyncHttpConnector.java
index 1f302f6586c..5de7ea0095a 100644
--- a/pulsar-client-admin/src/main/java/org/apache/pulsar/client/admin/internal/http/AsyncHttpConnector.java
+++ b/pulsar-client-admin/src/main/java/org/apache/pulsar/client/admin/internal/http/AsyncHttpConnector.java
@@ -128,7 +128,7 @@ public class AsyncHttpConnector implements Connector {
params != null ? params.getKeyStoreType() : null,
params != null ? params.getKeyStorePath() : null,
params != null ? params.getKeyStorePassword() : null,
- conf.isTlsAllowInsecureConnection() || !conf.isTlsHostnameVerificationEnable(),
+ conf.isTlsAllowInsecureConnection(),
conf.getTlsTrustStoreType(),
conf.getTlsTrustStorePath(),
conf.getTlsTrustStorePassword(),
@@ -147,12 +147,12 @@ public class AsyncHttpConnector implements Connector {
sslCtx = authData.getTlsTrustStoreStream() == null
? SecurityUtility.createAutoRefreshSslContextForClient(
sslProvider,
- conf.isTlsAllowInsecureConnection() || !conf.isTlsHostnameVerificationEnable(),
+ conf.isTlsAllowInsecureConnection(),
conf.getTlsTrustCertsFilePath(), authData.getTlsCerificateFilePath(),
authData.getTlsPrivateKeyFilePath(), null, autoCertRefreshTimeSeconds, delayer)
: SecurityUtility.createNettySslContextForClient(
sslProvider,
- conf.isTlsAllowInsecureConnection() || !conf.isTlsHostnameVerificationEnable(),
+ conf.isTlsAllowInsecureConnection(),
authData.getTlsTrustStoreStream(), authData.getTlsCertificates(),
authData.getTlsPrivateKey(),
conf.getTlsCiphers(),
@@ -160,7 +160,7 @@ public class AsyncHttpConnector implements Connector {
} else {
sslCtx = SecurityUtility.createNettySslContextForClient(
sslProvider,
- conf.isTlsAllowInsecureConnection() || !conf.isTlsHostnameVerificationEnable(),
+ conf.isTlsAllowInsecureConnection(),
conf.getTlsTrustCertsFilePath(),
conf.getTlsCiphers(),
conf.getTlsProtocols());
@@ -168,6 +168,7 @@ public class AsyncHttpConnector implements Connector {
confBuilder.setSslContext(sslCtx);
}
}
+ confBuilder.setDisableHttpsEndpointIdentificationAlgorithm(!conf.isTlsHostnameVerificationEnable());
}
httpClient = new DefaultAsyncHttpClient(confBuilder.build());
this.readTimeout = Duration.ofMillis(readTimeoutMs);
diff --git a/pulsar-client/src/main/java/org/apache/pulsar/client/impl/ClientCnx.java b/pulsar-client/src/main/java/org/apache/pulsar/client/impl/ClientCnx.java
index e8caecf1889..bb686553d78 100644
--- a/pulsar-client/src/main/java/org/apache/pulsar/client/impl/ClientCnx.java
+++ b/pulsar-client/src/main/java/org/apache/pulsar/client/impl/ClientCnx.java
@@ -24,12 +24,10 @@ import static org.apache.pulsar.common.util.Runnables.catchingAndLoggingThrowabl
import com.google.common.collect.Queues;
import io.netty.buffer.ByteBuf;
import io.netty.channel.Channel;
-import io.netty.channel.ChannelHandler;
import io.netty.channel.ChannelHandlerContext;
import io.netty.channel.EventLoopGroup;
import io.netty.channel.unix.Errors.NativeIoException;
import io.netty.handler.codec.LengthFieldBasedFrameDecoder;
-import io.netty.handler.ssl.SslHandler;
import io.netty.util.concurrent.Promise;
import java.net.InetSocketAddress;
import java.net.SocketAddress;
@@ -46,7 +44,6 @@ import java.util.concurrent.ScheduledFuture;
import java.util.concurrent.Semaphore;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.atomic.AtomicIntegerFieldUpdater;
-import javax.net.ssl.SSLSession;
import lombok.Getter;
import org.apache.commons.lang3.exception.ExceptionUtils;
import org.apache.commons.lang3.tuple.Pair;
@@ -150,9 +147,6 @@ public class ClientCnx extends PulsarHandler {
protected String proxyToTargetBrokerAddress = null;
// Remote hostName with which client is connected
protected String remoteHostName = null;
- private boolean isTlsHostnameVerificationEnable;
-
- private static final TlsHostnameVerifier HOSTNAME_VERIFIER = new TlsHostnameVerifier();
private ScheduledFuture<?> timeoutTask;
@@ -216,7 +210,6 @@ public class ClientCnx extends PulsarHandler {
this.maxNumberOfRejectedRequestPerConnection = conf.getMaxNumberOfRejectedRequestPerConnection();
this.operationTimeoutMs = conf.getOperationTimeoutMs();
this.state = State.None;
- this.isTlsHostnameVerificationEnable = conf.isTlsHostnameVerificationEnable();
this.protocolVersion = protocolVersion;
}
@@ -314,14 +307,6 @@ public class ClientCnx extends PulsarHandler {
@Override
protected void handleConnected(CommandConnected connected) {
-
- if (isTlsHostnameVerificationEnable && remoteHostName != null && !verifyTlsHostName(remoteHostName, ctx)) {
- // close the connection if host-verification failed with the broker
- log.warn("[{}] Failed to verify hostname of {}", ctx.channel(), remoteHostName);
- ctx.close();
- return;
- }
-
checkArgument(state == State.SentConnectFrame || state == State.Connecting);
if (connected.hasMaxMessageSize()) {
if (log.isDebugEnabled()) {
@@ -1038,39 +1023,6 @@ public class ClientCnx extends PulsarHandler {
}
}
- /**
- * verifies host name provided in x509 Certificate in tls session
- *
- * it matches hostname with below scenarios
- *
- * <pre>
- * 1. Supports IPV4 and IPV6 host matching
- * 2. Supports wild card matching for DNS-name
- * eg:
- * HostName CN Result
- * 1. localhost localhost PASS
- * 2. localhost local* PASS
- * 3. pulsar1-broker.com pulsar*.com PASS
- * </pre>
- *
- * @param ctx
- * @return true if hostname is verified else return false
- */
- private boolean verifyTlsHostName(String hostname, ChannelHandlerContext ctx) {
- ChannelHandler sslHandler = ctx.channel().pipeline().get("tls");
-
- SSLSession sslSession = null;
- if (sslHandler != null) {
- sslSession = ((SslHandler) sslHandler).engine().getSession();
- if (log.isDebugEnabled()) {
- log.debug("Verifying HostName for {}, Cipher {}, Protocols {}", hostname, sslSession.getCipherSuite(),
- sslSession.getProtocol());
- }
- return HOSTNAME_VERIFIER.verify(hostname, sslSession);
- }
- return false;
- }
-
void registerConsumer(final long consumerId, final ConsumerImpl<?> consumer) {
consumers.put(consumerId, consumer);
}
diff --git a/pulsar-client/src/main/java/org/apache/pulsar/client/impl/HttpClient.java b/pulsar-client/src/main/java/org/apache/pulsar/client/impl/HttpClient.java
index 2a7e434cd38..49caabcd351 100644
--- a/pulsar-client/src/main/java/org/apache/pulsar/client/impl/HttpClient.java
+++ b/pulsar-client/src/main/java/org/apache/pulsar/client/impl/HttpClient.java
@@ -136,6 +136,7 @@ public class HttpClient implements Closeable {
}
confBuilder.setUseInsecureTrustManager(conf.isTlsAllowInsecureConnection());
+ confBuilder.setDisableHttpsEndpointIdentificationAlgorithm(!conf.isTlsHostnameVerificationEnable());
} catch (GeneralSecurityException e) {
throw new PulsarClientException.InvalidConfigurationException(e);
} catch (Exception e) {
diff --git a/pulsar-client/src/main/java/org/apache/pulsar/client/impl/PulsarChannelInitializer.java b/pulsar-client/src/main/java/org/apache/pulsar/client/impl/PulsarChannelInitializer.java
index 2a55a1e05ca..048dbfdb845 100644
--- a/pulsar-client/src/main/java/org/apache/pulsar/client/impl/PulsarChannelInitializer.java
+++ b/pulsar-client/src/main/java/org/apache/pulsar/client/impl/PulsarChannelInitializer.java
@@ -51,6 +51,7 @@ public class PulsarChannelInitializer extends ChannelInitializer<SocketChannel>
private final Supplier<ClientCnx> clientCnxSupplier;
@Getter
private final boolean tlsEnabled;
+ private final boolean tlsHostnameVerificationEnabled;
private final boolean tlsEnabledWithKeyStore;
private final Supplier<SslContext> sslContextSupplier;
@@ -63,6 +64,7 @@ public class PulsarChannelInitializer extends ChannelInitializer<SocketChannel>
super();
this.clientCnxSupplier = clientCnxSupplier;
this.tlsEnabled = conf.isUseTls();
+ this.tlsHostnameVerificationEnabled = conf.isTlsHostnameVerificationEnable();
this.tlsEnabledWithKeyStore = conf.isUseKeyStoreTls();
if (tlsEnabled) {
@@ -160,6 +162,11 @@ public class PulsarChannelInitializer extends ChannelInitializer<SocketChannel>
? new SslHandler(nettySSLContextAutoRefreshBuilder.get()
.createSSLEngine(sniHost.getHostString(), sniHost.getPort()))
: sslContextSupplier.get().newHandler(ch.alloc(), sniHost.getHostString(), sniHost.getPort());
+
+ if (tlsHostnameVerificationEnabled) {
+ SecurityUtility.configureSSLHandler(handler);
+ }
+
ch.pipeline().addFirst(TLS_HANDLER, handler);
initTlsFuture.complete(ch);
} catch (Throwable t) {
diff --git a/pulsar-common/src/main/java/org/apache/pulsar/common/util/NettyClientSslContextRefresher.java b/pulsar-common/src/main/java/org/apache/pulsar/common/util/NettyClientSslContextRefresher.java
index 5a0105fc282..8938c72503e 100644
--- a/pulsar-common/src/main/java/org/apache/pulsar/common/util/NettyClientSslContextRefresher.java
+++ b/pulsar-common/src/main/java/org/apache/pulsar/common/util/NettyClientSslContextRefresher.java
@@ -49,8 +49,7 @@ public class NettyClientSslContextRefresher extends SslContextAutoRefreshBuilder
AuthenticationDataProvider authData,
Set<String> ciphers,
Set<String> protocols,
- long delayInSeconds)
- throws IOException, GeneralSecurityException {
+ long delayInSeconds) {
super(delayInSeconds);
this.tlsAllowInsecureConnection = allowInsecure;
this.tlsTrustCertsFilePath = new FileModifiedTimeUpdater(trustCertsFilePath);
diff --git a/pulsar-common/src/main/java/org/apache/pulsar/common/util/SecurityUtility.java b/pulsar-common/src/main/java/org/apache/pulsar/common/util/SecurityUtility.java
index 0bde6e3ed5c..0c6a26de3cd 100644
--- a/pulsar-common/src/main/java/org/apache/pulsar/common/util/SecurityUtility.java
+++ b/pulsar-common/src/main/java/org/apache/pulsar/common/util/SecurityUtility.java
@@ -21,6 +21,7 @@ package org.apache.pulsar.common.util;
import io.netty.handler.ssl.ClientAuth;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;
+import io.netty.handler.ssl.SslHandler;
import io.netty.handler.ssl.SslProvider;
import io.netty.handler.ssl.util.InsecureTrustManagerFactory;
import java.io.BufferedReader;
@@ -57,7 +58,9 @@ import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
+import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLException;
+import javax.net.ssl.SSLParameters;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import lombok.extern.slf4j.Slf4j;
@@ -550,6 +553,13 @@ public class SecurityUtility {
}
}
+ public static void configureSSLHandler(SslHandler handler) {
+ SSLEngine sslEngine = handler.engine();
+ SSLParameters sslParameters = sslEngine.getSSLParameters();
+ sslParameters.setEndpointIdentificationAlgorithm("HTTPS");
+ sslEngine.setSSLParameters(sslParameters);
+ }
+
public static Provider resolveProvider(String providerName) throws NoSuchAlgorithmException {
Provider provider = null;
if (!StringUtils.isEmpty(providerName)) {
diff --git a/pulsar-proxy/src/main/java/org/apache/pulsar/proxy/server/AdminProxyHandler.java b/pulsar-proxy/src/main/java/org/apache/pulsar/proxy/server/AdminProxyHandler.java
index 5c86d2be089..de72d513e3c 100644
--- a/pulsar-proxy/src/main/java/org/apache/pulsar/proxy/server/AdminProxyHandler.java
+++ b/pulsar-proxy/src/main/java/org/apache/pulsar/proxy/server/AdminProxyHandler.java
@@ -258,10 +258,11 @@ class AdminProxyHandler extends ProxyServlet {
);
}
-
- SslContextFactory contextFactory = new SslContextFactory.Client(true);
+ SslContextFactory contextFactory = new SslContextFactory.Client();
contextFactory.setSslContext(sslCtx);
-
+ if (!config.isTlsHostnameVerificationEnabled()) {
+ contextFactory.setEndpointIdentificationAlgorithm(null);
+ }
return new JettyHttpClient(contextFactory);
} catch (Exception e) {
try {
diff --git a/pulsar-proxy/src/main/java/org/apache/pulsar/proxy/server/DirectProxyHandler.java b/pulsar-proxy/src/main/java/org/apache/pulsar/proxy/server/DirectProxyHandler.java
index 24802f60a3d..8ffcdb0acd5 100644
--- a/pulsar-proxy/src/main/java/org/apache/pulsar/proxy/server/DirectProxyHandler.java
+++ b/pulsar-proxy/src/main/java/org/apache/pulsar/proxy/server/DirectProxyHandler.java
@@ -21,13 +21,13 @@ package org.apache.pulsar.proxy.server;
import static com.google.common.base.Preconditions.checkArgument;
import static com.google.common.base.Preconditions.checkState;
+import static org.apache.commons.lang3.StringUtils.isEmpty;
import io.netty.bootstrap.Bootstrap;
import io.netty.buffer.ByteBuf;
import io.netty.buffer.Unpooled;
import io.netty.channel.Channel;
import io.netty.channel.ChannelFuture;
import io.netty.channel.ChannelFutureListener;
-import io.netty.channel.ChannelHandler;
import io.netty.channel.ChannelHandlerContext;
import io.netty.channel.ChannelInitializer;
import io.netty.channel.ChannelOption;
@@ -37,18 +37,19 @@ import io.netty.handler.codec.haproxy.HAProxyCommand;
import io.netty.handler.codec.haproxy.HAProxyMessage;
import io.netty.handler.codec.haproxy.HAProxyProtocolVersion;
import io.netty.handler.codec.haproxy.HAProxyProxiedProtocol;
+import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslHandler;
+import io.netty.handler.ssl.SslProvider;
import io.netty.handler.timeout.ReadTimeoutHandler;
import io.netty.util.CharsetUtil;
import java.net.InetSocketAddress;
import java.util.Arrays;
import java.util.concurrent.TimeUnit;
-import java.util.function.Supplier;
-import javax.net.ssl.SSLSession;
import lombok.Getter;
import org.apache.pulsar.PulsarVersion;
import org.apache.pulsar.client.api.Authentication;
import org.apache.pulsar.client.api.AuthenticationDataProvider;
+import org.apache.pulsar.client.api.AuthenticationFactory;
import org.apache.pulsar.client.api.PulsarClientException;
import org.apache.pulsar.common.allocator.PulsarByteBufAllocator;
import org.apache.pulsar.common.api.AuthData;
@@ -57,7 +58,10 @@ import org.apache.pulsar.common.api.proto.CommandConnected;
import org.apache.pulsar.common.protocol.Commands;
import org.apache.pulsar.common.protocol.PulsarDecoder;
import org.apache.pulsar.common.stats.Rate;
-import org.apache.pulsar.common.tls.TlsHostnameVerifier;
+import org.apache.pulsar.common.util.NettyClientSslContextRefresher;
+import org.apache.pulsar.common.util.SecurityUtility;
+import org.apache.pulsar.common.util.SslContextAutoRefreshBuilder;
+import org.apache.pulsar.common.util.keystoretls.NettySSLContextAutoRefreshBuilder;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@@ -79,6 +83,11 @@ public class DirectProxyHandler {
private AuthenticationDataProvider authenticationDataProvider;
private final ProxyService service;
private final Runnable onHandshakeCompleteAction;
+ private final boolean tlsHostnameVerificationEnabled;
+ private final boolean tlsEnabledWithKeyStore;
+ private final boolean tlsEnabledWithBroker;
+ private final SslContextAutoRefreshBuilder<SslContext> clientSslCtxRefresher;
+ private final NettySSLContextAutoRefreshBuilder clientSSLContextAutoRefreshBuilder;
public DirectProxyHandler(ProxyService service, ProxyConnection proxyConnection) {
this.service = service;
@@ -89,11 +98,59 @@ public class DirectProxyHandler {
this.originalPrincipal = proxyConnection.clientAuthRole;
this.clientAuthData = proxyConnection.clientAuthData;
this.clientAuthMethod = proxyConnection.clientAuthMethod;
+ this.tlsEnabledWithBroker = service.getConfiguration().isTlsEnabledWithBroker();
+ this.tlsHostnameVerificationEnabled = service.getConfiguration().isTlsHostnameVerificationEnabled();
+ this.tlsEnabledWithKeyStore = service.getConfiguration().isTlsEnabledWithKeyStore();
this.onHandshakeCompleteAction = proxyConnection::cancelKeepAliveTask;
+ ProxyConfiguration config = service.getConfiguration();
+
+ if (tlsEnabledWithBroker) {
+ AuthenticationDataProvider authData = null;
+
+ if (!isEmpty(config.getBrokerClientAuthenticationPlugin())) {
+ try {
+ authData = AuthenticationFactory.create(config.getBrokerClientAuthenticationPlugin(),
+ config.getBrokerClientAuthenticationParameters()).getAuthData();
+ } catch (PulsarClientException e) {
+ throw new RuntimeException(e);
+ }
+ }
+
+ if (tlsEnabledWithKeyStore) {
+ clientSSLContextAutoRefreshBuilder = new NettySSLContextAutoRefreshBuilder(
+ config.getBrokerClientSslProvider(),
+ config.isTlsAllowInsecureConnection(),
+ config.getBrokerClientTlsTrustStoreType(),
+ config.getBrokerClientTlsTrustStore(),
+ config.getBrokerClientTlsTrustStorePassword(),
+ config.getBrokerClientTlsCiphers(),
+ config.getBrokerClientTlsProtocols(),
+ config.getTlsCertRefreshCheckDurationSec(),
+ authData);
+ clientSslCtxRefresher = null;
+ } else {
+ SslProvider sslProvider = null;
+ if (config.getBrokerClientSslProvider() != null) {
+ sslProvider = SslProvider.valueOf(config.getBrokerClientSslProvider());
+ }
+ clientSslCtxRefresher = new NettyClientSslContextRefresher(
+ sslProvider,
+ config.isTlsAllowInsecureConnection(),
+ config.getBrokerClientTrustCertsFilePath(),
+ authData,
+ config.getBrokerClientTlsCiphers(),
+ config.getBrokerClientTlsProtocols(),
+ config.getTlsCertRefreshCheckDurationSec()
+ );
+ clientSSLContextAutoRefreshBuilder = null;
+ }
+ } else {
+ clientSSLContextAutoRefreshBuilder = null;
+ clientSslCtxRefresher = null;
+ }
}
- public void connect(String brokerHostAndPort, InetSocketAddress targetBrokerAddress,
- int protocolVersion, Supplier<SslHandler> sslHandlerSupplier) {
+ public void connect(String brokerHostAndPort, InetSocketAddress targetBrokerAddress, int protocolVersion) {
ProxyConfiguration config = service.getConfiguration();
// Start the connection attempt.
@@ -121,8 +178,16 @@ public class DirectProxyHandler {
b.handler(new ChannelInitializer<SocketChannel>() {
@Override
protected void initChannel(SocketChannel ch) {
- if (sslHandlerSupplier != null) {
- ch.pipeline().addLast(TLS_HANDLER, sslHandlerSupplier.get());
+ if (tlsEnabledWithBroker) {
+ String host = targetBrokerAddress.getHostString();
+ int port = targetBrokerAddress.getPort();
+ SslHandler handler = tlsEnabledWithKeyStore
+ ? new SslHandler(clientSSLContextAutoRefreshBuilder.get().createSSLEngine(host, port))
+ : clientSslCtxRefresher.get().newHandler(ch.alloc(), host, port);
+ if (tlsHostnameVerificationEnabled) {
+ SecurityUtility.configureSSLHandler(handler);
+ }
+ ch.pipeline().addLast(TLS_HANDLER, handler);
}
int brokerProxyReadTimeoutMs = service.getConfiguration().getBrokerProxyReadTimeoutMs();
if (brokerProxyReadTimeoutMs > 0) {
@@ -338,15 +403,6 @@ public class DirectProxyHandler {
log.debug("[{}] [{}] Received Connected from broker", inboundChannel, outboundChannel);
}
- if (config.isTlsHostnameVerificationEnabled() && remoteHostName != null
- && !verifyTlsHostName(remoteHostName, ctx)) {
- // close the connection if host-verification failed with the
- // broker
- log.warn("[{}] Failed to verify hostname of {}", ctx.channel(), remoteHostName);
- ctx.close();
- return;
- }
-
state = BackendState.HandshakeCompleted;
onHandshakeCompleteAction.run();
@@ -409,17 +465,6 @@ public class DirectProxyHandler {
log.warn("[{}] [{}] Caught exception: {}", inboundChannel, outboundChannel, cause.getMessage(), cause);
ctx.close();
}
-
- private boolean verifyTlsHostName(String hostname, ChannelHandlerContext ctx) {
- ChannelHandler sslHandler = ctx.channel().pipeline().get("tls");
-
- SSLSession sslSession;
- if (sslHandler != null) {
- sslSession = ((SslHandler) sslHandler).engine().getSession();
- return (new TlsHostnameVerifier()).verify(hostname, sslSession);
- }
- return false;
- }
}
private static final Logger log = LoggerFactory.getLogger(DirectProxyHandler.class);
diff --git a/pulsar-proxy/src/main/java/org/apache/pulsar/proxy/server/ProxyConnection.java b/pulsar-proxy/src/main/java/org/apache/pulsar/proxy/server/ProxyConnection.java
index eeabced97b0..d9f0f5db38f 100644
--- a/pulsar-proxy/src/main/java/org/apache/pulsar/proxy/server/ProxyConnection.java
+++ b/pulsar-proxy/src/main/java/org/apache/pulsar/proxy/server/ProxyConnection.java
@@ -82,7 +82,6 @@ public class ProxyConnection extends PulsarHandler {
private final DnsAddressResolverGroup dnsAddressResolverGroup;
AuthenticationDataSource authenticationData;
private State state;
- private final Supplier<SslHandler> sslHandlerSupplier;
private LookupProxyHandler lookupProxyHandler = null;
@Getter
@@ -131,13 +130,11 @@ public class ProxyConnection extends PulsarHandler {
return connectionPool;
}
- public ProxyConnection(ProxyService proxyService, Supplier<SslHandler> sslHandlerSupplier,
- DnsAddressResolverGroup dnsAddressResolverGroup) {
+ public ProxyConnection(ProxyService proxyService, DnsAddressResolverGroup dnsAddressResolverGroup) {
super(30, TimeUnit.SECONDS);
this.service = proxyService;
this.dnsAddressResolverGroup = dnsAddressResolverGroup;
this.state = State.Init;
- this.sslHandlerSupplier = sslHandlerSupplier;
this.brokerProxyValidator = service.getBrokerProxyValidator();
}
@@ -360,8 +357,7 @@ public class ProxyConnection extends PulsarHandler {
private void connectToBroker(InetSocketAddress brokerAddress) {
checkState(ctx.executor().inEventLoop(), "This method should be called in the event loop");
DirectProxyHandler directProxyHandler = new DirectProxyHandler(service, this);
- directProxyHandler.connect(proxyToBrokerUrl, brokerAddress,
- protocolVersionToAdvertise, sslHandlerSupplier);
+ directProxyHandler.connect(proxyToBrokerUrl, brokerAddress, protocolVersionToAdvertise);
}
public void brokerConnected(DirectProxyHandler directProxyHandler, CommandConnected connected) {
@@ -531,6 +527,7 @@ public class ProxyConnection extends PulsarHandler {
clientConf.setAuthentication(this.getClientAuthentication());
if (proxyConfig.isTlsEnabledWithBroker()) {
clientConf.setUseTls(true);
+ clientConf.setTlsHostnameVerificationEnable(proxyConfig.isTlsHostnameVerificationEnabled());
if (proxyConfig.isBrokerClientTlsEnabledWithKeyStore()) {
clientConf.setUseKeyStoreTls(true);
clientConf.setTlsTrustStoreType(proxyConfig.getBrokerClientTlsTrustStoreType());
diff --git a/pulsar-proxy/src/main/java/org/apache/pulsar/proxy/server/ServiceChannelInitializer.java b/pulsar-proxy/src/main/java/org/apache/pulsar/proxy/server/ServiceChannelInitializer.java
index 2ce2a93819f..db2574f0df1 100644
--- a/pulsar-proxy/src/main/java/org/apache/pulsar/proxy/server/ServiceChannelInitializer.java
+++ b/pulsar-proxy/src/main/java/org/apache/pulsar/proxy/server/ServiceChannelInitializer.java
@@ -18,18 +18,13 @@
*/
package org.apache.pulsar.proxy.server;
-import static org.apache.commons.lang3.StringUtils.isEmpty;
import io.netty.handler.ssl.SslHandler;
import io.netty.handler.ssl.SslProvider;
import io.netty.handler.timeout.ReadTimeoutHandler;
import java.util.concurrent.TimeUnit;
-import java.util.function.Supplier;
-import org.apache.pulsar.client.api.AuthenticationDataProvider;
-import org.apache.pulsar.client.api.AuthenticationFactory;
import org.apache.pulsar.common.protocol.Commands;
import org.apache.pulsar.common.protocol.OptionalProxyProtocolDecoder;
-import org.apache.pulsar.common.util.NettyClientSslContextRefresher;
import org.apache.pulsar.common.util.NettyServerSslContextBuilder;
import io.netty.channel.ChannelInitializer;
@@ -52,9 +47,7 @@ public class ServiceChannelInitializer extends ChannelInitializer<SocketChannel>
private final int brokerProxyReadTimeoutMs;
private SslContextAutoRefreshBuilder<SslContext> serverSslCtxRefresher;
- private SslContextAutoRefreshBuilder<SslContext> clientSslCtxRefresher;
private NettySSLContextAutoRefreshBuilder serverSSLContextAutoRefreshBuilder;
- private NettySSLContextAutoRefreshBuilder clientSSLContextAutoRefreshBuilder;
public ServiceChannelInitializer(ProxyService proxyService, ProxyConfiguration serviceConfig, boolean enableTls)
throws Exception {
@@ -95,44 +88,6 @@ public class ServiceChannelInitializer extends ChannelInitializer<SocketChannel>
} else {
this.serverSslCtxRefresher = null;
}
-
- if (serviceConfig.isTlsEnabledWithBroker()) {
- AuthenticationDataProvider authData = null;
-
- if (!isEmpty(serviceConfig.getBrokerClientAuthenticationPlugin())) {
- authData = AuthenticationFactory.create(serviceConfig.getBrokerClientAuthenticationPlugin(),
- serviceConfig.getBrokerClientAuthenticationParameters()).getAuthData();
- }
-
- if (tlsEnabledWithKeyStore) {
- clientSSLContextAutoRefreshBuilder = new NettySSLContextAutoRefreshBuilder(
- serviceConfig.getBrokerClientSslProvider(),
- serviceConfig.isTlsAllowInsecureConnection(),
- serviceConfig.getBrokerClientTlsTrustStoreType(),
- serviceConfig.getBrokerClientTlsTrustStore(),
- serviceConfig.getBrokerClientTlsTrustStorePassword(),
- serviceConfig.getBrokerClientTlsCiphers(),
- serviceConfig.getBrokerClientTlsProtocols(),
- serviceConfig.getTlsCertRefreshCheckDurationSec(),
- authData);
- } else {
- SslProvider sslProvider = null;
- if (serviceConfig.getBrokerClientSslProvider() != null) {
- sslProvider = SslProvider.valueOf(serviceConfig.getBrokerClientSslProvider());
- }
- clientSslCtxRefresher = new NettyClientSslContextRefresher(
- sslProvider,
- serviceConfig.isTlsAllowInsecureConnection(),
- serviceConfig.getBrokerClientTrustCertsFilePath(),
- authData,
- serviceConfig.getBrokerClientTlsCiphers(),
- serviceConfig.getBrokerClientTlsProtocols(),
- serviceConfig.getTlsCertRefreshCheckDurationSec()
- );
- }
- } else {
- this.clientSslCtxRefresher = null;
- }
}
@Override
@@ -156,25 +111,6 @@ public class ServiceChannelInitializer extends ChannelInitializer<SocketChannel>
ch.pipeline().addLast("frameDecoder", new LengthFieldBasedFrameDecoder(
Commands.DEFAULT_MAX_MESSAGE_SIZE + Commands.MESSAGE_SIZE_FRAME_PADDING, 0, 4, 0, 4));
- Supplier<SslHandler> sslHandlerSupplier = null;
- if (clientSslCtxRefresher != null) {
- sslHandlerSupplier = new Supplier<SslHandler>() {
- @Override
- public SslHandler get() {
- return clientSslCtxRefresher.get().newHandler(ch.alloc());
- }
- };
- } else if (clientSSLContextAutoRefreshBuilder != null) {
- sslHandlerSupplier = new Supplier<SslHandler>() {
- @Override
- public SslHandler get() {
- return new SslHandler(clientSSLContextAutoRefreshBuilder.get().createSSLEngine());
- }
- };
- }
-
- ch.pipeline().addLast("handler",
- new ProxyConnection(proxyService, sslHandlerSupplier, proxyService.getDnsAddressResolverGroup()));
-
+ ch.pipeline().addLast("handler", new ProxyConnection(proxyService, proxyService.getDnsAddressResolverGroup()));
}
}
diff --git a/pulsar-proxy/src/test/java/org/apache/pulsar/proxy/server/ProxyWithAuthorizationTest.java b/pulsar-proxy/src/test/java/org/apache/pulsar/proxy/server/ProxyWithAuthorizationTest.java
index d813777f7eb..dd06f33b79a 100644
--- a/pulsar-proxy/src/test/java/org/apache/pulsar/proxy/server/ProxyWithAuthorizationTest.java
+++ b/pulsar-proxy/src/test/java/org/apache/pulsar/proxy/server/ProxyWithAuthorizationTest.java
@@ -19,15 +19,13 @@
package org.apache.pulsar.proxy.server;
import static org.mockito.Mockito.spy;
-
import com.google.common.collect.Sets;
-
+import java.util.Collections;
import java.util.HashSet;
import java.util.Map;
import java.util.Optional;
import java.util.Set;
import java.util.concurrent.TimeUnit;
-
import lombok.Cleanup;
import org.apache.pulsar.broker.authentication.AuthenticationProviderTls;
import org.apache.pulsar.broker.authentication.AuthenticationService;
@@ -145,20 +143,24 @@ public class ProxyWithAuthorizationTest extends ProducerConsumerBase {
};
}
- @BeforeMethod
@Override
- protected void setup() throws Exception {
-
+ protected void doInitConf() throws Exception {
+ super.doInitConf();
// enable tls and auth&auth at broker
conf.setAuthenticationEnabled(true);
conf.setAuthorizationEnabled(true);
+ conf.setTopicLevelPoliciesEnabled(false);
+ conf.setProxyRoles(Collections.singleton("Proxy"));
+ conf.setAdvertisedAddress(null);
conf.setBrokerServicePortTls(Optional.of(0));
+ conf.setBrokerServicePort(Optional.empty());
conf.setWebServicePortTls(Optional.of(0));
+ conf.setWebServicePort(Optional.empty());
conf.setTlsTrustCertsFilePath(TLS_PROXY_TRUST_CERT_FILE_PATH);
conf.setTlsCertificateFilePath(TLS_BROKER_CERT_FILE_PATH);
conf.setTlsKeyFilePath(TLS_BROKER_KEY_FILE_PATH);
- conf.setTlsAllowInsecureConnection(true);
+ conf.setTlsAllowInsecureConnection(false);
Set<String> superUserRoles = new HashSet<>();
superUserRoles.add("superUser");
@@ -168,20 +170,24 @@ public class ProxyWithAuthorizationTest extends ProducerConsumerBase {
conf.setBrokerClientAuthenticationParameters(
"tlsCertFile:" + TLS_BROKER_CERT_FILE_PATH + "," + "tlsKeyFile:" + TLS_BROKER_KEY_FILE_PATH);
conf.setBrokerClientTrustCertsFilePath(TLS_BROKER_TRUST_CERT_FILE_PATH);
- Set<String> providers = new HashSet<>();
- providers.add(AuthenticationProviderTls.class.getName());
- conf.setAuthenticationProviders(providers);
+ conf.setAuthenticationProviders(Collections.singleton(AuthenticationProviderTls.class.getName()));
conf.setClusterName("proxy-authorization");
conf.setNumExecutorThreadPoolSize(5);
+ }
+ @BeforeMethod
+ @Override
+ protected void setup() throws Exception {
super.init();
// start proxy service
proxyConfig.setAuthenticationEnabled(true);
proxyConfig.setAuthorizationEnabled(false);
+ proxyConfig.setForwardAuthorizationCredentials(true);
proxyConfig.setBrokerServiceURL(pulsar.getBrokerServiceUrl());
proxyConfig.setBrokerServiceURLTLS(pulsar.getBrokerServiceUrlTls());
+ proxyConfig.setAdvertisedAddress(null);
proxyConfig.setServicePort(Optional.of(0));
proxyConfig.setBrokerProxyAllowedTargetPorts("*");
@@ -198,7 +204,7 @@ public class ProxyWithAuthorizationTest extends ProducerConsumerBase {
proxyConfig.setBrokerClientAuthenticationPlugin(AuthenticationTls.class.getName());
proxyConfig.setBrokerClientAuthenticationParameters(
"tlsCertFile:" + TLS_PROXY_CERT_FILE_PATH + "," + "tlsKeyFile:" + TLS_PROXY_KEY_FILE_PATH);
- proxyConfig.setAuthenticationProviders(providers);
+ proxyConfig.setAuthenticationProviders(Collections.singleton(AuthenticationProviderTls.class.getName()));
proxyService = Mockito.spy(new ProxyService(proxyConfig,
new AuthenticationService(
@@ -240,11 +246,11 @@ public class ProxyWithAuthorizationTest extends ProducerConsumerBase {
@Cleanup
PulsarClient proxyClient = createPulsarClient(proxyService.getServiceUrlTls(), PulsarClient.builder());
- String namespaceName = "my-property/proxy-authorization/my-ns";
+ String namespaceName = "my-tenant/my-ns";
- admin.clusters().createCluster("proxy-authorization", ClusterData.builder().serviceUrl(brokerUrl.toString()).build());
+ admin.clusters().createCluster("proxy-authorization", ClusterData.builder().serviceUrlTls(brokerUrlTls.toString()).build());
- admin.tenants().createTenant("my-property",
+ admin.tenants().createTenant("my-tenant",
new TenantInfoImpl(Sets.newHashSet("appid1", "appid2"), Sets.newHashSet("proxy-authorization")));
admin.namespaces().createNamespace(namespaceName);
@@ -254,11 +260,11 @@ public class ProxyWithAuthorizationTest extends ProducerConsumerBase {
Sets.newHashSet(AuthAction.consume, AuthAction.produce));
Consumer<byte[]> consumer = proxyClient.newConsumer()
- .topic("persistent://my-property/proxy-authorization/my-ns/my-topic1")
+ .topic("persistent://my-tenant/my-ns/my-topic1")
.subscriptionName("my-subscriber-name").subscribe();
Producer<byte[]> producer = proxyClient.newProducer(Schema.BYTES)
- .topic("persistent://my-property/proxy-authorization/my-ns/my-topic1").create();
+ .topic("persistent://my-tenant/my-ns/my-topic1").create();
final int msgs = 10;
for (int i = 0; i < msgs; i++) {
String message = "my-message-" + i;
@@ -294,11 +300,11 @@ public class ProxyWithAuthorizationTest extends ProducerConsumerBase {
PulsarClient proxyClient = createPulsarClient(proxyService.getServiceUrlTls(),
PulsarClient.builder().enableTlsHostnameVerification(hostnameVerificationEnabled));
- String namespaceName = "my-property/proxy-authorization/my-ns";
+ String namespaceName = "my-tenant/my-ns";
- admin.clusters().createCluster("proxy-authorization", ClusterData.builder().serviceUrl(brokerUrl.toString()).build());
+ admin.clusters().createCluster("proxy-authorization", ClusterData.builder().serviceUrl(brokerUrlTls.toString()).build());
- admin.tenants().createTenant("my-property",
+ admin.tenants().createTenant("my-tenant",
new TenantInfoImpl(Sets.newHashSet("appid1", "appid2"), Sets.newHashSet("proxy-authorization")));
admin.namespaces().createNamespace(namespaceName);
@@ -308,7 +314,7 @@ public class ProxyWithAuthorizationTest extends ProducerConsumerBase {
Sets.newHashSet(AuthAction.consume, AuthAction.produce));
try {
- proxyClient.newConsumer().topic("persistent://my-property/proxy-authorization/my-ns/my-topic1")
+ proxyClient.newConsumer().topic("persistent://my-tenant/my-ns/my-topic1")
.subscriptionName("my-subscriber-name").subscribe();
if (hostnameVerificationEnabled) {
Assert.fail("Connection should be failed due to hostnameVerification enabled");
@@ -344,13 +350,13 @@ public class ProxyWithAuthorizationTest extends ProducerConsumerBase {
// create a client which connects to proxy over tls and pass authData
@Cleanup
PulsarClient proxyClient = createPulsarClient(proxyService.getServiceUrlTls(),
- PulsarClient.builder().operationTimeout(1, TimeUnit.SECONDS));
+ PulsarClient.builder().operationTimeout(15, TimeUnit.SECONDS));
- String namespaceName = "my-property/proxy-authorization/my-ns";
+ String namespaceName = "my-tenant/my-ns";
- admin.clusters().createCluster("proxy-authorization", ClusterData.builder().serviceUrl(brokerUrl.toString()).build());
+ admin.clusters().createCluster("proxy-authorization", ClusterData.builder().serviceUrlTls(brokerUrlTls.toString()).build());
- admin.tenants().createTenant("my-property",
+ admin.tenants().createTenant("my-tenant",
new TenantInfoImpl(Sets.newHashSet("appid1", "appid2"), Sets.newHashSet("proxy-authorization")));
admin.namespaces().createNamespace(namespaceName);
@@ -360,7 +366,7 @@ public class ProxyWithAuthorizationTest extends ProducerConsumerBase {
Sets.newHashSet(AuthAction.consume, AuthAction.produce));
try {
- proxyClient.newConsumer().topic("persistent://my-property/proxy-authorization/my-ns/my-topic1")
+ proxyClient.newConsumer().topic("persistent://my-tenant/my-ns/my-topic1")
.subscriptionName("my-subscriber-name").subscribe();
if (hostnameVerificationEnabled) {
Assert.fail("Connection should be failed due to hostnameVerification enabled");
@@ -382,12 +388,12 @@ public class ProxyWithAuthorizationTest extends ProducerConsumerBase {
public void tlsCiphersAndProtocols(Set<String> tlsCiphers, Set<String> tlsProtocols, boolean expectFailure)
throws Exception {
log.info("-- Starting {} test --", methodName);
- String namespaceName = "my-property/proxy-authorization/my-ns";
+ String namespaceName = "my-tenant/my-ns";
createAdminClient();
- admin.clusters().createCluster("proxy-authorization", ClusterData.builder().serviceUrl(brokerUrl.toString()).build());
+ admin.clusters().createCluster("proxy-authorization", ClusterData.builder().serviceUrl(brokerUrlTls.toString()).build());
- admin.tenants().createTenant("my-property",
+ admin.tenants().createTenant("my-tenant",
new TenantInfoImpl(Sets.newHashSet("appid1", "appid2"), Sets.newHashSet("proxy-authorization")));
admin.namespaces().createNamespace(namespaceName);
@@ -399,8 +405,10 @@ public class ProxyWithAuthorizationTest extends ProducerConsumerBase {
ProxyConfiguration proxyConfig = new ProxyConfiguration();
proxyConfig.setAuthenticationEnabled(true);
proxyConfig.setAuthorizationEnabled(false);
+ proxyConfig.setForwardAuthorizationCredentials(true);
proxyConfig.setBrokerServiceURL(pulsar.getBrokerServiceUrl());
proxyConfig.setBrokerServiceURLTLS(pulsar.getBrokerServiceUrlTls());
+ proxyConfig.setAdvertisedAddress(null);
proxyConfig.setServicePort(Optional.of(0));
proxyConfig.setBrokerProxyAllowedTargetPorts("*");
@@ -447,7 +455,7 @@ public class ProxyWithAuthorizationTest extends ProducerConsumerBase {
@Cleanup
PulsarClient proxyClient = createPulsarClient("pulsar://localhost:" + proxyService.getListenPortTls().get(), PulsarClient.builder());
Consumer<byte[]> consumer = proxyClient.newConsumer()
- .topic("persistent://my-property/proxy-authorization/my-ns/my-topic1")
+ .topic("persistent://my-tenant/my-ns/my-topic1")
.subscriptionName("my-subscriber-name").subscribe();
if (expectFailure) {
@@ -469,7 +477,7 @@ public class ProxyWithAuthorizationTest extends ProducerConsumerBase {
authParams.put("tlsKeyFile", TLS_SUPERUSER_CLIENT_KEY_FILE_PATH);
admin = spy(PulsarAdmin.builder().serviceHttpUrl(brokerUrlTls.toString())
- .tlsTrustCertsFilePath(TLS_PROXY_TRUST_CERT_FILE_PATH).allowTlsInsecureConnection(true)
+ .tlsTrustCertsFilePath(TLS_BROKER_TRUST_CERT_FILE_PATH)
.authentication(AuthenticationTls.class.getName(), authParams).build());
}
@@ -483,7 +491,7 @@ public class ProxyWithAuthorizationTest extends ProducerConsumerBase {
authTls.configure(authParams);
return clientBuilder.serviceUrl(proxyServiceUrl).statsInterval(0, TimeUnit.SECONDS)
- .tlsTrustCertsFilePath(TLS_PROXY_TRUST_CERT_FILE_PATH).allowTlsInsecureConnection(true)
+ .tlsTrustCertsFilePath(TLS_PROXY_TRUST_CERT_FILE_PATH)
.authentication(authTls).enableTls(true)
.operationTimeout(1000, TimeUnit.MILLISECONDS).build();
}
diff --git a/pulsar-proxy/src/test/resources/authentication/tls/ProxyWithAuthorizationTest/broker-cacert.pem b/pulsar-proxy/src/test/resources/authentication/tls/ProxyWithAuthorizationTest/broker-cacert.pem
index df21a4968bf..7d2d58d8d7a 100644
--- a/pulsar-proxy/src/test/resources/authentication/tls/ProxyWithAuthorizationTest/broker-cacert.pem
+++ b/pulsar-proxy/src/test/resources/authentication/tls/ProxyWithAuthorizationTest/broker-cacert.pem
@@ -2,76 +2,76 @@ Certificate:
Data:
Version: 3 (0x2)
Serial Number:
- 37:55:7a:ae:71:6b:5f:f0:0d:f7:11:df:b5:f9:ce:e1:65:a4:0c:a4
+ 40:cd:a5:a5:35:76:ee:02:57:8b:30:8f:2a:12:34:03:45:c5:96:8c
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN = CARoot
Validity
- Not Before: Apr 23 17:08:51 2021 GMT
- Not After : Apr 21 17:08:51 2031 GMT
+ Not Before: May 30 13:38:24 2022 GMT
+ Not After : May 27 13:38:24 2032 GMT
Subject: CN = CARoot
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
- 00:ce:29:c8:45:af:07:8e:79:1e:55:66:7b:93:af:
- 09:2c:72:fd:d5:33:38:30:a9:b5:50:92:90:33:b0:
- 55:b0:c4:6b:37:4a:ba:5b:76:4d:52:0b:9f:58:b2:
- c5:95:8c:47:6d:2b:07:0a:f5:74:43:ec:7d:36:bf:
- 3e:8c:d6:13:31:ce:fc:d1:77:b0:ac:3c:ae:69:4b:
- bd:5d:93:bd:84:57:51:a7:ef:03:2e:ae:3e:93:73:
- 8b:1e:39:90:8b:32:e2:0a:dd:b8:20:83:98:76:91:
- 75:d6:d5:db:43:7b:f4:c9:4e:23:52:e3:11:55:05:
- 48:b8:82:47:ea:32:0b:56:1b:07:11:f3:06:c7:4a:
- d5:6b:87:c2:2e:e2:9a:8c:9d:54:ca:5e:96:08:02:
- 5d:17:42:4d:73:86:08:ab:6e:2e:f3:a8:c3:a3:c1:
- bd:88:63:5e:69:7e:fa:af:31:8d:3a:49:ed:e8:cf:
- 80:15:ca:d4:2b:fe:84:3d:aa:27:7e:98:36:48:4f:
- 3b:27:90:1d:c1:fe:4e:13:b0:5e:a5:32:6e:16:38:
- 2e:b7:d1:f3:6b:18:a5:3e:b6:d7:07:42:21:c7:d9:
- 8e:d6:8c:a5:bf:25:9e:5c:fc:c7:12:18:59:23:b9:
- 3d:39:45:3d:1c:81:e2:f2:29:91:05:20:46:b2:52:
- 06:51
+ 00:d8:d5:00:e0:6b:4f:4e:8a:67:08:e9:e3:3f:23:
+ ef:15:1d:82:10:85:f3:3b:77:9c:96:c1:aa:eb:90:
+ 41:0b:5b:ae:77:d9:a3:f1:cf:2a:32:40:78:33:6a:
+ 81:b9:c2:cd:91:36:98:df:41:84:c0:62:8a:a1:03:
+ 89:8d:2b:b8:91:49:a9:e8:a2:90:ad:b9:cd:23:84:
+ bc:60:1f:6f:b5:81:9f:9c:cf:d5:26:a8:a5:b6:4d:
+ 59:5f:5c:7f:da:e8:1d:3d:04:f3:b8:ef:f8:d5:73:
+ c6:fd:6a:b1:91:ae:16:b7:45:21:9a:1a:1a:76:74:
+ 01:40:ee:fc:3c:67:be:6a:7f:f4:a3:82:37:ee:43:
+ 41:f5:67:d5:d5:64:9c:d8:53:75:34:4d:23:80:b5:
+ 59:13:c2:27:47:8e:20:32:6f:f6:b3:70:bf:5e:15:
+ 08:7e:d1:bf:aa:4d:06:6b:0d:17:21:eb:95:47:52:
+ fa:d7:97:ef:1a:5d:63:26:17:36:01:20:ac:57:50:
+ 34:f0:57:49:38:3d:9c:68:6a:87:91:38:b6:76:9d:
+ bc:e9:4e:c2:58:54:8d:8a:32:05:9e:ba:cb:f0:d0:
+ ec:91:67:1d:77:bf:d5:02:77:d4:22:78:94:f4:9a:
+ 49:fa:ef:b2:9b:30:1a:8a:f0:a7:9a:2b:e5:e9:c7:
+ 36:c5
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
- EF:DA:58:74:AA:21:F9:9E:19:7E:44:2B:84:32:93:F4:0F:79:18:3B
+ DD:AC:A0:40:6E:E9:2B:49:F2:35:DB:B4:E9:98:AD:58:7B:37:6B:55
X509v3 Authority Key Identifier:
- keyid:EF:DA:58:74:AA:21:F9:9E:19:7E:44:2B:84:32:93:F4:0F:79:18:3B
+ keyid:DD:AC:A0:40:6E:E9:2B:49:F2:35:DB:B4:E9:98:AD:58:7B:37:6B:55
X509v3 Basic Constraints: critical
CA:TRUE
Signature Algorithm: sha256WithRSAEncryption
- 2e:f5:b6:f7:fc:50:89:16:1e:ea:8c:ec:57:54:f6:ca:d3:19:
- 65:fe:da:c5:73:53:f6:d0:1e:26:96:f2:d3:03:55:8d:6e:c4:
- cd:8c:2d:7a:ea:fa:38:6c:ed:fa:d5:23:b8:52:c1:e3:52:04:
- 3d:46:8c:2d:b6:b2:47:68:41:92:f6:47:24:50:78:47:5e:2a:
- 9b:df:85:a8:92:0d:49:17:eb:51:e8:b2:69:3c:4a:f3:9f:5f:
- ea:fd:b2:08:3c:30:1a:93:be:d3:c3:b3:c7:60:7c:ea:f4:15:
- 43:bd:3f:b1:d0:69:3c:84:5b:05:01:55:d7:d5:87:fb:58:53:
- 03:d8:91:5f:e8:e0:37:88:82:ea:dc:1c:2d:a0:8d:82:68:65:
- 6e:ea:0d:2a:e1:aa:cc:b3:d1:ce:a8:2b:2d:ed:e4:ba:0f:7f:
- 51:48:d2:4b:2f:7c:eb:02:01:4f:2c:b6:06:c1:9a:97:2c:b7:
- 6c:b7:06:86:d1:8b:cc:d6:d4:c3:ff:b5:65:c5:92:eb:9c:68:
- 6d:99:d8:4a:6d:7a:ac:fe:dc:f3:12:f8:bb:2b:0a:b9:d8:1e:
- 87:b6:e9:8b:51:32:f3:7b:0b:1a:29:57:4c:7d:5a:b6:9c:83:
- 23:e5:35:2b:98:83:aa:7c:ef:24:3a:74:a8:86:22:32:06:fb:
- 03:b7:01:9d
+ 07:0c:90:05:fa:2c:c9:4e:05:ec:6b:7d:99:9c:52:2a:20:34:
+ 46:ac:8d:24:81:f9:a7:f3:1d:03:32:45:82:9a:61:af:1f:63:
+ 25:6b:97:ca:93:78:e5:d7:87:81:b6:29:22:d4:0d:8d:ed:0e:
+ bd:85:80:6c:38:e9:86:3c:bd:ee:ff:26:78:0a:f0:a7:54:0b:
+ af:27:9e:8b:83:b7:10:e9:44:0d:4a:7e:a8:e2:aa:1c:06:f8:
+ 18:f1:c4:c9:e4:bb:17:41:59:94:b4:dc:78:53:fb:1b:43:57:
+ 82:59:de:6c:03:52:9a:28:cb:e4:9e:ea:c5:00:93:e0:27:b4:
+ 4b:e6:b3:c5:88:2d:14:33:10:ff:b0:23:4e:5d:ea:17:97:7d:
+ f4:e2:c8:fe:c3:4a:77:83:64:ef:c9:b6:3e:77:64:32:07:91:
+ bd:e1:58:9a:e1:38:ab:eb:d2:e3:cb:05:7c:c7:f3:2b:47:bf:
+ 36:64:7e:32:5a:62:44:07:c8:8e:9d:55:1a:99:c4:14:5a:66:
+ ed:5f:8b:ab:dd:eb:36:28:cd:77:47:84:00:ae:a7:34:0e:0d:
+ 77:df:67:72:08:94:75:52:1b:4a:71:4d:31:5d:aa:1b:aa:b6:
+ e0:d6:86:52:7c:26:ae:1f:96:ab:06:32:cb:7a:f3:bb:76:3e:
+ 08:53:9f:64
-----BEGIN CERTIFICATE-----
-MIIDAzCCAeugAwIBAgIUN1V6rnFrX/AN9xHftfnO4WWkDKQwDQYJKoZIhvcNAQEL
-BQAwETEPMA0GA1UEAwwGQ0FSb290MB4XDTIxMDQyMzE3MDg1MVoXDTMxMDQyMTE3
-MDg1MVowETEPMA0GA1UEAwwGQ0FSb290MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
-MIIBCgKCAQEAzinIRa8HjnkeVWZ7k68JLHL91TM4MKm1UJKQM7BVsMRrN0q6W3ZN
-UgufWLLFlYxHbSsHCvV0Q+x9Nr8+jNYTMc780XewrDyuaUu9XZO9hFdRp+8DLq4+
-k3OLHjmQizLiCt24IIOYdpF11tXbQ3v0yU4jUuMRVQVIuIJH6jILVhsHEfMGx0rV
-a4fCLuKajJ1Uyl6WCAJdF0JNc4YIq24u86jDo8G9iGNeaX76rzGNOknt6M+AFcrU
-K/6EPaonfpg2SE87J5Adwf5OE7BepTJuFjgut9HzaxilPrbXB0Ihx9mO1oylvyWe
-XPzHEhhZI7k9OUU9HIHi8imRBSBGslIGUQIDAQABo1MwUTAdBgNVHQ4EFgQU79pY
-dKoh+Z4ZfkQrhDKT9A95GDswHwYDVR0jBBgwFoAU79pYdKoh+Z4ZfkQrhDKT9A95
-GDswDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEALvW29/xQiRYe
-6ozsV1T2ytMZZf7axXNT9tAeJpby0wNVjW7EzYwteur6OGzt+tUjuFLB41IEPUaM
-LbayR2hBkvZHJFB4R14qm9+FqJINSRfrUeiyaTxK859f6v2yCDwwGpO+08Ozx2B8
-6vQVQ70/sdBpPIRbBQFV19WH+1hTA9iRX+jgN4iC6twcLaCNgmhlbuoNKuGqzLPR
-zqgrLe3kug9/UUjSSy986wIBTyy2BsGalyy3bLcGhtGLzNbUw/+1ZcWS65xobZnY
-Sm16rP7c8xL4uysKudgeh7bpi1Ey83sLGilXTH1atpyDI+U1K5iDqnzvJDp0qIYi
-Mgb7A7cBnQ==
+MIIDAzCCAeugAwIBAgIUQM2lpTV27gJXizCPKhI0A0XFlowwDQYJKoZIhvcNAQEL
+BQAwETEPMA0GA1UEAwwGQ0FSb290MB4XDTIyMDUzMDEzMzgyNFoXDTMyMDUyNzEz
+MzgyNFowETEPMA0GA1UEAwwGQ0FSb290MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
+MIIBCgKCAQEA2NUA4GtPTopnCOnjPyPvFR2CEIXzO3eclsGq65BBC1uud9mj8c8q
+MkB4M2qBucLNkTaY30GEwGKKoQOJjSu4kUmp6KKQrbnNI4S8YB9vtYGfnM/VJqil
+tk1ZX1x/2ugdPQTzuO/41XPG/Wqxka4Wt0UhmhoadnQBQO78PGe+an/0o4I37kNB
+9WfV1WSc2FN1NE0jgLVZE8InR44gMm/2s3C/XhUIftG/qk0Gaw0XIeuVR1L615fv
+Gl1jJhc2ASCsV1A08FdJOD2caGqHkTi2dp286U7CWFSNijIFnrrL8NDskWcdd7/V
+AnfUIniU9JpJ+u+ymzAaivCnmivl6cc2xQIDAQABo1MwUTAdBgNVHQ4EFgQU3ayg
+QG7pK0nyNdu06ZitWHs3a1UwHwYDVR0jBBgwFoAU3aygQG7pK0nyNdu06ZitWHs3
+a1UwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEABwyQBfosyU4F
+7Gt9mZxSKiA0RqyNJIH5p/MdAzJFgpphrx9jJWuXypN45deHgbYpItQNje0OvYWA
+bDjphjy97v8meArwp1QLryeei4O3EOlEDUp+qOKqHAb4GPHEyeS7F0FZlLTceFP7
+G0NXglnebANSmijL5J7qxQCT4Ce0S+azxYgtFDMQ/7AjTl3qF5d99OLI/sNKd4Nk
+78m2PndkMgeRveFYmuE4q+vS48sFfMfzK0e/NmR+MlpiRAfIjp1VGpnEFFpm7V+L
+q93rNijNd0eEAK6nNA4Nd99ncgiUdVIbSnFNMV2qG6q24NaGUnwmrh+WqwYyy3rz
+u3Y+CFOfZA==
-----END CERTIFICATE-----
diff --git a/pulsar-proxy/src/test/resources/authentication/tls/ProxyWithAuthorizationTest/broker-cert.pem b/pulsar-proxy/src/test/resources/authentication/tls/ProxyWithAuthorizationTest/broker-cert.pem
index edd9a025176..31743d06846 100644
--- a/pulsar-proxy/src/test/resources/authentication/tls/ProxyWithAuthorizationTest/broker-cert.pem
+++ b/pulsar-proxy/src/test/resources/authentication/tls/ProxyWithAuthorizationTest/broker-cert.pem
@@ -1,13 +1,13 @@
Certificate:
Data:
- Version: 1 (0x0)
+ Version: 3 (0x2)
Serial Number:
- 0c:26:15:df:8f:71:1d:6a:31:d0:da:af:64:ef:80:de:ac:9a:46:78
+ 61:e6:1b:07:90:6a:4f:f7:cd:46:b9:59:1d:3e:1c:39:0d:f2:5e:07
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN = CARoot
Validity
- Not Before: Apr 23 17:08:51 2021 GMT
- Not After : Apr 21 17:08:51 2031 GMT
+ Not Before: May 30 13:38:24 2022 GMT
+ Not After : May 27 13:38:24 2032 GMT
Subject: C = US, ST = CA, O = Apache Pulsar, OU = Broker, CN = Broker
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
@@ -32,37 +32,41 @@ Certificate:
07:f0:b0:06:4f:2c:4c:75:c2:37:ff:35:0d:b1:42:
06:0b
Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Subject Alternative Name:
+ DNS:localhost, IP Address:127.0.0.1
Signature Algorithm: sha256WithRSAEncryption
- 46:84:81:7e:4a:91:2a:c0:d7:0c:5a:a2:fb:6e:a2:e1:66:15:
- b9:b3:50:1c:93:8c:68:ba:90:42:07:2c:d1:d9:22:53:c4:e7:
- 74:a9:ac:0c:25:cb:ae:c9:a1:c9:35:49:5d:10:c6:ee:08:2a:
- 23:f3:a4:87:24:92:c4:4e:35:b8:23:8e:be:ad:8c:5b:25:df:
- 25:d4:49:8c:d6:11:bf:79:43:a2:88:7f:70:87:8c:fb:51:9a:
- 4c:73:8d:10:e7:5b:fa:fb:76:f9:88:7a:6a:d0:bf:0f:65:1e:
- 26:22:87:57:31:9a:c9:4c:62:cf:ef:00:2b:4e:2f:ee:d4:d8:
- 0d:2f:7f:2e:14:21:d5:c3:25:ce:29:a3:f0:ee:c6:3d:d2:dc:
- 7b:80:34:57:50:97:e7:79:d9:ca:39:10:73:2d:46:f4:98:de:
- ec:be:98:1a:17:12:c3:9e:1f:0d:25:c8:4e:17:a1:4a:8d:6a:
- 21:11:42:56:1a:16:79:12:e2:db:39:e1:5d:c4:2e:03:31:54:
- d9:97:53:21:bc:f0:60:e1:ba:ff:f6:a5:4b:c1:39:4f:e1:87:
- b7:63:9a:63:fa:a2:83:1c:b5:8e:fd:48:be:d5:50:40:0b:69:
- 34:81:1e:d1:ca:c5:34:ff:bc:c3:ec:22:a5:3e:ca:31:fe:43:
- 39:00:79:72
+ 8d:1d:69:d2:44:1f:af:68:30:80:c1:91:b2:2f:9a:7e:ca:ff:
+ 38:46:8e:28:59:02:2d:e7:74:c4:3c:b3:ac:b3:22:53:e9:54:
+ 3a:e2:4d:4d:65:63:47:dd:38:86:ec:d1:7d:4f:fe:5d:c6:c8:
+ c8:10:b8:33:5a:4d:9e:83:e3:92:97:c5:f1:d8:e3:97:6d:01:
+ 50:03:de:25:d8:e4:de:62:70:b8:c4:55:5b:9f:8c:61:b8:d7:
+ f0:8f:6c:2d:80:cc:b8:7b:8b:b4:54:9a:d6:e1:f9:7f:52:99:
+ 7b:ef:23:88:61:e5:7c:85:5c:57:98:cc:a6:98:4b:71:84:5c:
+ ab:5e:82:48:5a:da:5f:d6:84:b5:52:43:df:3c:0f:95:06:29:
+ 00:94:f8:98:94:6d:1c:c8:76:21:7a:2f:61:34:ab:bd:27:59:
+ d1:41:99:91:69:68:f7:b6:65:21:e8:9a:b1:9b:ac:72:12:17:
+ 54:0b:56:08:bd:9d:6b:0e:35:4a:f8:97:b6:83:00:55:96:0c:
+ 66:13:06:c9:27:5f:cc:d0:81:4b:3e:6e:d2:85:cd:79:7a:8c:
+ a0:1e:d8:9b:e4:da:e9:ba:51:f1:29:0f:69:00:df:24:a0:55:
+ 5e:cd:d0:84:c9:4a:a8:b4:12:33:29:6f:8a:8c:d7:a1:b4:8b:
+ 4a:7d:a2:30
-----BEGIN CERTIFICATE-----
-MIIC7DCCAdQCFAwmFd+PcR1qMdDar2TvgN6smkZ4MA0GCSqGSIb3DQEBCwUAMBEx
-DzANBgNVBAMMBkNBUm9vdDAeFw0yMTA0MjMxNzA4NTFaFw0zMTA0MjExNzA4NTFa
-MFQxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTEWMBQGA1UEChMNQXBhY2hlIFB1
-bHNhcjEPMA0GA1UECxMGQnJva2VyMQ8wDQYDVQQDEwZCcm9rZXIwggEiMA0GCSqG
-SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDKd9wqEyUkyyliBhJfqJLJU9Y/B8qqCl9y
-ks236kVHcfBjT1gaPfrOpnOQwKn3JfB2de2yAxe+2IpW809qTH4DZZXlReuNR+hg
-Xp44dFBUZaDs2FxlYDQbloN9cdRdf+NiWWfo8NYkfcBuNwNUTD0MMzmbM+FSRMVD
-2uruLPMcFi5GTHyfXU1u/owjnvd+nznBcQZS9CaaItTPxSU5qdLkJMbYSkii7nYl
-yzzwv80Qd/+BEUMhzDvMEHoHhPzMAqJF3pEta9HtFxrQRvSufbOJ+DF3leVGsakx
-1tjjRwCygYHbihzZ8c3jTTX2OJEN6gfwsAZPLEx1wjf/NQ2xQgYLAgMBAAEwDQYJ
-KoZIhvcNAQELBQADggEBAEaEgX5KkSrA1wxaovtuouFmFbmzUByTjGi6kEIHLNHZ
-IlPE53SprAwly67Jock1SV0Qxu4IKiPzpIckksRONbgjjr6tjFsl3yXUSYzWEb95
-Q6KIf3CHjPtRmkxzjRDnW/r7dvmIemrQvw9lHiYih1cxmslMYs/vACtOL+7U2A0v
-fy4UIdXDJc4po/Duxj3S3HuANFdQl+d52co5EHMtRvSY3uy+mBoXEsOeHw0lyE4X
-oUqNaiERQlYaFnkS4ts54V3ELgMxVNmXUyG88GDhuv/2pUvBOU/hh7djmmP6ooMc
-tY79SL7VUEALaTSBHtHKxTT/vMPsIqU+yjH+QzkAeXI=
+MIIDETCCAfmgAwIBAgIUYeYbB5BqT/fNRrlZHT4cOQ3yXgcwDQYJKoZIhvcNAQEL
+BQAwETEPMA0GA1UEAwwGQ0FSb290MB4XDTIyMDUzMDEzMzgyNFoXDTMyMDUyNzEz
+MzgyNFowVDELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRYwFAYDVQQKEw1BcGFj
+aGUgUHVsc2FyMQ8wDQYDVQQLEwZCcm9rZXIxDzANBgNVBAMTBkJyb2tlcjCCASIw
+DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMp33CoTJSTLKWIGEl+okslT1j8H
+yqoKX3KSzbfqRUdx8GNPWBo9+s6mc5DAqfcl8HZ17bIDF77YilbzT2pMfgNlleVF
+641H6GBenjh0UFRloOzYXGVgNBuWg31x1F1/42JZZ+jw1iR9wG43A1RMPQwzOZsz
+4VJExUPa6u4s8xwWLkZMfJ9dTW7+jCOe936fOcFxBlL0Jpoi1M/FJTmp0uQkxthK
+SKLudiXLPPC/zRB3/4ERQyHMO8wQegeE/MwCokXekS1r0e0XGtBG9K59s4n4MXeV
+5UaxqTHW2ONHALKBgduKHNnxzeNNNfY4kQ3qB/CwBk8sTHXCN/81DbFCBgsCAwEA
+AaMeMBwwGgYDVR0RBBMwEYIJbG9jYWxob3N0hwR/AAABMA0GCSqGSIb3DQEBCwUA
+A4IBAQCNHWnSRB+vaDCAwZGyL5p+yv84Ro4oWQIt53TEPLOssyJT6VQ64k1NZWNH
+3TiG7NF9T/5dxsjIELgzWk2eg+OSl8Xx2OOXbQFQA94l2OTeYnC4xFVbn4xhuNfw
+j2wtgMy4e4u0VJrW4fl/Upl77yOIYeV8hVxXmMymmEtxhFyrXoJIWtpf1oS1UkPf
+PA+VBikAlPiYlG0cyHYhei9hNKu9J1nRQZmRaWj3tmUh6Jqxm6xyEhdUC1YIvZ1r
+DjVK+Je2gwBVlgxmEwbJJ1/M0IFLPm7Shc15eoygHtib5NrpulHxKQ9pAN8koFVe
+zdCEyUqotBIzKW+KjNehtItKfaIw
-----END CERTIFICATE-----
diff --git a/pulsar-proxy/src/test/resources/authentication/tls/ProxyWithAuthorizationTest/client-cacert.pem b/pulsar-proxy/src/test/resources/authentication/tls/ProxyWithAuthorizationTest/client-cacert.pem
index dc75fe9506e..127f56dd777 100644
--- a/pulsar-proxy/src/test/resources/authentication/tls/ProxyWithAuthorizationTest/client-cacert.pem
+++ b/pulsar-proxy/src/test/resources/authentication/tls/ProxyWithAuthorizationTest/client-cacert.pem
@@ -2,76 +2,76 @@ Certificate:
Data:
Version: 3 (0x2)
Serial Number:
- 33:a3:2e:28:58:0b:7a:7b:3c:71:4e:51:1d:1d:16:f5:72:3d:99:01
+ 77:4f:f6:cf:99:ca:77:e8:a7:6e:1e:fd:e2:cf:ac:a9:da:68:d2:42
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN = CARoot
Validity
- Not Before: Apr 23 17:08:51 2021 GMT
- Not After : Apr 21 17:08:51 2031 GMT
+ Not Before: May 30 13:38:24 2022 GMT
+ Not After : May 27 13:38:24 2032 GMT
Subject: CN = CARoot
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
- 00:d9:06:95:38:4a:ed:0d:ef:57:12:26:5e:2f:ea:
- 3c:05:78:1e:36:90:6c:d6:8d:dc:18:e7:e0:24:d7:
- 72:ae:d3:af:6a:ff:32:1f:ee:d8:93:9e:f4:53:88:
- 0f:5d:d6:56:41:03:b9:1e:d7:d4:0d:d5:ae:27:20:
- d8:8f:e3:7d:65:79:d3:00:c9:cc:f4:ef:f5:c9:f6:
- 83:a4:45:b4:6d:11:ac:fc:55:f2:94:6b:75:74:d9:
- f7:23:b2:5a:ba:a3:21:b4:6e:5a:2d:fc:84:32:ef:
- 78:f5:d7:22:7c:e8:a8:15:aa:1d:9f:53:63:fd:77:
- f4:d7:20:cc:21:34:1c:7a:22:a9:6a:de:90:06:ae:
- 10:ff:96:21:61:9e:6d:21:f5:66:37:ef:a0:5a:a8:
- 51:5f:22:24:9f:a9:a9:b3:21:10:f4:7a:d9:ee:c3:
- 20:73:c3:48:0a:c7:98:7c:5f:04:7a:e1:eb:8c:d6:
- f0:18:d7:e9:0c:11:cd:a1:81:f4:d4:67:c0:72:0f:
- e3:90:86:92:97:bd:bc:44:df:b1:b3:6d:85:4f:6b:
- fa:bf:9e:6a:1d:9c:77:23:3b:6f:89:38:fb:45:ff:
- f5:76:b3:19:f7:7c:59:2b:07:ff:6a:4a:f5:93:4a:
- 62:ef:18:3b:ea:54:8f:2d:c2:34:c8:a3:6f:ee:f8:
- f2:a3
+ 00:b8:5e:c2:60:ed:c4:ee:3c:5b:ab:fc:64:52:f3:
+ 30:41:fc:10:5a:ac:a6:9b:0a:93:d0:d0:c9:bf:96:
+ 14:a7:cf:5c:3e:23:91:7e:54:ec:fe:2d:9f:c9:34:
+ d1:4e:95:2f:85:9c:cc:be:90:a3:a4:cb:4d:a4:72:
+ d2:84:e0:c7:42:c4:bf:70:b6:fa:d2:45:8b:83:66:
+ 1e:a4:e9:0e:06:a3:46:ea:a7:18:cd:33:b9:f1:ff:
+ 76:91:72:8f:cd:f9:93:43:c3:6e:17:1f:2d:86:df:
+ b6:fb:2d:d6:be:2d:98:ad:de:00:c7:de:f9:68:b5:
+ 40:40:56:49:ae:23:e5:a1:3b:5f:15:5a:44:50:da:
+ fb:02:d3:42:c6:87:0d:c0:8d:3a:e6:e2:aa:73:31:
+ ab:79:58:51:cd:03:80:f3:12:ce:2f:35:04:8b:39:
+ 5f:b0:cc:b8:41:99:47:c1:17:96:8b:c2:44:84:b5:
+ 21:8a:15:52:fe:1a:5a:f9:88:cc:11:17:ee:48:dd:
+ ba:bf:ed:67:6e:27:35:42:cf:07:5e:b1:8b:81:55:
+ 92:01:8e:61:fd:8e:82:74:b1:70:7a:3d:52:1f:16:
+ 78:12:bb:b5:09:62:ce:6d:18:4a:e9:f5:27:19:bc:
+ 93:4e:ed:dd:53:a8:c1:bb:48:b7:18:20:7b:79:48:
+ 48:9d
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
- 86:1F:20:03:1D:EA:65:52:AA:D7:38:B7:A7:B1:DC:0A:02:F9:F2:02
+ 0F:46:61:3E:6F:71:22:E6:1F:32:37:7C:B2:81:A6:CC:DB:9D:F5:7C
X509v3 Authority Key Identifier:
- keyid:86:1F:20:03:1D:EA:65:52:AA:D7:38:B7:A7:B1:DC:0A:02:F9:F2:02
+ keyid:0F:46:61:3E:6F:71:22:E6:1F:32:37:7C:B2:81:A6:CC:DB:9D:F5:7C
X509v3 Basic Constraints: critical
CA:TRUE
Signature Algorithm: sha256WithRSAEncryption
- c3:8a:4d:5b:3a:01:28:08:cc:cd:8b:cc:37:0d:0b:0c:45:dd:
- c0:44:ee:36:9c:1d:7d:1f:b9:5a:a7:fd:9a:19:34:0f:8c:09:
- 9d:24:f1:7b:a2:22:ef:7f:f3:4f:31:e2:b8:a5:f2:ec:d5:32:
- 02:f3:10:c4:82:c4:a0:33:b0:50:53:b7:2e:3d:78:30:8e:b3:
- c1:f8:51:4d:30:5b:40:65:6f:ad:b8:99:be:d8:cc:3b:43:00:
- 2b:16:5c:9c:bd:83:24:a0:48:0d:cd:2e:29:74:a8:e6:bc:df:
- f0:7c:2c:1f:03:72:f4:47:4d:88:e6:8f:53:77:25:23:57:0a:
- 84:fb:38:e7:b0:84:57:2b:4d:5a:f0:94:34:8a:48:ca:dc:f7:
- 08:b5:d5:1e:64:b4:03:c9:f3:3d:dd:f5:27:ac:f8:2b:d5:80:
- ab:b5:b1:37:8e:ae:2f:03:c2:19:4d:37:d6:e2:76:24:a2:98:
- ed:c8:c5:d0:65:29:4d:ce:0a:bf:d0:a3:3f:f6:03:47:fa:75:
- 8c:06:22:fe:8a:13:9a:9c:17:f5:35:71:7d:66:b9:cd:ca:ac:
- 1e:c3:09:c6:76:b0:6c:2b:45:fd:5b:a9:02:7b:e8:fa:65:32:
- e3:8e:7d:25:6e:06:db:bc:fd:5b:ad:78:d3:e0:09:df:3d:9c:
- 3b:56:c5:69
+ 91:e8:d8:c4:32:2e:80:5c:d4:cb:24:7a:81:43:a9:c7:95:90:
+ 1a:2e:7a:d3:0c:5d:b6:21:05:67:4d:98:5a:0d:71:ea:80:01:
+ 95:42:fe:fa:f1:7c:dc:bd:76:ff:05:26:3b:f0:94:b3:09:2c:
+ 34:dd:43:56:46:2b:15:35:99:d9:94:54:22:cf:a6:68:b0:d1:
+ 79:e2:f0:9f:0b:02:7c:cf:1f:bd:d0:f6:49:c6:82:28:a5:c6:
+ ae:94:65:cf:fd:ad:a8:6c:c2:17:da:db:f3:be:30:1a:1b:b4:
+ 2c:fa:08:71:9d:64:09:45:02:92:02:ad:eb:15:47:14:43:5b:
+ a8:2d:1a:ec:14:93:dc:ff:bb:51:33:a3:d5:4d:e2:77:ca:e1:
+ a5:98:5c:7a:b6:10:19:d3:d7:f5:14:a5:d5:08:f1:97:18:3d:
+ 5f:a6:4e:a2:4a:0d:4b:d4:bb:56:6b:a8:44:35:62:c5:d8:c6:
+ 67:11:93:1c:22:64:3e:aa:15:08:dc:87:39:dd:f6:e0:a0:d5:
+ 00:db:27:79:3d:f4:35:7c:46:a9:fa:0c:fa:fc:74:f5:bf:f4:
+ fe:71:40:45:33:22:35:83:f7:1a:96:2a:fc:b2:33:e0:1a:e8:
+ 24:48:91:5d:90:5c:4c:93:33:4c:40:de:26:bb:24:ac:48:9b:
+ ae:fe:19:34
-----BEGIN CERTIFICATE-----
-MIIDAzCCAeugAwIBAgIUM6MuKFgLens8cU5RHR0W9XI9mQEwDQYJKoZIhvcNAQEL
-BQAwETEPMA0GA1UEAwwGQ0FSb290MB4XDTIxMDQyMzE3MDg1MVoXDTMxMDQyMTE3
-MDg1MVowETEPMA0GA1UEAwwGQ0FSb290MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
-MIIBCgKCAQEA2QaVOErtDe9XEiZeL+o8BXgeNpBs1o3cGOfgJNdyrtOvav8yH+7Y
-k570U4gPXdZWQQO5HtfUDdWuJyDYj+N9ZXnTAMnM9O/1yfaDpEW0bRGs/FXylGt1
-dNn3I7JauqMhtG5aLfyEMu949dcifOioFaodn1Nj/Xf01yDMITQceiKpat6QBq4Q
-/5YhYZ5tIfVmN++gWqhRXyIkn6mpsyEQ9HrZ7sMgc8NICseYfF8EeuHrjNbwGNfp
-DBHNoYH01GfAcg/jkIaSl728RN+xs22FT2v6v55qHZx3IztviTj7Rf/1drMZ93xZ
-Kwf/akr1k0pi7xg76lSPLcI0yKNv7vjyowIDAQABo1MwUTAdBgNVHQ4EFgQUhh8g
-Ax3qZVKq1zi3p7HcCgL58gIwHwYDVR0jBBgwFoAUhh8gAx3qZVKq1zi3p7HcCgL5
-8gIwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAw4pNWzoBKAjM
-zYvMNw0LDEXdwETuNpwdfR+5Wqf9mhk0D4wJnSTxe6Ii73/zTzHiuKXy7NUyAvMQ
-xILEoDOwUFO3Lj14MI6zwfhRTTBbQGVvrbiZvtjMO0MAKxZcnL2DJKBIDc0uKXSo
-5rzf8HwsHwNy9EdNiOaPU3clI1cKhPs457CEVytNWvCUNIpIytz3CLXVHmS0A8nz
-Pd31J6z4K9WAq7WxN46uLwPCGU031uJ2JKKY7cjF0GUpTc4Kv9CjP/YDR/p1jAYi
-/ooTmpwX9TVxfWa5zcqsHsMJxnawbCtF/VupAnvo+mUy4459JW4G27z9W6140+AJ
-3z2cO1bFaQ==
+MIIDAzCCAeugAwIBAgIUd0/2z5nKd+inbh794s+sqdpo0kIwDQYJKoZIhvcNAQEL
+BQAwETEPMA0GA1UEAwwGQ0FSb290MB4XDTIyMDUzMDEzMzgyNFoXDTMyMDUyNzEz
+MzgyNFowETEPMA0GA1UEAwwGQ0FSb290MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
+MIIBCgKCAQEAuF7CYO3E7jxbq/xkUvMwQfwQWqymmwqT0NDJv5YUp89cPiORflTs
+/i2fyTTRTpUvhZzMvpCjpMtNpHLShODHQsS/cLb60kWLg2YepOkOBqNG6qcYzTO5
+8f92kXKPzfmTQ8NuFx8tht+2+y3Wvi2Yrd4Ax975aLVAQFZJriPloTtfFVpEUNr7
+AtNCxocNwI065uKqczGreVhRzQOA8xLOLzUEizlfsMy4QZlHwReWi8JEhLUhihVS
+/hpa+YjMERfuSN26v+1nbic1Qs8HXrGLgVWSAY5h/Y6CdLFwej1SHxZ4Eru1CWLO
+bRhK6fUnGbyTTu3dU6jBu0i3GCB7eUhInQIDAQABo1MwUTAdBgNVHQ4EFgQUD0Zh
+Pm9xIuYfMjd8soGmzNud9XwwHwYDVR0jBBgwFoAUD0ZhPm9xIuYfMjd8soGmzNud
+9XwwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAkejYxDIugFzU
+yyR6gUOpx5WQGi560wxdtiEFZ02YWg1x6oABlUL++vF83L12/wUmO/CUswksNN1D
+VkYrFTWZ2ZRUIs+maLDReeLwnwsCfM8fvdD2ScaCKKXGrpRlz/2tqGzCF9rb874w
+Ghu0LPoIcZ1kCUUCkgKt6xVHFENbqC0a7BST3P+7UTOj1U3id8rhpZhcerYQGdPX
+9RSl1Qjxlxg9X6ZOokoNS9S7VmuoRDVixdjGZxGTHCJkPqoVCNyHOd324KDVANsn
+eT30NXxGqfoM+vx09b/0/nFARTMiNYP3GpYq/LIz4BroJEiRXZBcTJMzTEDeJrsk
+rEibrv4ZNA==
-----END CERTIFICATE-----
diff --git a/pulsar-proxy/src/test/resources/authentication/tls/ProxyWithAuthorizationTest/client-cert.pem b/pulsar-proxy/src/test/resources/authentication/tls/ProxyWithAuthorizationTest/client-cert.pem
index 0ac579026ef..1a21d9d4138 100644
--- a/pulsar-proxy/src/test/resources/authentication/tls/ProxyWithAuthorizationTest/client-cert.pem
+++ b/pulsar-proxy/src/test/resources/authentication/tls/ProxyWithAuthorizationTest/client-cert.pem
@@ -1,13 +1,13 @@
Certificate:
Data:
- Version: 1 (0x0)
+ Version: 3 (0x2)
Serial Number:
- 0c:26:15:df:8f:71:1d:6a:31:d0:da:af:64:ef:80:de:ac:9a:46:79
+ 61:e6:1b:07:90:6a:4f:f7:cd:46:b9:59:1d:3e:1c:39:0d:f2:5e:03
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN = CARoot
Validity
- Not Before: Apr 23 17:08:51 2021 GMT
- Not After : Apr 21 17:08:51 2031 GMT
+ Not Before: May 30 13:38:24 2022 GMT
+ Not After : May 27 13:38:24 2032 GMT
Subject: C = US, ST = CA, O = Apache Pulsar, OU = Client, CN = Client
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
@@ -32,37 +32,41 @@ Certificate:
8e:18:48:4c:5f:19:e9:b0:7b:22:d3:bc:42:32:45:
9a:d1
Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Subject Alternative Name:
+ DNS:localhost, IP Address:127.0.0.1
Signature Algorithm: sha256WithRSAEncryption
- a4:bb:d2:e4:ba:17:1f:07:13:26:ac:e1:71:df:1e:d4:d7:a7:
- 31:dd:df:ce:e6:bb:11:fb:cf:a5:66:d2:fb:0e:26:90:fd:94:
- 0d:d2:d6:91:f3:65:75:ae:16:b6:92:2e:0a:41:b5:fc:ba:33:
- 57:85:92:e8:a3:30:97:d9:26:dc:e0:37:da:c5:bd:5f:e9:dd:
- db:81:cb:38:96:99:6e:d2:a5:6d:92:a8:6d:be:03:6f:a9:48:
- 4a:a1:4b:91:f9:c3:11:85:79:1e:4e:77:98:ff:43:dd:e0:f9:
- 8e:95:fe:f3:e2:eb:48:72:cf:04:fe:3d:78:b3:a8:ee:56:c8:
- 12:c8:0a:3d:70:f4:86:42:d2:b9:54:4d:07:8c:45:ad:af:b9:
- 43:c8:f9:ee:fc:5d:96:a2:b6:d5:d9:48:57:4e:b5:7d:c7:8c:
- 35:21:99:13:9a:60:42:1f:39:4a:3a:1b:3b:e5:ab:1d:91:59:
- 8a:e1:82:9e:70:79:f9:9a:6e:bb:a9:99:30:4d:93:c8:bf:95:
- 91:a1:03:a3:ac:d8:cd:80:db:89:82:a7:e6:74:8d:53:b3:a6:
- 7a:b9:ca:93:14:a2:01:08:bd:9f:4e:2d:0d:50:b3:aa:e8:a6:
- a8:43:b5:d6:a4:1c:2f:62:7a:1f:1b:92:6b:2d:fa:12:c3:1a:
- ed:8b:11:fe
+ 8b:88:90:00:1a:15:fa:11:f2:f0:35:6f:0f:f2:76:74:fc:8d:
+ bc:03:ee:a5:c5:21:17:c9:01:6b:58:93:fa:3e:7b:e0:0d:6d:
+ db:1f:2a:48:fa:15:34:66:b7:cb:be:82:c6:28:91:99:42:5a:
+ 36:b6:0b:2f:bb:85:14:88:a9:ea:dd:0a:7a:be:c4:e7:b2:2d:
+ 82:a9:37:bc:d9:5c:aa:03:2e:54:68:b1:b7:e8:d6:45:a5:8f:
+ 48:45:2c:9c:7a:55:0a:4a:07:1b:30:8a:49:6d:f4:62:b1:9e:
+ 92:0e:d9:34:44:6c:6d:e7:a3:18:bb:85:58:6d:da:20:83:d5:
+ ca:65:63:1e:3b:e6:df:7b:97:40:4f:b1:59:63:a9:b5:80:6f:
+ 97:51:53:a1:d3:29:1f:1a:26:05:17:59:3e:16:4f:5f:38:36:
+ 76:30:c6:bf:1e:3e:ed:39:83:91:31:58:01:13:59:5c:c5:e9:
+ d6:61:e0:f3:5f:c7:47:8a:5f:af:23:98:89:7b:b4:e6:f6:51:
+ 98:a0:26:31:c8:67:91:6d:d5:68:75:3d:4d:48:44:5f:3b:9c:
+ df:a7:87:a0:11:02:d2:13:5f:c1:4c:3f:3e:09:59:2e:fc:cb:
+ c2:c5:f0:f8:91:df:c3:dd:ad:c8:fc:44:23:9b:78:0d:3b:f2:
+ 82:f6:02:82
-----BEGIN CERTIFICATE-----
-MIIC7DCCAdQCFAwmFd+PcR1qMdDar2TvgN6smkZ5MA0GCSqGSIb3DQEBCwUAMBEx
-DzANBgNVBAMMBkNBUm9vdDAeFw0yMTA0MjMxNzA4NTFaFw0zMTA0MjExNzA4NTFa
-MFQxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTEWMBQGA1UEChMNQXBhY2hlIFB1
-bHNhcjEPMA0GA1UECxMGQ2xpZW50MQ8wDQYDVQQDEwZDbGllbnQwggEiMA0GCSqG
-SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDeHhC9ZBPBbHpJhgE7q6sd7LKTQWxsIfLm
-FRtRzq1n/Rg+f3pkomJfLgtZtO3ZFw63vFBmQbfjxHHJc3M92G00gPLjuZiPK1QU
-lbNRG9aRhc23NKJQtvGGbgcw+q5VoF35fByRUGJ9uxSGkgqsKT4oG5nKMGPcqV8F
-+Dg+MBACn8yU10fgGvQcaJY9El5YIUEs7JatnghWg3qSX0vmvQEWcCivqicdxP6y
-Cb+ltEfZWEv+QYEOokZXwTl8jeSxpyXmtN3zniTJ58CMGrSr3bkzvxHLvrsi9/yt
-xEBB1+83CBqVRR/bFF8L+Ej/QSTLXI4YSExfGemweyLTvEIyRZrRAgMBAAEwDQYJ
-KoZIhvcNAQELBQADggEBAKS70uS6Fx8HEyas4XHfHtTXpzHd387muxH7z6Vm0vsO
-JpD9lA3S1pHzZXWuFraSLgpBtfy6M1eFkuijMJfZJtzgN9rFvV/p3duByziWmW7S
-pW2SqG2+A2+pSEqhS5H5wxGFeR5Od5j/Q93g+Y6V/vPi60hyzwT+PXizqO5WyBLI
-Cj1w9IZC0rlUTQeMRa2vuUPI+e78XZaittXZSFdOtX3HjDUhmROaYEIfOUo6Gzvl
-qx2RWYrhgp5wefmabrupmTBNk8i/lZGhA6Os2M2A24mCp+Z0jVOzpnq5ypMUogEI
-vZ9OLQ1Qs6ropqhDtdakHC9ieh8bkmst+hLDGu2LEf4=
+MIIDETCCAfmgAwIBAgIUYeYbB5BqT/fNRrlZHT4cOQ3yXgMwDQYJKoZIhvcNAQEL
+BQAwETEPMA0GA1UEAwwGQ0FSb290MB4XDTIyMDUzMDEzMzgyNFoXDTMyMDUyNzEz
+MzgyNFowVDELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRYwFAYDVQQKEw1BcGFj
+aGUgUHVsc2FyMQ8wDQYDVQQLEwZDbGllbnQxDzANBgNVBAMTBkNsaWVudDCCASIw
+DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAN4eEL1kE8FsekmGATurqx3sspNB
+bGwh8uYVG1HOrWf9GD5/emSiYl8uC1m07dkXDre8UGZBt+PEcclzcz3YbTSA8uO5
+mI8rVBSVs1Eb1pGFzbc0olC28YZuBzD6rlWgXfl8HJFQYn27FIaSCqwpPigbmcow
+Y9ypXwX4OD4wEAKfzJTXR+Aa9Bxolj0SXlghQSzslq2eCFaDepJfS+a9ARZwKK+q
+Jx3E/rIJv6W0R9lYS/5BgQ6iRlfBOXyN5LGnJea03fOeJMnnwIwatKvduTO/Ecu+
+uyL3/K3EQEHX7zcIGpVFH9sUXwv4SP9BJMtcjhhITF8Z6bB7ItO8QjJFmtECAwEA
+AaMeMBwwGgYDVR0RBBMwEYIJbG9jYWxob3N0hwR/AAABMA0GCSqGSIb3DQEBCwUA
+A4IBAQCLiJAAGhX6EfLwNW8P8nZ0/I28A+6lxSEXyQFrWJP6PnvgDW3bHypI+hU0
+ZrfLvoLGKJGZQlo2tgsvu4UUiKnq3Qp6vsTnsi2CqTe82VyqAy5UaLG36NZFpY9I
+RSycelUKSgcbMIpJbfRisZ6SDtk0RGxt56MYu4VYbdogg9XKZWMeO+bfe5dAT7FZ
+Y6m1gG+XUVOh0ykfGiYFF1k+Fk9fODZ2MMa/Hj7tOYORMVgBE1lcxenWYeDzX8dH
+il+vI5iJe7Tm9lGYoCYxyGeRbdVodT1NSERfO5zfp4egEQLSE1/BTD8+CVku/MvC
+xfD4kd/D3a3I/EQjm3gNO/KC9gKC
-----END CERTIFICATE-----
diff --git a/pulsar-proxy/src/test/resources/authentication/tls/ProxyWithAuthorizationTest/proxy-cacert.pem b/pulsar-proxy/src/test/resources/authentication/tls/ProxyWithAuthorizationTest/proxy-cacert.pem
index cb22ab50573..127f56dd777 100644
--- a/pulsar-proxy/src/test/resources/authentication/tls/ProxyWithAuthorizationTest/proxy-cacert.pem
+++ b/pulsar-proxy/src/test/resources/authentication/tls/ProxyWithAuthorizationTest/proxy-cacert.pem
@@ -2,76 +2,76 @@ Certificate:
Data:
Version: 3 (0x2)
Serial Number:
- 2d:fc:78:73:ca:55:1e:32:12:3e:ef:08:24:cf:63:95:1e:ad:ea:ae
+ 77:4f:f6:cf:99:ca:77:e8:a7:6e:1e:fd:e2:cf:ac:a9:da:68:d2:42
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN = CARoot
Validity
- Not Before: Apr 23 17:08:51 2021 GMT
- Not After : Apr 21 17:08:51 2031 GMT
+ Not Before: May 30 13:38:24 2022 GMT
+ Not After : May 27 13:38:24 2032 GMT
Subject: CN = CARoot
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
- 00:c3:e0:f7:5d:bb:9a:76:ee:84:c6:2d:79:3f:a6:
- 4b:3b:1f:32:31:d9:65:80:d3:02:13:23:2a:f1:2f:
- e6:ac:bc:24:d1:cb:b9:5b:ed:cb:63:fe:31:e4:e6:
- b8:f3:13:72:be:48:57:cb:d1:70:0f:67:16:6d:26:
- bc:23:1c:64:30:ee:c8:0e:0e:68:d9:43:7e:42:74:
- 7a:d4:59:a4:76:67:70:9f:85:aa:f3:9f:6c:e6:a1:
- b5:06:3c:1d:46:38:45:05:df:88:cc:3a:ad:6c:72:
- 96:69:55:d0:b2:a8:ed:fd:b8:07:6b:5c:6d:1c:0d:
- 98:c2:88:3f:59:3c:d6:6c:ab:df:dd:3a:c0:5c:fe:
- 86:74:38:bc:00:d4:f0:50:ea:f0:e6:74:23:48:6d:
- 63:77:c7:f6:e2:94:f8:1b:0f:51:98:f6:fb:e0:20:
- 58:c1:b6:a0:58:08:6f:ad:05:f7:71:90:b3:1a:5b:
- 24:88:0b:ed:71:26:aa:84:c2:21:97:76:e7:d5:77:
- 30:62:15:d4:30:5e:f9:aa:bc:7f:1f:50:5e:92:47:
- f2:92:c0:85:cf:ce:33:07:24:e9:ee:b7:04:0d:b7:
- 9f:82:ae:a0:b6:73:51:8f:fe:bd:2c:f3:b5:76:61:
- 3c:da:c6:c0:bd:44:46:6f:43:9d:47:b6:0a:80:a5:
- fe:3b
+ 00:b8:5e:c2:60:ed:c4:ee:3c:5b:ab:fc:64:52:f3:
+ 30:41:fc:10:5a:ac:a6:9b:0a:93:d0:d0:c9:bf:96:
+ 14:a7:cf:5c:3e:23:91:7e:54:ec:fe:2d:9f:c9:34:
+ d1:4e:95:2f:85:9c:cc:be:90:a3:a4:cb:4d:a4:72:
+ d2:84:e0:c7:42:c4:bf:70:b6:fa:d2:45:8b:83:66:
+ 1e:a4:e9:0e:06:a3:46:ea:a7:18:cd:33:b9:f1:ff:
+ 76:91:72:8f:cd:f9:93:43:c3:6e:17:1f:2d:86:df:
+ b6:fb:2d:d6:be:2d:98:ad:de:00:c7:de:f9:68:b5:
+ 40:40:56:49:ae:23:e5:a1:3b:5f:15:5a:44:50:da:
+ fb:02:d3:42:c6:87:0d:c0:8d:3a:e6:e2:aa:73:31:
+ ab:79:58:51:cd:03:80:f3:12:ce:2f:35:04:8b:39:
+ 5f:b0:cc:b8:41:99:47:c1:17:96:8b:c2:44:84:b5:
+ 21:8a:15:52:fe:1a:5a:f9:88:cc:11:17:ee:48:dd:
+ ba:bf:ed:67:6e:27:35:42:cf:07:5e:b1:8b:81:55:
+ 92:01:8e:61:fd:8e:82:74:b1:70:7a:3d:52:1f:16:
+ 78:12:bb:b5:09:62:ce:6d:18:4a:e9:f5:27:19:bc:
+ 93:4e:ed:dd:53:a8:c1:bb:48:b7:18:20:7b:79:48:
+ 48:9d
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
- 4E:9B:EB:E2:41:17:D1:24:AF:39:02:BC:42:D6:81:B7:62:6D:E3:57
+ 0F:46:61:3E:6F:71:22:E6:1F:32:37:7C:B2:81:A6:CC:DB:9D:F5:7C
X509v3 Authority Key Identifier:
- keyid:4E:9B:EB:E2:41:17:D1:24:AF:39:02:BC:42:D6:81:B7:62:6D:E3:57
+ keyid:0F:46:61:3E:6F:71:22:E6:1F:32:37:7C:B2:81:A6:CC:DB:9D:F5:7C
X509v3 Basic Constraints: critical
CA:TRUE
Signature Algorithm: sha256WithRSAEncryption
- 16:01:53:ab:85:57:5f:92:b9:24:85:c5:70:02:fa:fe:ae:ff:
- e9:3e:36:24:6e:9e:34:dd:7c:56:f9:31:a1:d1:ae:63:af:3c:
- 2c:e5:8e:47:34:df:b0:1c:33:48:3f:e7:32:fd:a8:38:99:a6:
- ef:e1:7b:65:92:80:1e:68:e5:98:db:c5:50:4a:35:53:e5:86:
- 89:56:85:0c:6e:da:64:28:68:33:dc:29:3f:41:8b:cf:9c:ec:
- fc:74:15:19:ff:da:0a:ef:d0:51:67:97:ad:2f:e4:8a:94:52:
- 96:18:bd:77:b3:2b:79:9a:f8:de:af:0f:a2:65:c4:f2:88:3a:
- 57:79:18:e1:d8:7c:e0:52:da:35:8c:dd:d9:75:0d:72:e9:e8:
- d0:a7:a6:0b:49:88:6d:ed:86:45:25:72:15:4e:2a:0b:6f:9c:
- 2f:48:75:28:b0:aa:cd:15:7f:ae:b3:b7:ec:75:d9:63:c8:46:
- 8f:84:49:1c:e2:db:95:7b:3d:bb:fd:98:45:53:56:3c:3c:de:
- 60:16:f9:14:b8:7e:27:37:be:f0:69:b5:a0:18:bc:83:1e:c1:
- 3a:11:9b:a3:1d:1f:a6:9c:7e:c9:aa:7c:53:44:9e:1d:cb:ca:
- c8:22:7f:cc:ad:e6:fa:51:54:4d:b5:a1:e6:e3:04:4e:49:1e:
- 67:9c:93:30
+ 91:e8:d8:c4:32:2e:80:5c:d4:cb:24:7a:81:43:a9:c7:95:90:
+ 1a:2e:7a:d3:0c:5d:b6:21:05:67:4d:98:5a:0d:71:ea:80:01:
+ 95:42:fe:fa:f1:7c:dc:bd:76:ff:05:26:3b:f0:94:b3:09:2c:
+ 34:dd:43:56:46:2b:15:35:99:d9:94:54:22:cf:a6:68:b0:d1:
+ 79:e2:f0:9f:0b:02:7c:cf:1f:bd:d0:f6:49:c6:82:28:a5:c6:
+ ae:94:65:cf:fd:ad:a8:6c:c2:17:da:db:f3:be:30:1a:1b:b4:
+ 2c:fa:08:71:9d:64:09:45:02:92:02:ad:eb:15:47:14:43:5b:
+ a8:2d:1a:ec:14:93:dc:ff:bb:51:33:a3:d5:4d:e2:77:ca:e1:
+ a5:98:5c:7a:b6:10:19:d3:d7:f5:14:a5:d5:08:f1:97:18:3d:
+ 5f:a6:4e:a2:4a:0d:4b:d4:bb:56:6b:a8:44:35:62:c5:d8:c6:
+ 67:11:93:1c:22:64:3e:aa:15:08:dc:87:39:dd:f6:e0:a0:d5:
+ 00:db:27:79:3d:f4:35:7c:46:a9:fa:0c:fa:fc:74:f5:bf:f4:
+ fe:71:40:45:33:22:35:83:f7:1a:96:2a:fc:b2:33:e0:1a:e8:
+ 24:48:91:5d:90:5c:4c:93:33:4c:40:de:26:bb:24:ac:48:9b:
+ ae:fe:19:34
-----BEGIN CERTIFICATE-----
-MIIDAzCCAeugAwIBAgIULfx4c8pVHjISPu8IJM9jlR6t6q4wDQYJKoZIhvcNAQEL
-BQAwETEPMA0GA1UEAwwGQ0FSb290MB4XDTIxMDQyMzE3MDg1MVoXDTMxMDQyMTE3
-MDg1MVowETEPMA0GA1UEAwwGQ0FSb290MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
-MIIBCgKCAQEAw+D3Xbuadu6Exi15P6ZLOx8yMdllgNMCEyMq8S/mrLwk0cu5W+3L
-Y/4x5Oa48xNyvkhXy9FwD2cWbSa8IxxkMO7IDg5o2UN+QnR61Fmkdmdwn4Wq859s
-5qG1BjwdRjhFBd+IzDqtbHKWaVXQsqjt/bgHa1xtHA2Ywog/WTzWbKvf3TrAXP6G
-dDi8ANTwUOrw5nQjSG1jd8f24pT4Gw9RmPb74CBYwbagWAhvrQX3cZCzGlskiAvt
-cSaqhMIhl3bn1XcwYhXUMF75qrx/H1BekkfyksCFz84zByTp7rcEDbefgq6gtnNR
-j/69LPO1dmE82sbAvURGb0OdR7YKgKX+OwIDAQABo1MwUTAdBgNVHQ4EFgQUTpvr
-4kEX0SSvOQK8QtaBt2Jt41cwHwYDVR0jBBgwFoAUTpvr4kEX0SSvOQK8QtaBt2Jt
-41cwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAFgFTq4VXX5K5
-JIXFcAL6/q7/6T42JG6eNN18VvkxodGuY688LOWORzTfsBwzSD/nMv2oOJmm7+F7
-ZZKAHmjlmNvFUEo1U+WGiVaFDG7aZChoM9wpP0GLz5zs/HQVGf/aCu/QUWeXrS/k
-ipRSlhi9d7MreZr43q8PomXE8og6V3kY4dh84FLaNYzd2XUNcuno0KemC0mIbe2G
-RSVyFU4qC2+cL0h1KLCqzRV/rrO37HXZY8hGj4RJHOLblXs9u/2YRVNWPDzeYBb5
-FLh+Jze+8Gm1oBi8gx7BOhGbox0fppx+yap8U0SeHcvKyCJ/zK3m+lFUTbWh5uME
-TkkeZ5yTMA==
+MIIDAzCCAeugAwIBAgIUd0/2z5nKd+inbh794s+sqdpo0kIwDQYJKoZIhvcNAQEL
+BQAwETEPMA0GA1UEAwwGQ0FSb290MB4XDTIyMDUzMDEzMzgyNFoXDTMyMDUyNzEz
+MzgyNFowETEPMA0GA1UEAwwGQ0FSb290MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
+MIIBCgKCAQEAuF7CYO3E7jxbq/xkUvMwQfwQWqymmwqT0NDJv5YUp89cPiORflTs
+/i2fyTTRTpUvhZzMvpCjpMtNpHLShODHQsS/cLb60kWLg2YepOkOBqNG6qcYzTO5
+8f92kXKPzfmTQ8NuFx8tht+2+y3Wvi2Yrd4Ax975aLVAQFZJriPloTtfFVpEUNr7
+AtNCxocNwI065uKqczGreVhRzQOA8xLOLzUEizlfsMy4QZlHwReWi8JEhLUhihVS
+/hpa+YjMERfuSN26v+1nbic1Qs8HXrGLgVWSAY5h/Y6CdLFwej1SHxZ4Eru1CWLO
+bRhK6fUnGbyTTu3dU6jBu0i3GCB7eUhInQIDAQABo1MwUTAdBgNVHQ4EFgQUD0Zh
+Pm9xIuYfMjd8soGmzNud9XwwHwYDVR0jBBgwFoAUD0ZhPm9xIuYfMjd8soGmzNud
+9XwwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAkejYxDIugFzU
+yyR6gUOpx5WQGi560wxdtiEFZ02YWg1x6oABlUL++vF83L12/wUmO/CUswksNN1D
+VkYrFTWZ2ZRUIs+maLDReeLwnwsCfM8fvdD2ScaCKKXGrpRlz/2tqGzCF9rb874w
+Ghu0LPoIcZ1kCUUCkgKt6xVHFENbqC0a7BST3P+7UTOj1U3id8rhpZhcerYQGdPX
+9RSl1Qjxlxg9X6ZOokoNS9S7VmuoRDVixdjGZxGTHCJkPqoVCNyHOd324KDVANsn
+eT30NXxGqfoM+vx09b/0/nFARTMiNYP3GpYq/LIz4BroJEiRXZBcTJMzTEDeJrsk
+rEibrv4ZNA==
-----END CERTIFICATE-----
diff --git a/pulsar-proxy/src/test/resources/authentication/tls/ProxyWithAuthorizationTest/proxy-cert.pem b/pulsar-proxy/src/test/resources/authentication/tls/ProxyWithAuthorizationTest/proxy-cert.pem
index a4c03e3c2ea..e2c1e5a230c 100644
--- a/pulsar-proxy/src/test/resources/authentication/tls/ProxyWithAuthorizationTest/proxy-cert.pem
+++ b/pulsar-proxy/src/test/resources/authentication/tls/ProxyWithAuthorizationTest/proxy-cert.pem
@@ -1,13 +1,13 @@
Certificate:
Data:
- Version: 1 (0x0)
+ Version: 3 (0x2)
Serial Number:
- 0c:26:15:df:8f:71:1d:6a:31:d0:da:af:64:ef:80:de:ac:9a:46:7a
+ 61:e6:1b:07:90:6a:4f:f7:cd:46:b9:59:1d:3e:1c:39:0d:f2:5e:04
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN = CARoot
Validity
- Not Before: Apr 23 17:08:51 2021 GMT
- Not After : Apr 21 17:08:51 2031 GMT
+ Not Before: May 30 13:38:24 2022 GMT
+ Not After : May 27 13:38:24 2032 GMT
Subject: C = US, ST = CA, O = Apache Pulsar, OU = Proxy, CN = Proxy
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
@@ -32,37 +32,41 @@ Certificate:
29:e1:23:c4:ed:a0:1c:f6:2a:ed:dc:c0:df:97:a9:
f3:8d
Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Subject Alternative Name:
+ DNS:localhost, IP Address:127.0.0.1
Signature Algorithm: sha256WithRSAEncryption
- 7b:27:a8:2a:54:35:76:e5:f8:a7:60:8d:e7:35:12:69:38:f3:
- 32:af:25:0f:69:1a:b1:af:79:e5:7c:94:5c:8f:aa:76:95:54:
- 35:b4:bb:64:20:1a:91:1e:b3:e4:d1:06:72:24:c3:35:bd:9c:
- f6:54:61:d9:39:22:99:42:08:d4:97:aa:7d:82:46:fc:77:58:
- df:93:29:03:6c:ba:1c:13:d1:42:49:32:f1:38:09:d3:3e:43:
- 89:1b:61:c4:40:f3:ac:4c:c1:36:2f:28:bd:57:a0:de:35:82:
- c9:da:93:5f:09:d6:e8:5b:cd:15:45:b3:28:22:7d:48:00:c4:
- 55:0f:f6:de:d9:c2:0a:39:5e:69:a4:50:9b:3f:e1:06:44:8a:
- 13:af:0b:56:8d:70:c4:9f:d1:a2:b4:25:09:8b:19:47:e8:d2:
- 98:49:2a:a0:8b:fe:8c:cb:23:d8:f8:e6:28:c6:d9:0b:10:7c:
- d3:ce:48:07:8d:c7:56:bb:c9:e8:d7:a8:a1:24:93:bf:5f:d2:
- a9:f1:35:b7:40:ad:08:bf:89:63:e5:49:40:13:e7:1e:6a:77:
- 7f:9a:5b:07:0c:eb:80:77:b0:ac:fa:8a:9d:b8:83:53:a1:1e:
- 0e:14:2b:c9:50:96:81:c2:c0:0b:d1:c6:b6:2e:ea:98:3e:7b:
- ee:5f:09:f7
+ 8d:b6:2c:5f:87:13:06:a8:66:ce:11:2a:2c:20:1e:c7:ee:50:
+ 75:a7:d1:7c:ad:c6:ec:d1:18:d0:fa:aa:00:fa:08:f9:0f:cc:
+ df:59:9a:6b:1c:18:07:15:84:d0:9a:24:8d:dd:46:79:9c:dc:
+ 9e:3e:97:10:24:b2:9d:d4:f6:c5:79:58:87:7c:a6:af:cf:69:
+ 23:fb:43:7a:0f:4d:26:e0:e9:66:c5:ad:fa:88:e2:c5:6e:6a:
+ ce:70:0c:8f:73:01:d6:fd:a9:1f:31:49:41:17:45:22:cc:a6:
+ 71:e4:f4:0f:0f:2e:3e:49:0b:5f:04:94:36:49:fa:72:42:c9:
+ 25:75:84:9a:dc:16:cb:69:44:44:e5:3a:ff:26:f6:44:42:4c:
+ 6c:e2:56:d6:3e:bc:f2:8b:83:de:e2:91:70:65:b9:d0:dd:a3:
+ d1:de:53:27:77:13:2d:86:27:c3:40:2f:c1:a5:50:1c:5a:44:
+ 51:b4:29:11:c3:30:9d:1a:96:25:7a:d6:05:70:ad:06:0d:f2:
+ 9b:b1:b6:82:39:06:c7:7c:b2:49:04:19:e4:7e:87:b8:d8:42:
+ 1d:ab:ed:d0:b0:7f:79:6b:89:75:2f:6a:26:67:3d:33:57:5f:
+ 5a:49:52:98:3b:2a:e5:43:d7:f9:97:ca:75:cd:6f:e9:e4:66:
+ b6:d6:c2:c7
-----BEGIN CERTIFICATE-----
-MIIC6jCCAdICFAwmFd+PcR1qMdDar2TvgN6smkZ6MA0GCSqGSIb3DQEBCwUAMBEx
-DzANBgNVBAMMBkNBUm9vdDAeFw0yMTA0MjMxNzA4NTFaFw0zMTA0MjExNzA4NTFa
-MFIxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTEWMBQGA1UEChMNQXBhY2hlIFB1
-bHNhcjEOMAwGA1UECxMFUHJveHkxDjAMBgNVBAMTBVByb3h5MIIBIjANBgkqhkiG
-9w0BAQEFAAOCAQ8AMIIBCgKCAQEAw1zFrRfc9NTE6hxgWiRGE9nPwM2DLi+CcOXg
-jTO9lbXPxvBU1Y29hw1ibB0/UmZ0/wYzHDzV7S5j2ZbG8ZiCx5RKvGTymzpU7IGZ
-vBSCQ4cMa9oDjKoLQdf+J8T5iIE0sf8q4G3QR93BEaVUqVMyzY/2dViOBeTZsaxp
-/rZUw602BKJ39VO2dIPVagHglrWir1CPtdedp8K9+DGGCV98CrLbNOGAJRdffW+L
-3I7V+c/P9faPav4+lgDJVrDQ40beuaaKXpuOf+oZzKJbdSI8HTZI5PIaAZVhwfB6
-J52DlnTMqQRCCFM0mC6344P58qMp4SPE7aAc9irt3MDfl6nzjQIDAQABMA0GCSqG
-SIb3DQEBCwUAA4IBAQB7J6gqVDV25finYI3nNRJpOPMyryUPaRqxr3nlfJRcj6p2
-lVQ1tLtkIBqRHrPk0QZyJMM1vZz2VGHZOSKZQgjUl6p9gkb8d1jfkykDbLocE9FC
-STLxOAnTPkOJG2HEQPOsTME2Lyi9V6DeNYLJ2pNfCdboW80VRbMoIn1IAMRVD/be
-2cIKOV5ppFCbP+EGRIoTrwtWjXDEn9GitCUJixlH6NKYSSqgi/6MyyPY+OYoxtkL
-EHzTzkgHjcdWu8no16ihJJO/X9Kp8TW3QK0Iv4lj5UlAE+ceand/mlsHDOuAd7Cs
-+oqduINToR4OFCvJUJaBwsAL0ca2LuqYPnvuXwn3
+MIIDDzCCAfegAwIBAgIUYeYbB5BqT/fNRrlZHT4cOQ3yXgQwDQYJKoZIhvcNAQEL
+BQAwETEPMA0GA1UEAwwGQ0FSb290MB4XDTIyMDUzMDEzMzgyNFoXDTMyMDUyNzEz
+MzgyNFowUjELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRYwFAYDVQQKEw1BcGFj
+aGUgUHVsc2FyMQ4wDAYDVQQLEwVQcm94eTEOMAwGA1UEAxMFUHJveHkwggEiMA0G
+CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDDXMWtF9z01MTqHGBaJEYT2c/AzYMu
+L4Jw5eCNM72Vtc/G8FTVjb2HDWJsHT9SZnT/BjMcPNXtLmPZlsbxmILHlEq8ZPKb
+OlTsgZm8FIJDhwxr2gOMqgtB1/4nxPmIgTSx/yrgbdBH3cERpVSpUzLNj/Z1WI4F
+5NmxrGn+tlTDrTYEonf1U7Z0g9VqAeCWtaKvUI+1152nwr34MYYJX3wKsts04YAl
+F199b4vcjtX5z8/19o9q/j6WAMlWsNDjRt65popem45/6hnMolt1IjwdNkjk8hoB
+lWHB8HonnYOWdMypBEIIUzSYLrfjg/nyoynhI8TtoBz2Ku3cwN+XqfONAgMBAAGj
+HjAcMBoGA1UdEQQTMBGCCWxvY2FsaG9zdIcEfwAAATANBgkqhkiG9w0BAQsFAAOC
+AQEAjbYsX4cTBqhmzhEqLCAex+5QdafRfK3G7NEY0PqqAPoI+Q/M31maaxwYBxWE
+0Jokjd1GeZzcnj6XECSyndT2xXlYh3ymr89pI/tDeg9NJuDpZsWt+ojixW5qznAM
+j3MB1v2pHzFJQRdFIsymceT0Dw8uPkkLXwSUNkn6ckLJJXWEmtwWy2lEROU6/yb2
+REJMbOJW1j688ouD3uKRcGW50N2j0d5TJ3cTLYYnw0AvwaVQHFpEUbQpEcMwnRqW
+JXrWBXCtBg3ym7G2gjkGx3yySQQZ5H6HuNhCHavt0LB/eWuJdS9qJmc9M1dfWklS
+mDsq5UPX+ZfKdc1v6eRmttbCxw==
-----END CERTIFICATE-----
diff --git a/pulsar-proxy/src/test/resources/authentication/tls/cacert.pem b/pulsar-proxy/src/test/resources/authentication/tls/cacert.pem
index b607fb9d131..127f56dd777 100644
--- a/pulsar-proxy/src/test/resources/authentication/tls/cacert.pem
+++ b/pulsar-proxy/src/test/resources/authentication/tls/cacert.pem
@@ -2,76 +2,76 @@ Certificate:
Data:
Version: 3 (0x2)
Serial Number:
- 7f:c3:12:28:23:73:86:8e:bb:d6:e6:21:43:e3:72:e8:01:17:3e:d1
+ 77:4f:f6:cf:99:ca:77:e8:a7:6e:1e:fd:e2:cf:ac:a9:da:68:d2:42
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN = CARoot
Validity
- Not Before: Apr 23 17:08:51 2021 GMT
- Not After : Apr 21 17:08:51 2031 GMT
+ Not Before: May 30 13:38:24 2022 GMT
+ Not After : May 27 13:38:24 2032 GMT
Subject: CN = CARoot
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
- 00:b3:6a:94:67:7c:33:90:4e:db:b9:94:b0:a6:1a:
- 69:77:bb:33:31:fe:3c:8b:6d:8a:f1:cf:07:d9:87:
- 86:ad:45:cf:4c:e3:e7:35:d5:4b:a3:76:27:9b:30:
- b1:82:3f:57:29:c9:f0:be:25:49:25:16:64:58:cc:
- b0:f1:01:2e:19:69:52:c8:38:64:61:16:b4:a7:ba:
- 76:2b:54:e6:a5:80:6c:b6:6c:8a:3c:c1:06:c2:e1:
- c1:f3:18:6b:87:08:4b:bb:54:f4:b3:72:1d:f2:ce:
- 47:18:5f:82:d3:88:c9:39:7b:71:fc:71:1a:aa:7e:
- 55:6c:35:7f:83:c1:60:e7:7d:b1:80:d0:17:7a:ed:
- e7:0d:87:8b:59:e3:18:47:e9:cf:de:0d:0e:c6:3e:
- 5c:eb:6e:f4:43:95:31:01:2d:e8:f2:ba:8a:bf:ed:
- 82:0c:7c:14:14:13:0e:fb:ae:f0:3a:7c:29:ee:55:
- 29:ca:46:7a:be:05:9f:fa:75:65:4c:f5:fb:cf:fe:
- 92:8d:78:e2:e1:41:55:32:2c:36:a2:ac:96:43:aa:
- e2:60:5a:ff:a6:e2:3f:5b:fc:d4:d3:af:cf:78:45:
- b5:e7:6e:7d:b6:fa:c4:05:84:a6:49:a7:ac:16:8e:
- b2:17:ac:75:76:f0:29:df:c8:da:a2:01:05:25:08:
- 4d:8f
+ 00:b8:5e:c2:60:ed:c4:ee:3c:5b:ab:fc:64:52:f3:
+ 30:41:fc:10:5a:ac:a6:9b:0a:93:d0:d0:c9:bf:96:
+ 14:a7:cf:5c:3e:23:91:7e:54:ec:fe:2d:9f:c9:34:
+ d1:4e:95:2f:85:9c:cc:be:90:a3:a4:cb:4d:a4:72:
+ d2:84:e0:c7:42:c4:bf:70:b6:fa:d2:45:8b:83:66:
+ 1e:a4:e9:0e:06:a3:46:ea:a7:18:cd:33:b9:f1:ff:
+ 76:91:72:8f:cd:f9:93:43:c3:6e:17:1f:2d:86:df:
+ b6:fb:2d:d6:be:2d:98:ad:de:00:c7:de:f9:68:b5:
+ 40:40:56:49:ae:23:e5:a1:3b:5f:15:5a:44:50:da:
+ fb:02:d3:42:c6:87:0d:c0:8d:3a:e6:e2:aa:73:31:
+ ab:79:58:51:cd:03:80:f3:12:ce:2f:35:04:8b:39:
+ 5f:b0:cc:b8:41:99:47:c1:17:96:8b:c2:44:84:b5:
+ 21:8a:15:52:fe:1a:5a:f9:88:cc:11:17:ee:48:dd:
+ ba:bf:ed:67:6e:27:35:42:cf:07:5e:b1:8b:81:55:
+ 92:01:8e:61:fd:8e:82:74:b1:70:7a:3d:52:1f:16:
+ 78:12:bb:b5:09:62:ce:6d:18:4a:e9:f5:27:19:bc:
+ 93:4e:ed:dd:53:a8:c1:bb:48:b7:18:20:7b:79:48:
+ 48:9d
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
- 09:93:47:8E:5F:F3:BD:19:A2:77:FD:09:BA:13:A9:B6:C6:75:4E:B0
+ 0F:46:61:3E:6F:71:22:E6:1F:32:37:7C:B2:81:A6:CC:DB:9D:F5:7C
X509v3 Authority Key Identifier:
- keyid:09:93:47:8E:5F:F3:BD:19:A2:77:FD:09:BA:13:A9:B6:C6:75:4E:B0
+ keyid:0F:46:61:3E:6F:71:22:E6:1F:32:37:7C:B2:81:A6:CC:DB:9D:F5:7C
X509v3 Basic Constraints: critical
CA:TRUE
Signature Algorithm: sha256WithRSAEncryption
- a1:52:44:1e:c0:a1:73:48:98:dd:91:b9:a7:e1:da:c5:48:65:
- d2:6d:38:77:b5:fa:f6:f7:c5:e4:b7:51:28:ea:f1:6c:9e:82:
- 80:6d:6f:56:9c:3b:31:b8:71:0e:ad:17:f9:8e:c6:7e:87:a9:
- 5f:30:1c:0e:17:c8:c7:c2:3c:96:3d:7d:01:a9:ce:d0:cd:c3:
- 55:6b:ce:64:35:53:93:c6:8c:4c:3d:0d:38:01:17:7b:e2:d8:
- b3:a5:78:46:77:fc:7e:da:16:f8:96:d0:72:35:89:c3:15:8c:
- 38:37:8b:7f:ff:01:f9:84:b2:e9:8d:11:64:82:36:e7:ef:86:
- a6:de:11:d9:78:b4:07:6c:18:89:aa:d6:6d:a2:d8:24:98:40:
- 85:5d:ba:5c:36:75:ad:e8:25:03:2d:94:69:d1:ce:d9:8f:9b:
- fd:79:5d:4b:30:7a:de:18:08:5a:54:e9:7b:7d:e2:cb:20:65:
- 99:4c:5a:31:de:c8:2c:01:b1:c8:d1:30:1d:33:bd:ef:9b:43:
- 4d:ac:7d:20:1f:c3:10:53:2e:1a:99:d5:6c:62:0e:15:b3:bd:
- 3c:88:58:88:0c:4f:06:21:b7:a4:8c:eb:9f:63:2e:5e:1d:c8:
- 91:39:9a:2b:e3:bf:e4:0a:bd:6e:4d:71:15:4d:e1:af:01:15:
- 99:38:25:12
+ 91:e8:d8:c4:32:2e:80:5c:d4:cb:24:7a:81:43:a9:c7:95:90:
+ 1a:2e:7a:d3:0c:5d:b6:21:05:67:4d:98:5a:0d:71:ea:80:01:
+ 95:42:fe:fa:f1:7c:dc:bd:76:ff:05:26:3b:f0:94:b3:09:2c:
+ 34:dd:43:56:46:2b:15:35:99:d9:94:54:22:cf:a6:68:b0:d1:
+ 79:e2:f0:9f:0b:02:7c:cf:1f:bd:d0:f6:49:c6:82:28:a5:c6:
+ ae:94:65:cf:fd:ad:a8:6c:c2:17:da:db:f3:be:30:1a:1b:b4:
+ 2c:fa:08:71:9d:64:09:45:02:92:02:ad:eb:15:47:14:43:5b:
+ a8:2d:1a:ec:14:93:dc:ff:bb:51:33:a3:d5:4d:e2:77:ca:e1:
+ a5:98:5c:7a:b6:10:19:d3:d7:f5:14:a5:d5:08:f1:97:18:3d:
+ 5f:a6:4e:a2:4a:0d:4b:d4:bb:56:6b:a8:44:35:62:c5:d8:c6:
+ 67:11:93:1c:22:64:3e:aa:15:08:dc:87:39:dd:f6:e0:a0:d5:
+ 00:db:27:79:3d:f4:35:7c:46:a9:fa:0c:fa:fc:74:f5:bf:f4:
+ fe:71:40:45:33:22:35:83:f7:1a:96:2a:fc:b2:33:e0:1a:e8:
+ 24:48:91:5d:90:5c:4c:93:33:4c:40:de:26:bb:24:ac:48:9b:
+ ae:fe:19:34
-----BEGIN CERTIFICATE-----
-MIIDAzCCAeugAwIBAgIUf8MSKCNzho671uYhQ+Ny6AEXPtEwDQYJKoZIhvcNAQEL
-BQAwETEPMA0GA1UEAwwGQ0FSb290MB4XDTIxMDQyMzE3MDg1MVoXDTMxMDQyMTE3
-MDg1MVowETEPMA0GA1UEAwwGQ0FSb290MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
-MIIBCgKCAQEAs2qUZ3wzkE7buZSwphppd7szMf48i22K8c8H2YeGrUXPTOPnNdVL
-o3YnmzCxgj9XKcnwviVJJRZkWMyw8QEuGWlSyDhkYRa0p7p2K1TmpYBstmyKPMEG
-wuHB8xhrhwhLu1T0s3Id8s5HGF+C04jJOXtx/HEaqn5VbDV/g8Fg532xgNAXeu3n
-DYeLWeMYR+nP3g0Oxj5c6270Q5UxAS3o8rqKv+2CDHwUFBMO+67wOnwp7lUpykZ6
-vgWf+nVlTPX7z/6SjXji4UFVMiw2oqyWQ6riYFr/puI/W/zU06/PeEW15259tvrE
-BYSmSaesFo6yF6x1dvAp38jaogEFJQhNjwIDAQABo1MwUTAdBgNVHQ4EFgQUCZNH
-jl/zvRmid/0JuhOptsZ1TrAwHwYDVR0jBBgwFoAUCZNHjl/zvRmid/0JuhOptsZ1
-TrAwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAoVJEHsChc0iY
-3ZG5p+HaxUhl0m04d7X69vfF5LdRKOrxbJ6CgG1vVpw7MbhxDq0X+Y7GfoepXzAc
-DhfIx8I8lj19AanO0M3DVWvOZDVTk8aMTD0NOAEXe+LYs6V4Rnf8ftoW+JbQcjWJ
-wxWMODeLf/8B+YSy6Y0RZII25++Gpt4R2Xi0B2wYiarWbaLYJJhAhV26XDZ1regl
-Ay2UadHO2Y+b/XldSzB63hgIWlTpe33iyyBlmUxaMd7ILAGxyNEwHTO975tDTax9
-IB/DEFMuGpnVbGIOFbO9PIhYiAxPBiG3pIzrn2MuXh3IkTmaK+O/5Aq9bk1xFU3h
-rwEVmTglEg==
+MIIDAzCCAeugAwIBAgIUd0/2z5nKd+inbh794s+sqdpo0kIwDQYJKoZIhvcNAQEL
+BQAwETEPMA0GA1UEAwwGQ0FSb290MB4XDTIyMDUzMDEzMzgyNFoXDTMyMDUyNzEz
+MzgyNFowETEPMA0GA1UEAwwGQ0FSb290MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
+MIIBCgKCAQEAuF7CYO3E7jxbq/xkUvMwQfwQWqymmwqT0NDJv5YUp89cPiORflTs
+/i2fyTTRTpUvhZzMvpCjpMtNpHLShODHQsS/cLb60kWLg2YepOkOBqNG6qcYzTO5
+8f92kXKPzfmTQ8NuFx8tht+2+y3Wvi2Yrd4Ax975aLVAQFZJriPloTtfFVpEUNr7
+AtNCxocNwI065uKqczGreVhRzQOA8xLOLzUEizlfsMy4QZlHwReWi8JEhLUhihVS
+/hpa+YjMERfuSN26v+1nbic1Qs8HXrGLgVWSAY5h/Y6CdLFwej1SHxZ4Eru1CWLO
+bRhK6fUnGbyTTu3dU6jBu0i3GCB7eUhInQIDAQABo1MwUTAdBgNVHQ4EFgQUD0Zh
+Pm9xIuYfMjd8soGmzNud9XwwHwYDVR0jBBgwFoAUD0ZhPm9xIuYfMjd8soGmzNud
+9XwwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAkejYxDIugFzU
+yyR6gUOpx5WQGi560wxdtiEFZ02YWg1x6oABlUL++vF83L12/wUmO/CUswksNN1D
+VkYrFTWZ2ZRUIs+maLDReeLwnwsCfM8fvdD2ScaCKKXGrpRlz/2tqGzCF9rb874w
+Ghu0LPoIcZ1kCUUCkgKt6xVHFENbqC0a7BST3P+7UTOj1U3id8rhpZhcerYQGdPX
+9RSl1Qjxlxg9X6ZOokoNS9S7VmuoRDVixdjGZxGTHCJkPqoVCNyHOd324KDVANsn
+eT30NXxGqfoM+vx09b/0/nFARTMiNYP3GpYq/LIz4BroJEiRXZBcTJMzTEDeJrsk
+rEibrv4ZNA==
-----END CERTIFICATE-----
diff --git a/pulsar-proxy/src/test/resources/authentication/tls/client-cert.pem b/pulsar-proxy/src/test/resources/authentication/tls/client-cert.pem
index 0fc458dbe53..192d686246f 100644
--- a/pulsar-proxy/src/test/resources/authentication/tls/client-cert.pem
+++ b/pulsar-proxy/src/test/resources/authentication/tls/client-cert.pem
@@ -1,13 +1,13 @@
Certificate:
Data:
- Version: 1 (0x0)
+ Version: 3 (0x2)
Serial Number:
- 0c:26:15:df:8f:71:1d:6a:31:d0:da:af:64:ef:80:de:ac:9a:46:74
+ 61:e6:1b:07:90:6a:4f:f7:cd:46:b9:59:1d:3e:1c:39:0d:f2:5e:01
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN = CARoot
Validity
- Not Before: Apr 23 17:08:51 2021 GMT
- Not After : Apr 21 17:08:51 2031 GMT
+ Not Before: May 30 13:38:24 2022 GMT
+ Not After : May 27 13:38:24 2032 GMT
Subject: C = US, ST = CA, O = Apache, OU = Apache Pulsar, CN = superUser
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
@@ -32,37 +32,41 @@ Certificate:
b6:98:ef:dd:03:82:58:a3:32:dc:90:a1:b6:a6:1e:
e1:0b
Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Subject Alternative Name:
+ DNS:localhost, IP Address:127.0.0.1
Signature Algorithm: sha256WithRSAEncryption
- 33:40:2a:38:48:99:a0:fe:68:4d:07:3b:08:ae:af:a1:7c:ea:
- 70:ab:a7:c8:32:b4:ff:9f:5a:51:3b:2b:a2:aa:21:75:44:7d:
- be:e7:fb:08:b9:81:e5:4c:cf:01:86:f9:06:63:4f:ce:7a:1d:
- cb:1e:9e:8f:d5:0a:54:53:69:91:05:10:2c:b0:4f:d4:3a:b5:
- 25:0e:25:4c:eb:67:64:d7:85:29:77:63:30:da:2a:77:3f:59:
- c2:8c:e9:02:57:49:93:3a:51:91:1a:b2:59:4d:d5:69:c9:9d:
- cc:e2:4f:b2:6c:5b:ba:45:68:c7:f5:18:f4:1d:b8:0c:eb:fd:
- 0a:cf:10:5d:dc:3e:26:49:03:33:37:40:f7:96:88:82:99:5c:
- 38:8d:cc:3b:de:b5:b9:ee:f9:ac:ae:ce:03:9a:1e:a7:f8:02:
- 73:2e:af:e7:b0:22:cb:3d:a3:ca:85:16:e9:e6:e2:d6:bf:1c:
- 1a:4c:ea:14:49:52:84:67:38:97:c7:b3:30:72:cc:c6:08:e5:
- 40:0a:87:da:19:98:26:4f:0b:54:43:a2:a0:ea:51:b2:23:88:
- d2:b4:0e:82:4f:02:92:a4:fb:27:e2:06:15:76:e7:27:f2:a2:
- e4:23:7b:24:ca:e6:80:93:2b:cd:54:ca:1b:9b:fd:d9:59:d1:
- 96:31:25:7b
+ 96:c2:23:2d:46:d0:3d:23:0e:ab:3d:b6:1e:31:96:00:eb:ae:
+ 17:ac:6e:c0:d4:1a:8d:0f:36:63:27:02:49:4e:24:cf:d3:80:
+ 88:3a:4f:d0:f1:e5:1c:df:2d:8a:ab:ae:8d:48:77:a0:d0:dc:
+ d5:80:1c:a1:3d:0d:49:64:bf:cb:39:84:c9:f3:5d:e0:2d:ba:
+ a0:f2:ac:03:85:44:a1:97:6b:0b:de:ed:a7:49:19:46:b2:18:
+ 49:21:62:43:52:36:6f:47:6c:21:6b:5e:41:85:28:71:6c:22:
+ 27:35:76:82:ed:ac:ad:d7:fa:9d:4c:7d:6f:44:7e:06:dd:8a:
+ 11:32:0c:d9:d0:f6:63:2a:40:ae:0d:5a:df:9e:d7:91:8a:db:
+ 2d:95:f3:19:f0:8f:1e:34:e3:b2:31:67:38:74:fd:3f:e6:49:
+ 5e:53:eb:88:ae:b1:45:71:0e:67:97:3c:99:4e:c7:ea:1e:02:
+ 67:b4:54:ef:4f:10:55:4a:70:c0:eb:41:e4:50:d4:48:5e:70:
+ c5:0f:79:f2:06:3d:35:ea:ce:5d:13:8e:14:65:fc:98:21:16:
+ 2d:5d:6d:f8:e0:6b:c7:c6:e4:8a:ca:c9:38:1f:93:27:86:28:
+ ef:96:e7:ad:6c:4a:9e:10:78:48:00:f4:4a:43:dc:87:1d:e3:
+ d3:39:53:68
-----BEGIN CERTIFICATE-----
-MIIC7zCCAdcCFAwmFd+PcR1qMdDar2TvgN6smkZ0MA0GCSqGSIb3DQEBCwUAMBEx
-DzANBgNVBAMMBkNBUm9vdDAeFw0yMTA0MjMxNzA4NTFaFw0zMTA0MjExNzA4NTFa
-MFcxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTEPMA0GA1UEChMGQXBhY2hlMRYw
-FAYDVQQLEw1BcGFjaGUgUHVsc2FyMRIwEAYDVQQDEwlzdXBlclVzZXIwggEiMA0G
-CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDNQ32YQPmwW7yu28ALrSaQluBiOO1o
-sXBGO95E+RRRhhDrypDniOj5kYXg3bW0FLl444bVVG1o7BSStPgiWwU97TElZQgF
-hMrmDCESWDLHGmCjT9JKnigZfEWEAIyJ3N6K5U+Ikcyk8YFFTH3C/+LBicYSc5Xi
-Nr3brotaaGqQUd4riF+qZ/So42PcvhmCzJ1/5o37gr4iAT1WEztbBLToxRjmLg36
-ukqN6MZaoVGaSmLXr920/OLVza6ZbFxhVgvXDBp3XPU6alS1njOsqXUomnav0HpX
-ABuREzH9QoghRwUQAS9Zu8c62eFYTBtscbaY790DglijMtyQobamHuELAgMBAAEw
-DQYJKoZIhvcNAQELBQADggEBADNAKjhImaD+aE0HOwiur6F86nCrp8gytP+fWlE7
-K6KqIXVEfb7n+wi5geVMzwGG+QZjT856Hcseno/VClRTaZEFECywT9Q6tSUOJUzr
-Z2TXhSl3YzDaKnc/WcKM6QJXSZM6UZEasllN1WnJncziT7JsW7pFaMf1GPQduAzr
-/QrPEF3cPiZJAzM3QPeWiIKZXDiNzDvetbnu+ayuzgOaHqf4AnMur+ewIss9o8qF
-Funm4ta/HBpM6hRJUoRnOJfHszByzMYI5UAKh9oZmCZPC1RDoqDqUbIjiNK0DoJP
-ApKk+yfiBhV25yfyouQjeyTK5oCTK81Uyhub/dlZ0ZYxJXs=
+MIIDFDCCAfygAwIBAgIUYeYbB5BqT/fNRrlZHT4cOQ3yXgEwDQYJKoZIhvcNAQEL
+BQAwETEPMA0GA1UEAwwGQ0FSb290MB4XDTIyMDUzMDEzMzgyNFoXDTMyMDUyNzEz
+MzgyNFowVzELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMQ8wDQYDVQQKEwZBcGFj
+aGUxFjAUBgNVBAsTDUFwYWNoZSBQdWxzYXIxEjAQBgNVBAMTCXN1cGVyVXNlcjCC
+ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAM1DfZhA+bBbvK7bwAutJpCW
+4GI47WixcEY73kT5FFGGEOvKkOeI6PmRheDdtbQUuXjjhtVUbWjsFJK0+CJbBT3t
+MSVlCAWEyuYMIRJYMscaYKNP0kqeKBl8RYQAjInc3orlT4iRzKTxgUVMfcL/4sGJ
+xhJzleI2vduui1poapBR3iuIX6pn9KjjY9y+GYLMnX/mjfuCviIBPVYTO1sEtOjF
+GOYuDfq6So3oxlqhUZpKYtev3bT84tXNrplsXGFWC9cMGndc9TpqVLWeM6ypdSia
+dq/QelcAG5ETMf1CiCFHBRABL1m7xzrZ4VhMG2xxtpjv3QOCWKMy3JChtqYe4QsC
+AwEAAaMeMBwwGgYDVR0RBBMwEYIJbG9jYWxob3N0hwR/AAABMA0GCSqGSIb3DQEB
+CwUAA4IBAQCWwiMtRtA9Iw6rPbYeMZYA664XrG7A1BqNDzZjJwJJTiTP04CIOk/Q
+8eUc3y2Kq66NSHeg0NzVgByhPQ1JZL/LOYTJ813gLbqg8qwDhUShl2sL3u2nSRlG
+shhJIWJDUjZvR2wha15BhShxbCInNXaC7ayt1/qdTH1vRH4G3YoRMgzZ0PZjKkCu
+DVrfnteRitstlfMZ8I8eNOOyMWc4dP0/5kleU+uIrrFFcQ5nlzyZTsfqHgJntFTv
+TxBVSnDA60HkUNRIXnDFD3nyBj016s5dE44UZfyYIRYtXW344GvHxuSKysk4H5Mn
+hijvluetbEqeEHhIAPRKQ9yHHePTOVNo
-----END CERTIFICATE-----
diff --git a/pulsar-proxy/src/test/resources/authentication/tls/server-cert.pem b/pulsar-proxy/src/test/resources/authentication/tls/server-cert.pem
index 0f8bc17b9ed..c09434c85d2 100644
--- a/pulsar-proxy/src/test/resources/authentication/tls/server-cert.pem
+++ b/pulsar-proxy/src/test/resources/authentication/tls/server-cert.pem
@@ -1,13 +1,13 @@
Certificate:
Data:
- Version: 1 (0x0)
+ Version: 3 (0x2)
Serial Number:
- 0c:26:15:df:8f:71:1d:6a:31:d0:da:af:64:ef:80:de:ac:9a:46:75
+ 61:e6:1b:07:90:6a:4f:f7:cd:46:b9:59:1d:3e:1c:39:0d:f2:5e:02
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN = CARoot
Validity
- Not Before: Apr 23 17:08:51 2021 GMT
- Not After : Apr 21 17:08:51 2031 GMT
+ Not Before: May 30 13:38:24 2022 GMT
+ Not After : May 27 13:38:24 2032 GMT
Subject: C = US, ST = CA, O = Apache, OU = Apache Pulsar, CN = localhost
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
@@ -32,37 +32,41 @@ Certificate:
a0:1a:81:9d:d2:e1:66:dd:c4:cc:fc:63:04:ac:ec:
a7:35
Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Subject Alternative Name:
+ DNS:localhost, IP Address:127.0.0.1
Signature Algorithm: sha256WithRSAEncryption
- 81:a7:27:69:49:e6:1b:c0:f2:a6:10:c2:ef:c7:64:27:69:53:
- 3c:bd:8e:7c:b7:b8:bd:2a:02:d4:ab:4b:f3:7b:25:e8:1e:d8:
- 3d:88:00:04:6c:a0:da:67:57:65:5d:a2:b6:1d:9a:8c:c7:bd:
- 27:53:78:6a:61:3f:61:c1:23:d5:34:65:f1:49:ec:20:5d:f1:
- 01:90:99:e8:e6:99:17:ae:c3:ed:e5:da:c4:f1:8c:89:e8:38:
- c1:01:e0:84:27:bf:01:f5:ee:62:87:55:6c:63:fc:45:12:d3:
- 2f:f7:e2:b9:f0:33:d0:84:1e:6b:23:7b:3e:ae:25:f6:ff:11:
- 12:f4:12:63:b6:88:5d:01:aa:ce:c9:e4:d8:78:a2:2d:4c:9a:
- 50:4d:57:80:6a:4b:2d:19:4c:61:21:6a:7a:06:2b:cf:82:ae:
- f3:61:b0:ef:62:ae:3b:2d:2d:0d:c8:da:75:49:72:5a:1c:8b:
- 15:c2:bb:07:5b:37:81:f6:42:e4:84:29:4c:cb:fc:4d:e1:86:
- 9b:86:af:1f:03:08:58:b0:15:4c:72:fd:e6:62:e2:b2:37:ca:
- eb:a4:67:ec:12:8f:95:57:d7:e7:cf:fe:b5:f9:4a:55:66:c4:
- 2f:af:e9:65:a9:54:a8:9d:1a:1e:9a:9e:ec:60:bf:b5:ef:2b:
- b6:d5:02:e9
+ 88:89:d7:52:b3:61:49:73:7d:ee:aa:6f:47:11:cd:52:f1:ef:
+ 9a:63:5f:43:a9:4f:66:c8:36:dd:44:24:ba:4f:c3:6c:94:90:
+ 85:5e:29:fb:65:cf:03:3b:37:16:5e:88:07:70:97:54:93:f0:
+ f3:09:d7:65:60:09:00:fd:7f:dd:6a:ab:25:3a:30:c4:89:34:
+ 43:82:f6:f5:f4:2d:39:3d:21:90:c4:00:27:c5:6a:23:41:20:
+ c6:42:35:56:91:17:fa:31:90:09:6a:4c:e4:a7:53:ae:61:b6:
+ d3:5b:82:71:08:d0:0b:af:34:0f:9b:bd:bc:8c:1c:31:43:43:
+ 97:82:9a:ac:2a:53:ca:11:ce:6f:64:ac:86:c1:f0:62:14:aa:
+ c3:dd:15:5b:1c:02:6f:bb:40:87:17:b7:e5:9d:93:9a:51:c9:
+ 1e:7a:8c:d1:22:75:44:f1:9d:90:4b:3e:1f:6c:ab:6f:e3:be:
+ cd:c7:15:9d:04:84:4a:1b:a7:ac:64:5d:d7:3e:23:98:b9:49:
+ dd:85:dd:80:4c:46:08:9b:f5:df:eb:19:c8:57:70:ac:43:f9:
+ d6:9c:1b:1b:2a:94:cf:c1:35:56:a2:f4:b1:00:5d:9e:1e:36:
+ 54:72:ab:aa:ef:49:b2:f0:dc:cf:5b:22:51:bf:e4:c9:57:dc:
+ d0:48:0d:f2
-----BEGIN CERTIFICATE-----
-MIIC7zCCAdcCFAwmFd+PcR1qMdDar2TvgN6smkZ1MA0GCSqGSIb3DQEBCwUAMBEx
-DzANBgNVBAMMBkNBUm9vdDAeFw0yMTA0MjMxNzA4NTFaFw0zMTA0MjExNzA4NTFa
-MFcxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTEPMA0GA1UEChMGQXBhY2hlMRYw
-FAYDVQQLEw1BcGFjaGUgUHVsc2FyMRIwEAYDVQQDEwlsb2NhbGhvc3QwggEiMA0G
-CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCvv7ctmK2d9tqjE9RiD5i+HKKJIrpv
-1f0fZ+ORA5iAgQ7t2PZwfyw2aD1T6lg6ptWJZku9HldxE21LEeVApXaEJJJAWICW
-yR8sxFXro3lzcFw3montL7pr44J8aUoCVIuBXjy/TIrL6ixeg+e3EAhfglijidHa
-kroqKO4wKD9brhBxlsfhEsWwGq1Eb0Q6EUqaPA+NBoB7NO8/bPRexURUHsjdx4CF
-gNlo5sZTA3fh/hhhB3cFTO1ZvF1BOGrvXaGyYJjUSCiVAooO/c97G9IRzBAMUHPX
-zDhsg915JqqQyJuEhrxZ6WJp9JgbxIB4fqAagZ3S4WbdxMz8YwSs7Kc1AgMBAAEw
-DQYJKoZIhvcNAQELBQADggEBAIGnJ2lJ5hvA8qYQwu/HZCdpUzy9jny3uL0qAtSr
-S/N7Jege2D2IAARsoNpnV2VdorYdmozHvSdTeGphP2HBI9U0ZfFJ7CBd8QGQmejm
-mReuw+3l2sTxjInoOMEB4IQnvwH17mKHVWxj/EUS0y/34rnwM9CEHmsjez6uJfb/
-ERL0EmO2iF0Bqs7J5Nh4oi1MmlBNV4BqSy0ZTGEhanoGK8+CrvNhsO9irjstLQ3I
-2nVJclocixXCuwdbN4H2QuSEKUzL/E3hhpuGrx8DCFiwFUxy/eZi4rI3yuukZ+wS
-j5VX1+fP/rX5SlVmxC+v6WWpVKidGh6anuxgv7XvK7bVAuk=
+MIIDFDCCAfygAwIBAgIUYeYbB5BqT/fNRrlZHT4cOQ3yXgIwDQYJKoZIhvcNAQEL
+BQAwETEPMA0GA1UEAwwGQ0FSb290MB4XDTIyMDUzMDEzMzgyNFoXDTMyMDUyNzEz
+MzgyNFowVzELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMQ8wDQYDVQQKEwZBcGFj
+aGUxFjAUBgNVBAsTDUFwYWNoZSBQdWxzYXIxEjAQBgNVBAMTCWxvY2FsaG9zdDCC
+ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK+/ty2YrZ322qMT1GIPmL4c
+ookium/V/R9n45EDmICBDu3Y9nB/LDZoPVPqWDqm1YlmS70eV3ETbUsR5UCldoQk
+kkBYgJbJHyzEVeujeXNwXDeaie0vumvjgnxpSgJUi4FePL9MisvqLF6D57cQCF+C
+WKOJ0dqSuioo7jAoP1uuEHGWx+ESxbAarURvRDoRSpo8D40GgHs07z9s9F7FRFQe
+yN3HgIWA2WjmxlMDd+H+GGEHdwVM7Vm8XUE4au9dobJgmNRIKJUCig79z3sb0hHM
+EAxQc9fMOGyD3XkmqpDIm4SGvFnpYmn0mBvEgHh+oBqBndLhZt3EzPxjBKzspzUC
+AwEAAaMeMBwwGgYDVR0RBBMwEYIJbG9jYWxob3N0hwR/AAABMA0GCSqGSIb3DQEB
+CwUAA4IBAQCIiddSs2FJc33uqm9HEc1S8e+aY19DqU9myDbdRCS6T8NslJCFXin7
+Zc8DOzcWXogHcJdUk/DzCddlYAkA/X/daqslOjDEiTRDgvb19C05PSGQxAAnxWoj
+QSDGQjVWkRf6MZAJakzkp1OuYbbTW4JxCNALrzQPm728jBwxQ0OXgpqsKlPKEc5v
+ZKyGwfBiFKrD3RVbHAJvu0CHF7flnZOaUckeeozRInVE8Z2QSz4fbKtv477NxxWd
+BIRKG6esZF3XPiOYuUndhd2ATEYIm/Xf6xnIV3CsQ/nWnBsbKpTPwTVWovSxAF2e
+HjZUcquq70my8NzPWyJRv+TJV9zQSA3y
-----END CERTIFICATE-----
[pulsar] 02/02: Configure DLog Bookie, Pulsar, and Admin clients via pass through config (#15818)
Posted by lh...@apache.org.
This is an automated email from the ASF dual-hosted git repository.
lhotari pushed a commit to branch branch-2.8
in repository https://gitbox.apache.org/repos/asf/pulsar.git
commit d38407652f642d144f8d9ab05443e65015bebccb
Author: Michael Marshall <mm...@apache.org>
AuthorDate: Wed Jun 1 02:14:49 2022 -0500
Configure DLog Bookie, Pulsar, and Admin clients via pass through config (#15818)
(cherry picked from commit aa673498f88d0ed4f9d5788a5036355834ea5119)
---
conf/broker.conf | 14 ++-
conf/functions_worker.yml | 20 ++++
conf/proxy.conf | 4 +
conf/websocket.conf | 4 +
.../pulsar/broker/BookKeeperClientFactoryImpl.java | 16 ++-
.../org/apache/pulsar/broker/PulsarService.java | 29 ++++--
.../pulsar/broker/namespace/NamespaceService.java | 6 ++
.../pulsar/broker/service/BrokerService.java | 21 +++-
.../apache/pulsar/compaction/CompactorTool.java | 6 ++
...kerInternalClientConfigurationOverrideTest.java | 115 +++++++++++++++++++++
.../PulsarClientConfigurationOverrideTest.java | 56 ++++++++++
.../websocket/proxy/ProxyConfigurationTest.java | 6 ++
.../pulsar/client/admin/PulsarAdminBuilder.java | 23 +++++
.../admin/internal/PulsarAdminBuilderImpl.java | 9 +-
.../pulsar/client/internal/PropertiesUtils.java | 64 ++++++++++++
.../src/test/resources/test_worker_config.yml | 3 +
.../functions/worker/PulsarWorkerService.java | 12 ++-
.../pulsar/functions/worker/WorkerUtils.java | 45 +++++++-
.../pulsar/functions/worker/WorkerUtilsTest.java | 19 ++++
.../bookkeeper/BookKeeperPackagesStorage.java | 8 ++
.../BookKeeperPackagesStorageConfiguration.java | 4 +
.../core/PackagesStorageConfiguration.java | 6 ++
.../impl/DefaultPackagesStorageConfiguration.java | 5 +
.../pulsar/proxy/server/ProxyConnection.java | 15 ++-
.../apache/pulsar/websocket/WebSocketService.java | 7 +-
site2/docs/reference-configuration.md | 21 ++++
26 files changed, 504 insertions(+), 34 deletions(-)
diff --git a/conf/broker.conf b/conf/broker.conf
index cd304dc858c..ea27c8022b3 100644
--- a/conf/broker.conf
+++ b/conf/broker.conf
@@ -646,6 +646,9 @@ brokerClientTlsCiphers=
# used by the internal client to authenticate with Pulsar brokers
brokerClientTlsProtocols=
+# You can add extra configuration options for the Pulsar Client and the Pulsar Admin Client
+# by prefixing them with "brokerClient_". These configurations are applied after hard coded configuration
+# and before the above brokerClient configurations named above.
### --- Authentication --- ###
@@ -884,8 +887,11 @@ managedLedgerDefaultAckQuorum=2
# in case of lack of enough bookies
#bookkeeper_opportunisticStriping=false
-# you can add other configuration options for the BookKeeper client
-# by prefixing them with bookkeeper_
+# You can add other configuration options for the BookKeeper client
+# by prefixing them with "bookkeeper_". These configurations are applied
+# to all bookkeeper clients started by the broker (including the managed ledger bookkeeper clients as well as
+# the BookkeeperPackagesStorage bookkeeper client), except the distributed log bookkeeper client.
+# The dlog bookkeeper client is configured in the functions worker configuration file.
# How frequently to flush the cursor positions that were accumulated due to rate limiting. (seconds).
# Default is 60 seconds
@@ -1323,4 +1329,8 @@ packagesReplicas=1
# The bookkeeper ledger root path
packagesManagementLedgerRootPath=/ledgers
+# When using BookKeeperPackagesStorageProvider, you can configure the
+# bookkeeper client by prefixing configurations with "bookkeeper_".
+# This config applies to managed ledger bookkeeper clients, as well.
+
### --- Packages management service configuration variables (end) --- ###
diff --git a/conf/functions_worker.yml b/conf/functions_worker.yml
index dbcce3d660f..5fa0ef18feb 100644
--- a/conf/functions_worker.yml
+++ b/conf/functions_worker.yml
@@ -362,3 +362,23 @@ validateConnectorConfig: false
# Whether to initialize distributed log metadata by runtime.
# If it is set to true, you must ensure that it has been initialized by "bin/pulsarinitialize-cluster-metadata" command.
initializedDlogMetadata: false
+###########################
+# Arbitrary Configuration
+###########################
+# When a configuration parameter is not explicitly named in the WorkerConfig class, it is only accessible from the
+# properties map. This map can be configured by supplying values to the properties map in this config file.
+
+# Configure the DLog bookkeeper client by prefixing configurations with "bookkeeper_". Because these are arbitrary, they
+# must be added to the properties map to get correctly applied. This configuration applies to the Dlog bookkeeper client
+# in both the standalone function workers and function workers initialized in the broker.
+
+# You can add extra configuration options for the Pulsar Client and the Pulsar Admin Client
+# by prefixing them with "brokerClient_". These configurations are applied after hard coded configuration
+# and before the above brokerClient configurations named above.
+
+## For example, when using the token authentication provider (AuthenticationProviderToken), you must configure several
+## custom configurations. Here is a sample for configuring one of the necessary configs:
+#properties:
+# tokenPublicKey: "file:///path/to/my/key"
+# tokenPublicAlg: "RSA256"
+
diff --git a/conf/proxy.conf b/conf/proxy.conf
index e5088b2742c..3336a6166a5 100644
--- a/conf/proxy.conf
+++ b/conf/proxy.conf
@@ -163,6 +163,10 @@ tlsEnabledWithBroker=false
# Tls cert refresh duration in seconds (set 0 to check on every new connection)
tlsCertRefreshCheckDurationSec=300
+# You can add extra configuration options for the Pulsar Client
+# by prefixing them with "brokerClient_". These configurations are applied after hard coded configuration
+# and before the above brokerClient configurations named above.
+
##### --- Rate Limiting --- #####
# Max concurrent inbound connections. The proxy will reject requests beyond that.
diff --git a/conf/websocket.conf b/conf/websocket.conf
index e2688516bc2..57d545ae80e 100644
--- a/conf/websocket.conf
+++ b/conf/websocket.conf
@@ -92,6 +92,10 @@ brokerClientAuthenticationPlugin=
brokerClientAuthenticationParameters=
brokerClientTrustCertsFilePath=
+# You can add extra configuration options for the Pulsar Client
+# by prefixing them with "brokerClient_". These configurations are applied after hard coded configuration
+# and before the above brokerClient configurations named above.
+
# When this parameter is not empty, unauthenticated users perform as anonymousUserRole
anonymousUserRole=
diff --git a/pulsar-broker/src/main/java/org/apache/pulsar/broker/BookKeeperClientFactoryImpl.java b/pulsar-broker/src/main/java/org/apache/pulsar/broker/BookKeeperClientFactoryImpl.java
index a59ee652523..b06e29db97a 100644
--- a/pulsar-broker/src/main/java/org/apache/pulsar/broker/BookKeeperClientFactoryImpl.java
+++ b/pulsar-broker/src/main/java/org/apache/pulsar/broker/BookKeeperClientFactoryImpl.java
@@ -29,7 +29,6 @@ import io.netty.channel.EventLoopGroup;
import java.io.IOException;
import java.util.Map;
import java.util.Optional;
-import java.util.Properties;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.atomic.AtomicReference;
import lombok.extern.slf4j.Slf4j;
@@ -42,6 +41,7 @@ import org.apache.bookkeeper.conf.ClientConfiguration;
import org.apache.bookkeeper.stats.NullStatsLogger;
import org.apache.bookkeeper.stats.StatsLogger;
import org.apache.commons.lang3.StringUtils;
+import org.apache.pulsar.client.internal.PropertiesUtils;
import org.apache.pulsar.common.allocator.PulsarByteBufAllocator;
import org.apache.pulsar.common.protocol.Commands;
import org.apache.pulsar.zookeeper.ZkBookieRackAffinityMapping;
@@ -146,15 +146,11 @@ public class BookKeeperClientFactoryImpl implements BookKeeperClientFactory {
conf.getBookkeeperClientGetBookieInfoIntervalSeconds(), TimeUnit.SECONDS);
bkConf.setGetBookieInfoRetryIntervalSeconds(
conf.getBookkeeperClientGetBookieInfoRetryIntervalSeconds(), TimeUnit.SECONDS);
- Properties allProps = conf.getProperties();
- allProps.forEach((key, value) -> {
- String sKey = key.toString();
- if (sKey.startsWith("bookkeeper_") && value != null) {
- String bkExtraConfigKey = sKey.substring(11);
- log.info("Extra BookKeeper client configuration {}, setting {}={}", sKey, bkExtraConfigKey, value);
- bkConf.setProperty(bkExtraConfigKey, value);
- }
- });
+ PropertiesUtils.filterAndMapProperties(conf.getProperties(), "bookkeeper_")
+ .forEach((key, value) -> {
+ log.info("Applying BookKeeper client configuration setting {}={}", key, value);
+ bkConf.setProperty(key, value);
+ });
return bkConf;
}
diff --git a/pulsar-broker/src/main/java/org/apache/pulsar/broker/PulsarService.java b/pulsar-broker/src/main/java/org/apache/pulsar/broker/PulsarService.java
index a8c107fa0b3..14897831755 100644
--- a/pulsar-broker/src/main/java/org/apache/pulsar/broker/PulsarService.java
+++ b/pulsar-broker/src/main/java/org/apache/pulsar/broker/PulsarService.java
@@ -130,6 +130,8 @@ import org.apache.pulsar.client.api.PulsarClientException;
import org.apache.pulsar.client.api.transaction.TransactionBufferClient;
import org.apache.pulsar.client.impl.PulsarClientImpl;
import org.apache.pulsar.client.impl.conf.ClientConfigurationData;
+import org.apache.pulsar.client.impl.conf.ConfigurationDataUtils;
+import org.apache.pulsar.client.internal.PropertiesUtils;
import org.apache.pulsar.common.conf.InternalConfigurationData;
import org.apache.pulsar.common.configuration.PulsarConfigurationLoader;
import org.apache.pulsar.common.configuration.VipStatus;
@@ -1344,7 +1346,16 @@ public class PulsarService implements AutoCloseable {
public synchronized PulsarClient getClient() throws PulsarServerException {
if (this.client == null) {
try {
- ClientConfigurationData conf = new ClientConfigurationData();
+ ClientConfigurationData initialConf = new ClientConfigurationData();
+ initialConf.setStatsIntervalSeconds(0);
+
+ // Apply all arbitrary configuration. This must be called before setting any fields annotated as
+ // @Secret on the ClientConfigurationData object because of the way they are serialized.
+ // See https://github.com/apache/pulsar/issues/8509 for more information.
+ Map<String, Object> overrides = PropertiesUtils
+ .filterAndMapProperties(this.getConfiguration().getProperties(), "brokerClient_");
+ ClientConfigurationData conf =
+ ConfigurationDataUtils.loadData(overrides, initialConf, ClientConfigurationData.class);
conf.setServiceUrl(this.getConfiguration().isTlsEnabled()
? this.brokerServiceUrlTls : this.brokerServiceUrl);
conf.setTlsAllowInsecureConnection(this.getConfiguration().isTlsAllowInsecureConnection());
@@ -1372,8 +1383,6 @@ public class PulsarService implements AutoCloseable {
this.getConfiguration().getBrokerClientAuthenticationPlugin(),
this.getConfiguration().getBrokerClientAuthenticationParameters()));
}
-
- conf.setStatsIntervalSeconds(0);
this.client = new PulsarClientImpl(conf, ioEventLoopGroup);
} catch (Exception e) {
throw new PulsarServerException(e);
@@ -1393,10 +1402,16 @@ public class PulsarService implements AutoCloseable {
+ ", webServiceAddressTls: " + webServiceAddressTls
+ ", webServiceAddress: " + webServiceAddress);
}
- PulsarAdminBuilder builder = PulsarAdmin.builder().serviceHttpUrl(adminApiUrl) //
- .authentication(//
- conf.getBrokerClientAuthenticationPlugin(), //
- conf.getBrokerClientAuthenticationParameters());
+ PulsarAdminBuilder builder = PulsarAdmin.builder().serviceHttpUrl(adminApiUrl);
+
+ // Apply all arbitrary configuration. This must be called before setting any fields annotated as
+ // @Secret on the ClientConfigurationData object because of the way they are serialized.
+ // See https://github.com/apache/pulsar/issues/8509 for more information.
+ builder.loadConf(PropertiesUtils.filterAndMapProperties(config.getProperties(), "brokerClient_"));
+
+ builder.authentication(
+ conf.getBrokerClientAuthenticationPlugin(),
+ conf.getBrokerClientAuthenticationParameters());
if (conf.isBrokerClientTlsEnabled()) {
builder.tlsCiphers(config.getBrokerClientTlsCiphers())
diff --git a/pulsar-broker/src/main/java/org/apache/pulsar/broker/namespace/NamespaceService.java b/pulsar-broker/src/main/java/org/apache/pulsar/broker/namespace/NamespaceService.java
index 36c5cc31c11..0012c3bd825 100644
--- a/pulsar-broker/src/main/java/org/apache/pulsar/broker/namespace/NamespaceService.java
+++ b/pulsar-broker/src/main/java/org/apache/pulsar/broker/namespace/NamespaceService.java
@@ -73,6 +73,7 @@ import org.apache.pulsar.client.api.PulsarClientException;
import org.apache.pulsar.client.impl.ClientBuilderImpl;
import org.apache.pulsar.client.impl.PulsarClientImpl;
import org.apache.pulsar.client.impl.conf.ClientConfigurationData;
+import org.apache.pulsar.client.internal.PropertiesUtils;
import org.apache.pulsar.common.api.proto.CommandGetTopicsOfNamespace.Mode;
import org.apache.pulsar.common.lookup.data.LookupData;
import org.apache.pulsar.common.naming.NamespaceBundle;
@@ -1279,6 +1280,11 @@ public class NamespaceService implements AutoCloseable {
.enableTcpNoDelay(false)
.statsInterval(0, TimeUnit.SECONDS);
+ // Apply all arbitrary configuration. This must be called before setting any fields annotated as
+ // @Secret on the ClientConfigurationData object because of the way they are serialized.
+ // See https://github.com/apache/pulsar/issues/8509 for more information.
+ clientBuilder.loadConf(PropertiesUtils.filterAndMapProperties(config.getProperties(), "brokerClient_"));
+
if (pulsar.getConfiguration().isAuthenticationEnabled()) {
clientBuilder.authentication(pulsar.getConfiguration().getBrokerClientAuthenticationPlugin(),
pulsar.getConfiguration().getBrokerClientAuthenticationParameters());
diff --git a/pulsar-broker/src/main/java/org/apache/pulsar/broker/service/BrokerService.java b/pulsar-broker/src/main/java/org/apache/pulsar/broker/service/BrokerService.java
index a5e013230c3..bdaded637b6 100644
--- a/pulsar-broker/src/main/java/org/apache/pulsar/broker/service/BrokerService.java
+++ b/pulsar-broker/src/main/java/org/apache/pulsar/broker/service/BrokerService.java
@@ -131,6 +131,7 @@ import org.apache.pulsar.client.api.PulsarClient;
import org.apache.pulsar.client.impl.ClientBuilderImpl;
import org.apache.pulsar.client.impl.PulsarClientImpl;
import org.apache.pulsar.client.impl.conf.ClientConfigurationData;
+import org.apache.pulsar.client.internal.PropertiesUtils;
import org.apache.pulsar.common.allocator.PulsarByteBufAllocator;
import org.apache.pulsar.common.configuration.FieldContext;
import org.apache.pulsar.common.intercept.AppendIndexMetadataInterceptor;
@@ -1130,6 +1131,12 @@ public class BrokerService implements Closeable, ZooKeeperCacheListener<Policies
.enableTcpNoDelay(false)
.connectionsPerBroker(pulsar.getConfiguration().getReplicationConnectionsPerBroker())
.statsInterval(0, TimeUnit.SECONDS);
+ // Apply all arbitrary configuration. This must be called before setting any fields annotated as
+ // @Secret on the ClientConfigurationData object because of the way they are serialized.
+ // See https://github.com/apache/pulsar/issues/8509 for more information.
+ clientBuilder.loadConf(PropertiesUtils.filterAndMapProperties(pulsar.getConfiguration().getProperties(),
+ "brokerClient_"));
+
if (data.getAuthenticationPlugin() != null && data.getAuthenticationParameters() != null) {
clientBuilder.authentication(data.getAuthenticationPlugin(), data.getAuthenticationParameters());
} else if (pulsar.getConfiguration().isAuthenticationEnabled()) {
@@ -1206,10 +1213,16 @@ public class BrokerService implements Closeable, ZooKeeperCacheListener<Policies
boolean isTlsUrl = conf.isBrokerClientTlsEnabled() && isNotBlank(data.getServiceUrlTls());
String adminApiUrl = isTlsUrl ? data.getServiceUrlTls() : data.getServiceUrl();
- PulsarAdminBuilder builder = PulsarAdmin.builder().serviceHttpUrl(adminApiUrl)
- .authentication(
- conf.getBrokerClientAuthenticationPlugin(),
- conf.getBrokerClientAuthenticationParameters());
+ PulsarAdminBuilder builder = PulsarAdmin.builder().serviceHttpUrl(adminApiUrl);
+
+ // Apply all arbitrary configuration. This must be called before setting any fields annotated as
+ // @Secret on the ClientConfigurationData object because of the way they are serialized.
+ // See https://github.com/apache/pulsar/issues/8509 for more information.
+ builder.loadConf(PropertiesUtils.filterAndMapProperties(conf.getProperties(), "brokerClient_"));
+
+ builder.authentication(
+ conf.getBrokerClientAuthenticationPlugin(),
+ conf.getBrokerClientAuthenticationParameters());
if (isTlsUrl) {
builder.allowTlsInsecureConnection(conf.isTlsAllowInsecureConnection());
diff --git a/pulsar-broker/src/main/java/org/apache/pulsar/compaction/CompactorTool.java b/pulsar-broker/src/main/java/org/apache/pulsar/compaction/CompactorTool.java
index ee2b374e56b..f4259d101b4 100644
--- a/pulsar-broker/src/main/java/org/apache/pulsar/compaction/CompactorTool.java
+++ b/pulsar-broker/src/main/java/org/apache/pulsar/compaction/CompactorTool.java
@@ -38,6 +38,7 @@ import org.apache.pulsar.broker.ServiceConfiguration;
import org.apache.pulsar.broker.ServiceConfigurationUtils;
import org.apache.pulsar.client.api.ClientBuilder;
import org.apache.pulsar.client.api.PulsarClient;
+import org.apache.pulsar.client.internal.PropertiesUtils;
import org.apache.pulsar.common.configuration.PulsarConfigurationLoader;
import org.apache.pulsar.common.util.netty.EventLoopUtil;
import org.apache.pulsar.zookeeper.ZooKeeperClientFactory;
@@ -94,6 +95,11 @@ public class CompactorTool {
ClientBuilder clientBuilder = PulsarClient.builder();
+ // Apply all arbitrary configuration. This must be called before setting any fields annotated as
+ // @Secret on the ClientConfigurationData object because of the way they are serialized.
+ // See https://github.com/apache/pulsar/issues/8509 for more information.
+ clientBuilder.loadConf(PropertiesUtils.filterAndMapProperties(brokerConfig.getProperties(), "brokerClient_"));
+
if (isNotBlank(brokerConfig.getBrokerClientAuthenticationPlugin())) {
clientBuilder.authentication(brokerConfig.getBrokerClientAuthenticationPlugin(),
brokerConfig.getBrokerClientAuthenticationParameters());
diff --git a/pulsar-broker/src/test/java/org/apache/pulsar/broker/service/BrokerInternalClientConfigurationOverrideTest.java b/pulsar-broker/src/test/java/org/apache/pulsar/broker/service/BrokerInternalClientConfigurationOverrideTest.java
new file mode 100644
index 00000000000..8ec7f7aeeb1
--- /dev/null
+++ b/pulsar-broker/src/test/java/org/apache/pulsar/broker/service/BrokerInternalClientConfigurationOverrideTest.java
@@ -0,0 +1,115 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.pulsar.broker.service;
+
+import org.apache.pulsar.broker.PulsarServerException;
+import org.apache.pulsar.client.admin.internal.PulsarAdminImpl;
+import org.apache.pulsar.client.impl.PulsarClientImpl;
+import org.apache.pulsar.client.impl.conf.ClientConfigurationData;
+import org.apache.pulsar.common.policies.data.ClusterData;
+import org.apache.pulsar.common.policies.data.ClusterDataImpl;
+import org.testng.Assert;
+import org.testng.annotations.AfterClass;
+import org.testng.annotations.BeforeClass;
+import org.testng.annotations.Test;
+
+import java.util.Optional;
+import java.util.Properties;
+
+public class BrokerInternalClientConfigurationOverrideTest extends BrokerTestBase {
+
+ @BeforeClass
+ @Override
+ protected void setup() throws Exception {
+ super.baseSetup();
+ }
+
+ @AfterClass(alwaysRun = true)
+ @Override
+ protected void cleanup() throws Exception {
+ super.internalCleanup();
+ }
+
+ @Test
+ public void testPulsarServiceAdminClientConfiguration() throws PulsarServerException {
+ Properties config = pulsar.getConfiguration().getProperties();
+ config.setProperty("brokerClient_operationTimeoutMs", "60000");
+ config.setProperty("brokerClient_statsIntervalSeconds", "10");
+ ClientConfigurationData clientConf = ((PulsarAdminImpl) pulsar.getAdminClient()).getClientConfigData();
+ Assert.assertEquals(clientConf.getOperationTimeoutMs(), 60000);
+ Assert.assertEquals(clientConf.getStatsIntervalSeconds(), 10);
+ }
+
+ @Test
+ public void testPulsarServicePulsarClientConfiguration() throws PulsarServerException {
+ Properties config = pulsar.getConfiguration().getProperties();
+ config.setProperty("brokerClient_operationTimeoutMs", "60000");
+ config.setProperty("brokerClient_statsIntervalSeconds", "10");
+ pulsar.getConfiguration().setBrokerClientAuthenticationParameters("sensitive");
+ ClientConfigurationData clientConf = ((PulsarClientImpl) pulsar.getClient()).getConfiguration();
+ Assert.assertEquals(clientConf.getOperationTimeoutMs(), 60000);
+ // Config should override internal default, which is 0.
+ Assert.assertEquals(clientConf.getStatsIntervalSeconds(), 10);
+ Assert.assertEquals(clientConf.getAuthParams(), "sensitive");
+ }
+
+ @Test
+ public void testBrokerServicePulsarClientConfiguration() {
+ // This data only needs to have the service url for this test.
+ ClusterData data = ClusterData.builder().serviceUrl("http://localhost:8080").build();
+
+ // Set the configs and set some configs that won't apply
+ Properties config = pulsar.getConfiguration().getProperties();
+ config.setProperty("brokerClient_operationTimeoutMs", "60000");
+ config.setProperty("brokerClient_statsIntervalSeconds", "10");
+ config.setProperty("memoryLimitBytes", "10");
+ config.setProperty("brokerClient_memoryLimitBytes", "100000");
+
+ PulsarClientImpl client = (PulsarClientImpl) pulsar.getBrokerService()
+ .getReplicationClient("test");
+ ClientConfigurationData clientConf = client.getConfiguration();
+ Assert.assertEquals(clientConf.getOperationTimeoutMs(), 60000);
+ // Config should override internal default, which is 0.
+ Assert.assertEquals(clientConf.getStatsIntervalSeconds(), 10);
+ // This config defaults to 0 (for good reason), but it could be overridden by configuration.
+ Assert.assertEquals(clientConf.getMemoryLimitBytes(), 100000);
+ }
+
+ @Test
+ public void testNamespaceServicePulsarClientConfiguration() {
+ // This data only needs to have the service url for this test.
+ ClusterDataImpl data = (ClusterDataImpl) ClusterData.builder().serviceUrl("http://localhost:8080").build();
+
+ // Set the configs and set some configs that won't apply
+ Properties config = pulsar.getConfiguration().getProperties();
+ config.setProperty("brokerClient_operationTimeoutMs", "60000");
+ config.setProperty("brokerClient_statsIntervalSeconds", "10");
+ config.setProperty("memoryLimitBytes", "10");
+ config.setProperty("brokerClient_memoryLimitBytes", "100000");
+
+ PulsarClientImpl client = pulsar.getNamespaceService().getNamespaceClient(data);
+ ClientConfigurationData clientConf = client.getConfiguration();
+ Assert.assertEquals(clientConf.getOperationTimeoutMs(), 60000);
+ // Config should override internal default, which is 0.
+ Assert.assertEquals(clientConf.getStatsIntervalSeconds(), 10);
+ // This config defaults to 0 (for good reason), but it could be overridden by configuration.
+ Assert.assertEquals(clientConf.getMemoryLimitBytes(), 100000);
+ }
+
+}
diff --git a/pulsar-broker/src/test/java/org/apache/pulsar/client/impl/PulsarClientConfigurationOverrideTest.java b/pulsar-broker/src/test/java/org/apache/pulsar/client/impl/PulsarClientConfigurationOverrideTest.java
new file mode 100644
index 00000000000..4f885ecc46b
--- /dev/null
+++ b/pulsar-broker/src/test/java/org/apache/pulsar/client/impl/PulsarClientConfigurationOverrideTest.java
@@ -0,0 +1,56 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.pulsar.client.impl;
+
+import org.apache.pulsar.broker.ServiceConfiguration;
+import org.apache.pulsar.client.api.ClientBuilder;
+import org.apache.pulsar.client.api.PulsarClient;
+import org.apache.pulsar.client.internal.PropertiesUtils;
+import org.testng.Assert;
+import org.testng.annotations.Test;
+
+import java.util.Map;
+
+public class PulsarClientConfigurationOverrideTest {
+ @Test
+ public void testFilterAndMapProperties() {
+ // Create a default config
+ ServiceConfiguration conf = new ServiceConfiguration();
+ conf.getProperties().setProperty("keepAliveIntervalSeconds", "15");
+ conf.getProperties().setProperty("brokerClient_keepAliveIntervalSeconds", "25");
+
+ // Apply the filtering and mapping logic
+ Map<String, Object> result = PropertiesUtils.filterAndMapProperties(conf.getProperties(), "brokerClient_");
+
+ // Ensure the results match expectations
+ Assert.assertEquals(result.size(), 1, "The filtered map should have one entry.");
+ Assert.assertNull(result.get("brokerClient_keepAliveIntervalSeconds"),
+ "The mapped prop should not be in the result.");
+ Assert.assertEquals(result.get("keepAliveIntervalSeconds"), "25", "The original value is overridden.");
+
+ // Create sample ClientBuilder
+ ClientBuilder builder = PulsarClient.builder();
+ Assert.assertEquals(
+ ((ClientBuilderImpl) builder).getClientConfigurationData().getKeepAliveIntervalSeconds(), 30);
+ // Note: this test would fail if any @Secret fields were set before the loadConf and the accessed afterwards.
+ builder.loadConf(result);
+ Assert.assertEquals(
+ ((ClientBuilderImpl) builder).getClientConfigurationData().getKeepAliveIntervalSeconds(), 25);
+ }
+}
diff --git a/pulsar-broker/src/test/java/org/apache/pulsar/websocket/proxy/ProxyConfigurationTest.java b/pulsar-broker/src/test/java/org/apache/pulsar/websocket/proxy/ProxyConfigurationTest.java
index aeeab2afddc..24a503bc1d7 100644
--- a/pulsar-broker/src/test/java/org/apache/pulsar/websocket/proxy/ProxyConfigurationTest.java
+++ b/pulsar-broker/src/test/java/org/apache/pulsar/websocket/proxy/ProxyConfigurationTest.java
@@ -63,6 +63,9 @@ public class ProxyConfigurationTest extends ProducerConsumerBase {
public void configTest(int numIoThreads, int connectionsPerBroker) throws Exception {
config.setWebSocketNumIoThreads(numIoThreads);
config.setWebSocketConnectionsPerBroker(connectionsPerBroker);
+ config.getProperties().setProperty("brokerClient_serviceUrl", "https://broker.com:8080");
+ config.setServiceUrl("http://localhost:8080");
+ config.getProperties().setProperty("brokerClient_requestTimeoutMs", "100");
WebSocketService service = spyWithClassAndConstructorArgs(WebSocketService.class, config);
doReturn(new ZKMetadataStore(mockZooKeeperGlobal)).when(service).createMetadataStore(anyString(), anyInt());
service.start();
@@ -70,6 +73,9 @@ public class ProxyConfigurationTest extends ProducerConsumerBase {
PulsarClientImpl client = (PulsarClientImpl) service.getPulsarClient();
assertEquals(client.getConfiguration().getNumIoThreads(), numIoThreads);
assertEquals(client.getConfiguration().getConnectionsPerBroker(), connectionsPerBroker);
+ assertEquals(client.getConfiguration().getServiceUrl(), "http://localhost:8080",
+ "brokerClient_ configs take precedence");
+ assertEquals(client.getConfiguration().getRequestTimeoutMs(), 100);
service.close();
}
diff --git a/pulsar-client-admin-api/src/main/java/org/apache/pulsar/client/admin/PulsarAdminBuilder.java b/pulsar-client-admin-api/src/main/java/org/apache/pulsar/client/admin/PulsarAdminBuilder.java
index 9f8b4be1409..c685c1f7793 100644
--- a/pulsar-client-admin-api/src/main/java/org/apache/pulsar/client/admin/PulsarAdminBuilder.java
+++ b/pulsar-client-admin-api/src/main/java/org/apache/pulsar/client/admin/PulsarAdminBuilder.java
@@ -36,6 +36,29 @@ public interface PulsarAdminBuilder {
*/
PulsarAdmin build() throws PulsarClientException;
+ /**
+ * Load the configuration from provided <tt>config</tt> map.
+ *
+ * <p>Example:
+ *
+ * <pre>
+ * {@code
+ * Map<String, Object> config = new HashMap<>();
+ * config.put("serviceHttpUrl", "http://localhost:6650");
+ *
+ * PulsarAdminBuilder builder = ...;
+ * builder = builder.loadConf(config);
+ *
+ * PulsarAdmin client = builder.build();
+ * }
+ * </pre>
+ *
+ * @param config
+ * configuration to load
+ * @return the client builder instance
+ */
+ PulsarAdminBuilder loadConf(Map<String, Object> config);
+
/**
* Create a copy of the current client builder.
* <p/>
diff --git a/pulsar-client-admin/src/main/java/org/apache/pulsar/client/admin/internal/PulsarAdminBuilderImpl.java b/pulsar-client-admin/src/main/java/org/apache/pulsar/client/admin/internal/PulsarAdminBuilderImpl.java
index 70463b7fb4e..d86b9e73457 100644
--- a/pulsar-client-admin/src/main/java/org/apache/pulsar/client/admin/internal/PulsarAdminBuilderImpl.java
+++ b/pulsar-client-admin/src/main/java/org/apache/pulsar/client/admin/internal/PulsarAdminBuilderImpl.java
@@ -28,10 +28,11 @@ import org.apache.pulsar.client.api.AuthenticationFactory;
import org.apache.pulsar.client.api.PulsarClientException;
import org.apache.pulsar.client.api.PulsarClientException.UnsupportedAuthenticationException;
import org.apache.pulsar.client.impl.conf.ClientConfigurationData;
+import org.apache.pulsar.client.impl.conf.ConfigurationDataUtils;
public class PulsarAdminBuilderImpl implements PulsarAdminBuilder {
- protected final ClientConfigurationData conf;
+ protected ClientConfigurationData conf;
private int connectTimeout = PulsarAdminImpl.DEFAULT_CONNECT_TIMEOUT_SECONDS;
private int readTimeout = PulsarAdminImpl.DEFAULT_READ_TIMEOUT_SECONDS;
private int requestTimeout = PulsarAdminImpl.DEFAULT_REQUEST_TIMEOUT_SECONDS;
@@ -62,6 +63,12 @@ public class PulsarAdminBuilderImpl implements PulsarAdminBuilder {
return new PulsarAdminBuilderImpl(conf.clone());
}
+ @Override
+ public PulsarAdminBuilder loadConf(Map<String, Object> config) {
+ conf = ConfigurationDataUtils.loadData(config, conf, ClientConfigurationData.class);
+ return this;
+ }
+
@Override
public PulsarAdminBuilder serviceHttpUrl(String serviceHttpUrl) {
conf.setServiceUrl(serviceHttpUrl);
diff --git a/pulsar-client-api/src/main/java/org/apache/pulsar/client/internal/PropertiesUtils.java b/pulsar-client-api/src/main/java/org/apache/pulsar/client/internal/PropertiesUtils.java
new file mode 100644
index 00000000000..4a418b1d515
--- /dev/null
+++ b/pulsar-client-api/src/main/java/org/apache/pulsar/client/internal/PropertiesUtils.java
@@ -0,0 +1,64 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.pulsar.client.internal;
+
+import java.util.HashMap;
+import java.util.Map;
+import java.util.Properties;
+
+/**
+ * Internal utility methods for filtering and mapping {@link Properties} objects.
+ */
+public class PropertiesUtils {
+
+ /**
+ * Filters the {@link Properties} object so that only properties with the configured prefix are retained,
+ * and then removes that prefix and puts the key value pairs into the result map.
+ * @param props - the properties object to filter
+ * @param prefix - the prefix to filter against and then remove for keys in the resulting map
+ * @return a map of properties
+ */
+ public static Map<String, Object> filterAndMapProperties(Properties props, String prefix) {
+ return filterAndMapProperties(props, prefix, "");
+ }
+
+ /**
+ * Filters the {@link Properties} object so that only properties with the configured prefix are retained,
+ * and then replaces the srcPrefix with the targetPrefix when putting the key value pairs in the resulting map.
+ * @param props - the properties object to filter
+ * @param srcPrefix - the prefix to filter against and then remove for keys in the resulting map
+ * @param targetPrefix - the prefix to add to keys in the result map
+ * @return a map of properties
+ */
+ public static Map<String, Object> filterAndMapProperties(Properties props, String srcPrefix, String targetPrefix) {
+ Map<String, Object> result = new HashMap<>();
+ int prefixLength = srcPrefix.length();
+ props.forEach((keyObject, value) -> {
+ if (!(keyObject instanceof String)) {
+ return;
+ }
+ String key = (String) keyObject;
+ if (key.startsWith(srcPrefix) && value != null) {
+ String truncatedKey = key.substring(prefixLength);
+ result.put(targetPrefix + truncatedKey, value);
+ }
+ });
+ return result;
+ }
+}
diff --git a/pulsar-functions/src/test/resources/test_worker_config.yml b/pulsar-functions/src/test/resources/test_worker_config.yml
index 4614ca3cfd1..f0ecf2bd71b 100644
--- a/pulsar-functions/src/test/resources/test_worker_config.yml
+++ b/pulsar-functions/src/test/resources/test_worker_config.yml
@@ -23,4 +23,7 @@ pulsarServiceUrl: pulsar://localhost:6650
functionMetadataTopicName: test-function-metadata-topic
numFunctionPackageReplicas: 3
maxPendingAsyncRequests: 200
+properties:
+ # Fake Bookkeeper Client config to be applied to the DLog Bookkeeper Client
+ bookkeeper_testKey: "fakeValue"
diff --git a/pulsar-functions/worker/src/main/java/org/apache/pulsar/functions/worker/PulsarWorkerService.java b/pulsar-functions/worker/src/main/java/org/apache/pulsar/functions/worker/PulsarWorkerService.java
index e21949a4ebd..bd3140d7bc6 100644
--- a/pulsar-functions/worker/src/main/java/org/apache/pulsar/functions/worker/PulsarWorkerService.java
+++ b/pulsar-functions/worker/src/main/java/org/apache/pulsar/functions/worker/PulsarWorkerService.java
@@ -136,7 +136,8 @@ public class PulsarWorkerService implements WorkerService {
workerConfig.getBrokerClientAuthenticationParameters(),
workerConfig.getBrokerClientTrustCertsFilePath(),
workerConfig.isTlsAllowInsecureConnection(),
- workerConfig.isTlsEnableHostnameVerification());
+ workerConfig.isTlsEnableHostnameVerification(),
+ workerConfig);
} else {
return WorkerUtils.getPulsarAdminClient(
pulsarServiceUrl,
@@ -144,7 +145,8 @@ public class PulsarWorkerService implements WorkerService {
null,
null,
workerConfig.isTlsAllowInsecureConnection(),
- workerConfig.isTlsEnableHostnameVerification());
+ workerConfig.isTlsEnableHostnameVerification(),
+ workerConfig);
}
}
@@ -159,7 +161,8 @@ public class PulsarWorkerService implements WorkerService {
workerConfig.isUseTls(),
workerConfig.getBrokerClientTrustCertsFilePath(),
workerConfig.isTlsAllowInsecureConnection(),
- workerConfig.isTlsEnableHostnameVerification());
+ workerConfig.isTlsEnableHostnameVerification(),
+ workerConfig);
} else {
return WorkerUtils.getPulsarClient(
pulsarServiceUrl,
@@ -168,7 +171,8 @@ public class PulsarWorkerService implements WorkerService {
null,
null,
workerConfig.isTlsAllowInsecureConnection(),
- workerConfig.isTlsEnableHostnameVerification());
+ workerConfig.isTlsEnableHostnameVerification(),
+ workerConfig);
}
}
};
diff --git a/pulsar-functions/worker/src/main/java/org/apache/pulsar/functions/worker/WorkerUtils.java b/pulsar-functions/worker/src/main/java/org/apache/pulsar/functions/worker/WorkerUtils.java
index 52065f60242..5bbb6161fb8 100644
--- a/pulsar-functions/worker/src/main/java/org/apache/pulsar/functions/worker/WorkerUtils.java
+++ b/pulsar-functions/worker/src/main/java/org/apache/pulsar/functions/worker/WorkerUtils.java
@@ -40,6 +40,7 @@ import org.apache.pulsar.client.api.PulsarClient;
import org.apache.pulsar.client.api.PulsarClientException;
import org.apache.pulsar.client.api.Reader;
import org.apache.pulsar.client.api.ReaderBuilder;
+import org.apache.pulsar.client.internal.PropertiesUtils;
import org.apache.pulsar.common.conf.InternalConfigurationData;
import org.apache.pulsar.common.functions.WorkerInfo;
import org.apache.pulsar.common.policies.data.FunctionInstanceStatsDataImpl;
@@ -159,6 +160,13 @@ public final class WorkerUtils {
workerConfig.getBookkeeperClientAuthenticationParameters());
}
}
+ // Map arbitrary bookkeeper client configuration into DLog Config. Note that this only configures the
+ // bookie client.
+ PropertiesUtils.filterAndMapProperties(workerConfig.getProperties(), "bookkeeper_", "bkc.")
+ .forEach((key, value) -> {
+ log.info("Applying DLog BookKeeper client configuration setting {}={}", key, value);
+ conf.setProperty(key, value);
+ });
return conf;
}
@@ -195,12 +203,20 @@ public final class WorkerUtils {
}
public static PulsarAdmin getPulsarAdminClient(String pulsarWebServiceUrl) {
- return getPulsarAdminClient(pulsarWebServiceUrl, null, null, null, null, null);
+ return getPulsarAdminClient(pulsarWebServiceUrl, null, null, null, null, null, null);
}
public static PulsarAdmin getPulsarAdminClient(String pulsarWebServiceUrl, String authPlugin, String authParams,
String tlsTrustCertsFilePath, Boolean allowTlsInsecureConnection,
Boolean enableTlsHostnameVerificationEnable) {
+ return getPulsarAdminClient(pulsarWebServiceUrl, authPlugin, authParams, tlsTrustCertsFilePath,
+ allowTlsInsecureConnection, enableTlsHostnameVerificationEnable, null);
+ }
+
+ public static PulsarAdmin getPulsarAdminClient(String pulsarWebServiceUrl, String authPlugin, String authParams,
+ String tlsTrustCertsFilePath, Boolean allowTlsInsecureConnection,
+ Boolean enableTlsHostnameVerificationEnable,
+ WorkerConfig workerConfig) {
log.info("Create Pulsar Admin to service url {}: "
+ "authPlugin = {}, authParams = {}, "
+ "tlsTrustCerts = {}, allowTlsInsecureConnector = {}, enableTlsHostnameVerification = {}",
@@ -208,6 +224,13 @@ public final class WorkerUtils {
tlsTrustCertsFilePath, allowTlsInsecureConnection, enableTlsHostnameVerificationEnable);
try {
PulsarAdminBuilder adminBuilder = PulsarAdmin.builder().serviceHttpUrl(pulsarWebServiceUrl);
+ if (workerConfig != null) {
+ // Apply all arbitrary configuration. This must be called before setting any fields annotated as
+ // @Secret on the ClientConfigurationData object because of the way they are serialized.
+ // See https://github.com/apache/pulsar/issues/8509 for more information.
+ adminBuilder.loadConf(
+ PropertiesUtils.filterAndMapProperties(workerConfig.getProperties(), "brokerClient_"));
+ }
if (isNotBlank(authPlugin) && isNotBlank(authParams)) {
adminBuilder.authentication(authPlugin, authParams);
}
@@ -220,6 +243,7 @@ public final class WorkerUtils {
if (enableTlsHostnameVerificationEnable != null) {
adminBuilder.enableTlsHostnameVerification(enableTlsHostnameVerificationEnable);
}
+
return adminBuilder.build();
} catch (PulsarClientException e) {
log.error("Error creating pulsar admin client", e);
@@ -229,17 +253,33 @@ public final class WorkerUtils {
public static PulsarClient getPulsarClient(String pulsarServiceUrl) {
return getPulsarClient(pulsarServiceUrl, null, null, null,
- null, null, null);
+ null, null, null, null);
}
public static PulsarClient getPulsarClient(String pulsarServiceUrl, String authPlugin, String authParams,
Boolean useTls, String tlsTrustCertsFilePath,
Boolean allowTlsInsecureConnection,
Boolean enableTlsHostnameVerificationEnable) {
+ return getPulsarClient(pulsarServiceUrl, authPlugin, authParams, useTls, tlsTrustCertsFilePath,
+ allowTlsInsecureConnection, enableTlsHostnameVerificationEnable, null);
+ }
+
+ public static PulsarClient getPulsarClient(String pulsarServiceUrl, String authPlugin, String authParams,
+ Boolean useTls, String tlsTrustCertsFilePath,
+ Boolean allowTlsInsecureConnection,
+ Boolean enableTlsHostnameVerificationEnable,
+ WorkerConfig workerConfig) {
try {
ClientBuilder clientBuilder = PulsarClient.builder().serviceUrl(pulsarServiceUrl);
+ if (workerConfig != null) {
+ // Apply all arbitrary configuration. This must be called before setting any fields annotated as
+ // @Secret on the ClientConfigurationData object because of the way they are serialized.
+ // See https://github.com/apache/pulsar/issues/8509 for more information.
+ clientBuilder.loadConf(
+ PropertiesUtils.filterAndMapProperties(workerConfig.getProperties(), "brokerClient_"));
+ }
if (isNotBlank(authPlugin)
&& isNotBlank(authParams)) {
clientBuilder.authentication(authPlugin, authParams);
@@ -256,7 +296,6 @@ public final class WorkerUtils {
if (enableTlsHostnameVerificationEnable != null) {
clientBuilder.enableTlsHostnameVerification(enableTlsHostnameVerificationEnable);
}
-
return clientBuilder.build();
} catch (PulsarClientException e) {
log.error("Error creating pulsar client", e);
diff --git a/pulsar-functions/worker/src/test/java/org/apache/pulsar/functions/worker/WorkerUtilsTest.java b/pulsar-functions/worker/src/test/java/org/apache/pulsar/functions/worker/WorkerUtilsTest.java
index d899db13237..b2e0f0f354c 100644
--- a/pulsar-functions/worker/src/test/java/org/apache/pulsar/functions/worker/WorkerUtilsTest.java
+++ b/pulsar-functions/worker/src/test/java/org/apache/pulsar/functions/worker/WorkerUtilsTest.java
@@ -40,8 +40,13 @@ import static org.mockito.Mockito.mock;
import static org.mockito.Mockito.times;
import static org.mockito.Mockito.verify;
import static org.mockito.Mockito.when;
+import static org.testng.Assert.assertEquals;
import static org.testng.Assert.assertNotNull;
import static org.testng.Assert.fail;
+import java.io.IOException;
+import java.net.URISyntaxException;
+import java.net.URL;
+import org.apache.distributedlog.DistributedLogConfiguration;
public class WorkerUtilsTest {
@@ -99,4 +104,18 @@ public class WorkerUtilsTest {
}
}
+
+ @Test
+ public void testDLogConfiguration() throws URISyntaxException, IOException {
+ // The config yml is seeded with a fake bookie config.
+ URL yamlUrl = getClass().getClassLoader().getResource("test_worker_config.yml");
+ WorkerConfig config = WorkerConfig.load(yamlUrl.toURI().getPath());
+
+ // Map the config.
+ DistributedLogConfiguration dlogConf = WorkerUtils.getDlogConf(config);
+
+ // Verify the outcome.
+ assertEquals(dlogConf.getString("bkc.testKey"), "fakeValue",
+ "The bookkeeper client config mapping should apply.");
+ }
}
\ No newline at end of file
diff --git a/pulsar-package-management/bookkeeper-storage/src/main/java/org/apache/pulsar/packages/management/storage/bookkeeper/BookKeeperPackagesStorage.java b/pulsar-package-management/bookkeeper-storage/src/main/java/org/apache/pulsar/packages/management/storage/bookkeeper/BookKeeperPackagesStorage.java
index f0db59351f5..e3147c0e8bc 100644
--- a/pulsar-package-management/bookkeeper-storage/src/main/java/org/apache/pulsar/packages/management/storage/bookkeeper/BookKeeperPackagesStorage.java
+++ b/pulsar-package-management/bookkeeper-storage/src/main/java/org/apache/pulsar/packages/management/storage/bookkeeper/BookKeeperPackagesStorage.java
@@ -36,6 +36,7 @@ import org.apache.distributedlog.exceptions.ZKException;
import org.apache.distributedlog.impl.metadata.BKDLConfig;
import org.apache.distributedlog.metadata.DLMetadata;
import org.apache.distributedlog.namespace.NamespaceDriver;
+import org.apache.pulsar.client.internal.PropertiesUtils;
import org.apache.pulsar.packages.management.core.PackagesStorage;
import org.apache.pulsar.packages.management.core.PackagesStorageConfiguration;
import org.apache.zookeeper.KeeperException;
@@ -72,6 +73,13 @@ public class BookKeeperPackagesStorage implements PackagesStorage {
configuration.getBookkeeperClientAuthenticationParameters());
}
}
+ // Map arbitrary bookkeeper client configuration into DLog Config. Note that this only configures the
+ // bookie client.
+ PropertiesUtils.filterAndMapProperties(configuration.getProperties(), "bookkeeper_", "bkc.")
+ .forEach((key, value) -> {
+ log.info("Applying DLog BookKeeper client configuration setting {}={}", key, value);
+ conf.setProperty(key, value);
+ });
try {
this.namespace = NamespaceBuilder.newBuilder()
.conf(conf).clientId(NS_CLIENT_ID).uri(initializeDlogNamespace()).build();
diff --git a/pulsar-package-management/bookkeeper-storage/src/main/java/org/apache/pulsar/packages/management/storage/bookkeeper/BookKeeperPackagesStorageConfiguration.java b/pulsar-package-management/bookkeeper-storage/src/main/java/org/apache/pulsar/packages/management/storage/bookkeeper/BookKeeperPackagesStorageConfiguration.java
index 226b80abeaa..ce6acecdd51 100644
--- a/pulsar-package-management/bookkeeper-storage/src/main/java/org/apache/pulsar/packages/management/storage/bookkeeper/BookKeeperPackagesStorageConfiguration.java
+++ b/pulsar-package-management/bookkeeper-storage/src/main/java/org/apache/pulsar/packages/management/storage/bookkeeper/BookKeeperPackagesStorageConfiguration.java
@@ -58,6 +58,10 @@ public class BookKeeperPackagesStorageConfiguration implements PackagesStorageCo
return getProperty("bookkeeperClientAuthenticationParameters");
}
+ @Override
+ public Properties getProperties() {
+ return configuration.getProperties();
+ }
@Override
public String getProperty(String key) {
diff --git a/pulsar-package-management/core/src/main/java/org/apache/pulsar/packages/management/core/PackagesStorageConfiguration.java b/pulsar-package-management/core/src/main/java/org/apache/pulsar/packages/management/core/PackagesStorageConfiguration.java
index b4044a6338c..5c346a0d05c 100644
--- a/pulsar-package-management/core/src/main/java/org/apache/pulsar/packages/management/core/PackagesStorageConfiguration.java
+++ b/pulsar-package-management/core/src/main/java/org/apache/pulsar/packages/management/core/PackagesStorageConfiguration.java
@@ -50,4 +50,10 @@ public interface PackagesStorageConfiguration {
* a group of the property
*/
void setProperty(Properties properties);
+
+ /**
+ * Get all properties for the configuration.
+ * @return all properties for the configuration
+ */
+ Properties getProperties();
}
diff --git a/pulsar-package-management/core/src/main/java/org/apache/pulsar/packages/management/core/impl/DefaultPackagesStorageConfiguration.java b/pulsar-package-management/core/src/main/java/org/apache/pulsar/packages/management/core/impl/DefaultPackagesStorageConfiguration.java
index cb35048a360..d3c5d7494b3 100644
--- a/pulsar-package-management/core/src/main/java/org/apache/pulsar/packages/management/core/impl/DefaultPackagesStorageConfiguration.java
+++ b/pulsar-package-management/core/src/main/java/org/apache/pulsar/packages/management/core/impl/DefaultPackagesStorageConfiguration.java
@@ -39,4 +39,9 @@ public class DefaultPackagesStorageConfiguration implements PackagesStorageConfi
public void setProperty(Properties properties) {
this.properties = properties;
}
+
+ @Override
+ public Properties getProperties() {
+ return this.properties;
+ }
}
diff --git a/pulsar-proxy/src/main/java/org/apache/pulsar/proxy/server/ProxyConnection.java b/pulsar-proxy/src/main/java/org/apache/pulsar/proxy/server/ProxyConnection.java
index d9f0f5db38f..0f41208fde2 100644
--- a/pulsar-proxy/src/main/java/org/apache/pulsar/proxy/server/ProxyConnection.java
+++ b/pulsar-proxy/src/main/java/org/apache/pulsar/proxy/server/ProxyConnection.java
@@ -28,6 +28,7 @@ import java.net.InetSocketAddress;
import java.net.SocketAddress;
import java.util.Collections;
import java.util.List;
+import java.util.Map;
import java.util.Optional;
import java.util.concurrent.RejectedExecutionException;
import java.util.concurrent.ThreadLocalRandom;
@@ -47,6 +48,8 @@ import org.apache.pulsar.client.impl.ClientCnx;
import org.apache.pulsar.client.impl.ConnectionPool;
import org.apache.pulsar.client.impl.PulsarChannelInitializer;
import org.apache.pulsar.client.impl.conf.ClientConfigurationData;
+import org.apache.pulsar.client.impl.conf.ConfigurationDataUtils;
+import org.apache.pulsar.client.internal.PropertiesUtils;
import org.apache.pulsar.common.api.AuthData;
import org.apache.pulsar.common.protocol.Commands;
import org.apache.pulsar.common.protocol.PulsarHandler;
@@ -521,9 +524,17 @@ public class ProxyConnection extends PulsarHandler {
}
ClientConfigurationData createClientConfiguration() {
- ClientConfigurationData clientConf = new ClientConfigurationData();
- clientConf.setServiceUrl(service.getServiceUrl());
+ ClientConfigurationData initialConf = new ClientConfigurationData();
+ initialConf.setServiceUrl(service.getServiceUrl());
ProxyConfiguration proxyConfig = service.getConfiguration();
+ // Apply all arbitrary configuration. This must be called before setting any fields annotated as
+ // @Secret on the ClientConfigurationData object because of the way they are serialized.
+ // See https://github.com/apache/pulsar/issues/8509 for more information.
+ Map<String, Object> overrides = PropertiesUtils
+ .filterAndMapProperties(proxyConfig.getProperties(), "brokerClient_");
+ ClientConfigurationData clientConf = ConfigurationDataUtils
+ .loadData(overrides, initialConf, ClientConfigurationData.class);
+
clientConf.setAuthentication(this.getClientAuthentication());
if (proxyConfig.isTlsEnabledWithBroker()) {
clientConf.setUseTls(true);
diff --git a/pulsar-websocket/src/main/java/org/apache/pulsar/websocket/WebSocketService.java b/pulsar-websocket/src/main/java/org/apache/pulsar/websocket/WebSocketService.java
index 1cce453541a..acbf1db3dd9 100644
--- a/pulsar-websocket/src/main/java/org/apache/pulsar/websocket/WebSocketService.java
+++ b/pulsar-websocket/src/main/java/org/apache/pulsar/websocket/WebSocketService.java
@@ -41,6 +41,7 @@ import org.apache.pulsar.broker.resources.PulsarResources;
import org.apache.pulsar.client.api.ClientBuilder;
import org.apache.pulsar.client.api.PulsarClient;
import org.apache.pulsar.client.api.PulsarClientException;
+import org.apache.pulsar.client.internal.PropertiesUtils;
import org.apache.pulsar.common.configuration.PulsarConfigurationLoader;
import org.apache.pulsar.common.policies.data.ClusterData;
import org.apache.pulsar.common.util.collections.ConcurrentOpenHashMap;
@@ -189,6 +190,11 @@ public class WebSocketService implements Closeable {
.ioThreads(config.getWebSocketNumIoThreads()) //
.connectionsPerBroker(config.getWebSocketConnectionsPerBroker());
+ // Apply all arbitrary configuration. This must be called before setting any fields annotated as
+ // @Secret on the ClientConfigurationData object because of the way they are serialized.
+ // See https://github.com/apache/pulsar/issues/8509 for more information.
+ clientBuilder.loadConf(PropertiesUtils.filterAndMapProperties(config.getProperties(), "brokerClient_"));
+
if (isNotBlank(config.getBrokerClientAuthenticationPlugin())
&& isNotBlank(config.getBrokerClientAuthenticationParameters())) {
clientBuilder.authentication(config.getBrokerClientAuthenticationPlugin(),
@@ -206,7 +212,6 @@ public class WebSocketService implements Closeable {
} else {
clientBuilder.serviceUrl(clusterData.getServiceUrl());
}
-
return clientBuilder.build();
}
diff --git a/site2/docs/reference-configuration.md b/site2/docs/reference-configuration.md
index 9f4326a5598..cc535cb9ce7 100644
--- a/site2/docs/reference-configuration.md
+++ b/site2/docs/reference-configuration.md
@@ -349,6 +349,15 @@ brokerServiceCompactionThresholdInBytes|If the estimated backlog size is greater
|haProxyProtocolEnabled | Enable or disable the [HAProxy](http://www.haproxy.org/) protocol. |false|
| maxTopicsPerNamespace | The maximum number of persistent topics that can be created in the namespace. When the number of topics reaches this threshold, the broker rejects the request of creating a new topic, including the auto-created topics by the producer or consumer, until the number of connected consumers decreases. The default value 0 disables the check. | 0 |
|subscriptionTypesEnabled| Enable all subscription types, which are exclusive, shared, failover, and key_shared. | Exclusive, Shared, Failover, Key_Shared |
+#### Configuration Override For Clients Internal to Broker
+
+It's possible to configure some clients by using the appropriate prefix.
+
+|Prefix|Description|
+|brokerClient_| Configure **all** the broker's Pulsar Clients and Pulsar Admin Clients. These configurations are applied after hard coded configuration and before the above brokerClient configurations named above.|
+|bookkeeper_| Configure the broker's bookkeeper clients used by managed ledgers and the BookkeeperPackagesStorage bookkeeper client. Takes precedence over most other configuration values.|
+
+Note: when running the function worker within the broker, these prefixed configurations do not apply to any of those clients. You must instead configure those clients using the `functions_worker.yml`.
## Client
@@ -691,6 +700,12 @@ You can set the log level and configuration in the [log4j2.yaml](https://github
|tlsCertificateFilePath|||
|tlsKeyFilePath |||
|tlsTrustCertsFilePath|||
+#### Configuration Override For Clients Internal to WebSocket
+
+It's possible to configure some clients by using the appropriate prefix.
+
+|Prefix|Description|
+|brokerClient_| Configure **all** the broker's Pulsar Clients. These configurations are applied after hard coded configuration and before the above brokerClient configurations named above.|
## Pulsar proxy
@@ -757,6 +772,12 @@ The [Pulsar proxy](concepts-architecture-overview.md#pulsar-proxy) can be config
|haProxyProtocolEnabled | Enable or disable the [HAProxy](http://www.haproxy.org/) protocol. |false|
| numIOThreads | Number of threads used for Netty IO. | 2 * Runtime.getRuntime().availableProcessors() |
| numAcceptorThreads | Number of threads used for Netty Acceptor. | 1 |
+#### Configuration Override For Clients Internal to Proxy
+
+It's possible to configure some clients by using the appropriate prefix.
+
+|Prefix|Description|
+|brokerClient_| Configure **all** the proxy's Pulsar Clients. These configurations are applied after hard coded configuration and before the above brokerClient configurations named above.|
## ZooKeeper