Posted to dev@pulsar.apache.org by Zixuan Liu <no...@gmail.com> on 2022/05/10 08:46:26 UTC
[VOTE] [PIP-158] Split client TLS transport encryption from authentication
Hi Pulsar community,
Voting for https://github.com/apache/pulsar/issues/15289
Discussion thread:
https://lists.apache.org/thread/fblmm8oc7h907cfnppvk71o2cbp5mk8q
Thanks,
Zixuan
------
## Motivation
The client supports TLS transport encryption and TLS authentication; the code looks like this:
```java
PulsarClient client = PulsarClient.builder()
        .serviceUrl("pulsar+ssl://localhost:6651")
        // CA bundle used to verify the broker certificate (transport encryption)
        .tlsTrustCertsFilePath("/path/to/cacert.pem")
        // client key/cert are only reachable through the authentication plugin
        .authentication(AuthenticationTls.class.getName(),
                authParams)
        .build();
```
This causes an issue: other authentication methods cannot be used together with TLS transport encryption, and it is also confusing that TLS transport encryption is enabled by setting `authentication`.
## Goal
Splitting client TLS transport encryption from authentication supports TLS transport encryption with any authentication.
## API Changes
- Add new methods in `org.apache.pulsar.client.api.ClientBuilder`
```java
public interface ClientBuilder extends Serializable, Cloneable {
    /**
     * Set the path to the TLS key file.
     *
     * @param tlsKeyFilePath
     * @return the client builder instance
     */
    ClientBuilder tlsKeyFilePath(String tlsKeyFilePath);

    /**
     * Set the path to the TLS certificate file.
     *
     * @param tlsCertificateFilePath
     * @return the client builder instance
     */
    ClientBuilder tlsCertificateFilePath(String tlsCertificateFilePath);

    /**
     * The file format of the key store file.
     *
     * @param tlsKeyStoreType
     * @return the client builder instance
     */
    ClientBuilder tlsKeyStoreType(String tlsKeyStoreType);

    /**
     * The location of the key store file.
     *
     * @param tlsKeyStorePath
     * @return the client builder instance
     */
    ClientBuilder tlsKeyStorePath(String tlsKeyStorePath);

    /**
     * The store password for the key store file.
     *
     * @param tlsKeyStorePassword
     * @return the client builder instance
     */
    ClientBuilder tlsKeyStorePassword(String tlsKeyStorePassword);
}
```
## Implementation
### TLS transport encryption
We can call `tlsKeyFilePath()`, `tlsCertificateFilePath()` and
`tlsTrustCertsFilePath()` to configure TLS transport encryption; the
code looks like this:
```java
PulsarClient client = PulsarClient.builder()
        .serviceUrl("pulsar+ssl://my-host:6650")
        // CA bundle used to verify the broker certificate
        .tlsTrustCertsFilePath("/path/to/cacert.pem")
        // client key and certificate, configured directly on the builder
        .tlsKeyFilePath("/path/to/client-key.pem")
        .tlsCertificateFilePath("/path/to/client-cert.pem")
        .build();
```
Call `tlsKeyFilePath()` and `tlsTrustStorePath()` to configure JKS
TLS transport encryption; the code looks like this:
```java
PulsarClient client = PulsarClient.builder()
        .serviceUrl("pulsar+ssl://my-host:6650")
        // a JKS key store goes through the tlsKeyStorePath() method from the API Changes section
        .tlsKeyStorePath("/path/key.jks")
        .tlsKeyStorePassword("hello")
        // trust store holding the CA that signed the broker certificate
        .tlsTrustStorePath("/path/trust.jks")
        .tlsTrustStorePassword("hello")
        .build();
```
### TLS transport encryption with any authentication
We can call `tlsKeyFilePath()`, `tlsCertificateFilePath()`,
`tlsTrustCertsFilePath()` and `authentication()` to configure TLS
transport encryption with any authentication; the code looks like this:
```java
PulsarClient client = PulsarClient.builder()
        .serviceUrl("pulsar+ssl://my-host:6650")
        .tlsTrustCertsFilePath("/path/to/cacert.pem")
        .tlsKeyFilePath("/path/to/client-key.pem")
        .tlsCertificateFilePath("/path/to/client-cert.pem")
        // any authentication plugin can be combined with the TLS settings above,
        // e.g. AuthenticationToken.class.getName() instead of AuthenticationTls
        .authentication(AuthenticationTls.class.getName() /*
                AuthenticationToken.class.getName()*/, authParams)
        .build();
```
Call `tlsKeyFilePath()` and `tlsTrustStorePath()` to configure JKS
TLS transport encryption; the code looks like this:
```java
PulsarClient client = PulsarClient.builder()
        .serviceUrl("pulsar+ssl://my-host:6650")
        // a JKS key store goes through the tlsKeyStorePath() method from the API Changes section
        .tlsKeyStorePath("/path/key.jks")
        .tlsKeyStorePassword("hello")
        .tlsTrustStorePath("/path/trust.jks")
        // any authentication plugin can be combined with the TLS settings above
        .authentication(AuthenticationTls.class.getName() /*
                AuthenticationToken.class.getName()*/, authParams)
        .build();
```
For `AuthenticationTls`, we need to check the authParams: when the
authParams are empty, we read the TLS config from `ClientBuilder`;
otherwise we read it from the authParams. The authParams can override the config
from `ClientBuilder`; if they are still empty, we read the TLS config from
`ClientBuilder`.
### Test plan
- Verify TLS transport encryption without authentication
- Verify TLS transport encryption with token authentication
- Verify TLS transport encryption with TLS authentication
- Verify JKS TLS transport encryption without authentication
- Verify JKS TLS transport encryption with token authentication
- Verify JKS TLS transport encryption with TLS authentication
### Compatibility
None.
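The precedence rule described in the Implementation section (authParams win, each unset key falls back to what was configured on `ClientBuilder`, and with nothing in either place the client has transport encryption but no client identity) worked through as an added example. This is not Pulsar's code or code from the PIP: `TlsSettings`, `resolve()`, `canAuthenticate()` and the sample paths are assumptions made here for illustration; the authParams keys `tlsKeyFile` and `tlsCertFile` are the ones `AuthenticationTls` already accepts.

```java
import java.util.HashMap;
import java.util.Map;

/**
 * Added example, not Pulsar's code: models the precedence rule the PIP
 * describes for AuthenticationTls. A value present in authParams wins;
 * a key left unset there falls back to the ClientBuilder setting; if
 * both are unset the field stays null.
 */
public final class TlsConfigResolver {

    /** Stand-in (assumption) for the TLS fields the PIP adds to ClientBuilder. */
    public static final class TlsSettings {
        public final String keyFilePath;
        public final String certFilePath;
        public final String trustCertsFilePath;

        public TlsSettings(String keyFilePath, String certFilePath, String trustCertsFilePath) {
            this.keyFilePath = keyFilePath;
            this.certFilePath = certFilePath;
            this.trustCertsFilePath = trustCertsFilePath;
        }

        @Override
        public String toString() {
            return "key=" + keyFilePath + ", cert=" + certFilePath
                    + ", trustCerts=" + trustCertsFilePath;
        }
    }

    /** authParams keys that AuthenticationTls reads today. */
    static final String KEY_FILE = "tlsKeyFile";
    static final String CERT_FILE = "tlsCertFile";

    /**
     * Effective TLS settings: authParams override the builder per key, and the
     * builder fills in whatever authParams leaves unset. The trust store is a
     * transport-encryption concern, so it always comes from the builder.
     */
    public static TlsSettings resolve(Map<String, String> authParams, TlsSettings builderConf) {
        Map<String, String> params = authParams == null ? new HashMap<>() : authParams;
        String key = firstNonBlank(params.get(KEY_FILE), builderConf.keyFilePath);
        String cert = firstNonBlank(params.get(CERT_FILE), builderConf.certFilePath);
        return new TlsSettings(key, cert, builderConf.trustCertsFilePath);
    }

    static String firstNonBlank(String preferred, String fallback) {
        return (preferred != null && !preferred.isEmpty()) ? preferred : fallback;
    }

    /** TLS authentication needs both a client certificate and its private key. */
    public static boolean canAuthenticate(TlsSettings s) {
        return s.keyFilePath != null && s.certFilePath != null;
    }

    public static void main(String[] args) {
        // Constructed sample paths; nothing is read from disk.
        TlsSettings fromBuilder = new TlsSettings(
                "/path/to/client-key.pem", "/path/to/client-cert.pem", "/path/to/cacert.pem");

        // Case 1: empty authParams, everything comes from the ClientBuilder.
        System.out.println("builder only      : " + resolve(Map.of(), fromBuilder));

        // Case 2: authParams override the key; the cert still falls back to the builder.
        Map<String, String> partial = new HashMap<>();
        partial.put(KEY_FILE, "/other/client-key.pem");
        System.out.println("partial override  : " + resolve(partial, fromBuilder));

        // Case 3: transport encryption only. A trust store verifies the broker,
        // but with no client key/cert anywhere TLS authentication is not possible,
        // which is exactly the case where another plugin (e.g. token) is used.
        TlsSettings trustOnly = new TlsSettings(null, null, "/path/to/cacert.pem");
        System.out.println("can authenticate  : " + canAuthenticate(resolve(Map.of(), trustOnly)));
    }
}
```

Compile with `javac TlsConfigResolver.java` and run `java TlsConfigResolver`; the three cases print the resolved settings for builder-only, partial override and transport-only configurations. Resolving per key rather than treating authParams as all-or-nothing is what lets a deployment keep the key and cert on the builder while an operator-supplied authParams map overrides only one of them.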
Re: [VOTE] [PIP-158] Split client TLS transport encryption from authentication
Posted by Lan Liang <li...@163.com>.
+1, NB
Thanks for your work.
Best Regards,
Lan Liang
On 5/10/2022 19:31, mattison chao <ma...@gmail.com> wrote:
+1 (non-binding)
Best,
Mattison
On Tue, 10 May 2022 at 19:00, Yunze Xu <yz...@streamnative.io.invalid> wrote:
+1 (non-binding)
Thanks,
Yunze
Re: [VOTE] [PIP-158] Split client TLS transport encryption from authentication
Posted by mattison chao <ma...@gmail.com>.
+1 (non-binding)
Best,
Mattison
On Tue, 10 May 2022 at 19:00, Yunze Xu <yz...@streamnative.io.invalid> wrote:
> +1 (non-binding)
>
> Thanks,
> Yunze
>
Re: [VOTE] [PIP-158] Split client TLS transport encryption from authentication
Posted by Yunze Xu <yz...@streamnative.io.INVALID>.
+1 (non-binding)
Thanks,
Yunze
Re: [VOTE] [PIP-158] Split client TLS transport encryption from authentication
Posted by Zixuan Liu <no...@gmail.com>.
Thanks for your vote! Closed by 3 (+1) binding votes and 6 (+1) non-binding
votes.
Thanks,
Zixuan
Closed
Hang Chen <ch...@apache.org> 于2022年5月16日周一 13:16写道:
> +1 (binding)
>
> Thanks,
> Hang
>
> Yunze Xu <yz...@streamnative.io.invalid> 于2022年5月14日周六 18:04写道:
> >
> > +1 (non-binding)
> >
> > Thanks,
> > Yunze
> >
>
Re: [VOTE] [PIP-158] Split client TLS transport encryption from authentication
Posted by Hang Chen <ch...@apache.org>.
+1 (binding)
Thanks,
Hang
Yunze Xu <yz...@streamnative.io.invalid> 于2022年5月14日周六 18:04写道:
>
> +1 (non-binding)
>
> Thanks,
> Yunze
>
Re: [VOTE] [PIP-158] Split client TLS transport encryption from authentication
Posted by Yunze Xu <yz...@streamnative.io.INVALID>.
+1 (non-binding)
Thanks,
Yunze
Re: [VOTE] [PIP-158] Split client TLS transport encryption from authentication
Posted by Michael Marshall <mm...@apache.org>.
+1, great addition! (non-binding)
Thanks,
Michael
On Wed, May 11, 2022 at 11:19 PM Ran Gao <rg...@apache.org> wrote:
>
> +1 (non-binding)
>
> Best,
> Ran
>
> On 2022/05/10 08:46:26 Zixuan Liu wrote:
Re: [VOTE] [PIP-158] Split client TLS transport encryption from authentication
Posted by Ran Gao <rg...@apache.org>.
+1 (non-binding)
Best,
Ran
On 2022/05/10 08:46:26 Zixuan Liu wrote:
Re: [VOTE] [PIP-158] Split client TLS transport encryption from authentication
Posted by PengHui Li <pe...@apache.org>.
+1 (binding)
Penghui
On Tue, May 10, 2022 at 4:47 PM Enrico Olivelli <eo...@gmail.com> wrote:
> +1 (binding)
>
> Enrico
>
> Il giorno mar 10 mag 2022 alle ore 10:46 Zixuan Liu
> <no...@gmail.com> ha scritto:
Re: [VOTE] [PIP-158] Split client TLS transport encryption from authentication
Posted by Enrico Olivelli <eo...@gmail.com>.
+1 (binding)
Enrico
Il giorno mar 10 mag 2022 alle ore 10:46 Zixuan Liu
<no...@gmail.com> ha scritto: