Posted to commits@pulsar.apache.org by GitBox <gi...@apache.org> on 2020/06/19 13:24:04 UTC

[GitHub] [pulsar] Jennifer88huang commented on a change in pull request #7302: [PIP-55][Doc]--Update security overview

Jennifer88huang commented on a change in pull request #7302:
URL: https://github.com/apache/pulsar/pull/7302#discussion_r442837901



##########
File path: site2/docs/security-overview.md
##########
@@ -10,6 +10,10 @@ By default, Pulsar configures no encryption, authentication, or authorization. A
 
 Pulsar supports a pluggable authentication mechanism. And Pulsar clients use this mechanism to authenticate with brokers and proxies. You can also configure Pulsar to support multiple authentication sources.
 
+The Pulsar broker validates the authentication credentials when a connection is established. After the initial connection is authenticated, the "principal" token is stored for authorization though the connection is not re-authenticated. The broker periodically checks the expiration status of every `ServerCnx` object. You can set the `authenticationRefreshCheckSeconds` on the broker to control the frequency to check the expiration status. By default, the `authenticationRefreshCheckSeconds` is set to 60s. When the authentication is expired, the broker forces to re-authenticate the connection. If the re-authentication fails, the broker disconnects the client .
+
+The broker knows whether a particular client supports authentication refreshing. If a client supports authentication refreshing and the credential is expired, the authentication provider calls the `refreshAuthentication` method to initiate the refreshing process. If a client does not support authentication refreshing and the credential is expired, the broker disconnects the client.
+
 You had better secure the service components in your Apache Pulsar deployment.
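
Review bot: The two added paragraphs disagree on what happens at expiry. The first says the broker forces the connection to re-authenticate and disconnects only if that fails, while the second says a client that does not support refreshing is disconnected outright. Suggest describing the branch once: on expiry, `refreshAuthentication` is called for clients that support refreshing, and clients that do not are disconnected. The second paragraph should also name how the broker determines that a client supports authentication refreshing, since the text asserts it without saying what the broker looks at.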

Review comment:
       "knows" is not a good verb here; we can use another verb to avoid attributing human qualities to software or hardware.
   For details, refer to attribute human qualities to software or hardware
   

##########
File path: site2/docs/security-overview.md
##########
@@ -10,6 +10,10 @@ By default, Pulsar configures no encryption, authentication, or authorization. A
 
 Pulsar supports a pluggable authentication mechanism. And Pulsar clients use this mechanism to authenticate with brokers and proxies. You can also configure Pulsar to support multiple authentication sources.
 
+The Pulsar broker validates the authentication credentials when a connection is established. After the initial connection is authenticated, the "principal" token is stored for authorization though the connection is not re-authenticated. The broker periodically checks the expiration status of every `ServerCnx` object. You can set the `authenticationRefreshCheckSeconds` on the broker to control the frequency to check the expiration status. By default, the `authenticationRefreshCheckSeconds` is set to 60s. When the authentication is expired, the broker forces to re-authenticate the connection. If the re-authentication fails, the broker disconnects the client .
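
Review bot: The added paragraph leaves out the operational consequence of the periodic check: since expiry is only examined every `authenticationRefreshCheckSeconds`, a connection can continue on an expired credential until the next check (up to 60 seconds with the default), which readers choosing credential lifetimes need to know. Suggest adding one sentence that says so. Also write the default as "60 seconds" rather than "60s", reword "the broker forces to re-authenticate the connection" to "the broker forces the connection to re-authenticate", and make the clause "the "principal" token is stored for authorization though the connection is not re-authenticated" say explicitly that the stored principal is reused for later authorization checks.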

Review comment:
       Remove the redundant space before the last period.




----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org