Posted to commits@pulsar.apache.org by GitBox <gi...@apache.org> on 2020/06/18 13:20:00 UTC

[GitHub] [pulsar] Huanli-Meng opened a new pull request #7302: [PIP-55][Doc]--Update security overview

Huanli-Meng opened a new pull request #7302:
URL: https://github.com/apache/pulsar/pull/7302


   
   
   This PR is to update docs for PIP-55: https://github.com/apache/pulsar/pull/6074
   
   ### Motivation
   
   Provide a general doc description about implementing the authentication refreshing functionality.
   
   ### Modifications
   
   Update the Security overview for PIP 55.
   
   The `authenticationRefreshCheckSeconds` config has been added through the PR: https://github.com/apache/pulsar/pull/6074


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



[GitHub] [pulsar] Huanli-Meng commented on a change in pull request #7302: [PIP-55][Doc]--Update security overview

Posted by GitBox <gi...@apache.org>.
Huanli-Meng commented on a change in pull request #7302:
URL: https://github.com/apache/pulsar/pull/7302#discussion_r443283635



##########
File path: site2/docs/security-overview.md
##########
@@ -10,6 +10,10 @@ By default, Pulsar configures no encryption, authentication, or authorization. A
 
 Pulsar supports a pluggable authentication mechanism. And Pulsar clients use this mechanism to authenticate with brokers and proxies. You can also configure Pulsar to support multiple authentication sources.
 
+The Pulsar broker validates the authentication credentials when a connection is established. After the initial connection is authenticated, the "principal" token is stored for authorization though the connection is not re-authenticated. The broker periodically checks the expiration status of every `ServerCnx` object. You can set the `authenticationRefreshCheckSeconds` on the broker to control the frequency to check the expiration status. By default, the `authenticationRefreshCheckSeconds` is set to 60s. When the authentication is expired, the broker forces to re-authenticate the connection. If the re-authentication fails, the broker disconnects the client .
+
+The broker knows whether a particular client supports authentication refreshing. If a client supports authentication refreshing and the credential is expired, the authentication provider calls the `refreshAuthentication` method to initiate the refreshing process. If a client does not support authentication refreshing and the credential is expired, the broker disconnects the client.
+
 You had better secure the service components in your Apache Pulsar deployment.
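
Review bot: In the first added paragraph, "though the connection is not re-authenticated" reads as an unconditional statement and conflicts with the later sentence "the broker forces to re-authenticate the connection". Suggest qualifying it, for example "the connection is not re-authenticated until the credential expires", and rewording the later sentence to "the broker forces the connection to re-authenticate". The phrase 'the "principal" token' is also ambiguous between the authenticated principal and the credential itself; the text should say which one is stored for authorization.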

Review comment:
       updated
   







[GitHub] [pulsar] Huanli-Meng commented on pull request #7302: [PIP-55][Doc]--Update security overview

Posted by GitBox <gi...@apache.org>.
Huanli-Meng commented on pull request #7302:
URL: https://github.com/apache/pulsar/pull/7302#issuecomment-646012414


   @jiazhai , please help review the document.





[GitHub] [pulsar] Jennifer88huang commented on a change in pull request #7302: [PIP-55][Doc]--Update security overview

Posted by GitBox <gi...@apache.org>.
Jennifer88huang commented on a change in pull request #7302:
URL: https://github.com/apache/pulsar/pull/7302#discussion_r442837901



##########
File path: site2/docs/security-overview.md
##########
@@ -10,6 +10,10 @@ By default, Pulsar configures no encryption, authentication, or authorization. A
 
 Pulsar supports a pluggable authentication mechanism. And Pulsar clients use this mechanism to authenticate with brokers and proxies. You can also configure Pulsar to support multiple authentication sources.
 
+The Pulsar broker validates the authentication credentials when a connection is established. After the initial connection is authenticated, the "principal" token is stored for authorization though the connection is not re-authenticated. The broker periodically checks the expiration status of every `ServerCnx` object. You can set the `authenticationRefreshCheckSeconds` on the broker to control the frequency to check the expiration status. By default, the `authenticationRefreshCheckSeconds` is set to 60s. When the authentication is expired, the broker forces to re-authenticate the connection. If the re-authentication fails, the broker disconnects the client .
+
+The broker knows whether a particular client supports authentication refreshing. If a client supports authentication refreshing and the credential is expired, the authentication provider calls the `refreshAuthentication` method to initiate the refreshing process. If a client does not support authentication refreshing and the credential is expired, the broker disconnects the client.
+
 You had better secure the service components in your Apache Pulsar deployment.
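
Review bot: The second added paragraph says the broker distinguishes clients that support authentication refreshing but not how it does so, which means an operator cannot tell from this text which clients will be disconnected when a credential expires. Suggest stating how support is determined. The sentence "the authentication provider calls the `refreshAuthentication` method" also leaves out what the client is expected to do next; the first paragraph says a failed re-authentication disconnects the client, and this paragraph should tie the refresh flow to that outcome.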

Review comment:
       "knows" is not a good verb here; we can use another verb to avoid attributing human qualities to software or hardware.
   For details, refer to attribute human qualities to software or hardware
   

##########
File path: site2/docs/security-overview.md
##########
@@ -10,6 +10,10 @@ By default, Pulsar configures no encryption, authentication, or authorization. A
 
 Pulsar supports a pluggable authentication mechanism. And Pulsar clients use this mechanism to authenticate with brokers and proxies. You can also configure Pulsar to support multiple authentication sources.
 
+The Pulsar broker validates the authentication credentials when a connection is established. After the initial connection is authenticated, the "principal" token is stored for authorization though the connection is not re-authenticated. The broker periodically checks the expiration status of every `ServerCnx` object. You can set the `authenticationRefreshCheckSeconds` on the broker to control the frequency to check the expiration status. By default, the `authenticationRefreshCheckSeconds` is set to 60s. When the authentication is expired, the broker forces to re-authenticate the connection. If the re-authentication fails, the broker disconnects the client .
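
Review bot: The sentences on `authenticationRefreshCheckSeconds` describe a periodic expiration check but do not state what follows from it: as written, a connection whose credential has expired is only caught at the next check, so it can remain in use for up to the configured interval (60s with the stated default). Suggest saying this explicitly so operators can choose the interval relative to their credential lifetime. Since the unit is already part of the setting name, the default would also read more clearly as the value `60` rather than "60s".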

Review comment:
       Remove the redundant space before the last period.







[GitHub] [pulsar] jiazhai merged pull request #7302: [PIP-55][Doc]--Update security overview

Posted by GitBox <gi...@apache.org>.
jiazhai merged pull request #7302:
URL: https://github.com/apache/pulsar/pull/7302


   





[GitHub] [pulsar] Huanli-Meng commented on pull request #7302: [PIP-55][Doc]--Update security overview

Posted by GitBox <gi...@apache.org>.
Huanli-Meng commented on pull request #7302:
URL: https://github.com/apache/pulsar/pull/7302#issuecomment-646067056


   Once the doc is approved, it will be added to the release 2.6.0.

