Posted to commits@pulsar.apache.org by GitBox <gi...@apache.org> on 2020/06/28 06:18:47 UTC

[GitHub] [pulsar] wolfstudy opened a new issue #7379: Enable TLS auth of Pulsar Function in standalone mode

wolfstudy opened a new issue #7379:
URL: https://github.com/apache/pulsar/issues/7379


   **Is your feature request related to a problem? Please describe.**
   
   When we want to enable TLS-related encryption in the function worker, some parameters use brokers, but some parameters are not covered by the broker.
   
   For example, in `PulsarStandalone.java`, if we want to enable authentication using TLS, then we need to configure TLS-related parameters in functions_worker.yml, but auth-related parameters inherit the configuration in `broker.conf`:
   
   ```
   workerConfig.setAuthenticationEnabled(config.isAuthenticationEnabled());
   workerConfig.setAuthenticationProviders(config.getAuthenticationProviders());
   
   workerConfig.setAuthorizationEnabled(config.isAuthorizationEnabled());
   workerConfig.setAuthorizationProvider(config.getAuthorizationProvider());
   workerConfig.setConfigurationStoreServers(config.getConfigurationStoreServers());
   workerConfig.setZooKeeperSessionTimeoutMillis(config.getZooKeeperSessionTimeoutMillis());
   workerConfig.setZooKeeperOperationTimeoutSeconds(config.getZooKeeperOperationTimeoutSeconds());
   
   workerConfig.setTlsHostnameVerificationEnable(false);
   
   workerConfig.setTlsAllowInsecureConnection(config.isTlsAllowInsecureConnection());
   workerConfig.setTlsTrustCertsFilePath(config.getTlsTrustCertsFilePath());
   
   // client in worker will use this config to authenticate with broker
   workerConfig.setClientAuthenticationPlugin(config.getBrokerClientAuthenticationPlugin());
   workerConfig.setClientAuthenticationParameters(config.getBrokerClientAuthenticationParameters());
   
   // inherit super users
   workerConfig.setSuperUserRoles(config.getSuperUserRoles());
   ```
   
   For encryption-related functions, if the function worker wants to inherit the broker-related configuration, then all the encryption-related options need to be inherited instead of a part of them.
   
   **Describe the solution you'd like**
   
   I think we can modify the current behavior. If the relevant functions are configured in functions_worker.yml, then we prefer to use the configuration in functions_worker.yml. If not, we can inherit the broker-related configuration.
   
   Another thing is, if we want to turn on TLS-related encryption, we need to configure `useTls: true` in functions_worker.yml. But unfortunately, I didn’t find any hint about this option in the existing documentation.
   
   


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org
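
The precedence proposed in the issue above (a value set in functions_worker.yml wins, otherwise the broker.conf value is inherited), together with a check of the resulting TLS posture, as an added example that is not part of the original issue and is not Pulsar code. The key names are taken from the setters and getters quoted in the issue and from `useTls` and `tlsEnableHostnameVerification` as named in the thread; both files are assumed to be already loaded into dicts, and the sample values are constructed.

```python
# Added illustration, not Pulsar code. Worker key -> broker.conf key it may
# inherit from (None: the thread names no broker equivalent for it).
FALLBACK = {
    "useTls": None,
    "tlsEnableHostnameVerification": None,
    "tlsAllowInsecureConnection": "tlsAllowInsecureConnection",
    "tlsTrustCertsFilePath": "tlsTrustCertsFilePath",
    "clientAuthenticationPlugin": "brokerClientAuthenticationPlugin",
    "clientAuthenticationParameters": "brokerClientAuthenticationParameters",
}

def resolve(worker, broker):
    """Return {key: (value, source)}; functions_worker.yml takes precedence."""
    effective = {}
    for key, broker_key in FALLBACK.items():
        if worker.get(key) is not None:          # explicit False still counts as set
            effective[key] = (worker[key], "functions_worker.yml")
        elif broker_key and broker.get(broker_key) is not None:
            effective[key] = (broker[broker_key], "broker.conf")
        else:
            effective[key] = (None, "unset")
    return effective

def audit(effective):
    """List settings that weaken TLS for the client inside the worker."""
    value = {k: v for k, (v, _) in effective.items()}
    findings = []
    if not value["useTls"]:
        findings.append("useTls is not enabled")
    if value["tlsAllowInsecureConnection"]:
        findings.append("tlsAllowInsecureConnection is true")
    if not value["tlsEnableHostnameVerification"]:
        findings.append("tlsEnableHostnameVerification is not enabled")
    if value["useTls"] and not value["tlsTrustCertsFilePath"]:
        findings.append("useTls is set but no tlsTrustCertsFilePath resolved")
    return findings

# Constructed sample configuration (paths are placeholders).
WORKER = {"useTls": True, "tlsTrustCertsFilePath": "/example/worker/ca.pem"}
BROKER = {
    "tlsAllowInsecureConnection": True,
    "tlsTrustCertsFilePath": "/example/broker/ca.pem",
    "brokerClientAuthenticationPlugin": "org.apache.pulsar.client.impl.auth.AuthenticationTls",
    "brokerClientAuthenticationParameters": "tlsCertFile:/example/c.pem,tlsKeyFile:/example/k.pem",
}

if __name__ == "__main__":
    eff = resolve(WORKER, BROKER)
    for key, (val, src) in eff.items():
        print(f"{key} = {val!r}  [{src}]")
    for finding in audit(eff):
        print("FINDING:", finding)
```

Printing the source next to each value shows which file a weak setting has to be corrected in.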



[GitHub] [pulsar] sijie commented on issue #7379: Enable TLS auth of Pulsar Function in standalone mode

Posted by GitBox <gi...@apache.org>.
sijie commented on issue #7379:
URL: https://github.com/apache/pulsar/issues/7379#issuecomment-650865388


   @wolfstudy The behavior is correct but there are a few places that we can improve. 
   
   In function worker, we need to separate client TLS settings from server TLS settings. #6602 already did that. 
   But we need to rename the following settings to make those broker client TLS settings clearer.
   
   ```
   # the authentication plugin to be used by the pulsar client used in worker service
   # clientAuthenticationPlugin:
   # the authentication parameter to be used by the pulsar client used in worker service
   # clientAuthenticationParameters:
   # Accept untrusted TLS certificate from client 
   tlsAllowInsecureConnection: false
   ```
   
   Add a setting for `tlsEnableHostnameVerification`.
   
   After that, we need to enhance the logic in the broker to set the TLS settings to inherit from broker.conf for both client and server components.
   





[GitHub] [pulsar] sijie commented on issue #7379: Enable TLS auth of Pulsar Function in standalone mode

Posted by GitBox <gi...@apache.org>.
sijie commented on issue #7379:
URL: https://github.com/apache/pulsar/issues/7379#issuecomment-650863114


   @wolfstudy I think that is expected. If Function Worker is running as part of broker, Function Worker will use the security settings from the broker. We should probably update the security-related documentation for Function Worker.





[GitHub] [pulsar] codelipenghui closed issue #7379: Enable TLS auth of Pulsar Function in standalone mode

Posted by GitBox <gi...@apache.org>.
codelipenghui closed issue #7379:
URL: https://github.com/apache/pulsar/issues/7379


   

