Posted to commits@pulsar.apache.org by GitBox <gi...@apache.org> on 2022/05/10 04:47:03 UTC

[GitHub] [pulsar] michaeljmarshall commented on a diff in pull request #15121: [Authenticate] fix Invalid signature error when use Kerberos Authentication

michaeljmarshall commented on code in PR #15121:
URL: https://github.com/apache/pulsar/pull/15121#discussion_r868810934


##########
conf/broker.conf:
##########
@@ -760,11 +760,16 @@ tokenAudience=
 # This is a regexp, which limits the range of possible ids which can connect to the Broker using SASL.
 # Default value: `SaslConstants.JAAS_CLIENT_ALLOWED_IDS_DEFAULT`, which is ".*pulsar.*",
 # so only clients whose id contains 'pulsar' are allowed to connect.
-saslJaasClientAllowedIds=
+saslJaasClientAllowedIds=.*pulsar.*
 
 # Service Principal, for login context name.
-# Default value `SaslConstants.JAAS_DEFAULT_BROKER_SECTION_NAME`, which is "Broker".
-saslJaasServerSectionName=
+# Default value `SaslConstants.JAAS_DEFAULT_BROKER_SECTION_NAME`, which is "PulsarBroker".
+saslJaasServerSectionName=PulsarBroker
+
+# Path to file containing the secret to be used to SaslRoleTokenSigner
+# The Path can be specified like:
+# saslJaasServerRoleTokenSignerSecretPath=file:///my/saslRoleTokenSignerSecret.key
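
Review bot: The comment added for `saslJaasServerRoleTokenSignerSecretPath` says only that the file holds "the secret to be used to SaslRoleTokenSigner"; it does not state the expected format of the file contents, what the broker does when the path is left unset, or that the file should be readable only by the account running the broker. Suggest rewording it to "Path to the file containing the secret used by SaslRoleTokenSigner" and adding a line for each of those points. Separately, now that `saslJaasClientAllowedIds=.*pulsar.*` is written out as an explicit value, the comment above it should note that this pattern accepts any client id containing "pulsar", so operators can narrow it to their own principals.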

Review Comment:
   Nit: we should document guidance on an appropriate minimum length for the secret. A short secret would lead to an easily brute forced discovery of the broker's secret, which would be very problematic.


