Posted to commits@pulsar.apache.org by zh...@apache.org on 2020/06/27 23:54:02 UTC

[pulsar] branch master updated: [PIP-55][Doc]--Update security overview (#7302)

This is an automated email from the ASF dual-hosted git repository.

zhaijia pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/pulsar.git


The following commit(s) were added to refs/heads/master by this push:
     new 29b81ed  [PIP-55][Doc]--Update security overview (#7302)
29b81ed is described below

commit 29b81ed090390506dd0d34beed66c719888a558c
Author: HuanliMeng <48...@users.noreply.github.com>
AuthorDate: Sun Jun 28 07:53:49 2020 +0800

    [PIP-55][Doc]--Update security overview (#7302)
    
    
    This PR is to update docs for PIP-55: https://github.com/apache/pulsar/pull/6074
    
    ### Motivation
    
    Provide a general doc description about implementing the authentication refreshing functionality.
    
    ### Modifications
    
    Update the Security overview for PIP 55.
    
    The `authenticationRefreshCheckSeconds` config has been added through the PR: https://github.com/apache/pulsar/pull/6074
---
 site2/docs/security-overview.md | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/site2/docs/security-overview.md b/site2/docs/security-overview.md
index 7fc177e..a6de902 100644
--- a/site2/docs/security-overview.md
+++ b/site2/docs/security-overview.md
@@ -10,6 +10,10 @@ By default, Pulsar configures no encryption, authentication, or authorization. A
 
 Pulsar supports a pluggable authentication mechanism. And Pulsar clients use this mechanism to authenticate with brokers and proxies. You can also configure Pulsar to support multiple authentication sources.
 
+The Pulsar broker validates the authentication credentials when a connection is established. After the initial connection is authenticated, the "principal" token is stored for authorization though the connection is not re-authenticated. The broker periodically checks the expiration status of every `ServerCnx` object. You can set the `authenticationRefreshCheckSeconds` on the broker to control the frequency to check the expiration status. By default, the `authenticationRefreshCheckSeconds [...]
+
+The broker supports learning whether a particular client supports authentication refreshing. If a client supports authentication refreshing and the credential is expired, the authentication provider calls the `refreshAuthentication` method to initiate the refreshing process. If a client does not support authentication refreshing and the credential is expired, the broker disconnects the client.
+
 You had better secure the service components in your Apache Pulsar deployment.
 
 ## Role tokens
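
Review bot: In the first added paragraph, the clause "the "principal" token is stored for authorization though the connection is not re-authenticated" is hard to parse and hides the security-relevant point. Suggest splitting it: say that the principal established when the connection is authenticated is reused for authorization for the life of that connection, and that the periodic expiration check on each `ServerCnx` is where an expired credential is noticed. It is also worth stating explicitly whether an expired credential stays usable until the next check, since that makes `authenticationRefreshCheckSeconds` the bound operators need to tune. In the second added paragraph, "The broker supports learning whether a particular client supports authentication refreshing" does not say how the broker determines this, and the paragraph does not cover what happens when a refresh-capable client does not complete the refresh after `refreshAuthentication` is called; one sentence on each would close the gap.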