Posted to commits@pulsar.apache.org by zh...@apache.org on 2020/06/27 23:54:02 UTC
[pulsar] branch master updated: [PIP-55][Doc]--Update security overview (#7302)
This is an automated email from the ASF dual-hosted git repository.
zhaijia pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/pulsar.git
The following commit(s) were added to refs/heads/master by this push:
new 29b81ed [PIP-55][Doc]--Update security overview (#7302)
29b81ed is described below
commit 29b81ed090390506dd0d34beed66c719888a558c
Author: HuanliMeng <48...@users.noreply.github.com>
AuthorDate: Sun Jun 28 07:53:49 2020 +0800
[PIP-55][Doc]--Update security overview (#7302)
This PR is to update docs for PIP-55: https://github.com/apache/pulsar/pull/6074
### Motivation
Provide a general doc description about implementing the authentication refreshing functionality.
### Modifications
Update the Security overview for PIP 55.
The `authenticationRefreshCheckSeconds` config has been added through the PR: https://github.com/apache/pulsar/pull/6074
---
site2/docs/security-overview.md | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/site2/docs/security-overview.md b/site2/docs/security-overview.md
index 7fc177e..a6de902 100644
--- a/site2/docs/security-overview.md
+++ b/site2/docs/security-overview.md
@@ -10,6 +10,10 @@ By default, Pulsar configures no encryption, authentication, or authorization. A
Pulsar supports a pluggable authentication mechanism. And Pulsar clients use this mechanism to authenticate with brokers and proxies. You can also configure Pulsar to support multiple authentication sources.
+The Pulsar broker validates the authentication credentials when a connection is established. After the initial connection is authenticated, the "principal" token is stored for authorization though the connection is not re-authenticated. The broker periodically checks the expiration status of every `ServerCnx` object. You can set the `authenticationRefreshCheckSeconds` on the broker to control the frequency to check the expiration status. By default, the `authenticationRefreshCheckSeconds [...]
+
+The broker supports learning whether a particular client supports authentication refreshing. If a client supports authentication refreshing and the credential is expired, the authentication provider calls the `refreshAuthentication` method to initiate the refreshing process. If a client does not support authentication refreshing and the credential is expired, the broker disconnects the client.
+
You had better secure the service components in your Apache Pulsar deployment.
## Role tokens
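Review bot: In the first added paragraph, the clause 'the "principal" token is stored for authorization though the connection is not re-authenticated' leaves it unclear whether the broker keeps authorizing with the stored principal after the credential has expired. Suggest stating plainly that the principal is retained for the life of the connection and that the credential is only re-examined by the periodic expiration check, so the value of `authenticationRefreshCheckSeconds` determines how long an expired credential can go unnoticed on an open connection. It would also help to say where on the broker the setting is configured. In the second added paragraph, "The broker supports learning whether a particular client supports authentication refreshing" is hard to parse; either describe how the broker determines client support or simplify it to something like "The broker detects whether a client supports authentication refreshing." The disconnect behaviour for clients without refresh support is the security-relevant outcome and reads well as written.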