Posted to commits@pulsar.apache.org by lh...@apache.org on 2022/06/01 07:56:15 UTC

[pulsar] branch branch-2.9 updated (817e617dd1c -> 50d95028a21)

This is an automated email from the ASF dual-hosted git repository.

lhotari pushed a change to branch branch-2.9
in repository https://gitbox.apache.org/repos/asf/pulsar.git


    from 817e617dd1c [fix][python]Fix generated Python protobuf code not compatible with latest protobuf package (#15846)
     new 0cdf66ab7fc Switch to rely on Netty for Hostname Verification (#15824)
     new 50d95028a21 Configure DLog Bookie, Pulsar, and Admin clients via pass through config (#15818)

The 2 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.


Summary of changes:
 .../resources/authentication/tls/broker-cert.pem   |  74 ++++++-------
 .../test/resources/authentication/tls/cacert.pem   | 110 ++++++++++----------
 .../resources/authentication/tls/client-cert.pem   |  74 ++++++-------
 build/regenerate_certs_for_tests.sh                |  25 ++---
 conf/broker.conf                                   |  14 ++-
 conf/functions_worker.yml                          |  20 ++++
 conf/proxy.conf                                    |   4 +
 conf/websocket.conf                                |   4 +
 .../pulsar/broker/BookKeeperClientFactoryImpl.java |  16 ++-
 .../org/apache/pulsar/broker/PulsarService.java    |  29 ++++--
 .../pulsar/broker/namespace/NamespaceService.java  |   6 ++
 .../pulsar/broker/service/BrokerService.java       |  21 +++-
 .../apache/pulsar/compaction/CompactorTool.java    |   6 ++
 ...kerInternalClientConfigurationOverrideTest.java | 115 +++++++++++++++++++++
 .../AuthenticationTlsHostnameVerificationTest.java |  34 ++----
 .../PulsarClientConfigurationOverrideTest.java     |  56 ++++++++++
 .../websocket/proxy/ProxyConfigurationTest.java    |   6 ++
 .../pulsar/client/admin/PulsarAdminBuilder.java    |  23 +++++
 .../admin/internal/PulsarAdminBuilderImpl.java     |   9 +-
 .../admin/internal/http/AsyncHttpConnector.java    |   9 +-
 .../pulsar/client/internal/PropertiesUtils.java    |  64 ++++++++++++
 .../org/apache/pulsar/client/impl/ClientCnx.java   |  48 ---------
 .../org/apache/pulsar/client/impl/HttpClient.java  |   1 +
 .../client/impl/PulsarChannelInitializer.java      |   7 ++
 .../util/NettyClientSslContextRefresher.java       |   3 +-
 .../apache/pulsar/common/util/SecurityUtility.java |  10 ++
 .../src/test/resources/test_worker_config.yml      |   3 +
 .../functions/worker/PulsarWorkerService.java      |  12 ++-
 .../pulsar/functions/worker/WorkerUtils.java       |  45 +++++++-
 .../pulsar/functions/worker/WorkerUtilsTest.java   |  19 ++++
 .../bookkeeper/BookKeeperPackagesStorage.java      |   8 ++
 .../BookKeeperPackagesStorageConfiguration.java    |   4 +
 .../core/PackagesStorageConfiguration.java         |   6 ++
 .../impl/DefaultPackagesStorageConfiguration.java  |   5 +
 .../pulsar/proxy/server/AdminProxyHandler.java     |   7 +-
 .../pulsar/proxy/server/DirectProxyHandler.java    | 101 +++++++++++++-----
 .../pulsar/proxy/server/ProxyConnection.java       |  24 +++--
 .../proxy/server/ServiceChannelInitializer.java    |  66 +-----------
 .../proxy/server/ProxyWithAuthorizationTest.java   |  70 +++++++------
 .../ProxyWithAuthorizationTest/broker-cacert.pem   | 110 ++++++++++----------
 .../tls/ProxyWithAuthorizationTest/broker-cert.pem |  74 ++++++-------
 .../ProxyWithAuthorizationTest/client-cacert.pem   | 110 ++++++++++----------
 .../tls/ProxyWithAuthorizationTest/client-cert.pem |  74 ++++++-------
 .../ProxyWithAuthorizationTest/proxy-cacert.pem    | 110 ++++++++++----------
 .../tls/ProxyWithAuthorizationTest/proxy-cert.pem  |  74 ++++++-------
 .../test/resources/authentication/tls/cacert.pem   | 110 ++++++++++----------
 .../resources/authentication/tls/client-cert.pem   |  74 ++++++-------
 .../resources/authentication/tls/server-cert.pem   |  74 ++++++-------
 .../apache/pulsar/websocket/WebSocketService.java  |   7 +-
 site2/docs/reference-configuration.md              |  21 ++++
 50 files changed, 1218 insertions(+), 778 deletions(-)
 create mode 100644 pulsar-broker/src/test/java/org/apache/pulsar/broker/service/BrokerInternalClientConfigurationOverrideTest.java
 create mode 100644 pulsar-broker/src/test/java/org/apache/pulsar/client/impl/PulsarClientConfigurationOverrideTest.java
 create mode 100644 pulsar-client-api/src/main/java/org/apache/pulsar/client/internal/PropertiesUtils.java


[pulsar] 02/02: Configure DLog Bookie, Pulsar, and Admin clients via pass through config (#15818)

Posted by lh...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

lhotari pushed a commit to branch branch-2.9
in repository https://gitbox.apache.org/repos/asf/pulsar.git

commit 50d95028a21e9284299b60704873a8daaa42c410
Author: Michael Marshall <mm...@apache.org>
AuthorDate: Wed Jun 1 02:14:49 2022 -0500

    Configure DLog Bookie, Pulsar, and Admin clients via pass through config (#15818)
    
    (cherry picked from commit aa673498f88d0ed4f9d5788a5036355834ea5119)
---
 conf/broker.conf                                   |  14 ++-
 conf/functions_worker.yml                          |  20 ++++
 conf/proxy.conf                                    |   4 +
 conf/websocket.conf                                |   4 +
 .../pulsar/broker/BookKeeperClientFactoryImpl.java |  16 ++-
 .../org/apache/pulsar/broker/PulsarService.java    |  29 ++++--
 .../pulsar/broker/namespace/NamespaceService.java  |   6 ++
 .../pulsar/broker/service/BrokerService.java       |  21 +++-
 .../apache/pulsar/compaction/CompactorTool.java    |   6 ++
 ...kerInternalClientConfigurationOverrideTest.java | 115 +++++++++++++++++++++
 .../PulsarClientConfigurationOverrideTest.java     |  56 ++++++++++
 .../websocket/proxy/ProxyConfigurationTest.java    |   6 ++
 .../pulsar/client/admin/PulsarAdminBuilder.java    |  23 +++++
 .../admin/internal/PulsarAdminBuilderImpl.java     |   9 +-
 .../pulsar/client/internal/PropertiesUtils.java    |  64 ++++++++++++
 .../src/test/resources/test_worker_config.yml      |   3 +
 .../functions/worker/PulsarWorkerService.java      |  12 ++-
 .../pulsar/functions/worker/WorkerUtils.java       |  45 +++++++-
 .../pulsar/functions/worker/WorkerUtilsTest.java   |  19 ++++
 .../bookkeeper/BookKeeperPackagesStorage.java      |   8 ++
 .../BookKeeperPackagesStorageConfiguration.java    |   4 +
 .../core/PackagesStorageConfiguration.java         |   6 ++
 .../impl/DefaultPackagesStorageConfiguration.java  |   5 +
 .../pulsar/proxy/server/ProxyConnection.java       |  15 ++-
 .../apache/pulsar/websocket/WebSocketService.java  |   7 +-
 site2/docs/reference-configuration.md              |  21 ++++
 26 files changed, 504 insertions(+), 34 deletions(-)

diff --git a/conf/broker.conf b/conf/broker.conf
index 3d11ce2538a..db8b618fff8 100644
--- a/conf/broker.conf
+++ b/conf/broker.conf
@@ -656,6 +656,9 @@ brokerClientTlsCiphers=
 # used by the internal client to authenticate with Pulsar brokers
 brokerClientTlsProtocols=
 
+# You can add extra configuration options for the Pulsar Client and the Pulsar Admin Client
+# by prefixing them with "brokerClient_". These configurations are applied after hard coded configuration
+# and before the above brokerClient configurations named above.
 
 ### --- Authentication --- ###
 
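Review bot: the last added comment line reads "before the above brokerClient configurations named above", which doubles "above" and does not say which value wins when a brokerClient_ key and a named brokerClient setting both target the same field. Word it in terms of precedence, for example "values set with this prefix override the built-in defaults and are overridden by the named brokerClient settings above", and add one commented sample key so the expected form is visible.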
@@ -897,8 +900,11 @@ managedLedgerDefaultAckQuorum=2
 # in case of lack of enough bookies
 #bookkeeper_opportunisticStriping=false
 
-# you can add other configuration options for the BookKeeper client
-# by prefixing them with bookkeeper_
+# You can add other configuration options for the BookKeeper client
+# by prefixing them with "bookkeeper_". These configurations are applied
+# to all bookkeeper clients started by the broker (including the managed ledger bookkeeper clients as well as
+# the BookkeeperPackagesStorage bookkeeper client), except the distributed log bookkeeper client.
+# The dlog bookkeeper client is configured in the functions worker configuration file.
 
 # How frequently to flush the cursor positions that were accumulated due to rate limiting. (seconds).
 # Default is 60 seconds
@@ -1349,4 +1355,8 @@ packagesReplicas=1
 # The bookkeeper ledger root path
 packagesManagementLedgerRootPath=/ledgers
 
+# When using BookKeeperPackagesStorageProvider, you can configure the
+# bookkeeper client by prefixing configurations with "bookkeeper_".
+# This config applies to managed ledger bookkeeper clients, as well.
+
 ### --- Packages management service configuration variables (end) --- ###
diff --git a/conf/functions_worker.yml b/conf/functions_worker.yml
index 0b228d26a58..a0449cbb236 100644
--- a/conf/functions_worker.yml
+++ b/conf/functions_worker.yml
@@ -362,3 +362,23 @@ validateConnectorConfig: false
 # Whether to initialize distributed log metadata by runtime.
 # If it is set to true, you must ensure that it has been initialized by "bin/pulsar initialize-cluster-metadata" command.
 initializedDlogMetadata: false
+###########################
+# Arbitrary Configuration
+###########################
+# When a configuration parameter is not explicitly named in the WorkerConfig class, it is only accessible from the
+# properties map. This map can be configured by supplying values to the properties map in this config file.
+
+# Configure the DLog bookkeeper client by prefixing configurations with "bookkeeper_". Because these are arbitrary, they
+# must be added to the properties map to get correctly applied. This configuration applies to the Dlog bookkeeper client
+# in both the standalone function workers and function workers initialized in the broker.
+
+# You can add extra configuration options for the Pulsar Client and the Pulsar Admin Client
+# by prefixing them with "brokerClient_". These configurations are applied after hard coded configuration
+# and before the above brokerClient configurations named above.
+
+## For example, when using the token authentication provider (AuthenticationProviderToken), you must configure several
+## custom configurations. Here is a sample for configuring one of the necessary configs:
+#properties:
+#    tokenPublicKey: "file:///path/to/my/key"
+#    tokenPublicAlg: "RSA256"
+
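Review bot: the sample at the end of this hunk uses tokenPublicKey and tokenPublicAlg, neither of which carries the "bookkeeper_" or "brokerClient_" prefix that the two preceding comment blocks describe, so the file never shows what a prefixed entry in the properties map looks like. Add a commented prefixed entry under properties:, correct "one of the necessary configs" (two keys are shown), and put a blank line between initializedDlogMetadata: false and the new section banner.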
diff --git a/conf/proxy.conf b/conf/proxy.conf
index 77129ccc71d..2454b9bf20c 100644
--- a/conf/proxy.conf
+++ b/conf/proxy.conf
@@ -163,6 +163,10 @@ tlsEnabledWithBroker=false
 # Tls cert refresh duration in seconds (set 0 to check on every new connection)
 tlsCertRefreshCheckDurationSec=300
 
+# You can add extra configuration options for the Pulsar Client
+# by prefixing them with "brokerClient_". These configurations are applied after hard coded configuration
+# and before the above brokerClient configurations named above.
+
 ##### --- Rate Limiting --- #####
 
 # Max concurrent inbound connections. The proxy will reject requests beyond that.
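Review bot: in proxy.conf the new comment points at "the above brokerClient configurations", but the settings directly above it in this hunk are tlsEnabledWithBroker and tlsCertRefreshCheckDurationSec, so the reader cannot tell which settings take precedence over a brokerClient_ key. Name the settings that are meant, or move the comment next to them.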
diff --git a/conf/websocket.conf b/conf/websocket.conf
index 535fade4ea6..4fe6f7e37b6 100644
--- a/conf/websocket.conf
+++ b/conf/websocket.conf
@@ -92,6 +92,10 @@ brokerClientAuthenticationPlugin=
 brokerClientAuthenticationParameters=
 brokerClientTrustCertsFilePath=
 
+# You can add extra configuration options for the Pulsar Client
+# by prefixing them with "brokerClient_". These configurations are applied after hard coded configuration
+# and before the above brokerClient configurations named above.
+
 # When this parameter is not empty, unauthenticated users perform as anonymousUserRole
 anonymousUserRole=
 
diff --git a/pulsar-broker/src/main/java/org/apache/pulsar/broker/BookKeeperClientFactoryImpl.java b/pulsar-broker/src/main/java/org/apache/pulsar/broker/BookKeeperClientFactoryImpl.java
index 9a09deb166b..ce91ecf907c 100644
--- a/pulsar-broker/src/main/java/org/apache/pulsar/broker/BookKeeperClientFactoryImpl.java
+++ b/pulsar-broker/src/main/java/org/apache/pulsar/broker/BookKeeperClientFactoryImpl.java
@@ -29,7 +29,6 @@ import io.netty.channel.EventLoopGroup;
 import java.io.IOException;
 import java.util.Map;
 import java.util.Optional;
-import java.util.Properties;
 import java.util.concurrent.TimeUnit;
 import java.util.concurrent.atomic.AtomicReference;
 import lombok.extern.slf4j.Slf4j;
@@ -42,6 +41,7 @@ import org.apache.bookkeeper.conf.ClientConfiguration;
 import org.apache.bookkeeper.stats.NullStatsLogger;
 import org.apache.bookkeeper.stats.StatsLogger;
 import org.apache.commons.lang3.StringUtils;
+import org.apache.pulsar.client.internal.PropertiesUtils;
 import org.apache.pulsar.common.allocator.PulsarByteBufAllocator;
 import org.apache.pulsar.common.protocol.Commands;
 import org.apache.pulsar.zookeeper.ZkBookieRackAffinityMapping;
@@ -147,15 +147,11 @@ public class BookKeeperClientFactoryImpl implements BookKeeperClientFactory {
                 conf.getBookkeeperClientGetBookieInfoIntervalSeconds(), TimeUnit.SECONDS);
         bkConf.setGetBookieInfoRetryIntervalSeconds(
                 conf.getBookkeeperClientGetBookieInfoRetryIntervalSeconds(), TimeUnit.SECONDS);
-        Properties allProps = conf.getProperties();
-        allProps.forEach((key, value) -> {
-            String sKey = key.toString();
-            if (sKey.startsWith("bookkeeper_") && value != null) {
-                String bkExtraConfigKey = sKey.substring(11);
-                log.info("Extra BookKeeper client configuration {}, setting {}={}", sKey, bkExtraConfigKey, value);
-                bkConf.setProperty(bkExtraConfigKey, value);
-            }
-        });
+        PropertiesUtils.filterAndMapProperties(conf.getProperties(), "bookkeeper_")
+                .forEach((key, value) -> {
+                    log.info("Applying BookKeeper client configuration setting {}={}", key, value);
+                    bkConf.setProperty(key, value);
+                });
         return bkConf;
     }
 
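Review bot: the new log.info call prints every passthrough value at INFO ("setting {}={}" with key and value), so any bookkeeper_ option that carries a password or other credential ends up in the broker log. Log the key only, or mask the value. The old message also printed the prefixed key, which made it easy to match a log line to the line in broker.conf; consider keeping that.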
diff --git a/pulsar-broker/src/main/java/org/apache/pulsar/broker/PulsarService.java b/pulsar-broker/src/main/java/org/apache/pulsar/broker/PulsarService.java
index a777ced4f95..85f21e0bf8f 100644
--- a/pulsar-broker/src/main/java/org/apache/pulsar/broker/PulsarService.java
+++ b/pulsar-broker/src/main/java/org/apache/pulsar/broker/PulsarService.java
@@ -127,6 +127,8 @@ import org.apache.pulsar.client.api.PulsarClientException;
 import org.apache.pulsar.client.api.transaction.TransactionBufferClient;
 import org.apache.pulsar.client.impl.PulsarClientImpl;
 import org.apache.pulsar.client.impl.conf.ClientConfigurationData;
+import org.apache.pulsar.client.impl.conf.ConfigurationDataUtils;
+import org.apache.pulsar.client.internal.PropertiesUtils;
 import org.apache.pulsar.client.util.ExecutorProvider;
 import org.apache.pulsar.common.conf.InternalConfigurationData;
 import org.apache.pulsar.common.configuration.PulsarConfigurationLoader;
@@ -1328,7 +1330,16 @@ public class PulsarService implements AutoCloseable, ShutdownService {
     public synchronized PulsarClient getClient() throws PulsarServerException {
         if (this.client == null) {
             try {
-                ClientConfigurationData conf = new ClientConfigurationData();
+                ClientConfigurationData initialConf = new ClientConfigurationData();
+                initialConf.setStatsIntervalSeconds(0);
+
+                // Apply all arbitrary configuration. This must be called before setting any fields annotated as
+                // @Secret on the ClientConfigurationData object because of the way they are serialized.
+                // See https://github.com/apache/pulsar/issues/8509 for more information.
+                Map<String, Object> overrides = PropertiesUtils
+                        .filterAndMapProperties(this.getConfiguration().getProperties(), "brokerClient_");
+                ClientConfigurationData conf =
+                        ConfigurationDataUtils.loadData(overrides, initialConf, ClientConfigurationData.class);
                 conf.setServiceUrl(this.getConfiguration().isTlsEnabled()
                                 ? this.brokerServiceUrlTls : this.brokerServiceUrl);
                 conf.setTlsAllowInsecureConnection(this.getConfiguration().isTlsAllowInsecureConnection());
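Review bot: in getClient() the overrides are loaded first and conf.setServiceUrl(...) and conf.setTlsAllowInsecureConnection(...) run afterwards, so a brokerClient_ key for one of those fields is silently discarded, and nothing records which brokerClient_ keys were applied. Log the applied keys (not the values, since the comment notes that some fields are @Secret) and say in the comment that the named settings below take precedence. Moving setStatsIntervalSeconds(0) onto initialConf also turns the former fixed 0 into an overridable default, which the configuration docs should mention.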
@@ -1356,8 +1367,6 @@ public class PulsarService implements AutoCloseable, ShutdownService {
                             this.getConfiguration().getBrokerClientAuthenticationPlugin(),
                             this.getConfiguration().getBrokerClientAuthenticationParameters()));
                 }
-
-                conf.setStatsIntervalSeconds(0);
                 this.client = new PulsarClientImpl(conf, ioEventLoopGroup);
             } catch (Exception e) {
                 throw new PulsarServerException(e);
@@ -1377,10 +1386,16 @@ public class PulsarService implements AutoCloseable, ShutdownService {
                             + ", webServiceAddressTls: " + webServiceAddressTls
                             + ", webServiceAddress: " + webServiceAddress);
                 }
-                PulsarAdminBuilder builder = PulsarAdmin.builder().serviceHttpUrl(adminApiUrl) //
-                        .authentication(//
-                                conf.getBrokerClientAuthenticationPlugin(), //
-                                conf.getBrokerClientAuthenticationParameters());
+                PulsarAdminBuilder builder = PulsarAdmin.builder().serviceHttpUrl(adminApiUrl);
+
+                // Apply all arbitrary configuration. This must be called before setting any fields annotated as
+                // @Secret on the ClientConfigurationData object because of the way they are serialized.
+                // See https://github.com/apache/pulsar/issues/8509 for more information.
+                builder.loadConf(PropertiesUtils.filterAndMapProperties(config.getProperties(), "brokerClient_"));
+
+                builder.authentication(
+                        conf.getBrokerClientAuthenticationPlugin(),
+                        conf.getBrokerClientAuthenticationParameters());
 
                 if (conf.isBrokerClientTlsEnabled()) {
                     builder.tlsCiphers(config.getBrokerClientTlsCiphers())
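Review bot: the three-line comment and the filterAndMapProperties(..., "brokerClient_") call added here are repeated verbatim from getClient(), and the ordering rule they describe (loadConf before builder.authentication) is enforced only by statement order at each call site. Move the prefix into a constant and the call into one helper that carries the comment, so a later edit cannot reorder a single site unnoticed. The comment also names ClientConfigurationData although this block configures a PulsarAdminBuilder.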
diff --git a/pulsar-broker/src/main/java/org/apache/pulsar/broker/namespace/NamespaceService.java b/pulsar-broker/src/main/java/org/apache/pulsar/broker/namespace/NamespaceService.java
index 58c39ac9143..4d910cb901d 100644
--- a/pulsar-broker/src/main/java/org/apache/pulsar/broker/namespace/NamespaceService.java
+++ b/pulsar-broker/src/main/java/org/apache/pulsar/broker/namespace/NamespaceService.java
@@ -67,6 +67,7 @@ import org.apache.pulsar.client.api.PulsarClientException;
 import org.apache.pulsar.client.impl.ClientBuilderImpl;
 import org.apache.pulsar.client.impl.PulsarClientImpl;
 import org.apache.pulsar.client.impl.conf.ClientConfigurationData;
+import org.apache.pulsar.client.internal.PropertiesUtils;
 import org.apache.pulsar.common.api.proto.CommandGetTopicsOfNamespace.Mode;
 import org.apache.pulsar.common.lookup.data.LookupData;
 import org.apache.pulsar.common.naming.NamespaceBundle;
@@ -1272,6 +1273,11 @@ public class NamespaceService implements AutoCloseable {
                     .enableTcpNoDelay(false)
                     .statsInterval(0, TimeUnit.SECONDS);
 
+                // Apply all arbitrary configuration. This must be called before setting any fields annotated as
+                // @Secret on the ClientConfigurationData object because of the way they are serialized.
+                // See https://github.com/apache/pulsar/issues/8509 for more information.
+                clientBuilder.loadConf(PropertiesUtils.filterAndMapProperties(config.getProperties(), "brokerClient_"));
+
                 if (pulsar.getConfiguration().isAuthenticationEnabled()) {
                     clientBuilder.authentication(pulsar.getConfiguration().getBrokerClientAuthenticationPlugin(),
                         pulsar.getConfiguration().getBrokerClientAuthenticationParameters());
diff --git a/pulsar-broker/src/main/java/org/apache/pulsar/broker/service/BrokerService.java b/pulsar-broker/src/main/java/org/apache/pulsar/broker/service/BrokerService.java
index 5dc5edf9f08..a932e2fa505 100644
--- a/pulsar-broker/src/main/java/org/apache/pulsar/broker/service/BrokerService.java
+++ b/pulsar-broker/src/main/java/org/apache/pulsar/broker/service/BrokerService.java
@@ -127,6 +127,7 @@ import org.apache.pulsar.client.api.PulsarClient;
 import org.apache.pulsar.client.impl.ClientBuilderImpl;
 import org.apache.pulsar.client.impl.PulsarClientImpl;
 import org.apache.pulsar.client.impl.conf.ClientConfigurationData;
+import org.apache.pulsar.client.internal.PropertiesUtils;
 import org.apache.pulsar.common.allocator.PulsarByteBufAllocator;
 import org.apache.pulsar.common.configuration.BindAddress;
 import org.apache.pulsar.common.configuration.FieldContext;
@@ -1135,6 +1136,12 @@ public class BrokerService implements Closeable {
                         .enableTcpNoDelay(false)
                         .connectionsPerBroker(pulsar.getConfiguration().getReplicationConnectionsPerBroker())
                         .statsInterval(0, TimeUnit.SECONDS);
+                // Apply all arbitrary configuration. This must be called before setting any fields annotated as
+                // @Secret on the ClientConfigurationData object because of the way they are serialized.
+                // See https://github.com/apache/pulsar/issues/8509 for more information.
+                clientBuilder.loadConf(PropertiesUtils.filterAndMapProperties(pulsar.getConfiguration().getProperties(),
+                        "brokerClient_"));
+
                 if (data.getAuthenticationPlugin() != null && data.getAuthenticationParameters() != null) {
                     clientBuilder.authentication(data.getAuthenticationPlugin(), data.getAuthenticationParameters());
                 } else if (pulsar.getConfiguration().isAuthenticationEnabled()) {
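Review bot: this applies the broker's brokerClient_ overrides to the replication client (the builder that sets connectionsPerBroker from getReplicationConnectionsPerBroker()), but the comment added to conf/broker.conf mentions only "the Pulsar Client and the Pulsar Admin Client". State in the docs that clients connecting to remote clusters pick up these settings as well. Style: add a blank line between .statsInterval(0, TimeUnit.SECONDS); and the new comment, as the NamespaceService hunk does.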
@@ -1210,10 +1217,16 @@ public class BrokerService implements Closeable {
 
                 boolean isTlsUrl = conf.isBrokerClientTlsEnabled() && isNotBlank(data.getServiceUrlTls());
                 String adminApiUrl = isTlsUrl ? data.getServiceUrlTls() : data.getServiceUrl();
-                PulsarAdminBuilder builder = PulsarAdmin.builder().serviceHttpUrl(adminApiUrl)
-                        .authentication(
-                                conf.getBrokerClientAuthenticationPlugin(),
-                                conf.getBrokerClientAuthenticationParameters());
+                PulsarAdminBuilder builder = PulsarAdmin.builder().serviceHttpUrl(adminApiUrl);
+
+                // Apply all arbitrary configuration. This must be called before setting any fields annotated as
+                // @Secret on the ClientConfigurationData object because of the way they are serialized.
+                // See https://github.com/apache/pulsar/issues/8509 for more information.
+                builder.loadConf(PropertiesUtils.filterAndMapProperties(conf.getProperties(), "brokerClient_"));
+
+                builder.authentication(
+                        conf.getBrokerClientAuthenticationPlugin(),
+                        conf.getBrokerClientAuthenticationParameters());
 
                 if (isTlsUrl) {
                     builder.allowTlsInsecureConnection(conf.isTlsAllowInsecureConnection());
diff --git a/pulsar-broker/src/main/java/org/apache/pulsar/compaction/CompactorTool.java b/pulsar-broker/src/main/java/org/apache/pulsar/compaction/CompactorTool.java
index ac028ef871b..35ca089e5df 100644
--- a/pulsar-broker/src/main/java/org/apache/pulsar/compaction/CompactorTool.java
+++ b/pulsar-broker/src/main/java/org/apache/pulsar/compaction/CompactorTool.java
@@ -37,6 +37,7 @@ import org.apache.pulsar.broker.ServiceConfiguration;
 import org.apache.pulsar.broker.ServiceConfigurationUtils;
 import org.apache.pulsar.client.api.ClientBuilder;
 import org.apache.pulsar.client.api.PulsarClient;
+import org.apache.pulsar.client.internal.PropertiesUtils;
 import org.apache.pulsar.common.configuration.PulsarConfigurationLoader;
 import org.apache.pulsar.common.util.CmdGenerateDocs;
 import org.apache.pulsar.common.util.netty.EventLoopUtil;
@@ -105,6 +106,11 @@ public class CompactorTool {
 
         ClientBuilder clientBuilder = PulsarClient.builder();
 
+        // Apply all arbitrary configuration. This must be called before setting any fields annotated as
+        // @Secret on the ClientConfigurationData object because of the way they are serialized.
+        // See https://github.com/apache/pulsar/issues/8509 for more information.
+        clientBuilder.loadConf(PropertiesUtils.filterAndMapProperties(brokerConfig.getProperties(), "brokerClient_"));
+
         if (isNotBlank(brokerConfig.getBrokerClientAuthenticationPlugin())) {
             clientBuilder.authentication(brokerConfig.getBrokerClientAuthenticationPlugin(),
                     brokerConfig.getBrokerClientAuthenticationParameters());
diff --git a/pulsar-broker/src/test/java/org/apache/pulsar/broker/service/BrokerInternalClientConfigurationOverrideTest.java b/pulsar-broker/src/test/java/org/apache/pulsar/broker/service/BrokerInternalClientConfigurationOverrideTest.java
new file mode 100644
index 00000000000..775636c9489
--- /dev/null
+++ b/pulsar-broker/src/test/java/org/apache/pulsar/broker/service/BrokerInternalClientConfigurationOverrideTest.java
@@ -0,0 +1,115 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.pulsar.broker.service;
+
+import org.apache.pulsar.broker.PulsarServerException;
+import org.apache.pulsar.client.admin.internal.PulsarAdminImpl;
+import org.apache.pulsar.client.impl.PulsarClientImpl;
+import org.apache.pulsar.client.impl.conf.ClientConfigurationData;
+import org.apache.pulsar.common.policies.data.ClusterData;
+import org.apache.pulsar.common.policies.data.ClusterDataImpl;
+import org.testng.Assert;
+import org.testng.annotations.AfterClass;
+import org.testng.annotations.BeforeClass;
+import org.testng.annotations.Test;
+
+import java.util.Optional;
+import java.util.Properties;
+
+public class BrokerInternalClientConfigurationOverrideTest extends BrokerTestBase {
+
+    @BeforeClass
+    @Override
+    protected void setup() throws Exception {
+        super.baseSetup();
+    }
+
+    @AfterClass(alwaysRun = true)
+    @Override
+    protected void cleanup() throws Exception {
+        super.internalCleanup();
+    }
+
+    @Test
+    public void testPulsarServiceAdminClientConfiguration() throws PulsarServerException {
+        Properties config = pulsar.getConfiguration().getProperties();
+        config.setProperty("brokerClient_operationTimeoutMs", "60000");
+        config.setProperty("brokerClient_statsIntervalSeconds", "10");
+        ClientConfigurationData clientConf = ((PulsarAdminImpl) pulsar.getAdminClient()).getClientConfigData();
+        Assert.assertEquals(clientConf.getOperationTimeoutMs(), 60000);
+        Assert.assertEquals(clientConf.getStatsIntervalSeconds(), 10);
+    }
+
+    @Test
+    public void testPulsarServicePulsarClientConfiguration() throws PulsarServerException {
+        Properties config = pulsar.getConfiguration().getProperties();
+        config.setProperty("brokerClient_operationTimeoutMs", "60000");
+        config.setProperty("brokerClient_statsIntervalSeconds", "10");
+        pulsar.getConfiguration().setBrokerClientAuthenticationParameters("sensitive");
+        ClientConfigurationData clientConf = ((PulsarClientImpl) pulsar.getClient()).getConfiguration();
+        Assert.assertEquals(clientConf.getOperationTimeoutMs(), 60000);
+        // Config should override internal default, which is 0.
+        Assert.assertEquals(clientConf.getStatsIntervalSeconds(), 10);
+        Assert.assertEquals(clientConf.getAuthParams(), "sensitive");
+    }
+
+    @Test
+    public void testBrokerServicePulsarClientConfiguration() {
+        // This data only needs to have the service url for this test.
+        ClusterData data = ClusterData.builder().serviceUrl("http://localhost:8080").build();
+
+        // Set the configs and set some configs that won't apply
+        Properties config = pulsar.getConfiguration().getProperties();
+        config.setProperty("brokerClient_operationTimeoutMs", "60000");
+        config.setProperty("brokerClient_statsIntervalSeconds", "10");
+        config.setProperty("memoryLimitBytes", "10");
+        config.setProperty("brokerClient_memoryLimitBytes", "100000");
+
+        PulsarClientImpl client = (PulsarClientImpl) pulsar.getBrokerService()
+                .getReplicationClient("an_arbitrary_name", Optional.of(data));
+        ClientConfigurationData clientConf = client.getConfiguration();
+        Assert.assertEquals(clientConf.getOperationTimeoutMs(), 60000);
+        // Config should override internal default, which is 0.
+        Assert.assertEquals(clientConf.getStatsIntervalSeconds(), 10);
+        // This config defaults to 0 (for good reason), but it could be overridden by configuration.
+        Assert.assertEquals(clientConf.getMemoryLimitBytes(), 100000);
+    }
+
+    @Test
+    public void testNamespaceServicePulsarClientConfiguration() {
+        // This data only needs to have the service url for this test.
+        ClusterDataImpl data = (ClusterDataImpl) ClusterData.builder().serviceUrl("http://localhost:8080").build();
+
+        // Set the configs and set some configs that won't apply
+        Properties config = pulsar.getConfiguration().getProperties();
+        config.setProperty("brokerClient_operationTimeoutMs", "60000");
+        config.setProperty("brokerClient_statsIntervalSeconds", "10");
+        config.setProperty("memoryLimitBytes", "10");
+        config.setProperty("brokerClient_memoryLimitBytes", "100000");
+
+        PulsarClientImpl client = pulsar.getNamespaceService().getNamespaceClient(data);
+        ClientConfigurationData clientConf = client.getConfiguration();
+        Assert.assertEquals(clientConf.getOperationTimeoutMs(), 60000);
+        // Config should override internal default, which is 0.
+        Assert.assertEquals(clientConf.getStatsIntervalSeconds(), 10);
+        // This config defaults to 0 (for good reason), but it could be overridden by configuration.
+        Assert.assertEquals(clientConf.getMemoryLimitBytes(), 100000);
+    }
+
+}
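Review bot: every test writes brokerClient_ keys into pulsar.getConfiguration().getProperties() on a broker that is created once in @BeforeClass and never clears them, so properties set by one test are visible to the next and the outcome depends on execution order; PulsarService.getClient() builds the client only when this.client == null, so a client created earlier in the class would not see properties set later. Reset the properties (or the broker) per test. testPulsarServiceAdminClientConfiguration also lacks the getAuthParams() assertion that the PulsarClient test has, so the @Secret ordering is untested for the admin client, and the comment "set some configs that won't apply" should say that the unprefixed memoryLimitBytes is the one expected to be ignored.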
diff --git a/pulsar-broker/src/test/java/org/apache/pulsar/client/impl/PulsarClientConfigurationOverrideTest.java b/pulsar-broker/src/test/java/org/apache/pulsar/client/impl/PulsarClientConfigurationOverrideTest.java
new file mode 100644
index 00000000000..4f885ecc46b
--- /dev/null
+++ b/pulsar-broker/src/test/java/org/apache/pulsar/client/impl/PulsarClientConfigurationOverrideTest.java
@@ -0,0 +1,56 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.pulsar.client.impl;
+
+import org.apache.pulsar.broker.ServiceConfiguration;
+import org.apache.pulsar.client.api.ClientBuilder;
+import org.apache.pulsar.client.api.PulsarClient;
+import org.apache.pulsar.client.internal.PropertiesUtils;
+import org.testng.Assert;
+import org.testng.annotations.Test;
+
+import java.util.Map;
+
+public class PulsarClientConfigurationOverrideTest {
+    @Test
+    public void testFilterAndMapProperties() {
+        // Create a default config
+        ServiceConfiguration conf = new ServiceConfiguration();
+        conf.getProperties().setProperty("keepAliveIntervalSeconds", "15");
+        conf.getProperties().setProperty("brokerClient_keepAliveIntervalSeconds", "25");
+
+        // Apply the filtering and mapping logic
+        Map<String, Object> result = PropertiesUtils.filterAndMapProperties(conf.getProperties(), "brokerClient_");
+
+        // Ensure the results match expectations
+        Assert.assertEquals(result.size(), 1, "The filtered map should have one entry.");
+        Assert.assertNull(result.get("brokerClient_keepAliveIntervalSeconds"),
+                "The mapped prop should not be in the result.");
+        Assert.assertEquals(result.get("keepAliveIntervalSeconds"), "25", "The original value is overridden.");
+
+        // Create sample ClientBuilder
+        ClientBuilder builder = PulsarClient.builder();
+        Assert.assertEquals(
+                ((ClientBuilderImpl) builder).getClientConfigurationData().getKeepAliveIntervalSeconds(), 30);
+        // Note: this test would fail if any @Secret fields were set before the loadConf and the accessed afterwards.
+        builder.loadConf(result);
+        Assert.assertEquals(
+                ((ClientBuilderImpl) builder).getClientConfigurationData().getKeepAliveIntervalSeconds(), 25);
+    }
+}
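Review bot: The comment before builder.loadConf(result) has a typo ("and the accessed afterwards" should read "and then accessed afterwards") and describes an ordering constraint around @Secret fields that this test never exercises. Add a case that sets a @Secret field before loadConf and asserts the expected outcome, or reference apache/pulsar issue 8509 as the production code does. The first keepAliveIntervalSeconds assertion also hard-codes the default of 30; comparing against a fresh ClientConfigurationData would keep the test stable if the default changes.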
diff --git a/pulsar-broker/src/test/java/org/apache/pulsar/websocket/proxy/ProxyConfigurationTest.java b/pulsar-broker/src/test/java/org/apache/pulsar/websocket/proxy/ProxyConfigurationTest.java
index ec4937bdd21..184f86340fa 100644
--- a/pulsar-broker/src/test/java/org/apache/pulsar/websocket/proxy/ProxyConfigurationTest.java
+++ b/pulsar-broker/src/test/java/org/apache/pulsar/websocket/proxy/ProxyConfigurationTest.java
@@ -66,6 +66,9 @@ public class ProxyConfigurationTest extends ProducerConsumerBase {
     public void configTest(int numIoThreads, int connectionsPerBroker) throws Exception {
         config.setWebSocketNumIoThreads(numIoThreads);
         config.setWebSocketConnectionsPerBroker(connectionsPerBroker);
+        config.getProperties().setProperty("brokerClient_serviceUrl", "https://broker.com:8080");
+        config.setServiceUrl("http://localhost:8080");
+        config.getProperties().setProperty("brokerClient_lookupTimeoutMs", "100");
         WebSocketService service = spyWithClassAndConstructorArgs(WebSocketService.class, config);
         doReturn(new ZKMetadataStore(mockZooKeeperGlobal)).when(service).createMetadataStore(anyString(), anyInt());
         service.start();
@@ -73,6 +76,9 @@ public class ProxyConfigurationTest extends ProducerConsumerBase {
         PulsarClientImpl client = (PulsarClientImpl) service.getPulsarClient();
         assertEquals(client.getConfiguration().getNumIoThreads(), numIoThreads);
         assertEquals(client.getConfiguration().getConnectionsPerBroker(), connectionsPerBroker);
+        assertEquals(client.getConfiguration().getServiceUrl(), "http://localhost:8080",
+                "brokerClient_ configs take precedence");
+        assertEquals(client.getConfiguration().getLookupTimeoutMs(), 100);
 
         service.close();
     }
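Review bot: The message on the serviceUrl assertion, "brokerClient_ configs take precedence", contradicts what is asserted. The expected value "http://localhost:8080" comes from config.setServiceUrl in the previous hunk, while the brokerClient_serviceUrl property was set to "https://broker.com:8080". Reword the message to say that the explicit service URL wins over the brokerClient_ pass-through, or change the expectation if the opposite behaviour was intended.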
diff --git a/pulsar-client-admin-api/src/main/java/org/apache/pulsar/client/admin/PulsarAdminBuilder.java b/pulsar-client-admin-api/src/main/java/org/apache/pulsar/client/admin/PulsarAdminBuilder.java
index 9f8b4be1409..c685c1f7793 100644
--- a/pulsar-client-admin-api/src/main/java/org/apache/pulsar/client/admin/PulsarAdminBuilder.java
+++ b/pulsar-client-admin-api/src/main/java/org/apache/pulsar/client/admin/PulsarAdminBuilder.java
@@ -36,6 +36,29 @@ public interface PulsarAdminBuilder {
      */
     PulsarAdmin build() throws PulsarClientException;
 
+    /**
+     * Load the configuration from provided <tt>config</tt> map.
+     *
+     * <p>Example:
+     *
+     * <pre>
+     * {@code
+     * Map<String, Object> config = new HashMap<>();
+     * config.put("serviceHttpUrl", "http://localhost:6650");
+     *
+     * PulsarAdminBuilder builder = ...;
+     * builder = builder.loadConf(config);
+     *
+     * PulsarAdmin client = builder.build();
+     * }
+     * </pre>
+     *
+     * @param config
+     *            configuration to load
+     * @return the client builder instance
+     */
+    PulsarAdminBuilder loadConf(Map<String, Object> config);
+
     /**
      * Create a copy of the current client builder.
      * <p/>
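Review bot: The Javadoc example for loadConf uses the key "serviceHttpUrl" with port 6650, but PulsarAdminBuilderImpl.loadConf binds the map onto ClientConfigurationData, and the builder's own serviceHttpUrl(...) setter writes conf.setServiceUrl(...). Confirm that "serviceHttpUrl" is a key the loader recognises; otherwise use the key that maps to the service URL field and an HTTP address such as the http://localhost:8080 used in this patch's tests. The Javadoc should also state the ordering requirement that the callers in this patch repeat in comments: loadConf has to run before any @Secret field is set.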
diff --git a/pulsar-client-admin/src/main/java/org/apache/pulsar/client/admin/internal/PulsarAdminBuilderImpl.java b/pulsar-client-admin/src/main/java/org/apache/pulsar/client/admin/internal/PulsarAdminBuilderImpl.java
index 70463b7fb4e..d86b9e73457 100644
--- a/pulsar-client-admin/src/main/java/org/apache/pulsar/client/admin/internal/PulsarAdminBuilderImpl.java
+++ b/pulsar-client-admin/src/main/java/org/apache/pulsar/client/admin/internal/PulsarAdminBuilderImpl.java
@@ -28,10 +28,11 @@ import org.apache.pulsar.client.api.AuthenticationFactory;
 import org.apache.pulsar.client.api.PulsarClientException;
 import org.apache.pulsar.client.api.PulsarClientException.UnsupportedAuthenticationException;
 import org.apache.pulsar.client.impl.conf.ClientConfigurationData;
+import org.apache.pulsar.client.impl.conf.ConfigurationDataUtils;
 
 public class PulsarAdminBuilderImpl implements PulsarAdminBuilder {
 
-    protected final ClientConfigurationData conf;
+    protected ClientConfigurationData conf;
     private int connectTimeout = PulsarAdminImpl.DEFAULT_CONNECT_TIMEOUT_SECONDS;
     private int readTimeout = PulsarAdminImpl.DEFAULT_READ_TIMEOUT_SECONDS;
     private int requestTimeout = PulsarAdminImpl.DEFAULT_REQUEST_TIMEOUT_SECONDS;
@@ -62,6 +63,12 @@ public class PulsarAdminBuilderImpl implements PulsarAdminBuilder {
         return new PulsarAdminBuilderImpl(conf.clone());
     }
 
+    @Override
+    public PulsarAdminBuilder loadConf(Map<String, Object> config) {
+        conf = ConfigurationDataUtils.loadData(config, conf, ClientConfigurationData.class);
+        return this;
+    }
+
     @Override
     public PulsarAdminBuilder serviceHttpUrl(String serviceHttpUrl) {
         conf.setServiceUrl(serviceHttpUrl);
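Review bot: loadConf passes config straight to ConfigurationDataUtils.loadData with no null check and then replaces the conf reference, which is why the field lost its final modifier in the previous hunk. Reject or ignore a null map explicitly, and add a unit test showing that values set through the builder before loadConf survive the reassignment when the map does not mention them.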
diff --git a/pulsar-client-api/src/main/java/org/apache/pulsar/client/internal/PropertiesUtils.java b/pulsar-client-api/src/main/java/org/apache/pulsar/client/internal/PropertiesUtils.java
new file mode 100644
index 00000000000..4a418b1d515
--- /dev/null
+++ b/pulsar-client-api/src/main/java/org/apache/pulsar/client/internal/PropertiesUtils.java
@@ -0,0 +1,64 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.pulsar.client.internal;
+
+import java.util.HashMap;
+import java.util.Map;
+import java.util.Properties;
+
+/**
+ * Internal utility methods for filtering and mapping {@link Properties} objects.
+ */
+public class PropertiesUtils {
+
+    /**
+     * Filters the {@link Properties} object so that only properties with the configured prefix are retained,
+     * and then removes that prefix and puts the key value pairs into the result map.
+     * @param props - the properties object to filter
+     * @param prefix - the prefix to filter against and then remove for keys in the resulting map
+     * @return a map of properties
+     */
+    public static Map<String, Object> filterAndMapProperties(Properties props, String prefix) {
+        return filterAndMapProperties(props, prefix, "");
+    }
+
+    /**
+     * Filters the {@link Properties} object so that only properties with the configured prefix are retained,
+     * and then replaces the srcPrefix with the targetPrefix when putting the key value pairs in the resulting map.
+     * @param props - the properties object to filter
+     * @param srcPrefix - the prefix to filter against and then remove for keys in the resulting map
+     * @param targetPrefix - the prefix to add to keys in the result map
+     * @return a map of properties
+     */
+    public static Map<String, Object> filterAndMapProperties(Properties props, String srcPrefix, String targetPrefix) {
+        Map<String, Object> result = new HashMap<>();
+        int prefixLength = srcPrefix.length();
+        props.forEach((keyObject, value) -> {
+            if (!(keyObject instanceof String)) {
+                return;
+            }
+            String key = (String) keyObject;
+            if (key.startsWith(srcPrefix) && value != null) {
+                String truncatedKey = key.substring(prefixLength);
+                result.put(targetPrefix + truncatedKey, value);
+            }
+        });
+        return result;
+    }
+}
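Review bot: filterAndMapProperties iterates with props.forEach, which visits only entries stored directly in the Properties object, so values supplied through a defaults Properties are skipped without notice; say so in the Javadoc or iterate stringPropertyNames(). The value != null test is dead code because Properties is a Hashtable and cannot hold null values, and a key equal to srcPrefix itself produces an entry whose key is just targetPrefix. Since the class only has static methods, give it a private constructor.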
diff --git a/pulsar-functions/src/test/resources/test_worker_config.yml b/pulsar-functions/src/test/resources/test_worker_config.yml
index 4614ca3cfd1..f0ecf2bd71b 100644
--- a/pulsar-functions/src/test/resources/test_worker_config.yml
+++ b/pulsar-functions/src/test/resources/test_worker_config.yml
@@ -23,4 +23,7 @@ pulsarServiceUrl: pulsar://localhost:6650
 functionMetadataTopicName: test-function-metadata-topic
 numFunctionPackageReplicas: 3
 maxPendingAsyncRequests: 200
+properties:
+  # Fake Bookkeeper Client config to be applied to the DLog Bookkeeper Client
+  bookkeeper_testKey: "fakeValue"
 
diff --git a/pulsar-functions/worker/src/main/java/org/apache/pulsar/functions/worker/PulsarWorkerService.java b/pulsar-functions/worker/src/main/java/org/apache/pulsar/functions/worker/PulsarWorkerService.java
index ef92e85853b..9ac03746756 100644
--- a/pulsar-functions/worker/src/main/java/org/apache/pulsar/functions/worker/PulsarWorkerService.java
+++ b/pulsar-functions/worker/src/main/java/org/apache/pulsar/functions/worker/PulsarWorkerService.java
@@ -133,7 +133,8 @@ public class PulsarWorkerService implements WorkerService {
                         workerConfig.getBrokerClientAuthenticationParameters(),
                         workerConfig.getBrokerClientTrustCertsFilePath(),
                         workerConfig.isTlsAllowInsecureConnection(),
-                        workerConfig.isTlsEnableHostnameVerification());
+                        workerConfig.isTlsEnableHostnameVerification(),
+                        workerConfig);
                 } else {
                     return WorkerUtils.getPulsarAdminClient(
                             pulsarServiceUrl,
@@ -141,7 +142,8 @@ public class PulsarWorkerService implements WorkerService {
                             null,
                             null,
                             workerConfig.isTlsAllowInsecureConnection(),
-                            workerConfig.isTlsEnableHostnameVerification());
+                            workerConfig.isTlsEnableHostnameVerification(),
+                            workerConfig);
                 }
             }
 
@@ -156,7 +158,8 @@ public class PulsarWorkerService implements WorkerService {
                         workerConfig.isUseTls(),
                         workerConfig.getBrokerClientTrustCertsFilePath(),
                         workerConfig.isTlsAllowInsecureConnection(),
-                        workerConfig.isTlsEnableHostnameVerification());
+                        workerConfig.isTlsEnableHostnameVerification(),
+                        workerConfig);
                 } else {
                     return WorkerUtils.getPulsarClient(
                             pulsarServiceUrl,
@@ -165,7 +168,8 @@ public class PulsarWorkerService implements WorkerService {
                             null,
                             null,
                             workerConfig.isTlsAllowInsecureConnection(),
-                            workerConfig.isTlsEnableHostnameVerification());
+                            workerConfig.isTlsEnableHostnameVerification(),
+                            workerConfig);
                 }
             }
         };
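Review bot: In all four call sites workerConfig is now passed alongside values read from the same object (workerConfig.isTlsAllowInsecureConnection(), workerConfig.isTlsEnableHostnameVerification() and so on), so the argument list carries the same information twice. Consider a WorkerUtils overload that takes only the URL and workerConfig, which would also remove the runs of positional null arguments in the else branches.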
diff --git a/pulsar-functions/worker/src/main/java/org/apache/pulsar/functions/worker/WorkerUtils.java b/pulsar-functions/worker/src/main/java/org/apache/pulsar/functions/worker/WorkerUtils.java
index 4f3ee042866..741a89bc397 100644
--- a/pulsar-functions/worker/src/main/java/org/apache/pulsar/functions/worker/WorkerUtils.java
+++ b/pulsar-functions/worker/src/main/java/org/apache/pulsar/functions/worker/WorkerUtils.java
@@ -40,6 +40,7 @@ import org.apache.pulsar.client.api.PulsarClient;
 import org.apache.pulsar.client.api.PulsarClientException;
 import org.apache.pulsar.client.api.Reader;
 import org.apache.pulsar.client.api.ReaderBuilder;
+import org.apache.pulsar.client.internal.PropertiesUtils;
 import org.apache.pulsar.common.conf.InternalConfigurationData;
 import org.apache.pulsar.common.functions.WorkerInfo;
 import org.apache.pulsar.common.policies.data.FunctionInstanceStatsDataImpl;
@@ -158,6 +159,13 @@ public final class WorkerUtils {
                         workerConfig.getBookkeeperClientAuthenticationParameters());
             }
         }
+        // Map arbitrary bookkeeper client configuration into DLog Config. Note that this only configures the
+        // bookie client.
+        PropertiesUtils.filterAndMapProperties(workerConfig.getProperties(), "bookkeeper_", "bkc.")
+                .forEach((key, value) -> {
+                    log.info("Applying DLog BookKeeper client configuration setting {}={}", key, value);
+                    conf.setProperty(key, value);
+                });
         return conf;
     }
 
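Review bot: The log.info call inside the forEach writes every bookkeeper_ property value to the log at INFO. The pass-through accepts arbitrary keys, so a credential or key store password supplied this way ends up in plain text in the worker log. Log the key only, or mask the value, and keep full values at DEBUG at most.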
@@ -194,12 +202,20 @@ public final class WorkerUtils {
     }
 
     public static PulsarAdmin getPulsarAdminClient(String pulsarWebServiceUrl) {
-        return getPulsarAdminClient(pulsarWebServiceUrl, null, null, null, null, null);
+        return getPulsarAdminClient(pulsarWebServiceUrl, null, null, null, null, null, null);
     }
 
     public static PulsarAdmin getPulsarAdminClient(String pulsarWebServiceUrl, String authPlugin, String authParams,
                                                    String tlsTrustCertsFilePath, Boolean allowTlsInsecureConnection,
                                                    Boolean enableTlsHostnameVerificationEnable) {
+        return getPulsarAdminClient(pulsarWebServiceUrl, authPlugin, authParams, tlsTrustCertsFilePath,
+                allowTlsInsecureConnection, enableTlsHostnameVerificationEnable, null);
+    }
+
+    public static PulsarAdmin getPulsarAdminClient(String pulsarWebServiceUrl, String authPlugin, String authParams,
+                                                   String tlsTrustCertsFilePath, Boolean allowTlsInsecureConnection,
+                                                   Boolean enableTlsHostnameVerificationEnable,
+                                                   WorkerConfig workerConfig) {
         log.info("Create Pulsar Admin to service url {}: "
             + "authPlugin = {}, authParams = {}, "
             + "tlsTrustCerts = {}, allowTlsInsecureConnector = {}, enableTlsHostnameVerification = {}",
@@ -207,6 +223,13 @@ public final class WorkerUtils {
             tlsTrustCertsFilePath, allowTlsInsecureConnection, enableTlsHostnameVerificationEnable);
         try {
             PulsarAdminBuilder adminBuilder = PulsarAdmin.builder().serviceHttpUrl(pulsarWebServiceUrl);
+            if (workerConfig != null) {
+                // Apply all arbitrary configuration. This must be called before setting any fields annotated as
+                // @Secret on the ClientConfigurationData object because of the way they are serialized.
+                // See https://github.com/apache/pulsar/issues/8509 for more information.
+                adminBuilder.loadConf(
+                        PropertiesUtils.filterAndMapProperties(workerConfig.getProperties(), "brokerClient_"));
+            }
             if (isNotBlank(authPlugin) && isNotBlank(authParams)) {
                 adminBuilder.authentication(authPlugin, authParams);
             }
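Review bot: adminBuilder.loadConf(...) runs after serviceHttpUrl(pulsarWebServiceUrl), so a brokerClient_serviceUrl property replaces the URL that was just set, while the log.info line above still reports pulsarWebServiceUrl as the target. Decide which source wins for the service URL, apply them in that order, and log the effective value. The TLS arguments are only applied when non-null, so for a null argument whatever the pass-through set stays in effect; that deserves a line in the method Javadoc.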
@@ -219,6 +242,7 @@ public final class WorkerUtils {
             if (enableTlsHostnameVerificationEnable != null) {
                 adminBuilder.enableTlsHostnameVerification(enableTlsHostnameVerificationEnable);
             }
+
             return adminBuilder.build();
         } catch (PulsarClientException e) {
             log.error("Error creating pulsar admin client", e);
@@ -228,17 +252,33 @@ public final class WorkerUtils {
 
     public static PulsarClient getPulsarClient(String pulsarServiceUrl) {
         return getPulsarClient(pulsarServiceUrl, null, null, null,
-                null, null, null);
+                null, null, null, null);
     }
 
     public static PulsarClient getPulsarClient(String pulsarServiceUrl, String authPlugin, String authParams,
                                                Boolean useTls, String tlsTrustCertsFilePath,
                                                Boolean allowTlsInsecureConnection,
                                                Boolean enableTlsHostnameVerificationEnable) {
+        return getPulsarClient(pulsarServiceUrl, authPlugin, authParams, useTls, tlsTrustCertsFilePath,
+                allowTlsInsecureConnection, enableTlsHostnameVerificationEnable, null);
+    }
+
+    public static PulsarClient getPulsarClient(String pulsarServiceUrl, String authPlugin, String authParams,
+                                               Boolean useTls, String tlsTrustCertsFilePath,
+                                               Boolean allowTlsInsecureConnection,
+                                               Boolean enableTlsHostnameVerificationEnable,
+                                               WorkerConfig workerConfig) {
 
         try {
             ClientBuilder clientBuilder = PulsarClient.builder().serviceUrl(pulsarServiceUrl);
 
+            if (workerConfig != null) {
+                // Apply all arbitrary configuration. This must be called before setting any fields annotated as
+                // @Secret on the ClientConfigurationData object because of the way they are serialized.
+                // See https://github.com/apache/pulsar/issues/8509 for more information.
+                clientBuilder.loadConf(
+                        PropertiesUtils.filterAndMapProperties(workerConfig.getProperties(), "brokerClient_"));
+            }
             if (isNotBlank(authPlugin)
                     && isNotBlank(authParams)) {
                 clientBuilder.authentication(authPlugin, authParams);
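Review bot: The loadConf block and its three-line comment are repeated almost verbatim in getPulsarAdminClient, ProxyConnection.createClientConfiguration and WebSocketService. Move the filterAndMapProperties(..., "brokerClient_") call and the @Secret ordering explanation into one helper so the constraint is documented and enforced in a single place.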
@@ -255,7 +295,6 @@ public final class WorkerUtils {
             if (enableTlsHostnameVerificationEnable != null) {
                 clientBuilder.enableTlsHostnameVerification(enableTlsHostnameVerificationEnable);
             }
-
             return clientBuilder.build();
         } catch (PulsarClientException e) {
             log.error("Error creating pulsar client", e);
diff --git a/pulsar-functions/worker/src/test/java/org/apache/pulsar/functions/worker/WorkerUtilsTest.java b/pulsar-functions/worker/src/test/java/org/apache/pulsar/functions/worker/WorkerUtilsTest.java
index d899db13237..b2e0f0f354c 100644
--- a/pulsar-functions/worker/src/test/java/org/apache/pulsar/functions/worker/WorkerUtilsTest.java
+++ b/pulsar-functions/worker/src/test/java/org/apache/pulsar/functions/worker/WorkerUtilsTest.java
@@ -40,8 +40,13 @@ import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.times;
 import static org.mockito.Mockito.verify;
 import static org.mockito.Mockito.when;
+import static org.testng.Assert.assertEquals;
 import static org.testng.Assert.assertNotNull;
 import static org.testng.Assert.fail;
+import java.io.IOException;
+import java.net.URISyntaxException;
+import java.net.URL;
+import org.apache.distributedlog.DistributedLogConfiguration;
 
 public class WorkerUtilsTest {
 
@@ -99,4 +104,18 @@ public class WorkerUtilsTest {
 
         }
     }
+
+    @Test
+    public void testDLogConfiguration() throws URISyntaxException, IOException {
+        // The config yml is seeded with a fake bookie config.
+        URL yamlUrl = getClass().getClassLoader().getResource("test_worker_config.yml");
+        WorkerConfig config = WorkerConfig.load(yamlUrl.toURI().getPath());
+
+        // Map the config.
+        DistributedLogConfiguration dlogConf = WorkerUtils.getDlogConf(config);
+
+        // Verify the outcome.
+        assertEquals(dlogConf.getString("bkc.testKey"), "fakeValue",
+                "The bookkeeper client config mapping should apply.");
+    }
 }
\ No newline at end of file
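Review bot: testDLogConfiguration dereferences yamlUrl without checking it, so a missing test_worker_config.yml on the classpath surfaces as a NullPointerException instead of a clear failure; call assertNotNull(yamlUrl) first, since assertNotNull is already statically imported. The file also still ends without a trailing newline.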
diff --git a/pulsar-package-management/bookkeeper-storage/src/main/java/org/apache/pulsar/packages/management/storage/bookkeeper/BookKeeperPackagesStorage.java b/pulsar-package-management/bookkeeper-storage/src/main/java/org/apache/pulsar/packages/management/storage/bookkeeper/BookKeeperPackagesStorage.java
index f0db59351f5..e3147c0e8bc 100644
--- a/pulsar-package-management/bookkeeper-storage/src/main/java/org/apache/pulsar/packages/management/storage/bookkeeper/BookKeeperPackagesStorage.java
+++ b/pulsar-package-management/bookkeeper-storage/src/main/java/org/apache/pulsar/packages/management/storage/bookkeeper/BookKeeperPackagesStorage.java
@@ -36,6 +36,7 @@ import org.apache.distributedlog.exceptions.ZKException;
 import org.apache.distributedlog.impl.metadata.BKDLConfig;
 import org.apache.distributedlog.metadata.DLMetadata;
 import org.apache.distributedlog.namespace.NamespaceDriver;
+import org.apache.pulsar.client.internal.PropertiesUtils;
 import org.apache.pulsar.packages.management.core.PackagesStorage;
 import org.apache.pulsar.packages.management.core.PackagesStorageConfiguration;
 import org.apache.zookeeper.KeeperException;
@@ -72,6 +73,13 @@ public class BookKeeperPackagesStorage implements PackagesStorage {
                     configuration.getBookkeeperClientAuthenticationParameters());
             }
         }
+        // Map arbitrary bookkeeper client configuration into DLog Config. Note that this only configures the
+        // bookie client.
+        PropertiesUtils.filterAndMapProperties(configuration.getProperties(), "bookkeeper_", "bkc.")
+                .forEach((key, value) -> {
+                    log.info("Applying DLog BookKeeper client configuration setting {}={}", key, value);
+                    conf.setProperty(key, value);
+                });
         try {
             this.namespace = NamespaceBuilder.newBuilder()
                 .conf(conf).clientId(NS_CLIENT_ID).uri(initializeDlogNamespace()).build();
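Review bot: The forEach here is a copy of the one added to WorkerUtils.getDlogConf, including the INFO log line that prints each bookkeeper_ value. Share one helper between the two call sites and log only the key, since pass-through values may be sensitive.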
diff --git a/pulsar-package-management/bookkeeper-storage/src/main/java/org/apache/pulsar/packages/management/storage/bookkeeper/BookKeeperPackagesStorageConfiguration.java b/pulsar-package-management/bookkeeper-storage/src/main/java/org/apache/pulsar/packages/management/storage/bookkeeper/BookKeeperPackagesStorageConfiguration.java
index 226b80abeaa..ce6acecdd51 100644
--- a/pulsar-package-management/bookkeeper-storage/src/main/java/org/apache/pulsar/packages/management/storage/bookkeeper/BookKeeperPackagesStorageConfiguration.java
+++ b/pulsar-package-management/bookkeeper-storage/src/main/java/org/apache/pulsar/packages/management/storage/bookkeeper/BookKeeperPackagesStorageConfiguration.java
@@ -58,6 +58,10 @@ public class BookKeeperPackagesStorageConfiguration implements PackagesStorageCo
         return getProperty("bookkeeperClientAuthenticationParameters");
     }
 
+    @Override
+    public Properties getProperties() {
+        return configuration.getProperties();
+    }
 
     @Override
     public String getProperty(String key) {
diff --git a/pulsar-package-management/core/src/main/java/org/apache/pulsar/packages/management/core/PackagesStorageConfiguration.java b/pulsar-package-management/core/src/main/java/org/apache/pulsar/packages/management/core/PackagesStorageConfiguration.java
index b4044a6338c..5c346a0d05c 100644
--- a/pulsar-package-management/core/src/main/java/org/apache/pulsar/packages/management/core/PackagesStorageConfiguration.java
+++ b/pulsar-package-management/core/src/main/java/org/apache/pulsar/packages/management/core/PackagesStorageConfiguration.java
@@ -50,4 +50,10 @@ public interface PackagesStorageConfiguration {
      *          a group of the property
      */
     void setProperty(Properties properties);
+
+    /**
+     * Get all properties for the configuration.
+     * @return all properties for the configuration
+     */
+    Properties getProperties();
 }
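Review bot: getProperties() is added to the PackagesStorageConfiguration interface as an abstract method, which breaks any implementation outside this repository at compile time, and this is going into a release branch. Make it a default method, for example one returning an empty Properties, or call out the interface change in the release notes.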
diff --git a/pulsar-package-management/core/src/main/java/org/apache/pulsar/packages/management/core/impl/DefaultPackagesStorageConfiguration.java b/pulsar-package-management/core/src/main/java/org/apache/pulsar/packages/management/core/impl/DefaultPackagesStorageConfiguration.java
index cb35048a360..d3c5d7494b3 100644
--- a/pulsar-package-management/core/src/main/java/org/apache/pulsar/packages/management/core/impl/DefaultPackagesStorageConfiguration.java
+++ b/pulsar-package-management/core/src/main/java/org/apache/pulsar/packages/management/core/impl/DefaultPackagesStorageConfiguration.java
@@ -39,4 +39,9 @@ public class DefaultPackagesStorageConfiguration implements PackagesStorageConfi
     public void setProperty(Properties properties) {
         this.properties = properties;
     }
+
+    @Override
+    public Properties getProperties() {
+        return this.properties;
+    }
 }
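Review bot: getProperties() returns the internal properties field by reference, so callers can mutate the storage configuration, and the value is whatever setProperty(Properties) last stored. If the field can still be null when BookKeeperPackagesStorage calls filterAndMapProperties(configuration.getProperties(), ...), props.forEach will throw; return an empty Properties in that case or document that the field is never null.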
diff --git a/pulsar-proxy/src/main/java/org/apache/pulsar/proxy/server/ProxyConnection.java b/pulsar-proxy/src/main/java/org/apache/pulsar/proxy/server/ProxyConnection.java
index d9f0f5db38f..0f41208fde2 100644
--- a/pulsar-proxy/src/main/java/org/apache/pulsar/proxy/server/ProxyConnection.java
+++ b/pulsar-proxy/src/main/java/org/apache/pulsar/proxy/server/ProxyConnection.java
@@ -28,6 +28,7 @@ import java.net.InetSocketAddress;
 import java.net.SocketAddress;
 import java.util.Collections;
 import java.util.List;
+import java.util.Map;
 import java.util.Optional;
 import java.util.concurrent.RejectedExecutionException;
 import java.util.concurrent.ThreadLocalRandom;
@@ -47,6 +48,8 @@ import org.apache.pulsar.client.impl.ClientCnx;
 import org.apache.pulsar.client.impl.ConnectionPool;
 import org.apache.pulsar.client.impl.PulsarChannelInitializer;
 import org.apache.pulsar.client.impl.conf.ClientConfigurationData;
+import org.apache.pulsar.client.impl.conf.ConfigurationDataUtils;
+import org.apache.pulsar.client.internal.PropertiesUtils;
 import org.apache.pulsar.common.api.AuthData;
 import org.apache.pulsar.common.protocol.Commands;
 import org.apache.pulsar.common.protocol.PulsarHandler;
@@ -521,9 +524,17 @@ public class ProxyConnection extends PulsarHandler {
     }
 
     ClientConfigurationData createClientConfiguration() {
-        ClientConfigurationData clientConf = new ClientConfigurationData();
-        clientConf.setServiceUrl(service.getServiceUrl());
+        ClientConfigurationData initialConf = new ClientConfigurationData();
+        initialConf.setServiceUrl(service.getServiceUrl());
         ProxyConfiguration proxyConfig = service.getConfiguration();
+        // Apply all arbitrary configuration. This must be called before setting any fields annotated as
+        // @Secret on the ClientConfigurationData object because of the way they are serialized.
+        // See https://github.com/apache/pulsar/issues/8509 for more information.
+        Map<String, Object> overrides = PropertiesUtils
+                .filterAndMapProperties(proxyConfig.getProperties(), "brokerClient_");
+        ClientConfigurationData clientConf = ConfigurationDataUtils
+                .loadData(overrides, initialConf, ClientConfigurationData.class);
+
         clientConf.setAuthentication(this.getClientAuthentication());
         if (proxyConfig.isTlsEnabledWithBroker()) {
             clientConf.setUseTls(true);
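Review bot: Precedence for serviceUrl differs between components. Here the overrides are loaded after initialConf.setServiceUrl(service.getServiceUrl()), so a brokerClient_serviceUrl property wins and the client configuration points at a different address than service.getServiceUrl(). In WebSocketService the builder's serviceUrl(...) is called after loadConf, and ProxyConfigurationTest asserts that the explicit URL wins. Pick one rule, preferably removing serviceUrl from the overrides map before loading it, and cover this method with a test.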
diff --git a/pulsar-websocket/src/main/java/org/apache/pulsar/websocket/WebSocketService.java b/pulsar-websocket/src/main/java/org/apache/pulsar/websocket/WebSocketService.java
index b2873d778ab..7a0f19bad10 100644
--- a/pulsar-websocket/src/main/java/org/apache/pulsar/websocket/WebSocketService.java
+++ b/pulsar-websocket/src/main/java/org/apache/pulsar/websocket/WebSocketService.java
@@ -37,6 +37,7 @@ import org.apache.pulsar.broker.resources.PulsarResources;
 import org.apache.pulsar.client.api.ClientBuilder;
 import org.apache.pulsar.client.api.PulsarClient;
 import org.apache.pulsar.client.api.PulsarClientException;
+import org.apache.pulsar.client.internal.PropertiesUtils;
 import org.apache.pulsar.common.configuration.PulsarConfigurationLoader;
 import org.apache.pulsar.common.policies.data.ClusterData;
 import org.apache.pulsar.common.util.collections.ConcurrentOpenHashMap;
@@ -181,6 +182,11 @@ public class WebSocketService implements Closeable {
                 .ioThreads(config.getWebSocketNumIoThreads()) //
                 .connectionsPerBroker(config.getWebSocketConnectionsPerBroker());
 
+        // Apply all arbitrary configuration. This must be called before setting any fields annotated as
+        // @Secret on the ClientConfigurationData object because of the way they are serialized.
+        // See https://github.com/apache/pulsar/issues/8509 for more information.
+        clientBuilder.loadConf(PropertiesUtils.filterAndMapProperties(config.getProperties(), "brokerClient_"));
+
         if (isNotBlank(config.getBrokerClientAuthenticationPlugin())
                 && isNotBlank(config.getBrokerClientAuthenticationParameters())) {
             clientBuilder.authentication(config.getBrokerClientAuthenticationPlugin(),
@@ -198,7 +204,6 @@ public class WebSocketService implements Closeable {
         } else {
             clientBuilder.serviceUrl(clusterData.getServiceUrl());
         }
-
         return clientBuilder.build();
     }
 
diff --git a/site2/docs/reference-configuration.md b/site2/docs/reference-configuration.md
index f8d1e87f890..3226007209f 100644
--- a/site2/docs/reference-configuration.md
+++ b/site2/docs/reference-configuration.md
@@ -352,6 +352,15 @@ brokerServiceCompactionThresholdInBytes|If the estimated backlog size is greater
 | managedLedgerInfoCompressionType | Compression type of managed ledger information. <br><br>Available options are `NONE`, `LZ4`, `ZLIB`, `ZSTD`, and `SNAPPY`). <br><br>If this value is `NONE` or invalid, the `managedLedgerInfo` is not compressed. <br><br>**Note** that after enabling this configuration, if you want to degrade a broker, you need to change the value to `NONE` and make sure all ledger metadata is saved without compression. | None |
 | additionalServlets | Additional servlet name. <br><br>If you have multiple additional servlets, separate them by commas. <br><br>For example, additionalServlet_1, additionalServlet_2 | N/A |
 | additionalServletDirectory | Location of broker additional servlet NAR directory | ./brokerAdditionalServlet |
+#### Configuration Override For Clients Internal to Broker
+
+It's possible to configure some clients by using the appropriate prefix.
+
+|Prefix|Description|
+|brokerClient_| Configure **all** the broker's Pulsar Clients and Pulsar Admin Clients. These configurations are applied after hard coded configuration and before the above brokerClient configurations named above.|
+|bookkeeper_| Configure the broker's bookkeeper clients used by managed ledgers and the BookkeeperPackagesStorage bookkeeper client. Takes precedence over most other configuration values.|
+
+Note: when running the function worker within the broker, these prefixed configurations do not apply to any of those clients. You must instead configure those clients using the `functions_worker.yml`.
 
 ## Client
 
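Review bot: the new `#### Configuration Override For Clients Internal to Broker` heading is added directly under the last row of the preceding table with no blank line, and the `|Prefix|Description|` table has no delimiter row, so most Markdown renderers will fold both into the previous table or show them as plain text. Add a blank line before the heading and a `|---|---|` row after the header. In the `brokerClient_` row, "before the above brokerClient configurations named above" repeats "above"; drop one.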
@@ -677,6 +686,12 @@ You can set the log level and configuration in the  [log4j2.yaml](https://github
 |tlsCertificateFilePath|||
 |tlsKeyFilePath |||
 |tlsTrustCertsFilePath|||
+#### Configuration Override For Clients Internal to WebSocket
+
+It's possible to configure some clients by using the appropriate prefix.
+
+|Prefix|Description|
+|brokerClient_| Configure **all** the broker's Pulsar Clients. These configurations are applied after hard coded configuration and before the above brokerClient configurations named above.|
 
 ## Pulsar proxy
 
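Review bot: in the WebSocket section the `brokerClient_` row still reads "Configure **all** the broker's Pulsar Clients", which looks copied from the broker table; it should name the WebSocket service's clients, the way the proxy table says "the proxy's". The heading and table here also have the same missing blank line and missing delimiter row as the broker section.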
@@ -734,6 +749,12 @@ The [Pulsar proxy](concepts-architecture-overview.md#pulsar-proxy) can be config
 |haProxyProtocolEnabled | Enable or disable the [HAProxy](http://www.haproxy.org/) protocol. |false|
 | numIOThreads | Number of threads used for Netty IO. | 2 * Runtime.getRuntime().availableProcessors() |
 | numAcceptorThreads | Number of threads used for Netty Acceptor. | 1 |
+#### Configuration Override For Clients Internal to Proxy
+
+It's possible to configure some clients by using the appropriate prefix.
+
+|Prefix|Description|
+|brokerClient_| Configure **all** the proxy's Pulsar Clients. These configurations are applied after hard coded configuration and before the above brokerClient configurations named above.|
 
 ## ZooKeeper
 
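Review bot: "It's possible to configure some clients" does not tell the reader which clients or which keys are accepted, while the row below says **all** the proxy's Pulsar Clients. State the scope once and give one concrete prefixed key as an example so readers can see how the prefix is stripped. The precedence sentence would also be clearer if it named the `brokerClient...` settings it refers to instead of "the above".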


[pulsar] 01/02: Switch to rely on Netty for Hostname Verification (#15824)

Posted by lh...@apache.org.

lhotari pushed a commit to branch branch-2.9
in repository https://gitbox.apache.org/repos/asf/pulsar.git

commit 0cdf66ab7fc1a3681edf5776fe9bf817274bad96
Author: Michael Marshall <mm...@apache.org>
AuthorDate: Wed Jun 1 00:00:01 2022 -0500

    Switch to rely on Netty for Hostname Verification (#15824)
    
    * Switch to relying on Netty for Hostname Verification
    
    - Add "subjectAltName = DNS:localhost, IP:127.0.0.1" to unit test certs
    
    Co-authored-by: Lari Hotari <lh...@apache.org>
    (cherry picked from commit aa7700dbf45303fab8c874bd9e5fcf95745d2777)
---
 .../resources/authentication/tls/broker-cert.pem   |  74 +++++++-------
 .../test/resources/authentication/tls/cacert.pem   | 110 ++++++++++-----------
 .../resources/authentication/tls/client-cert.pem   |  74 +++++++-------
 build/regenerate_certs_for_tests.sh                |  25 +++--
 .../AuthenticationTlsHostnameVerificationTest.java |  34 +++----
 .../admin/internal/http/AsyncHttpConnector.java    |   9 +-
 .../org/apache/pulsar/client/impl/ClientCnx.java   |  48 ---------
 .../org/apache/pulsar/client/impl/HttpClient.java  |   1 +
 .../client/impl/PulsarChannelInitializer.java      |   7 ++
 .../util/NettyClientSslContextRefresher.java       |   3 +-
 .../apache/pulsar/common/util/SecurityUtility.java |  10 ++
 .../pulsar/proxy/server/AdminProxyHandler.java     |   7 +-
 .../pulsar/proxy/server/DirectProxyHandler.java    | 101 +++++++++++++------
 .../pulsar/proxy/server/ProxyConnection.java       |   9 +-
 .../proxy/server/ServiceChannelInitializer.java    |  66 +------------
 .../proxy/server/ProxyWithAuthorizationTest.java   |  70 +++++++------
 .../ProxyWithAuthorizationTest/broker-cacert.pem   | 110 ++++++++++-----------
 .../tls/ProxyWithAuthorizationTest/broker-cert.pem |  74 +++++++-------
 .../ProxyWithAuthorizationTest/client-cacert.pem   | 110 ++++++++++-----------
 .../tls/ProxyWithAuthorizationTest/client-cert.pem |  74 +++++++-------
 .../ProxyWithAuthorizationTest/proxy-cacert.pem    | 110 ++++++++++-----------
 .../tls/ProxyWithAuthorizationTest/proxy-cert.pem  |  74 +++++++-------
 .../test/resources/authentication/tls/cacert.pem   | 110 ++++++++++-----------
 .../resources/authentication/tls/client-cert.pem   |  74 +++++++-------
 .../resources/authentication/tls/server-cert.pem   |  74 +++++++-------
 25 files changed, 714 insertions(+), 744 deletions(-)

diff --git a/bouncy-castle/bcfips-include-test/src/test/resources/authentication/tls/broker-cert.pem b/bouncy-castle/bcfips-include-test/src/test/resources/authentication/tls/broker-cert.pem
index 7f9effa6e92..e9be840d3a0 100644
--- a/bouncy-castle/bcfips-include-test/src/test/resources/authentication/tls/broker-cert.pem
+++ b/bouncy-castle/bcfips-include-test/src/test/resources/authentication/tls/broker-cert.pem
@@ -1,13 +1,13 @@
 Certificate:
     Data:
-        Version: 1 (0x0)
+        Version: 3 (0x2)
         Serial Number:
-            0c:26:15:df:8f:71:1d:6a:31:d0:da:af:64:ef:80:de:ac:9a:46:76
+            61:e6:1b:07:90:6a:4f:f7:cd:46:b9:59:1d:3e:1c:39:0d:f2:5e:05
         Signature Algorithm: sha256WithRSAEncryption
         Issuer: CN = CARoot
         Validity
-            Not Before: Apr 23 17:08:51 2021 GMT
-            Not After : Apr 21 17:08:51 2031 GMT
+            Not Before: May 30 13:38:24 2022 GMT
+            Not After : May 27 13:38:24 2032 GMT
         Subject: C = US, ST = CA, O = Apache, OU = Apache Pulsar, CN = localhost
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
@@ -32,37 +32,41 @@ Certificate:
                     a0:1a:81:9d:d2:e1:66:dd:c4:cc:fc:63:04:ac:ec:
                     a7:35
                 Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Subject Alternative Name: 
+                DNS:localhost, IP Address:127.0.0.1
     Signature Algorithm: sha256WithRSAEncryption
-         3a:38:c8:85:48:ed:84:c9:f4:bc:ef:b4:4b:a1:46:9c:97:9b:
-         5f:7e:1a:ff:9b:dc:93:0e:7e:ab:de:09:21:30:1f:7f:2a:f7:
-         94:d1:b3:07:3d:b1:71:4f:72:90:1f:41:3d:fe:34:14:ac:5a:
-         39:02:f1:a4:8a:d1:d3:c0:48:da:6f:37:dc:b5:1d:60:29:e6:
-         c5:b0:ce:b4:52:8d:f6:6b:59:0b:e4:c8:f1:1a:40:3a:4f:bd:
-         e2:dd:32:2f:21:3c:33:d7:61:5f:86:cd:94:31:31:f1:ff:c6:
-         08:9e:67:bc:8f:9d:bf:38:a8:8c:ff:3f:1f:fb:24:ab:bb:7c:
-         fb:1b:c3:1b:62:b4:dd:21:d3:7b:19:92:16:b7:7d:f6:95:ee:
-         14:a0:83:de:c5:05:d8:af:44:1d:f7:eb:32:e2:03:ac:c9:12:
-         df:11:b6:af:f8:b9:24:ae:55:3e:25:ae:2a:b2:d3:b6:6a:e9:
-         f9:28:e6:e0:46:98:66:2c:0d:a3:fe:c7:82:48:13:80:f2:b2:
-         d1:5c:7d:bb:11:1c:60:62:1b:f7:1a:11:e1:ee:29:70:f1:95:
-         c1:67:c4:f1:e2:d5:f4:24:49:0d:6e:2f:65:7b:48:cd:40:f9:
-         c9:26:a3:c7:41:20:d1:6e:2c:38:8e:1b:bc:93:fa:22:39:3d:
-         2a:f6:ba:77
+         88:1d:a7:42:a1:1c:87:45:4a:e6:5e:aa:9c:7b:71:2e:5c:9e:
+         11:85:0f:a3:c5:b4:ea:73:9e:b7:61:9d:4a:e9:cd:1a:c5:2e:
+         03:be:a3:2b:b6:12:6a:15:03:04:3f:fb:4a:09:0d:84:0e:dd:
+         c0:63:2b:0f:13:fb:1f:98:64:49:48:e7:96:d5:41:c4:ca:94:
+         bf:ab:c5:ea:80:2c:ee:1f:ab:12:54:74:f1:f1:56:ea:03:c0:
+         1c:0d:8d:b9:6e:b0:d0:5f:21:c1:d3:e3:45:df:cf:64:69:13:
+         6c:54:79:06:7d:53:46:77:3c:21:cc:c4:6a:5f:f9:9a:07:0f:
+         a5:95:20:f0:0e:93:07:48:96:a9:2c:28:50:21:d7:f8:13:4f:
+         b8:ca:aa:1f:a6:41:7c:71:1f:ad:11:3f:3d:1e:e9:81:3c:86:
+         c1:af:2d:39:a0:13:9f:99:ec:9a:47:44:df:28:02:a7:1d:6a:
+         8d:c0:1e:24:e8:19:fc:1d:dc:67:29:04:be:0a:d6:c5:81:59:
+         27:2c:f5:e5:df:ba:0b:c6:50:e5:b3:bd:73:12:3e:2c:ef:a6:
+         8a:ed:eb:86:9a:45:45:52:a3:44:78:12:60:17:e2:3a:32:92:
+         03:6e:89:89:16:c5:e0:bc:be:a7:cb:93:4b:d8:56:33:a0:a0:
+         53:b2:0d:a5
 -----BEGIN CERTIFICATE-----
-MIIC7zCCAdcCFAwmFd+PcR1qMdDar2TvgN6smkZ2MA0GCSqGSIb3DQEBCwUAMBEx
-DzANBgNVBAMMBkNBUm9vdDAeFw0yMTA0MjMxNzA4NTFaFw0zMTA0MjExNzA4NTFa
-MFcxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTEPMA0GA1UEChMGQXBhY2hlMRYw
-FAYDVQQLEw1BcGFjaGUgUHVsc2FyMRIwEAYDVQQDEwlsb2NhbGhvc3QwggEiMA0G
-CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCvv7ctmK2d9tqjE9RiD5i+HKKJIrpv
-1f0fZ+ORA5iAgQ7t2PZwfyw2aD1T6lg6ptWJZku9HldxE21LEeVApXaEJJJAWICW
-yR8sxFXro3lzcFw3montL7pr44J8aUoCVIuBXjy/TIrL6ixeg+e3EAhfglijidHa
-kroqKO4wKD9brhBxlsfhEsWwGq1Eb0Q6EUqaPA+NBoB7NO8/bPRexURUHsjdx4CF
-gNlo5sZTA3fh/hhhB3cFTO1ZvF1BOGrvXaGyYJjUSCiVAooO/c97G9IRzBAMUHPX
-zDhsg915JqqQyJuEhrxZ6WJp9JgbxIB4fqAagZ3S4WbdxMz8YwSs7Kc1AgMBAAEw
-DQYJKoZIhvcNAQELBQADggEBADo4yIVI7YTJ9LzvtEuhRpyXm19+Gv+b3JMOfqve
-CSEwH38q95TRswc9sXFPcpAfQT3+NBSsWjkC8aSK0dPASNpvN9y1HWAp5sWwzrRS
-jfZrWQvkyPEaQDpPveLdMi8hPDPXYV+GzZQxMfH/xgieZ7yPnb84qIz/Px/7JKu7
-fPsbwxtitN0h03sZkha3ffaV7hSgg97FBdivRB336zLiA6zJEt8Rtq/4uSSuVT4l
-riqy07Zq6fko5uBGmGYsDaP+x4JIE4DystFcfbsRHGBiG/caEeHuKXDxlcFnxPHi
-1fQkSQ1uL2V7SM1A+ckmo8dBINFuLDiOG7yT+iI5PSr2unc=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 -----END CERTIFICATE-----
diff --git a/bouncy-castle/bcfips-include-test/src/test/resources/authentication/tls/cacert.pem b/bouncy-castle/bcfips-include-test/src/test/resources/authentication/tls/cacert.pem
index 90fbb9b8898..21bbaba213f 100644
--- a/bouncy-castle/bcfips-include-test/src/test/resources/authentication/tls/cacert.pem
+++ b/bouncy-castle/bcfips-include-test/src/test/resources/authentication/tls/cacert.pem
@@ -2,76 +2,76 @@ Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number:
-            10:50:a0:5c:8e:cf:88:33:b6:b5:d2:1e:38:bf:78:56:2a:f1:09:22
+            70:4c:6b:e0:aa:cc:01:77:f2:1f:04:8c:d4:72:03:a5:32:5f:c7:be
         Signature Algorithm: sha256WithRSAEncryption
         Issuer: CN = CARoot
         Validity
-            Not Before: Apr 23 17:08:51 2021 GMT
-            Not After : Apr 21 17:08:51 2031 GMT
+            Not Before: May 30 13:38:24 2022 GMT
+            Not After : May 27 13:38:24 2032 GMT
         Subject: CN = CARoot
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
                 RSA Public-Key: (2048 bit)
                 Modulus:
-                    00:c4:92:ca:40:ce:8d:71:dd:e9:2b:e3:3b:b7:17:
-                    1d:25:bf:12:66:c0:cb:32:18:32:3e:24:ea:e1:26:
-                    1a:97:e8:85:4b:19:8e:c0:0a:da:a6:57:ec:31:a6:
-                    a8:68:d9:8e:5c:a2:00:54:30:11:47:a6:0e:84:0d:
-                    6d:e3:48:a8:a6:e3:42:63:97:ef:91:c0:3a:bc:db:
-                    77:77:3b:d0:45:fc:c5:a8:3a:74:dc:82:4e:83:ed:
-                    f9:9d:a0:30:11:0c:d9:20:7b:a6:04:60:a1:9c:41:
-                    33:c6:04:d2:a7:e8:b1:46:e6:35:5e:fd:ca:2e:42:
-                    2f:f4:0c:f7:6e:8d:60:f5:cf:82:7a:e3:eb:ed:d0:
-                    a1:51:a9:78:8d:14:2d:ca:ea:cc:fa:ae:a9:f9:6c:
-                    df:5c:cb:83:4a:42:22:5c:48:3e:a6:63:70:43:63:
-                    ff:3f:d8:1f:88:e1:91:7b:49:b9:67:10:8a:60:51:
-                    24:68:db:68:24:5f:10:a5:a2:b3:95:83:7e:3c:88:
-                    9c:1c:52:6a:2c:03:52:aa:90:90:85:21:78:a7:20:
-                    b0:e2:dc:79:b4:b7:57:f0:be:df:3b:fc:21:23:ee:
-                    ff:63:5d:0b:0d:3d:ab:61:54:8c:2d:96:44:7b:42:
-                    10:60:3b:1d:a8:ab:33:01:e7:96:74:08:a6:f9:9d:
-                    ba:cf
+                    00:dc:9c:01:30:5f:c5:42:48:10:78:30:5d:66:20:
+                    0e:74:61:f6:82:74:9f:6f:b2:ed:00:9e:6c:21:b6:
+                    83:21:6b:54:34:e8:a9:dc:81:83:7a:0e:9f:cc:3d:
+                    eb:97:ee:cf:ca:0e:5f:96:81:dc:e7:75:88:91:2f:
+                    d5:65:74:c2:d8:67:58:d8:41:6a:5f:a9:79:dc:29:
+                    36:4a:b8:39:20:d2:f8:a8:59:9f:e3:be:f9:61:80:
+                    1b:ce:63:bb:12:56:06:b9:77:4e:6a:40:65:9b:bf:
+                    5b:f8:27:88:f5:ff:40:ee:47:bc:2d:8e:c3:a6:62:
+                    0d:18:76:d1:f5:af:1a:6b:25:4e:d4:55:15:f0:e3:
+                    97:1b:68:eb:75:b8:80:ea:64:ef:7e:e2:f0:5c:da:
+                    6d:d6:16:7b:0f:5e:ae:72:47:5a:df:0b:8a:e0:74:
+                    c1:b7:82:0d:97:41:d7:84:16:51:40:37:15:a1:eb:
+                    70:0c:f1:5a:26:39:11:1e:97:b9:36:32:ce:16:b9:
+                    42:ad:31:5b:1e:89:f5:3e:07:0e:d6:fc:9a:46:8e:
+                    87:89:90:5c:f3:00:e4:9b:ce:7b:93:fe:9a:d8:65:
+                    ec:49:5c:e8:eb:41:3d:53:bc:ce:e8:6d:44:ec:76:
+                    3f:e6:9b:13:e4:f8:d0:1c:00:e6:4f:73:e1:b0:27:
+                    6f:99
                 Exponent: 65537 (0x10001)
         X509v3 extensions:
             X509v3 Subject Key Identifier: 
-                C6:91:71:A0:C9:1F:A9:5A:87:7B:E5:10:FB:9A:2A:12:90:44:7D:A0
+                8B:30:D2:81:7C:BE:AB:4D:76:37:19:2B:69:5E:DB:F7:81:95:73:F5
             X509v3 Authority Key Identifier: 
-                keyid:C6:91:71:A0:C9:1F:A9:5A:87:7B:E5:10:FB:9A:2A:12:90:44:7D:A0
+                keyid:8B:30:D2:81:7C:BE:AB:4D:76:37:19:2B:69:5E:DB:F7:81:95:73:F5
 
             X509v3 Basic Constraints: critical
                 CA:TRUE
     Signature Algorithm: sha256WithRSAEncryption
-         5d:c2:68:9e:66:fb:67:39:fc:5e:2f:ba:4c:f0:20:3f:f9:4a:
-         e2:b9:05:56:d6:5e:da:01:c7:8b:1a:70:e6:67:61:84:71:67:
-         a8:11:bc:7c:4d:58:d0:52:44:71:19:47:87:60:cb:16:12:25:
-         b2:b0:95:13:ff:52:00:36:78:2d:d3:ce:4e:c6:7d:1b:e5:8e:
-         37:23:8a:ef:c2:44:88:e2:bc:47:c4:ef:23:f5:8b:6d:fc:39:
-         3c:cb:7e:70:7c:60:51:33:5a:38:3a:fd:cc:8f:2c:08:d5:07:
-         06:f9:89:77:96:8e:60:21:e5:05:98:37:d6:c4:b7:a3:43:9e:
-         87:13:9d:12:c4:8f:6a:ad:a9:67:c4:3a:7e:14:77:c3:75:72:
-         95:e6:25:a2:14:e7:77:4d:8f:dd:45:ae:f0:f6:f3:fe:2b:cf:
-         ea:0e:f8:61:66:45:db:9f:6b:e4:5e:b8:d4:04:41:68:e9:7c:
-         a4:7e:c8:1c:4d:ec:49:49:57:a4:46:95:e8:0f:55:ea:08:2e:
-         b9:7a:62:e2:be:05:00:d5:81:5f:60:60:58:4e:19:bc:24:ee:
-         0e:17:63:da:fd:40:44:c2:5f:7d:e9:26:b4:80:4d:db:88:4f:
-         31:a4:16:93:fd:a8:70:94:50:f1:23:92:20:fb:26:c3:9a:71:
-         b1:9c:c9:db
+         02:4c:80:4f:a4:b5:f4:70:be:82:cf:3a:ed:40:f9:97:17:22:
+         07:5d:e0:9b:4e:54:f8:4b:64:99:f5:07:7f:87:5b:9c:60:ec:
+         9f:69:e6:00:97:5a:cd:14:59:31:45:be:b7:bd:c4:ce:57:82:
+         1a:4a:62:ce:8e:c8:59:d5:62:43:8b:94:c0:ab:c2:cc:3a:a0:
+         69:d3:65:15:82:35:de:85:64:e6:7b:d9:3a:22:12:77:f7:71:
+         82:86:d7:6c:e5:69:d5:3a:f2:a7:25:f7:dc:f3:6f:cb:eb:85:
+         48:44:63:e2:6d:3c:82:eb:3a:c0:e1:bd:9d:3a:12:11:66:1f:
+         05:8f:49:65:31:d6:cf:26:06:46:ba:73:c7:ad:61:fc:14:5f:
+         68:d1:ee:02:5f:4b:98:b6:5b:0c:98:4e:61:7b:cb:35:ee:44:
+         a1:ce:e1:00:a2:56:f0:0d:72:3b:58:66:e8:9a:dc:62:d5:95:
+         3e:5a:48:21:a8:7c:f8:1f:5a:13:db:53:33:11:3e:e6:14:39:
+         cd:2b:3f:77:5b:ee:f7:0c:59:69:2f:46:9a:34:56:89:05:8e:
+         40:94:94:3f:95:f6:fa:f9:1a:e8:1a:80:7b:1d:f7:0c:a1:be:
+         e2:38:98:fd:0f:e7:68:4d:7d:fe:ae:5f:e3:32:c6:5d:37:77:
+         7a:28:ce:cc
 -----BEGIN CERTIFICATE-----
-MIIDAzCCAeugAwIBAgIUEFCgXI7PiDO2tdIeOL94VirxCSIwDQYJKoZIhvcNAQEL
-BQAwETEPMA0GA1UEAwwGQ0FSb290MB4XDTIxMDQyMzE3MDg1MVoXDTMxMDQyMTE3
-MDg1MVowETEPMA0GA1UEAwwGQ0FSb290MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
-MIIBCgKCAQEAxJLKQM6Ncd3pK+M7txcdJb8SZsDLMhgyPiTq4SYal+iFSxmOwAra
-plfsMaaoaNmOXKIAVDARR6YOhA1t40iopuNCY5fvkcA6vNt3dzvQRfzFqDp03IJO
-g+35naAwEQzZIHumBGChnEEzxgTSp+ixRuY1Xv3KLkIv9Az3bo1g9c+CeuPr7dCh
-Ual4jRQtyurM+q6p+WzfXMuDSkIiXEg+pmNwQ2P/P9gfiOGRe0m5ZxCKYFEkaNto
-JF8QpaKzlYN+PIicHFJqLANSqpCQhSF4pyCw4tx5tLdX8L7fO/whI+7/Y10LDT2r
-YVSMLZZEe0IQYDsdqKszAeeWdAim+Z26zwIDAQABo1MwUTAdBgNVHQ4EFgQUxpFx
-oMkfqVqHe+UQ+5oqEpBEfaAwHwYDVR0jBBgwFoAUxpFxoMkfqVqHe+UQ+5oqEpBE
-faAwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAXcJonmb7Zzn8
-Xi+6TPAgP/lK4rkFVtZe2gHHixpw5mdhhHFnqBG8fE1Y0FJEcRlHh2DLFhIlsrCV
-E/9SADZ4LdPOTsZ9G+WONyOK78JEiOK8R8TvI/WLbfw5PMt+cHxgUTNaODr9zI8s
-CNUHBvmJd5aOYCHlBZg31sS3o0OehxOdEsSPaq2pZ8Q6fhR3w3VyleYlohTnd02P
-3UWu8Pbz/ivP6g74YWZF259r5F641ARBaOl8pH7IHE3sSUlXpEaV6A9V6gguuXpi
-4r4FANWBX2BgWE4ZvCTuDhdj2v1ARMJffekmtIBN24hPMaQWk/2ocJRQ8SOSIPsm
-w5pxsZzJ2w==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 -----END CERTIFICATE-----
diff --git a/bouncy-castle/bcfips-include-test/src/test/resources/authentication/tls/client-cert.pem b/bouncy-castle/bcfips-include-test/src/test/resources/authentication/tls/client-cert.pem
index e79bac70987..e5d9e6e74b2 100644
--- a/bouncy-castle/bcfips-include-test/src/test/resources/authentication/tls/client-cert.pem
+++ b/bouncy-castle/bcfips-include-test/src/test/resources/authentication/tls/client-cert.pem
@@ -1,13 +1,13 @@
 Certificate:
     Data:
-        Version: 1 (0x0)
+        Version: 3 (0x2)
         Serial Number:
-            0c:26:15:df:8f:71:1d:6a:31:d0:da:af:64:ef:80:de:ac:9a:46:77
+            61:e6:1b:07:90:6a:4f:f7:cd:46:b9:59:1d:3e:1c:39:0d:f2:5e:06
         Signature Algorithm: sha256WithRSAEncryption
         Issuer: CN = CARoot
         Validity
-            Not Before: Apr 23 17:08:51 2021 GMT
-            Not After : Apr 21 17:08:51 2031 GMT
+            Not Before: May 30 13:38:24 2022 GMT
+            Not After : May 27 13:38:24 2032 GMT
         Subject: C = US, ST = CA, O = Apache, OU = Apache Pulsar, CN = superUser
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
@@ -32,37 +32,41 @@ Certificate:
                     b6:98:ef:dd:03:82:58:a3:32:dc:90:a1:b6:a6:1e:
                     e1:0b
                 Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Subject Alternative Name: 
+                DNS:localhost, IP Address:127.0.0.1
     Signature Algorithm: sha256WithRSAEncryption
-         6f:c2:2f:41:a4:a0:45:10:33:61:20:27:d2:74:40:f9:80:3b:
-         06:88:91:c3:b8:4d:1a:c4:fd:39:9e:3a:c8:41:de:31:4e:ef:
-         8b:06:ce:17:e2:8e:b5:ee:43:92:0a:44:3d:55:e9:85:81:49:
-         c9:19:44:15:f1:bd:ec:1e:cb:34:44:b1:01:c0:96:49:30:a4:
-         5a:64:44:6e:59:d9:b1:17:bf:01:13:b7:45:53:8c:8d:a7:79:
-         fc:19:b4:a9:b5:9b:6f:16:8e:b3:de:5e:2a:db:01:f2:3e:b0:
-         8f:23:4f:8f:49:ee:d5:b7:98:54:6e:b5:be:8b:fc:05:87:e3:
-         8b:2e:70:28:2c:75:75:c3:76:a4:0d:5e:71:67:30:ec:69:cc:
-         2b:43:69:3b:e8:78:89:51:98:07:cb:21:e9:7a:76:a9:b3:e8:
-         e6:19:e7:32:ae:3a:b8:24:c4:20:d8:c2:dc:91:99:d1:9b:8f:
-         77:3c:e7:a8:53:ee:91:fe:ed:2b:86:18:0a:55:44:46:78:a1:
-         78:41:a5:e9:fe:8b:db:bb:10:2e:72:52:b7:54:81:84:8b:f7:
-         29:f3:86:29:7f:f8:e2:d8:51:d8:b2:3c:c2:78:7c:a4:11:9c:
-         0a:42:64:1b:13:cc:91:1a:08:d9:ed:f1:23:5f:fd:b3:89:bb:
-         7a:cc:96:8d
+         90:62:ba:7b:6f:45:95:7a:71:2f:e7:88:0c:64:b8:6c:05:86:
+         7f:47:08:ce:d6:e2:5a:32:13:0c:82:ad:a7:af:f0:a2:f7:86:
+         79:87:1a:89:78:95:b1:9f:be:c5:8b:39:fd:12:94:b6:e1:69:
+         ff:fa:1e:c3:82:d8:6c:03:80:45:ac:1c:06:70:bb:77:c3:41:
+         5f:b6:9d:fe:36:6f:ae:23:6c:bf:43:79:8e:74:85:8e:96:89:
+         a9:c4:6d:d9:fa:05:ba:a8:11:7c:82:45:94:3d:9f:b6:7c:2f:
+         4e:6d:37:c3:fb:79:7e:0c:d2:15:fa:0e:ea:2d:c9:24:f3:34:
+         13:6f:db:d7:55:e1:0c:2f:7e:fe:4c:3b:fa:7e:03:26:0f:6a:
+         95:d2:22:ce:27:71:6a:97:ac:36:0a:20:ec:19:a0:78:23:0c:
+         54:f3:b1:dd:33:36:7c:b7:61:23:70:8f:7f:c8:5f:e8:9e:b5:
+         02:31:4d:b3:40:b0:7b:b2:ee:14:a7:69:22:8b:38:85:5d:04:
+         6e:d5:44:41:31:a7:4b:71:86:fb:81:cd:3d:db:96:23:0b:bc:
+         e1:67:46:0e:87:86:91:4e:1a:35:37:af:a4:ac:9a:de:e3:4f:
+         82:47:f1:c4:16:58:11:8f:76:d2:4d:df:a1:c6:a2:8f:33:6d:
+         72:15:28:76
 -----BEGIN CERTIFICATE-----
-MIIC7zCCAdcCFAwmFd+PcR1qMdDar2TvgN6smkZ3MA0GCSqGSIb3DQEBCwUAMBEx
-DzANBgNVBAMMBkNBUm9vdDAeFw0yMTA0MjMxNzA4NTFaFw0zMTA0MjExNzA4NTFa
-MFcxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTEPMA0GA1UEChMGQXBhY2hlMRYw
-FAYDVQQLEw1BcGFjaGUgUHVsc2FyMRIwEAYDVQQDEwlzdXBlclVzZXIwggEiMA0G
-CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDNQ32YQPmwW7yu28ALrSaQluBiOO1o
-sXBGO95E+RRRhhDrypDniOj5kYXg3bW0FLl444bVVG1o7BSStPgiWwU97TElZQgF
-hMrmDCESWDLHGmCjT9JKnigZfEWEAIyJ3N6K5U+Ikcyk8YFFTH3C/+LBicYSc5Xi
-Nr3brotaaGqQUd4riF+qZ/So42PcvhmCzJ1/5o37gr4iAT1WEztbBLToxRjmLg36
-ukqN6MZaoVGaSmLXr920/OLVza6ZbFxhVgvXDBp3XPU6alS1njOsqXUomnav0HpX
-ABuREzH9QoghRwUQAS9Zu8c62eFYTBtscbaY790DglijMtyQobamHuELAgMBAAEw
-DQYJKoZIhvcNAQELBQADggEBAG/CL0GkoEUQM2EgJ9J0QPmAOwaIkcO4TRrE/Tme
-OshB3jFO74sGzhfijrXuQ5IKRD1V6YWBSckZRBXxveweyzREsQHAlkkwpFpkRG5Z
-2bEXvwETt0VTjI2nefwZtKm1m28WjrPeXirbAfI+sI8jT49J7tW3mFRutb6L/AWH
-44sucCgsdXXDdqQNXnFnMOxpzCtDaTvoeIlRmAfLIel6dqmz6OYZ5zKuOrgkxCDY
-wtyRmdGbj3c856hT7pH+7SuGGApVREZ4oXhBpen+i9u7EC5yUrdUgYSL9ynzhil/
-+OLYUdiyPMJ4fKQRnApCZBsTzJEaCNnt8SNf/bOJu3rMlo0=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 -----END CERTIFICATE-----
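Review bot: the added `X509v3 Subject Alternative Name` block gives this client certificate (`CN = superUser`) the server names `DNS:localhost, IP Address:127.0.0.1`, the same as broker-cert.pem. A client identity does not need a server SAN, and carrying one means this certificate would also satisfy hostname verification if a test ever presented it from the server side. Consider issuing the client certificates without the SAN so the test fixtures keep the two roles distinct.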
diff --git a/build/regenerate_certs_for_tests.sh b/build/regenerate_certs_for_tests.sh
index 7e4cf8474e2..fb0274cc193 100755
--- a/build/regenerate_certs_for_tests.sh
+++ b/build/regenerate_certs_for_tests.sh
@@ -34,7 +34,7 @@ function reissue_certificate() {
   keyfile=$1
   certfile=$2
   openssl x509 -x509toreq -in $certfile -signkey $keyfile -out ${certfile}.csr
-  openssl x509 -req -CA ca-cert.pem -CAkey ca-key -in ${certfile}.csr -text -outform pem -out $certfile -days 3650 -CAcreateserial
+  openssl x509 -req -CA ca-cert.pem -CAkey ca-key -in ${certfile}.csr -text -outform pem -out $certfile -days 3650 -CAcreateserial -extfile <(printf "subjectAltName = DNS:localhost, IP:127.0.0.1")
 }
 
 generate_ca
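Review bot: `-extfile <(printf "subjectAltName = ...")` in `reissue_certificate` relies on process substitution, which only works under bash; confirm the script's shebang is bash rather than sh, or write the extension to a temporary file in the keygen directory instead. The SAN value is also fixed for every certificate the function reissues, so taking it as an optional third argument would let callers choose. While touching this line, quoting `$certfile` and `${certfile}.csr` would be a cheap improvement.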
@@ -44,6 +44,16 @@ reissue_certificate $ROOT_DIR/pulsar-proxy/src/test/resources/authentication/tls
 reissue_certificate $ROOT_DIR/pulsar-proxy/src/test/resources/authentication/tls/server-key.pem \
   $ROOT_DIR/pulsar-proxy/src/test/resources/authentication/tls/server-cert.pem
 
+# use same CA key and cert for ProxyWithAuthorizationTest/client-cacert.pem
+cp ca-cert.pem $ROOT_DIR/pulsar-proxy/src/test/resources/authentication/tls/ProxyWithAuthorizationTest/client-cacert.pem
+reissue_certificate $ROOT_DIR/pulsar-proxy/src/test/resources/authentication/tls/ProxyWithAuthorizationTest/client-key.pem \
+  $ROOT_DIR/pulsar-proxy/src/test/resources/authentication/tls/ProxyWithAuthorizationTest/client-cert.pem
+
+# use same CA key and cert for ProxyWithAuthorizationTest/proxy-cacert.pem
+cp ca-cert.pem $ROOT_DIR/pulsar-proxy/src/test/resources/authentication/tls/ProxyWithAuthorizationTest/proxy-cacert.pem
+reissue_certificate $ROOT_DIR/pulsar-proxy/src/test/resources/authentication/tls/ProxyWithAuthorizationTest/proxy-key.pem \
+  $ROOT_DIR/pulsar-proxy/src/test/resources/authentication/tls/ProxyWithAuthorizationTest/proxy-cert.pem
+
 generate_ca
 cp ca-cert.pem $ROOT_DIR/bouncy-castle/bcfips-include-test/src/test/resources/authentication/tls/cacert.pem
 reissue_certificate $ROOT_DIR/bouncy-castle/bcfips-include-test/src/test/resources/authentication/tls/broker-key.pem \
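Review bot: the two added blocks reuse the CA from the preceding `generate_ca` for the ProxyWithAuthorizationTest client and proxy certificates, where the lines removed further down generated a separate CA for each. The comments say what is done but not why. Since a shared CA means the test can no longer tell a client trust-store mix-up from a proxy one, add a line explaining which test requirement forces a common CA.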
@@ -56,18 +66,5 @@ cp ca-cert.pem $ROOT_DIR/pulsar-proxy/src/test/resources/authentication/tls/Prox
 reissue_certificate $ROOT_DIR/pulsar-proxy/src/test/resources/authentication/tls/ProxyWithAuthorizationTest/broker-key.pem \
   $ROOT_DIR/pulsar-proxy/src/test/resources/authentication/tls/ProxyWithAuthorizationTest/broker-cert.pem
 
-generate_ca
-cp ca-cert.pem $ROOT_DIR/pulsar-proxy/src/test/resources/authentication/tls/ProxyWithAuthorizationTest/client-cacert.pem
-reissue_certificate $ROOT_DIR/pulsar-proxy/src/test/resources/authentication/tls/ProxyWithAuthorizationTest/client-key.pem \
-  $ROOT_DIR/pulsar-proxy/src/test/resources/authentication/tls/ProxyWithAuthorizationTest/client-cert.pem
-
-generate_ca
-cp ca-cert.pem $ROOT_DIR/pulsar-proxy/src/test/resources/authentication/tls/ProxyWithAuthorizationTest/proxy-cacert.pem
-reissue_certificate $ROOT_DIR/pulsar-proxy/src/test/resources/authentication/tls/ProxyWithAuthorizationTest/proxy-key.pem \
-  $ROOT_DIR/pulsar-proxy/src/test/resources/authentication/tls/ProxyWithAuthorizationTest/proxy-cert.pem
-
-
-
-
 cd $ROOT_DIR
 rm -rf /tmp/keygendir$$
diff --git a/pulsar-broker/src/test/java/org/apache/pulsar/client/api/AuthenticationTlsHostnameVerificationTest.java b/pulsar-broker/src/test/java/org/apache/pulsar/client/api/AuthenticationTlsHostnameVerificationTest.java
index bb8a02143e5..157b35a8aa9 100644
--- a/pulsar-broker/src/test/java/org/apache/pulsar/client/api/AuthenticationTlsHostnameVerificationTest.java
+++ b/pulsar-broker/src/test/java/org/apache/pulsar/client/api/AuthenticationTlsHostnameVerificationTest.java
@@ -18,8 +18,7 @@
  */
 package org.apache.pulsar.client.api;
 
-import static org.mockito.Mockito.spy;
-
+import com.google.common.collect.Sets;
 import java.lang.reflect.Method;
 import java.util.HashMap;
 import java.util.HashSet;
@@ -27,16 +26,12 @@ import java.util.Map;
 import java.util.Optional;
 import java.util.Set;
 import java.util.concurrent.TimeUnit;
-
 import org.apache.pulsar.broker.authentication.AuthenticationProviderBasic;
 import org.apache.pulsar.broker.authentication.AuthenticationProviderTls;
-import org.apache.pulsar.client.admin.PulsarAdmin;
 import org.apache.pulsar.client.impl.auth.AuthenticationTls;
-import org.apache.pulsar.common.policies.data.ClusterData;
 import org.apache.pulsar.common.tls.PublicSuffixMatcher;
 import org.apache.pulsar.common.tls.TlsHostnameVerifier;
 import org.apache.pulsar.common.policies.data.ClusterDataImpl;
-import org.apache.pulsar.common.policies.data.TenantInfoImpl;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.testng.Assert;
@@ -44,8 +39,6 @@ import org.testng.annotations.AfterMethod;
 import org.testng.annotations.DataProvider;
 import org.testng.annotations.Test;
 
-import com.google.common.collect.Sets;
-
 @Test(groups = "broker-api")
 public class AuthenticationTlsHostnameVerificationTest extends ProducerConsumerBase {
     private static final Logger log = LoggerFactory.getLogger(AuthenticationTlsHostnameVerificationTest.class);
@@ -65,8 +58,13 @@ public class AuthenticationTlsHostnameVerificationTest extends ProducerConsumerB
     private final String BASIC_CONF_FILE_PATH = "./src/test/resources/authentication/basic/.htpasswd";
 
     private boolean hostnameVerificationEnabled = true;
+    private String clientTrustCertFilePath = TLS_TRUST_CERT_FILE_PATH;
 
     protected void setup() throws Exception {
+        super.internalSetup();
+        super.producerBaseSetup();
+        super.stopBroker();
+
         if (methodName.equals("testAnonymousSyncProducerAndConsumer")) {
             conf.setAnonymousUserRole("anonymousUser");
         }
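Review bot: `super.internalSetup(); super.producerBaseSetup(); super.stopBroker();` at the top of `setup()` starts a broker only to stop it again before the TLS settings are applied, and there is no comment saying why. If the purpose is to create the cluster, tenant and namespace that the removed `admin` calls in `setupClient()` used to create, say so in a comment so the extra start and stop is not later removed as dead code.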
@@ -74,7 +72,7 @@ public class AuthenticationTlsHostnameVerificationTest extends ProducerConsumerB
         conf.setAuthenticationEnabled(true);
         conf.setAuthorizationEnabled(true);
 
-        conf.setTlsAllowInsecureConnection(true);
+        conf.setTlsAllowInsecureConnection(false);
 
         Set<String> superUserRoles = new HashSet<>();
         superUserRoles.add("localhost");
@@ -96,7 +94,7 @@ public class AuthenticationTlsHostnameVerificationTest extends ProducerConsumerB
         conf.setClusterName("test");
         conf.setNumExecutorThreadPoolSize(5);
 
-        super.init();
+        startBroker();
 
         setupClient();
     }
@@ -109,22 +107,11 @@ public class AuthenticationTlsHostnameVerificationTest extends ProducerConsumerB
         Authentication authTls = new AuthenticationTls();
         authTls.configure(authParams);
 
-        admin = spy(PulsarAdmin.builder().serviceHttpUrl(brokerUrlTls.toString())
-                .tlsTrustCertsFilePath(TLS_MIM_TRUST_CERT_FILE_PATH).allowTlsInsecureConnection(true)
-                .authentication(authTls).build());
         replacePulsarClient(PulsarClient.builder()
                 .serviceUrl(pulsar.getBrokerServiceUrlTls())
                 .statsInterval(0, TimeUnit.SECONDS)
-                .tlsTrustCertsFilePath(TLS_MIM_TRUST_CERT_FILE_PATH).allowTlsInsecureConnection(true)
+                .tlsTrustCertsFilePath(clientTrustCertFilePath)
                 .authentication(authTls).enableTls(true).enableTlsHostnameVerification(hostnameVerificationEnabled));
-
-        admin.clusters().createCluster("test", ClusterData.builder()
-                .serviceUrl(brokerUrl.toString())
-                .build());
-
-        admin.tenants().createTenant("my-property",
-                new TenantInfoImpl(Sets.newHashSet("appid1", "appid2"), Sets.newHashSet("test")));
-        admin.namespaces().createNamespace("my-property/my-ns", Sets.newHashSet("test"));
     }
 
     @AfterMethod(alwaysRun = true)
@@ -157,10 +144,11 @@ public class AuthenticationTlsHostnameVerificationTest extends ProducerConsumerB
         log.info("-- Starting {} test --", methodName);
 
         this.hostnameVerificationEnabled = hostnameVerificationEnabled;
+        clientTrustCertFilePath = TLS_MIM_TRUST_CERT_FILE_PATH;
         // setup broker cert which has CN = "pulsar" different than broker's hostname="localhost"
         conf.setBrokerServicePortTls(Optional.of(0));
         conf.setWebServicePortTls(Optional.of(0));
-        conf.setTlsTrustCertsFilePath(TLS_MIM_TRUST_CERT_FILE_PATH);
+        conf.setTlsTrustCertsFilePath(TLS_TRUST_CERT_FILE_PATH);
         conf.setTlsCertificateFilePath(TLS_MIM_SERVER_CERT_FILE_PATH);
         conf.setTlsKeyFilePath(TLS_MIM_SERVER_KEY_FILE_PATH);
         conf.setBrokerClientAuthenticationParameters(
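Review bot: `clientTrustCertFilePath = TLS_MIM_TRUST_CERT_FILE_PATH;` mutates an instance field that defaults to `TLS_TRUST_CERT_FILE_PATH`, and nothing visible in this diff restores it. Unless the `@AfterMethod` cleanup resets it, any test method that runs later on the same instance will build its client against the MIM trust file; reset it in cleanup or pass the path into `setupClient()` as a parameter. The existing comment describes only the broker certificate and should also mention that the client and broker now use different trust files.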
diff --git a/pulsar-client-admin/src/main/java/org/apache/pulsar/client/admin/internal/http/AsyncHttpConnector.java b/pulsar-client-admin/src/main/java/org/apache/pulsar/client/admin/internal/http/AsyncHttpConnector.java
index 95ea0717b97..2b08bfc0048 100644
--- a/pulsar-client-admin/src/main/java/org/apache/pulsar/client/admin/internal/http/AsyncHttpConnector.java
+++ b/pulsar-client-admin/src/main/java/org/apache/pulsar/client/admin/internal/http/AsyncHttpConnector.java
@@ -129,7 +129,7 @@ public class AsyncHttpConnector implements Connector {
                             params != null ? params.getKeyStoreType() : null,
                             params != null ? params.getKeyStorePath() : null,
                             params != null ? params.getKeyStorePassword() : null,
-                            conf.isTlsAllowInsecureConnection() || !conf.isTlsHostnameVerificationEnable(),
+                            conf.isTlsAllowInsecureConnection(),
                             conf.getTlsTrustStoreType(),
                             conf.getTlsTrustStorePath(),
                             conf.getTlsTrustStorePassword(),
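Review bot: dropping `|| !conf.isTlsHostnameVerificationEnable()` from the allow-insecure argument here, and at the three call sites in the following hunks, changes behaviour for existing admin-client users. Previously, turning hostname verification off also switched the SSL context into its allow-insecure mode; now the certificate chain is still validated. That is the right separation, but it can surface as new handshake failures for deployments that relied on the old coupling, so it deserves a line in the commit message or release notes and a test that covers hostname verification disabled together with an untrusted CA.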
@@ -148,12 +148,12 @@ public class AsyncHttpConnector implements Connector {
                         sslCtx = authData.getTlsTrustStoreStream() == null
                                 ? SecurityUtility.createAutoRefreshSslContextForClient(
                                 sslProvider,
-                                conf.isTlsAllowInsecureConnection() || !conf.isTlsHostnameVerificationEnable(),
+                                conf.isTlsAllowInsecureConnection(),
                                 conf.getTlsTrustCertsFilePath(), authData.getTlsCerificateFilePath(),
                                 authData.getTlsPrivateKeyFilePath(), null, autoCertRefreshTimeSeconds, delayer)
                                 : SecurityUtility.createNettySslContextForClient(
                                 sslProvider,
-                                conf.isTlsAllowInsecureConnection() || !conf.isTlsHostnameVerificationEnable(),
+                                conf.isTlsAllowInsecureConnection(),
                                 authData.getTlsTrustStoreStream(), authData.getTlsCertificates(),
                                 authData.getTlsPrivateKey(),
                                 conf.getTlsCiphers(),
@@ -161,7 +161,7 @@ public class AsyncHttpConnector implements Connector {
                     } else {
                         sslCtx = SecurityUtility.createNettySslContextForClient(
                                 sslProvider,
-                                conf.isTlsAllowInsecureConnection() || !conf.isTlsHostnameVerificationEnable(),
+                                conf.isTlsAllowInsecureConnection(),
                                 conf.getTlsTrustCertsFilePath(),
                                 conf.getTlsCiphers(),
                                 conf.getTlsProtocols());
@@ -169,6 +169,7 @@ public class AsyncHttpConnector implements Connector {
                     confBuilder.setSslContext(sslCtx);
                 }
             }
+            confBuilder.setDisableHttpsEndpointIdentificationAlgorithm(!conf.isTlsHostnameVerificationEnable());
         }
         httpClient = new DefaultAsyncHttpClient(confBuilder.build());
         this.readTimeout = Duration.ofMillis(readTimeoutMs);
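Review bot: The added `setDisableHttpsEndpointIdentificationAlgorithm(...)` call sits outside the block that ends with `confBuilder.setSslContext(sslCtx)`, so it is now the only thing enforcing hostname checks for every branch above it, including the ones that install a custom `sslCtx`. Please add a short comment saying so, and make sure a hostname-mismatch test exercises each context-building path (key store, auto-refresh, trust-store stream), since the old per-branch expression is gone.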
diff --git a/pulsar-client/src/main/java/org/apache/pulsar/client/impl/ClientCnx.java b/pulsar-client/src/main/java/org/apache/pulsar/client/impl/ClientCnx.java
index 3b71f6a6222..20325ade4f6 100644
--- a/pulsar-client/src/main/java/org/apache/pulsar/client/impl/ClientCnx.java
+++ b/pulsar-client/src/main/java/org/apache/pulsar/client/impl/ClientCnx.java
@@ -26,12 +26,10 @@ import static org.apache.pulsar.common.util.Runnables.catchingAndLoggingThrowabl
 import com.google.common.collect.Queues;
 import io.netty.buffer.ByteBuf;
 import io.netty.channel.Channel;
-import io.netty.channel.ChannelHandler;
 import io.netty.channel.ChannelHandlerContext;
 import io.netty.channel.EventLoopGroup;
 import io.netty.channel.unix.Errors.NativeIoException;
 import io.netty.handler.codec.LengthFieldBasedFrameDecoder;
-import io.netty.handler.ssl.SslHandler;
 import io.netty.util.concurrent.Promise;
 import java.net.InetSocketAddress;
 import java.net.SocketAddress;
@@ -48,7 +46,6 @@ import java.util.concurrent.ScheduledFuture;
 import java.util.concurrent.Semaphore;
 import java.util.concurrent.TimeUnit;
 import java.util.concurrent.atomic.AtomicIntegerFieldUpdater;
-import javax.net.ssl.SSLSession;
 import lombok.Getter;
 import org.apache.commons.lang3.exception.ExceptionUtils;
 import org.apache.commons.lang3.tuple.Pair;
@@ -156,9 +153,6 @@ public class ClientCnx extends PulsarHandler {
     protected String proxyToTargetBrokerAddress = null;
     // Remote hostName with which client is connected
     protected String remoteHostName = null;
-    private boolean isTlsHostnameVerificationEnable;
-
-    private static final TlsHostnameVerifier HOSTNAME_VERIFIER = new TlsHostnameVerifier();
 
     private ScheduledFuture<?> timeoutTask;
     private SocketAddress localAddress;
@@ -224,7 +218,6 @@ public class ClientCnx extends PulsarHandler {
         this.maxNumberOfRejectedRequestPerConnection = conf.getMaxNumberOfRejectedRequestPerConnection();
         this.operationTimeoutMs = conf.getOperationTimeoutMs();
         this.state = State.None;
-        this.isTlsHostnameVerificationEnable = conf.isTlsHostnameVerificationEnable();
         this.protocolVersion = protocolVersion;
     }
 
@@ -325,14 +318,6 @@ public class ClientCnx extends PulsarHandler {
 
     @Override
     protected void handleConnected(CommandConnected connected) {
-
-        if (isTlsHostnameVerificationEnable && remoteHostName != null && !verifyTlsHostName(remoteHostName, ctx)) {
-            // close the connection if host-verification failed with the broker
-            log.warn("[{}] Failed to verify hostname of {}", ctx.channel(), remoteHostName);
-            ctx.close();
-            return;
-        }
-
         checkArgument(state == State.SentConnectFrame || state == State.Connecting);
         if (connected.hasMaxMessageSize()) {
             if (log.isDebugEnabled()) {
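Review bot: Removing this block from `handleConnected` also removes the only log line here that names the host that failed verification (`Failed to verify hostname of {}`). With the check moved into the TLS handshake, a mismatch will surface as a handshake error, so please confirm that path logs the remote host clearly enough for operators to tell a hostname mismatch from other TLS failures. The removed condition also skipped the check when `remoteHostName` was null; connections in that state will now be verified whenever the option is on, which is worth stating in the change description.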
@@ -1084,39 +1069,6 @@ public class ClientCnx extends PulsarHandler {
         }
     }
 
-    /**
-     * verifies host name provided in x509 Certificate in tls session
-     *
-     * it matches hostname with below scenarios
-     *
-     * <pre>
-     *  1. Supports IPV4 and IPV6 host matching
-     *  2. Supports wild card matching for DNS-name
-     *  eg:
-     *     HostName                     CN           Result
-     * 1.  localhost                    localhost    PASS
-     * 2.  localhost                    local*       PASS
-     * 3.  pulsar1-broker.com           pulsar*.com  PASS
-     * </pre>
-     *
-     * @param ctx
-     * @return true if hostname is verified else return false
-     */
-    private boolean verifyTlsHostName(String hostname, ChannelHandlerContext ctx) {
-        ChannelHandler sslHandler = ctx.channel().pipeline().get("tls");
-
-        SSLSession sslSession = null;
-        if (sslHandler != null) {
-            sslSession = ((SslHandler) sslHandler).engine().getSession();
-            if (log.isDebugEnabled()) {
-                log.debug("Verifying HostName for {}, Cipher {}, Protocols {}", hostname, sslSession.getCipherSuite(),
-                        sslSession.getProtocol());
-            }
-            return HOSTNAME_VERIFIER.verify(hostname, sslSession);
-        }
-        return false;
-    }
-
     void registerConsumer(final long consumerId, final ConsumerImpl<?> consumer) {
         consumers.put(consumerId, consumer);
     }
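Review bot: The deleted Javadoc on `verifyTlsHostName` is the only place in these lines that documents what counts as a match (IPv4 and IPv6 hosts, CN wildcards such as `local*` and `pulsar*.com`). Matching is now delegated to the `"HTTPS"` endpoint identification algorithm set in `SecurityUtility.configureSSLHandler`, so please state in the commit message or docs whether those cases are still accepted, and keep or add tests for them so that a certificate that used to pass does not start failing unnoticed.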
diff --git a/pulsar-client/src/main/java/org/apache/pulsar/client/impl/HttpClient.java b/pulsar-client/src/main/java/org/apache/pulsar/client/impl/HttpClient.java
index 285a7202c72..323f3bcad5e 100644
--- a/pulsar-client/src/main/java/org/apache/pulsar/client/impl/HttpClient.java
+++ b/pulsar-client/src/main/java/org/apache/pulsar/client/impl/HttpClient.java
@@ -137,6 +137,7 @@ public class HttpClient implements Closeable {
                 }
 
                 confBuilder.setUseInsecureTrustManager(conf.isTlsAllowInsecureConnection());
+                confBuilder.setDisableHttpsEndpointIdentificationAlgorithm(!conf.isTlsHostnameVerificationEnable());
             } catch (GeneralSecurityException e) {
                 throw new PulsarClientException.InvalidConfigurationException(e);
             } catch (Exception e) {
diff --git a/pulsar-client/src/main/java/org/apache/pulsar/client/impl/PulsarChannelInitializer.java b/pulsar-client/src/main/java/org/apache/pulsar/client/impl/PulsarChannelInitializer.java
index 497793d792d..bac1cd9ba41 100644
--- a/pulsar-client/src/main/java/org/apache/pulsar/client/impl/PulsarChannelInitializer.java
+++ b/pulsar-client/src/main/java/org/apache/pulsar/client/impl/PulsarChannelInitializer.java
@@ -51,6 +51,7 @@ public class PulsarChannelInitializer extends ChannelInitializer<SocketChannel>
     private final Supplier<ClientCnx> clientCnxSupplier;
     @Getter
     private final boolean tlsEnabled;
+    private final boolean tlsHostnameVerificationEnabled;
     private final boolean tlsEnabledWithKeyStore;
     private final InetSocketAddress socks5ProxyAddress;
     private final String socks5ProxyUsername;
@@ -66,6 +67,7 @@ public class PulsarChannelInitializer extends ChannelInitializer<SocketChannel>
         super();
         this.clientCnxSupplier = clientCnxSupplier;
         this.tlsEnabled = conf.isUseTls();
+        this.tlsHostnameVerificationEnabled = conf.isTlsHostnameVerificationEnable();
         this.socks5ProxyAddress = conf.getSocks5ProxyAddress();
         this.socks5ProxyUsername = conf.getSocks5ProxyUsername();
         this.socks5ProxyPassword = conf.getSocks5ProxyPassword();
@@ -167,6 +169,11 @@ public class PulsarChannelInitializer extends ChannelInitializer<SocketChannel>
                         ? new SslHandler(nettySSLContextAutoRefreshBuilder.get()
                                 .createSSLEngine(sniHost.getHostString(), sniHost.getPort()))
                         : sslContextSupplier.get().newHandler(ch.alloc(), sniHost.getHostString(), sniHost.getPort());
+
+                if (tlsHostnameVerificationEnabled) {
+                    SecurityUtility.configureSSLHandler(handler);
+                }
+
                 ch.pipeline().addFirst(TLS_HANDLER, handler);
                 initTlsFuture.complete(ch);
             } catch (Throwable t) {
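Review bot: In the added `if (tlsHostnameVerificationEnabled)` block, the name that gets verified is whatever was passed as `sniHost.getHostString()` when the engine or handler was created just above, not the `remoteHostName` that the removed `ClientCnx` check used. Please confirm the two are the same for connections that go through a proxy, and add a comment noting that the check depends on the peer host supplied at engine creation.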
diff --git a/pulsar-common/src/main/java/org/apache/pulsar/common/util/NettyClientSslContextRefresher.java b/pulsar-common/src/main/java/org/apache/pulsar/common/util/NettyClientSslContextRefresher.java
index e1fef9aaa9b..9e050b7058d 100644
--- a/pulsar-common/src/main/java/org/apache/pulsar/common/util/NettyClientSslContextRefresher.java
+++ b/pulsar-common/src/main/java/org/apache/pulsar/common/util/NettyClientSslContextRefresher.java
@@ -49,8 +49,7 @@ public class NettyClientSslContextRefresher extends SslContextAutoRefreshBuilder
                                           AuthenticationDataProvider authData,
                                           Set<String> ciphers,
                                           Set<String> protocols,
-                                          long delayInSeconds)
-            throws IOException, GeneralSecurityException {
+                                          long delayInSeconds) {
         super(delayInSeconds);
         this.tlsAllowInsecureConnection = allowInsecure;
         this.tlsTrustCertsFilePath = new FileModifiedTimeUpdater(trustCertsFilePath);
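Review bot: Removing `throws IOException, GeneralSecurityException` from this public constructor is a source-level API change: any caller that wraps the call in a `catch` for one of those checked exceptions will stop compiling. Please check all call sites, and drop the `IOException` and `GeneralSecurityException` imports from this class if nothing else in it uses them.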
diff --git a/pulsar-common/src/main/java/org/apache/pulsar/common/util/SecurityUtility.java b/pulsar-common/src/main/java/org/apache/pulsar/common/util/SecurityUtility.java
index 6b715bbf6dc..5abad5924c4 100644
--- a/pulsar-common/src/main/java/org/apache/pulsar/common/util/SecurityUtility.java
+++ b/pulsar-common/src/main/java/org/apache/pulsar/common/util/SecurityUtility.java
@@ -21,6 +21,7 @@ package org.apache.pulsar.common.util;
 import io.netty.handler.ssl.ClientAuth;
 import io.netty.handler.ssl.SslContext;
 import io.netty.handler.ssl.SslContextBuilder;
+import io.netty.handler.ssl.SslHandler;
 import io.netty.handler.ssl.SslProvider;
 import io.netty.handler.ssl.util.InsecureTrustManagerFactory;
 import java.io.BufferedReader;
@@ -57,7 +58,9 @@ import javax.net.ssl.HostnameVerifier;
 import javax.net.ssl.KeyManager;
 import javax.net.ssl.KeyManagerFactory;
 import javax.net.ssl.SSLContext;
+import javax.net.ssl.SSLEngine;
 import javax.net.ssl.SSLException;
+import javax.net.ssl.SSLParameters;
 import javax.net.ssl.TrustManager;
 import javax.net.ssl.TrustManagerFactory;
 import lombok.extern.slf4j.Slf4j;
@@ -549,6 +552,13 @@ public class SecurityUtility {
         }
     }
 
+    public static void configureSSLHandler(SslHandler handler) {
+        SSLEngine sslEngine = handler.engine();
+        SSLParameters sslParameters = sslEngine.getSSLParameters();
+        sslParameters.setEndpointIdentificationAlgorithm("HTTPS");
+        sslEngine.setSSLParameters(sslParameters);
+    }
+
     public static Provider resolveProvider(String providerName) throws NoSuchAlgorithmException {
         Provider provider = null;
         if (!StringUtils.isEmpty(providerName)) {
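Review bot: `configureSSLHandler` is a new public static method with no Javadoc, and its name does not say that it turns on hostname verification. Suggest a name that states the effect (something like `enableHostnameVerification`) and a Javadoc line giving the precondition that the `SSLEngine` was created with the peer host and port, since `setEndpointIdentificationAlgorithm("HTTPS")` has no host name to check the certificate against otherwise.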
diff --git a/pulsar-proxy/src/main/java/org/apache/pulsar/proxy/server/AdminProxyHandler.java b/pulsar-proxy/src/main/java/org/apache/pulsar/proxy/server/AdminProxyHandler.java
index d4eb4774268..bd1bad27b2b 100644
--- a/pulsar-proxy/src/main/java/org/apache/pulsar/proxy/server/AdminProxyHandler.java
+++ b/pulsar-proxy/src/main/java/org/apache/pulsar/proxy/server/AdminProxyHandler.java
@@ -280,10 +280,11 @@ class AdminProxyHandler extends ProxyServlet {
                         );
                     }
 
-
-                    SslContextFactory contextFactory = new SslContextFactory.Client(true);
+                    SslContextFactory contextFactory = new SslContextFactory.Client();
                     contextFactory.setSslContext(sslCtx);
-
+                    if (!config.isTlsHostnameVerificationEnabled()) {
+                        contextFactory.setEndpointIdentificationAlgorithm(null);
+                    }
                     return new JettyHttpClient(contextFactory);
                 } catch (Exception e) {
                     LOG.error("new jetty http client exception ", e);
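Review bot: Replacing `new SslContextFactory.Client(true)` with `new SslContextFactory.Client()` changes two things at once: the factory is no longer constructed in trust-all mode, and hostname checking is left to the factory's default unless `isTlsHostnameVerificationEnabled()` is false. Please set the endpoint identification algorithm explicitly in an `else` branch rather than relying on the default, and confirm that `tlsAllowInsecureConnection` is still honoured through `sslCtx` now that the constructor flag is gone.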
diff --git a/pulsar-proxy/src/main/java/org/apache/pulsar/proxy/server/DirectProxyHandler.java b/pulsar-proxy/src/main/java/org/apache/pulsar/proxy/server/DirectProxyHandler.java
index 24802f60a3d..8ffcdb0acd5 100644
--- a/pulsar-proxy/src/main/java/org/apache/pulsar/proxy/server/DirectProxyHandler.java
+++ b/pulsar-proxy/src/main/java/org/apache/pulsar/proxy/server/DirectProxyHandler.java
@@ -21,13 +21,13 @@ package org.apache.pulsar.proxy.server;
 
 import static com.google.common.base.Preconditions.checkArgument;
 import static com.google.common.base.Preconditions.checkState;
+import static org.apache.commons.lang3.StringUtils.isEmpty;
 import io.netty.bootstrap.Bootstrap;
 import io.netty.buffer.ByteBuf;
 import io.netty.buffer.Unpooled;
 import io.netty.channel.Channel;
 import io.netty.channel.ChannelFuture;
 import io.netty.channel.ChannelFutureListener;
-import io.netty.channel.ChannelHandler;
 import io.netty.channel.ChannelHandlerContext;
 import io.netty.channel.ChannelInitializer;
 import io.netty.channel.ChannelOption;
@@ -37,18 +37,19 @@ import io.netty.handler.codec.haproxy.HAProxyCommand;
 import io.netty.handler.codec.haproxy.HAProxyMessage;
 import io.netty.handler.codec.haproxy.HAProxyProtocolVersion;
 import io.netty.handler.codec.haproxy.HAProxyProxiedProtocol;
+import io.netty.handler.ssl.SslContext;
 import io.netty.handler.ssl.SslHandler;
+import io.netty.handler.ssl.SslProvider;
 import io.netty.handler.timeout.ReadTimeoutHandler;
 import io.netty.util.CharsetUtil;
 import java.net.InetSocketAddress;
 import java.util.Arrays;
 import java.util.concurrent.TimeUnit;
-import java.util.function.Supplier;
-import javax.net.ssl.SSLSession;
 import lombok.Getter;
 import org.apache.pulsar.PulsarVersion;
 import org.apache.pulsar.client.api.Authentication;
 import org.apache.pulsar.client.api.AuthenticationDataProvider;
+import org.apache.pulsar.client.api.AuthenticationFactory;
 import org.apache.pulsar.client.api.PulsarClientException;
 import org.apache.pulsar.common.allocator.PulsarByteBufAllocator;
 import org.apache.pulsar.common.api.AuthData;
@@ -57,7 +58,10 @@ import org.apache.pulsar.common.api.proto.CommandConnected;
 import org.apache.pulsar.common.protocol.Commands;
 import org.apache.pulsar.common.protocol.PulsarDecoder;
 import org.apache.pulsar.common.stats.Rate;
-import org.apache.pulsar.common.tls.TlsHostnameVerifier;
+import org.apache.pulsar.common.util.NettyClientSslContextRefresher;
+import org.apache.pulsar.common.util.SecurityUtility;
+import org.apache.pulsar.common.util.SslContextAutoRefreshBuilder;
+import org.apache.pulsar.common.util.keystoretls.NettySSLContextAutoRefreshBuilder;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -79,6 +83,11 @@ public class DirectProxyHandler {
     private AuthenticationDataProvider authenticationDataProvider;
     private final ProxyService service;
     private final Runnable onHandshakeCompleteAction;
+    private final boolean tlsHostnameVerificationEnabled;
+    private final boolean tlsEnabledWithKeyStore;
+    private final boolean tlsEnabledWithBroker;
+    private final SslContextAutoRefreshBuilder<SslContext> clientSslCtxRefresher;
+    private final NettySSLContextAutoRefreshBuilder clientSSLContextAutoRefreshBuilder;
 
     public DirectProxyHandler(ProxyService service, ProxyConnection proxyConnection) {
         this.service = service;
@@ -89,11 +98,59 @@ public class DirectProxyHandler {
         this.originalPrincipal = proxyConnection.clientAuthRole;
         this.clientAuthData = proxyConnection.clientAuthData;
         this.clientAuthMethod = proxyConnection.clientAuthMethod;
+        this.tlsEnabledWithBroker = service.getConfiguration().isTlsEnabledWithBroker();
+        this.tlsHostnameVerificationEnabled = service.getConfiguration().isTlsHostnameVerificationEnabled();
+        this.tlsEnabledWithKeyStore = service.getConfiguration().isTlsEnabledWithKeyStore();
         this.onHandshakeCompleteAction = proxyConnection::cancelKeepAliveTask;
+        ProxyConfiguration config = service.getConfiguration();
+
+        if (tlsEnabledWithBroker) {
+            AuthenticationDataProvider authData = null;
+
+            if (!isEmpty(config.getBrokerClientAuthenticationPlugin())) {
+                try {
+                    authData = AuthenticationFactory.create(config.getBrokerClientAuthenticationPlugin(),
+                            config.getBrokerClientAuthenticationParameters()).getAuthData();
+                } catch (PulsarClientException e) {
+                    throw new RuntimeException(e);
+                }
+            }
+
+            if (tlsEnabledWithKeyStore) {
+                clientSSLContextAutoRefreshBuilder = new NettySSLContextAutoRefreshBuilder(
+                        config.getBrokerClientSslProvider(),
+                        config.isTlsAllowInsecureConnection(),
+                        config.getBrokerClientTlsTrustStoreType(),
+                        config.getBrokerClientTlsTrustStore(),
+                        config.getBrokerClientTlsTrustStorePassword(),
+                        config.getBrokerClientTlsCiphers(),
+                        config.getBrokerClientTlsProtocols(),
+                        config.getTlsCertRefreshCheckDurationSec(),
+                        authData);
+                clientSslCtxRefresher = null;
+            } else {
+                SslProvider sslProvider = null;
+                if (config.getBrokerClientSslProvider() != null) {
+                    sslProvider = SslProvider.valueOf(config.getBrokerClientSslProvider());
+                }
+                clientSslCtxRefresher = new NettyClientSslContextRefresher(
+                        sslProvider,
+                        config.isTlsAllowInsecureConnection(),
+                        config.getBrokerClientTrustCertsFilePath(),
+                        authData,
+                        config.getBrokerClientTlsCiphers(),
+                        config.getBrokerClientTlsProtocols(),
+                        config.getTlsCertRefreshCheckDurationSec()
+                );
+                clientSSLContextAutoRefreshBuilder = null;
+            }
+        } else {
+            clientSSLContextAutoRefreshBuilder = null;
+            clientSslCtxRefresher = null;
+        }
     }
 
-    public void connect(String brokerHostAndPort, InetSocketAddress targetBrokerAddress,
-                           int protocolVersion, Supplier<SslHandler> sslHandlerSupplier) {
+    public void connect(String brokerHostAndPort, InetSocketAddress targetBrokerAddress, int protocolVersion) {
         ProxyConfiguration config = service.getConfiguration();
 
         // Start the connection attempt.
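Review bot: The SSL context refreshers are now built in the `DirectProxyHandler` constructor, and `ProxyConnection.connectToBroker` creates a new `DirectProxyHandler` for each broker connection, so `AuthenticationFactory.create(...)` and a `NettyClientSslContextRefresher` or `NettySSLContextAutoRefreshBuilder` are constructed per connection instead of once in `ServiceChannelInitializer`. Consider building them once and passing them in. Also, `tlsEnabledWithKeyStore` is read from `isTlsEnabledWithKeyStore()` while every parameter it selects is a `getBrokerClient...` value, and `ProxyConnection` uses `isBrokerClientTlsEnabledWithKeyStore()` for the same kind of decision; please check which flag is intended.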
@@ -121,8 +178,16 @@ public class DirectProxyHandler {
         b.handler(new ChannelInitializer<SocketChannel>() {
             @Override
             protected void initChannel(SocketChannel ch) {
-                if (sslHandlerSupplier != null) {
-                    ch.pipeline().addLast(TLS_HANDLER, sslHandlerSupplier.get());
+                if (tlsEnabledWithBroker) {
+                    String host = targetBrokerAddress.getHostString();
+                    int port = targetBrokerAddress.getPort();
+                    SslHandler handler = tlsEnabledWithKeyStore
+                            ? new SslHandler(clientSSLContextAutoRefreshBuilder.get().createSSLEngine(host, port))
+                            : clientSslCtxRefresher.get().newHandler(ch.alloc(), host, port);
+                    if (tlsHostnameVerificationEnabled) {
+                        SecurityUtility.configureSSLHandler(handler);
+                    }
+                    ch.pipeline().addLast(TLS_HANDLER, handler);
                 }
                 int brokerProxyReadTimeoutMs = service.getConfiguration().getBrokerProxyReadTimeoutMs();
                 if (brokerProxyReadTimeoutMs > 0) {
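Review bot: In the new `initChannel` body the certificate is checked against `targetBrokerAddress.getHostString()`, while `connect` also receives `brokerHostAndPort` and the removed check used `remoteHostName`. If `targetBrokerAddress` can reach this point built from an IP literal rather than a host name, the broker certificate would need a matching IP entry; please confirm which form arrives here and cover it with a proxy-to-broker test that has hostname verification enabled.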
@@ -338,15 +403,6 @@ public class DirectProxyHandler {
                 log.debug("[{}] [{}] Received Connected from broker", inboundChannel, outboundChannel);
             }
 
-            if (config.isTlsHostnameVerificationEnabled() && remoteHostName != null
-                    && !verifyTlsHostName(remoteHostName, ctx)) {
-                // close the connection if host-verification failed with the
-                // broker
-                log.warn("[{}] Failed to verify hostname of {}", ctx.channel(), remoteHostName);
-                ctx.close();
-                return;
-            }
-
             state = BackendState.HandshakeCompleted;
 
             onHandshakeCompleteAction.run();
@@ -409,17 +465,6 @@ public class DirectProxyHandler {
             log.warn("[{}] [{}] Caught exception: {}", inboundChannel, outboundChannel, cause.getMessage(), cause);
             ctx.close();
         }
-
-        private boolean verifyTlsHostName(String hostname, ChannelHandlerContext ctx) {
-            ChannelHandler sslHandler = ctx.channel().pipeline().get("tls");
-
-            SSLSession sslSession;
-            if (sslHandler != null) {
-                sslSession = ((SslHandler) sslHandler).engine().getSession();
-                return (new TlsHostnameVerifier()).verify(hostname, sslSession);
-            }
-            return false;
-        }
     }
 
     private static final Logger log = LoggerFactory.getLogger(DirectProxyHandler.class);
diff --git a/pulsar-proxy/src/main/java/org/apache/pulsar/proxy/server/ProxyConnection.java b/pulsar-proxy/src/main/java/org/apache/pulsar/proxy/server/ProxyConnection.java
index eeabced97b0..d9f0f5db38f 100644
--- a/pulsar-proxy/src/main/java/org/apache/pulsar/proxy/server/ProxyConnection.java
+++ b/pulsar-proxy/src/main/java/org/apache/pulsar/proxy/server/ProxyConnection.java
@@ -82,7 +82,6 @@ public class ProxyConnection extends PulsarHandler {
     private final DnsAddressResolverGroup dnsAddressResolverGroup;
     AuthenticationDataSource authenticationData;
     private State state;
-    private final Supplier<SslHandler> sslHandlerSupplier;
 
     private LookupProxyHandler lookupProxyHandler = null;
     @Getter
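Review bot: The `sslHandlerSupplier` field goes away here, and its constructor parameter and only use are removed in the hunks below, yet the diff for this file shows no change to the import section. `java.util.function.Supplier` and `io.netty.handler.ssl.SslHandler` may now be unused imports in `ProxyConnection`; please check and drop them if nothing else in the class needs them.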
@@ -131,13 +130,11 @@ public class ProxyConnection extends PulsarHandler {
         return connectionPool;
     }
 
-    public ProxyConnection(ProxyService proxyService, Supplier<SslHandler> sslHandlerSupplier,
-                           DnsAddressResolverGroup dnsAddressResolverGroup) {
+    public ProxyConnection(ProxyService proxyService, DnsAddressResolverGroup dnsAddressResolverGroup) {
         super(30, TimeUnit.SECONDS);
         this.service = proxyService;
         this.dnsAddressResolverGroup = dnsAddressResolverGroup;
         this.state = State.Init;
-        this.sslHandlerSupplier = sslHandlerSupplier;
         this.brokerProxyValidator = service.getBrokerProxyValidator();
     }
 
@@ -360,8 +357,7 @@ public class ProxyConnection extends PulsarHandler {
     private void connectToBroker(InetSocketAddress brokerAddress) {
         checkState(ctx.executor().inEventLoop(), "This method should be called in the event loop");
         DirectProxyHandler directProxyHandler = new DirectProxyHandler(service, this);
-        directProxyHandler.connect(proxyToBrokerUrl, brokerAddress,
-                protocolVersionToAdvertise, sslHandlerSupplier);
+        directProxyHandler.connect(proxyToBrokerUrl, brokerAddress, protocolVersionToAdvertise);
     }
 
     public void brokerConnected(DirectProxyHandler directProxyHandler, CommandConnected connected) {
@@ -531,6 +527,7 @@ public class ProxyConnection extends PulsarHandler {
         clientConf.setAuthentication(this.getClientAuthentication());
         if (proxyConfig.isTlsEnabledWithBroker()) {
             clientConf.setUseTls(true);
+            clientConf.setTlsHostnameVerificationEnable(proxyConfig.isTlsHostnameVerificationEnabled());
             if (proxyConfig.isBrokerClientTlsEnabledWithKeyStore()) {
                 clientConf.setUseKeyStoreTls(true);
                 clientConf.setTlsTrustStoreType(proxyConfig.getBrokerClientTlsTrustStoreType());
diff --git a/pulsar-proxy/src/main/java/org/apache/pulsar/proxy/server/ServiceChannelInitializer.java b/pulsar-proxy/src/main/java/org/apache/pulsar/proxy/server/ServiceChannelInitializer.java
index 2ce2a93819f..db2574f0df1 100644
--- a/pulsar-proxy/src/main/java/org/apache/pulsar/proxy/server/ServiceChannelInitializer.java
+++ b/pulsar-proxy/src/main/java/org/apache/pulsar/proxy/server/ServiceChannelInitializer.java
@@ -18,18 +18,13 @@
  */
 package org.apache.pulsar.proxy.server;
 
-import static org.apache.commons.lang3.StringUtils.isEmpty;
 
 import io.netty.handler.ssl.SslHandler;
 import io.netty.handler.ssl.SslProvider;
 import io.netty.handler.timeout.ReadTimeoutHandler;
 import java.util.concurrent.TimeUnit;
-import java.util.function.Supplier;
-import org.apache.pulsar.client.api.AuthenticationDataProvider;
-import org.apache.pulsar.client.api.AuthenticationFactory;
 import org.apache.pulsar.common.protocol.Commands;
 import org.apache.pulsar.common.protocol.OptionalProxyProtocolDecoder;
-import org.apache.pulsar.common.util.NettyClientSslContextRefresher;
 import org.apache.pulsar.common.util.NettyServerSslContextBuilder;
 
 import io.netty.channel.ChannelInitializer;
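Review bot: Removing the static `isEmpty` import leaves two consecutive blank lines after the `package` statement. Please collapse them, and while tidying the import block check whether `SslProvider` is still needed once the broker-client setup is deleted in the later hunks.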
@@ -52,9 +47,7 @@ public class ServiceChannelInitializer extends ChannelInitializer<SocketChannel>
     private final int brokerProxyReadTimeoutMs;
 
     private SslContextAutoRefreshBuilder<SslContext> serverSslCtxRefresher;
-    private SslContextAutoRefreshBuilder<SslContext> clientSslCtxRefresher;
     private NettySSLContextAutoRefreshBuilder serverSSLContextAutoRefreshBuilder;
-    private NettySSLContextAutoRefreshBuilder clientSSLContextAutoRefreshBuilder;
 
     public ServiceChannelInitializer(ProxyService proxyService, ProxyConfiguration serviceConfig, boolean enableTls)
             throws Exception {
@@ -95,44 +88,6 @@ public class ServiceChannelInitializer extends ChannelInitializer<SocketChannel>
         } else {
             this.serverSslCtxRefresher = null;
         }
-
-        if (serviceConfig.isTlsEnabledWithBroker()) {
-            AuthenticationDataProvider authData = null;
-
-            if (!isEmpty(serviceConfig.getBrokerClientAuthenticationPlugin())) {
-                authData = AuthenticationFactory.create(serviceConfig.getBrokerClientAuthenticationPlugin(),
-                        serviceConfig.getBrokerClientAuthenticationParameters()).getAuthData();
-            }
-
-            if (tlsEnabledWithKeyStore) {
-                clientSSLContextAutoRefreshBuilder = new NettySSLContextAutoRefreshBuilder(
-                        serviceConfig.getBrokerClientSslProvider(),
-                        serviceConfig.isTlsAllowInsecureConnection(),
-                        serviceConfig.getBrokerClientTlsTrustStoreType(),
-                        serviceConfig.getBrokerClientTlsTrustStore(),
-                        serviceConfig.getBrokerClientTlsTrustStorePassword(),
-                        serviceConfig.getBrokerClientTlsCiphers(),
-                        serviceConfig.getBrokerClientTlsProtocols(),
-                        serviceConfig.getTlsCertRefreshCheckDurationSec(),
-                        authData);
-            } else {
-                SslProvider sslProvider = null;
-                if (serviceConfig.getBrokerClientSslProvider() != null) {
-                    sslProvider = SslProvider.valueOf(serviceConfig.getBrokerClientSslProvider());
-                }
-                clientSslCtxRefresher = new NettyClientSslContextRefresher(
-                        sslProvider,
-                        serviceConfig.isTlsAllowInsecureConnection(),
-                        serviceConfig.getBrokerClientTrustCertsFilePath(),
-                        authData,
-                        serviceConfig.getBrokerClientTlsCiphers(),
-                        serviceConfig.getBrokerClientTlsProtocols(),
-                        serviceConfig.getTlsCertRefreshCheckDurationSec()
-                );
-            }
-        } else {
-            this.clientSslCtxRefresher = null;
-        }
     }
 
     @Override
@@ -156,25 +111,6 @@ public class ServiceChannelInitializer extends ChannelInitializer<SocketChannel>
         ch.pipeline().addLast("frameDecoder", new LengthFieldBasedFrameDecoder(
                 Commands.DEFAULT_MAX_MESSAGE_SIZE + Commands.MESSAGE_SIZE_FRAME_PADDING, 0, 4, 0, 4));
 
-        Supplier<SslHandler> sslHandlerSupplier = null;
-        if (clientSslCtxRefresher != null) {
-            sslHandlerSupplier = new Supplier<SslHandler>() {
-                @Override
-                public SslHandler get() {
-                    return clientSslCtxRefresher.get().newHandler(ch.alloc());
-                }
-            };
-        } else if (clientSSLContextAutoRefreshBuilder != null) {
-            sslHandlerSupplier = new Supplier<SslHandler>() {
-                @Override
-                public SslHandler get() {
-                    return new SslHandler(clientSSLContextAutoRefreshBuilder.get().createSSLEngine());
-                }
-            };
-        }
-
-        ch.pipeline().addLast("handler",
-                new ProxyConnection(proxyService, sslHandlerSupplier, proxyService.getDnsAddressResolverGroup()));
-
+        ch.pipeline().addLast("handler", new ProxyConnection(proxyService, proxyService.getDnsAddressResolverGroup()));
     }
 }
diff --git a/pulsar-proxy/src/test/java/org/apache/pulsar/proxy/server/ProxyWithAuthorizationTest.java b/pulsar-proxy/src/test/java/org/apache/pulsar/proxy/server/ProxyWithAuthorizationTest.java
index d813777f7eb..dd06f33b79a 100644
--- a/pulsar-proxy/src/test/java/org/apache/pulsar/proxy/server/ProxyWithAuthorizationTest.java
+++ b/pulsar-proxy/src/test/java/org/apache/pulsar/proxy/server/ProxyWithAuthorizationTest.java
@@ -19,15 +19,13 @@
 package org.apache.pulsar.proxy.server;
 
 import static org.mockito.Mockito.spy;
-
 import com.google.common.collect.Sets;
-
+import java.util.Collections;
 import java.util.HashSet;
 import java.util.Map;
 import java.util.Optional;
 import java.util.Set;
 import java.util.concurrent.TimeUnit;
-
 import lombok.Cleanup;
 import org.apache.pulsar.broker.authentication.AuthenticationProviderTls;
 import org.apache.pulsar.broker.authentication.AuthenticationService;
@@ -145,20 +143,24 @@ public class ProxyWithAuthorizationTest extends ProducerConsumerBase {
         };
     }
 
-    @BeforeMethod
     @Override
-    protected void setup() throws Exception {
-
+    protected void doInitConf() throws Exception {
+        super.doInitConf();
         // enable tls and auth&auth at broker
         conf.setAuthenticationEnabled(true);
         conf.setAuthorizationEnabled(true);
+        conf.setTopicLevelPoliciesEnabled(false);
+        conf.setProxyRoles(Collections.singleton("Proxy"));
+        conf.setAdvertisedAddress(null);
 
         conf.setBrokerServicePortTls(Optional.of(0));
+        conf.setBrokerServicePort(Optional.empty());
         conf.setWebServicePortTls(Optional.of(0));
+        conf.setWebServicePort(Optional.empty());
         conf.setTlsTrustCertsFilePath(TLS_PROXY_TRUST_CERT_FILE_PATH);
         conf.setTlsCertificateFilePath(TLS_BROKER_CERT_FILE_PATH);
         conf.setTlsKeyFilePath(TLS_BROKER_KEY_FILE_PATH);
-        conf.setTlsAllowInsecureConnection(true);
+        conf.setTlsAllowInsecureConnection(false);
 
         Set<String> superUserRoles = new HashSet<>();
         superUserRoles.add("superUser");
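Review bot: `doInitConf` now sets `setTlsAllowInsecureConnection(false)`, which is the change this test needs, but it also adds `setTopicLevelPoliciesEnabled(false)`, `setProxyRoles(...)`, `setAdvertisedAddress(null)` and empties the non-TLS ports with no comment on why. Please add a one-line comment per group (for instance that `setAdvertisedAddress(null)` is there so the broker address matches the test certificate, if that is the reason) so the next reader can tell which settings the hostname check depends on.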
@@ -168,20 +170,24 @@ public class ProxyWithAuthorizationTest extends ProducerConsumerBase {
         conf.setBrokerClientAuthenticationParameters(
                 "tlsCertFile:" + TLS_BROKER_CERT_FILE_PATH + "," + "tlsKeyFile:" + TLS_BROKER_KEY_FILE_PATH);
         conf.setBrokerClientTrustCertsFilePath(TLS_BROKER_TRUST_CERT_FILE_PATH);
-        Set<String> providers = new HashSet<>();
-        providers.add(AuthenticationProviderTls.class.getName());
-        conf.setAuthenticationProviders(providers);
+        conf.setAuthenticationProviders(Collections.singleton(AuthenticationProviderTls.class.getName()));
 
         conf.setClusterName("proxy-authorization");
         conf.setNumExecutorThreadPoolSize(5);
+    }
 
+    @BeforeMethod
+    @Override
+    protected void setup() throws Exception {
         super.init();
 
         // start proxy service
         proxyConfig.setAuthenticationEnabled(true);
         proxyConfig.setAuthorizationEnabled(false);
+        proxyConfig.setForwardAuthorizationCredentials(true);
         proxyConfig.setBrokerServiceURL(pulsar.getBrokerServiceUrl());
         proxyConfig.setBrokerServiceURLTLS(pulsar.getBrokerServiceUrlTls());
+        proxyConfig.setAdvertisedAddress(null);
 
         proxyConfig.setServicePort(Optional.of(0));
         proxyConfig.setBrokerProxyAllowedTargetPorts("*");
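Review bot: proxyConfig.setBrokerServiceURL(pulsar.getBrokerServiceUrl()) is kept in setup() even though doInitConf() now sets conf.setBrokerServicePort(Optional.empty()), so the proxy is being handed the URL of a listener the broker no longer opens. Either drop the plaintext URL here and leave only setBrokerServiceURLTLS, or add a comment explaining why it is still set. The new setForwardAuthorizationCredentials(true) sits next to setAuthorizationEnabled(false); a one-line comment that authorization is delegated to the broker would make that combination read as intentional.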
@@ -198,7 +204,7 @@ public class ProxyWithAuthorizationTest extends ProducerConsumerBase {
         proxyConfig.setBrokerClientAuthenticationPlugin(AuthenticationTls.class.getName());
         proxyConfig.setBrokerClientAuthenticationParameters(
                 "tlsCertFile:" + TLS_PROXY_CERT_FILE_PATH + "," + "tlsKeyFile:" + TLS_PROXY_KEY_FILE_PATH);
-        proxyConfig.setAuthenticationProviders(providers);
+        proxyConfig.setAuthenticationProviders(Collections.singleton(AuthenticationProviderTls.class.getName()));
 
         proxyService = Mockito.spy(new ProxyService(proxyConfig,
                                            new AuthenticationService(
@@ -240,11 +246,11 @@ public class ProxyWithAuthorizationTest extends ProducerConsumerBase {
         @Cleanup
         PulsarClient proxyClient = createPulsarClient(proxyService.getServiceUrlTls(), PulsarClient.builder());
 
-        String namespaceName = "my-property/proxy-authorization/my-ns";
+        String namespaceName = "my-tenant/my-ns";
 
-        admin.clusters().createCluster("proxy-authorization", ClusterData.builder().serviceUrl(brokerUrl.toString()).build());
+        admin.clusters().createCluster("proxy-authorization", ClusterData.builder().serviceUrlTls(brokerUrlTls.toString()).build());
 
-        admin.tenants().createTenant("my-property",
+        admin.tenants().createTenant("my-tenant",
                 new TenantInfoImpl(Sets.newHashSet("appid1", "appid2"), Sets.newHashSet("proxy-authorization")));
         admin.namespaces().createNamespace(namespaceName);
 
@@ -254,11 +260,11 @@ public class ProxyWithAuthorizationTest extends ProducerConsumerBase {
                 Sets.newHashSet(AuthAction.consume, AuthAction.produce));
 
         Consumer<byte[]> consumer = proxyClient.newConsumer()
-                .topic("persistent://my-property/proxy-authorization/my-ns/my-topic1")
+                .topic("persistent://my-tenant/my-ns/my-topic1")
                 .subscriptionName("my-subscriber-name").subscribe();
 
         Producer<byte[]> producer = proxyClient.newProducer(Schema.BYTES)
-                .topic("persistent://my-property/proxy-authorization/my-ns/my-topic1").create();
+                .topic("persistent://my-tenant/my-ns/my-topic1").create();
         final int msgs = 10;
         for (int i = 0; i < msgs; i++) {
             String message = "my-message-" + i;
@@ -294,11 +300,11 @@ public class ProxyWithAuthorizationTest extends ProducerConsumerBase {
         PulsarClient proxyClient = createPulsarClient(proxyService.getServiceUrlTls(),
                 PulsarClient.builder().enableTlsHostnameVerification(hostnameVerificationEnabled));
 
-        String namespaceName = "my-property/proxy-authorization/my-ns";
+        String namespaceName = "my-tenant/my-ns";
 
-        admin.clusters().createCluster("proxy-authorization", ClusterData.builder().serviceUrl(brokerUrl.toString()).build());
+        admin.clusters().createCluster("proxy-authorization", ClusterData.builder().serviceUrl(brokerUrlTls.toString()).build());
 
-        admin.tenants().createTenant("my-property",
+        admin.tenants().createTenant("my-tenant",
                 new TenantInfoImpl(Sets.newHashSet("appid1", "appid2"), Sets.newHashSet("proxy-authorization")));
         admin.namespaces().createNamespace(namespaceName);
 
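Review bot: the createCluster call in this hunk passes the TLS URL through serviceUrl(brokerUrlTls.toString()), whereas the equivalent change in the other test methods of this patch uses serviceUrlTls(brokerUrlTls.toString()). That registers an https URL in the cluster's plaintext service URL field. Unless this test depends on it, switch to serviceUrlTls(...) so all the methods register the cluster the same way.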
@@ -308,7 +314,7 @@ public class ProxyWithAuthorizationTest extends ProducerConsumerBase {
                 Sets.newHashSet(AuthAction.consume, AuthAction.produce));
 
         try {
-            proxyClient.newConsumer().topic("persistent://my-property/proxy-authorization/my-ns/my-topic1")
+            proxyClient.newConsumer().topic("persistent://my-tenant/my-ns/my-topic1")
                     .subscriptionName("my-subscriber-name").subscribe();
             if (hostnameVerificationEnabled) {
                 Assert.fail("Connection should be failed due to hostnameVerification enabled");
@@ -344,13 +350,13 @@ public class ProxyWithAuthorizationTest extends ProducerConsumerBase {
         // create a client which connects to proxy over tls and pass authData
         @Cleanup
         PulsarClient proxyClient = createPulsarClient(proxyService.getServiceUrlTls(),
-                PulsarClient.builder().operationTimeout(1, TimeUnit.SECONDS));
+                PulsarClient.builder().operationTimeout(15, TimeUnit.SECONDS));
 
-        String namespaceName = "my-property/proxy-authorization/my-ns";
+        String namespaceName = "my-tenant/my-ns";
 
-        admin.clusters().createCluster("proxy-authorization", ClusterData.builder().serviceUrl(brokerUrl.toString()).build());
+        admin.clusters().createCluster("proxy-authorization", ClusterData.builder().serviceUrlTls(brokerUrlTls.toString()).build());
 
-        admin.tenants().createTenant("my-property",
+        admin.tenants().createTenant("my-tenant",
                 new TenantInfoImpl(Sets.newHashSet("appid1", "appid2"), Sets.newHashSet("proxy-authorization")));
         admin.namespaces().createNamespace(namespaceName);
 
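Review bot: raising operationTimeout from 1 to 15 seconds on the builder in this hunk looks like it has no effect, because the builder is passed to createPulsarClient(), which ends with .operationTimeout(1000, TimeUnit.MILLISECONDS).build() and so overwrites whatever the caller set. If the longer timeout is needed now that the handshake is fully verified, change it in createPulsarClient() or stop setting it there; otherwise drop the change here.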
@@ -360,7 +366,7 @@ public class ProxyWithAuthorizationTest extends ProducerConsumerBase {
                 Sets.newHashSet(AuthAction.consume, AuthAction.produce));
 
         try {
-            proxyClient.newConsumer().topic("persistent://my-property/proxy-authorization/my-ns/my-topic1")
+            proxyClient.newConsumer().topic("persistent://my-tenant/my-ns/my-topic1")
                     .subscriptionName("my-subscriber-name").subscribe();
             if (hostnameVerificationEnabled) {
                 Assert.fail("Connection should be failed due to hostnameVerification enabled");
@@ -382,12 +388,12 @@ public class ProxyWithAuthorizationTest extends ProducerConsumerBase {
     public void tlsCiphersAndProtocols(Set<String> tlsCiphers, Set<String> tlsProtocols, boolean expectFailure)
             throws Exception {
         log.info("-- Starting {} test --", methodName);
-        String namespaceName = "my-property/proxy-authorization/my-ns";
+        String namespaceName = "my-tenant/my-ns";
         createAdminClient();
 
-        admin.clusters().createCluster("proxy-authorization", ClusterData.builder().serviceUrl(brokerUrl.toString()).build());
+        admin.clusters().createCluster("proxy-authorization", ClusterData.builder().serviceUrl(brokerUrlTls.toString()).build());
 
-        admin.tenants().createTenant("my-property",
+        admin.tenants().createTenant("my-tenant",
                 new TenantInfoImpl(Sets.newHashSet("appid1", "appid2"), Sets.newHashSet("proxy-authorization")));
         admin.namespaces().createNamespace(namespaceName);
 
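Review bot: in tlsCiphersAndProtocols the cluster is created with serviceUrl(brokerUrlTls.toString()), putting the TLS URL into the plaintext service URL field, while other methods touched by this patch call serviceUrlTls(brokerUrlTls.toString()). Use serviceUrlTls(...) here as well, or note why this test needs the TLS address under serviceUrl.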
@@ -399,8 +405,10 @@ public class ProxyWithAuthorizationTest extends ProducerConsumerBase {
         ProxyConfiguration proxyConfig = new ProxyConfiguration();
         proxyConfig.setAuthenticationEnabled(true);
         proxyConfig.setAuthorizationEnabled(false);
+        proxyConfig.setForwardAuthorizationCredentials(true);
         proxyConfig.setBrokerServiceURL(pulsar.getBrokerServiceUrl());
         proxyConfig.setBrokerServiceURLTLS(pulsar.getBrokerServiceUrlTls());
+        proxyConfig.setAdvertisedAddress(null);
 
         proxyConfig.setServicePort(Optional.of(0));
         proxyConfig.setBrokerProxyAllowedTargetPorts("*");
@@ -447,7 +455,7 @@ public class ProxyWithAuthorizationTest extends ProducerConsumerBase {
             @Cleanup
             PulsarClient proxyClient = createPulsarClient("pulsar://localhost:" + proxyService.getListenPortTls().get(), PulsarClient.builder());
             Consumer<byte[]> consumer = proxyClient.newConsumer()
-                    .topic("persistent://my-property/proxy-authorization/my-ns/my-topic1")
+                    .topic("persistent://my-tenant/my-ns/my-topic1")
                     .subscriptionName("my-subscriber-name").subscribe();
 
             if (expectFailure) {
@@ -469,7 +477,7 @@ public class ProxyWithAuthorizationTest extends ProducerConsumerBase {
         authParams.put("tlsKeyFile", TLS_SUPERUSER_CLIENT_KEY_FILE_PATH);
 
         admin = spy(PulsarAdmin.builder().serviceHttpUrl(brokerUrlTls.toString())
-                .tlsTrustCertsFilePath(TLS_PROXY_TRUST_CERT_FILE_PATH).allowTlsInsecureConnection(true)
+                .tlsTrustCertsFilePath(TLS_BROKER_TRUST_CERT_FILE_PATH)
                 .authentication(AuthenticationTls.class.getName(), authParams).build());
     }
 
@@ -483,7 +491,7 @@ public class ProxyWithAuthorizationTest extends ProducerConsumerBase {
         authTls.configure(authParams);
 
         return clientBuilder.serviceUrl(proxyServiceUrl).statsInterval(0, TimeUnit.SECONDS)
-                .tlsTrustCertsFilePath(TLS_PROXY_TRUST_CERT_FILE_PATH).allowTlsInsecureConnection(true)
+                .tlsTrustCertsFilePath(TLS_PROXY_TRUST_CERT_FILE_PATH)
                 .authentication(authTls).enableTls(true)
                 .operationTimeout(1000, TimeUnit.MILLISECONDS).build();
     }
diff --git a/pulsar-proxy/src/test/resources/authentication/tls/ProxyWithAuthorizationTest/broker-cacert.pem b/pulsar-proxy/src/test/resources/authentication/tls/ProxyWithAuthorizationTest/broker-cacert.pem
index df21a4968bf..7d2d58d8d7a 100644
--- a/pulsar-proxy/src/test/resources/authentication/tls/ProxyWithAuthorizationTest/broker-cacert.pem
+++ b/pulsar-proxy/src/test/resources/authentication/tls/ProxyWithAuthorizationTest/broker-cacert.pem
@@ -2,76 +2,76 @@ Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number:
-            37:55:7a:ae:71:6b:5f:f0:0d:f7:11:df:b5:f9:ce:e1:65:a4:0c:a4
+            40:cd:a5:a5:35:76:ee:02:57:8b:30:8f:2a:12:34:03:45:c5:96:8c
         Signature Algorithm: sha256WithRSAEncryption
         Issuer: CN = CARoot
         Validity
-            Not Before: Apr 23 17:08:51 2021 GMT
-            Not After : Apr 21 17:08:51 2031 GMT
+            Not Before: May 30 13:38:24 2022 GMT
+            Not After : May 27 13:38:24 2032 GMT
         Subject: CN = CARoot
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
                 RSA Public-Key: (2048 bit)
                 Modulus:
-                    00:ce:29:c8:45:af:07:8e:79:1e:55:66:7b:93:af:
-                    09:2c:72:fd:d5:33:38:30:a9:b5:50:92:90:33:b0:
-                    55:b0:c4:6b:37:4a:ba:5b:76:4d:52:0b:9f:58:b2:
-                    c5:95:8c:47:6d:2b:07:0a:f5:74:43:ec:7d:36:bf:
-                    3e:8c:d6:13:31:ce:fc:d1:77:b0:ac:3c:ae:69:4b:
-                    bd:5d:93:bd:84:57:51:a7:ef:03:2e:ae:3e:93:73:
-                    8b:1e:39:90:8b:32:e2:0a:dd:b8:20:83:98:76:91:
-                    75:d6:d5:db:43:7b:f4:c9:4e:23:52:e3:11:55:05:
-                    48:b8:82:47:ea:32:0b:56:1b:07:11:f3:06:c7:4a:
-                    d5:6b:87:c2:2e:e2:9a:8c:9d:54:ca:5e:96:08:02:
-                    5d:17:42:4d:73:86:08:ab:6e:2e:f3:a8:c3:a3:c1:
-                    bd:88:63:5e:69:7e:fa:af:31:8d:3a:49:ed:e8:cf:
-                    80:15:ca:d4:2b:fe:84:3d:aa:27:7e:98:36:48:4f:
-                    3b:27:90:1d:c1:fe:4e:13:b0:5e:a5:32:6e:16:38:
-                    2e:b7:d1:f3:6b:18:a5:3e:b6:d7:07:42:21:c7:d9:
-                    8e:d6:8c:a5:bf:25:9e:5c:fc:c7:12:18:59:23:b9:
-                    3d:39:45:3d:1c:81:e2:f2:29:91:05:20:46:b2:52:
-                    06:51
+                    00:d8:d5:00:e0:6b:4f:4e:8a:67:08:e9:e3:3f:23:
+                    ef:15:1d:82:10:85:f3:3b:77:9c:96:c1:aa:eb:90:
+                    41:0b:5b:ae:77:d9:a3:f1:cf:2a:32:40:78:33:6a:
+                    81:b9:c2:cd:91:36:98:df:41:84:c0:62:8a:a1:03:
+                    89:8d:2b:b8:91:49:a9:e8:a2:90:ad:b9:cd:23:84:
+                    bc:60:1f:6f:b5:81:9f:9c:cf:d5:26:a8:a5:b6:4d:
+                    59:5f:5c:7f:da:e8:1d:3d:04:f3:b8:ef:f8:d5:73:
+                    c6:fd:6a:b1:91:ae:16:b7:45:21:9a:1a:1a:76:74:
+                    01:40:ee:fc:3c:67:be:6a:7f:f4:a3:82:37:ee:43:
+                    41:f5:67:d5:d5:64:9c:d8:53:75:34:4d:23:80:b5:
+                    59:13:c2:27:47:8e:20:32:6f:f6:b3:70:bf:5e:15:
+                    08:7e:d1:bf:aa:4d:06:6b:0d:17:21:eb:95:47:52:
+                    fa:d7:97:ef:1a:5d:63:26:17:36:01:20:ac:57:50:
+                    34:f0:57:49:38:3d:9c:68:6a:87:91:38:b6:76:9d:
+                    bc:e9:4e:c2:58:54:8d:8a:32:05:9e:ba:cb:f0:d0:
+                    ec:91:67:1d:77:bf:d5:02:77:d4:22:78:94:f4:9a:
+                    49:fa:ef:b2:9b:30:1a:8a:f0:a7:9a:2b:e5:e9:c7:
+                    36:c5
                 Exponent: 65537 (0x10001)
         X509v3 extensions:
             X509v3 Subject Key Identifier: 
-                EF:DA:58:74:AA:21:F9:9E:19:7E:44:2B:84:32:93:F4:0F:79:18:3B
+                DD:AC:A0:40:6E:E9:2B:49:F2:35:DB:B4:E9:98:AD:58:7B:37:6B:55
             X509v3 Authority Key Identifier: 
-                keyid:EF:DA:58:74:AA:21:F9:9E:19:7E:44:2B:84:32:93:F4:0F:79:18:3B
+                keyid:DD:AC:A0:40:6E:E9:2B:49:F2:35:DB:B4:E9:98:AD:58:7B:37:6B:55
 
             X509v3 Basic Constraints: critical
                 CA:TRUE
     Signature Algorithm: sha256WithRSAEncryption
-         2e:f5:b6:f7:fc:50:89:16:1e:ea:8c:ec:57:54:f6:ca:d3:19:
-         65:fe:da:c5:73:53:f6:d0:1e:26:96:f2:d3:03:55:8d:6e:c4:
-         cd:8c:2d:7a:ea:fa:38:6c:ed:fa:d5:23:b8:52:c1:e3:52:04:
-         3d:46:8c:2d:b6:b2:47:68:41:92:f6:47:24:50:78:47:5e:2a:
-         9b:df:85:a8:92:0d:49:17:eb:51:e8:b2:69:3c:4a:f3:9f:5f:
-         ea:fd:b2:08:3c:30:1a:93:be:d3:c3:b3:c7:60:7c:ea:f4:15:
-         43:bd:3f:b1:d0:69:3c:84:5b:05:01:55:d7:d5:87:fb:58:53:
-         03:d8:91:5f:e8:e0:37:88:82:ea:dc:1c:2d:a0:8d:82:68:65:
-         6e:ea:0d:2a:e1:aa:cc:b3:d1:ce:a8:2b:2d:ed:e4:ba:0f:7f:
-         51:48:d2:4b:2f:7c:eb:02:01:4f:2c:b6:06:c1:9a:97:2c:b7:
-         6c:b7:06:86:d1:8b:cc:d6:d4:c3:ff:b5:65:c5:92:eb:9c:68:
-         6d:99:d8:4a:6d:7a:ac:fe:dc:f3:12:f8:bb:2b:0a:b9:d8:1e:
-         87:b6:e9:8b:51:32:f3:7b:0b:1a:29:57:4c:7d:5a:b6:9c:83:
-         23:e5:35:2b:98:83:aa:7c:ef:24:3a:74:a8:86:22:32:06:fb:
-         03:b7:01:9d
+         07:0c:90:05:fa:2c:c9:4e:05:ec:6b:7d:99:9c:52:2a:20:34:
+         46:ac:8d:24:81:f9:a7:f3:1d:03:32:45:82:9a:61:af:1f:63:
+         25:6b:97:ca:93:78:e5:d7:87:81:b6:29:22:d4:0d:8d:ed:0e:
+         bd:85:80:6c:38:e9:86:3c:bd:ee:ff:26:78:0a:f0:a7:54:0b:
+         af:27:9e:8b:83:b7:10:e9:44:0d:4a:7e:a8:e2:aa:1c:06:f8:
+         18:f1:c4:c9:e4:bb:17:41:59:94:b4:dc:78:53:fb:1b:43:57:
+         82:59:de:6c:03:52:9a:28:cb:e4:9e:ea:c5:00:93:e0:27:b4:
+         4b:e6:b3:c5:88:2d:14:33:10:ff:b0:23:4e:5d:ea:17:97:7d:
+         f4:e2:c8:fe:c3:4a:77:83:64:ef:c9:b6:3e:77:64:32:07:91:
+         bd:e1:58:9a:e1:38:ab:eb:d2:e3:cb:05:7c:c7:f3:2b:47:bf:
+         36:64:7e:32:5a:62:44:07:c8:8e:9d:55:1a:99:c4:14:5a:66:
+         ed:5f:8b:ab:dd:eb:36:28:cd:77:47:84:00:ae:a7:34:0e:0d:
+         77:df:67:72:08:94:75:52:1b:4a:71:4d:31:5d:aa:1b:aa:b6:
+         e0:d6:86:52:7c:26:ae:1f:96:ab:06:32:cb:7a:f3:bb:76:3e:
+         08:53:9f:64
 -----BEGIN CERTIFICATE-----
-MIIDAzCCAeugAwIBAgIUN1V6rnFrX/AN9xHftfnO4WWkDKQwDQYJKoZIhvcNAQEL
-BQAwETEPMA0GA1UEAwwGQ0FSb290MB4XDTIxMDQyMzE3MDg1MVoXDTMxMDQyMTE3
-MDg1MVowETEPMA0GA1UEAwwGQ0FSb290MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
-MIIBCgKCAQEAzinIRa8HjnkeVWZ7k68JLHL91TM4MKm1UJKQM7BVsMRrN0q6W3ZN
-UgufWLLFlYxHbSsHCvV0Q+x9Nr8+jNYTMc780XewrDyuaUu9XZO9hFdRp+8DLq4+
-k3OLHjmQizLiCt24IIOYdpF11tXbQ3v0yU4jUuMRVQVIuIJH6jILVhsHEfMGx0rV
-a4fCLuKajJ1Uyl6WCAJdF0JNc4YIq24u86jDo8G9iGNeaX76rzGNOknt6M+AFcrU
-K/6EPaonfpg2SE87J5Adwf5OE7BepTJuFjgut9HzaxilPrbXB0Ihx9mO1oylvyWe
-XPzHEhhZI7k9OUU9HIHi8imRBSBGslIGUQIDAQABo1MwUTAdBgNVHQ4EFgQU79pY
-dKoh+Z4ZfkQrhDKT9A95GDswHwYDVR0jBBgwFoAU79pYdKoh+Z4ZfkQrhDKT9A95
-GDswDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEALvW29/xQiRYe
-6ozsV1T2ytMZZf7axXNT9tAeJpby0wNVjW7EzYwteur6OGzt+tUjuFLB41IEPUaM
-LbayR2hBkvZHJFB4R14qm9+FqJINSRfrUeiyaTxK859f6v2yCDwwGpO+08Ozx2B8
-6vQVQ70/sdBpPIRbBQFV19WH+1hTA9iRX+jgN4iC6twcLaCNgmhlbuoNKuGqzLPR
-zqgrLe3kug9/UUjSSy986wIBTyy2BsGalyy3bLcGhtGLzNbUw/+1ZcWS65xobZnY
-Sm16rP7c8xL4uysKudgeh7bpi1Ey83sLGilXTH1atpyDI+U1K5iDqnzvJDp0qIYi
-Mgb7A7cBnQ==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 -----END CERTIFICATE-----
diff --git a/pulsar-proxy/src/test/resources/authentication/tls/ProxyWithAuthorizationTest/broker-cert.pem b/pulsar-proxy/src/test/resources/authentication/tls/ProxyWithAuthorizationTest/broker-cert.pem
index edd9a025176..31743d06846 100644
--- a/pulsar-proxy/src/test/resources/authentication/tls/ProxyWithAuthorizationTest/broker-cert.pem
+++ b/pulsar-proxy/src/test/resources/authentication/tls/ProxyWithAuthorizationTest/broker-cert.pem
@@ -1,13 +1,13 @@
 Certificate:
     Data:
-        Version: 1 (0x0)
+        Version: 3 (0x2)
         Serial Number:
-            0c:26:15:df:8f:71:1d:6a:31:d0:da:af:64:ef:80:de:ac:9a:46:78
+            61:e6:1b:07:90:6a:4f:f7:cd:46:b9:59:1d:3e:1c:39:0d:f2:5e:07
         Signature Algorithm: sha256WithRSAEncryption
         Issuer: CN = CARoot
         Validity
-            Not Before: Apr 23 17:08:51 2021 GMT
-            Not After : Apr 21 17:08:51 2031 GMT
+            Not Before: May 30 13:38:24 2022 GMT
+            Not After : May 27 13:38:24 2032 GMT
         Subject: C = US, ST = CA, O = Apache Pulsar, OU = Broker, CN = Broker
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
@@ -32,37 +32,41 @@ Certificate:
                     07:f0:b0:06:4f:2c:4c:75:c2:37:ff:35:0d:b1:42:
                     06:0b
                 Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Subject Alternative Name: 
+                DNS:localhost, IP Address:127.0.0.1
     Signature Algorithm: sha256WithRSAEncryption
-         46:84:81:7e:4a:91:2a:c0:d7:0c:5a:a2:fb:6e:a2:e1:66:15:
-         b9:b3:50:1c:93:8c:68:ba:90:42:07:2c:d1:d9:22:53:c4:e7:
-         74:a9:ac:0c:25:cb:ae:c9:a1:c9:35:49:5d:10:c6:ee:08:2a:
-         23:f3:a4:87:24:92:c4:4e:35:b8:23:8e:be:ad:8c:5b:25:df:
-         25:d4:49:8c:d6:11:bf:79:43:a2:88:7f:70:87:8c:fb:51:9a:
-         4c:73:8d:10:e7:5b:fa:fb:76:f9:88:7a:6a:d0:bf:0f:65:1e:
-         26:22:87:57:31:9a:c9:4c:62:cf:ef:00:2b:4e:2f:ee:d4:d8:
-         0d:2f:7f:2e:14:21:d5:c3:25:ce:29:a3:f0:ee:c6:3d:d2:dc:
-         7b:80:34:57:50:97:e7:79:d9:ca:39:10:73:2d:46:f4:98:de:
-         ec:be:98:1a:17:12:c3:9e:1f:0d:25:c8:4e:17:a1:4a:8d:6a:
-         21:11:42:56:1a:16:79:12:e2:db:39:e1:5d:c4:2e:03:31:54:
-         d9:97:53:21:bc:f0:60:e1:ba:ff:f6:a5:4b:c1:39:4f:e1:87:
-         b7:63:9a:63:fa:a2:83:1c:b5:8e:fd:48:be:d5:50:40:0b:69:
-         34:81:1e:d1:ca:c5:34:ff:bc:c3:ec:22:a5:3e:ca:31:fe:43:
-         39:00:79:72
+         8d:1d:69:d2:44:1f:af:68:30:80:c1:91:b2:2f:9a:7e:ca:ff:
+         38:46:8e:28:59:02:2d:e7:74:c4:3c:b3:ac:b3:22:53:e9:54:
+         3a:e2:4d:4d:65:63:47:dd:38:86:ec:d1:7d:4f:fe:5d:c6:c8:
+         c8:10:b8:33:5a:4d:9e:83:e3:92:97:c5:f1:d8:e3:97:6d:01:
+         50:03:de:25:d8:e4:de:62:70:b8:c4:55:5b:9f:8c:61:b8:d7:
+         f0:8f:6c:2d:80:cc:b8:7b:8b:b4:54:9a:d6:e1:f9:7f:52:99:
+         7b:ef:23:88:61:e5:7c:85:5c:57:98:cc:a6:98:4b:71:84:5c:
+         ab:5e:82:48:5a:da:5f:d6:84:b5:52:43:df:3c:0f:95:06:29:
+         00:94:f8:98:94:6d:1c:c8:76:21:7a:2f:61:34:ab:bd:27:59:
+         d1:41:99:91:69:68:f7:b6:65:21:e8:9a:b1:9b:ac:72:12:17:
+         54:0b:56:08:bd:9d:6b:0e:35:4a:f8:97:b6:83:00:55:96:0c:
+         66:13:06:c9:27:5f:cc:d0:81:4b:3e:6e:d2:85:cd:79:7a:8c:
+         a0:1e:d8:9b:e4:da:e9:ba:51:f1:29:0f:69:00:df:24:a0:55:
+         5e:cd:d0:84:c9:4a:a8:b4:12:33:29:6f:8a:8c:d7:a1:b4:8b:
+         4a:7d:a2:30
 -----BEGIN CERTIFICATE-----
-MIIC7DCCAdQCFAwmFd+PcR1qMdDar2TvgN6smkZ4MA0GCSqGSIb3DQEBCwUAMBEx
-DzANBgNVBAMMBkNBUm9vdDAeFw0yMTA0MjMxNzA4NTFaFw0zMTA0MjExNzA4NTFa
-MFQxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTEWMBQGA1UEChMNQXBhY2hlIFB1
-bHNhcjEPMA0GA1UECxMGQnJva2VyMQ8wDQYDVQQDEwZCcm9rZXIwggEiMA0GCSqG
-SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDKd9wqEyUkyyliBhJfqJLJU9Y/B8qqCl9y
-ks236kVHcfBjT1gaPfrOpnOQwKn3JfB2de2yAxe+2IpW809qTH4DZZXlReuNR+hg
-Xp44dFBUZaDs2FxlYDQbloN9cdRdf+NiWWfo8NYkfcBuNwNUTD0MMzmbM+FSRMVD
-2uruLPMcFi5GTHyfXU1u/owjnvd+nznBcQZS9CaaItTPxSU5qdLkJMbYSkii7nYl
-yzzwv80Qd/+BEUMhzDvMEHoHhPzMAqJF3pEta9HtFxrQRvSufbOJ+DF3leVGsakx
-1tjjRwCygYHbihzZ8c3jTTX2OJEN6gfwsAZPLEx1wjf/NQ2xQgYLAgMBAAEwDQYJ
-KoZIhvcNAQELBQADggEBAEaEgX5KkSrA1wxaovtuouFmFbmzUByTjGi6kEIHLNHZ
-IlPE53SprAwly67Jock1SV0Qxu4IKiPzpIckksRONbgjjr6tjFsl3yXUSYzWEb95
-Q6KIf3CHjPtRmkxzjRDnW/r7dvmIemrQvw9lHiYih1cxmslMYs/vACtOL+7U2A0v
-fy4UIdXDJc4po/Duxj3S3HuANFdQl+d52co5EHMtRvSY3uy+mBoXEsOeHw0lyE4X
-oUqNaiERQlYaFnkS4ts54V3ELgMxVNmXUyG88GDhuv/2pUvBOU/hh7djmmP6ooMc
-tY79SL7VUEALaTSBHtHKxTT/vMPsIqU+yjH+QzkAeXI=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 -----END CERTIFICATE-----
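Review bot: the only extension added to the regenerated broker certificate is Subject Alternative Name with DNS:localhost and IP Address:127.0.0.1, so any test that uses this certificate with hostname verification enabled has to reach the broker under one of those two names. That dependency is not written down anywhere in the visible change; a comment in ProxyWithAuthorizationTest next to conf.setAdvertisedAddress(null), or in the script that produces these files, would save time the next time the certificates are regenerated. It would also help to record the exact command used, since the certificate moves from Version 1 to Version 3 and a regeneration without the extension would quietly undo that.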
diff --git a/pulsar-proxy/src/test/resources/authentication/tls/ProxyWithAuthorizationTest/client-cacert.pem b/pulsar-proxy/src/test/resources/authentication/tls/ProxyWithAuthorizationTest/client-cacert.pem
index dc75fe9506e..127f56dd777 100644
--- a/pulsar-proxy/src/test/resources/authentication/tls/ProxyWithAuthorizationTest/client-cacert.pem
+++ b/pulsar-proxy/src/test/resources/authentication/tls/ProxyWithAuthorizationTest/client-cacert.pem
@@ -2,76 +2,76 @@ Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number:
-            33:a3:2e:28:58:0b:7a:7b:3c:71:4e:51:1d:1d:16:f5:72:3d:99:01
+            77:4f:f6:cf:99:ca:77:e8:a7:6e:1e:fd:e2:cf:ac:a9:da:68:d2:42
         Signature Algorithm: sha256WithRSAEncryption
         Issuer: CN = CARoot
         Validity
-            Not Before: Apr 23 17:08:51 2021 GMT
-            Not After : Apr 21 17:08:51 2031 GMT
+            Not Before: May 30 13:38:24 2022 GMT
+            Not After : May 27 13:38:24 2032 GMT
         Subject: CN = CARoot
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
                 RSA Public-Key: (2048 bit)
                 Modulus:
-                    00:d9:06:95:38:4a:ed:0d:ef:57:12:26:5e:2f:ea:
-                    3c:05:78:1e:36:90:6c:d6:8d:dc:18:e7:e0:24:d7:
-                    72:ae:d3:af:6a:ff:32:1f:ee:d8:93:9e:f4:53:88:
-                    0f:5d:d6:56:41:03:b9:1e:d7:d4:0d:d5:ae:27:20:
-                    d8:8f:e3:7d:65:79:d3:00:c9:cc:f4:ef:f5:c9:f6:
-                    83:a4:45:b4:6d:11:ac:fc:55:f2:94:6b:75:74:d9:
-                    f7:23:b2:5a:ba:a3:21:b4:6e:5a:2d:fc:84:32:ef:
-                    78:f5:d7:22:7c:e8:a8:15:aa:1d:9f:53:63:fd:77:
-                    f4:d7:20:cc:21:34:1c:7a:22:a9:6a:de:90:06:ae:
-                    10:ff:96:21:61:9e:6d:21:f5:66:37:ef:a0:5a:a8:
-                    51:5f:22:24:9f:a9:a9:b3:21:10:f4:7a:d9:ee:c3:
-                    20:73:c3:48:0a:c7:98:7c:5f:04:7a:e1:eb:8c:d6:
-                    f0:18:d7:e9:0c:11:cd:a1:81:f4:d4:67:c0:72:0f:
-                    e3:90:86:92:97:bd:bc:44:df:b1:b3:6d:85:4f:6b:
-                    fa:bf:9e:6a:1d:9c:77:23:3b:6f:89:38:fb:45:ff:
-                    f5:76:b3:19:f7:7c:59:2b:07:ff:6a:4a:f5:93:4a:
-                    62:ef:18:3b:ea:54:8f:2d:c2:34:c8:a3:6f:ee:f8:
-                    f2:a3
+                    00:b8:5e:c2:60:ed:c4:ee:3c:5b:ab:fc:64:52:f3:
+                    30:41:fc:10:5a:ac:a6:9b:0a:93:d0:d0:c9:bf:96:
+                    14:a7:cf:5c:3e:23:91:7e:54:ec:fe:2d:9f:c9:34:
+                    d1:4e:95:2f:85:9c:cc:be:90:a3:a4:cb:4d:a4:72:
+                    d2:84:e0:c7:42:c4:bf:70:b6:fa:d2:45:8b:83:66:
+                    1e:a4:e9:0e:06:a3:46:ea:a7:18:cd:33:b9:f1:ff:
+                    76:91:72:8f:cd:f9:93:43:c3:6e:17:1f:2d:86:df:
+                    b6:fb:2d:d6:be:2d:98:ad:de:00:c7:de:f9:68:b5:
+                    40:40:56:49:ae:23:e5:a1:3b:5f:15:5a:44:50:da:
+                    fb:02:d3:42:c6:87:0d:c0:8d:3a:e6:e2:aa:73:31:
+                    ab:79:58:51:cd:03:80:f3:12:ce:2f:35:04:8b:39:
+                    5f:b0:cc:b8:41:99:47:c1:17:96:8b:c2:44:84:b5:
+                    21:8a:15:52:fe:1a:5a:f9:88:cc:11:17:ee:48:dd:
+                    ba:bf:ed:67:6e:27:35:42:cf:07:5e:b1:8b:81:55:
+                    92:01:8e:61:fd:8e:82:74:b1:70:7a:3d:52:1f:16:
+                    78:12:bb:b5:09:62:ce:6d:18:4a:e9:f5:27:19:bc:
+                    93:4e:ed:dd:53:a8:c1:bb:48:b7:18:20:7b:79:48:
+                    48:9d
                 Exponent: 65537 (0x10001)
         X509v3 extensions:
             X509v3 Subject Key Identifier: 
-                86:1F:20:03:1D:EA:65:52:AA:D7:38:B7:A7:B1:DC:0A:02:F9:F2:02
+                0F:46:61:3E:6F:71:22:E6:1F:32:37:7C:B2:81:A6:CC:DB:9D:F5:7C
             X509v3 Authority Key Identifier: 
-                keyid:86:1F:20:03:1D:EA:65:52:AA:D7:38:B7:A7:B1:DC:0A:02:F9:F2:02
+                keyid:0F:46:61:3E:6F:71:22:E6:1F:32:37:7C:B2:81:A6:CC:DB:9D:F5:7C
 
             X509v3 Basic Constraints: critical
                 CA:TRUE
     Signature Algorithm: sha256WithRSAEncryption
-         c3:8a:4d:5b:3a:01:28:08:cc:cd:8b:cc:37:0d:0b:0c:45:dd:
-         c0:44:ee:36:9c:1d:7d:1f:b9:5a:a7:fd:9a:19:34:0f:8c:09:
-         9d:24:f1:7b:a2:22:ef:7f:f3:4f:31:e2:b8:a5:f2:ec:d5:32:
-         02:f3:10:c4:82:c4:a0:33:b0:50:53:b7:2e:3d:78:30:8e:b3:
-         c1:f8:51:4d:30:5b:40:65:6f:ad:b8:99:be:d8:cc:3b:43:00:
-         2b:16:5c:9c:bd:83:24:a0:48:0d:cd:2e:29:74:a8:e6:bc:df:
-         f0:7c:2c:1f:03:72:f4:47:4d:88:e6:8f:53:77:25:23:57:0a:
-         84:fb:38:e7:b0:84:57:2b:4d:5a:f0:94:34:8a:48:ca:dc:f7:
-         08:b5:d5:1e:64:b4:03:c9:f3:3d:dd:f5:27:ac:f8:2b:d5:80:
-         ab:b5:b1:37:8e:ae:2f:03:c2:19:4d:37:d6:e2:76:24:a2:98:
-         ed:c8:c5:d0:65:29:4d:ce:0a:bf:d0:a3:3f:f6:03:47:fa:75:
-         8c:06:22:fe:8a:13:9a:9c:17:f5:35:71:7d:66:b9:cd:ca:ac:
-         1e:c3:09:c6:76:b0:6c:2b:45:fd:5b:a9:02:7b:e8:fa:65:32:
-         e3:8e:7d:25:6e:06:db:bc:fd:5b:ad:78:d3:e0:09:df:3d:9c:
-         3b:56:c5:69
+         91:e8:d8:c4:32:2e:80:5c:d4:cb:24:7a:81:43:a9:c7:95:90:
+         1a:2e:7a:d3:0c:5d:b6:21:05:67:4d:98:5a:0d:71:ea:80:01:
+         95:42:fe:fa:f1:7c:dc:bd:76:ff:05:26:3b:f0:94:b3:09:2c:
+         34:dd:43:56:46:2b:15:35:99:d9:94:54:22:cf:a6:68:b0:d1:
+         79:e2:f0:9f:0b:02:7c:cf:1f:bd:d0:f6:49:c6:82:28:a5:c6:
+         ae:94:65:cf:fd:ad:a8:6c:c2:17:da:db:f3:be:30:1a:1b:b4:
+         2c:fa:08:71:9d:64:09:45:02:92:02:ad:eb:15:47:14:43:5b:
+         a8:2d:1a:ec:14:93:dc:ff:bb:51:33:a3:d5:4d:e2:77:ca:e1:
+         a5:98:5c:7a:b6:10:19:d3:d7:f5:14:a5:d5:08:f1:97:18:3d:
+         5f:a6:4e:a2:4a:0d:4b:d4:bb:56:6b:a8:44:35:62:c5:d8:c6:
+         67:11:93:1c:22:64:3e:aa:15:08:dc:87:39:dd:f6:e0:a0:d5:
+         00:db:27:79:3d:f4:35:7c:46:a9:fa:0c:fa:fc:74:f5:bf:f4:
+         fe:71:40:45:33:22:35:83:f7:1a:96:2a:fc:b2:33:e0:1a:e8:
+         24:48:91:5d:90:5c:4c:93:33:4c:40:de:26:bb:24:ac:48:9b:
+         ae:fe:19:34
 -----BEGIN CERTIFICATE-----
-MIIDAzCCAeugAwIBAgIUM6MuKFgLens8cU5RHR0W9XI9mQEwDQYJKoZIhvcNAQEL
-BQAwETEPMA0GA1UEAwwGQ0FSb290MB4XDTIxMDQyMzE3MDg1MVoXDTMxMDQyMTE3
-MDg1MVowETEPMA0GA1UEAwwGQ0FSb290MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
-MIIBCgKCAQEA2QaVOErtDe9XEiZeL+o8BXgeNpBs1o3cGOfgJNdyrtOvav8yH+7Y
-k570U4gPXdZWQQO5HtfUDdWuJyDYj+N9ZXnTAMnM9O/1yfaDpEW0bRGs/FXylGt1
-dNn3I7JauqMhtG5aLfyEMu949dcifOioFaodn1Nj/Xf01yDMITQceiKpat6QBq4Q
-/5YhYZ5tIfVmN++gWqhRXyIkn6mpsyEQ9HrZ7sMgc8NICseYfF8EeuHrjNbwGNfp
-DBHNoYH01GfAcg/jkIaSl728RN+xs22FT2v6v55qHZx3IztviTj7Rf/1drMZ93xZ
-Kwf/akr1k0pi7xg76lSPLcI0yKNv7vjyowIDAQABo1MwUTAdBgNVHQ4EFgQUhh8g
-Ax3qZVKq1zi3p7HcCgL58gIwHwYDVR0jBBgwFoAUhh8gAx3qZVKq1zi3p7HcCgL5
-8gIwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAw4pNWzoBKAjM
-zYvMNw0LDEXdwETuNpwdfR+5Wqf9mhk0D4wJnSTxe6Ii73/zTzHiuKXy7NUyAvMQ
-xILEoDOwUFO3Lj14MI6zwfhRTTBbQGVvrbiZvtjMO0MAKxZcnL2DJKBIDc0uKXSo
-5rzf8HwsHwNy9EdNiOaPU3clI1cKhPs457CEVytNWvCUNIpIytz3CLXVHmS0A8nz
-Pd31J6z4K9WAq7WxN46uLwPCGU031uJ2JKKY7cjF0GUpTc4Kv9CjP/YDR/p1jAYi
-/ooTmpwX9TVxfWa5zcqsHsMJxnawbCtF/VupAnvo+mUy4459JW4G27z9W6140+AJ
-3z2cO1bFaQ==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 -----END CERTIFICATE-----
diff --git a/pulsar-proxy/src/test/resources/authentication/tls/ProxyWithAuthorizationTest/client-cert.pem b/pulsar-proxy/src/test/resources/authentication/tls/ProxyWithAuthorizationTest/client-cert.pem
index 0ac579026ef..1a21d9d4138 100644
--- a/pulsar-proxy/src/test/resources/authentication/tls/ProxyWithAuthorizationTest/client-cert.pem
+++ b/pulsar-proxy/src/test/resources/authentication/tls/ProxyWithAuthorizationTest/client-cert.pem
@@ -1,13 +1,13 @@
 Certificate:
     Data:
-        Version: 1 (0x0)
+        Version: 3 (0x2)
         Serial Number:
-            0c:26:15:df:8f:71:1d:6a:31:d0:da:af:64:ef:80:de:ac:9a:46:79
+            61:e6:1b:07:90:6a:4f:f7:cd:46:b9:59:1d:3e:1c:39:0d:f2:5e:03
         Signature Algorithm: sha256WithRSAEncryption
         Issuer: CN = CARoot
         Validity
-            Not Before: Apr 23 17:08:51 2021 GMT
-            Not After : Apr 21 17:08:51 2031 GMT
+            Not Before: May 30 13:38:24 2022 GMT
+            Not After : May 27 13:38:24 2032 GMT
         Subject: C = US, ST = CA, O = Apache Pulsar, OU = Client, CN = Client
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
@@ -32,37 +32,41 @@ Certificate:
                     8e:18:48:4c:5f:19:e9:b0:7b:22:d3:bc:42:32:45:
                     9a:d1
                 Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Subject Alternative Name: 
+                DNS:localhost, IP Address:127.0.0.1
     Signature Algorithm: sha256WithRSAEncryption
-         a4:bb:d2:e4:ba:17:1f:07:13:26:ac:e1:71:df:1e:d4:d7:a7:
-         31:dd:df:ce:e6:bb:11:fb:cf:a5:66:d2:fb:0e:26:90:fd:94:
-         0d:d2:d6:91:f3:65:75:ae:16:b6:92:2e:0a:41:b5:fc:ba:33:
-         57:85:92:e8:a3:30:97:d9:26:dc:e0:37:da:c5:bd:5f:e9:dd:
-         db:81:cb:38:96:99:6e:d2:a5:6d:92:a8:6d:be:03:6f:a9:48:
-         4a:a1:4b:91:f9:c3:11:85:79:1e:4e:77:98:ff:43:dd:e0:f9:
-         8e:95:fe:f3:e2:eb:48:72:cf:04:fe:3d:78:b3:a8:ee:56:c8:
-         12:c8:0a:3d:70:f4:86:42:d2:b9:54:4d:07:8c:45:ad:af:b9:
-         43:c8:f9:ee:fc:5d:96:a2:b6:d5:d9:48:57:4e:b5:7d:c7:8c:
-         35:21:99:13:9a:60:42:1f:39:4a:3a:1b:3b:e5:ab:1d:91:59:
-         8a:e1:82:9e:70:79:f9:9a:6e:bb:a9:99:30:4d:93:c8:bf:95:
-         91:a1:03:a3:ac:d8:cd:80:db:89:82:a7:e6:74:8d:53:b3:a6:
-         7a:b9:ca:93:14:a2:01:08:bd:9f:4e:2d:0d:50:b3:aa:e8:a6:
-         a8:43:b5:d6:a4:1c:2f:62:7a:1f:1b:92:6b:2d:fa:12:c3:1a:
-         ed:8b:11:fe
+         8b:88:90:00:1a:15:fa:11:f2:f0:35:6f:0f:f2:76:74:fc:8d:
+         bc:03:ee:a5:c5:21:17:c9:01:6b:58:93:fa:3e:7b:e0:0d:6d:
+         db:1f:2a:48:fa:15:34:66:b7:cb:be:82:c6:28:91:99:42:5a:
+         36:b6:0b:2f:bb:85:14:88:a9:ea:dd:0a:7a:be:c4:e7:b2:2d:
+         82:a9:37:bc:d9:5c:aa:03:2e:54:68:b1:b7:e8:d6:45:a5:8f:
+         48:45:2c:9c:7a:55:0a:4a:07:1b:30:8a:49:6d:f4:62:b1:9e:
+         92:0e:d9:34:44:6c:6d:e7:a3:18:bb:85:58:6d:da:20:83:d5:
+         ca:65:63:1e:3b:e6:df:7b:97:40:4f:b1:59:63:a9:b5:80:6f:
+         97:51:53:a1:d3:29:1f:1a:26:05:17:59:3e:16:4f:5f:38:36:
+         76:30:c6:bf:1e:3e:ed:39:83:91:31:58:01:13:59:5c:c5:e9:
+         d6:61:e0:f3:5f:c7:47:8a:5f:af:23:98:89:7b:b4:e6:f6:51:
+         98:a0:26:31:c8:67:91:6d:d5:68:75:3d:4d:48:44:5f:3b:9c:
+         df:a7:87:a0:11:02:d2:13:5f:c1:4c:3f:3e:09:59:2e:fc:cb:
+         c2:c5:f0:f8:91:df:c3:dd:ad:c8:fc:44:23:9b:78:0d:3b:f2:
+         82:f6:02:82
 -----BEGIN CERTIFICATE-----
-MIIC7DCCAdQCFAwmFd+PcR1qMdDar2TvgN6smkZ5MA0GCSqGSIb3DQEBCwUAMBEx
-DzANBgNVBAMMBkNBUm9vdDAeFw0yMTA0MjMxNzA4NTFaFw0zMTA0MjExNzA4NTFa
-MFQxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTEWMBQGA1UEChMNQXBhY2hlIFB1
-bHNhcjEPMA0GA1UECxMGQ2xpZW50MQ8wDQYDVQQDEwZDbGllbnQwggEiMA0GCSqG
-SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDeHhC9ZBPBbHpJhgE7q6sd7LKTQWxsIfLm
-FRtRzq1n/Rg+f3pkomJfLgtZtO3ZFw63vFBmQbfjxHHJc3M92G00gPLjuZiPK1QU
-lbNRG9aRhc23NKJQtvGGbgcw+q5VoF35fByRUGJ9uxSGkgqsKT4oG5nKMGPcqV8F
-+Dg+MBACn8yU10fgGvQcaJY9El5YIUEs7JatnghWg3qSX0vmvQEWcCivqicdxP6y
-Cb+ltEfZWEv+QYEOokZXwTl8jeSxpyXmtN3zniTJ58CMGrSr3bkzvxHLvrsi9/yt
-xEBB1+83CBqVRR/bFF8L+Ej/QSTLXI4YSExfGemweyLTvEIyRZrRAgMBAAEwDQYJ
-KoZIhvcNAQELBQADggEBAKS70uS6Fx8HEyas4XHfHtTXpzHd387muxH7z6Vm0vsO
-JpD9lA3S1pHzZXWuFraSLgpBtfy6M1eFkuijMJfZJtzgN9rFvV/p3duByziWmW7S
-pW2SqG2+A2+pSEqhS5H5wxGFeR5Od5j/Q93g+Y6V/vPi60hyzwT+PXizqO5WyBLI
-Cj1w9IZC0rlUTQeMRa2vuUPI+e78XZaittXZSFdOtX3HjDUhmROaYEIfOUo6Gzvl
-qx2RWYrhgp5wefmabrupmTBNk8i/lZGhA6Os2M2A24mCp+Z0jVOzpnq5ypMUogEI
-vZ9OLQ1Qs6ropqhDtdakHC9ieh8bkmst+hLDGu2LEf4=
+MIIDETCCAfmgAwIBAgIUYeYbB5BqT/fNRrlZHT4cOQ3yXgMwDQYJKoZIhvcNAQEL
+BQAwETEPMA0GA1UEAwwGQ0FSb290MB4XDTIyMDUzMDEzMzgyNFoXDTMyMDUyNzEz
+MzgyNFowVDELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRYwFAYDVQQKEw1BcGFj
+aGUgUHVsc2FyMQ8wDQYDVQQLEwZDbGllbnQxDzANBgNVBAMTBkNsaWVudDCCASIw
+DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAN4eEL1kE8FsekmGATurqx3sspNB
+bGwh8uYVG1HOrWf9GD5/emSiYl8uC1m07dkXDre8UGZBt+PEcclzcz3YbTSA8uO5
+mI8rVBSVs1Eb1pGFzbc0olC28YZuBzD6rlWgXfl8HJFQYn27FIaSCqwpPigbmcow
+Y9ypXwX4OD4wEAKfzJTXR+Aa9Bxolj0SXlghQSzslq2eCFaDepJfS+a9ARZwKK+q
+Jx3E/rIJv6W0R9lYS/5BgQ6iRlfBOXyN5LGnJea03fOeJMnnwIwatKvduTO/Ecu+
+uyL3/K3EQEHX7zcIGpVFH9sUXwv4SP9BJMtcjhhITF8Z6bB7ItO8QjJFmtECAwEA
+AaMeMBwwGgYDVR0RBBMwEYIJbG9jYWxob3N0hwR/AAABMA0GCSqGSIb3DQEBCwUA
+A4IBAQCLiJAAGhX6EfLwNW8P8nZ0/I28A+6lxSEXyQFrWJP6PnvgDW3bHypI+hU0
+ZrfLvoLGKJGZQlo2tgsvu4UUiKnq3Qp6vsTnsi2CqTe82VyqAy5UaLG36NZFpY9I
+RSycelUKSgcbMIpJbfRisZ6SDtk0RGxt56MYu4VYbdogg9XKZWMeO+bfe5dAT7FZ
+Y6m1gG+XUVOh0ykfGiYFF1k+Fk9fODZ2MMa/Hj7tOYORMVgBE1lcxenWYeDzX8dH
+il+vI5iJe7Tm9lGYoCYxyGeRbdVodT1NSERfO5zfp4egEQLSE1/BTD8+CVku/MvC
+xfD4kd/D3a3I/EQjm3gNO/KC9gKC
 -----END CERTIFICATE-----
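Review bot: the Subject Alternative Name added at the top of this hunk lists DNS:localhost and IP Address:127.0.0.1 but no IPv6 loopback, so a test that connects to the literal ::1 with hostname verification enabled will fail the SAN match. If any test binds or connects over IPv6, add IP:::1 to the SAN list in build/regenerate_certs_for_tests.sh; otherwise a one-line comment there saying that only these two names are covered is enough.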
diff --git a/pulsar-proxy/src/test/resources/authentication/tls/ProxyWithAuthorizationTest/proxy-cacert.pem b/pulsar-proxy/src/test/resources/authentication/tls/ProxyWithAuthorizationTest/proxy-cacert.pem
index cb22ab50573..127f56dd777 100644
--- a/pulsar-proxy/src/test/resources/authentication/tls/ProxyWithAuthorizationTest/proxy-cacert.pem
+++ b/pulsar-proxy/src/test/resources/authentication/tls/ProxyWithAuthorizationTest/proxy-cacert.pem
@@ -2,76 +2,76 @@ Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number:
-            2d:fc:78:73:ca:55:1e:32:12:3e:ef:08:24:cf:63:95:1e:ad:ea:ae
+            77:4f:f6:cf:99:ca:77:e8:a7:6e:1e:fd:e2:cf:ac:a9:da:68:d2:42
         Signature Algorithm: sha256WithRSAEncryption
         Issuer: CN = CARoot
         Validity
-            Not Before: Apr 23 17:08:51 2021 GMT
-            Not After : Apr 21 17:08:51 2031 GMT
+            Not Before: May 30 13:38:24 2022 GMT
+            Not After : May 27 13:38:24 2032 GMT
         Subject: CN = CARoot
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
                 RSA Public-Key: (2048 bit)
                 Modulus:
-                    00:c3:e0:f7:5d:bb:9a:76:ee:84:c6:2d:79:3f:a6:
-                    4b:3b:1f:32:31:d9:65:80:d3:02:13:23:2a:f1:2f:
-                    e6:ac:bc:24:d1:cb:b9:5b:ed:cb:63:fe:31:e4:e6:
-                    b8:f3:13:72:be:48:57:cb:d1:70:0f:67:16:6d:26:
-                    bc:23:1c:64:30:ee:c8:0e:0e:68:d9:43:7e:42:74:
-                    7a:d4:59:a4:76:67:70:9f:85:aa:f3:9f:6c:e6:a1:
-                    b5:06:3c:1d:46:38:45:05:df:88:cc:3a:ad:6c:72:
-                    96:69:55:d0:b2:a8:ed:fd:b8:07:6b:5c:6d:1c:0d:
-                    98:c2:88:3f:59:3c:d6:6c:ab:df:dd:3a:c0:5c:fe:
-                    86:74:38:bc:00:d4:f0:50:ea:f0:e6:74:23:48:6d:
-                    63:77:c7:f6:e2:94:f8:1b:0f:51:98:f6:fb:e0:20:
-                    58:c1:b6:a0:58:08:6f:ad:05:f7:71:90:b3:1a:5b:
-                    24:88:0b:ed:71:26:aa:84:c2:21:97:76:e7:d5:77:
-                    30:62:15:d4:30:5e:f9:aa:bc:7f:1f:50:5e:92:47:
-                    f2:92:c0:85:cf:ce:33:07:24:e9:ee:b7:04:0d:b7:
-                    9f:82:ae:a0:b6:73:51:8f:fe:bd:2c:f3:b5:76:61:
-                    3c:da:c6:c0:bd:44:46:6f:43:9d:47:b6:0a:80:a5:
-                    fe:3b
+                    00:b8:5e:c2:60:ed:c4:ee:3c:5b:ab:fc:64:52:f3:
+                    30:41:fc:10:5a:ac:a6:9b:0a:93:d0:d0:c9:bf:96:
+                    14:a7:cf:5c:3e:23:91:7e:54:ec:fe:2d:9f:c9:34:
+                    d1:4e:95:2f:85:9c:cc:be:90:a3:a4:cb:4d:a4:72:
+                    d2:84:e0:c7:42:c4:bf:70:b6:fa:d2:45:8b:83:66:
+                    1e:a4:e9:0e:06:a3:46:ea:a7:18:cd:33:b9:f1:ff:
+                    76:91:72:8f:cd:f9:93:43:c3:6e:17:1f:2d:86:df:
+                    b6:fb:2d:d6:be:2d:98:ad:de:00:c7:de:f9:68:b5:
+                    40:40:56:49:ae:23:e5:a1:3b:5f:15:5a:44:50:da:
+                    fb:02:d3:42:c6:87:0d:c0:8d:3a:e6:e2:aa:73:31:
+                    ab:79:58:51:cd:03:80:f3:12:ce:2f:35:04:8b:39:
+                    5f:b0:cc:b8:41:99:47:c1:17:96:8b:c2:44:84:b5:
+                    21:8a:15:52:fe:1a:5a:f9:88:cc:11:17:ee:48:dd:
+                    ba:bf:ed:67:6e:27:35:42:cf:07:5e:b1:8b:81:55:
+                    92:01:8e:61:fd:8e:82:74:b1:70:7a:3d:52:1f:16:
+                    78:12:bb:b5:09:62:ce:6d:18:4a:e9:f5:27:19:bc:
+                    93:4e:ed:dd:53:a8:c1:bb:48:b7:18:20:7b:79:48:
+                    48:9d
                 Exponent: 65537 (0x10001)
         X509v3 extensions:
             X509v3 Subject Key Identifier: 
-                4E:9B:EB:E2:41:17:D1:24:AF:39:02:BC:42:D6:81:B7:62:6D:E3:57
+                0F:46:61:3E:6F:71:22:E6:1F:32:37:7C:B2:81:A6:CC:DB:9D:F5:7C
             X509v3 Authority Key Identifier: 
-                keyid:4E:9B:EB:E2:41:17:D1:24:AF:39:02:BC:42:D6:81:B7:62:6D:E3:57
+                keyid:0F:46:61:3E:6F:71:22:E6:1F:32:37:7C:B2:81:A6:CC:DB:9D:F5:7C
 
             X509v3 Basic Constraints: critical
                 CA:TRUE
     Signature Algorithm: sha256WithRSAEncryption
-         16:01:53:ab:85:57:5f:92:b9:24:85:c5:70:02:fa:fe:ae:ff:
-         e9:3e:36:24:6e:9e:34:dd:7c:56:f9:31:a1:d1:ae:63:af:3c:
-         2c:e5:8e:47:34:df:b0:1c:33:48:3f:e7:32:fd:a8:38:99:a6:
-         ef:e1:7b:65:92:80:1e:68:e5:98:db:c5:50:4a:35:53:e5:86:
-         89:56:85:0c:6e:da:64:28:68:33:dc:29:3f:41:8b:cf:9c:ec:
-         fc:74:15:19:ff:da:0a:ef:d0:51:67:97:ad:2f:e4:8a:94:52:
-         96:18:bd:77:b3:2b:79:9a:f8:de:af:0f:a2:65:c4:f2:88:3a:
-         57:79:18:e1:d8:7c:e0:52:da:35:8c:dd:d9:75:0d:72:e9:e8:
-         d0:a7:a6:0b:49:88:6d:ed:86:45:25:72:15:4e:2a:0b:6f:9c:
-         2f:48:75:28:b0:aa:cd:15:7f:ae:b3:b7:ec:75:d9:63:c8:46:
-         8f:84:49:1c:e2:db:95:7b:3d:bb:fd:98:45:53:56:3c:3c:de:
-         60:16:f9:14:b8:7e:27:37:be:f0:69:b5:a0:18:bc:83:1e:c1:
-         3a:11:9b:a3:1d:1f:a6:9c:7e:c9:aa:7c:53:44:9e:1d:cb:ca:
-         c8:22:7f:cc:ad:e6:fa:51:54:4d:b5:a1:e6:e3:04:4e:49:1e:
-         67:9c:93:30
+         91:e8:d8:c4:32:2e:80:5c:d4:cb:24:7a:81:43:a9:c7:95:90:
+         1a:2e:7a:d3:0c:5d:b6:21:05:67:4d:98:5a:0d:71:ea:80:01:
+         95:42:fe:fa:f1:7c:dc:bd:76:ff:05:26:3b:f0:94:b3:09:2c:
+         34:dd:43:56:46:2b:15:35:99:d9:94:54:22:cf:a6:68:b0:d1:
+         79:e2:f0:9f:0b:02:7c:cf:1f:bd:d0:f6:49:c6:82:28:a5:c6:
+         ae:94:65:cf:fd:ad:a8:6c:c2:17:da:db:f3:be:30:1a:1b:b4:
+         2c:fa:08:71:9d:64:09:45:02:92:02:ad:eb:15:47:14:43:5b:
+         a8:2d:1a:ec:14:93:dc:ff:bb:51:33:a3:d5:4d:e2:77:ca:e1:
+         a5:98:5c:7a:b6:10:19:d3:d7:f5:14:a5:d5:08:f1:97:18:3d:
+         5f:a6:4e:a2:4a:0d:4b:d4:bb:56:6b:a8:44:35:62:c5:d8:c6:
+         67:11:93:1c:22:64:3e:aa:15:08:dc:87:39:dd:f6:e0:a0:d5:
+         00:db:27:79:3d:f4:35:7c:46:a9:fa:0c:fa:fc:74:f5:bf:f4:
+         fe:71:40:45:33:22:35:83:f7:1a:96:2a:fc:b2:33:e0:1a:e8:
+         24:48:91:5d:90:5c:4c:93:33:4c:40:de:26:bb:24:ac:48:9b:
+         ae:fe:19:34
 -----BEGIN CERTIFICATE-----
-MIIDAzCCAeugAwIBAgIULfx4c8pVHjISPu8IJM9jlR6t6q4wDQYJKoZIhvcNAQEL
-BQAwETEPMA0GA1UEAwwGQ0FSb290MB4XDTIxMDQyMzE3MDg1MVoXDTMxMDQyMTE3
-MDg1MVowETEPMA0GA1UEAwwGQ0FSb290MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
-MIIBCgKCAQEAw+D3Xbuadu6Exi15P6ZLOx8yMdllgNMCEyMq8S/mrLwk0cu5W+3L
-Y/4x5Oa48xNyvkhXy9FwD2cWbSa8IxxkMO7IDg5o2UN+QnR61Fmkdmdwn4Wq859s
-5qG1BjwdRjhFBd+IzDqtbHKWaVXQsqjt/bgHa1xtHA2Ywog/WTzWbKvf3TrAXP6G
-dDi8ANTwUOrw5nQjSG1jd8f24pT4Gw9RmPb74CBYwbagWAhvrQX3cZCzGlskiAvt
-cSaqhMIhl3bn1XcwYhXUMF75qrx/H1BekkfyksCFz84zByTp7rcEDbefgq6gtnNR
-j/69LPO1dmE82sbAvURGb0OdR7YKgKX+OwIDAQABo1MwUTAdBgNVHQ4EFgQUTpvr
-4kEX0SSvOQK8QtaBt2Jt41cwHwYDVR0jBBgwFoAUTpvr4kEX0SSvOQK8QtaBt2Jt
-41cwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAFgFTq4VXX5K5
-JIXFcAL6/q7/6T42JG6eNN18VvkxodGuY688LOWORzTfsBwzSD/nMv2oOJmm7+F7
-ZZKAHmjlmNvFUEo1U+WGiVaFDG7aZChoM9wpP0GLz5zs/HQVGf/aCu/QUWeXrS/k
-ipRSlhi9d7MreZr43q8PomXE8og6V3kY4dh84FLaNYzd2XUNcuno0KemC0mIbe2G
-RSVyFU4qC2+cL0h1KLCqzRV/rrO37HXZY8hGj4RJHOLblXs9u/2YRVNWPDzeYBb5
-FLh+Jze+8Gm1oBi8gx7BOhGbox0fppx+yap8U0SeHcvKyCJ/zK3m+lFUTbWh5uME
-TkkeZ5yTMA==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 -----END CERTIFICATE-----
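Review bot: the regenerated CA in this file has the same serial (starting 77:4f:f6), the same modulus and the same key identifier as the new authentication/tls/cacert.pem, and both index lines now end in blob 127f56dd777, whereas the old blobs (cb22ab50573 and b607fb9d131) held two different CARoot keys. If any ProxyWithAuthorizationTest case relied on the proxy CA not being trusted by the other trust store, it now passes for the wrong reason. Either keep a separate CA for this directory or state in the commit message that sharing one CA is intended.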
diff --git a/pulsar-proxy/src/test/resources/authentication/tls/ProxyWithAuthorizationTest/proxy-cert.pem b/pulsar-proxy/src/test/resources/authentication/tls/ProxyWithAuthorizationTest/proxy-cert.pem
index a4c03e3c2ea..e2c1e5a230c 100644
--- a/pulsar-proxy/src/test/resources/authentication/tls/ProxyWithAuthorizationTest/proxy-cert.pem
+++ b/pulsar-proxy/src/test/resources/authentication/tls/ProxyWithAuthorizationTest/proxy-cert.pem
@@ -1,13 +1,13 @@
 Certificate:
     Data:
-        Version: 1 (0x0)
+        Version: 3 (0x2)
         Serial Number:
-            0c:26:15:df:8f:71:1d:6a:31:d0:da:af:64:ef:80:de:ac:9a:46:7a
+            61:e6:1b:07:90:6a:4f:f7:cd:46:b9:59:1d:3e:1c:39:0d:f2:5e:04
         Signature Algorithm: sha256WithRSAEncryption
         Issuer: CN = CARoot
         Validity
-            Not Before: Apr 23 17:08:51 2021 GMT
-            Not After : Apr 21 17:08:51 2031 GMT
+            Not Before: May 30 13:38:24 2022 GMT
+            Not After : May 27 13:38:24 2032 GMT
         Subject: C = US, ST = CA, O = Apache Pulsar, OU = Proxy, CN = Proxy
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
@@ -32,37 +32,41 @@ Certificate:
                     29:e1:23:c4:ed:a0:1c:f6:2a:ed:dc:c0:df:97:a9:
                     f3:8d
                 Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Subject Alternative Name: 
+                DNS:localhost, IP Address:127.0.0.1
     Signature Algorithm: sha256WithRSAEncryption
-         7b:27:a8:2a:54:35:76:e5:f8:a7:60:8d:e7:35:12:69:38:f3:
-         32:af:25:0f:69:1a:b1:af:79:e5:7c:94:5c:8f:aa:76:95:54:
-         35:b4:bb:64:20:1a:91:1e:b3:e4:d1:06:72:24:c3:35:bd:9c:
-         f6:54:61:d9:39:22:99:42:08:d4:97:aa:7d:82:46:fc:77:58:
-         df:93:29:03:6c:ba:1c:13:d1:42:49:32:f1:38:09:d3:3e:43:
-         89:1b:61:c4:40:f3:ac:4c:c1:36:2f:28:bd:57:a0:de:35:82:
-         c9:da:93:5f:09:d6:e8:5b:cd:15:45:b3:28:22:7d:48:00:c4:
-         55:0f:f6:de:d9:c2:0a:39:5e:69:a4:50:9b:3f:e1:06:44:8a:
-         13:af:0b:56:8d:70:c4:9f:d1:a2:b4:25:09:8b:19:47:e8:d2:
-         98:49:2a:a0:8b:fe:8c:cb:23:d8:f8:e6:28:c6:d9:0b:10:7c:
-         d3:ce:48:07:8d:c7:56:bb:c9:e8:d7:a8:a1:24:93:bf:5f:d2:
-         a9:f1:35:b7:40:ad:08:bf:89:63:e5:49:40:13:e7:1e:6a:77:
-         7f:9a:5b:07:0c:eb:80:77:b0:ac:fa:8a:9d:b8:83:53:a1:1e:
-         0e:14:2b:c9:50:96:81:c2:c0:0b:d1:c6:b6:2e:ea:98:3e:7b:
-         ee:5f:09:f7
+         8d:b6:2c:5f:87:13:06:a8:66:ce:11:2a:2c:20:1e:c7:ee:50:
+         75:a7:d1:7c:ad:c6:ec:d1:18:d0:fa:aa:00:fa:08:f9:0f:cc:
+         df:59:9a:6b:1c:18:07:15:84:d0:9a:24:8d:dd:46:79:9c:dc:
+         9e:3e:97:10:24:b2:9d:d4:f6:c5:79:58:87:7c:a6:af:cf:69:
+         23:fb:43:7a:0f:4d:26:e0:e9:66:c5:ad:fa:88:e2:c5:6e:6a:
+         ce:70:0c:8f:73:01:d6:fd:a9:1f:31:49:41:17:45:22:cc:a6:
+         71:e4:f4:0f:0f:2e:3e:49:0b:5f:04:94:36:49:fa:72:42:c9:
+         25:75:84:9a:dc:16:cb:69:44:44:e5:3a:ff:26:f6:44:42:4c:
+         6c:e2:56:d6:3e:bc:f2:8b:83:de:e2:91:70:65:b9:d0:dd:a3:
+         d1:de:53:27:77:13:2d:86:27:c3:40:2f:c1:a5:50:1c:5a:44:
+         51:b4:29:11:c3:30:9d:1a:96:25:7a:d6:05:70:ad:06:0d:f2:
+         9b:b1:b6:82:39:06:c7:7c:b2:49:04:19:e4:7e:87:b8:d8:42:
+         1d:ab:ed:d0:b0:7f:79:6b:89:75:2f:6a:26:67:3d:33:57:5f:
+         5a:49:52:98:3b:2a:e5:43:d7:f9:97:ca:75:cd:6f:e9:e4:66:
+         b6:d6:c2:c7
 -----BEGIN CERTIFICATE-----
-MIIC6jCCAdICFAwmFd+PcR1qMdDar2TvgN6smkZ6MA0GCSqGSIb3DQEBCwUAMBEx
-DzANBgNVBAMMBkNBUm9vdDAeFw0yMTA0MjMxNzA4NTFaFw0zMTA0MjExNzA4NTFa
-MFIxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTEWMBQGA1UEChMNQXBhY2hlIFB1
-bHNhcjEOMAwGA1UECxMFUHJveHkxDjAMBgNVBAMTBVByb3h5MIIBIjANBgkqhkiG
-9w0BAQEFAAOCAQ8AMIIBCgKCAQEAw1zFrRfc9NTE6hxgWiRGE9nPwM2DLi+CcOXg
-jTO9lbXPxvBU1Y29hw1ibB0/UmZ0/wYzHDzV7S5j2ZbG8ZiCx5RKvGTymzpU7IGZ
-vBSCQ4cMa9oDjKoLQdf+J8T5iIE0sf8q4G3QR93BEaVUqVMyzY/2dViOBeTZsaxp
-/rZUw602BKJ39VO2dIPVagHglrWir1CPtdedp8K9+DGGCV98CrLbNOGAJRdffW+L
-3I7V+c/P9faPav4+lgDJVrDQ40beuaaKXpuOf+oZzKJbdSI8HTZI5PIaAZVhwfB6
-J52DlnTMqQRCCFM0mC6344P58qMp4SPE7aAc9irt3MDfl6nzjQIDAQABMA0GCSqG
-SIb3DQEBCwUAA4IBAQB7J6gqVDV25finYI3nNRJpOPMyryUPaRqxr3nlfJRcj6p2
-lVQ1tLtkIBqRHrPk0QZyJMM1vZz2VGHZOSKZQgjUl6p9gkb8d1jfkykDbLocE9FC
-STLxOAnTPkOJG2HEQPOsTME2Lyi9V6DeNYLJ2pNfCdboW80VRbMoIn1IAMRVD/be
-2cIKOV5ppFCbP+EGRIoTrwtWjXDEn9GitCUJixlH6NKYSSqgi/6MyyPY+OYoxtkL
-EHzTzkgHjcdWu8no16ihJJO/X9Kp8TW3QK0Iv4lj5UlAE+ceand/mlsHDOuAd7Cs
-+oqduINToR4OFCvJUJaBwsAL0ca2LuqYPnvuXwn3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 -----END CERTIFICATE-----
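Review bot: the SAN added here for the CN = Proxy certificate is the same DNS:localhost, IP Address:127.0.0.1 pair that server-cert.pem receives, so hostname verification in these tests cannot tell a proxy endpoint from a broker endpoint; a test that is handed the wrong one of the two certificates would still verify. Consider giving each role an additional distinguishing DNS name, and add at least one negative test that presents a certificate whose SAN does not match the requested host.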
diff --git a/pulsar-proxy/src/test/resources/authentication/tls/cacert.pem b/pulsar-proxy/src/test/resources/authentication/tls/cacert.pem
index b607fb9d131..127f56dd777 100644
--- a/pulsar-proxy/src/test/resources/authentication/tls/cacert.pem
+++ b/pulsar-proxy/src/test/resources/authentication/tls/cacert.pem
@@ -2,76 +2,76 @@ Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number:
-            7f:c3:12:28:23:73:86:8e:bb:d6:e6:21:43:e3:72:e8:01:17:3e:d1
+            77:4f:f6:cf:99:ca:77:e8:a7:6e:1e:fd:e2:cf:ac:a9:da:68:d2:42
         Signature Algorithm: sha256WithRSAEncryption
         Issuer: CN = CARoot
         Validity
-            Not Before: Apr 23 17:08:51 2021 GMT
-            Not After : Apr 21 17:08:51 2031 GMT
+            Not Before: May 30 13:38:24 2022 GMT
+            Not After : May 27 13:38:24 2032 GMT
         Subject: CN = CARoot
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
                 RSA Public-Key: (2048 bit)
                 Modulus:
-                    00:b3:6a:94:67:7c:33:90:4e:db:b9:94:b0:a6:1a:
-                    69:77:bb:33:31:fe:3c:8b:6d:8a:f1:cf:07:d9:87:
-                    86:ad:45:cf:4c:e3:e7:35:d5:4b:a3:76:27:9b:30:
-                    b1:82:3f:57:29:c9:f0:be:25:49:25:16:64:58:cc:
-                    b0:f1:01:2e:19:69:52:c8:38:64:61:16:b4:a7:ba:
-                    76:2b:54:e6:a5:80:6c:b6:6c:8a:3c:c1:06:c2:e1:
-                    c1:f3:18:6b:87:08:4b:bb:54:f4:b3:72:1d:f2:ce:
-                    47:18:5f:82:d3:88:c9:39:7b:71:fc:71:1a:aa:7e:
-                    55:6c:35:7f:83:c1:60:e7:7d:b1:80:d0:17:7a:ed:
-                    e7:0d:87:8b:59:e3:18:47:e9:cf:de:0d:0e:c6:3e:
-                    5c:eb:6e:f4:43:95:31:01:2d:e8:f2:ba:8a:bf:ed:
-                    82:0c:7c:14:14:13:0e:fb:ae:f0:3a:7c:29:ee:55:
-                    29:ca:46:7a:be:05:9f:fa:75:65:4c:f5:fb:cf:fe:
-                    92:8d:78:e2:e1:41:55:32:2c:36:a2:ac:96:43:aa:
-                    e2:60:5a:ff:a6:e2:3f:5b:fc:d4:d3:af:cf:78:45:
-                    b5:e7:6e:7d:b6:fa:c4:05:84:a6:49:a7:ac:16:8e:
-                    b2:17:ac:75:76:f0:29:df:c8:da:a2:01:05:25:08:
-                    4d:8f
+                    00:b8:5e:c2:60:ed:c4:ee:3c:5b:ab:fc:64:52:f3:
+                    30:41:fc:10:5a:ac:a6:9b:0a:93:d0:d0:c9:bf:96:
+                    14:a7:cf:5c:3e:23:91:7e:54:ec:fe:2d:9f:c9:34:
+                    d1:4e:95:2f:85:9c:cc:be:90:a3:a4:cb:4d:a4:72:
+                    d2:84:e0:c7:42:c4:bf:70:b6:fa:d2:45:8b:83:66:
+                    1e:a4:e9:0e:06:a3:46:ea:a7:18:cd:33:b9:f1:ff:
+                    76:91:72:8f:cd:f9:93:43:c3:6e:17:1f:2d:86:df:
+                    b6:fb:2d:d6:be:2d:98:ad:de:00:c7:de:f9:68:b5:
+                    40:40:56:49:ae:23:e5:a1:3b:5f:15:5a:44:50:da:
+                    fb:02:d3:42:c6:87:0d:c0:8d:3a:e6:e2:aa:73:31:
+                    ab:79:58:51:cd:03:80:f3:12:ce:2f:35:04:8b:39:
+                    5f:b0:cc:b8:41:99:47:c1:17:96:8b:c2:44:84:b5:
+                    21:8a:15:52:fe:1a:5a:f9:88:cc:11:17:ee:48:dd:
+                    ba:bf:ed:67:6e:27:35:42:cf:07:5e:b1:8b:81:55:
+                    92:01:8e:61:fd:8e:82:74:b1:70:7a:3d:52:1f:16:
+                    78:12:bb:b5:09:62:ce:6d:18:4a:e9:f5:27:19:bc:
+                    93:4e:ed:dd:53:a8:c1:bb:48:b7:18:20:7b:79:48:
+                    48:9d
                 Exponent: 65537 (0x10001)
         X509v3 extensions:
             X509v3 Subject Key Identifier: 
-                09:93:47:8E:5F:F3:BD:19:A2:77:FD:09:BA:13:A9:B6:C6:75:4E:B0
+                0F:46:61:3E:6F:71:22:E6:1F:32:37:7C:B2:81:A6:CC:DB:9D:F5:7C
             X509v3 Authority Key Identifier: 
-                keyid:09:93:47:8E:5F:F3:BD:19:A2:77:FD:09:BA:13:A9:B6:C6:75:4E:B0
+                keyid:0F:46:61:3E:6F:71:22:E6:1F:32:37:7C:B2:81:A6:CC:DB:9D:F5:7C
 
             X509v3 Basic Constraints: critical
                 CA:TRUE
     Signature Algorithm: sha256WithRSAEncryption
-         a1:52:44:1e:c0:a1:73:48:98:dd:91:b9:a7:e1:da:c5:48:65:
-         d2:6d:38:77:b5:fa:f6:f7:c5:e4:b7:51:28:ea:f1:6c:9e:82:
-         80:6d:6f:56:9c:3b:31:b8:71:0e:ad:17:f9:8e:c6:7e:87:a9:
-         5f:30:1c:0e:17:c8:c7:c2:3c:96:3d:7d:01:a9:ce:d0:cd:c3:
-         55:6b:ce:64:35:53:93:c6:8c:4c:3d:0d:38:01:17:7b:e2:d8:
-         b3:a5:78:46:77:fc:7e:da:16:f8:96:d0:72:35:89:c3:15:8c:
-         38:37:8b:7f:ff:01:f9:84:b2:e9:8d:11:64:82:36:e7:ef:86:
-         a6:de:11:d9:78:b4:07:6c:18:89:aa:d6:6d:a2:d8:24:98:40:
-         85:5d:ba:5c:36:75:ad:e8:25:03:2d:94:69:d1:ce:d9:8f:9b:
-         fd:79:5d:4b:30:7a:de:18:08:5a:54:e9:7b:7d:e2:cb:20:65:
-         99:4c:5a:31:de:c8:2c:01:b1:c8:d1:30:1d:33:bd:ef:9b:43:
-         4d:ac:7d:20:1f:c3:10:53:2e:1a:99:d5:6c:62:0e:15:b3:bd:
-         3c:88:58:88:0c:4f:06:21:b7:a4:8c:eb:9f:63:2e:5e:1d:c8:
-         91:39:9a:2b:e3:bf:e4:0a:bd:6e:4d:71:15:4d:e1:af:01:15:
-         99:38:25:12
+         91:e8:d8:c4:32:2e:80:5c:d4:cb:24:7a:81:43:a9:c7:95:90:
+         1a:2e:7a:d3:0c:5d:b6:21:05:67:4d:98:5a:0d:71:ea:80:01:
+         95:42:fe:fa:f1:7c:dc:bd:76:ff:05:26:3b:f0:94:b3:09:2c:
+         34:dd:43:56:46:2b:15:35:99:d9:94:54:22:cf:a6:68:b0:d1:
+         79:e2:f0:9f:0b:02:7c:cf:1f:bd:d0:f6:49:c6:82:28:a5:c6:
+         ae:94:65:cf:fd:ad:a8:6c:c2:17:da:db:f3:be:30:1a:1b:b4:
+         2c:fa:08:71:9d:64:09:45:02:92:02:ad:eb:15:47:14:43:5b:
+         a8:2d:1a:ec:14:93:dc:ff:bb:51:33:a3:d5:4d:e2:77:ca:e1:
+         a5:98:5c:7a:b6:10:19:d3:d7:f5:14:a5:d5:08:f1:97:18:3d:
+         5f:a6:4e:a2:4a:0d:4b:d4:bb:56:6b:a8:44:35:62:c5:d8:c6:
+         67:11:93:1c:22:64:3e:aa:15:08:dc:87:39:dd:f6:e0:a0:d5:
+         00:db:27:79:3d:f4:35:7c:46:a9:fa:0c:fa:fc:74:f5:bf:f4:
+         fe:71:40:45:33:22:35:83:f7:1a:96:2a:fc:b2:33:e0:1a:e8:
+         24:48:91:5d:90:5c:4c:93:33:4c:40:de:26:bb:24:ac:48:9b:
+         ae:fe:19:34
 -----BEGIN CERTIFICATE-----
-MIIDAzCCAeugAwIBAgIUf8MSKCNzho671uYhQ+Ny6AEXPtEwDQYJKoZIhvcNAQEL
-BQAwETEPMA0GA1UEAwwGQ0FSb290MB4XDTIxMDQyMzE3MDg1MVoXDTMxMDQyMTE3
-MDg1MVowETEPMA0GA1UEAwwGQ0FSb290MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
-MIIBCgKCAQEAs2qUZ3wzkE7buZSwphppd7szMf48i22K8c8H2YeGrUXPTOPnNdVL
-o3YnmzCxgj9XKcnwviVJJRZkWMyw8QEuGWlSyDhkYRa0p7p2K1TmpYBstmyKPMEG
-wuHB8xhrhwhLu1T0s3Id8s5HGF+C04jJOXtx/HEaqn5VbDV/g8Fg532xgNAXeu3n
-DYeLWeMYR+nP3g0Oxj5c6270Q5UxAS3o8rqKv+2CDHwUFBMO+67wOnwp7lUpykZ6
-vgWf+nVlTPX7z/6SjXji4UFVMiw2oqyWQ6riYFr/puI/W/zU06/PeEW15259tvrE
-BYSmSaesFo6yF6x1dvAp38jaogEFJQhNjwIDAQABo1MwUTAdBgNVHQ4EFgQUCZNH
-jl/zvRmid/0JuhOptsZ1TrAwHwYDVR0jBBgwFoAUCZNHjl/zvRmid/0JuhOptsZ1
-TrAwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAoVJEHsChc0iY
-3ZG5p+HaxUhl0m04d7X69vfF5LdRKOrxbJ6CgG1vVpw7MbhxDq0X+Y7GfoepXzAc
-DhfIx8I8lj19AanO0M3DVWvOZDVTk8aMTD0NOAEXe+LYs6V4Rnf8ftoW+JbQcjWJ
-wxWMODeLf/8B+YSy6Y0RZII25++Gpt4R2Xi0B2wYiarWbaLYJJhAhV26XDZ1regl
-Ay2UadHO2Y+b/XldSzB63hgIWlTpe33iyyBlmUxaMd7ILAGxyNEwHTO975tDTax9
-IB/DEFMuGpnVbGIOFbO9PIhYiAxPBiG3pIzrn2MuXh3IkTmaK+O/5Aq9bk1xFU3h
-rwEVmTglEg==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 -----END CERTIFICATE-----
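Review bot: the extensions block of the regenerated CA still lists only Subject Key Identifier, Authority Key Identifier and Basic Constraints, with no Key Usage. RFC 5280 expects keyCertSign to be asserted on a certificate whose key signs other certificates, and stricter validators enforce that. Since the CA is being reissued anyway, adding keyUsage = critical, keyCertSign, cRLSign to its OpenSSL config keeps the fixture usable with such validators.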
diff --git a/pulsar-proxy/src/test/resources/authentication/tls/client-cert.pem b/pulsar-proxy/src/test/resources/authentication/tls/client-cert.pem
index 0fc458dbe53..192d686246f 100644
--- a/pulsar-proxy/src/test/resources/authentication/tls/client-cert.pem
+++ b/pulsar-proxy/src/test/resources/authentication/tls/client-cert.pem
@@ -1,13 +1,13 @@
 Certificate:
     Data:
-        Version: 1 (0x0)
+        Version: 3 (0x2)
         Serial Number:
-            0c:26:15:df:8f:71:1d:6a:31:d0:da:af:64:ef:80:de:ac:9a:46:74
+            61:e6:1b:07:90:6a:4f:f7:cd:46:b9:59:1d:3e:1c:39:0d:f2:5e:01
         Signature Algorithm: sha256WithRSAEncryption
         Issuer: CN = CARoot
         Validity
-            Not Before: Apr 23 17:08:51 2021 GMT
-            Not After : Apr 21 17:08:51 2031 GMT
+            Not Before: May 30 13:38:24 2022 GMT
+            Not After : May 27 13:38:24 2032 GMT
         Subject: C = US, ST = CA, O = Apache, OU = Apache Pulsar, CN = superUser
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
@@ -32,37 +32,41 @@ Certificate:
                     b6:98:ef:dd:03:82:58:a3:32:dc:90:a1:b6:a6:1e:
                     e1:0b
                 Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Subject Alternative Name: 
+                DNS:localhost, IP Address:127.0.0.1
     Signature Algorithm: sha256WithRSAEncryption
-         33:40:2a:38:48:99:a0:fe:68:4d:07:3b:08:ae:af:a1:7c:ea:
-         70:ab:a7:c8:32:b4:ff:9f:5a:51:3b:2b:a2:aa:21:75:44:7d:
-         be:e7:fb:08:b9:81:e5:4c:cf:01:86:f9:06:63:4f:ce:7a:1d:
-         cb:1e:9e:8f:d5:0a:54:53:69:91:05:10:2c:b0:4f:d4:3a:b5:
-         25:0e:25:4c:eb:67:64:d7:85:29:77:63:30:da:2a:77:3f:59:
-         c2:8c:e9:02:57:49:93:3a:51:91:1a:b2:59:4d:d5:69:c9:9d:
-         cc:e2:4f:b2:6c:5b:ba:45:68:c7:f5:18:f4:1d:b8:0c:eb:fd:
-         0a:cf:10:5d:dc:3e:26:49:03:33:37:40:f7:96:88:82:99:5c:
-         38:8d:cc:3b:de:b5:b9:ee:f9:ac:ae:ce:03:9a:1e:a7:f8:02:
-         73:2e:af:e7:b0:22:cb:3d:a3:ca:85:16:e9:e6:e2:d6:bf:1c:
-         1a:4c:ea:14:49:52:84:67:38:97:c7:b3:30:72:cc:c6:08:e5:
-         40:0a:87:da:19:98:26:4f:0b:54:43:a2:a0:ea:51:b2:23:88:
-         d2:b4:0e:82:4f:02:92:a4:fb:27:e2:06:15:76:e7:27:f2:a2:
-         e4:23:7b:24:ca:e6:80:93:2b:cd:54:ca:1b:9b:fd:d9:59:d1:
-         96:31:25:7b
+         96:c2:23:2d:46:d0:3d:23:0e:ab:3d:b6:1e:31:96:00:eb:ae:
+         17:ac:6e:c0:d4:1a:8d:0f:36:63:27:02:49:4e:24:cf:d3:80:
+         88:3a:4f:d0:f1:e5:1c:df:2d:8a:ab:ae:8d:48:77:a0:d0:dc:
+         d5:80:1c:a1:3d:0d:49:64:bf:cb:39:84:c9:f3:5d:e0:2d:ba:
+         a0:f2:ac:03:85:44:a1:97:6b:0b:de:ed:a7:49:19:46:b2:18:
+         49:21:62:43:52:36:6f:47:6c:21:6b:5e:41:85:28:71:6c:22:
+         27:35:76:82:ed:ac:ad:d7:fa:9d:4c:7d:6f:44:7e:06:dd:8a:
+         11:32:0c:d9:d0:f6:63:2a:40:ae:0d:5a:df:9e:d7:91:8a:db:
+         2d:95:f3:19:f0:8f:1e:34:e3:b2:31:67:38:74:fd:3f:e6:49:
+         5e:53:eb:88:ae:b1:45:71:0e:67:97:3c:99:4e:c7:ea:1e:02:
+         67:b4:54:ef:4f:10:55:4a:70:c0:eb:41:e4:50:d4:48:5e:70:
+         c5:0f:79:f2:06:3d:35:ea:ce:5d:13:8e:14:65:fc:98:21:16:
+         2d:5d:6d:f8:e0:6b:c7:c6:e4:8a:ca:c9:38:1f:93:27:86:28:
+         ef:96:e7:ad:6c:4a:9e:10:78:48:00:f4:4a:43:dc:87:1d:e3:
+         d3:39:53:68
 -----BEGIN CERTIFICATE-----
-MIIC7zCCAdcCFAwmFd+PcR1qMdDar2TvgN6smkZ0MA0GCSqGSIb3DQEBCwUAMBEx
-DzANBgNVBAMMBkNBUm9vdDAeFw0yMTA0MjMxNzA4NTFaFw0zMTA0MjExNzA4NTFa
-MFcxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTEPMA0GA1UEChMGQXBhY2hlMRYw
-FAYDVQQLEw1BcGFjaGUgUHVsc2FyMRIwEAYDVQQDEwlzdXBlclVzZXIwggEiMA0G
-CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDNQ32YQPmwW7yu28ALrSaQluBiOO1o
-sXBGO95E+RRRhhDrypDniOj5kYXg3bW0FLl444bVVG1o7BSStPgiWwU97TElZQgF
-hMrmDCESWDLHGmCjT9JKnigZfEWEAIyJ3N6K5U+Ikcyk8YFFTH3C/+LBicYSc5Xi
-Nr3brotaaGqQUd4riF+qZ/So42PcvhmCzJ1/5o37gr4iAT1WEztbBLToxRjmLg36
-ukqN6MZaoVGaSmLXr920/OLVza6ZbFxhVgvXDBp3XPU6alS1njOsqXUomnav0HpX
-ABuREzH9QoghRwUQAS9Zu8c62eFYTBtscbaY790DglijMtyQobamHuELAgMBAAEw
-DQYJKoZIhvcNAQELBQADggEBADNAKjhImaD+aE0HOwiur6F86nCrp8gytP+fWlE7
-K6KqIXVEfb7n+wi5geVMzwGG+QZjT856Hcseno/VClRTaZEFECywT9Q6tSUOJUzr
-Z2TXhSl3YzDaKnc/WcKM6QJXSZM6UZEasllN1WnJncziT7JsW7pFaMf1GPQduAzr
-/QrPEF3cPiZJAzM3QPeWiIKZXDiNzDvetbnu+ayuzgOaHqf4AnMur+ewIss9o8qF
-Funm4ta/HBpM6hRJUoRnOJfHszByzMYI5UAKh9oZmCZPC1RDoqDqUbIjiNK0DoJP
-ApKk+yfiBhV25yfyouQjeyTK5oCTK81Uyhub/dlZ0ZYxJXs=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 -----END CERTIFICATE-----
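Review bot: the SAN block added in this hunk gives the CN = superUser client certificate a server name (DNS:localhost, IP Address:127.0.0.1) and no Extended Key Usage, so the same file would also be accepted as a server certificate for localhost. If the SAN is present only because every leaf is issued from one extension file, issue client certificates from a separate section with extendedKeyUsage = clientAuth and no SAN, so that a test which mixes up client and server certificates fails instead of passing.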
diff --git a/pulsar-proxy/src/test/resources/authentication/tls/server-cert.pem b/pulsar-proxy/src/test/resources/authentication/tls/server-cert.pem
index 0f8bc17b9ed..c09434c85d2 100644
--- a/pulsar-proxy/src/test/resources/authentication/tls/server-cert.pem
+++ b/pulsar-proxy/src/test/resources/authentication/tls/server-cert.pem
@@ -1,13 +1,13 @@
 Certificate:
     Data:
-        Version: 1 (0x0)
+        Version: 3 (0x2)
         Serial Number:
-            0c:26:15:df:8f:71:1d:6a:31:d0:da:af:64:ef:80:de:ac:9a:46:75
+            61:e6:1b:07:90:6a:4f:f7:cd:46:b9:59:1d:3e:1c:39:0d:f2:5e:02
         Signature Algorithm: sha256WithRSAEncryption
         Issuer: CN = CARoot
         Validity
-            Not Before: Apr 23 17:08:51 2021 GMT
-            Not After : Apr 21 17:08:51 2031 GMT
+            Not Before: May 30 13:38:24 2022 GMT
+            Not After : May 27 13:38:24 2032 GMT
         Subject: C = US, ST = CA, O = Apache, OU = Apache Pulsar, CN = localhost
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
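Review bot: Not After moves to May 27 13:38:24 2032 GMT, and on that date every TLS test using this fixture will start failing with an expiry error that has nothing to do with the code under test. Record the regeneration date and the exact command in build/regenerate_certs_for_tests.sh or in a README next to the PEM files, and consider a small test that fails once the fixtures are within a year of Not After.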
@@ -32,37 +32,41 @@ Certificate:
                     a0:1a:81:9d:d2:e1:66:dd:c4:cc:fc:63:04:ac:ec:
                     a7:35
                 Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Subject Alternative Name: 
+                DNS:localhost, IP Address:127.0.0.1
     Signature Algorithm: sha256WithRSAEncryption
-         81:a7:27:69:49:e6:1b:c0:f2:a6:10:c2:ef:c7:64:27:69:53:
-         3c:bd:8e:7c:b7:b8:bd:2a:02:d4:ab:4b:f3:7b:25:e8:1e:d8:
-         3d:88:00:04:6c:a0:da:67:57:65:5d:a2:b6:1d:9a:8c:c7:bd:
-         27:53:78:6a:61:3f:61:c1:23:d5:34:65:f1:49:ec:20:5d:f1:
-         01:90:99:e8:e6:99:17:ae:c3:ed:e5:da:c4:f1:8c:89:e8:38:
-         c1:01:e0:84:27:bf:01:f5:ee:62:87:55:6c:63:fc:45:12:d3:
-         2f:f7:e2:b9:f0:33:d0:84:1e:6b:23:7b:3e:ae:25:f6:ff:11:
-         12:f4:12:63:b6:88:5d:01:aa:ce:c9:e4:d8:78:a2:2d:4c:9a:
-         50:4d:57:80:6a:4b:2d:19:4c:61:21:6a:7a:06:2b:cf:82:ae:
-         f3:61:b0:ef:62:ae:3b:2d:2d:0d:c8:da:75:49:72:5a:1c:8b:
-         15:c2:bb:07:5b:37:81:f6:42:e4:84:29:4c:cb:fc:4d:e1:86:
-         9b:86:af:1f:03:08:58:b0:15:4c:72:fd:e6:62:e2:b2:37:ca:
-         eb:a4:67:ec:12:8f:95:57:d7:e7:cf:fe:b5:f9:4a:55:66:c4:
-         2f:af:e9:65:a9:54:a8:9d:1a:1e:9a:9e:ec:60:bf:b5:ef:2b:
-         b6:d5:02:e9
+         88:89:d7:52:b3:61:49:73:7d:ee:aa:6f:47:11:cd:52:f1:ef:
+         9a:63:5f:43:a9:4f:66:c8:36:dd:44:24:ba:4f:c3:6c:94:90:
+         85:5e:29:fb:65:cf:03:3b:37:16:5e:88:07:70:97:54:93:f0:
+         f3:09:d7:65:60:09:00:fd:7f:dd:6a:ab:25:3a:30:c4:89:34:
+         43:82:f6:f5:f4:2d:39:3d:21:90:c4:00:27:c5:6a:23:41:20:
+         c6:42:35:56:91:17:fa:31:90:09:6a:4c:e4:a7:53:ae:61:b6:
+         d3:5b:82:71:08:d0:0b:af:34:0f:9b:bd:bc:8c:1c:31:43:43:
+         97:82:9a:ac:2a:53:ca:11:ce:6f:64:ac:86:c1:f0:62:14:aa:
+         c3:dd:15:5b:1c:02:6f:bb:40:87:17:b7:e5:9d:93:9a:51:c9:
+         1e:7a:8c:d1:22:75:44:f1:9d:90:4b:3e:1f:6c:ab:6f:e3:be:
+         cd:c7:15:9d:04:84:4a:1b:a7:ac:64:5d:d7:3e:23:98:b9:49:
+         dd:85:dd:80:4c:46:08:9b:f5:df:eb:19:c8:57:70:ac:43:f9:
+         d6:9c:1b:1b:2a:94:cf:c1:35:56:a2:f4:b1:00:5d:9e:1e:36:
+         54:72:ab:aa:ef:49:b2:f0:dc:cf:5b:22:51:bf:e4:c9:57:dc:
+         d0:48:0d:f2
 -----BEGIN CERTIFICATE-----
-MIIC7zCCAdcCFAwmFd+PcR1qMdDar2TvgN6smkZ1MA0GCSqGSIb3DQEBCwUAMBEx
-DzANBgNVBAMMBkNBUm9vdDAeFw0yMTA0MjMxNzA4NTFaFw0zMTA0MjExNzA4NTFa
-MFcxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTEPMA0GA1UEChMGQXBhY2hlMRYw
-FAYDVQQLEw1BcGFjaGUgUHVsc2FyMRIwEAYDVQQDEwlsb2NhbGhvc3QwggEiMA0G
-CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCvv7ctmK2d9tqjE9RiD5i+HKKJIrpv
-1f0fZ+ORA5iAgQ7t2PZwfyw2aD1T6lg6ptWJZku9HldxE21LEeVApXaEJJJAWICW
-yR8sxFXro3lzcFw3montL7pr44J8aUoCVIuBXjy/TIrL6ixeg+e3EAhfglijidHa
-kroqKO4wKD9brhBxlsfhEsWwGq1Eb0Q6EUqaPA+NBoB7NO8/bPRexURUHsjdx4CF
-gNlo5sZTA3fh/hhhB3cFTO1ZvF1BOGrvXaGyYJjUSCiVAooO/c97G9IRzBAMUHPX
-zDhsg915JqqQyJuEhrxZ6WJp9JgbxIB4fqAagZ3S4WbdxMz8YwSs7Kc1AgMBAAEw
-DQYJKoZIhvcNAQELBQADggEBAIGnJ2lJ5hvA8qYQwu/HZCdpUzy9jny3uL0qAtSr
-S/N7Jege2D2IAARsoNpnV2VdorYdmozHvSdTeGphP2HBI9U0ZfFJ7CBd8QGQmejm
-mReuw+3l2sTxjInoOMEB4IQnvwH17mKHVWxj/EUS0y/34rnwM9CEHmsjez6uJfb/
-ERL0EmO2iF0Bqs7J5Nh4oi1MmlBNV4BqSy0ZTGEhanoGK8+CrvNhsO9irjstLQ3I
-2nVJclocixXCuwdbN4H2QuSEKUzL/E3hhpuGrx8DCFiwFUxy/eZi4rI3yuukZ+wS
-j5VX1+fP/rX5SlVmxC+v6WWpVKidGh6anuxgv7XvK7bVAuk=
+MIIDFDCCAfygAwIBAgIUYeYbB5BqT/fNRrlZHT4cOQ3yXgIwDQYJKoZIhvcNAQEL
+BQAwETEPMA0GA1UEAwwGQ0FSb290MB4XDTIyMDUzMDEzMzgyNFoXDTMyMDUyNzEz
+MzgyNFowVzELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMQ8wDQYDVQQKEwZBcGFj
+aGUxFjAUBgNVBAsTDUFwYWNoZSBQdWxzYXIxEjAQBgNVBAMTCWxvY2FsaG9zdDCC
+ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK+/ty2YrZ322qMT1GIPmL4c
+ookium/V/R9n45EDmICBDu3Y9nB/LDZoPVPqWDqm1YlmS70eV3ETbUsR5UCldoQk
+kkBYgJbJHyzEVeujeXNwXDeaie0vumvjgnxpSgJUi4FePL9MisvqLF6D57cQCF+C
+WKOJ0dqSuioo7jAoP1uuEHGWx+ESxbAarURvRDoRSpo8D40GgHs07z9s9F7FRFQe
+yN3HgIWA2WjmxlMDd+H+GGEHdwVM7Vm8XUE4au9dobJgmNRIKJUCig79z3sb0hHM
+EAxQc9fMOGyD3XkmqpDIm4SGvFnpYmn0mBvEgHh+oBqBndLhZt3EzPxjBKzspzUC
+AwEAAaMeMBwwGgYDVR0RBBMwEYIJbG9jYWxob3N0hwR/AAABMA0GCSqGSIb3DQEB
+CwUAA4IBAQCIiddSs2FJc33uqm9HEc1S8e+aY19DqU9myDbdRCS6T8NslJCFXin7
+Zc8DOzcWXogHcJdUk/DzCddlYAkA/X/daqslOjDEiTRDgvb19C05PSGQxAAnxWoj
+QSDGQjVWkRf6MZAJakzkp1OuYbbTW4JxCNALrzQPm728jBwxQ0OXgpqsKlPKEc5v
+ZKyGwfBiFKrD3RVbHAJvu0CHF7flnZOaUckeeozRInVE8Z2QSz4fbKtv477NxxWd
+BIRKG6esZF3XPiOYuUndhd2ATEYIm/Xf6xnIV3CsQ/nWnBsbKpTPwTVWovSxAF2e
+HjZUcquq70my8NzPWyJRv+TJV9zQSA3y
 -----END CERTIFICATE-----