Posted to commits@pulsar.apache.org by rx...@apache.org on 2020/07/18 01:38:37 UTC
[pulsar] branch master updated: Improve security setting of Pulsar Functions (#7578)
This is an automated email from the ASF dual-hosted git repository.
rxl pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/pulsar.git
The following commit(s) were added to refs/heads/master by this push:
new 2374cd9 Improve security setting of Pulsar Functions (#7578)
2374cd9 is described below
commit 2374cd9c4260d9528e911878c49dc107508a2067
Author: 冉小龙 <rx...@apache.org>
AuthorDate: Sat Jul 18 09:38:19 2020 +0800
Improve security setting of Pulsar Functions (#7578)
Signed-off-by: xiaolong.ran <rx...@apache.org>
### Motivation
Improve security setting of Pulsar Functions
### Modifications
- Add `TLS Authentication` example
- Improve `TLS Transport` config
- Add `authorizationProvider` field for **Authorization**
---
site2/docs/functions-worker.md | 20 +++++++++++++++++++-
1 file changed, 19 insertions(+), 1 deletion(-)
diff --git a/site2/docs/functions-worker.md b/site2/docs/functions-worker.md
index 0a4664f..35bfd9a 100644
--- a/site2/docs/functions-worker.md
+++ b/site2/docs/functions-worker.md
@@ -105,10 +105,17 @@ If you want to enable security on functions workers, you *should*:
To enable TLS transport encryption, configure the following settings.
```
+useTLS: true
+pulsarServiceUrl: pulsar+ssl://localhost:6651/
+pulsarWebServiceUrl: https://localhost:8443
+
tlsEnabled: true
tlsCertificateFilePath: /path/to/functions-worker.cert.pem
tlsKeyFilePath: /path/to/functions-worker.key-pk8.pem
tlsTrustCertsFilePath: /path/to/ca.cert.pem
+
+// The path to trusted certificates used by the Pulsar client to authenticate with Pulsar brokers
+brokerClientTrustCertsFilePath: /path/to/ca.cert.pem
```
For details on TLS encryption, refer to [Transport Encryption using TLS](security-tls-transport.md).
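Review bot: The added line `// The path to trusted certificates used by the Pulsar client to authenticate with Pulsar brokers` sits inside the config block but `//` is not YAML comment syntax, so the block is no longer valid if a reader pastes it into the worker config as is. Change it to a `#` comment. The block also now carries both `useTLS: true` and `tlsEnabled: true` with nothing saying which connection each one governs; a short `#` comment on each (worker-to-broker client versus the worker's own listener) would keep readers from setting only one of them.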
@@ -124,6 +131,16 @@ authenticationEnabled: true
authenticationProviders: [ provider1, provider2 ]
```
+For *TLS Authentication* provider, follow the example below to add the necessary settings.
+See [TLS Authentication](security-tls-authentication.md) for more details.
+```
+brokerClientAuthenticationPlugin: org.apache.pulsar.client.impl.auth.AuthenticationTls
+brokerClientAuthenticationParameters: tlsCertFile:/path/to/admin.cert.pem,tlsKeyFile:/path/to/admin.key-pk8.pem
+
+authenticationEnabled: true
+authenticationProviders: ['org.apache.pulsar.broker.authentication.AuthenticationProviderTls']
+```
+
For *SASL Authentication* provider, add `saslJaasClientAllowedIds` and `saslJaasBrokerSectionName`
under `properties` if needed.
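Review bot: The opening fence added after the `See [TLS Authentication](security-tls-authentication.md) for more details.` line has no blank line before it and no language tag, while the authorization section further down uses a `yaml` fence; add the blank line and tag it `yaml` so it renders consistently as a code block. The example also repeats `authenticationEnabled: true` and `authenticationProviders`, which the block immediately above already sets, so say explicitly that this block replaces the generic one or show only the TLS-specific lines. Since `brokerClientAuthenticationParameters` points at an admin key file, a sentence on who that certificate identifies to the broker would be worth adding.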
@@ -144,10 +161,11 @@ properties:
##### Enable Authorization Provider
-To enable authorization on Functions Worker, you need to configure `authorizationEnabled` and `configurationStoreServers`. The authentication provider connects to `configurationStoreServers` to receive namespace policies.
+To enable authorization on Functions Worker, you need to configure `authorizationEnabled`, `authorizationProvider` and `configurationStoreServers`. The authentication provider connects to `configurationStoreServers` to receive namespace policies.
```yaml
authorizationEnabled: true
+authorizationProvider: org.apache.pulsar.broker.authorization.PulsarAuthorizationProvider
configurationStoreServers: <configuration-store-servers>
```
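Review bot: The rewritten sentence still ends with "The authentication provider connects to `configurationStoreServers` to receive namespace policies", although this section is about authorization and the setting being introduced is `authorizationProvider`. Since the line is being touched anyway, change it to "authorization provider" so the text matches the config below it. It would also help to state whether `authorizationProvider` is required or has a default when omitted, because the sentence now lists it alongside the two settings that were already documented as needed.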