Posted to commits@pulsar.apache.org by si...@apache.org on 2020/04/14 08:44:41 UTC
[pulsar] branch master updated: separate function worker and broker
client TLS configuration (#6602)
This is an automated email from the ASF dual-hosted git repository.
sijie pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/pulsar.git
The following commit(s) were added to refs/heads/master by this push:
new 6f9eb5e separate function worker and broker client TLS configuration (#6602)
6f9eb5e is described below
commit 6f9eb5e3cd19db1017d317356ba9cc293786aafa
Author: luceneReader <54...@qq.com>
AuthorDate: Tue Apr 14 16:44:31 2020 +0800
separate function worker and broker client TLS configuration (#6602)
Fixes: #6521
### Motivation
Separate function worker and broker client TLS configuration
---
conf/functions_worker.yml | 6 ++++++
.../org/apache/pulsar/functions/worker/WorkerConfig.java | 10 +++++++++-
.../org/apache/pulsar/functions/worker/WorkerService.java | 13 +++++++++++--
3 files changed, 26 insertions(+), 3 deletions(-)
diff --git a/conf/functions_worker.yml b/conf/functions_worker.yml
index 73314e5..2a90992 100644
--- a/conf/functions_worker.yml
+++ b/conf/functions_worker.yml
@@ -192,6 +192,12 @@ tlsAllowInsecureConnection: false
# Tls cert refresh duration in seconds (set 0 to check on every new connection)
tlsCertRefreshCheckDurationSec: 300
+############################################
+# security settings for pulsar broker client
+############################################
+# The path to trusted certificates used by the Pulsar client to authenticate with Pulsar brokers
+brokerClientTrustCertsFilePath:
+
########################
# State Management
########################
diff --git a/pulsar-functions/runtime/src/main/java/org/apache/pulsar/functions/worker/WorkerConfig.java b/pulsar-functions/runtime/src/main/java/org/apache/pulsar/functions/worker/WorkerConfig.java
index 24883df..4ffffe9 100644
--- a/pulsar-functions/runtime/src/main/java/org/apache/pulsar/functions/worker/WorkerConfig.java
+++ b/pulsar-functions/runtime/src/main/java/org/apache/pulsar/functions/worker/WorkerConfig.java
@@ -268,7 +268,7 @@ public class WorkerConfig implements Serializable, PulsarConfiguration {
)
private String tlsKeyFilePath;
@FieldContext(
- category = CATEGORY_SECURITY,
+ category = CATEGORY_WORKER_SECURITY,
doc = "Path for the trusted TLS certificate file"
)
private String tlsTrustCertsFilePath = "";
@@ -333,6 +333,14 @@ public class WorkerConfig implements Serializable, PulsarConfiguration {
return tlsEnabled || workerPortTls != null;
}
+ /******** security settings for pulsar broker client **********/
+
+ @FieldContext(
+ category = CATEGORY_CLIENT_SECURITY,
+ doc = "The path to trusted certificates used by the Pulsar client to authenticate with Pulsar brokers"
+ )
+ private String brokerClientTrustCertsFilePath;
+
/******** Function Runtime configurations **********/
diff --git a/pulsar-functions/worker/src/main/java/org/apache/pulsar/functions/worker/WorkerService.java b/pulsar-functions/worker/src/main/java/org/apache/pulsar/functions/worker/WorkerService.java
index b23c707..6fe7500 100644
--- a/pulsar-functions/worker/src/main/java/org/apache/pulsar/functions/worker/WorkerService.java
+++ b/pulsar-functions/worker/src/main/java/org/apache/pulsar/functions/worker/WorkerService.java
@@ -125,9 +125,18 @@ public class WorkerService {
: workerConfig.getWorkerWebAddress();
if (workerConfig.isAuthenticationEnabled()) {
+ // for compatible, if user do not define brokerClientTrustCertsFilePath, we will use tlsTrustCertsFilePath,
+ // otherwise we will use brokerClientTrustCertsFilePath
+ final String pulsarClientTlsTrustCertsFilePath;
+ if (StringUtils.isNotBlank(workerConfig.getBrokerClientTrustCertsFilePath())) {
+ pulsarClientTlsTrustCertsFilePath = workerConfig.getBrokerClientTrustCertsFilePath();
+ } else {
+ pulsarClientTlsTrustCertsFilePath = workerConfig.getTlsTrustCertsFilePath();
+ }
+
this.brokerAdmin = WorkerUtils.getPulsarAdminClient(workerConfig.getPulsarWebServiceUrl(),
workerConfig.getClientAuthenticationPlugin(), workerConfig.getClientAuthenticationParameters(),
- workerConfig.getTlsTrustCertsFilePath(), workerConfig.isTlsAllowInsecureConnection(),
+ pulsarClientTlsTrustCertsFilePath, workerConfig.isTlsAllowInsecureConnection(),
workerConfig.isTlsHostnameVerificationEnable());
this.functionAdmin = WorkerUtils.getPulsarAdminClient(functionWebServiceUrl,
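Review bot: Only the trust-certs path is separated for the broker client; the `brokerAdmin` call still passes `workerConfig.isTlsAllowInsecureConnection()` and `workerConfig.isTlsHostnameVerificationEnable()`, and so does the `getPulsarClient` call in the next hunk. Since `tlsAllowInsecureConnection` lives in the worker's own TLS section of functions_worker.yml, relaxing it there would presumably also relax certificate validation toward the brokers, and the dedicated trust file would then no longer protect that connection. Consider broker-client variants of those two flags with the same fallback, or at least extend the comment above the selection to say that they remain shared. A startup log line naming the selected file, e.g. `log.info("Broker client TLS trust certs file: {}", pulsarClientTlsTrustCertsFilePath);`, would make the silent fallback visible to operators (this assumes the class has a logger, which the hunk does not show). The enclosing method starts and ends outside the hunk.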
@@ -138,7 +147,7 @@ public class WorkerService {
this.client = WorkerUtils.getPulsarClient(this.workerConfig.getPulsarServiceUrl(),
workerConfig.getClientAuthenticationPlugin(),
workerConfig.getClientAuthenticationParameters(),
- workerConfig.isUseTls(), workerConfig.getTlsTrustCertsFilePath(),
+ workerConfig.isUseTls(), pulsarClientTlsTrustCertsFilePath,
workerConfig.isTlsAllowInsecureConnection(), workerConfig.isTlsHostnameVerificationEnable());
} else {
this.brokerAdmin = WorkerUtils.getPulsarAdminClient(workerConfig.getPulsarWebServiceUrl());
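Review bot: The trust-path selection is declared inside `if (workerConfig.isAuthenticationEnabled())`, so in the `else` branch `brokerAdmin` is built from `getPulsarWebServiceUrl()` alone and `brokerClientTrustCertsFilePath` is never read. A worker that reaches brokers over TLS without client authentication would therefore seem to get no custom trust store. That coupling predates this commit, but the new setting inherits it without saying so. Either hoist the selection above the `if` and pass the path in both branches, or state in the setting's documentation that it only takes effect when authentication is enabled. The rest of the `else` branch lies outside the hunk, so the other clients built there were not checked.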