Posted to commits@pulsar.apache.org by GitBox <gi...@apache.org> on 2022/06/27 05:31:11 UTC

[GitHub] [pulsar] rdhabalia opened a new pull request, #16234: Support encryption in websocket proxy

rdhabalia opened a new pull request, #16234:
URL: https://github.com/apache/pulsar/pull/16234

   ### Motivation
   Websocket proxy can be used by a user to deploy at the client side to serve as a proxy between the client app and the broker. However, the user also wants to enable encryption by publishing and consuming encrypted messages. Therefore, the user wants to enable encryption at the websocket proxy, which can encrypt publish/consume messages for the user. So, we need encryption support at the Websocket proxy, which can use a user-provided `CryptoKeyReader` implementation and load the appropriate encryption keys to publish/consume encrypted messages.
   
   ### Modification
   - Support configurable `CryptoKeyReaderFactory` at websocket proxy which can create `CryptoKeyReader` for websocket
   - websocket producer supports encryption-keys to encrypt message
   - websocket consumer supports message decryption
   
   ### Result
   Websocket supports encryption/decryption for producer/consumer/reader.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@pulsar.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


[GitHub] [pulsar] github-actions[bot] commented on pull request #16234: Support encryption in websocket proxy

Posted by GitBox <gi...@apache.org>.
github-actions[bot] commented on PR #16234:
URL: https://github.com/apache/pulsar/pull/16234#issuecomment-1166889453

   @rdhabalia Please provide a correct documentation label for your PR.
   Instructions see [Pulsar Documentation Label Guide](https://docs.google.com/document/d/1Qw7LHQdXWBW9t2-r-A7QdFDBwmZh6ytB4guwMoXHqc0).




[GitHub] [pulsar] merlimat commented on a diff in pull request #16234: Support encryption in websocket proxy

Posted by GitBox <gi...@apache.org>.
merlimat commented on code in PR #16234:
URL: https://github.com/apache/pulsar/pull/16234#discussion_r916097684


##########
pulsar-websocket/src/main/java/org/apache/pulsar/websocket/service/WebSocketProxyConfiguration.java:
##########
@@ -245,6 +245,11 @@ public class WebSocketProxyConfiguration implements PulsarConfiguration {
     )
     private Set<String> webServiceTlsCiphers = new TreeSet<>();
 
+    @FieldContext(
+            doc = "CryptoKeyReader factory classname to support encryption at websocket."
+    )
+    private String cryptoKeyReaderFactoryClassName;
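
Review bot: The `doc` string on `cryptoKeyReaderFactoryClassName` does not say which interface the named class must implement or what the proxy does when the value is left unset; the field has no default, so it is null unless configured. Suggest stating both in the doc text (for example, that encryption is disabled when the value is empty, if that is the intended behaviour) and checking at startup that the configured class loads and is of the expected factory type, so a typo or an unintended class name is rejected before the proxy starts serving.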

Review Comment:
   Does this mean that the key needs to be available in the WebSocket server? 
   Wouldn't it be easier to have the keys submitted by the WS client application? Otherwise the WS server will have to store all the private keys for all the topics that need to be exposed in this way.





[GitHub] [pulsar] rdhabalia merged pull request #16234: Support encryption in websocket proxy

Posted by GitBox <gi...@apache.org>.
rdhabalia merged PR #16234:
URL: https://github.com/apache/pulsar/pull/16234




[GitHub] [pulsar] rdhabalia commented on a diff in pull request #16234: Support encryption in websocket proxy

Posted by GitBox <gi...@apache.org>.
rdhabalia commented on code in PR #16234:
URL: https://github.com/apache/pulsar/pull/16234#discussion_r916343142


##########
pulsar-websocket/src/main/java/org/apache/pulsar/websocket/service/WebSocketProxyConfiguration.java:
##########
@@ -245,6 +245,11 @@ public class WebSocketProxyConfiguration implements PulsarConfiguration {
     )
     private Set<String> webServiceTlsCiphers = new TreeSet<>();
 
+    @FieldContext(
+            doc = "CryptoKeyReader factory classname to support encryption at websocket."
+    )
+    private String cryptoKeyReaderFactoryClassName;
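
Review bot: `cryptoKeyReaderFactoryClassName` is a single value on `WebSocketProxyConfiguration`, so one factory class applies to the whole proxy, and the `doc` string does not mention that scope. Suggest adding to the doc text that the key reader created from this setting is shared proxy-wide and resolves keys on the proxy host, so operators know the setting belongs on a proxy they are willing to trust with key access.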

Review Comment:
   Websocket proxy can be used at the client side, and the user would like to take care of the entire encryption complexity at the websocket. Keys are generally stored in CKMS, and cryptoKeyReader is just a utility to read those keys. So, the producer provides the name of the encryption-key and the websocket takes care of the rest of the complexity.
   So, this feature will be useful when a single tenant deploys the websocket proxy at the client side and avoids any encryption complexity.


