Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

kerberos: authentication between client and broker #3821

Merged
merged 2 commits into from
Mar 19, 2019
Merged

kerberos: authentication between client and broker #3821

merged 2 commits into from
Mar 19, 2019

Conversation

jiazhai
Copy link
Member

@jiazhai jiazhai commented Mar 14, 2019
edited
Loading

Fixes #3652

Motivation
Currently both Zookeeper and BookKeeper could be secured by using Kerberos, It would be good to support Kerberos in Pulsar Broker and Client.
This is the sub-task for issue in #3491 to support Kerberos in Pulsar Broker and Client.
Will add proxy and web resource support in following prs.
The Kerberos authentication is similar to that in Zookeeper and BookKeeper, which leverage SASL and GSSAPI, so reused some of the code there.
PR #3658 is the first version of PR before #3677 .

Changes
provide both client and broker side support for authentication api;
add unit test.

@jiazhai jiazhai requested review from merlimat and sijie March 14, 2019 07:56
@jiazhai
Copy link
Member Author

jiazhai commented Mar 14, 2019

@eolivelli Thanks for the comments in #3658. This is the second version.

@eolivelli
Copy link
Contributor

@jiazhai I will take a look

eolivelli
eolivelli reviewed Mar 14, 2019
View reviewed changes
conf/broker.conf
### --- SASL Authentication Provider --- ###

# Whether Use SASL Authentication or not.
# TODO: used to bypass web resource check. will remove it after implementation the support.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

TODO ?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @eolivelli , yes, there is a planed work.
current step is for client <-> broker. will add the web-resource/http support in the TODO issue.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

by this parameter we could bypass the web-resource/http checking temporary.

eolivelli
eolivelli approved these changes Mar 18, 2019
View reviewed changes
Copy link
Contributor

@eolivelli eolivelli left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Lgtm

I really would like to see this feature usable in production (released)
It is the only gap from Kafka for my usecases

@sijie sijie added this to the 2.4.0 milestone Mar 19, 2019
@sijie sijie added the type/feature The PR added a new feature or issue requested a new feature label Mar 19, 2019
@sijie sijie merged commit 7064285 into apache:master Mar 19, 2019
@michaeljmarshall michaeljmarshall mentioned this pull request Nov 24, 2021
Merged
1 task
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@eolivelli eolivelli eolivelli approved these changes

@sijie sijie sijie approved these changes

@merlimat merlimat Awaiting requested review from merlimat

Assignees

@jiazhai jiazhai

Labels
area/security type/feature The PR added a new feature or issue requested a new feature
Projects
None yet
Milestone
2.4.0
Development

Successfully merging this pull request may close these issues.
3 participants
@jiazhai @eolivelli @sijie