Hi Pulsar community,

I opened https://github.com/apache/pulsar/issues/15289 for splitting client TLS
transport encryption from authentication.

Let me know what you think.

Thanks,
Zixuan

------

Motivation

The client supports TLS transport encryption and TLS authentication. The
code looks like this:

PulsarClient client = PulsarClient.builder()
                .serviceUrl("pulsar+ssl://localhost:6651")
                .tlsTrustCertsFilePath("/path/to/cacert.pem")
                .authentication(AuthenticationTls.class.getName(), authParams)
                .build();

This causes an issue: other authentication cannot be used with TLS
transport encryption, and it is also confusing that we use TLS transport
encryption by setting authentication.

Goal

Splitting client TLS transport encryption from authentication is used to
support TLS transport encryption with any authentication.

API Changes

   - Add new methods in org.apache.pulsar.client.api.ClientBuilder

public interface ClientBuilder extends Serializable, Cloneable {
    /**
     * Set the path to the TLS key file.
     *
     * @param tlsKeyFilePath
     * @return the client builder instance
     */
    ClientBuilder tlsKeyFilePath(String tlsKeyFilePath);

    /**
     * Set the path to the TLS certificate file.
     *
     * @param tlsCertificateFilePath
     * @return the client builder instance
     */
    ClientBuilder tlsCertificateFilePath(String tlsCertificateFilePath);
}

Implementation

TLS transport encryption

We can call tlsKeyFilePath(), tlsCertificateFilePath() and
tlsTrustCertsFilePath() to configure the TLS transport encryption. The
code looks like this:

PulsarClient client = PulsarClient.builder()
        .serviceUrl("pulsar+ssl://my-host:6650")
        .tlsTrustCertsFilePath("/path/to/cacert.pem")
        .tlsKeyFilePath("/path/to/client-key.pem")
        .tlsCertificateFilePath("/path/to/client-cert.pem")
        .build();

TLS transport encryption with any authentication

We can call tlsKeyFilePath(), tlsCertificateFilePath(),
tlsTrustCertsFilePath() and authentication() to configure the TLS
transport encryption with any authentication. The code looks like this:

PulsarClient client = PulsarClient.builder()
        .serviceUrl("pulsar+ssl://my-host:6650")
        .tlsTrustCertsFilePath("/path/to/cacert.pem")
        .tlsKeyFilePath("/path/to/client-key.pem")
        .tlsCertificateFilePath("/path/to/client-cert.pem")
        .authentication(AuthenticationTls.class.getName() /* or AuthenticationToken.class.getName() */, authParams)
        .build();

For AuthenticationTls, we need to check the authParams: when the
authParams is empty, we need to read the TLS config from ClientBuilder,
otherwise read it from the authParams.

Compatibility

None.
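
The AuthenticationTls fallback described above, as an added sketch that is not part of the original proposal or of Pulsar's code base. TlsIdentityResolver, TlsIdentity and resolve() are hypothetical names; the tlsCertFile/tlsKeyFile keys in the "key:value" authParams form, and rejecting a half-configured identity, are assumptions of this sketch.

```java
import java.util.HashMap;
import java.util.Map;

// Hypothetical helper, not Pulsar code: picks the client certificate/key source.
public class TlsIdentityResolver {
    record TlsIdentity(String certFile, String keyFile, String source) {}

    // Parses the "key:value,key:value" authParams form (other forms are out of scope here).
    static Map<String, String> parseAuthParams(String authParams) {
        Map<String, String> out = new HashMap<>();
        if (authParams == null || authParams.isBlank()) {
            return out;
        }
        for (String pair : authParams.split(",")) {
            String[] kv = pair.split(":", 2); // limit 2 keeps colons inside the path
            if (kv.length == 2) {
                out.put(kv[0].trim(), kv[1].trim());
            }
        }
        return out;
    }

    static TlsIdentity resolve(String authParams, String builderCert, String builderKey) {
        Map<String, String> p = parseAuthParams(authParams);
        String cert = p.get("tlsCertFile"); // assumed parameter name
        String key = p.get("tlsKeyFile");   // assumed parameter name
        String source = "authParams";
        if (p.isEmpty()) { // empty authParams: fall back to the ClientBuilder settings
            cert = builderCert;
            key = builderKey;
            source = "ClientBuilder";
        }
        // Assumption of this sketch: never pair a cert from one source with a key from the other.
        if (cert == null || key == null) {
            throw new IllegalArgumentException(
                    "certificate and key must both be set in " + source);
        }
        return new TlsIdentity(cert, key, source);
    }

    public static void main(String[] args) {
        // Constructed sample paths.
        String bCert = "/path/to/client-cert.pem";
        String bKey = "/path/to/client-key.pem";
        System.out.println(resolve("", bCert, bKey));
        System.out.println(resolve("tlsCertFile:/a/cert.pem,tlsKeyFile:/a/key.pem", bCert, bKey));
    }
}
```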
