It totally LGTM. I have a suggestion that it might be better to configure a class like `TlsConfiguration` instead of multiple TLS related configs added to `ClientBuilder`.
Thanks,
Yunze

> On April 24, 2022, at 14:15, Zixuan Liu <node...@gmail.com> wrote:
>
> Hi Pulsar community,
>
> I opened https://github.com/apache/pulsar/issues/15289 for Split client TLS
> transport encryption from authentication.
>
> Let me know what you think.
>
> Thanks,
> Zixuan
>
> ------
>
> Motivation
>
> The client supports TLS transport encryption and TLS authentication; the
> code looks like this:
>
> PulsarClient client = PulsarClient.builder()
>         .serviceUrl("pulsar+ssl://localhost:6651")
>         .tlsTrustCertsFilePath("/path/to/cacert.pem")
>         .authentication(AuthenticationTls.class.getName(), authParams)
>         .build();
>
> This causes an issue: other authentication cannot be used with TLS
> transport encryption, and it also causes confusion if we use TLS transport
> encryption by setting authentication.
>
> Goal
>
> Split client TLS transport encryption from authentication is used to
> support TLS transport encryption with any authentication.
>
> API Changes
>
> - Add new methods in org.apache.pulsar.client.api.ClientBuilder
>
> public interface ClientBuilder extends Serializable, Cloneable {
>     /**
>      * Set the path to the TLS key file.
>      *
>      * @param tlsKeyFilePath
>      * @return the client builder instance
>      */
>     ClientBuilder tlsKeyFilePath(String tlsKeyFilePath);
>
>     /**
>      * Set the path to the TLS certificate file.
>      *
>      * @param tlsCertificateFilePath
>      * @return the client builder instance
>      */
>     ClientBuilder tlsCertificateFilePath(String tlsCertificateFilePath);
> }
>
> Implementation
>
> TLS transport encryption
>
> We can call the tlsKeyFilePath(), tlsCertificateFilePath() and
> tlsTrustCertsFilePath() to configure the TLS transport encryption; the
> code looks like this:
>
> PulsarClient client = PulsarClient.builder()
>         .serviceUrl("pulsar+ssl://my-host:6650")
>         .tlsTrustCertsFilePath("/path/to/cacert.pem")
>         .tlsKeyFilePath("/path/to/client-key.pem")
>         .tlsCertificateFilePath("/path/to/client-cert.pem")
>         .build();
>
> TLS transport encryption with any authentication
>
> We can call the tlsKeyFilePath(), tlsCertificateFilePath(),
> tlsTrustCertsFilePath() and authentication() to configure the TLS
> transport encryption with any authentication; the code looks like this:
>
> PulsarClient client = PulsarClient.builder()
>         .serviceUrl("pulsar+ssl://my-host:6650")
>         .tlsTrustCertsFilePath("/path/to/cacert.pem")
>         .tlsKeyFilePath("/path/to/client-key.pem")
>         .tlsCertificateFilePath("/path/to/client-cert.pem")
>         .authentication(AuthenticationTls.class.getName() /* AuthenticationToken.class.getName()*/, authParams)
>         .build();
>
> For AuthenticationTls, we need to check the authParams: when the
> authParams is empty, we need to read TLS config from ClientBuilder,
> otherwise read from the authParams.
>
> Compatibility
>
> None.
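
The fallback rule the quoted proposal describes for AuthenticationTls (empty authParams read the TLS settings from ClientBuilder, otherwise authParams are used), as an added example that is not code from the thread or from Pulsar. The class `TlsMaterialResolver`, its methods, the `name:value` parameter format and the `tlsCertFile`/`tlsKeyFile` parameter names are assumptions of this sketch, as is the choice to reject a half-configured pair rather than mix the two sources.

```java
import java.util.LinkedHashMap;
import java.util.Map;

// Added sketch, not Pulsar code. All names here are hypothetical.
public class TlsMaterialResolver {

    /** Certificate/key pair for the handshake, plus where it came from. */
    record TlsMaterial(String certFile, String keyFile, String source) {}

    // Assumption: authParams is a comma-separated list of "name:value" pairs.
    static Map<String, String> parse(String authParams) {
        Map<String, String> out = new LinkedHashMap<>();
        if (authParams == null || authParams.isBlank()) {
            return out;
        }
        for (String pair : authParams.split(",")) {
            int sep = pair.indexOf(':'); // first colon only, so values may contain ':'
            if (sep <= 0) {
                throw new IllegalArgumentException("malformed auth param: " + pair);
            }
            out.put(pair.substring(0, sep).trim(), pair.substring(sep + 1).trim());
        }
        return out;
    }

    // Empty authParams: use the builder's TLS settings. Otherwise authParams win.
    static TlsMaterial resolve(String authParams, String builderCert, String builderKey) {
        Map<String, String> p = parse(authParams);
        return p.isEmpty()
                ? complete(builderCert, builderKey, "ClientBuilder")
                : complete(p.get("tlsCertFile"), p.get("tlsKeyFile"), "authParams");
    }

    // Reject a half-configured pair instead of mixing the two sources.
    static TlsMaterial complete(String cert, String key, String source) {
        if (cert == null || key == null) {
            throw new IllegalStateException(source + " must supply both certificate and key");
        }
        return new TlsMaterial(cert, key, source);
    }

    public static void main(String[] args) {
        // Constructed sample paths.
        String cert = "/path/to/client-cert.pem", key = "/path/to/client-key.pem";
        System.out.println(resolve("", cert, key));
        System.out.println(resolve("tlsCertFile:/auth/cert.pem,tlsKeyFile:/auth/key.pem", cert, key));
    }
}
```

Recording the source alongside the paths makes it possible to log which configuration path supplied the client certificate when a handshake is rejected.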