Hi Yunze,

Thanks for your suggestion. Your idea is great, but we have the `tlsProtocols()` and `tlsCiphers()` in `ClientBuilder`, so I use this style.

Thanks,
Zixuan

Yunze Xu <y...@streamnative.io.invalid> wrote on Mon, May 9, 2022 at 13:31:

> It totally LGTM. I have a suggestion that it might be better to configure a
> class like `TlsConfiguration` instead of multiple TLS related configs added to
> `ClientBuilder`.
>
> Thanks,
> Yunze
>
> > On April 24, 2022, at 14:15, Zixuan Liu <node...@gmail.com> wrote:
> >
> > Hi Pulsar community,
> >
> > I opened https://github.com/apache/pulsar/issues/15289 for splitting client
> > TLS transport encryption from authentication.
> >
> > Let me know what you think.
> >
> > Thanks,
> > Zixuan
> >
> > ------
> >
> > Motivation
> >
> > The client supports TLS transport encryption and TLS authentication; the
> > code looks like:
> >
> >     PulsarClient client = PulsarClient.builder()
> >             .serviceUrl("pulsar+ssl://localhost:6651")
> >             .tlsTrustCertsFilePath("/path/to/cacert.pem")
> >             .authentication(AuthenticationTls.class.getName(), authParams)
> >             .build();
> >
> > This causes an issue: we cannot use other authentication with TLS
> > transport encryption, and it also causes confusion if we use TLS transport
> > encryption by setting authentication.
> >
> > Goal
> >
> > Split client TLS transport encryption from authentication is used to
> > support TLS transport encryption with any authentication.
> >
> > API Changes
> >
> > - Add new methods in org.apache.pulsar.client.api.ClientBuilder
> >
> >     public interface ClientBuilder extends Serializable, Cloneable {
> >         /**
> >          * Set the path to the TLS key file.
> >          *
> >          * @param tlsKeyFilePath
> >          * @return the client builder instance
> >          */
> >         ClientBuilder tlsKeyFilePath(String tlsKeyFilePath);
> >
> >         /**
> >          * Set the path to the TLS certificate file.
> >          *
> >          * @param tlsCertificateFilePath
> >          * @return the client builder instance
> >          */
> >         ClientBuilder tlsCertificateFilePath(String tlsCertificateFilePath);
> >     }
> >
> > Implementation
> >
> > TLS transport encryption
> >
> > We can call the tlsKeyFilePath(), tlsCertificateFilePath() and
> > tlsTrustCertsFilePath() to configure the TLS transport encryption; the
> > code looks like:
> >
> >     PulsarClient client = PulsarClient.builder()
> >             .serviceUrl("pulsar+ssl://my-host:6650")
> >             .tlsTrustCertsFilePath("/path/to/cacert.pem")
> >             .tlsKeyFilePath("/path/to/client-key.pem")
> >             .tlsCertificateFilePath("/path/to/client-cert.pem")
> >             .build();
> >
> > TLS transport encryption with any authentication
> >
> > We can call the tlsKeyFilePath(), tlsCertificateFilePath(),
> > tlsTrustCertsFilePath() and authentication() to configure the TLS
> > transport encryption with any authentication; the code looks like:
> >
> >     PulsarClient client = PulsarClient.builder()
> >             .serviceUrl("pulsar+ssl://my-host:6650")
> >             .tlsTrustCertsFilePath("/path/to/cacert.pem")
> >             .tlsKeyFilePath("/path/to/client-key.pem")
> >             .tlsCertificateFilePath("/path/to/client-cert.pem")
> >             .authentication(AuthenticationTls.class.getName() /* AuthenticationToken.class.getName() */, authParams)
> >             .build();
> >
> > For AuthenticationTls, we need to check the authParams: when the
> > authParams is empty, we need to read TLS config from ClientBuilder,
> > otherwise read from the authParams.
> >
> > Compatibility
> >
> > None.
> >
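
The fallback rule for AuthenticationTls stated at the end of the proposal, as an added example that is not part of this thread or of Pulsar's code. The class `TlsMaterialResolver`, its record, the comma-separated `tlsCertFile:`/`tlsKeyFile:` shape of `authParams`, and the choice to reject an incomplete key/certificate pair instead of mixing the two sources are all assumptions of this sketch.

```java
import java.util.LinkedHashMap;
import java.util.Map;

// Hypothetical model of the proposed fallback; not Pulsar's implementation.
public class TlsMaterialResolver {
    /** Client key/certificate pair and the source it was taken from. */
    record TlsMaterial(String keyFile, String certFile, String source) {}

    // Assumed authParams shape: comma-separated key:value pairs.
    static Map<String, String> parse(String authParams) {
        Map<String, String> out = new LinkedHashMap<>();
        if (authParams == null || authParams.isBlank()) {
            return out;
        }
        for (String pair : authParams.split(",")) {
            String[] kv = pair.split(":", 2);
            if (kv.length != 2 || kv[0].isBlank() || kv[1].isBlank()) {
                throw new IllegalArgumentException("malformed authParams entry: " + pair);
            }
            out.put(kv[0].trim(), kv[1].trim());
        }
        return out;
    }

    // Non-empty authParams win; empty authParams fall back to the builder values.
    static TlsMaterial resolve(String authParams, String builderKey, String builderCert) {
        Map<String, String> p = parse(authParams);
        String key = p.isEmpty() ? builderKey : p.get("tlsKeyFile");
        String cert = p.isEmpty() ? builderCert : p.get("tlsCertFile");
        String source = p.isEmpty() ? "ClientBuilder" : "authParams";
        // Fail closed: half a pair is a misconfiguration, never merged across sources.
        if (key == null || cert == null) {
            throw new IllegalStateException("incomplete TLS key/cert pair from " + source);
        }
        return new TlsMaterial(key, cert, source);
    }

    public static void main(String[] args) {
        // Constructed sample paths.
        String key = "/path/to/client-key.pem";
        String cert = "/path/to/client-cert.pem";
        System.out.println(resolve("", key, cert));
        System.out.println(resolve("tlsCertFile:/other/cert.pem,tlsKeyFile:/other/key.pem", key, cert));
        try {
            resolve("tlsCertFile:/other/cert.pem", key, cert);
        } catch (IllegalStateException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The third call shows the case the proposal leaves open: `authParams` is non-empty but names only a certificate, and the sketch rejects it instead of borrowing the key from the builder.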