Thanks for your clarification. Let’s continue maintaining these configs in `ClientBuilder`.

Thanks,
Yunze

> On May 9, 2022, at 13:54, Zixuan Liu <node...@gmail.com> wrote:
>
> Hi Yunze,
>
> Thanks for your suggestion, your idea is great, but we have the
> `tlsProtocols()` and `tlsCiphers()` in `ClientBuilder`, so I use this style.
>
> Thanks,
> Zixuan
>
> Yunze Xu <y...@streamnative.io.invalid> wrote on Monday, May 9, 2022 at 13:31:
>
>> It totally LGTM. I have a suggestion that it might be better to configure a
>> class like `TlsConfiguration` instead of multiple TLS related configs added to
>> `ClientBuilder`.
>>
>> Thanks,
>> Yunze
>>
>>> On April 24, 2022, at 14:15, Zixuan Liu <node...@gmail.com> wrote:
>>>
>>> Hi Pulsar community,
>>>
>>> I opened https://github.com/apache/pulsar/issues/15289 for "Split client TLS
>>> transport encryption from authentication".
>>>
>>> Let me know what you think.
>>>
>>> Thanks,
>>> Zixuan
>>>
>>> ------
>>>
>>> Motivation
>>>
>>> The client supports TLS transport encryption and TLS authentication. The
>>> code looks like this:
>>>
>>>     PulsarClient client = PulsarClient.builder()
>>>             .serviceUrl("pulsar+ssl://localhost:6651")
>>>             .tlsTrustCertsFilePath("/path/to/cacert.pem")
>>>             .authentication(AuthenticationTls.class.getName(), authParams)
>>>             .build();
>>>
>>> This causes an issue: other authentication cannot be used with TLS
>>> transport encryption. It is also confusing that we use TLS transport
>>> encryption by setting authentication.
>>>
>>> Goal
>>>
>>> Splitting client TLS transport encryption from authentication is used to
>>> support TLS transport encryption with any authentication.
>>>
>>> API Changes
>>>
>>> - Add new methods in org.apache.pulsar.client.api.ClientBuilder
>>>
>>>     public interface ClientBuilder extends Serializable, Cloneable {
>>>         /**
>>>          * Set the path to the TLS key file.
>>>          *
>>>          * @param tlsKeyFilePath
>>>          * @return the client builder instance
>>>          */
>>>         ClientBuilder tlsKeyFilePath(String tlsKeyFilePath);
>>>
>>>         /**
>>>          * Set the path to the TLS certificate file.
>>>          *
>>>          * @param tlsCertificateFilePath
>>>          * @return the client builder instance
>>>          */
>>>         ClientBuilder tlsCertificateFilePath(String tlsCertificateFilePath);
>>>     }
>>>
>>> Implementation
>>>
>>> TLS transport encryption
>>>
>>> We can call tlsKeyFilePath(), tlsCertificateFilePath() and
>>> tlsTrustCertsFilePath() to configure the TLS transport encryption. The
>>> code looks like this:
>>>
>>>     PulsarClient client = PulsarClient.builder()
>>>             .serviceUrl("pulsar+ssl://my-host:6650")
>>>             .tlsTrustCertsFilePath("/path/to/cacert.pem")
>>>             .tlsKeyFilePath("/path/to/client-key.pem")
>>>             .tlsCertificateFilePath("/path/to/client-cert.pem")
>>>             .build();
>>>
>>> TLS transport encryption with any authentication
>>>
>>> We can call tlsKeyFilePath(), tlsCertificateFilePath(),
>>> tlsTrustCertsFilePath() and authentication() to configure the TLS
>>> transport encryption with any authentication. The code looks like this:
>>>
>>>     PulsarClient client = PulsarClient.builder()
>>>             .serviceUrl("pulsar+ssl://my-host:6650")
>>>             .tlsTrustCertsFilePath("/path/to/cacert.pem")
>>>             .tlsKeyFilePath("/path/to/client-key.pem")
>>>             .tlsCertificateFilePath("/path/to/client-cert.pem")
>>>             .authentication(AuthenticationTls.class.getName() /* AuthenticationToken.class.getName() */, authParams)
>>>             .build();
>>>
>>> For AuthenticationTls, we need to check the authParams: when the
>>> authParams is empty, we need to read the TLS config from ClientBuilder,
>>> otherwise read from the authParams.
>>>
>>> Compatibility
>>>
>>> None.
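
The precedence rule the quoted proposal gives for `AuthenticationTls` (empty authParams: read from `ClientBuilder`; otherwise read from authParams), as an added example that is not from the thread and is not Pulsar's own code. The class `TlsMaterialResolver`, the `key:value,key:value` parsing of authParams with the keys `tlsCertFile` and `tlsKeyFile`, and the rejection of a half-configured pair are assumptions made for the illustration.

```java
import java.util.HashMap;
import java.util.Map;

// Added illustration of the proposal's precedence rule; hypothetical class, not Pulsar code.
public class TlsMaterialResolver {

    /** Certificate and key paths the client would present, plus where they came from. */
    record TlsMaterial(String certFile, String keyFile, String source) {}

    // Parse the "key:value,key:value" string form of authParams (assumed format).
    static Map<String, String> parseAuthParams(String authParams) {
        Map<String, String> out = new HashMap<>();
        if (authParams == null || authParams.isBlank()) {
            return out;
        }
        for (String pair : authParams.split(",")) {
            String[] kv = pair.split(":", 2); // limit 2 keeps colons inside the path
            if (kv.length == 2) {
                out.put(kv[0].trim(), kv[1].trim());
            }
        }
        return out;
    }

    // Empty authParams: use the builder's TLS settings. Otherwise: use authParams only.
    static TlsMaterial resolve(String authParams, String builderCert, String builderKey) {
        Map<String, String> params = parseAuthParams(authParams);
        TlsMaterial m = params.isEmpty()
                ? new TlsMaterial(builderCert, builderKey, "ClientBuilder")
                : new TlsMaterial(params.get("tlsCertFile"), params.get("tlsKeyFile"), "authParams");
        // Assumption: fail fast on a half-configured pair instead of mixing the two
        // sources or connecting without a client certificate.
        if (m.certFile() == null || m.keyFile() == null) {
            throw new IllegalArgumentException("incomplete TLS key/cert pair from " + m.source());
        }
        return m;
    }

    public static void main(String[] args) {
        // Constructed sample paths.
        String cert = "/path/to/client-cert.pem";
        String key = "/path/to/client-key.pem";
        System.out.println(resolve("", cert, key));
        System.out.println(resolve("tlsCertFile:/alt/cert.pem,tlsKeyFile:/alt/key.pem", cert, key));
        try {
            resolve("tlsCertFile:/alt/cert.pem", cert, key); // key missing in authParams
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```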