Hi Michael, It's not the same here.
If you use AuthenticationTLS, which means you enable TLS authentication and
transport.
```
PulsarClient client = PulsarClient.builder()
.serviceUrl("pulsar://my-host:6651")
.tlsTrustCertsFilePath("/path/to/cacert.pem")
.tlsKeyFilePath("/path/to/client-key.pem")
.tlsCertificateFilePath("/path/to/client-cert.pem")
.authentication(AuthenticationTls.class.getName()) //
AuthenticationTls will uses the above certificate.
.build();
```
If you remove AuthenticationTLS, means we only use TLS transport.
Thanks,
Zixuan
Michael Marshall <mmarsh...@apache.org> 于2022年5月14日周六 13:27写道:
> Thanks for your responses, Zixuan.
>
> I think it might make sense to eventually deprecate the
> AuthenticationTLS class, if only because I think it can be confusing
> to give users two ways to configure the same thing. However, that is a
> minor detail. For now, we'll need to support both.
>
> Thanks,
> Michael
>
> On Thu, May 12, 2022 at 4:43 AM Zixuan Liu <node...@gmail.com> wrote:
> >
> > You can see the code in the implementation part, this will be consistent
> > with the actual document.
> >
> > Zixuan Liu <node...@gmail.com> 于2022年5月12日周四 17:03写道:
> >
> > > Hi Michael,
> > >
> > > Thanks for your feedback!
> > >
> > > > I notice that the PIP doesn't
> > > mention documentation. Since we're adding another way to configure
> > > mTLS, please make sure to document the recommended way that users
> > > should take advantage of this feature and how this feature relates to
> the
> > > existing AuthenticationTLS feature.
> > >
> > > Good idea, let me add a simple document that how to use TLS transport
> and
> > > TLS authentication.
> > >
> > > > We are removing the client's need to use the AuthenticationTLS class
> > > to perform TLS authentication of clients by the server.
> > >
> > > We don't remove the use of the AuthenticationTLS.
> > >
> > > > If a user wants to use TLS certificates for authorization, they can
> > > still put
> > > roles in their client certificates and continue to use the
> > > AuthenticationProviderTLS class to map a TLS certificate to a role on
> > > the server side.
> > >
> > > You are right, the users still can use the AuthenticationTLS to perform
> > > the TLS transport and TLS authentication.
> > >
> > > Currently, the AuthenticationTLS includes TLS transport and TLS
> > > authentication, if the user only uses the TLS transport, not use the
> TLS
> > > authentication, it is confusing, so I want to add a TLS transport
> config in
> > > `ClientBuilder`.
> > >
> > > Thanks,
> > > Zixuan
> > >
> > >
> > > Michael Marshall <mmarsh...@apache.org> 于2022年5月12日周四 01:51写道:
> > >
> > >> I agree that the current state of this feature is a bit confusing, and
> > >> I think the proposed changes make sense. I notice that the PIP doesn't
> > >> mention documentation. Since we're adding another way to configure
> > >> mTLS, please make sure to document the recommended way that users
> > >> should take advantage of this feature and how this feature relates to
> the
> > >> existing AuthenticationTLS feature.
> > >>
> > >> In order to make sure I understand the feature correctly, can you
> > >> confirm that the following is correct?
> > >>
> > >> We are removing the client's need to use the AuthenticationTLS class
> > >> to perform TLS authentication of clients by the server. If a user
> > >> wants to use TLS certificates for authorization, they can still put
> > >> roles in their client certificates and continue to use the
> > >> AuthenticationProviderTLS class to map a TLS certificate to a role on
> > >> the server side.
> > >>
> > >> Thanks,
> > >> Michael
> > >>
> > >>
> > >>
> > >>
> > >>
> > >>
> > >> On Mon, May 9, 2022 at 12:58 AM Yunze Xu <y...@streamnative.io.invalid
> >
> > >> wrote:
> > >> >
> > >> > Thanks for your clarification. Let’s continue maintaining these
> configs
> > >> in
> > >> > `ClientBuilder`.
> > >> >
> > >> > Thanks,
> > >> > Yunze
> > >> >
> > >> >
> > >> >
> > >> >
> > >> > > 2022年5月9日 13:54,Zixuan Liu <node...@gmail.com> 写道:
> > >> > >
> > >> > > Hi Yunze,
> > >> > >
> > >> > > Thanks for your suggestion, your idea is great, but we have the
> > >> > > `tlsProtocols()` and `tlsCiphers()` in `ClientBuilder`, so I use
> this
> > >> style.
> > >> > >
> > >> > > Thanks,
> > >> > > Zixuan
> > >> > >
> > >> > > Yunze Xu <y...@streamnative.io.invalid> 于2022年5月9日周一 13:31写道:
> > >> > >
> > >> > >> It totally LGTM. I have a suggestion that it might be better to
> > >> configure a
> > >> > >> class like `TlsConfiguration` instead of multiple TLS related
> configs
> > >> > >> added to
> > >> > >> `ClientBuilder`.
> > >> > >>
> > >> > >> Thanks,
> > >> > >> Yunze
> > >> > >>
> > >> > >>
> > >> > >>
> > >> > >>
> > >> > >>> 2022年4月24日 14:15,Zixuan Liu <node...@gmail.com> 写道:
> > >> > >>>
> > >> > >>> Hi Pulsar community,
> > >> > >>>
> > >> > >>> I open a https://github.com/apache/pulsar/issues/15289 for
> Split
> > >> client
> > >> > >> TLS
> > >> > >>> transport encryption from authentication.
> > >> > >>>
> > >> > >>> Let me know what you think.
> > >> > >>>
> > >> > >>> Thanks,
> > >> > >>> Zixuan
> > >> > >>>
> > >> > >>> ------
> > >> > >>>
> > >> > >>> Motivation
> > >> > >>>
> > >> > >>> The client supports TLS transport encryption and TLS
> > >> authentication, this
> > >> > >>> code so like:
> > >> > >>>
> > >> > >>> PulsarClient client = PulsarClient.builder()
> > >> > >>> .serviceUrl("pulsar+ssl://localhost:6651")
> > >> > >>> .tlsTrustCertsFilePath("/path/to/cacert.pem")
> > >> > >>> .authentication(AuthenticationTls.class.getName(),
> > >> > >> authParams)
> > >> > >>> .build()
> > >> > >>>
> > >> > >>> This causes an issue that cannot use other authentication with
> TLS
> > >> > >>> transport encryption, and also made our confusion if we use TLS
> > >> transport
> > >> > >>> encryption by setting authentication.
> > >> > >>> Goal
> > >> > >>>
> > >> > >>> Split client TLS transport encryption from authentication is
> used to
> > >> > >>> support TLS transport encryption with any authentication.
> > >> > >>> API Changes
> > >> > >>>
> > >> > >>> - Add new methods in org.apache.pulsar.client.api.ClientBuilder
> > >> > >>>
> > >> > >>> public interface ClientBuilder extends Serializable, Cloneable {
> > >> > >>> /** * Set the path to the TLS key file. * * @param
> > >> > >>> tlsKeyFilePath * @return the client builder instance */
> > >> > >>> ClientBuilder tlsKeyFilePath(String tlsKeyFilePath);
> > >> > >>>
> > >> > >>> /** * Set the path to the TLS certificate file. *
> *
> > >> > >>> @param tlsCertificateFilePath * @return the client builder
> > >> > >>> instance */
> > >> > >>> ClientBuilder tlsCertificateFilePath(String
> > >> tlsCertificateFilePath);
> > >> > >>> }
> > >> > >>>
> > >> > >>> ImplementationTLS transport encryption
> > >> > >>>
> > >> > >>> We can call the tlsKeyFilePath(), tlsCertificateFilePath() and
> > >> > >>> tlsTrustCertsFilePath() to configurate the TLS transport
> > >> encryption, the
> > >> > >>> code so like:
> > >> > >>>
> > >> > >>> PulsarClient client = PulsarClient.builder()
> > >> > >>> .serviceUrl("pulsar+ssl://my-host:6650")
> > >> > >>> .tlsTrustCertsFilePath("/path/to/cacert.pem")
> > >> > >>> .tlsKeyFilePath("/path/to/client-key.pem")
> > >> > >>> .tlsCertificateFilePath("/path/to/client-cert.pem")
> > >> > >>> .build();
> > >> > >>>
> > >> > >>> TLS transport encryption with any authentication
> > >> > >>>
> > >> > >>> We can call the tlsKeyFilePath(), tlsCertificateFilePath(),
> > >> > >>> tlsTrustCertsFilePath() and authentication() to configurate the
> TLS
> > >> > >>> transport encryption with any authentication, the code so like:
> > >> > >>>
> > >> > >>> PulsarClient client = PulsarClient.builder()
> > >> > >>> .serviceUrl("pulsar+ssl://my-host:6650")
> > >> > >>> .tlsTrustCertsFilePath("/path/to/cacert.pem")
> > >> > >>> .tlsKeyFilePath("/path/to/client-key.pem")
> > >> > >>> .tlsCertificateFilePath("/path/to/client-cert.pem")
> > >> > >>> .authentication(AuthenticationTls.class.getName() /*
> > >> > >>> AuthenticationToken.class.getName()*/, authParams)
> > >> > >>> .builder()
> > >> > >>>
> > >> > >>> For AuthenticationTls, we need to do check the authParams, when
> the
> > >> > >>> authParams is empty, we need to read TLS config from
> ClientBuilder,
> > >> > >>> otherwise read from the authParams
> > >> > >>> Compatibility
> > >> > >>>
> > >> > >>> None.
> > >> > >>
> > >> > >>
> > >> >
> > >>
> > >
>
