https://github.com/apache/pulsar/issues/4696 is different from this PIP. When using mTLS authentication, the users must set the common name in the cert; when using mTLS transport, the common name is unnecessary.
This PIP's goal is how to get the role from the TLS certificate.

> Environments like SPIFFE would get out-of-the-box support from pulsar

Today I learned again about SPIFFE, which is widely used in the k8s environment. This is a benefit for the pulsar.

> Are you suggesting the pulsar community won't benefit from this and host it
> in other git repo as separate plugin?

I don't object to this PIP; I just feel that it introduces a lot of configuration values (san-ip, san-dns, ...). Let's wait for feedback from others.

Thanks,
Zixuan

naresh <vnareshku...@gmail.com> wrote on Sat, Jun 22, 2024 at 14:05:

> Hi Liu,
>
> Only 2 new properties are added. I have already implemented code extending
> AuthenticationProviderTls
>
> I have gone through older tickets which asked for this feature
> https://github.com/apache/pulsar/issues/4696
>
> Environments like SPIFFE would get out-of-the-box support from pulsar with
> this PIP as well as above ticket.
>
> Are you suggesting the pulsar community won't benefit from this and host it
> in other git repo as separate plugin?
>
> Thanks
> Naresh
>
> On Thu, 20 Jun 2024 at 7:54 PM, Zixuan Liu <node...@gmail.com> wrote:
>
> > Hi naresh,
> >
> > Right now the Pulsar can only get the role from a common name, your PIP is
> > an awesome idea that supports URI, DNS, RID, IP based Token as role, and is
> > very helpful for large organizations.
> >
> > In this PIP, you will introduce many configurations of identity mechanisms,
> > which are complex if users are not clear about their application scenarios.
> >
> > I voted 0 for this PIP, and I suggest you implement your authentication
> > provider by https://pulsar.apache.org/docs/next/security-extending.
> >
> > Thanks,
> > Zixuan
> >
> > naresh <vnareshku...@gmail.com> wrote on Sat, Jun 15, 2024 at 16:24:
> >
> > > Hello,
> > >
> > > This is my PIP Request at https://github.com/apache/pulsar/pull/22917
> > >
> > > If this PIP is acceptable, I am considering the following for the code
> > > changes:
> > >
> > > 1. Enhance the existing
> > >    org.apache.pulsar.broker.authentication.AuthenticationProviderTls class to
> > >    support these changes
> > > 2. Create a new class
> > >    org.apache.pulsar.broker.authentication.AuthenticationProviderTlsSan that's
> > >    backward compatible with current implementation
> > >
> > > Currently, I have made code changes on my local to support option-2. Before
> > > I go far, requesting some feedback on the overall proposal.
> > >
> > > Thanks
> > > Naresh