nodece opened a new issue, #15289:
URL: https://github.com/apache/pulsar/issues/15289
## Motivation
The client supports TLS transport encryption and TLS authentication. The code
looks like this:
```java
PulsarClient client = PulsarClient.builder()
    .serviceUrl("pulsar+ssl://localhost:6651")
    .tlsTrustCertsFilePath("/path/to/cacert.pem")
    // The client key and certificate are passed through authParams
    .authentication(AuthenticationTls.class.getName(), authParams)
    .build();
```
This causes a problem: other authentication methods cannot be used with TLS
transport encryption. It is also confusing to us that TLS transport encryption
is configured by setting `authentication`.
## Goal
Split client TLS transport encryption from authentication, in order to support
TLS transport encryption with any authentication.
## API Changes
- Add new methods in `org.apache.pulsar.client.api.ClientBuilder`
```java
public interface ClientBuilder extends Serializable, Cloneable {
    /**
     * Set the path to the TLS key file.
     *
     * @param tlsKeyFilePath
     * @return the client builder instance
     */
    ClientBuilder tlsKeyFilePath(String tlsKeyFilePath);

    /**
     * Set the path to the TLS certificate file.
     *
     * @param tlsCertificateFilePath
     * @return the client builder instance
     */
    ClientBuilder tlsCertificateFilePath(String tlsCertificateFilePath);
}
```
## Implementation
### TLS transport encryption
We can call `tlsKeyFilePath()`, `tlsCertificateFilePath()` and
`tlsTrustCertsFilePath()` to configure TLS transport encryption. The code looks
like this:
```java
PulsarClient client = PulsarClient.builder()
    .serviceUrl("pulsar+ssl://my-host:6650")
    .tlsTrustCertsFilePath("/path/to/cacert.pem")
    .tlsKeyFilePath("/path/to/client-key.pem")
    .tlsCertificateFilePath("/path/to/client-cert.pem")
    .build();
```
### TLS transport encryption with any authentication
We can call `tlsKeyFilePath()`, `tlsCertificateFilePath()`,
`tlsTrustCertsFilePath()` and `authentication()` to configure TLS transport
encryption with any authentication. The code looks like this:
```java
PulsarClient client = PulsarClient.builder()
    .serviceUrl("pulsar+ssl://my-host:6650")
    .tlsTrustCertsFilePath("/path/to/cacert.pem")
    .tlsKeyFilePath("/path/to/client-key.pem")
    .tlsCertificateFilePath("/path/to/client-cert.pem")
    // AuthenticationToken.class.getName() can be used here instead
    .authentication(AuthenticationTls.class.getName(), authParams)
    .build();
```
For `AuthenticationTls`, we need to check the authParams: when the authParams
is empty, we need to read the TLS config from `ClientBuilder`; otherwise, read
it from the authParams.
### Compatibility
None.
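The `AuthenticationTls` fallback rule from the Implementation section, as an added example that is not part of the original issue and is not Pulsar source code. `TlsMaterialResolver`, `TlsMaterial` and the sample paths are hypothetical; it assumes the plain-string authParams form with the `tlsCertFile` and `tlsKeyFile` keys, and Java 16+ for `record`.

```java
import java.util.HashMap;
import java.util.Map;

// Added illustration, not Pulsar code: all class and method names are hypothetical.
public class TlsMaterialResolver {

    /** Effective client certificate/key pair and the place it was read from. */
    record TlsMaterial(String certFile, String keyFile, String source) {}

    /** Parses the "k1:v1,k2:v2" string form of authParams into a map. */
    static Map<String, String> parseAuthParams(String authParams) {
        Map<String, String> out = new HashMap<>();
        for (String pair : authParams.split(",")) {
            String[] kv = pair.split(":", 2); // limit 2 keeps ':' inside a path intact
            if (kv.length == 2) {
                out.put(kv[0].trim(), kv[1].trim());
            }
        }
        return out;
    }

    /** Empty authParams fall back to the builder-level paths; otherwise authParams win. */
    static TlsMaterial resolve(String builderCert, String builderKey, String authParams) {
        boolean fromBuilder = authParams == null || authParams.isBlank();
        Map<String, String> p = fromBuilder ? Map.of() : parseAuthParams(authParams);
        String cert = fromBuilder ? builderCert : p.get("tlsCertFile");
        String key = fromBuilder ? builderKey : p.get("tlsKeyFile");
        String source = fromBuilder ? "ClientBuilder" : "authParams";
        // Fail closed: never mix a certificate from one source with a key from the
        // other, and never continue silently with half a key pair.
        if (cert == null || cert.isBlank() || key == null || key.isBlank()) {
            throw new IllegalArgumentException("incomplete TLS key pair in " + source);
        }
        return new TlsMaterial(cert, key, source);
    }

    public static void main(String[] args) {
        // Constructed sample paths, for illustration only.
        String cert = "/path/to/client-cert.pem";
        String key = "/path/to/client-key.pem";
        System.out.println(resolve(cert, key, ""));  // source=ClientBuilder
        System.out.println(resolve(cert, key,
                "tlsCertFile:/other/cert.pem,tlsKeyFile:/other/key.pem")); // source=authParams
        try {
            resolve(cert, key, "tlsCertFile:/other/cert.pem"); // key missing
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```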