Re: [D] Variations for TLS connectivity support in Pulsar Clients [pulsar]

Fri, 14 Feb 2025 06:45:37 -0800 


GitHub user shasank112001 edited a discussion: Variations for TLS connectivity 
support in Pulsar Clients

So, I noticed something in the way Pulsar Client's are built that has me 
confused a bit. I see there are a few ways to implement Authentication using 
TLS, and I would like to know your opinion on which is the best way.

In Java we have the following:
```java
PulsarClient client = PulsarClient.builder()
            .allowTlsInsecureConnection(false)
            .serviceUrl(<SERVICE-URL>)
            .useKeyStoreTls(true)
            .tlsTrustStoreType("JKS")
            .tlsTrustStorePath(<PATH>)
            .tlsTrustStorePassword(***)
            .tlsKeyStoreType("JKS")
            .tlsKeyStorePath(<PATH>)
            .tlsKeyStorePassword(***)
            .build()
```

But we also have this:
```java
PulsarClient client = PulsarClient.builder()
    .serviceUrl("pulsar+ssl://broker.example.com:6651/")
    .enableTls(true)
    .tlsTrustCertsFilePath("/path/to/ca.cert.pem")
    .authentication("org.apache.pulsar.client.impl.auth.AuthenticationTls",
                    
"tlsCertFile:/path/to/my-role.cert.pem,tlsKeyFile:/path/to/my-role.key-pk8.pem")
    .build();
```

If we move over to the C# library then we have the following:
```c#
var client = PulsarClient.Builder()
                         .AuthenticateUsingClientCertificate(clientCertificate)
                         .Build();
                         
```
<b>This requires us to not use any Authentication class as was in Method 1 of 
Java.</b>

However, If we now look at Python:

```python
auth = AuthenticationTLS("/path/to/my-role.cert.pem", 
"/path/to/my-role.key-pk8.pem")
client = Client("pulsar+ssl://broker.example.com:6651/",
                tls_trust_certs_file_path="/path/to/ca.cert.pem",
                tls_allow_insecure_connection=False,
                                authentication=auth)
```

<b>We have this, with not way of providing TLS information without the use of 
an Authentication object.</b>

These inconsistencies are a bit confusing, especially as the pulsar docs 
advertise the different java implementations on the different pages.

Now my bigger concern is as TLS is important, so much so that it is often used 
as a base layer, while using JWT as Authentication, how does the community see 
this happening?

In Java, C# and GO this combination is possible because of the TLS fields being 
available outside of the Authentication Scope, however in Python this is not 
possible (atleast to my knowledge).




GitHub link: https://github.com/apache/pulsar/discussions/23987

----
This is an automatically sent email for [email protected].
To unsubscribe, please send an email to: [email protected]

Reply via email to