This is an automated email from the ASF dual-hosted git repository.
penghui pushed a commit to branch branch-2.7
in repository https://gitbox.apache.org/repos/asf/pulsar.git
The following commit(s) were added to refs/heads/branch-2.7 by this push:
new 030c660 Splitting the authentication logic of function worker and
client (#8824)
030c660 is described below
commit 030c6608cdb239ef6c89f3b50c7296328b61eb94
Author: Zixuan Liu <[email protected]>
AuthorDate: Mon Dec 7 16:33:35 2020 +0800
Splitting the authentication logic of function worker and client (#8824)
Fixes #8338
### Motivation
>In some scenarios, users use their own function-worker to connect to an
existing pulsar cluster. Their own function-worker and pulsar cluster have
different authentication methods, In the following code, when both
function-worker and client have enabled the authentication and authorization
services, the authentication and authorization can take effect. A better way is
to separate them. function-worker can enable and disable the authentication
service, and the broker-client can also e [...]
### Modifications
Add a configuration called `brokerClientAuthenticationEnabled` in the
configuration file, which is disabled by default. It controls whether
the broker-client of the function-worker enables or disables authentication.
(cherry picked from commit 3464f46f1b2bc1a6f3eca4cab682e3a81bc2591c)
---
conf/functions_worker.yml | 1 +
.../org/apache/pulsar/functions/worker/WorkerConfig.java | 12 ++++++++++++
.../org/apache/pulsar/functions/worker/WorkerService.java | 4 ++--
3 files changed, 15 insertions(+), 2 deletions(-)
diff --git a/conf/functions_worker.yml b/conf/functions_worker.yml
index ab4ba00..e1f675d 100644
--- a/conf/functions_worker.yml
+++ b/conf/functions_worker.yml
@@ -61,6 +61,7 @@ pulsarWebServiceUrl: http://localhost:8080
############################################
# security settings for pulsar broker client
############################################
+brokerClientAuthenticationEnabled: false
# The path to trusted certificates used by the Pulsar client to authenticate
with Pulsar brokers
# brokerClientTrustCertsFilePath:
# the authentication plugin to be used by the pulsar client used in worker
service
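Review bot: The added `brokerClientAuthenticationEnabled: false` is an explicit value, so for anyone starting from this file the getter added in WorkerConfig.java never reaches its fallback to `authenticationEnabled`. A deployment that turns on the worker's `authenticationEnabled` and keeps this line would run its broker client without authentication, and nothing in the file says the two settings are now independent. Shipping the key commented out, as the neighbouring `# brokerClientTrustCertsFilePath:` is, keeps inherit-from-worker as the default: `# brokerClientAuthenticationEnabled: false`. It should be preceded by a comment such as `# Whether the worker's broker client authenticates to brokers; when unset, follows authenticationEnabled`.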
diff --git
a/pulsar-functions/runtime/src/main/java/org/apache/pulsar/functions/worker/WorkerConfig.java
b/pulsar-functions/runtime/src/main/java/org/apache/pulsar/functions/worker/WorkerConfig.java
index 32acae8..18f1a96 100644
---
a/pulsar-functions/runtime/src/main/java/org/apache/pulsar/functions/worker/WorkerConfig.java
+++
b/pulsar-functions/runtime/src/main/java/org/apache/pulsar/functions/worker/WorkerConfig.java
@@ -274,6 +274,18 @@ public class WorkerConfig implements Serializable,
PulsarConfiguration {
)
private long instanceLivenessCheckFreqMs;
@FieldContext(
+ category = CATEGORY_CLIENT_SECURITY,
+ doc = "Whether to enable the broker client authentication used by
function workers to talk to brokers"
+ )
+ private Boolean brokerClientAuthenticationEnabled = null;
+ public boolean isBrokerClientAuthenticationEnabled() {
+ if (brokerClientAuthenticationEnabled != null) {
+ return brokerClientAuthenticationEnabled;
+ } else {
+ return authenticationEnabled;
+ }
+ }
+ @FieldContext(
category = CATEGORY_CLIENT_SECURITY,
doc = "The authentication plugin used by function workers to talk to
brokers"
)
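Review bot: The `doc` text on `brokerClientAuthenticationEnabled` does not say that the field is tri-state: when it is left `null`, `isBrokerClientAuthenticationEnabled()` returns `authenticationEnabled`. An operator reading the generated configuration docs needs that to know whether omitting the key disables authentication toward the brokers or inherits it. I would append `If unset, defaults to the value of authenticationEnabled` to the doc string and drop the redundant `= null` initializer. The getter body can also be a single line, `return brokerClientAuthenticationEnabled != null ? brokerClientAuthenticationEnabled : authenticationEnabled;`. The enclosing class starts and ends outside the hunk.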
diff --git
a/pulsar-functions/worker/src/main/java/org/apache/pulsar/functions/worker/WorkerService.java
b/pulsar-functions/worker/src/main/java/org/apache/pulsar/functions/worker/WorkerService.java
index 4b7e23c..4255d89 100644
---
a/pulsar-functions/worker/src/main/java/org/apache/pulsar/functions/worker/WorkerService.java
+++
b/pulsar-functions/worker/src/main/java/org/apache/pulsar/functions/worker/WorkerService.java
@@ -133,7 +133,8 @@ public class WorkerService {
? workerConfig.getFunctionWebServiceUrl()
: workerConfig.getWorkerWebAddress();
- if (workerConfig.isAuthenticationEnabled()) {
+ // using isBrokerClientAuthenticationEnabled instead of
isAuthenticationEnabled in function-worker
+ if (workerConfig.isBrokerClientAuthenticationEnabled()) {
// for compatible, if user do not define
brokerClientTrustCertsFilePath, we will use tlsTrustCertsFilePath,
// otherwise we will use brokerClientTrustCertsFilePath
final String pulsarClientTlsTrustCertsFilePath;
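Review bot: The comment added above the new condition restates the rename rather than the reason, and the branch it guards does more than select credentials. The lines visible here and in the next hunk also choose the TLS trust certificate path and pass `isTlsAllowInsecureConnection()` to the admin client. If the `else` path (outside this hunk) builds the client without those, setting `brokerClientAuthenticationEnabled` to false would also skip the trust settings; that should be confirmed. I would replace the comment with the why, e.g. `// broker-client auth is configured separately from the worker's own authentication; unset falls back to authenticationEnabled`. The `if` block and its enclosing method continue outside the hunk.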
@@ -142,7 +143,6 @@ public class WorkerService {
} else {
pulsarClientTlsTrustCertsFilePath =
workerConfig.getTlsTrustCertsFilePath();
}
-
this.brokerAdmin =
WorkerUtils.getPulsarAdminClient(workerConfig.getPulsarWebServiceUrl(),
workerConfig.getBrokerClientAuthenticationPlugin(),
workerConfig.getBrokerClientAuthenticationParameters(),
pulsarClientTlsTrustCertsFilePath,
workerConfig.isTlsAllowInsecureConnection(),