xiaotongwang1 opened a new pull request #10012:
URL: https://github.com/apache/pulsar/pull/10012
Fixes part of #8670 #9367 i feedback
### Motivation
1. SASL-SCRAM-SHA256 auth is more lightweight than SASL-Kerberos, does not need
to depend on third-party modules like a KDC, and can be used without TLS in an
intranet.
2. We can save SCRAM user info (salt, serverkey, storekeyiterations) to the meta
center (ZooKeeper now).
3. In the admin scenario, we can use the hmacsha256 sign value as a token, then we
can use curl, postman httpclient to send an admin request. It is easier and
safer than getting a sha token after SASL-Kerberos auth, and it is also suggested to use
https to protect your hmacValue.
http header: HmacAuthRoleToken like SaslAuthRoleToken
value format:
`u=pulsarAdmin&i=scram&e=1616416871193&s=C4681422F1C98DB5C02F7E5812D54E61AB5219841CC1BA3ECEF89E31FA60105`
### Modifications
1. Extend a new SASL SCRAM-SHA256, which takes effect after the user opens it.
2. Add an interface Decryption. It is better to store your password and SCRAM info
encrypted, and we will invoke your Decryption impl when loading data into
memory.
### Verifying this change
This change is already covered by existing tests, such as
SaslSCRAMAuthenticateTest, SaslScramDataTest,
like the SASL-Kerberos test cases SaslAuthenticateTest and
SaslServerTokenSignerTest
### Does this pull request potentially affect one of the following parts:
*If `yes` was chosen, please highlight the changes*
- Dependencies (does it add or upgrade a dependency): (no)
- The public API: (no)
- The schema: (no)
- The default values of configurations: (no)
- The wire protocol: (no)
- The rest endpoints: (no)
- The admin cli options: (no)
- Anything that affects deployment: (no)
### Documentation
- Does this pull request introduce a new feature? (yes)
- If yes, how is the feature documented? (not documented now; if this
feature can be merged, the doc will be updated. For now the usage can be checked in the
test cases)
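How the stored SCRAM values named in the Motivation (salt, server key, stored key, iterations) are derived and then used to check a client proof, following RFC 5802 with SHA-256. This is an added example, not code from the pull request; the function names, the sample salt and the AuthMessage are constructed, and the password is assumed to be ASCII so SASLprep normalization is skipped.

```python
import hashlib
import hmac
from typing import Optional


def h(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


def client_and_server_key(password: str, salt: bytes, iterations: int):
    # Hi() in RFC 5802 is PBKDF2-HMAC with a 32-byte output for SHA-256.
    # Assumption: ASCII password, so SASLprep normalization is skipped.
    salted = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return h(salted, b"Client Key"), h(salted, b"Server Key")


def derive_record(password: str, salt: bytes, iterations: int) -> dict:
    """Values a server persists per user; the password itself is not stored."""
    client_key, server_key = client_and_server_key(password, salt, iterations)
    return {"salt": salt, "iterations": iterations,
            "stored_key": hashlib.sha256(client_key).digest(),
            "server_key": server_key}


def client_proof(password: str, salt: bytes, iterations: int, auth_message: bytes) -> bytes:
    client_key, _ = client_and_server_key(password, salt, iterations)
    signature = h(hashlib.sha256(client_key).digest(), auth_message)
    return bytes(a ^ b for a, b in zip(client_key, signature))


def server_verify(record: dict, auth_message: bytes, proof: bytes) -> Optional[bytes]:
    """Return ServerSignature if the proof matches StoredKey, else None."""
    signature = h(record["stored_key"], auth_message)
    if len(proof) != len(signature):
        return None
    recovered = bytes(a ^ b for a, b in zip(proof, signature))
    if not hmac.compare_digest(hashlib.sha256(recovered).digest(), record["stored_key"]):
        return None
    return h(record["server_key"], auth_message)


# Constructed sample values (not taken from the pull request).
SALT = bytes(range(16))
AUTH_MESSAGE = (b"n=pulsarAdmin,r=cnonce,"
                b"r=cnoncesnonce,s=AAECAwQFBgcICQoLDA0ODw==,i=4096,"
                b"c=biws,r=cnoncesnonce")

if __name__ == "__main__":
    record = derive_record("constructed-password", SALT, 4096)
    proof = client_proof("constructed-password", SALT, 4096, AUTH_MESSAGE)
    print("accepted:", server_verify(record, AUTH_MESSAGE, proof) is not None)
```

The server side only ever touches `stored_key` and `server_key`, and the proof is bound to the nonces inside the AuthMessage, so a captured proof does not verify against a different exchange.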