This is an automated email from the ASF dual-hosted git repository.
ivank pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/incubator-pulsar.wiki.git
The following commit(s) were added to refs/heads/master by this push:
new 7230b1a Updated PIP 20: Mechanism to revoke TLS authentication (markdown)
7230b1a is described below
commit 7230b1a2f488b43efa60998b67ae1e2ad6942014
Author: Ivan Kelly <[email protected]>
AuthorDate: Thu Sep 6 10:54:47 2018 +0200
Updated PIP 20: Mechanism to revoke TLS authentication (markdown)
---
PIP-20:-Mechanism-to-revoke-TLS-authentication.md | 13 +++++++------
1 file changed, 7 insertions(+), 6 deletions(-)
diff --git a/PIP-20:-Mechanism-to-revoke-TLS-authentication.md
b/PIP-20:-Mechanism-to-revoke-TLS-authentication.md
index 7f598e8..2696e57 100644
--- a/PIP-20:-Mechanism-to-revoke-TLS-authentication.md
+++ b/PIP-20:-Mechanism-to-revoke-TLS-authentication.md
@@ -26,19 +26,20 @@ openssl x509 -in admin.cert.pem -noout -text
To revoke a certs access, there is a CLI tool.
```bash
-bin/pulsar-admin tls-certs revoke -r "Someone stole the key" \
+bin/pulsar-admin brokers revoke-tls-cert \
13:33:30:00:38:9F:60:5E:F4:12:4B:B0:5E:DF:EA:A6:AD:BD:64:54
```
-This will add the subject key identifier to zookeeper under
```/tls/revoked/<subject-key-id>```. All brokers and proxies cache the children
```/tls/revoked```. When a client connects and attempts TLS auth, the server
will check the authenticating cert against this list. When the list changes,
each server will go through the list of connected authenticated clients and
check the cert in use against this list.
+This will add the subject key identifier to the broker dynamic configuration
under the key, tls-revoked-certs. Each broker will listen for changes on this
dynamic configuration key.
+
+When a client connects and attempts TLS auth, the server will check the
authenticating cert against this list. When the list changes, each server will
go through the list of connected authenticated clients and check the cert in
use against this list.
# Changes
The following changes are needed.
-1. A rest endpoint for adding subject key identifiers to zookeeper.
-2. A cli for pushing subject key identifiers to the rest endpoint.
-3. SecurityUtility.java should wrap all TrustManagers in a wrapper, that,
after calling the parent method, checks the subject key identifier against the
revoked list. The trust managers are used by both jetty and netty connections
for negotiation (see
[demo](https://github.com/ivankelly/incubator-pulsar/commit/216c0c9ea22fb8431c2c5f1c9f597183ee400981)).
-4. Each service watches the list, and on update checks all existing
connections:
+1. A cli for adding subject key identifiers to the dynamic configuration.
+2. SecurityUtility.java should wrap all TrustManagers in a wrapper, that,
after calling the parent method, checks the subject key identifier against the
revoked list. The trust managers are used by both jetty and netty connections
for negotiation (see
[demo](https://github.com/ivankelly/incubator-pulsar/commit/216c0c9ea22fb8431c2c5f1c9f597183ee400981)).
+3. Each service watches the list, and on update checks all existing
connections:
- For netty, each TLS channel should be added to a ChannelGroup which we
can iterate over. To check a channel, the peer cert can be retrieved by
```channel.getPipeline().getHandler(SslHandler.class).getEngine().getSession().getPeerCertificateChain()```.
- For jetty, all connections can be retrieved with
```getConnectedEndpoint()```. The ```Connection``` objects can be accessed from
the returned list, and checked if they are instances of ```SSLConnection```.
Once you have an ```SSLConnection```, the peer cert can be accessed via
```sslconn.getEngine().getSession().getPeerCertificateChain()```.
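Review bot: the new CLI invocation at `+bin/pulsar-admin brokers revoke-tls-cert \` drops the `-r "Someone stole the key"` reason argument that the old `tls-certs revoke` command carried, so the entry stored under `tls-revoked-certs` records only the subject key identifier with no audit trail of why or by whom it was revoked; either keep an optional reason (and a timestamp) alongside the identifier or state explicitly that the reason is out of scope. Two further gaps in the rewritten prose: `tls-revoked-certs` is a single dynamic configuration key holding a list, so two operators revoking at the same time become a read-modify-write race unless the CLI updates the key atomically (the per-child znode layout under `/tls/revoked/<subject-key-id>` that this replaces did not have that problem), and the text should say how that is handled; and the removed paragraph said "All brokers and proxies cache the children" while the replacement says only "Each broker will listen for changes on this dynamic configuration key", so it is now unclear whether proxies still enforce the list, even though step 3 still speaks of "Each service". A sentence on how an entry is ever removed from `tls-revoked-certs` (for example once the certificate has expired) would also help, since the list otherwise grows without bound.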