+1 to Sijie's suggestion to keep this inside a managed ledger.

On Mon, Aug 13, 2018 at 3:34 PM Sijie Guo <guosi...@gmail.com> wrote:

> Ivan,
>
> Thank you for writing this up. This PIP looks great to me! +1
>
> Just one question:
>
> > This will add the subject key identifier to zookeeper under
> > /tls/revoked/<subject-key-id>. All brokers and proxies cache the children
> > /tls/revoked.
>
> Instead of using zookeeper, can we consider using a managed ledger or a
> system topic for keeping all these revoked keys?
>
> - Sijie
>
> On Tue, Aug 7, 2018 at 1:12 AM Ivan Kelly <iv...@apache.org> wrote:
>
> > Hi folks,
> >
> > This is a PIP to add a mechanism to block TLS client certs from
> > accessing Pulsar if they have been compromised.
> >
> > This is a relatively small change, but I thought it best to put it to
> > the community before moving ahead with it, as people may have opinions
> > on the approach.
> >
> > The PIP is here:
> >
> >
> > https://github.com/apache/incubator-pulsar/wiki/PIP-20%3A-Mechanism-to-revoke-TLS-authentication
> >
> > Cheers,
> > Ivan
> >
>
