morazow commented on code in PR #2506:
URL: https://github.com/apache/fluss/pull/2506#discussion_r2851653984


##########
website/docs/install-deploy/deploying-with-helm.md:
##########
@@ -245,16 +253,69 @@ The chart automatically configures listeners for internal 
cluster communication
 - **Internal Port (9123)**: Used for internal communication within the cluster
 - **Client Port (9124)**: Used for client connections
 
-Custom listener configuration:
+Default listeners configuration:
 
 ```yaml
 listeners:
   internal:
+    protocol: PLAINTEXT
     port: 9123
+    security:
+      mechanism: PLAIN
+      users: []
   client:
+    protocol: PLAINTEXT
     port: 9124
+    security:
+      mechanism: PLAIN
+      users: []
 ```
 
+To enable SASL based authentication, set any of the protocols to `SASL`.
+
+### Enabling Secure Connection
+
+With the helm deployment, you can specify authentication protocols when 
connecting to the Fluss cluster.
+
+The following table shows the supported protocols and security they provide:
+
+| Method      | Authentication | TLS Encryption     |
+|-------------|:--------------:|:------------------:|
+| `PLAINTEXT` | No             | No                 |
+| `SASL`      | Yes            | No                 |
+
+By default, the `PLAINTEXT` protocol is used.
+
+The SASL authentication will be enabled if any of the listener protocols is 
using `SASL`.
+
+Set these values for additional configurations:
+
+```yaml
+listeners:
+  internal:
+    protocol: SASL
+    port: 9123
+    security:
+      mechanism: PLAIN
+      users:
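Review bot: The heading `### Enabling Secure Connection` promises more than the table beneath it delivers. Both rows list TLS Encryption as "No" and the examples use `mechanism: PLAIN`, so a `SASL` listener authenticates the client but the username and password still cross the network unencrypted. Consider renaming the section to something like "Enabling SASL Authentication" and stating that limitation in one sentence next to the table. The sentence "To enable SASL based authentication, set any of the protocols to `SASL`" above the heading also repeats "The SASL authentication will be enabled if any of the listener protocols is using `SASL`" further down, so one of them can go. Finally, the default block shows `security.mechanism` and `users: []` under `protocol: PLAINTEXT` without saying whether those keys have any effect in that mode, and the table header says "Method" while the surrounding text and the YAML key say "protocol".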

Review Comment:
   Hello @loserwang1024 👋 ,
   
   Yes, indeed. It works because of the SASL listener prefix, [JaasContext#126](https://github.com/apache/fluss/blob/main/fluss-common/src/main/java/org/apache/fluss/security/auth/sasl/jaas/JaasContext.java#L126).
   
   For example, with both internal and client SASL enabled, the following jaas file will be created:
   
   _$ root@coordinator-server-0:/opt/fluss# cat /etc/fluss/conf/jaas.conf_
   
   ```
   internal.FlussServer {
      org.apache.fluss.security.auth.sasl.plain.PlainLoginModule required
      "user_internal-hfpjhuc1gtbq"="yOxDGiWv4QD0XILF2KBlXoStM9ITavux";
   };
   
   client.FlussServer {
      org.apache.fluss.security.auth.sasl.plain.PlainLoginModule required
      "user_mtoraz"="passWA";
   };
   
   FlussClient {
      org.apache.fluss.security.auth.sasl.plain.PlainLoginModule required
      username="internal-hfpjhuc1gtbq"
      password="yOxDGiWv4QD0XILF2KBlXoStM9ITavux";
   };
   
   ZookeeperClient {
      org.apache.fluss.shaded.zookeeper3.org.apache.zookeeper.server.auth.DigestLoginModule required
      username="zk-admin"
      password="zk-password";
   };
   ```
   
   As you can see the FlussServer is prefixed for internal and client. The FlussClient doesn't have any prefix, but it is fine since here it acts as client only for the internal communications.
   
   Then to run the client jobs:
   
   ```
   FLUSS_TEST_BOOTSTRAP=coordinator-server-0.coordinator-server-hs.fluss.svc.cluster.local:9124 FLUSS_TEST_USERNAME=mtoraz FLUSS_TEST_PASSWORD=passWA java -jar fluss-smoke-test-sasl.jar test
   ```
   
   users can use the client username and password.
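
The listener-prefix scoping described in the comment above, as an added example that is not part of the original comment or of the Fluss code base: a Python check that parses a jaas.conf in this layout and reports which accounts each listener accepts. The sample file, the function names and the policy that the internal and client listeners share no accounts are assumptions made for the illustration.

```python
import re

# Constructed sample in the layout of the jaas.conf quoted above. All names and
# passwords are placeholders, not values from a real deployment.
SAMPLE_JAAS = """
internal.FlussServer {
   org.apache.fluss.security.auth.sasl.plain.PlainLoginModule required
   "user_internal-svc"="example-internal-secret";
};
client.FlussServer {
   org.apache.fluss.security.auth.sasl.plain.PlainLoginModule required
   "user_alice"="example-a"
   "user_bob"="example-b";
};
FlussClient {
   org.apache.fluss.security.auth.sasl.plain.PlainLoginModule required
   username="internal-svc"
   password="example-internal-secret";
};
"""

# Simplified grammar: no '}' or escaped quotes inside option values.
SECTION = re.compile(r"([\w.\-]+)\s*\{(.*?)\}\s*;", re.S)
OPTION = re.compile(r'"?([\w.\-]+)"?\s*=\s*"([^"]*)"')

def parse_jaas(text):
    """Return {section name: {option: value}} for every JAAS entry."""
    return {name: dict(OPTION.findall(body)) for name, body in SECTION.findall(text)}

def listener_users(sections, listener):
    """Users a listener accepts, read from its '<listener>.FlussServer' entry."""
    opts = sections.get(f"{listener}.FlussServer", {})
    return {k[5:]: v for k, v in opts.items() if k.startswith("user_")}

def audit(sections):
    """Findings under the assumed policy that listeners share no accounts."""
    internal = listener_users(sections, "internal")
    client = listener_users(sections, "client")
    findings = []
    fc = sections.get("FlussClient")
    if fc and internal.get(fc.get("username")) != fc.get("password"):
        findings.append("FlussClient login is not accepted by the internal listener")
    for user in sorted(set(internal) & set(client)):
        findings.append(f"user {user!r} is accepted on both listeners")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_jaas(SAMPLE_JAAS)) or ["no findings"]:
        print(finding)
```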


