Add KeyStore support in WebSocket, Function Worker HTTPS Servers #15084
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
@michaeljmarshall:Thanks for your contribution. For this PR, do we need to update docs? |
michaeljmarshall
added
type/feature
michaeljmarshall
requested review from
addisonj,
codelipenghui,
eolivelli,
hezhangjian,
jiazhai,
lhotari,
merlimat and
sijie
michaeljmarshall
changed the title
nicoloboschi
approved these changes
Apr 8, 2022
Member
Author
|
@nodece - you might be interested in this work, too. Note that using a KeyStore automatically supports additional algorithms, like ECDSA, for keys, and also adds support for loading many keys. |
michaeljmarshall
added a commit
to datastax/pulsar
that referenced
this pull request
Apr 8, 2022
See apache#15084 for additional context.
nodece
reviewed
Apr 9, 2022
| + "When using TLS authentication with CACert, the valid value is either OPENSSL or JDK.\n" | ||
| + "When using TLS authentication with KeyStore, available values can be SunJSSE, Conscrypt and etc." | ||
| ) | ||
| private String tlsProvider = null; |
Member
There was a problem hiding this comment.
Update this doc like available values can be SunJSSE, Conscrypt and etc.
nodece
reviewed
Apr 9, 2022
...websocket/src/main/java/org/apache/pulsar/websocket/service/WebSocketProxyConfiguration.java
Outdated
Show resolved
Hide resolved
nodece
reviewed
Apr 9, 2022
...websocket/src/main/java/org/apache/pulsar/websocket/service/WebSocketProxyConfiguration.java
Outdated
Show resolved
Hide resolved
nodece
reviewed
Apr 9, 2022
...websocket/src/main/java/org/apache/pulsar/websocket/service/WebSocketProxyConfiguration.java
Outdated
Show resolved
Hide resolved
nodece
reviewed
Apr 9, 2022
...websocket/src/main/java/org/apache/pulsar/websocket/service/WebSocketProxyConfiguration.java
Outdated
Show resolved
Hide resolved
nodece
reviewed
Apr 9, 2022
...websocket/src/main/java/org/apache/pulsar/websocket/service/WebSocketProxyConfiguration.java
Outdated
Show resolved
Hide resolved
nodece
reviewed
Apr 9, 2022
...websocket/src/main/java/org/apache/pulsar/websocket/service/WebSocketProxyConfiguration.java
Outdated
Show resolved
Hide resolved
nodece
reviewed
Apr 9, 2022
...websocket/src/main/java/org/apache/pulsar/websocket/service/WebSocketProxyConfiguration.java
Outdated
Show resolved
Hide resolved
nodece
requested changes
Apr 9, 2022
Member
nodece
left a comment
nodece
left a comment
There was a problem hiding this comment.
Thanks, this PR is great, I left my comments.
nodece
reviewed
Apr 9, 2022
...websocket/src/main/java/org/apache/pulsar/websocket/service/WebSocketProxyConfiguration.java
Show resolved
Hide resolved
nodece
reviewed
Apr 9, 2022
...websocket/src/main/java/org/apache/pulsar/websocket/service/WebSocketProxyConfiguration.java
Show resolved
Hide resolved
nodece
reviewed
Apr 9, 2022
pulsar-functions/runtime/src/main/java/org/apache/pulsar/functions/worker/WorkerConfig.java
Show resolved
Hide resolved
nodece
reviewed
Apr 9, 2022
pulsar-functions/runtime/src/main/java/org/apache/pulsar/functions/worker/WorkerConfig.java
Show resolved
Hide resolved
nodece
approved these changes
Apr 12, 2022
michaeljmarshall
force-pushed
the
add-more-keystore-support
branch
from
5fde6dd to
e6570ee
Compare
Member
Author
|
Rebased to resolve conflicts. I didn't make any code changes. |
nicoloboschi
pushed a commit
to datastax/pulsar
that referenced
this pull request
Apr 28, 2022
…che#15084) * Add KeyStore support in WebSocket, Function Worker HTTPS Servers * Avoid leaking worker config password * Fix checkstyle * Replace broker with appropriate text in annotations * Update python script for new configs Co-authored-by: Lari Hotari <lhotari@apache.org> We support configuring KeyStores for the broker and the proxy, but not the WebSocket or the Function Worker. By adding this support, users are able to provide KeyStores of type PCKS12 or JKS, which adds flexibility. Further, these KeyStores simplify support for additional algorithms because we rely on the TLS provider to load the KeyStore instead of loading keys ourselves. * Add `KeyStoreSSLContext`s to the function worker server * Add `KeyStoreSSLContext`s to the web socket server * Add configurations to the function worker, the web socket, and the proxy configuration files to simply configuration * Rely on `toString`, not `ObjectMapper`, when converting the `WorkerConfig` to a string so that we don't log the KeyStore password. (Add a test to verify this logic. Note that we don't want the `ObjectMapper` to ignore the field because we use mappers when converting configuration classes.) I manually verified that this change works in a minikube cluster. The underlying method named `KeyStoreSSLContext#createSslContextFactory` is already used and tested, so I don't believe we need additional testing on that component. This change adds a new way to configure TLS in the WebSocket and Function Worker HTTPS Servers. As such, it adds new configuration. This configuration is named in the same way that the broker and proxy configuration is named, so it is consistent. I've documented the new configuration in the appropriate configuration files. (cherry picked from commit a410396)
codelipenghui
pushed a commit
that referenced
this pull request
May 5, 2022
) * Add KeyStore support in WebSocket, Function Worker HTTPS Servers * Avoid leaking worker config password * Fix checkstyle * Replace broker with appropriate text in annotations * Update python script for new configs Co-authored-by: Lari Hotari <lhotari@apache.org> We support configuring KeyStores for the broker and the proxy, but not the WebSocket or the Function Worker. By adding this support, users are able to provide KeyStores of type PCKS12 or JKS, which adds flexibility. Further, these KeyStores simplify support for additional algorithms because we rely on the TLS provider to load the KeyStore instead of loading keys ourselves. * Add `KeyStoreSSLContext`s to the function worker server * Add `KeyStoreSSLContext`s to the web socket server * Add configurations to the function worker, the web socket, and the proxy configuration files to simply configuration * Rely on `toString`, not `ObjectMapper`, when converting the `WorkerConfig` to a string so that we don't log the KeyStore password. (Add a test to verify this logic. Note that we don't want the `ObjectMapper` to ignore the field because we use mappers when converting configuration classes.) I manually verified that this change works in a minikube cluster. The underlying method named `KeyStoreSSLContext#createSslContextFactory` is already used and tested, so I don't believe we need additional testing on that component. This change adds a new way to configure TLS in the WebSocket and Function Worker HTTPS Servers. As such, it adds new configuration. This configuration is named in the same way that the broker and proxy configuration is named, so it is consistent. I've documented the new configuration in the appropriate configuration files. (cherry picked from commit a410396)
codelipenghui
added
release/2.9.3
release/2.8.4
release/2.10.1
cherry-picked/branch-2.8
codelipenghui
pushed a commit
that referenced
this pull request
May 5, 2022
) * Add KeyStore support in WebSocket, Function Worker HTTPS Servers * Avoid leaking worker config password * Fix checkstyle * Replace broker with appropriate text in annotations * Update python script for new configs Co-authored-by: Lari Hotari <lhotari@apache.org> We support configuring KeyStores for the broker and the proxy, but not the WebSocket or the Function Worker. By adding this support, users are able to provide KeyStores of type PCKS12 or JKS, which adds flexibility. Further, these KeyStores simplify support for additional algorithms because we rely on the TLS provider to load the KeyStore instead of loading keys ourselves. * Add `KeyStoreSSLContext`s to the function worker server * Add `KeyStoreSSLContext`s to the web socket server * Add configurations to the function worker, the web socket, and the proxy configuration files to simply configuration * Rely on `toString`, not `ObjectMapper`, when converting the `WorkerConfig` to a string so that we don't log the KeyStore password. (Add a test to verify this logic. Note that we don't want the `ObjectMapper` to ignore the field because we use mappers when converting configuration classes.) I manually verified that this change works in a minikube cluster. The underlying method named `KeyStoreSSLContext#createSslContextFactory` is already used and tested, so I don't believe we need additional testing on that component. This change adds a new way to configure TLS in the WebSocket and Function Worker HTTPS Servers. As such, it adds new configuration. This configuration is named in the same way that the broker and proxy configuration is named, so it is consistent. I've documented the new configuration in the appropriate configuration files. (cherry picked from commit a410396)
codelipenghui
pushed a commit
that referenced
this pull request
May 20, 2022
) * Add KeyStore support in WebSocket, Function Worker HTTPS Servers * Avoid leaking worker config password * Fix checkstyle * Replace broker with appropriate text in annotations * Update python script for new configs Co-authored-by: Lari Hotari <lhotari@apache.org> We support configuring KeyStores for the broker and the proxy, but not the WebSocket or the Function Worker. By adding this support, users are able to provide KeyStores of type PCKS12 or JKS, which adds flexibility. Further, these KeyStores simplify support for additional algorithms because we rely on the TLS provider to load the KeyStore instead of loading keys ourselves. * Add `KeyStoreSSLContext`s to the function worker server * Add `KeyStoreSSLContext`s to the web socket server * Add configurations to the function worker, the web socket, and the proxy configuration files to simply configuration * Rely on `toString`, not `ObjectMapper`, when converting the `WorkerConfig` to a string so that we don't log the KeyStore password. (Add a test to verify this logic. Note that we don't want the `ObjectMapper` to ignore the field because we use mappers when converting configuration classes.) I manually verified that this change works in a minikube cluster. The underlying method named `KeyStoreSSLContext#createSslContextFactory` is already used and tested, so I don't believe we need additional testing on that component. This change adds a new way to configure TLS in the WebSocket and Function Worker HTTPS Servers. As such, it adds new configuration. This configuration is named in the same way that the broker and proxy configuration is named, so it is consistent. I've documented the new configuration in the appropriate configuration files. (cherry picked from commit a410396)
nicoloboschi
pushed a commit
to datastax/pulsar
that referenced
this pull request
May 23, 2022
…che#15084) * Add KeyStore support in WebSocket, Function Worker HTTPS Servers * Avoid leaking worker config password * Fix checkstyle * Replace broker with appropriate text in annotations * Update python script for new configs Co-authored-by: Lari Hotari <lhotari@apache.org> We support configuring KeyStores for the broker and the proxy, but not the WebSocket or the Function Worker. By adding this support, users are able to provide KeyStores of type PCKS12 or JKS, which adds flexibility. Further, these KeyStores simplify support for additional algorithms because we rely on the TLS provider to load the KeyStore instead of loading keys ourselves. * Add `KeyStoreSSLContext`s to the function worker server * Add `KeyStoreSSLContext`s to the web socket server * Add configurations to the function worker, the web socket, and the proxy configuration files to simply configuration * Rely on `toString`, not `ObjectMapper`, when converting the `WorkerConfig` to a string so that we don't log the KeyStore password. (Add a test to verify this logic. Note that we don't want the `ObjectMapper` to ignore the field because we use mappers when converting configuration classes.) I manually verified that this change works in a minikube cluster. The underlying method named `KeyStoreSSLContext#createSslContextFactory` is already used and tested, so I don't believe we need additional testing on that component. This change adds a new way to configure TLS in the WebSocket and Function Worker HTTPS Servers. As such, it adds new configuration. This configuration is named in the same way that the broker and proxy configuration is named, so it is consistent. I've documented the new configuration in the appropriate configuration files. (cherry picked from commit a410396) (cherry picked from commit e6b5ec9)
nicoloboschi
pushed a commit
to datastax/pulsar
that referenced
this pull request
Jun 1, 2022
…che#15084) * Add KeyStore support in WebSocket, Function Worker HTTPS Servers * Avoid leaking worker config password * Fix checkstyle * Replace broker with appropriate text in annotations * Update python script for new configs Co-authored-by: Lari Hotari <lhotari@apache.org> We support configuring KeyStores for the broker and the proxy, but not the WebSocket or the Function Worker. By adding this support, users are able to provide KeyStores of type PCKS12 or JKS, which adds flexibility. Further, these KeyStores simplify support for additional algorithms because we rely on the TLS provider to load the KeyStore instead of loading keys ourselves. * Add `KeyStoreSSLContext`s to the function worker server * Add `KeyStoreSSLContext`s to the web socket server * Add configurations to the function worker, the web socket, and the proxy configuration files to simply configuration * Rely on `toString`, not `ObjectMapper`, when converting the `WorkerConfig` to a string so that we don't log the KeyStore password. (Add a test to verify this logic. Note that we don't want the `ObjectMapper` to ignore the field because we use mappers when converting configuration classes.) I manually verified that this change works in a minikube cluster. The underlying method named `KeyStoreSSLContext#createSslContextFactory` is already used and tested, so I don't believe we need additional testing on that component. This change adds a new way to configure TLS in the WebSocket and Function Worker HTTPS Servers. As such, it adds new configuration. This configuration is named in the same way that the broker and proxy configuration is named, so it is consistent. I've documented the new configuration in the appropriate configuration files. (cherry picked from commit a410396) (cherry picked from commit 55d41be)
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
6 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Motivation
We support configuring KeyStores for the broker and the proxy, but not the WebSocket or the Function Worker. By adding this support, users are able to provide KeyStores of type PCKS12 or JKS, which adds flexibility. Further, these KeyStores simplify support for additional algorithms because we rely on the TLS provider to load the KeyStore instead of loading keys ourselves.
Modifications
KeyStoreSSLContexts to the function worker serverKeyStoreSSLContexts to the web socket servertoString, notObjectMapper, when converting theWorkerConfigto a string so that we don't log the KeyStore password. (Add a test to verify this logic. Note that we don't want theObjectMapperto ignore the field because we use mappers when converting configuration classes.)Verifying this change
I manually verified that this change works in a minikube cluster. The underlying method named
KeyStoreSSLContext#createSslContextFactoryis already used and tested, so I don't believe we need additional testing on that component.Does this pull request potentially affect one of the following parts:
This change adds a new way to configure TLS in the WebSocket and Function Worker HTTPS Servers. As such, it adds new configuration. This configuration is named in the same way that the broker and proxy configuration is named, so it is consistent.
Documentation
I've documented the new configuration in the appropriate configuration files.