[improve] Simplify enabling Broker, WS Proxy hostname verification #19674
Merged: michaeljmarshall merged 1 commit into apache:master from michaeljmarshall:add-named-hostname-verification-config on Mar 1, 2023
lhotari
approved these changes
Mar 1, 2023
Member
lhotari
left a comment
Good work @michaeljmarshall
nicoloboschi
approved these changes
Mar 1, 2023
michaeljmarshall
added a commit
that referenced
this pull request
Mar 1, 2023
…19674) When we merged #15818 in order to make the broker's client configurable, we did not add an explicit config for hostname verification. This PR adds that config to the broker and the websocket proxy. I chose the name `tlsHostnameVerificationEnabled` because that is what is already used in the proxy. It diverges from the function worker's config of `tlsEnableHostnameVerification`. Before this PR, you would have enabled hostname verification by configuring `brokerClient_tlsHostnameVerificationEnable=true` in the broker and WS proxy configs. (Note that the variable name is slightly different because the `ClientConfiguration` does not have a `d` at the end of its name. The remaining follow up work will be to update the `ClusterData` objects to configure hostname verification there to make it easier to configure hostname verification for remote clusters. * Add `tlsHostnameVerificationEnabled` to the `broker.conf` and the `proxy.conf` * Update all of the relevant locations that were previously only relying on `brokerClient_tlsHostnameVerificationEnable` I added a single test to ensure that the `WebSocketProxyConfiguration` properly converts to the `ServiceConfiguration` object. Otherwise, I verified that anywhere we are using `"brokerClient_"`, this PR also adds the right configuration. This PR introduces a "new" configuration key, but not a new concept. All underlying behaviors are unchanged. - [x] `doc-not-needed` Docs are automatically updated by these changes. (cherry picked from commit 6621fd3)
michaeljmarshall
added a commit
that referenced
this pull request
Mar 1, 2023
…19674) When we merged #15818 in order to make the broker's client configurable, we did not add an explicit config for hostname verification. This PR adds that config to the broker and the websocket proxy. I chose the name `tlsHostnameVerificationEnabled` because that is what is already used in the proxy. It diverges from the function worker's config of `tlsEnableHostnameVerification`. Before this PR, you would have enabled hostname verification by configuring `brokerClient_tlsHostnameVerificationEnable=true` in the broker and WS proxy configs. (Note that the variable name is slightly different because the `ClientConfiguration` does not have a `d` at the end of its name. The remaining follow up work will be to update the `ClusterData` objects to configure hostname verification there to make it easier to configure hostname verification for remote clusters. * Add `tlsHostnameVerificationEnabled` to the `broker.conf` and the `proxy.conf` * Update all of the relevant locations that were previously only relying on `brokerClient_tlsHostnameVerificationEnable` I added a single test to ensure that the `WebSocketProxyConfiguration` properly converts to the `ServiceConfiguration` object. Otherwise, I verified that anywhere we are using `"brokerClient_"`, this PR also adds the right configuration. This PR introduces a "new" configuration key, but not a new concept. All underlying behaviors are unchanged. - [x] `doc-not-needed` Docs are automatically updated by these changes. (cherry picked from commit 6621fd3) (cherry picked from commit b8083b0)
michaeljmarshall
added a commit
that referenced
this pull request
Mar 1, 2023
…19674) When we merged #15818 in order to make the broker's client configurable, we did not add an explicit config for hostname verification. This PR adds that config to the broker and the websocket proxy. I chose the name `tlsHostnameVerificationEnabled` because that is what is already used in the proxy. It diverges from the function worker's config of `tlsEnableHostnameVerification`. Before this PR, you would have enabled hostname verification by configuring `brokerClient_tlsHostnameVerificationEnable=true` in the broker and WS proxy configs. (Note that the variable name is slightly different because the `ClientConfiguration` does not have a `d` at the end of its name. The remaining follow up work will be to update the `ClusterData` objects to configure hostname verification there to make it easier to configure hostname verification for remote clusters. * Add `tlsHostnameVerificationEnabled` to the `broker.conf` and the `proxy.conf` * Update all of the relevant locations that were previously only relying on `brokerClient_tlsHostnameVerificationEnable` I added a single test to ensure that the `WebSocketProxyConfiguration` properly converts to the `ServiceConfiguration` object. Otherwise, I verified that anywhere we are using `"brokerClient_"`, this PR also adds the right configuration. This PR introduces a "new" configuration key, but not a new concept. All underlying behaviors are unchanged. - [x] `doc-not-needed` Docs are automatically updated by these changes. (cherry picked from commit 6621fd3) (cherry picked from commit b8083b0) (cherry picked from commit a3a242c)
michaeljmarshall
added a commit
that referenced
this pull request
Mar 1, 2023
…19674) When we merged #15818 in order to make the broker's client configurable, we did not add an explicit config for hostname verification. This PR adds that config to the broker and the websocket proxy. I chose the name `tlsHostnameVerificationEnabled` because that is what is already used in the proxy. It diverges from the function worker's config of `tlsEnableHostnameVerification`. Before this PR, you would have enabled hostname verification by configuring `brokerClient_tlsHostnameVerificationEnable=true` in the broker and WS proxy configs. (Note that the variable name is slightly different because the `ClientConfiguration` does not have a `d` at the end of its name. The remaining follow up work will be to update the `ClusterData` objects to configure hostname verification there to make it easier to configure hostname verification for remote clusters. * Add `tlsHostnameVerificationEnabled` to the `broker.conf` and the `proxy.conf` * Update all of the relevant locations that were previously only relying on `brokerClient_tlsHostnameVerificationEnable` I added a single test to ensure that the `WebSocketProxyConfiguration` properly converts to the `ServiceConfiguration` object. Otherwise, I verified that anywhere we are using `"brokerClient_"`, this PR also adds the right configuration. This PR introduces a "new" configuration key, but not a new concept. All underlying behaviors are unchanged. - [x] `doc-not-needed` Docs are automatically updated by these changes. (cherry picked from commit 6621fd3) (cherry picked from commit b8083b0) (cherry picked from commit a3a242c) (cherry picked from commit c84c3b7)
Annavar-satish
pushed a commit
to pandio-com/pulsar
that referenced
this pull request
Mar 6, 2023
…pache#19674) When we merged apache#15818 in order to make the broker's client configurable, we did not add an explicit config for hostname verification. This PR adds that config to the broker and the websocket proxy. I chose the name `tlsHostnameVerificationEnabled` because that is what is already used in the proxy. It diverges from the function worker's config of `tlsEnableHostnameVerification`. Before this PR, you would have enabled hostname verification by configuring `brokerClient_tlsHostnameVerificationEnable=true` in the broker and WS proxy configs. (Note that the variable name is slightly different because the `ClientConfiguration` does not have a `d` at the end of its name. The remaining follow up work will be to update the `ClusterData` objects to configure hostname verification there to make it easier to configure hostname verification for remote clusters. * Add `tlsHostnameVerificationEnabled` to the `broker.conf` and the `proxy.conf` * Update all of the relevant locations that were previously only relying on `brokerClient_tlsHostnameVerificationEnable` I added a single test to ensure that the `WebSocketProxyConfiguration` properly converts to the `ServiceConfiguration` object. Otherwise, I verified that anywhere we are using `"brokerClient_"`, this PR also adds the right configuration. This PR introduces a "new" configuration key, but not a new concept. All underlying behaviors are unchanged. - [x] `doc-not-needed` Docs are automatically updated by these changes. (cherry picked from commit 6621fd3) (cherry picked from commit b8083b0) (cherry picked from commit a3a242c)
nicoloboschi
pushed a commit
to datastax/pulsar
that referenced
this pull request
Mar 9, 2023
…pache#19674) When we merged apache#15818 in order to make the broker's client configurable, we did not add an explicit config for hostname verification. This PR adds that config to the broker and the websocket proxy. I chose the name `tlsHostnameVerificationEnabled` because that is what is already used in the proxy. It diverges from the function worker's config of `tlsEnableHostnameVerification`. Before this PR, you would have enabled hostname verification by configuring `brokerClient_tlsHostnameVerificationEnable=true` in the broker and WS proxy configs. (Note that the variable name is slightly different because the `ClientConfiguration` does not have a `d` at the end of its name. The remaining follow up work will be to update the `ClusterData` objects to configure hostname verification there to make it easier to configure hostname verification for remote clusters. * Add `tlsHostnameVerificationEnabled` to the `broker.conf` and the `proxy.conf` * Update all of the relevant locations that were previously only relying on `brokerClient_tlsHostnameVerificationEnable` I added a single test to ensure that the `WebSocketProxyConfiguration` properly converts to the `ServiceConfiguration` object. Otherwise, I verified that anywhere we are using `"brokerClient_"`, this PR also adds the right configuration. This PR introduces a "new" configuration key, but not a new concept. All underlying behaviors are unchanged. - [x] `doc-not-needed` Docs are automatically updated by these changes. (cherry picked from commit 6621fd3) (cherry picked from commit b8083b0) (cherry picked from commit a3a242c)
Labels
area/broker
area/config
area/websocket
cherry-picked/branch-2.8
Archived: 2.8 is end of life
cherry-picked/branch-2.9
Archived: 2.9 is end of life
cherry-picked/branch-2.10
cherry-picked/branch-2.11
doc-not-needed
Your PR changes do not impact docs
ready-to-test
release/2.8.5
release/2.9.5
release/2.10.5
release/2.11.1
Motivation
When we merged #15818 in order to make the broker's client configurable, we did not add an explicit config for hostname verification. This PR adds that config to the broker and the websocket proxy. I chose the name `tlsHostnameVerificationEnabled` because that is what is already used in the proxy. It diverges from the function worker's config of `tlsEnableHostnameVerification`.

Before this PR, you would have enabled hostname verification by configuring `brokerClient_tlsHostnameVerificationEnable=true` in the broker and WS proxy configs. (Note that the variable name is slightly different because the `ClientConfiguration` does not have a `d` at the end of its name.

The remaining follow up work will be to update the `ClusterData` objects to configure hostname verification there to make it easier to configure hostname verification for remote clusters.

Modifications
* Add `tlsHostnameVerificationEnabled` to the `broker.conf` and the `proxy.conf`
* Update all of the relevant locations that were previously only relying on `brokerClient_tlsHostnameVerificationEnable`

Verifying this change
I added a single test to ensure that the `WebSocketProxyConfiguration` properly converts to the `ServiceConfiguration` object.

Otherwise, I verified that anywhere we are using `"brokerClient_"`, this PR also adds the right configuration.

Does this pull request potentially affect one of the following parts:
This PR introduces a "new" configuration key, but not a new concept. All underlying behaviors are unchanged.

Documentation
- [x] `doc-not-needed` Docs are automatically updated by these changes.
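
A configuration check for the two key names discussed in this PR, as an added example that is not part of the pull request or of Pulsar: it reports whether hostname verification is switched on in a broker or WS proxy config and flags near-miss spellings. The `audit` helper, the near-miss list and the sample config are assumptions made for illustration, as is treating a disagreement between the two keys as not enabled.

```python
# Added example, not Pulsar code. Key names are the ones quoted in the PR text.
NEW_KEY = "tlsHostnameVerificationEnabled"
LEGACY_KEY = "brokerClient_tlsHostnameVerificationEnable"
# Spellings that are easy to confuse with the two above. Assumption: in a
# broker or WS proxy config these deserve a manual look, not silent trust.
NEAR_MISSES = {
    "brokerClient_tlsHostnameVerificationEnabled",  # trailing "d" added
    "tlsHostnameVerificationEnable",                # trailing "d" dropped
    "tlsEnableHostnameVerification",                # function worker's name
}

def parse_properties(text):
    """Parse key=value lines; blank lines and # comments are skipped."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def audit(text):
    """Return (enabled, findings) for one broker.conf-style config text."""
    props = parse_properties(text)
    findings = [f"suspect key '{k}': compare with {NEW_KEY} / {LEGACY_KEY}"
                for k in sorted(NEAR_MISSES & props.keys())]
    seen = {k: props[k].lower() == "true"
            for k in (NEW_KEY, LEGACY_KEY) if k in props}
    if len(set(seen.values())) > 1:
        # Precedence between the two keys is not stated on the page, so a
        # disagreement is reported and treated as "not enabled".
        findings.append("new and legacy keys disagree")
    enabled = bool(seen) and all(seen.values())
    if not enabled:
        findings.append("hostname verification is not enabled")
    return enabled, findings

# Constructed sample: the legacy key misspelled with a trailing "d".
SAMPLE = """\
# tlsHostnameVerificationEnabled=true
brokerClient_tlsHostnameVerificationEnabled=true
"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```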