@nlu90 nlu90 commented Nov 2, 2020

(If this PR fixes a github issue, please add Fixes #<xyz>.)

Fixes #8382

Motivation

Add the e2e encryption support for Pulsar Functions

Modifications

  • Add CryptoConfig to encapsulate all the crypto-related configs set by the user
  • Add CryptoSpec to Function protobuf to contain crypto information internally
  • Add CryptoUtils to help create instances and convert between CryptoConfig and CryptoSpec
  • Add crypto validation method in ValidatorUtils to ensure the provided CryptoKeyReader Class has a ctor with Map arg
  • Updated the cli to allow users to set crypto for consumer/producer when submitting the function
  • Update PulsarSource, PulsarSink to use the crypto config if provided

Verifying this change

  • Make sure that the change passes the CI checks.

This change added tests and can be verified as follows:

(example:)

  • Added integration tests for end-to-end deployment with large payloads (10MB)
  • Extended integration test for recovery after broker failure

Does this pull request potentially affect one of the following parts:

If yes was chosen, please highlight the changes

  • Dependencies (does it add or upgrade a dependency): Added pulsar-client-messagecrypto-bc into pulsar-function instance
  • The admin cli options: Added --producer-config to allow setting crypto related configs.

Documentation

  • Does this pull request introduce a new feature? Yes
  • If yes, how is the feature documented? not documented
  • If a feature is not documented yet in this PR, please create a followup issue for adding the documentation: #8431

Now users can enable e2e encryption as follows:

./bin/pulsar-admin functions create --jar pulsar-functions/java-examples/target/pulsar-functions-api-examples.jar \
--classname org.apache.pulsar.functions.api.examples.ExclamationFunction  \
--inputs "persistent://public/default/input" --output persistent://public/default/output --producer-config '{"cryptoConfig": {"cryptoKeyReaderClassName": "org.apache.pulsar.functions.api.examples.RawFileKeyReader", "cryptoKeyReaderConfig": {"PUBLIC": "/Users/nlu/workspace/stream-native/pulsar/keys/test_ecdsa_pubkey.pem", "PRIVATE":"/Users/nlu/workspace/stream-native/pulsar/keys/test_ecdsa_privkey.pem"}, "producerCryptoFailureAction": "FAIL", "encryptionKeys":["myapp1"]}}'
./bin/pulsar-admin functions create --jar pulsar-functions/java-examples/target/pulsar-functions-api-examples.jar \
--classname org.apache.pulsar.functions.api.examples.ExclamationFunction  \
--input-specs '{"persistent://public/default/output": {"cryptoConfig": {"cryptoKeyReaderClassName": "org.apache.pulsar.functions.api.examples.RawFileKeyReader", "cryptoKeyReaderConfig": {"PUBLIC": "/Users/nlu/workspace/stream-native/pulsar/keys/test_ecdsa_pubkey.pem", "PRIVATE":"/Users/nlu/workspace/stream-native/pulsar/keys/test_ecdsa_privkey_2.pem"}, "consumerCryptoFailureAction": "FAIL"}}}' \
--output persistent://public/default/output-2 

One requirement is that the provided cryptoKeyReaderClass must have a constructor with a Map<String, Object> parameter for initialization. The argument is provided via cryptoKeyReaderConfig in the cli.
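
A key reader shaped to meet the constructor requirement described above, as an added example that is not code from this PR. `ConfigMapKeyReader` is a hypothetical name, and the example assumes the `CryptoKeyReader` and `EncryptionKeyInfo` types from `org.apache.pulsar.client.api` are on the classpath. It accepts either key path on its own, so a producing function can be given only the public key and a consuming function only the private key.

```java
import java.io.IOException;
import java.io.UncheckedIOException;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.Map;
import org.apache.pulsar.client.api.CryptoKeyReader;
import org.apache.pulsar.client.api.EncryptionKeyInfo;

// Hypothetical reader (not from the PR), built from the cryptoKeyReaderConfig map.
public class ConfigMapKeyReader implements CryptoKeyReader {
    private final String publicKeyPath;   // used when producing (encrypt)
    private final String privateKeyPath;  // used when consuming (decrypt)

    // The Map<String, Object> constructor that the key reader class must expose.
    public ConfigMapKeyReader(Map<String, Object> config) {
        this.publicKeyPath = asPath(config.get("PUBLIC"));
        this.privateKeyPath = asPath(config.get("PRIVATE"));
        if (publicKeyPath == null && privateKeyPath == null) {
            throw new IllegalArgumentException("cryptoKeyReaderConfig needs PUBLIC or PRIVATE");
        }
    }

    // Treat anything other than a non-empty string as "not configured".
    private static String asPath(Object v) {
        return (v instanceof String && !((String) v).isEmpty()) ? (String) v : null;
    }

    @Override
    public EncryptionKeyInfo getPublicKey(String keyName, Map<String, String> metadata) {
        return load(publicKeyPath, "PUBLIC", metadata);
    }

    @Override
    public EncryptionKeyInfo getPrivateKey(String keyName, Map<String, String> metadata) {
        return load(privateKeyPath, "PRIVATE", metadata);
    }

    // Fail closed: a missing or unreadable key file raises instead of returning an empty key.
    private static EncryptionKeyInfo load(String path, String which, Map<String, String> metadata) {
        if (path == null) {
            throw new IllegalStateException(which + " key path was not configured");
        }
        try {
            return new EncryptionKeyInfo(Files.readAllBytes(Paths.get(path)), metadata);
        } catch (IOException e) {
            throw new UncheckedIOException("cannot read " + which + " key file", e);
        }
    }
}
```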

@wolfstudy wolfstudy added area/function doc-required Your PR changes impact docs and you will update later. labels Nov 3, 2020
@wolfstudy wolfstudy added this to the 2.7.0 milestone Nov 3, 2020
DISCARD = 1;
CONSUME = 2;

SEND = 10;
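
Review bot: The jump from CONSUME = 2 to SEND = 10 has no comment explaining the gap. A short comment next to these values stating which range is reserved for consumer actions and which for producer actions would keep later additions from landing in the wrong range.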
Member

Why is the SEND command value 10? Is there any special meaning here? We still reserve the middle value?

Member Author

Reserve some single digit values just in case there're new actions added for the consumer failure.

Logically it's more clear. FAIL or 0 is the default behavior; 1~9 is for consumer; 10 and above is for producer.

@codelipenghui
Contributor

ping @sijie @srkukarni Could you please help review this PR?

@sijie
Member

sijie commented Nov 6, 2020

@nlu90 great contribution!

@sijie sijie merged commit 2c9fe27 into apache:master Nov 8, 2020
@sijie sijie deleted the neng/e2e-encryption-function branch November 8, 2020 08:45
flowchartsman pushed a commit to flowchartsman/pulsar that referenced this pull request Nov 17, 2020
…on (apache#8432)

Fixes apache#8382 


### Motivation

Add the e2e encryption support for Pulsar Functions

### Modifications

- Add `CryptoConfig` to encapsulate all the crypto-related configs set by the user
- Add `CryptoSpec` to `Function` protobuf to contain crypto information internally
- Add `CryptoUtils` to help create instances and convert between `CryptoConfig` and `CryptoSpec`
- Add crypto validation method in `ValidatorUtils` to ensure the provided `CryptoKeyReader` Class has a ctor with `Map` arg
- Updated the cli to allow users to set crypto for consumer/producer when submitting the function
- Update `PulsarSource`, `PulsarSink` to use the crypto config if provided

### Verifying this change

- [x] Make sure that the change passes the CI checks.
@Anonymitaet Anonymitaet added doc-complete Your PR changes impact docs and the related docs have been already added. and removed doc-required Your PR changes impact docs and you will update later. labels Mar 29, 2022
@Anonymitaet
Member

Doc has been added in https://github.com/apache/pulsar/pull/8648/files
