Separating configuration for client and server trust store #1246

Merged
merged 3 commits into from Feb 23, 2018

Conversation

jai1
Contributor

@jai1 jai1 commented Feb 18, 2018

This PR separates the trust store used for incoming connections (Client Side) from the Outgoing (Broker Side).

We have a use case where we want to trust only a specific trust store for Client Authentication (e.g. athens) but our broker certs could be signed by any other CA.

Also created new certs with 10-year expiry.

@jai1 jai1 self-assigned this Feb 18, 2018
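The split the PR describes, as an added example that is not Pulsar's code: two independent trust pools, one that may only authenticate incoming clients and one the broker uses when it connects out as a TLS client, modelled in Go with certificates constructed in memory. Function names and certificate names are assumptions for illustration; the outgoing pool corresponds to the setting behind the new `getBrokerClientTrustCertsFilePath()` getter, the incoming pool to the existing server-side trust store.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Issue builds an in-memory certificate for cn: a self-signed CA when parent is nil,
// otherwise a leaf signed by parent. Constructed test material, not a real PKI.
func Issue(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
	}
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// BrokerTLS models the split from the PR: the incoming config trusts only clientAuthCA
// for client certificates, the outgoing config trusts only brokerCA for server certificates.
func BrokerTLS(clientAuthCA, brokerCA *x509.Certificate) (incoming, outgoing *tls.Config) {
	inPool, outPool := x509.NewCertPool(), x509.NewCertPool()
	inPool.AddCert(clientAuthCA)
	outPool.AddCert(brokerCA)
	incoming = &tls.Config{MinVersion: tls.VersionTLS12, ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: inPool}
	outgoing = &tls.Config{MinVersion: tls.VersionTLS12, RootCAs: outPool}
	return incoming, outgoing
}

// ChainsTo runs the path validation a TLS handshake would perform against the given pool.
func ChainsTo(leaf *x509.Certificate, pool *x509.CertPool, usage x509.ExtKeyUsage) bool {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{usage}})
	return err == nil
}
```

A certificate from the broker CA is rejected on the incoming side and a client-auth certificate is rejected on the outgoing side, which is exactly the isolation the separate settings buy.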
Member

@maskit maskit left a comment


Sounds reasonable to me. 👍

Contributor

@merlimat merlimat left a comment


We need to add the settings in broker.conf and standalone.conf

@@ -894,6 +896,14 @@ public void setBrokerClientAuthenticationParameters(String brokerClientAuthentic
this.brokerClientAuthenticationParameters = brokerClientAuthenticationParameters;
}

public String getBrokerClientTrustCertsFilePath() {
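Review bot: the new getter getBrokerClientTrustCertsFilePath() at the end of this hunk has no Javadoc saying which direction it governs, and now that the class carries two trust-store paths that is easy to confuse; a one-line comment such as `/** Trust store for the broker's own outgoing TLS connections; independent of the server-side trust store used to authenticate clients. */` would make the split explicit, and the matching key should be documented alongside it in broker.conf and standalone.conf as requested in the review.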
Contributor


Should this default to the server trust store if empty?

Contributor Author


I feel it will make setting the trust store a bit complicated. Right now it is simple to set one trust store for the client side and one for the server.
But if you feel strongly about it, let me know and I will set the default to the server trust store.

Contributor Author


@merlimat - waiting for your reply before merging

Contributor


Sure, sounds good. We can revisit later if needed.

@merlimat merlimat added this to the 2.0.0-incubating milestone Feb 18, 2018
@merlimat merlimat added the type/enhancement The enhancements for the existing features or docs. e.g. reduce memory usage of the delayed messages label Feb 18, 2018
@jai1
Contributor Author

jai1 commented Feb 19, 2018

retest this please

@merlimat merlimat merged commit c351026 into apache:master Feb 23, 2018
@jai1 jai1 deleted the twoDifferentTrustStores branch February 27, 2018 07:50