[cleanup][doc] Merge the broker and proxy authentication configuration #18343
RobertIndie merged 3 commits into apache:master from
Signed-off-by: Zixuan Liu <nodeces@gmail.com>
site2/docs/security-athenz.md
| ::: | ||
|
|
||
| In the `conf/broker.conf` configuration file in your Pulsar installation, you need to provide the class name of the Athenz authentication provider as well as a comma-separated list of provider domain names. | ||
| To configure brokers/proxies to authenticate clients using Authenz, add the following parameters to the `conf/broker.conf` and the `conf/proxy.conf` file. If you use a standalone Pulsar, you need to add these parameters to the `conf/standalone.conf` file, you need to provide the class name of the Athenz authentication provider as well as a comma-separated list of provider domain names. |
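Review bot: "Authenz" in the "To configure brokers/proxies to authenticate clients using Authenz" line is a misspelling of Athenz, the spelling used in the line above it and in the file name. The same line joins two sentences with a comma at "`conf/standalone.conf` file, you need to provide", so the class-name and domain-list requirement reads as if it belonged to the standalone case only; start a new sentence there or state the requirement before listing the files.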
Does "provide the class name of the Athenz authentication provider as well as a comma-separated list of provider domain names" also apply to broker.conf and proxy.conf? The proposed description seems to apply only to standalone.conf.
This can apply to broker/proxy/standalone.
site2/docs/security-overview.md
| :::note | ||
|
|
||
| Starting from 2.11.0, [TLS authentication](security-tls-authentication.md) includes [TLS encryption](security-tls-transport.md) by default. If you configure TLS authentication first, then TLS encryption automatically applies; if you configure TLS encryption first, you can select any one of the above authentication providers. | ||
| Starting from 2.11.0, if you can configure [Mutual TLS](security-tls-transport.md) with any one of the above authentication providers. |
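Review bot: in the last line the link text "Mutual TLS" points at `security-tls-transport.md`, which the line above it uses for TLS encryption, while TLS authentication is linked to `security-tls-authentication.md`; check that the target matches the feature being named. The rewrite also drops the statement that TLS authentication includes TLS encryption by default, so the note should say whether that still holds from 2.11.0.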
| Starting from 2.11.0, if you can configure [Mutual TLS](security-tls-transport.md) with any one of the above authentication providers. | |
| Starting from 2.11.0, you can configure [Mutual TLS](security-tls-transport.md) with any one of the above authentication providers. |
Is this what you mean?
site2/docs/security-overview.md
| ::: | ||
| **Important:** If your authentication data contains an expiration time, or your authorization provider depends on the authentication data, you must to: | ||
|
|
||
| 1. Ensure your authentication data of proxies no expiration time, brokers don't support refreshing this authentication data. |
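Review bot: the condition on the **Important:** line says "your authentication data" without saying whether that is the client's or the proxy's, while item 1 is about "authentication data of proxies"; name the party in both places so readers know which credential the rule covers. Item 1 also asks for proxy authentication data with no expiration time, so it would help to say what operators should do when the provider they use only issues expiring data.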
| 1. Ensure your authentication data of proxies no expiration time, brokers don't support refreshing this authentication data. | |
| 1. Ensure your authentication data of proxies has no expiration time since brokers don't support refreshing this authentication data. |
Is "brokers don't support refreshing this authentication data" the reason or something users need to ensure?
site2/docs/security-overview.md
| When you use proxies between clients and brokers, there are two authentication data, one from proxies, one from clients, brokers only authenticate proxies (known as **self-authentication**) by default. To forward the authentication data from clients to brokers for client authentication (known as **original authentication**). | ||
|
|
||
| ::: | ||
| **Important:** If your authentication data contains an expiration time, or your authorization provider depends on the authentication data, you must to: |
| **Important:** If your authentication data contains an expiration time, or your authorization provider depends on the authentication data, you must to: | |
| **Important:** If your authentication data contains an expiration time, or your authorization provider depends on the authentication data, you must: |
site2/docs/security-overview.md
| When you use proxies between clients and brokers, brokers only authenticate proxies (known as **self-authentication**) by default. To forward the authentication data from clients to brokers for client authentication (known as **original authentication**), you need to: | ||
| 1. Set `forwardAuthorizationCredentials` to `true` in the `conf/proxy.conf` file. | ||
| 2. Set `authenticateOriginalAuthData` to `true` in the `conf/broker.conf` file, which ensures that brokers recheck the client authentication. | ||
| When you use proxies between clients and brokers, there are two authentication data, one from proxies, one from clients, brokers only authenticate proxies (known as **self-authentication**) by default. To forward the authentication data from clients to brokers for client authentication (known as **original authentication**). |
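Review bot: the last line ends with "To forward the authentication data from clients to brokers for client authentication (known as **original authentication**).", which has no main clause and no longer leads into the two steps shown above it. Keep the "you need to:" lead-in and place the `forwardAuthorizationCredentials` and `authenticateOriginalAuthData` steps directly after it, since the second step is the one that makes brokers recheck the client authentication.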
| When you use proxies between clients and brokers, there are two authentication data, one from proxies, one from clients, brokers only authenticate proxies (known as **self-authentication**) by default. To forward the authentication data from clients to brokers for client authentication (known as **original authentication**). | |
| When you use proxies between clients and brokers, there are two authentication data: | |
| * authentication data from proxies that brokers default to authenticate - known as **self-authentication**. | |
| * authentication data from clients that proxies forward to brokers for authenticating - known as **original authentication**. |
Is this what you mean?
- authentication data from clients - known as original authentication.
To forward the authentication data from clients to brokers by the proxies (known as original authentication).
Signed-off-by: Zixuan Liu <nodeces@gmail.com>
Co-authored-by: momo-jun <60642177+momo-jun@users.noreply.github.com>
This commit sets the locale to en-US in order to avoid ambiguous decimal formattings that can cause the CPUResourceTest to fail. This closes apache#18343.
Motivation
Authentication documentation has too many duplicate configurations and some unnecessary configurations.
Documentation
doc, doc-required, doc-not-needed, doc-complete
Matching PR in forked repository
PR in forked repository: