apache / pulsar-helm-chart

Official Apache Pulsar Helm Chart
https://pulsar.apache.org/
Apache License 2.0

OpenID: introducing support for OpenID configuration #509

Open brunodomenici opened 5 months ago

brunodomenici commented 5 months ago

BREAKING CHANGE: provider configuration changed from auth.authentication.provider to auth.authentication.jwt.enabled

Motivation

Allow the configuration of the OpenID authentication provider alongside JWT.

Modifications

Provider configuration auth.authentication.provider (only the 'jwt' value was accepted) was decommissioned in favor of auth.authentication.jwt.enabled:

From:

auth:
  authentication:
    enabled: false
    provider: "jwt"

To:

# Enable or disable broker authentication and authorization.
auth:
  authentication:
    enabled: false
    jwt:
      enabled: false
      # Enable JWT authentication
      # If the token is generated by a secret key, set the usingSecretKey as true.
      # If the token is generated by a private key, set the usingSecretKey as false.
      usingSecretKey: false
    openid:
      enabled: false
      # https://pulsar.apache.org/docs/next/security-openid-connect/#enable-openid-connect-authentication-in-the-broker-and-proxy
      openIDAllowedTokenIssuers: []
      openIDAllowedAudiences: []
      openIDTokenIssuerTrustCertsFilePath:
      openIDRoleClaim:
      openIDAcceptedTimeLeewaySeconds: "0"
      openIDCacheSize: "5"
      openIDCacheRefreshAfterWriteSeconds: "64800"
      openIDCacheExpirationSeconds: "86400"
      openIDHttpConnectionTimeoutMillis: "10000"
      openIDHttpReadTimeoutMillis: "10000"
      openIDKeyIdCacheMissRefreshSeconds: "300"
      openIDRequireIssuersUseHttps: "true"
      openIDFallbackDiscoveryMode: "DISABLED"

Verifying this change
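An added example, not code from the PR or the chart: a small pre-upgrade lint over the parsed values that catches the breaking change described above (the removed auth.authentication.provider key) and a few OpenID settings that are easy to misconfigure. The checks, the sample values dicts and the issuer URL are assumptions of this example, not rules the chart enforces.

```python
"""Lint the auth section of pulsar-helm-chart values before upgrading.

Added example, not chart code. The dicts below mimic what yaml.safe_load()
would return for a values.yaml (constructed sample data, not from the PR).
"""

# Constructed: pre-PR layout that still uses the removed 'provider' key.
OLD_VALUES = {"auth": {"authentication": {"enabled": False, "provider": "jwt"}}}

# Constructed: post-PR layout with OpenID enabled and JWT disabled.
NEW_VALUES = {"auth": {"authentication": {
    "enabled": True,
    "jwt": {"enabled": False, "usingSecretKey": False},
    "openid": {
        "enabled": True,
        "openIDAllowedTokenIssuers": ["https://issuer.example.com/"],  # placeholder
        "openIDAllowedAudiences": ["pulsar"],
        "openIDRequireIssuersUseHttps": "true",
        "openIDFallbackDiscoveryMode": "DISABLED",
    },
}}}


def lint_auth(values):
    """Return a list of findings (empty list means nothing to fix)."""
    findings = []
    auth = values.get("auth", {}).get("authentication", {})
    # Breaking change from the PR: 'provider' no longer selects JWT.
    if "provider" in auth:
        findings.append("auth.authentication.provider was removed; "
                        "use auth.authentication.jwt.enabled instead")
    if not auth.get("enabled"):
        return findings  # nothing else matters while auth is off
    jwt, openid = auth.get("jwt", {}), auth.get("openid", {})
    if not (jwt.get("enabled") or openid.get("enabled")):
        findings.append("authentication enabled but neither jwt nor openid is")
    if openid.get("enabled"):
        issuers = openid.get("openIDAllowedTokenIssuers") or []
        if not issuers:
            findings.append("openid enabled with empty openIDAllowedTokenIssuers")
        if not openid.get("openIDAllowedAudiences"):
            findings.append("openid enabled with empty openIDAllowedAudiences")
        # Values are quoted strings in the chart, so compare case-insensitively.
        https_only = str(openid.get("openIDRequireIssuersUseHttps", "true")).lower() == "true"
        for issuer in issuers:
            if https_only and not issuer.startswith("https://"):
                findings.append(f"issuer {issuer} is not https but "
                                "openIDRequireIssuersUseHttps is true")
        if str(openid.get("openIDFallbackDiscoveryMode", "DISABLED")).upper() != "DISABLED":
            findings.append("openIDFallbackDiscoveryMode is not DISABLED; confirm this is intended")
    return findings
```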

frankjkelly commented 5 months ago

Very cool - is there any presumption of what happens when the JWT token expires? Or if the client id / secret are rotated?

brunodomenici commented 5 months ago

Very cool - is there any presumption of what happens when the JWT token expires? Or if the client id / secret are rotated?

According to the doc, the client will handle the refresh:

  1. When the token expires, the Pulsar Server challenges the client to re-authenticate with the Identity Provider and provide a new access token. If the client fails to re-authenticate, the Pulsar Server closes the connection.

I'm performing some tests. I'll let you know ;)