apache / pulsar

Apache Pulsar - distributed pub-sub messaging system
https://pulsar.apache.org/
Apache License 2.0

[Doc] Incomplete info re authenticationRefreshCheckSeconds #22124

Open damienburke opened 6 months ago

damienburke commented 6 months ago


What issue do you find in Pulsar docs?

In the blurb at https://pulsar.apache.org/docs/next/security-overview/#how-authentication-works-in-pulsar, it only talks about the need for clients to implement a refresh. I was surprised to learn that the Pulsar broker does not support authenticationRefreshCheckSeconds for mTLS, and I feel that auth mechanisms that actually support this server (and client) side should be explicitly called out.

At the same time, I will create tickets to track mTLS support for authenticationRefreshCheckSeconds.

What is your suggestion?

Perhaps provide a table listing all the auth plugins and their support for authenticationRefreshCheckSeconds. This can be yes, no, or n/a.

Or provide some info on how a dev can figure this out. For me, I looked at the broker code and saw that the AuthenticationProviderTls class did not define / create an AuthenticationState instance (as compared to the token provider).

Any reference?

No response

Are you willing to submit a PR?

nodece commented 6 months ago

I was surprised to learn that the pulsar broker does not support authenticationRefreshCheckSeconds for mTLS

mTLS is different from other auth, and when used, your network is protected.

Once your certificate expires, the connection will be disconnected, and then the client will reconnect to the broker.

Please make sure your certificate is fine on the client and broker sides.

Perhaps provide a table, listing all the auth plugins, and their support for authenticationRefreshCheckSeconds. This can be Yes, no or n/a

Good idea! We can improve here.

damienburke commented 6 months ago

Once your certificate expires, the connection will be disconnected, and then the client will reconnect to the broker.

That sounds ideal, but based on my testing this is not the case. Would you have any more details around how the disconnection occurs? I have not seen any Pulsar code that would do this.

nodece commented 6 months ago

I remember the connection will be disconnected, would you happen to have any logs? I can test this case tomorrow.

damienburke commented 6 months ago

expired_mtls_certs.log @nodece - my test case is:

  1. Use TLS auth to connect a Pulsar client to the broker. The TLS cert has a TTL of ~1 minute.
  2. The Pulsar client stays connected and continuously, successfully publishes messages (and this ran fine for a number of hours, with no disconnection, etc.).

The logs seem uneventful enough. I have DEBUG switched on for both the Pulsar client and broker, and have attached a snippet. This shows all the logging that occurs when publishing a message.
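The test case above shows a connection surviving well past certificate expiry, because TLS checks notBefore/notAfter only during the handshake. The following is an added example, not Pulsar's code or the commenter's: a stdlib-only Python check of the kind a periodic broker-side re-authentication loop (the role authenticationRefreshCheckSeconds plays for token auth) would run against an mTLS peer certificate. The peer-certificate dict and its dates are constructed; the ~1 minute TTL mirrors the test case.

```python
import ssl
import time

# Constructed peer-certificate dict in the shape ssl.SSLSocket.getpeercert()
# returns, reduced to the fields this check needs. Dates are invented for the
# example; the ~1 minute TTL mirrors the test case in the issue.
SAMPLE_PEER_CERT = {
    "subject": ((("commonName", "pulsar-client"),),),
    "notBefore": "Feb 27 10:00:00 2024 GMT",
    "notAfter": "Feb 27 10:01:00 2024 GMT",
}
# Epoch second at which the sample certificate becomes valid (used as a clock origin).
CERT_NOT_BEFORE = ssl.cert_time_to_seconds(SAMPLE_PEER_CERT["notBefore"])


def refresh_check(peer_cert, now=None, grace_seconds=0):
    """One iteration of a periodic re-authentication check for an mTLS peer.

    TLS validates notBefore/notAfter only during the handshake, so an
    established connection keeps working after the certificate expires
    unless the application re-checks. Returns ("ok", seconds_remaining)
    while the certificate is still accepted, otherwise ("disconnect", reason).
    """
    now = time.time() if now is None else now
    if not peer_cert or "notAfter" not in peer_cert:
        # Anonymous peer or a cert we cannot inspect: never treat as valid.
        return ("disconnect", "no peer certificate to re-validate")
    not_after = ssl.cert_time_to_seconds(peer_cert["notAfter"])
    remaining = not_after - now
    if remaining + grace_seconds < 0:
        return ("disconnect", "peer certificate expired %.0fs ago" % -remaining)
    return ("ok", remaining)


def run_refresh_loop(peer_cert, interval_seconds, ticks, start):
    """Simulate a refresh loop that runs every interval_seconds and report
    the tick at which the connection would be closed, or None if it survives
    all ticks (which is what the issue observed for mTLS)."""
    for tick in range(ticks):
        status, _ = refresh_check(peer_cert, now=start + tick * interval_seconds)
        if status == "disconnect":
            return tick
    return None
```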

damienburke commented 6 months ago

FYI @nodece - I had also opened this ticket to refresh the TLS client certs. PR is work in progress, but you can see my changes here.

Obviously this may now be moot if you are right, and TLS cert refreshing is supported... Thanks

nodece commented 6 months ago

Thank you for sharing, you are right, the Pulsar client stays connected, and I think this is a bug.

Going to #22125.