Open damienburke opened 6 months ago
I was surprised to learn that the Pulsar broker does not support authenticationRefreshCheckSeconds for mTLS.
mTLS is different from other auth, and when used, your network is protected.
Once your certificate expires, the connection will be disconnected, and then the client will reconnect to the broker.
Please make sure your certificate is fine on the client and broker sides.
Perhaps provide a table listing all the auth plugins and their support for authenticationRefreshCheckSeconds. This can be Yes, No or N/A.
Good idea! We can improve here.
Once your certificate expires, the connection will be disconnected, and then the client will reconnect to the broker.
That sounds ideal, but based on my testing this is not the case. Would you have any more details on how the disconnection occurs? I have not seen any Pulsar code that would do this.
I remember that the connection will be disconnected. Would you happen to have any logs? I can test this case tomorrow.
expired_mtls_certs.log @nodece - my test case is:
The logs seem uneventful enough. I have DEBUG switched on for both the Pulsar client and the broker, and have attached a snippet. This shows all the logging that occurs when publishing a message.
FYI @nodece, I had also opened this ticket to refresh the TLS client certs. The PR is a work in progress, but you can see my changes here.
Obviously this may now be moot if you are right and TLS cert refreshing is supported... Thanks.
Thank you for sharing. You are right, the Pulsar client stays connected, and I think this is a bug.
Going to #22125.
Search before asking
What issue do you find in Pulsar docs?
In the blurb at https://pulsar.apache.org/docs/next/security-overview/#how-authentication-works-in-pulsar, it only talks about the need for clients to implement a refresh. I was surprised to learn that the Pulsar broker does not support authenticationRefreshCheckSeconds for mTLS, and I feel that auth mechanisms that actually support this server (and client) side should be explicitly called out. At the same time, I will create tickets to track mTLS support for authenticationRefreshCheckSeconds.
What is your suggestion?
Perhaps provide a table listing all the auth plugins and their support for authenticationRefreshCheckSeconds. This can be Yes, No or N/A.
Or provide some info on how a dev can figure this out. For me, I looked at the broker code and saw that the AuthenticationProviderTls class did not define / create an AuthenticationState instance (as compared to the token provider).
Any reference?
No response
Are you willing to submit a PR?
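The thread concludes that an expired client certificate does not cause the broker to drop an mTLS connection, so the advice in the replies (make sure the certificate is fine on both the client and broker sides) falls to the operator. The following POSIX shell script is an added example, not part of this issue, the linked PR, or Pulsar's own code: it checks a PEM certificate's remaining validity with `openssl x509 -checkend` so that a cron job or pre-flight check can flag client and broker certificates for rotation before they expire. The file names, the one-day validity of the constructed self-signed demo certificate, and the two check windows are assumptions for the demo.

```shell
#!/bin/sh
# Added example (not from the issue or from Pulsar): report mTLS certificate
# expiry with openssl. Point it at the client and broker certificate files.

# cert_expires_within CERT_PEM SECONDS
# Returns 0 (true) if the certificate is already expired or will expire within
# SECONDS, 1 (false) if it stays valid beyond that window.
cert_expires_within() {
  cert_file="$1"
  window="$2"
  # openssl exits 0 when the cert is still valid at now+window, 1 otherwise
  if openssl x509 -in "$cert_file" -noout -checkend "$window" >/dev/null 2>&1; then
    return 1
  fi
  return 0
}

# cert_not_after CERT_PEM
# Prints the certificate's notAfter date for human-readable reports.
cert_not_after() {
  openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# make_demo_cert DIR
# Constructed demo input: a self-signed client certificate valid for one day
# (assumed names; a real deployment would use its CA-issued certs instead).
make_demo_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=demo-pulsar-client" \
    -keyout "$1/client-key.pem" -out "$1/client-cert.pem" >/dev/null 2>&1
}

# check_and_report CERT_PEM SECONDS
# Prints one status line; returns 0 if the cert needs rotation within the window.
check_and_report() {
  if cert_expires_within "$1" "$2"; then
    echo "ROTATE: $1 expires within $2 seconds (notAfter: $(cert_not_after "$1"))"
    return 0
  fi
  echo "OK: $1 valid beyond $2 seconds (notAfter: $(cert_not_after "$1"))"
  return 1
}

# Stand-alone run: build the demo cert and check it against two windows.
demo_dir=$(mktemp -d)
make_demo_cert "$demo_dir"
check_and_report "$demo_dir/client-cert.pem" 3600 || true    # one hour: OK
check_and_report "$demo_dir/client-cert.pem" 172800 || true  # two days: ROTATE
rm -rf "$demo_dir"
```

Run the check on a schedule against both the client keystore material and the broker's `tlsCertificateFilePath`, with a window at least as long as your rotation lead time; the broker will not report an expired peer certificate on an already-established connection on its own.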