
Support for TLS Authentication & Authorization

Open jaschnell opened this issue 5 years ago • 10 comments

Need to enable support for TLS authentication & authorization. Also update the docs to explicitly call out that TLS authentication + authorization is not supported until it actually is.

jaschnell avatar Jun 26 '20 01:06 jaschnell

I have the same problem.

tabalt avatar Jun 27 '20 04:06 tabalt

This feature has been supported here https://github.com/apache/pulsar-manager/pull/286, and I will release a new version soon. At present, you can add the following configuration to enable this feature based on the latest code:

backend.broker.pulsarAdmin.authPlugin=
backend.broker.pulsarAdmin.authParams=
backend.broker.pulsarAdmin.tlsAllowInsecureConnection=false
backend.broker.pulsarAdmin.tlsTrustCertsFilePath=
backend.broker.pulsarAdmin.tlsEnableHostnameVerification=false

@jaschnell @tabalt

tuteng avatar Jun 29 '20 01:06 tuteng

What are the possible values for the 1st two parameters?

Is the tlsTrustCertsFilePath the path to the CA cert or the cert for the role with admin privs?

What about all the references to the keystore in the application.properties file? Are they still needed?

Do you have a full application.properties that supports tls certs?


jaschnell avatar Jun 29 '20 01:06 jaschnell

What are the possible values for the 1st two parameters?

@jaschnell the first two values will be the same values you used for configuring a normal Pulsar client.

sijie avatar Jun 29 '20 01:06 sijie
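Added example (not pulsar-manager code) that lints the five backend.broker.pulsarAdmin.* keys posted above, treating the first two as the normal Pulsar TLS client values (AuthenticationTls plugin, "key:value,key:value" authParams) and tlsTrustCertsFilePath as the CA certificate; the file paths in the filled-in sample are constructed.

```python
# Lint pulsar-manager's broker TLS client settings. Added example, not
# project code; assumes the AuthenticationTls "k:v,k:v" authParams form.
PREFIX = "backend.broker.pulsarAdmin."
TLS_PLUGIN = "org.apache.pulsar.client.impl.auth.AuthenticationTls"

# The template as posted in this thread, values left empty.
TEMPLATE = """backend.broker.pulsarAdmin.authPlugin=
backend.broker.pulsarAdmin.authParams=
backend.broker.pulsarAdmin.tlsAllowInsecureConnection=false
backend.broker.pulsarAdmin.tlsTrustCertsFilePath=
backend.broker.pulsarAdmin.tlsEnableHostnameVerification=false"""

# Same keys filled in like a normal Pulsar TLS client (constructed paths).
FILLED_IN = """backend.broker.pulsarAdmin.authPlugin=org.apache.pulsar.client.impl.auth.AuthenticationTls
backend.broker.pulsarAdmin.authParams=tlsCertFile:/etc/pulsar/admin.cert.pem,tlsKeyFile:/etc/pulsar/admin.key-pk8.pem
backend.broker.pulsarAdmin.tlsAllowInsecureConnection=false
backend.broker.pulsarAdmin.tlsTrustCertsFilePath=/etc/pulsar/ca.cert.pem
backend.broker.pulsarAdmin.tlsEnableHostnameVerification=true"""

def parse_properties(text):
    # Minimal Java .properties reader: key=value, '#'/'!' comment lines skipped.
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#!":
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def parse_auth_params(params):
    # AuthenticationTls authParams: 'tlsCertFile:/path,tlsKeyFile:/path'.
    pairs = (item.partition(":") for item in params.split(",") if item)
    return {k.strip(): v.strip() for k, sep, v in pairs if sep}

def check_tls_config(text):
    # Return findings for the manager's TLS client settings; [] means sound.
    props = parse_properties(text)
    get = lambda key: props.get(PREFIX + key, "")
    params = parse_auth_params(get("authParams"))
    checks = [
        (get("authPlugin") == TLS_PLUGIN, "authPlugin must be " + TLS_PLUGIN),
        (bool(params.get("tlsCertFile")), "authParams lacks tlsCertFile (client cert)"),
        (bool(params.get("tlsKeyFile")), "authParams lacks tlsKeyFile (client private key)"),
        (bool(get("tlsTrustCertsFilePath")), "tlsTrustCertsFilePath (CA cert, not the admin cert) is empty"),
        (get("tlsAllowInsecureConnection").lower() != "true", "tlsAllowInsecureConnection=true skips broker cert validation"),
        (get("tlsEnableHostnameVerification").lower() == "true", "tlsEnableHostnameVerification=false: broker cert not tied to its hostname"),
    ]
    return [msg for ok, msg in checks if not ok]
```

Running check_tls_config on the empty template reports five findings, including that hostname verification is off in the posted defaults; the filled-in sample reports none.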

There seems to be some problem with the support of this pull request for TLS authentication and authorization forwarding requests. I will test it.

tuteng avatar Jun 29 '20 01:06 tuteng

Any update on this? Would be great if TLS Authentication/Authorization could be used with the manager.

jeffschnellerEnvisa avatar Dec 10 '20 16:12 jeffschnellerEnvisa

Hi, just going to leave a comment here that I am experiencing a similar issue. It appears to be an issue when the internal Pulsar Client instance attempts to initiate the TLS authentication, I've placed a (truncated) stack trace of the error below.

2021-03-05 12:43:11.742  INFO 10875 --- [http-nio-127.0.0.1-7750-exec-2] o.a.p.m.s.impl.PulsarAdminServiceImpl    : Create Pulsar Admin instance. url=https://cluster-uri:8443, authPlugin=org.apache.pulsar.client.impl.auth.AuthenticationTls, authParams=tlsCertFile:/etc/ssl/certs/pulsar-admin.cert.pem,tlsKeyFile:/etc/ssl/private/pulsar-admin.key-pk8.pem, tlsAllowInsecureConnection=false, tlsTrustCertsFilePath=/etc/ssl/certs/pulsar-ca.cert.pem, tlsEnableHostnameVerification=false
2021-03-05 12:43:11.748 ERROR 10875 --- [http-nio-127.0.0.1-7750-exec-2] o.a.c.c.C.[.[.[/].[dispatcherServlet]    : Servlet.service() for servlet [dispatcherServlet] in context with path [] threw exception [Request processing failed; nested exception is java.lang.reflect.UndeclaredThrowableException] with root cause

java.lang.Exception: Not supported using BoringSSL
        at io.netty.internal.tcnative.SSLContext.setCertRequestedCallback(Native Method) ~[netty-tcnative-boringssl-static-2.0.30.Final.jar:2.0.30.Final]
        at io.netty.handler.ssl.ReferenceCountedOpenSslClientContext.newSessionContext(ReferenceCountedOpenSslClientContext.java:115) ~[netty-handler-4.1.24.Final.jar:4.1.24.Final]
        at io.netty.handler.ssl.OpenSslClientContext.<init>(OpenSslClientContext.java:192) ~[netty-handler-4.1.24.Final.jar:4.1.24.Final]
        at io.netty.handler.ssl.SslContext.newClientContextInternal(SslContext.java:775) ~[netty-handler-4.1.24.Final.jar:4.1.24.Final]
        at io.netty.handler.ssl.SslContextBuilder.build(SslContextBuilder.java:446) ~[netty-handler-4.1.24.Final.jar:4.1.24.Final]
        at org.apache.pulsar.common.util.SecurityUtility.createNettySslContextForClient(SecurityUtility.java:171) ~[pulsar-common-2.5.2.jar:2.5.2]
        at org.apache.pulsar.client.admin.internal.http.AsyncHttpConnector.<init>(AsyncHttpConnector.java:132) ~[pulsar-client-admin-original-2.5.2.jar:2.5.2]
        at org.apache.pulsar.client.admin.internal.http.AsyncHttpConnectorProvider.getConnector(AsyncHttpConnectorProvider.java:47) ~[pulsar-client-admin-original-2.5.2.jar:2.5.2]
        at org.apache.pulsar.client.admin.PulsarAdmin.<init>(PulsarAdmin.java:185) ~[pulsar-client-admin-original-2.5.2.jar:2.5.2]
        at org.apache.pulsar.client.admin.internal.PulsarAdminBuilderImpl.build(PulsarAdminBuilderImpl.java:45) ~[pulsar-client-admin-original-2.5.2.jar:2.5.2]
        at org.apache.pulsar.manager.service.impl.PulsarAdminServiceImpl.createPulsarAdmin(PulsarAdminServiceImpl.java:148) ~[pulsar-manager.jar:na]
        at org.apache.pulsar.manager.service.impl.PulsarAdminServiceImpl.getPulsarAdmin(PulsarAdminServiceImpl.java:75) ~[pulsar-manager.jar:na]
        at org.apache.pulsar.manager.service.impl.PulsarAdminServiceImpl.clusters(PulsarAdminServiceImpl.java:85) ~[pulsar-manager.jar:na]
        at org.apache.pulsar.manager.controller.EnvironmentsController.addEnvironment(EnvironmentsController.java:193) ~[pulsar-manager.jar:na]
        at org.apache.pulsar.manager.controller.EnvironmentsController$$FastClassBySpringCGLIB$$8f0ec792.invoke(<generated>) ~[pulsar-manager.jar:na]
        at org.springframework.cglib.proxy.MethodProxy.invoke(MethodProxy.java:204) ~[spring-core-5.0.6.RELEASE.jar:5.0.6.RELEASE]
        at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.invokeJoinpoint(CglibAopProxy.java:746) ~[spring-aop-5.0.6.RELEASE.jar:5.0.6.RELEASE]
        at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:163) ~[spring-aop-5.0.6.RELEASE.jar:5.0.6.RELEASE]
        at org.springframework.validation.beanvalidation.MethodValidationInterceptor.invoke(MethodValidationInterceptor.java:112) ~[spring-context-5.0.6.RELEASE.jar:5.0.6.RELEASE]
        at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:185) ~[spring-aop-5.0.6.RELEASE.jar:5.0.6.RELEASE]
        at org.springframework.aop.framework.CglibAopProxy$DynamicAdvisedInterceptor.intercept(CglibAopProxy.java:688) ~[spring-aop-5.0.6.RELEASE.jar:5.0.6.RELEASE]
        at org.apache.pulsar.manager.controller.EnvironmentsController$$EnhancerBySpringCGLIB$$2b97be10.addEnvironment(<generated>) ~[pulsar-manager.jar:na]

Brand2 avatar Mar 05 '21 01:03 Brand2

Yes, we are currently facing the same issue. Is there any workaround to skip it?

thomaeschen avatar Oct 12 '21 06:10 thomaeschen

What are the possible values for the 1st two parameters?

@jaschnell the first two values will be the same values you used for configuring a normal Pulsar client.

But the Pulsar manager will show "java.lang.Exception: Not supported using BoringSSL"

thomaeschen avatar Oct 12 '21 06:10 thomaeschen

Same issue "java.lang.Exception: Not supported using BoringSSL". Is there any workaround to skip it?

ozpervic avatar Oct 15 '21 15:10 ozpervic