
Add parameters for KeyStore TLS in Pulsar test client

Open shasank112001 opened this issue 1 year ago • 0 comments

Search before asking

  • [X] I searched in the issues and found nothing similar.

Motivation

If you want to create a TestClient which uses AuthenticationKeyStoreTls as its authPlugin, Pulsar Test Admin/Client utilized in Pulsar-perf is unable to set up a valid SSL context due to the requirement of the property "useKeyStoreTls" to be "true" for using keystores properly. Moreover, utilizing the property "useKeyStoreTls" requires the use of trust-store and not trust certificates, therefore requiring additional trustStoreType, trustStorePath and trustStorePass as parameters to be available, to utilize PulsarPerf.

The main reason to require this change is the following code in AsyncHttpConnector:

    if (conf.isUseKeyStoreTls()) {
        KeyStoreParams params = authData.hasDataForTls() ? authData.getTlsKeyStoreParams() :
                new KeyStoreParams(conf.getTlsKeyStoreType(), conf.getTlsKeyStorePath(),
                        conf.getTlsKeyStorePassword());

        final SSLContext sslCtx = KeyStoreSSLContext.createClientSslContext(
                conf.getSslProvider(),
                params.getKeyStoreType(),
                params.getKeyStorePath(),
                params.getKeyStorePassword(),
                conf.isTlsAllowInsecureConnection(),
                conf.getTlsTrustStoreType(),
                conf.getTlsTrustStorePath(),
                conf.getTlsTrustStorePassword(),
                conf.getTlsCiphers(),
                conf.getTlsProtocols());

        JsseSslEngineFactory sslEngineFactory = new JsseSslEngineFactory(sslCtx);
        confBuilder.setSslEngineFactory(sslEngineFactory);
    }

I understand that users can just use AuthenticationTls instead of AuthenticationKeyStoreTls for Performance testing as it will work with the mTLS authentication scheme, but my motivation to provide these arguments is to allow for custom authentication/authorization providers that utilize keystores and want to perform performance testing using Pulsar Perf.

Solution

Create new Arguments for the following properties, in PerformanceBaseArguments.java:

  1. useKeyStoreTls
  2. trustStoreType
  3. trustStorePath
  4. trustStorePass
  5. keyStoreType
  6. keyStorePath
  7. keyStorePass

Update the code to change between TrustCerts and TrustStore based on useKeyStoreTls.

Alternatives

An alternative solution is to update AuthenticationDataProviders that utilize keystores to override functions to provide trustStore as stream and the private key as well, not depending on the "useKeyStoreTls" property, but as we already have properties for trustStoreType, trustStorePath and trustStorePass which are only invoked when useKeyStoreTls is true, it makes more sense to expose these properties as parameters in Perf Clients.

Anything else?

No response

Are you willing to submit a PR?

  • [X] I'm willing to submit a PR!

shasank112001, May 08 '24 12:05
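An added example, not part of the original issue and not Pulsar code: a JDK-only sketch of the check the proposal implies, where keystore mode requires all six store parameters and then builds the SSL context from a key store and a trust store. The class `KeyStoreTlsArgs` and its methods are hypothetical, and the PKCS12 file and password are constructed sample input.

```java
import java.io.*;
import java.nio.file.*;
import java.security.KeyStore;
import java.util.*;
import javax.net.ssl.*;

// Hypothetical holder for the seven arguments named in the issue; not Pulsar's own class.
public class KeyStoreTlsArgs {
    boolean useKeyStoreTls;
    String trustStoreType, trustStorePath, trustStorePass;
    String keyStoreType, keyStorePath, keyStorePass;
    // In keystore mode a trust store replaces trust certificates, so every store value must be set.
    List<String> missing() {
        List<String> out = new ArrayList<>();
        if (!useKeyStoreTls) return out;
        Map<String, String> m = new LinkedHashMap<>();
        m.put("trustStoreType", trustStoreType); m.put("trustStorePath", trustStorePath);
        m.put("trustStorePass", trustStorePass); m.put("keyStoreType", keyStoreType);
        m.put("keyStorePath", keyStorePath); m.put("keyStorePass", keyStorePass);
        m.forEach((k, v) -> { if (v == null || v.isEmpty()) out.add(k); });
        return out;
    }
    static KeyStore load(String type, String path, String pass) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = Files.newInputStream(Paths.get(path))) { ks.load(in, pass.toCharArray()); }
        return ks;
    }
    // Fail before any connection attempt instead of producing a half-configured context.
    SSLContext build() throws Exception {
        if (!useKeyStoreTls) throw new IllegalStateException("keystore mode is off; trust certificates apply");
        if (!missing().isEmpty()) throw new IllegalArgumentException("missing: " + missing());
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(load(keyStoreType, keyStorePath, keyStorePass), keyStorePass.toCharArray());
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(load(trustStoreType, trustStorePath, trustStorePass));
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }
    public static void main(String[] argv) throws Exception {
        // Constructed sample input: an empty PKCS12 store in a temp file, used as both stores.
        Path p = Files.createTempFile("sample", ".p12");
        KeyStore empty = KeyStore.getInstance("PKCS12"); empty.load(null, null);
        try (OutputStream o = Files.newOutputStream(p)) { empty.store(o, "changeit".toCharArray()); }
        KeyStoreTlsArgs a = new KeyStoreTlsArgs();
        a.useKeyStoreTls = true;
        a.keyStoreType = "PKCS12"; a.keyStorePath = p.toString(); a.keyStorePass = "changeit";
        System.out.println("missing before trust store is set: " + a.missing());
        a.trustStoreType = "PKCS12"; a.trustStorePath = p.toString(); a.trustStorePass = "changeit";
        System.out.println("context protocol: " + a.build().getProtocol());
    }
}
```

An empty trust store is enough to build the context here, but a real handshake against it would fail because it holds no trust anchors.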