Skip to content

[feat][pip] PIP-478: Asynchronous v5 client auth plugin interfaces and TLS material provider plugin interface#25890

Open
lhotari wants to merge 5 commits into
apache:masterfrom
lhotari:lh-pip-478-v5-client-async-auth-and-tls-material-provider
Open

[feat][pip] PIP-478: Asynchronous v5 client auth plugin interfaces and TLS material provider plugin interface#25890
lhotari wants to merge 5 commits into
apache:masterfrom
lhotari:lh-pip-478-v5-client-async-auth-and-tls-material-provider

Conversation

@lhotari

@lhotari lhotari commented May 29, 2026

Copy link
Copy Markdown
Member

Motivation

This PIP proposes, for the Pulsar 5.0 v5 client (PIP-466) plus two new dependency-light SPI
modules — pulsar-tls-factory-api (TLS) and pulsar-http-client-api (HTTP client):

  • an asynchronous, capability-segregated v5 client authentication SPI — replacing v4's
    kitchen-sink AuthenticationDataProvider, so credential I/O (OAuth2 / Athenz token
    refresh) never blocks the Netty event loop;
  • a framework-managed PulsarHttpClient SPI — so auth plugins share the client's HTTP
    runtime instead of spinning up private AsyncHttpClient instances (issues 24795 and 24944);
  • a purpose-driven PulsarTlsFactory TLS SPI that replaces PIP-337 — decoupled from the
    auth SPI, KMS/HSM-friendly (keys never cross a Pulsar API), with rebuild-not-mutate rotation.

It also folds in the full PIP-337 removal: the sslFactoryPlugin / sslFactoryPluginParams
(and brokerClient*) config keys, the v4 ClientBuilder / PulsarAdminBuilder methods, and the
ClusterData fields are removed in 5.0 (a stale config key is rejected at startup), with a
tlsFactoryClassName / tlsFactoryConfig successor — now on the v4 client and admin builders as
well as the server configuration.

TLS transport configuration and FIPS 140-3

This PIP provides the v5 client and server-side (broker / proxy / websocket / functions-worker)
TLS transport configuration
, built on the PulsarTlsFactory SPI and the flat TlsPolicy. Beyond
cert/key/trust material, ciphers/protocols, and hostname verification, it makes the TLS engine
(JDK vs native OpenSSL) and — via TlsPolicy.jcaProviderany JCA security provider
configurable per component. This lets the TLS transport run under FIPS 140-3, including higher
levels:

  • Level 1 (software cryptographic module, e.g. BC-FIPS): pin the FIPS-140-validated JCA
    provider via TlsPolicy.jcaProvider, which forces the JDK TLS engine (never the non-validated
    native OpenSSL/BoringSSL engine). File-based PEM keys are handed to the provider — permitted at
    Level 1, where plaintext key (CSP) entry within the operational environment is allowed.
  • Level 3 (hardware module / HSM): the decoupled SPI lets a custom PulsarTlsFactory build the
    TLS context against an HSM — e.g. sourcing the key from a PKCS#11 KeyStore — so the key
    material never crosses the module boundary
    and the private key is never read into Pulsar from a
    file. That satisfies the Level 3 rule that plaintext key (CSP) entry/output use physically-separated
    ports or a trusted channel, by keeping the key inside the module.

The engine selection is wired through every server component and the client, so no listener is pinned
to a non-validated native engine. The broader FIPS-compliance mode — approved algorithms across
message encryption and authentication, a FIPS distribution/packaging variant, a fail-fast validation
switch — is out of scope; this PIP covers the TLS-transport slice.

Links

Rendered PIP document:
https://github.com/lhotari/pulsar/blob/lh-pip-478-v5-client-async-auth-and-tls-material-provider/pip/pip-478.md

Discuss thread:
https://lists.apache.org/thread/s9n9jksr9vqgn9o982zmnnkcxdcncy3f

@lhotari lhotari added this to the 5.0.0-M1 milestone May 29, 2026
@github-actions github-actions Bot added the PIP label May 29, 2026
@lhotari lhotari marked this pull request as draft June 29, 2026 21:16
@lhotari

lhotari commented Jun 29, 2026

Copy link
Copy Markdown
Member Author

The PIP will be simplified (the PulsarTlsMaterialProvider part). I haven't yet updated the PIP document.

Updates the PIP-478 design to the current proposal: the async capability-segregated v5 client authentication SPI, the framework-managed PulsarHttpClient SPI, and the purpose-driven PulsarTlsFactory TLS SPI replacing PIP-337 (full config removal + v4-client tlsFactoryClassName successor), plus TlsPolicy.jcaProvider for JCA-provider selection and the FIPS 140-3 TLS-transport coverage.
lhotari added 2 commits July 7, 2026 03:42
…gn fix)

Corrects the v4 sslProvider mapping: the Netty SslProvider engine literals (JDK, OPENSSL, OPENSSL_REFCNT) stay on the engine axis; only other values are treated as a JCA provider name and routed to TlsPolicy.jcaProvider. A valid sslProvider=JDK is no longer misrouted to a non-existent JCA provider named "JDK".
…text provider) + FIPS reframe (BCJSSE)

The provider that builds the SSLContext is a JSSE role; a crypto-only provider (BC-FIPS) has no SSLContext.TLS. Renamed TlsPolicy.jcaProvider to jsseProvider and reframed the FIPS story: jsseProvider=BCJSSE with BC-FIPS registered as the crypto provider it delegates to. Also reconciles the ClusterData broker-client model (per-client factory, no minted per-cluster purposes) and the removal break-summary.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant