[feat][pip] PIP-478: Asynchronous v5 client auth plugin interfaces and TLS material provider plugin interface#25890
Open
lhotari wants to merge 5 commits into
Conversation
… and TLS material provider plugin interface
Member
Author
|
The PIP will be simplified (the PulsarTlsMaterialProvider part). I haven't yet updated the PIP document. |
Updates the PIP-478 design to the current proposal: the async capability-segregated v5 client authentication SPI, the framework-managed PulsarHttpClient SPI, and the purpose-driven PulsarTlsFactory TLS SPI replacing PIP-337 (full config removal + v4-client tlsFactoryClassName successor), plus TlsPolicy.jcaProvider for JCA-provider selection and the FIPS 140-3 TLS-transport coverage.
…gn fix) Corrects the v4 sslProvider mapping: the Netty SslProvider engine literals (JDK, OPENSSL, OPENSSL_REFCNT) stay on the engine axis; only other values are treated as a JCA provider name and routed to TlsPolicy.jcaProvider. A valid sslProvider=JDK is no longer misrouted to a non-existent JCA provider named "JDK".
…text provider) + FIPS reframe (BCJSSE) The provider that builds the SSLContext is a JSSE role; a crypto-only provider (BC-FIPS) has no SSLContext.TLS. Renamed TlsPolicy.jcaProvider to jsseProvider and reframed the FIPS story: jsseProvider=BCJSSE with BC-FIPS registered as the crypto provider it delegates to. Also reconciles the ClusterData broker-client model (per-client factory, no minted per-cluster purposes) and the removal break-summary.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Motivation
This PIP proposes, for the Pulsar 5.0 v5 client (PIP-466) plus two new dependency-light SPI
modules —
pulsar-tls-factory-api(TLS) andpulsar-http-client-api(HTTP client):kitchen-sink
AuthenticationDataProvider, so credential I/O (OAuth2 / Athenz tokenrefresh) never blocks the Netty event loop;
PulsarHttpClientSPI — so auth plugins share the client's HTTPruntime instead of spinning up private
AsyncHttpClientinstances (issues 24795 and 24944);PulsarTlsFactoryTLS SPI that replaces PIP-337 — decoupled from theauth SPI, KMS/HSM-friendly (keys never cross a Pulsar API), with rebuild-not-mutate rotation.
It also folds in the full PIP-337 removal: the
sslFactoryPlugin/sslFactoryPluginParams(and
brokerClient*) config keys, the v4ClientBuilder/PulsarAdminBuildermethods, and theClusterDatafields are removed in 5.0 (a stale config key is rejected at startup), with atlsFactoryClassName/tlsFactoryConfigsuccessor — now on the v4 client and admin builders aswell as the server configuration.
TLS transport configuration and FIPS 140-3
This PIP provides the v5 client and server-side (broker / proxy / websocket / functions-worker)
TLS transport configuration, built on the
PulsarTlsFactorySPI and the flatTlsPolicy. Beyondcert/key/trust material, ciphers/protocols, and hostname verification, it makes the TLS engine
(JDK vs native OpenSSL) and — via
TlsPolicy.jcaProvider— any JCA security providerconfigurable per component. This lets the TLS transport run under FIPS 140-3, including higher
levels:
provider via
TlsPolicy.jcaProvider, which forces the JDK TLS engine (never the non-validatednative OpenSSL/BoringSSL engine). File-based PEM keys are handed to the provider — permitted at
Level 1, where plaintext key (CSP) entry within the operational environment is allowed.
PulsarTlsFactorybuild theTLS context against an HSM — e.g. sourcing the key from a PKCS#11
KeyStore— so the keymaterial never crosses the module boundary and the private key is never read into Pulsar from a
file. That satisfies the Level 3 rule that plaintext key (CSP) entry/output use physically-separated
ports or a trusted channel, by keeping the key inside the module.
The engine selection is wired through every server component and the client, so no listener is pinned
to a non-validated native engine. The broader FIPS-compliance mode — approved algorithms across
message encryption and authentication, a FIPS distribution/packaging variant, a fail-fast validation
switch — is out of scope; this PIP covers the TLS-transport slice.
Links
Rendered PIP document:
https://github.com/lhotari/pulsar/blob/lh-pip-478-v5-client-async-auth-and-tls-material-provider/pip/pip-478.md
Discuss thread:
https://lists.apache.org/thread/s9n9jksr9vqgn9o982zmnnkcxdcncy3f