RobertIndie opened a new pull request, #15571:
URL: https://github.com/apache/pulsar/pull/15571
<!--
### Contribution Checklist
- PR title format should be *[type][component] summary*. For details, see
*[Guideline - Pulsar PR Naming
Convention](https://docs.google.com/document/d/1d8Pw6ZbWk-_pCKdOmdvx9rnhPiyuxwq60_TrD68d7BA/edit#heading=h.trs9rsex3xom)*.
- Fill out the template below to describe the changes contributed by the
pull request. That will give reviewers the context they need to do the review.
- Each pull request should address only one issue, not mix up code from
multiple issues.
- Each commit in the pull request has a meaningful commit message
- Once all items of the checklist are addressed, remove the above text and
this checklist, leaving only the filled out template below.
**(The sections below can be removed for hotfixes of typos)**
-->
*(If this PR fixes a github issue, please add `Fixes #<xyz>`.)*
### Motivation
Currently, pulsar SQL does not compatible with the authentication and
authorization from the pulsar broker. We don't have any security-related
integration between Pulsar and Presto.
Although we can implement a presto access control plugin to interface with
the pulsar broker's authorization module. But this method does not handle
authentication well.
### Modifications
This PR adds authentication and authorization support between Pulsar and
Pulsar SQL by using the extra credentials properties. The request from the
pulsar SQL client can have auth-related parameters(like `auth-plugin` and
`auth-params`) attached to the extra credentials. The pulsar SQL worker can
therefore obtain auth information and use PulsarClient to initiate an auth
verification request to the broker. In this way, we can call the broker's
authentication and authentication directly on the pulsar SQL worker.
This PR adds a new module `PulsarAuth` to the SQL worker.
### Verifying this change
- [ ] Make sure that the change passes the CI checks.
*(Please pick either of the following options)*
This change is a trivial rework / code cleanup without any test coverage.
*(or)*
This change is already covered by existing tests, such as *(please describe
tests)*.
*(or)*
This change added tests and can be verified as follows:
*(example:)*
- *Added integration tests for end-to-end deployment with large payloads
(10MB)*
- *Extended integration test for recovery after broker failure*
### Does this pull request potentially affect one of the following parts:
*If `yes` was chosen, please highlight the changes*
- Dependencies (does it add or upgrade a dependency): (yes / no)
- The public API: (yes / no)
- The schema: (yes / no / don't know)
- The default values of configurations: (yes / no)
- The wire protocol: (yes / no)
- The rest endpoints: (yes / no)
- The admin cli options: (yes / no)
- Anything that affects deployment: (yes / no / don't know)
### Documentation
Check the box below or label this PR directly.
Need to update docs?
- [x] `doc-required`
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
