This is an automated email from the ASF dual-hosted git repository. rxl pushed a commit to branch branch-2.6 in repository https://gitbox.apache.org/repos/asf/pulsar.git
commit 7df08cac3689afe0b5c870256d9cea565b71db1c
Author: 冉小龙 <r...@apache.org>
AuthorDate: Sat Jul 18 09:38:19 2020 +0800

Improve security setting of Pulsar Functions (#7578)

Signed-off-by: xiaolong.ran <r...@apache.org>

### Motivation

Improve security setting of Pulsar Functions

### Modifications

- Add `TLS Authentication` example
- Improve `TLS Transport` config
- Add `authorizationProvider` field for **Authorization**

(cherry picked from commit 2374cd9c4260d9528e911878c49dc107508a2067)
--- site2/docs/functions-worker.md | 20 +++++++++++++++++++- 1 file changed, 19 insertions(+), 1 deletion(-) diff --git a/site2/docs/functions-worker.md b/site2/docs/functions-worker.md index 0a4664f..35bfd9a 100644 --- a/site2/docs/functions-worker.md +++ b/site2/docs/functions-worker.md @@ -105,10 +105,17 @@ If you want to enable security on functions workers, you *should*: To enable TLS transport encryption, configure the following settings. ``` +useTLS: true +pulsarServiceUrl: pulsar+ssl://localhost:6651/ +pulsarWebServiceUrl: https://localhost:8443 + tlsEnabled: true tlsCertificateFilePath: /path/to/functions-worker.cert.pem tlsKeyFilePath: /path/to/functions-worker.key-pk8.pem tlsTrustCertsFilePath: /path/to/ca.cert.pem + +// The path to trusted certificates used by the Pulsar client to authenticate with Pulsar brokers +brokerClientTrustCertsFilePath: /path/to/ca.cert.pem ``` For details on TLS encryption, refer to [Transport Encryption using TLS](security-tls-transport.md).
@@ -124,6 +131,16 @@ authenticationEnabled: true authenticationProviders: [ provider1, provider2 ] ``` +For *TLS Authentication* provider, follow the example below to add the necessary settings. +See [TLS Authentication](security-tls-authentication.md) for more details. +``` +brokerClientAuthenticationPlugin: org.apache.pulsar.client.impl.auth.AuthenticationTls +brokerClientAuthenticationParameters: tlsCertFile:/path/to/admin.cert.pem,tlsKeyFile:/path/to/admin.key-pk8.pem + +authenticationEnabled: true +authenticationProviders: ['org.apache.pulsar.broker.authentication.AuthenticationProviderTls'] +``` + For *SASL Authentication* provider, add `saslJaasClientAllowedIds` and `saslJaasBrokerSectionName` under `properties` if needed. @@ -144,10 +161,11 @@ properties: ##### Enable Authorization Provider -To enable authorization on Functions Worker, you need to configure `authorizationEnabled` and `configurationStoreServers`. The authentication provider connects to `configurationStoreServers` to receive namespace policies. +To enable authorization on Functions Worker, you need to configure `authorizationEnabled`, `authorizationProvider` and `configurationStoreServers`. The authentication provider connects to `configurationStoreServers` to receive namespace policies. ```yaml authorizationEnabled: true +authorizationProvider: org.apache.pulsar.broker.authorization.PulsarAuthorizationProvider configurationStoreServers: <configuration-store-servers> ```
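
Review bot: In the first hunk (@@ -105,10 +105,17 @@), the added comment line above `brokerClientTrustCertsFilePath` starts with `//`, which is not comment syntax in YAML, the format the authorization block later in this file is fenced as. A reader who pastes the block as written ends up with an invalid config file, so use `#` and tag the fence as yaml to match. The comment's wording is also ambiguous: a trust-certs file is what the client uses to verify the brokers' certificates, while "to authenticate with Pulsar brokers" reads as if it were a client credential. Finally, the block now carries both `useTLS: true` and `tlsEnabled: true` with no text saying which connection each one covers; a short sentence for each would keep readers from setting only one of them.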
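
Review bot: In the second hunk (@@ -124,6 +131,16 @@), the example points `brokerClientAuthenticationParameters` at `/path/to/admin.cert.pem` and `/path/to/admin.key-pk8.pem` without saying why the worker's broker client presents the admin identity. Either state which role this certificate has to map to on the broker, or use a worker-specific placeholder name, so readers do not copy an admin key onto every worker host by default. The example also repeats `authenticationEnabled: true` and `authenticationProviders`, which the block directly above already shows; keeping only the TLS-specific lines (or saying the provider list replaces the placeholder one) avoids two competing definitions. The new fence opens directly after the "See ..." line with no blank line and no language tag; add both for consistency with the yaml block further down.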
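
Review bot: In the third hunk (@@ -144,10 +161,11 @@), the rewritten paragraph still ends with "The authentication provider connects to `configurationStoreServers` to receive namespace policies", although the section is "Enable Authorization Provider" and the setting being introduced is `authorizationProvider`. Since this line is being touched anyway, change it to "authorization provider". It would also help to say whether `authorizationProvider` is required or has a default, because the sentence now lists it alongside `authorizationEnabled` and `configurationStoreServers` as something "you need to configure".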