Add Athenz authentication plugin #178
Conversation
pulsar-broker-common/pom.xml
Outdated
| @@ -51,5 +51,11 @@ | |||
| <groupId>javax.servlet</groupId> | |||
| <artifactId>javax.servlet-api</artifactId> | |||
| </dependency> | |||
|
|
|||
| <dependency> | |||
There was a problem hiding this comment.
I think that the Athenz auth provider should be kept in a separate optional module, and not depend on it by default
There was a problem hiding this comment.
I' ll move athenz plugin codes to another module directory(like "pulsar-auth-athenz"), thanks.
| } | ||
|
|
||
| @Override | ||
| public String authenticate(AuthenticationDataSource authData) throws AuthenticationException { |
There was a problem hiding this comment.
How does this auth provider interacts with the authorization policies in Pulsar? Do one needs to "grant permission" on the namespace in Pulsar or everything is handled in Athenz?
There was a problem hiding this comment.
everything is handled in Athenz?
No.
In this PR, we use Athenz for only authentication, not authorization.
So users should do "grant permission" on pulsar admin API.
I think to use Athenz for both authentication and authorization is possible,
maybe it needs abstraction of authorization logic on pulsar,
and should be discussed as another issue.
merlimat
added
the
type/feature
| import com.yahoo.pulsar.client.api.PulsarClientException.GettingAuthenticationDataException; | ||
|
|
||
| /** | ||
| * Created by vmahedia on 10/3/15. |
There was a problem hiding this comment.
Classes authors should be removed
Do you mean unit tests ? |
|
@nkurihar The change looks good to me. If it's feasible, it would be good to have a unit test that spawns up an Athenz service and verify the authentication end-to-end. Also, it would be good to have a new page in the documentation to show how to enable and configure the authentication with Athenz 😄 . But that can go in a different PR. |
|
@merlimat
I'll add documents as another PR.
I'll investigate and if feasible, add the end-to-end unit test as another PR. |
Motivation
Athenz is a role-based authorization system which is recently open-sourced by Yahoo! inc.
We want to use Athenz as an authentication mechanism on pulsar.
Modifications
Add Athenz authentication plugin classes:
AuthenticationProviderAthenz(for Broker)AuthenticationAthenz(for Client)AuthenticationDataAthenz(for Client)and add
athenzDomainNamescongifuration setting to broker.conf / standalone.confResult
Be able to use Athenz authentication on pulsar.
TODO
Add documents about Athenz authentication on pulsar.