From 39f91ee63b03ff2dbdeed1fe07cc8d5a391ca9d5 Mon Sep 17 00:00:00 2001
From: Bruno Domenici
Date: Thu, 27 Jun 2024 09:54:33 +0200
Subject: [PATCH] feat!(openid): introducing support for openid configuration
BREAKING CHANGE: provider configuration changed from auth.authentication.provider to auth.authentication.jwt.enabled
---
 README.md | 1 +
 charts/pulsar/templates/broker-configmap.yaml | 26 ++++++++++++++++++-
 .../pulsar/templates/broker-statefulset.yaml | 4 +--
 charts/pulsar/templates/proxy-configmap.yaml | 26 ++++++++++++++++++-
 .../pulsar/templates/proxy-statefulset.yaml | 4 +--
 .../templates/pulsar-manager-configmap.yaml | 2 +-
 .../templates/pulsar-manager-statefulset.yaml | 6 ++---
 .../pulsar/templates/toolset-configmap.yaml | 2 +-
 .../pulsar/templates/toolset-statefulset.yaml | 4 +--
 charts/pulsar/values.yaml | 18 ++++++++++++-
 10 files changed, 79 insertions(+), 14 deletions(-)
diff --git a/README.md b/README.md
index c84e1d03..e7038f0a 100644
--- a/README.md
+++ b/README.md
@@ -77,6 +77,7 @@ It includes support for:
 - [x] ZooKeeper
 - [x] Authentication
 - [x] JWT
+ - [x] OpenID
 - [ ] Mutal TLS
 - [ ] Kerberos
 - [x] Authorization
diff --git a/charts/pulsar/templates/broker-configmap.yaml b/charts/pulsar/templates/broker-configmap.yaml
index baac848a..f90a5f46 100644
--- a/charts/pulsar/templates/broker-configmap.yaml
+++ b/charts/pulsar/templates/broker-configmap.yaml
@@ -164,9 +164,14 @@ data:
 proxyRoles: {{ .Values.auth.superUsers.proxy }}
 {{- end }}
 {{- end }}
- {{- if eq .Values.auth.authentication.provider "jwt" }}
+ {{- if and .Values.auth.authentication.enabled .Values.auth.authentication.jwt.enabled }}
 # token authentication configuration
+ {{- if and .Values.auth.authentication.enabled .Values.auth.authentication.jwt.enabled .Values.auth.authentication.openid.enabled }}
+ authenticationProviders: "org.apache.pulsar.broker.authentication.AuthenticationProviderToken,org.apache.pulsar.broker.authentication.oidc.AuthenticationProviderOpenID"
+ {{- end }}
+ {{- if and .Values.auth.authentication.enabled .Values.auth.authentication.jwt.enabled ( not .Values.auth.authentication.openid.enabled ) }}
 authenticationProviders: "org.apache.pulsar.broker.authentication.AuthenticationProviderToken"
+ {{- end }}
 brokerClientAuthenticationParameters: "file:///pulsar/tokens/broker/token"
 brokerClientAuthenticationPlugin: "org.apache.pulsar.client.impl.auth.AuthenticationToken"
 {{- if .Values.auth.authentication.jwt.usingSecretKey }}
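Review bot: The two inner `{{- if and .Values.auth.authentication.enabled .Values.auth.authentication.jwt.enabled ... }}` guards re-test conditions that the enclosing `if` on the first added line has already established, so only the openid flag carries information; the pair reads more clearly as `{{- if .Values.auth.authentication.openid.enabled }}` / `{{- else }}` / `{{- end }}` around the two `authenticationProviders` lines. The same pattern recurs in the second broker-configmap hunk and in both proxy-configmap hunks. Separately, `brokerClientAuthenticationParameters` and `brokerClientAuthenticationPlugin` stay inside this jwt-only block, and toolset-configmap and pulsar-manager-configmap likewise emit client credentials only under `jwt.enabled`, so a deployment with `openid.enabled: true` and `jwt.enabled: false` renders the broker, proxy and tooling with no client credentials of their own; if JWT is meant to remain mandatory for intra-cluster auth, a `{{ fail }}` when openid is enabled without jwt, or a comment on `openid.enabled` in values.yaml saying so, would make that explicit. Whether anything else in the template guards the `authentication.enabled: true` / both providers `false` combination, which now renders no `authenticationProviders` line at all, is outside this hunk.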
@@ -175,6 +180,25 @@ data:
 tokenPublicKey: "file:///pulsar/keys/token/public.key"
 {{- end }}
 {{- end }}
+ {{- if and .Values.auth.authentication.enabled .Values.auth.authentication.openid.enabled }}
+ # openid authentication configuration
+ {{- if and .Values.auth.authentication.enabled .Values.auth.authentication.openid.enabled ( not .Values.auth.authentication.jwt.enabled ) }}
+ authenticationProviders: "org.apache.pulsar.broker.authentication.oidc.AuthenticationProviderOpenID"
+ {{- end }}
+ PULSAR_PREFIX_openIDAllowedTokenIssuers: {{ .Values.auth.authentication.openid.openIDAllowedTokenIssuers | uniq | compact | sortAlpha | join "," | quote }}
+ PULSAR_PREFIX_openIDAllowedAudiences: {{ .Values.auth.authentication.openid.openIDAllowedAudiences | uniq | compact | sortAlpha | join "," | quote }}
+ PULSAR_PREFIX_openIDTokenIssuerTrustCertsFilePath: {{ .Values.auth.authentication.openid.openIDTokenIssuerTrustCertsFilePath | quote }}
+ PULSAR_PREFIX_openIDRoleClaim: {{ .Values.auth.authentication.openid.openIDRoleClaim | quote }}
+ PULSAR_PREFIX_openIDAcceptedTimeLeewaySeconds: {{ .Values.auth.authentication.openid.openIDAcceptedTimeLeewaySeconds | quote }}
+ PULSAR_PREFIX_openIDCacheSize: {{ .Values.auth.authentication.openid.openIDCacheSize | quote }}
+ PULSAR_PREFIX_openIDCacheRefreshAfterWriteSeconds: {{ .Values.auth.authentication.openid.openIDCacheRefreshAfterWriteSeconds | quote }}
+ PULSAR_PREFIX_openIDCacheExpirationSeconds: {{ .Values.auth.authentication.openid.openIDCacheExpirationSeconds | quote }}
+ PULSAR_PREFIX_openIDHttpConnectionTimeoutMillis: {{ .Values.auth.authentication.openid.openIDHttpConnectionTimeoutMillis | quote }}
+ PULSAR_PREFIX_openIDHttpReadTimeoutMillis: {{ .Values.auth.authentication.openid.openIDHttpReadTimeoutMillis | quote }}
+ PULSAR_PREFIX_openIDKeyIdCacheMissRefreshSeconds: {{ .Values.auth.authentication.openid.openIDKeyIdCacheMissRefreshSeconds | quote }}
+ PULSAR_PREFIX_openIDRequireIssuersUseHttps: {{ .Values.auth.authentication.openid.openIDRequireIssuersUseHttps | quote }}
+ PULSAR_PREFIX_openIDFallbackDiscoveryMode: {{ .Values.auth.authentication.openid.openIDFallbackDiscoveryMode | quote }}
+ {{- end }}
 {{- end }}
 {{- if and .Values.tls.enabled .Values.tls.bookie.enabled }}
diff --git a/charts/pulsar/templates/broker-statefulset.yaml b/charts/pulsar/templates/broker-statefulset.yaml
index f45adcfd..eacf8067 100644
--- a/charts/pulsar/templates/broker-statefulset.yaml
+++ b/charts/pulsar/templates/broker-statefulset.yaml
@@ -258,7 +258,7 @@ spec:
 name: "{{ template "pulsar.fullname" . }}-{{ .Values.broker.component }}"
 volumeMounts:
 {{- if .Values.auth.authentication.enabled }}
- {{- if eq .Values.auth.authentication.provider "jwt" }}
+ {{- if .Values.auth.authentication.jwt.enabled }}
 - mountPath: "/pulsar/keys"
 name: token-keys
 readOnly: true
@@ -312,7 +312,7 @@ spec:
 {{ toYaml .Values.broker.extraVolumes | indent 6 }}
 {{- end }}
 {{- if .Values.auth.authentication.enabled }}
- {{- if eq .Values.auth.authentication.provider "jwt" }}
+ {{- if .Values.auth.authentication.jwt.enabled }}
 - name: token-keys
 secret:
 {{- if not .Values.auth.authentication.jwt.usingSecretKey }}
diff --git a/charts/pulsar/templates/proxy-configmap.yaml b/charts/pulsar/templates/proxy-configmap.yaml
index 959c23dd..01105fe0 100644
--- a/charts/pulsar/templates/proxy-configmap.yaml
+++ b/charts/pulsar/templates/proxy-configmap.yaml
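Review bot: The openid stanza added here (from `# openid authentication configuration` through `PULSAR_PREFIX_openIDFallbackDiscoveryMode`) is repeated byte-for-byte in the second proxy-configmap hunk, so broker and proxy will drift apart the first time an option is added or a default changes; defining it once with `{{- define "pulsar.openid.config" -}}` and emitting `{{- include "pulsar.openid.config" . | nindent 2 }}` from both configmaps keeps the two components validating tokens under the same rules. With the values.yaml defaults `openIDAllowedTokenIssuers` and `openIDAllowedAudiences` are empty lists, which `join "," | quote` renders as `""`; I believe the provider refuses to initialise without issuers while `openIDFallbackDiscoveryMode` is `DISABLED`, but that is not visible here, and a render-time check such as `{{- if not .Values.auth.authentication.openid.openIDAllowedTokenIssuers }}{{ fail "auth.authentication.openid.openIDAllowedTokenIssuers must list at least one issuer" }}{{- end }}` inside the openid block would catch the misconfiguration before a broker ever starts. The enclosing `data:` mapping begins before this hunk.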
@@ -70,9 +70,14 @@ data:
 superUserRoles: {{ .Values.auth.superUsers | values | compact | sortAlpha | join "," }}
 {{- end }}
 {{- end }}
- {{- if eq .Values.auth.authentication.provider "jwt" }}
+ {{- if and .Values.auth.authentication.enabled .Values.auth.authentication.jwt.enabled }}
 # token authentication configuration
+ {{- if and .Values.auth.authentication.enabled .Values.auth.authentication.jwt.enabled .Values.auth.authentication.openid.enabled }}
+ authenticationProviders: "org.apache.pulsar.broker.authentication.AuthenticationProviderToken,org.apache.pulsar.broker.authentication.oidc.AuthenticationProviderOpenID"
+ {{- end }}
+ {{- if and .Values.auth.authentication.enabled .Values.auth.authentication.jwt.enabled ( not .Values.auth.authentication.openid.enabled ) }}
 authenticationProviders: "org.apache.pulsar.broker.authentication.AuthenticationProviderToken"
+ {{- end }}
 brokerClientAuthenticationParameters: "file:///pulsar/tokens/proxy/token"
 brokerClientAuthenticationPlugin: "org.apache.pulsar.client.impl.auth.AuthenticationToken"
 {{- if .Values.auth.authentication.jwt.usingSecretKey }}
@@ -81,6 +86,25 @@ data:
 tokenPublicKey: "file:///pulsar/keys/token/public.key"
 {{- end }}
 {{- end }}
+ {{- if and .Values.auth.authentication.enabled .Values.auth.authentication.openid.enabled }}
+ # openid authentication configuration
+ {{- if and .Values.auth.authentication.enabled .Values.auth.authentication.openid.enabled ( not .Values.auth.authentication.jwt.enabled ) }}
+ authenticationProviders: "org.apache.pulsar.broker.authentication.oidc.AuthenticationProviderOpenID"
+ {{- end }}
+ PULSAR_PREFIX_openIDAllowedTokenIssuers: {{ .Values.auth.authentication.openid.openIDAllowedTokenIssuers | uniq | compact | sortAlpha | join "," | quote }}
+ PULSAR_PREFIX_openIDAllowedAudiences: {{ .Values.auth.authentication.openid.openIDAllowedAudiences | uniq | compact | sortAlpha | join "," | quote }}
+ PULSAR_PREFIX_openIDTokenIssuerTrustCertsFilePath: {{ .Values.auth.authentication.openid.openIDTokenIssuerTrustCertsFilePath | quote }}
+ PULSAR_PREFIX_openIDRoleClaim: {{ .Values.auth.authentication.openid.openIDRoleClaim | quote }}
+ PULSAR_PREFIX_openIDAcceptedTimeLeewaySeconds: {{ .Values.auth.authentication.openid.openIDAcceptedTimeLeewaySeconds | quote }}
+ PULSAR_PREFIX_openIDCacheSize: {{ .Values.auth.authentication.openid.openIDCacheSize | quote }}
+ PULSAR_PREFIX_openIDCacheRefreshAfterWriteSeconds: {{ .Values.auth.authentication.openid.openIDCacheRefreshAfterWriteSeconds | quote }}
+ PULSAR_PREFIX_openIDCacheExpirationSeconds: {{ .Values.auth.authentication.openid.openIDCacheExpirationSeconds | quote }}
+ PULSAR_PREFIX_openIDHttpConnectionTimeoutMillis: {{ .Values.auth.authentication.openid.openIDHttpConnectionTimeoutMillis | quote }}
+ PULSAR_PREFIX_openIDHttpReadTimeoutMillis: {{ .Values.auth.authentication.openid.openIDHttpReadTimeoutMillis | quote }}
+ PULSAR_PREFIX_openIDKeyIdCacheMissRefreshSeconds: {{ .Values.auth.authentication.openid.openIDKeyIdCacheMissRefreshSeconds | quote }}
+ PULSAR_PREFIX_openIDRequireIssuersUseHttps: {{ .Values.auth.authentication.openid.openIDRequireIssuersUseHttps | quote }}
+ PULSAR_PREFIX_openIDFallbackDiscoveryMode: {{ .Values.auth.authentication.openid.openIDFallbackDiscoveryMode | quote }}
+ {{- end }}
 {{- end }}
 {{ toYaml .Values.proxy.configData | indent 2 }}
 {{- end }}
diff --git a/charts/pulsar/templates/proxy-statefulset.yaml b/charts/pulsar/templates/proxy-statefulset.yaml
index e6a18106..2ff5d355 100644
--- a/charts/pulsar/templates/proxy-statefulset.yaml
+++ b/charts/pulsar/templates/proxy-statefulset.yaml
@@ -215,7 +215,7 @@ spec:
 {{- if or .Values.proxy.extraVolumeMounts .Values.auth.authentication.enabled (and .Values.tls.enabled (or .Values.tls.proxy.enabled .Values.tls.broker.enabled)) }}
 volumeMounts:
 {{- if .Values.auth.authentication.enabled }}
- {{- if eq .Values.auth.authentication.provider "jwt" }}
+ {{- if .Values.auth.authentication.jwt.enabled }}
 - mountPath: "/pulsar/keys"
 name: token-keys
 readOnly: true
@@ -245,7 +245,7 @@ spec:
 {{ toYaml .Values.proxy.extraVolumes | indent 8 }}
 {{- end }}
 {{- if .Values.auth.authentication.enabled }}
- {{- if eq .Values.auth.authentication.provider "jwt" }}
+ {{- if .Values.auth.authentication.jwt.enabled }}
 - name: token-keys
 secret:
 {{- if not .Values.auth.authentication.jwt.usingSecretKey }}
diff --git a/charts/pulsar/templates/pulsar-manager-configmap.yaml b/charts/pulsar/templates/pulsar-manager-configmap.yaml
index df70ecd0..e5ebef94 100644
--- a/charts/pulsar/templates/pulsar-manager-configmap.yaml
+++ b/charts/pulsar/templates/pulsar-manager-configmap.yaml
@@ -31,7 +31,7 @@ data:
 PULSAR_MANAGER_OPTS: "-Dlog4j2.formatMsgNoLookups=true"
 {{- if .Values.auth.authentication.enabled }}
 # auth
- {{- if eq .Values.auth.authentication.provider "jwt" }}
+ {{- if .Values.auth.authentication.jwt.enabled }}
 {{- if .Values.auth.authentication.jwt.usingSecretKey }}
 SECRET_KEY: "file:///pulsar-manager/keys/token/secret.key"
 {{- else }}
diff --git a/charts/pulsar/templates/pulsar-manager-statefulset.yaml b/charts/pulsar/templates/pulsar-manager-statefulset.yaml
index 3b29d6f2..7db685d0 100755
--- a/charts/pulsar/templates/pulsar-manager-statefulset.yaml
+++ b/charts/pulsar/templates/pulsar-manager-statefulset.yaml
@@ -70,7 +70,7 @@ spec:
 - name: "{{ template "pulsar.fullname" . }}-{{ .Values.pulsar_manager.component }}-{{ .Values.pulsar_manager.volumes.data.name }}"
 mountPath: /data
 {{- if .Values.auth.authentication.enabled }}
- {{- if eq .Values.auth.authentication.provider "jwt" }}
+ {{- if .Values.auth.authentication.jwt.enabled }}
 - name: pulsar-manager-keys
 mountPath: /pulsar-manager/keys
 {{- end }}
@@ -98,7 +98,7 @@ spec:
 {{- end }}
 key: DB_PASSWORD
 {{- if .Values.auth.authentication.enabled }}
- {{- if eq .Values.auth.authentication.provider "jwt" }}
+ {{- if .Values.auth.authentication.jwt.enabled }}
 {{- if .Values.auth.superUsers.manager }}
 - name: JWT_TOKEN
 valueFrom:
@@ -111,7 +111,7 @@ spec:
 {{- include "pulsar.imagePullSecrets" . | nindent 6}}
 volumes:
 {{- if .Values.auth.authentication.enabled }}
- {{- if eq .Values.auth.authentication.provider "jwt" }}
+ {{- if .Values.auth.authentication.jwt.enabled }}
 - name: pulsar-manager-keys
 secret:
 defaultMode: 420
diff --git a/charts/pulsar/templates/toolset-configmap.yaml b/charts/pulsar/templates/toolset-configmap.yaml
index 7a1cafea..9ecdec77 100644
--- a/charts/pulsar/templates/toolset-configmap.yaml
+++ b/charts/pulsar/templates/toolset-configmap.yaml
@@ -61,7 +61,7 @@ data:
 {{- end }}
 # Authentication Settings
 {{- if .Values.auth.authentication.enabled }}
- {{- if eq .Values.auth.authentication.provider "jwt" }}
+ {{- if .Values.auth.authentication.jwt.enabled }}
 authParams: "file:///pulsar/tokens/client/token"
 authPlugin: "org.apache.pulsar.client.impl.auth.AuthenticationToken"
 {{- end }}
diff --git a/charts/pulsar/templates/toolset-statefulset.yaml b/charts/pulsar/templates/toolset-statefulset.yaml
index 3ecd4797..3d3b13ae 100644
--- a/charts/pulsar/templates/toolset-statefulset.yaml
+++ b/charts/pulsar/templates/toolset-statefulset.yaml
@@ -86,7 +86,7 @@ spec:
 name: "{{ template "pulsar.fullname" . }}-{{ .Values.toolset.component }}"
 volumeMounts:
 {{- if .Values.auth.authentication.enabled }}
- {{- if eq .Values.auth.authentication.provider "jwt" }}
+ {{- if .Values.auth.authentication.jwt.enabled }}
 - mountPath: "/pulsar/tokens"
 name: client-token
 readOnly: true
@@ -103,7 +103,7 @@ spec:
 {{- include "pulsar.toolset.certs.volumeMounts" . | nindent 8 }}
 volumes:
 {{- if .Values.auth.authentication.enabled }}
- {{- if eq .Values.auth.authentication.provider "jwt" }}
+ {{- if .Values.auth.authentication.jwt.enabled }}
 - name: client-token
 secret:
 secretName: "{{ .Release.Name }}-token-{{ .Values.auth.superUsers.client }}"
diff --git a/charts/pulsar/values.yaml b/charts/pulsar/values.yaml
index 21cb554a..a072e097 100755
--- a/charts/pulsar/values.yaml
+++ b/charts/pulsar/values.yaml
@@ -235,12 +235,28 @@ tls:
 auth:
 authentication:
 enabled: false
- provider: "jwt"
 jwt:
+ enabled: false # Enable JWT authentication
 # If the token is generated by a secret key, set the usingSecretKey as true.
 # If the token is generated by a private key, set the usingSecretKey as false.
 usingSecretKey: false
+ openid:
+ enabled: false
+# # https://pulsar.apache.org/docs/next/security-openid-connect/#enable-openid-connect-authentication-in-the-broker-and-proxy
+ openIDAllowedTokenIssuers: []
+ openIDAllowedAudiences: []
+ openIDTokenIssuerTrustCertsFilePath:
+ openIDRoleClaim:
+ openIDAcceptedTimeLeewaySeconds: "0"
+ openIDCacheSize: "5"
+ openIDCacheRefreshAfterWriteSeconds: "64800"
+ openIDCacheExpirationSeconds: "86400"
+ openIDHttpConnectionTimeoutMillis: "10000"
+ openIDHttpReadTimeoutMillis: "10000"
+ openIDKeyIdCacheMissRefreshSeconds: "300"
+ openIDRequireIssuersUseHttps: "true"
+ openIDFallbackDiscoveryMode: "DISABLED"
 authorization:
 enabled: false
 superUsers:
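Review bot: Dropping `provider: "jwt"` without a guard means a chart upgrade with unchanged user values silently turns JWT off: `auth.authentication.enabled: true` is kept, `jwt.enabled` now defaults to `false`, and the templates in this commit then render neither `authenticationProviders` nor the token mounts. A one-line check in a template, e.g. `{{- if hasKey .Values.auth.authentication "provider" }}{{ fail "auth.authentication.provider was removed; set auth.authentication.jwt.enabled instead" }}{{- end }}`, turns that into a render-time error that names the migration. `openIDTokenIssuerTrustCertsFilePath:` and `openIDRoleClaim:` are left bare, so they load as null and the configmaps quote them into `""`; write `""` explicitly, or for the role claim the upstream default `"sub"`, so the rendered value is deliberate rather than an artefact of an empty key. The `# # https://...` comment has a doubled hash and sits at column 0 rather than alongside the `openid` keys it documents, and each openID key would benefit from a one-line comment giving its unit and effect — `openIDRequireIssuersUseHttps: "true"` in particular should say it is the secure default that guards token-issuer discovery and is not meant to be relaxed.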