Reference: pubsub pulsar OIDC authentication #3655
Conversation
| @@ -80,6 +81,14 @@ spec: | |||
| | publicKey | N | A public key to be used for publisher and consumer encryption. Value can be one of two options: file path for a local PEM cert, or the cert data string value | | |||
| | privateKey | N | A private key to be used for consumer encryption. Value can be one of two options: file path for a local PEM cert, or the cert data string value | | |||
| | keys | N | A comma delimited string containing names of [Pulsar session keys](https://pulsar.apache.org/docs/3.0.x/security-encryption/#how-it-works-in-pulsar). Used in conjunction with `publicKey` for publisher encryption | | |||
| | authType | N | One of `"none"`, `"token"` or `"oidc"`. The type of authentication mechanism to use. Defaults to `"none"`, unless `token` is defined in which case it defaults to `"token"`. | "oidc" | | |||
| | token | N | `authType: token`. Token used for authentication. | [How to create pulsar token](https://pulsar.apache.org/docs/en/security-jwt/#generate-tokens)| | |||
There was a problem hiding this comment.
Given the settings required for oidc I suggest that there is a separate example of how these are set in the metadata. For example this component https://docs.dapr.io/reference/components-reference/supported-pubsub/setup-azure-eventhubs/#azure-active-directory-aad-authentication shows how to set AAD authentication correctly.
And if there are any particular gochas outside of the the description and examples, add this into a paragraph or two. In other words be more specific to user on how to use the oidc settings
There was a problem hiding this comment.
Makes sense, will do 👍
|
@JoshVanL - Also there are conflicts on the v1.12 branch https://v1-12.docs.dapr.io/reference/components-reference/supported-pubsub/setup-pulsar/ |
daprdocs/content/en/reference/components-reference/supported-pubsub/setup-pulsar.md
Outdated
Show resolved
Hide resolved
daprdocs/content/en/reference/components-reference/supported-pubsub/setup-pulsar.md
Outdated
Show resolved
Hide resolved
daprdocs/content/en/reference/components-reference/supported-pubsub/setup-pulsar.md
Outdated
Show resolved
Hide resolved
daprdocs/content/en/reference/components-reference/supported-pubsub/setup-pulsar.md
Outdated
Show resolved
Hide resolved
daprdocs/content/en/reference/components-reference/supported-pubsub/setup-pulsar.md
Outdated
Show resolved
Hide resolved
daprdocs/content/en/reference/components-reference/supported-pubsub/setup-pulsar.md
Outdated
Show resolved
Hide resolved
daprdocs/content/en/reference/components-reference/supported-pubsub/setup-pulsar.md
Outdated
Show resolved
Hide resolved
daprdocs/content/en/reference/components-reference/supported-pubsub/setup-pulsar.md
Outdated
Show resolved
Hide resolved
Signed-off-by: joshvanl <[email protected]>
Signed-off-by: joshvanl <[email protected]>
JoshVanL
force-pushed
the
reference-pubsub-pulsar-oidc
branch
from
12db85e
to
a7e5f1f
Compare
|
@ItalyPaleAle please review |
| @@ -128,6 +134,42 @@ curl -X POST http://localhost:3500/v1.0/publish/myPulsar/myTopic?metadata.delive | |||
| }' | |||
| ``` | |||
|
|
|||
| ### OIDC Authentication | |||
|
|
|||
| Since `v3.0`, [Pulsar supports OIDC authentication](https://pulsar.apache.org/docs/3.0.x/security-openid-connect/). | |||
There was a problem hiding this comment.
@JoshVanL would the changes we made support OAuth2 (without OIDC) too? https://pulsar.apache.org/docs/3.0.x/security-oauth2/
There was a problem hiding this comment.
No idea, we can add a certification test to see if it would work.
daprdocs/content/en/reference/components-reference/supported-pubsub/setup-pulsar.md
Outdated
Show resolved
Hide resolved
| @@ -90,6 +89,13 @@ The above example uses secrets as plain strings. It is recommended to use a [sec | |||
| | processMode | N | Enable processing multiple messages at once. Default: `"async"` | `"async"`, `"sync"`| | |||
| | subscribeType | N | Pulsar supports four kinds of [subscription types](https://pulsar.apache.org/docs/3.0.x/concepts-messaging/#subscription-types). Default: `"shared"` | `"shared"`, `"exclusive"`, `"failover"`, `"key_shared"`| | |||
| | partitionKey | N | Sets the key of the message for routing policy. Default: `""` | | | |||
| | token | N | Token used for authentication. | [How to create Pulsar token](https://pulsar.apache.org/docs/en/security-jwt/#generate-tokens)| | |||
There was a problem hiding this comment.
Consider creating a separate table for each authentication profile? (and include a mention that it can work without any). Example: https://docs.dapr.io/reference/components-reference/supported-state-stores/setup-sqlserver/#spec-metadata-fields
There was a problem hiding this comment.
@JoshVanL - Can you address this comment from @ItalyPaleAle?
There was a problem hiding this comment.
@msfussell all comments look to be resolved from my side I think.
|
Stale PR, paging all reviewers |
Signed-off-by: joshvanl <[email protected]>
|
Stale PR, paging all reviewers |
|
Stale PR, paging all reviewers |
|
@ItalyPaleAle could you review Josh's updates per your comments? |
|
Stale PR, paging all reviewers |
|
Stale PR, paging all reviewers |
daprdocs/content/en/reference/components-reference/supported-pubsub/setup-pulsar.md
Outdated
Show resolved
Hide resolved
daprdocs/content/en/reference/components-reference/supported-pubsub/setup-pulsar.md
Outdated
Show resolved
Hide resolved
daprdocs/content/en/reference/components-reference/supported-pubsub/setup-pulsar.md
Outdated
Show resolved
Hide resolved
…ubsub/setup-pulsar.md Co-authored-by: Mark Fussell <[email protected]> Signed-off-by: Josh van Leeuwen <[email protected]>
…ubsub/setup-pulsar.md Co-authored-by: Mark Fussell <[email protected]> Signed-off-by: Josh van Leeuwen <[email protected]>
…ubsub/setup-pulsar.md Co-authored-by: Mark Fussell <[email protected]> Signed-off-by: Josh van Leeuwen <[email protected]>
Document pulsar OIDC authentication options. implemented here.