pip-351.md

File metadata and controls

166 lines (122 loc) · 6.38 KB

PIP-351: Additional options for Pulsar-Test client to support KeyStore based TLS

Background knowledge

In both the Pulsar Client and Pulsar Admin we support the use of KeyStores. This feature is enabled by the boolean "useKeyStoreTls". The boolean is also the only way authentication mechanisms such as AuthenticationKeyStoreTls can be used properly, because the logic that builds an SSL context from keystores, whether the parameters come from the ClientConfigurationData held by Pulsar Admin/Client or from the AuthData, hinges on the "useKeyStoreTls" boolean, as can be seen below:

```java
// AsyncHttpConnector.java (excerpt)
if (conf.isUseKeyStoreTls()) {
    // Prefer keystore parameters supplied by the authentication plugin (AuthData);
    // otherwise fall back to the keystore settings in the client configuration.
    KeyStoreParams params = authData.hasDataForTls() ? authData.getTlsKeyStoreParams() :
            new KeyStoreParams(conf.getTlsKeyStoreType(), conf.getTlsKeyStorePath(),
                    conf.getTlsKeyStorePassword());

    // Build the SSL context from the keystore (client identity) and the truststore (server trust).
    final SSLContext sslCtx = KeyStoreSSLContext.createClientSslContext(
            conf.getSslProvider(),
            params.getKeyStoreType(),
            params.getKeyStorePath(),
            params.getKeyStorePassword(),
            conf.isTlsAllowInsecureConnection(),
            conf.getTlsTrustStoreType(),
            conf.getTlsTrustStorePath(),
            conf.getTlsTrustStorePassword(),
            conf.getTlsCiphers(),
            conf.getTlsProtocols());

    // Hand the context to the HTTP client used by the admin connector.
    JsseSslEngineFactory sslEngineFactory = new JsseSslEngineFactory(sslCtx);
    confBuilder.setSslEngineFactory(sslEngineFactory);
}
```

None of these options can currently be configured when using the Pulsar Test client.

Motivation

As we already let users both extend authentication and use just the keystore and truststore properties to set up mTLS connections, without any authentication plugin class, many of them might want to use this method of authentication during performance testing as well.

I understand that currently mTLS (for testing purposes) can be achieved by using trust and client certificates. However, the case of users extending authentication plugin classes and utilizing keystores is still not covered by the current options. Therefore, I propose we make these already existing options configurable in the test clients, increasing their usability.

Goals

In Scope

Create new arguments for the following properties in PerformanceBaseArguments.java:

  1. useKeyStoreTls
  2. trustStoreType
  3. trustStorePath
  4. trustStorePass
  5. keyStoreType
  6. keyStorePath
  7. keyStorePass

Update the code to switch between TrustCerts and TrustStore based on useKeyStoreTls.

Detailed Design

Design & Implementation Details

Add the options for utilizing keystores as part of the performance base arguments, and forward their values to the client/admin builders.

Public-facing Changes

CLI

All places where we use the Pulsar Test client, for example Pulsar-Perf, will have the following new options:

  1. --use-keystore-tls → Default value = false
  2. --truststore-type → Default value = JKS, Possible values = JKS, PKCS12
  3. --truststore-path → Default value = ""
  4. --truststore-pass → Default value = ""
  5. --keystore-type → Default value = JKS, Possible values = JKS, PKCS12
  6. --keystore-path → Default value = ""
  7. --keystore-pass → Default value = ""
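The following is an added illustration of how the seven options above could be declared with Picocli and forwarded to the ClientBuilder, switching between the TrustCerts and TrustStore paths on useKeyStoreTls; it is not the PIP's implementation. The class name KeyStoreTlsArgs, the applyTo method and the `--trust-cert-file` option are assumptions for the example, and the ClientBuilder setters used are the existing Pulsar client API.

```java
import org.apache.pulsar.client.api.ClientBuilder;
import org.apache.pulsar.client.api.PulsarClient;
import picocli.CommandLine;
import picocli.CommandLine.Option;

// Hypothetical argument holder mirroring the proposed options (defaults as listed in the PIP).
public class KeyStoreTlsArgs {
    @Option(names = "--use-keystore-tls", description = "Use KeyStore/TrustStore files instead of PEM trust certs")
    boolean useKeyStoreTls = false;
    @Option(names = "--truststore-type", description = "JKS or PKCS12")
    String trustStoreType = "JKS";
    @Option(names = "--truststore-path") String trustStorePath = "";
    @Option(names = "--truststore-pass") String trustStorePass = "";
    @Option(names = "--keystore-type", description = "JKS or PKCS12")
    String keyStoreType = "JKS";
    @Option(names = "--keystore-path") String keyStorePath = "";
    @Option(names = "--keystore-pass") String keyStorePass = "";
    // Assumed PEM-based option used on the non-keystore branch.
    @Option(names = "--trust-cert-file") String trustCertFilePath = "";

    // Forward the options: TrustStore branch when useKeyStoreTls is set, TrustCerts branch otherwise.
    ClientBuilder applyTo(ClientBuilder builder) {
        if (useKeyStoreTls) {
            if (trustStorePath.isEmpty()) {
                // Fail fast instead of letting an empty path fall through to the builder defaults.
                throw new IllegalArgumentException("--use-keystore-tls requires --truststore-path");
            }
            builder.useKeyStoreTls(true)
                   .tlsTrustStoreType(trustStoreType)
                   .tlsTrustStorePath(trustStorePath)
                   .tlsTrustStorePassword(trustStorePass);
            if (!keyStorePath.isEmpty()) { // client keystore is only needed for mTLS
                builder.tlsKeyStoreType(keyStoreType)
                       .tlsKeyStorePath(keyStorePath)
                       .tlsKeyStorePassword(keyStorePass);
            }
        } else if (!trustCertFilePath.isEmpty()) {
            builder.tlsTrustCertsFilePath(trustCertFilePath);
        }
        return builder;
    }

    public static void main(String[] args) throws Exception {
        KeyStoreTlsArgs a = new KeyStoreTlsArgs();
        new CommandLine(a).parseArgs(args);
        // Placeholder service URL; replace with the broker under test.
        PulsarClient client = a.applyTo(PulsarClient.builder().serviceUrl("pulsar+ssl://localhost:6651")).build();
        client.close();
    }
}
```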

Backward & Forward Compatibility

The change will not affect any previous releases. The options can also be brought to previous versions; however, I have noticed that Pulsar has moved away from JCommander to Picocli in version 3.2.x (currently in master). Therefore, to add these options to previous versions, the code has to be replicated to those versions.