-
Notifications
You must be signed in to change notification settings - Fork 3.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Broker] Support disabling non-TLS service ports #11681
[Broker] Support disabling non-TLS service ports #11681
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Overall looks good to me.
I left one comment PTAL
...ar-broker/src/main/java/org/apache/pulsar/broker/loadbalance/impl/SimpleLoadManagerImpl.java
Show resolved
Hide resolved
pulsar-websocket/src/main/java/org/apache/pulsar/websocket/service/ProxyServer.java
Outdated
Show resolved
Hide resolved
2ca5173
to
16832a1
Compare
@sijie This is the first issue to hit with "pulsar standalone":
Perhaps the PR description is currently confusing. In PR #11548, the problem is that when you set non-tls ports to an empty value, exceptions will happen. I tested with Pulsar development version by building Pulsar locally and appending these settings to
and then starting Pulsar with I also added unit tests to verify that an empty port value gets converted to Optional.empty. The unit test for TLS without non-TLS ports enabled is also added to verify that in unit tests. That's the reason to add these tests. I added these tests before starting to work on testing it manually with Pulsar standalone. The reason why the change to Function Worker service is required is that "useTls" setting is deprecated in configuration: pulsar/pulsar-functions/runtime/src/main/java/org/apache/pulsar/functions/worker/WorkerConfig.java Lines 357 to 360 in 047fb6a
The same applies to "tlsEnabled" in broker.conf. It has been marked as deprecated. tlsEnabled was deprecated by PR #2988 many years ago. At first I was testing without setting tlsEnabled=true and that's why I hit the issue and needed to make the changes. @sijie I didn't record all of the exceptions that happen without the changes and what this PR fixes. Is that necessary for accepting this PR? |
@sijie This was the 2nd exception that this PR fixed in Pulsar Standalone (with TLS ports only config mentioned in my previous comment):
|
without making any changes, disabling non-TLS service ports works for Pulsar Stanadlone when Function Worker is disabled and when
and starting with @sijie This is the reason why this fix contains some changes to Functions worker configuration. |
Thanks for your contribution. Do we need to update docs here https://pulsar.apache.org/docs/en/next/reference-configuration/#broker? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
It's worth adding that the helm chart already creates the pulsar broker service in such a way that either the non-TLS port or the TLS port (exclusively) is open for the pulsar
protocol: https://github.com/apache/pulsar-helm-chart/blob/c3e4ea272b15d7e806d2585059686e8270b98b67/charts/pulsar/templates/broker-service.yaml#L32-L45
ports:
# prometheus needs to access /metrics endpoint
- name: http
port: {{ .Values.broker.ports.http }}
{{- if or (not .Values.tls.enabled) (not .Values.tls.broker.enabled) }}
- name: pulsar
port: {{ .Values.broker.ports.pulsar }}
{{- end }}
{{- if and .Values.tls.enabled .Values.tls.broker.enabled }}
- name: https
port: {{ .Values.broker.ports.https }}
- name: pulsarssl
port: {{ .Values.broker.ports.pulsarssl }}
{{- end }}
@Anonymitaet Yes, it would be useful to add docs that it's possible to disable the non-TLS ports |
@Anonymitaet I added docs to |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for your contribution. I've made some comments, PTAL.
Co-authored-by: Anonymitaet <50226895+Anonymitaet@users.noreply.github.com>
Co-authored-by: Anonymitaet <50226895+Anonymitaet@users.noreply.github.com>
@Anonymitaet thanks for the suggestions. I committed them. Please PTAL |
* Support disabling non-tls service ports * Add docs for disabling non-TLS ports * Update site2/docs/security-tls-keystore.md Co-authored-by: Anonymitaet <50226895+Anonymitaet@users.noreply.github.com> (cherry picked from commit 50b6e79)
* Support disabling non-tls service ports * Add docs for disabling non-TLS ports * Update site2/docs/security-tls-keystore.md Co-authored-by: Anonymitaet <50226895+Anonymitaet@users.noreply.github.com> (cherry picked from commit 50b6e79)
* Support disabling non-tls service ports * Add docs for disabling non-TLS ports * Update site2/docs/security-tls-keystore.md Co-authored-by: Anonymitaet <50226895+Anonymitaet@users.noreply.github.com> (cherry picked from commit 50b6e79)
PR for cherry-picking to branch-2.7 is #11724 |
* Support disabling non-tls service ports * Add docs for disabling non-TLS ports * Update site2/docs/security-tls-keystore.md Co-authored-by: Anonymitaet <50226895+Anonymitaet@users.noreply.github.com> (cherry picked from commit 50b6e79)
* Support disabling non-tls service ports * Add docs for disabling non-TLS ports * Update site2/docs/security-tls-keystore.md Co-authored-by: Anonymitaet <50226895+Anonymitaet@users.noreply.github.com> (cherry picked from commit 50b6e79)
* Support disabling non-tls service ports * Add docs for disabling non-TLS ports * Update site2/docs/security-tls-keystore.md Co-authored-by: Anonymitaet <50226895+Anonymitaet@users.noreply.github.com>
#20535 is also required for supporting disabling of non-TLS service ports. |
Fixes #11548
Motivation
Disabling non-TLS service ports isn't possible at the moment. Issue #11548 has been reported and contains instructions to reproduce the issue.
Modifications
broker.conf
/standalone.conf
by providing empty values: