Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Broker] Support disabling non-TLS service ports #11681

Merged

Conversation

lhotari
Copy link
Member

@lhotari lhotari commented Aug 17, 2021

Fixes #11548

Motivation

Disabling non-TLS service ports isn't possible at the moment. Issue #11548 has been reported and contains instructions to reproduce the issue.

Modifications

  • Make changes to supports disabling non-TLS service ports in broker.conf/standalone.conf by providing empty values:
brokerServicePort=
webServicePort=
  • there were a few locations where the Optional port value was not checked for existence.
  • embedded Function Worker Service didn't work with TLS only broker. Fix issues in configuring Function Worker Service.
  • add support for MockedPulsarServiceBaseTest tests to disable non-TLS ports.

@lhotari lhotari added type/bug The PR fixed a bug or issue reported a bug area/security labels Aug 17, 2021
@lhotari lhotari added this to the 2.9.0 milestone Aug 17, 2021
@lhotari lhotari self-assigned this Aug 17, 2021
Copy link
Member

@sijie sijie left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I am not sure how does your PR solve #11548. From what I can see, you are basically changing the function worker service and tests. There is nothing related to brokers. Can you clarify how does your PR fix #11548?

Copy link
Contributor

@eolivelli eolivelli left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Overall looks good to me.
I left one comment PTAL

@lhotari lhotari force-pushed the lh-support-disabling-nontls-service-ports branch from 2ca5173 to 16832a1 Compare August 17, 2021 08:56
@lhotari
Copy link
Member Author

lhotari commented Aug 17, 2021

I am not sure how does your PR solve #11548. From what I can see, you are basically changing the function worker service and tests. There is nothing related to brokers. Can you clarify how does your PR fix #11548?

@sijie This is the first issue to hit with "pulsar standalone":

12:11:04.314 [main] ERROR org.apache.pulsar.broker.PulsarService - Failed to start Pulsar service: No value present
java.util.NoSuchElementException: No value present
	at java.util.Optional.get(Optional.java:148) ~[?:?]
	at org.apache.pulsar.broker.loadbalance.NoopLoadManager.start(NoopLoadManager.java:55) ~[pulsar-broker.jar:2.9.0-SNAPSHOT]
	at org.apache.pulsar.broker.PulsarService.startLoadManagementService(PulsarService.java:1047) ~[pulsar-broker.jar:2.9.0-SNAPSHOT]
	at org.apache.pulsar.broker.PulsarService.start(PulsarService.java:751) [pulsar-broker.jar:2.9.0-SNAPSHOT]
	at org.apache.pulsar.PulsarStandalone.start(PulsarStandalone.java:296) [pulsar-broker.jar:2.9.0-SNAPSHOT]
	at org.apache.pulsar.PulsarStandaloneStarter.main(PulsarStandaloneStarter.java:131) [pulsar-broker.jar:2.9.0-SNAPSHOT]
12:11:04.314 [main] ERROR org.apache.pulsar.PulsarStandaloneStarter - Failed to start pulsar service.
org.apache.pulsar.broker.PulsarServerException: java.util.NoSuchElementException: No value present
	at org.apache.pulsar.broker.PulsarService.start(PulsarService.java:796) ~[pulsar-broker.jar:2.9.0-SNAPSHOT]
	at org.apache.pulsar.PulsarStandalone.start(PulsarStandalone.java:296) ~[pulsar-broker.jar:2.9.0-SNAPSHOT]
	at org.apache.pulsar.PulsarStandaloneStarter.main(PulsarStandaloneStarter.java:131) [pulsar-broker.jar:2.9.0-SNAPSHOT]
Caused by: java.util.NoSuchElementException: No value present
	at java.util.Optional.get(Optional.java:148) ~[?:?]
	at org.apache.pulsar.broker.loadbalance.NoopLoadManager.start(NoopLoadManager.java:55) ~[pulsar-broker.jar:2.9.0-SNAPSHOT]
	at org.apache.pulsar.broker.PulsarService.startLoadManagementService(PulsarService.java:1047) ~[pulsar-broker.jar:2.9.0-SNAPSHOT]
	at org.apache.pulsar.broker.PulsarService.start(PulsarService.java:751) ~[pulsar-broker.jar:2.9.0-SNAPSHOT]
	... 2 more

Perhaps the PR description is currently confusing. In PR #11548, the problem is that when you set non-tls ports to an empty value, exceptions will happen. I tested with Pulsar development version by building Pulsar locally and appending these settings to standalone.conf:

brokerServicePort=
brokerServicePortTls=6651
webServicePort=
webServicePortTls=8443
brokerClientTlsEnabled=true
tlsEnabled=true
tlsAllowInsecureConnection=true
tlsCertificateFilePath=pulsar-broker/src/test/resources/authentication/tls-http/broker.cert.pem
tlsKeyFilePath=pulsar-broker/src/test/resources/authentication/tls-http/broker.key-pk8.pem
tlsTrustCertsFilePath=pulsar-broker/src/test/resources/authentication/tls-http/ca.cert.pem

and then starting Pulsar with ./bin/pulsar standalone. I simply kept iterating until the problems were fixed.

I also added unit tests to verify that an empty port value gets converted to Optional.empty. The unit test for TLS without non-TLS ports enabled is also added to verify that in unit tests. That's the reason to add these tests. I added these tests before starting to work on testing it manually with Pulsar standalone.

The reason why the change to Function Worker service is required is that "useTls" setting is deprecated in configuration:

// TLS for Functions -> Broker
// @deprecated use "pulsar+ssl://" in serviceUrl to enable
@Deprecated
private boolean useTls = false;

The same applies to "tlsEnabled" in broker.conf. It has been marked as deprecated.
tlsEnabled was deprecated by PR #2988 many years ago.
At first I was testing without setting tlsEnabled=true and that's why I hit the issue and needed to make the changes.

@sijie I didn't record all of the exceptions that happen without the changes and what this PR fixes. Is that necessary for accepting this PR?

@lhotari
Copy link
Member Author

lhotari commented Aug 17, 2021

@sijie This was the 2nd exception that this PR fixed in Pulsar Standalone (with TLS ports only config mentioned in my previous comment):

12:29:46.424 [main] ERROR org.apache.pulsar.functions.worker.PulsarWorkerService - Error Starting up in worker
java.lang.NullPointerException: null
	at org.apache.pulsar.client.admin.internal.PulsarAdminImpl.<init>(PulsarAdminImpl.java:189) ~[pulsar-client-admin-original.jar:2.9.0-SNAPSHOT]
	at org.apache.pulsar.client.admin.internal.PulsarAdminBuilderImpl.build(PulsarAdminBuilderImpl.java:47) ~[pulsar-client-admin-original.jar:2.9.0-SNAPSHOT]
	at org.apache.pulsar.functions.worker.WorkerUtils.getPulsarAdminClient(WorkerUtils.java:221) ~[pulsar-functions-worker.jar:2.9.0-SNAPSHOT]
	at org.apache.pulsar.functions.worker.WorkerUtils.getPulsarAdminClient(WorkerUtils.java:196) ~[pulsar-functions-worker.jar:2.9.0-SNAPSHOT]
	at org.apache.pulsar.functions.worker.PulsarWorkerService$1.newPulsarAdmin(PulsarWorkerService.java:144) ~[pulsar-functions-worker.jar:2.9.0-SNAPSHOT]
	at org.apache.pulsar.functions.worker.PulsarWorkerService.start(PulsarWorkerService.java:433) [pulsar-functions-worker.jar:2.9.0-SNAPSHOT]
	at org.apache.pulsar.broker.PulsarService.startWorkerService(PulsarService.java:1575) [pulsar-broker.jar:2.9.0-SNAPSHOT]
	at org.apache.pulsar.broker.PulsarService.start(PulsarService.java:764) [pulsar-broker.jar:2.9.0-SNAPSHOT]
	at org.apache.pulsar.PulsarStandalone.start(PulsarStandalone.java:296) [pulsar-broker.jar:2.9.0-SNAPSHOT]
	at org.apache.pulsar.PulsarStandaloneStarter.main(PulsarStandaloneStarter.java:131) [pulsar-broker.jar:2.9.0-SNAPSHOT]

@lhotari
Copy link
Member Author

lhotari commented Aug 17, 2021

without making any changes, disabling non-TLS service ports works for Pulsar Stanadlone when Function Worker is disabled and when loadManagerClassName=org.apache.pulsar.broker.loadbalance.impl.ModularLoadManagerImpl setting is used.
I verified by appending these lines to conf/standalone.conf

brokerServicePort=
brokerServicePortTls=6651
webServicePort=
webServicePortTls=8443
brokerClientTlsEnabled=true
tlsEnabled=true
tlsAllowInsecureConnection=true
tlsCertificateFilePath=pulsar-broker/src/test/resources/authentication/tls-http/broker.cert.pem
tlsKeyFilePath=pulsar-broker/src/test/resources/authentication/tls-http/broker.key-pk8.pem
tlsTrustCertsFilePath=pulsar-broker/src/test/resources/authentication/tls-http/ca.cert.pem
loadManagerClassName=org.apache.pulsar.broker.loadbalance.impl.ModularLoadManagerImpl

and starting with ./bin/pulsar standalone --no-functions-worker --no-stream-storage

@sijie This is the reason why this fix contains some changes to Functions worker configuration.

@Anonymitaet
Copy link
Member

Thanks for your contribution. Do we need to update docs here https://pulsar.apache.org/docs/en/next/reference-configuration/#broker?

Copy link
Member

@michaeljmarshall michaeljmarshall left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

It's worth adding that the helm chart already creates the pulsar broker service in such a way that either the non-TLS port or the TLS port (exclusively) is open for the pulsar protocol: https://github.com/apache/pulsar-helm-chart/blob/c3e4ea272b15d7e806d2585059686e8270b98b67/charts/pulsar/templates/broker-service.yaml#L32-L45

  ports:
  # prometheus needs to access /metrics endpoint
  - name: http
    port: {{ .Values.broker.ports.http }}
  {{- if or (not .Values.tls.enabled) (not .Values.tls.broker.enabled) }}
  - name: pulsar
    port: {{ .Values.broker.ports.pulsar }}
  {{- end }}
  {{- if and .Values.tls.enabled .Values.tls.broker.enabled }}
  - name: https
    port: {{ .Values.broker.ports.https }}
  - name: pulsarssl
    port: {{ .Values.broker.ports.pulsarssl }}
  {{- end }}

@lhotari
Copy link
Member Author

lhotari commented Aug 18, 2021

Thanks for your contribution. Do we need to update docs here https://pulsar.apache.org/docs/en/next/reference-configuration/#broker?

@Anonymitaet Yes, it would be useful to add docs that it's possible to disable the non-TLS ports brokerServicePort and webServicePort by providing an empty value. In this case it's necessary to specify brokerClientTlsEnabled=true and either set tlsAllowInsecureConnection=true or configure brokerClientTlsEnabledWithKeyStore=true and the related settings brokerClientTlsTrustStore and brokerClientTlsTrustStorePassword. I'll add this to the docs.

@lhotari
Copy link
Member Author

lhotari commented Aug 18, 2021

@Anonymitaet I added docs to security-tls-keystore.md file. Please review

@lhotari lhotari requested a review from sijie August 18, 2021 07:17
Copy link
Member

@Anonymitaet Anonymitaet left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for your contribution. I've made some comments, PTAL.

site2/docs/security-tls-keystore.md Outdated Show resolved Hide resolved
site2/docs/security-tls-keystore.md Outdated Show resolved Hide resolved
@Anonymitaet Anonymitaet added the doc Your PR contains doc changes, no matter whether the changes are in markdown or code files. label Aug 18, 2021
lhotari and others added 2 commits August 18, 2021 12:51
Co-authored-by: Anonymitaet <50226895+Anonymitaet@users.noreply.github.com>
Co-authored-by: Anonymitaet <50226895+Anonymitaet@users.noreply.github.com>
@eolivelli eolivelli requested a review from Anonymitaet August 18, 2021 14:00
@lhotari
Copy link
Member Author

lhotari commented Aug 18, 2021

Thanks for your contribution. I've made some comments, PTAL.

@Anonymitaet thanks for the suggestions. I committed them. Please PTAL

@lhotari lhotari merged commit 50b6e79 into apache:master Aug 19, 2021
eolivelli pushed a commit to datastax/pulsar that referenced this pull request Aug 19, 2021
* Support disabling non-tls service ports

* Add docs for disabling non-TLS ports

* Update site2/docs/security-tls-keystore.md

Co-authored-by: Anonymitaet <50226895+Anonymitaet@users.noreply.github.com>
(cherry picked from commit 50b6e79)
lhotari added a commit to lhotari/pulsar that referenced this pull request Aug 19, 2021
* Support disabling non-tls service ports

* Add docs for disabling non-TLS ports

* Update site2/docs/security-tls-keystore.md

Co-authored-by: Anonymitaet <50226895+Anonymitaet@users.noreply.github.com>
(cherry picked from commit 50b6e79)
lhotari added a commit to datastax/pulsar that referenced this pull request Aug 19, 2021
* Support disabling non-tls service ports

* Add docs for disabling non-TLS ports

* Update site2/docs/security-tls-keystore.md

Co-authored-by: Anonymitaet <50226895+Anonymitaet@users.noreply.github.com>
(cherry picked from commit 50b6e79)
@lhotari
Copy link
Member Author

lhotari commented Aug 19, 2021

PR for cherry-picking to branch-2.7 is #11724

lhotari added a commit that referenced this pull request Aug 23, 2021
* Support disabling non-tls service ports

* Add docs for disabling non-TLS ports

* Update site2/docs/security-tls-keystore.md

Co-authored-by: Anonymitaet <50226895+Anonymitaet@users.noreply.github.com>
(cherry picked from commit 50b6e79)
codelipenghui pushed a commit that referenced this pull request Sep 9, 2021
* Support disabling non-tls service ports

* Add docs for disabling non-TLS ports

* Update site2/docs/security-tls-keystore.md

Co-authored-by: Anonymitaet <50226895+Anonymitaet@users.noreply.github.com>
(cherry picked from commit 50b6e79)
@codelipenghui codelipenghui added the cherry-picked/branch-2.8 Archived: 2.8 is end of life label Sep 9, 2021
bharanic-dev pushed a commit to bharanic-dev/pulsar that referenced this pull request Mar 18, 2022
* Support disabling non-tls service ports

* Add docs for disabling non-TLS ports

* Update site2/docs/security-tls-keystore.md

Co-authored-by: Anonymitaet <50226895+Anonymitaet@users.noreply.github.com>
momo-jun added a commit to momo-jun/pulsar that referenced this pull request Aug 4, 2022
@lhotari
Copy link
Member Author

lhotari commented Jun 9, 2023

#20535 is also required for supporting disabling of non-TLS service ports.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
area/security cherry-picked/branch-2.7 Archived: 2.7 is end of life cherry-picked/branch-2.8 Archived: 2.8 is end of life doc Your PR contains doc changes, no matter whether the changes are in markdown or code files. release/2.7.4 release/2.8.2 type/bug The PR fixed a bug or issue reported a bug
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Pulsar server non-tls ports are still listening when TLS in-transit encryption is enabled
7 participants