Pulsar Biscuit Authentication & Authorization plugins
Requirements
biscuit-pulsar needs protobuf 3.25.0.
Configuration
The following dependencies may need to be added as JARs to the lib folder of the Pulsar installation:
vavr
protobuf
biscuit-java
biscuit-pulsar
We currently use this script to put the libraries on Pulsar nodes:
#!/bin/bash
wget -P "pulsar/lib" "https://repo1.maven.org/maven2/net/i2p/crypto/eddsa/0.3.0/eddsa-0.3.0.jar"
wget -P "pulsar/lib" "https://repo1.maven.org/maven2/io/vavr/vavr/0.10.3/vavr-0.10.3.jar"
wget -P "pulsar/lib" "https://repo1.maven.org/maven2/com/google/protobuf/protobuf-java/3.25.0/protobuf-java-3.25.0.jar"
wget -P "pulsar/lib" "https://repo1.maven.org/maven2/com/clever-cloud/biscuit-java/<VERSION>/biscuit-java-<VERSION>.jar"
wget -P "pulsar/lib" "https://repo1.maven.org/maven2/com/clever-cloud/biscuit-pulsar/<VERSION>/biscuit-pulsar-<VERSION>.jar"
For node configuration, in your broker.conf, proxy.conf or standalone.conf:
# Enable authentication
authenticationEnabled=true
# Authentication provider name list, a comma-separated list of class names
authenticationProviders=com.clevercloud.biscuitpulsar.AuthenticationProviderBiscuit
# Enforce authorization
authorizationEnabled=true
# Authorization provider fully qualified class-name
authorizationProvider=com.clevercloud.biscuitpulsar.AuthorizationProviderBiscuit
### --- Biscuit Authentication Provider --- ###
biscuitPublicRootKey=@@BISCUIT_PUBLIC_ROOT_KEY@@
# support JWT side by side with Biscuit for AuthenticationToken
biscuitSupportJWT=true|false
# biscuit verify run limits before TimeOut
biscuitRunLimitsMaxFacts=1000
biscuitRunLimitsMaxIterations=100
biscuitRunLimitsMaxTimeMillis=30
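#!/bin/bash
# Replace the @@BISCUIT_PUBLIC_ROOT_KEY@@ placeholder in each config file
# with the public root key passed as the first argument.
: "${1:?usage: $0 <biscuit public root key>}"
sed -i -e "s/@@BISCUIT_PUBLIC_ROOT_KEY@@/$1/" broker.conf
sed -i -e "s/@@BISCUIT_PUBLIC_ROOT_KEY@@/$1/" proxy.conf
sed -i -e "s/@@BISCUIT_PUBLIC_ROOT_KEY@@/$1/" standalone.conf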
Revocation list
Revoked biscuits must have their revocation ids listed in /etc/biscuit/revocation_list.hex.conf, one revocation id per line, in hexadecimal. Here is an example.
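A pre-deployment check for this file, added here as an illustration and not part of the biscuit-pulsar project: it rejects a list containing a non-hexadecimal line, an odd number of hex digits or a duplicate id, and lets an operator confirm that a given id is present on a node. The function names, the skipping of empty lines, the case-insensitive comparison and the sample ids are assumptions of this example, not documented plugin behaviour.

```shell
#!/bin/sh
# Added example, not biscuit-pulsar code.

# lint_revocation_list FILE
# Prints one diagnostic per bad line. Returns 0 only when every non-empty line
# is an even-length hexadecimal string and no id appears twice.
lint_revocation_list() {
    awk '
        /^$/ { next }   # assumption: empty lines are skipped
        !/^[0-9A-Fa-f]+$/ { printf "line %d: not hexadecimal\n", NR; bad++; next }
        length($0) % 2 { printf "line %d: odd number of hex digits\n", NR; bad++; next }
        { id = tolower($0) }
        seen[id]++ { printf "line %d: duplicate of an earlier entry\n", NR; bad++ }
        END { exit (bad > 0) }
    ' "$1"
}

# is_revoked FILE ID
# Succeeds when ID is listed in FILE (assumption: hex compared case-insensitively).
is_revoked() {
    want=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    tr 'A-F' 'a-f' < "$1" | grep -Fxq -- "$want"
}

# Constructed sample, not real revocation ids:
# two valid entries, one typo (g is not a hex digit), one duplicate in upper case.
sample=$(mktemp)
printf '%s\n' 'a1b2c3d4' '00ff10ee' 'a1b2c3g4' 'A1B2C3D4' > "$sample"
lint_revocation_list "$sample" || echo "revocation list rejected"
```

Trailing spaces or Windows line endings also show up as "not hexadecimal", which makes such formatting problems visible before the file reaches a node.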
Usage
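import org.apache.pulsar.client.api.PulsarClient;
import org.apache.pulsar.client.impl.auth.AuthenticationToken;

// The token string is either a base64 Biscuit or a JWT
PulsarClient client = PulsarClient.builder()
    .authentication(new AuthenticationToken("<BISCUIT_b64 or JWT>"))
    .serviceUrl("pulsar://localhost:6650")
    .build();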
Development
# run all tests and build
mvn clean install
# build without tests
mvn clean install -Dmaven.test.skip=true
Publish
Release process
mvn versions:set -DnewVersion=<NEW-VERSION>
Commit and tag the version. Then push and create a GitHub release.
Finally, creating the GitHub release automatically triggers publishing to Nexus and Maven Central through GitHub Actions.
mvn versions:set -DnewVersion=<NEW-VERSION With Minor +1 and -SNAPSHOT>
Commit and push.
GitHub Actions Requirements
Publishing requires the following secrets:
OSSRH_USERNAME: the Sonatype username
OSSRH_TOKEN: the Sonatype token
OSSRH_GPG_SECRET_KEY: the gpg private key used to sign packages
OSSRH_GPG_SECRET_KEY_PASSWORD: the gpg private key password
These are stored in the GitHub organisation's secrets.