Enable specifying allowed offset when verifying athenz role token (#3187)

### Motivation

We are using Athenz for client authentication. Occasionally, the following error occurs and client authentication fails.

> [pulsar-web-28-7] ERROR com.yahoo.athenz.auth.token.Token - Token:validate: token=v=Z1;d=xxx;r=xxx;p=xxx;a=xxx;t=1544027514;e=1544034714;k=0;i=xxx.xxx.xxx.xxx : has future timestamp=1544027514 : current time=1544027513 : allowed offset=0

This means that the timestamp included in the authentication token is further in the future than the server time. Since the difference between them is only 1 second, I think that the time of either the server or the client is slightly off.

This error can be avoided by increasing the value of `allowed offset`. Currently, this value is set to 0 in Pulsar, but the default value in Athenz ZMS seems to be 300 seconds.
https://github.com/yahoo/athenz/blob/93fe62c17f3ab4556c71c5136c1646df4a874a5f/servers/zms/conf/zms.properties#L277-L280

### Modifications

* Changed the default value of `allowed offset` from 0 to 30 (I think 300 seconds is too long)
* Enabled specifying `allowed offset` using a system property

### Result

Even if the time of the server or client is slightly off, the authentication will succeed.
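The check behind the quoted error, as an added illustration that is not Pulsar's or Athenz's code: a Python re-implementation of the issue-time and expiry checks with a configurable allowed offset, run on the token string from the log line above. The field names `t` (issue time) and `e` (expiry), both Unix seconds, are taken from that log line; applying the same offset on the expiry side, the `resolve_allowed_offset` helper, the duplicate-field rejection and the `TokenValidationError` type are this example's own choices, not behaviour the page documents.

```python
"""Skew-tolerant validation of Athenz-style role token timestamps.

Added example; this is not Pulsar's or Athenz's code. It re-implements the
check behind the "has future timestamp ... allowed offset" error on the
token layout visible in the quoted log line (k=v fields separated by ';').
Field names t (issue time) and e (expiry), both Unix seconds, come from
that log line; everything else here is an assumption of this example.
"""
from typing import Dict, Optional

# The PR changes Pulsar's default from 0 to 30 seconds (Athenz ZMS ships 300).
DEFAULT_ALLOWED_OFFSET = 30

# Constructed sample: the token string from the quoted error line.
SAMPLE_TOKEN = "v=Z1;d=xxx;r=xxx;p=xxx;a=xxx;t=1544027514;e=1544034714;k=0;i=xxx.xxx.xxx.xxx"


class TokenValidationError(ValueError):
    """Raised when a token fails a timestamp check; message mirrors the log format."""


def resolve_allowed_offset(raw: Optional[str]) -> int:
    """Turn a configured setting (e.g. a system property string) into seconds.

    Unset -> default; anything that is not a non-negative integer is a
    configuration error rather than silently becoming 0 or unbounded.
    """
    if raw is None or raw.strip() == "":
        return DEFAULT_ALLOWED_OFFSET
    try:
        offset = int(raw)
    except ValueError:
        raise ValueError(f"allowed offset must be an integer number of seconds: {raw!r}")
    if offset < 0:
        raise ValueError(f"allowed offset must not be negative: {offset}")
    return offset


def parse_token(token: str) -> Dict[str, str]:
    """Split 'k=v;k=v;...' into a dict.

    Duplicate keys are rejected so that a second 't=' field cannot override
    the first one a verifier already looked at.
    """
    fields: Dict[str, str] = {}
    for part in token.split(";"):
        if not part:
            continue
        key, sep, value = part.partition("=")
        if not sep or not key:
            raise TokenValidationError(f"malformed field {part!r}")
        if key in fields:
            raise TokenValidationError(f"duplicate field {key!r}")
        fields[key] = value
    return fields


def validate_timestamps(token: str, now: int,
                        allowed_offset: int = DEFAULT_ALLOWED_OFFSET) -> Dict[str, str]:
    """Check issue time and expiry against `now`, tolerating `allowed_offset` seconds of skew.

    Only the time checks are implemented; signature verification, which a
    real deployment must do before trusting any field, is out of scope here.
    """
    if allowed_offset < 0:
        raise ValueError("allowed offset must not be negative")
    fields = parse_token(token)
    try:
        issued = int(fields["t"])
        expiry = int(fields["e"])
    except KeyError as exc:
        raise TokenValidationError(f"missing field {exc.args[0]!r}")
    except ValueError:
        raise TokenValidationError("timestamps must be integer Unix seconds")
    if expiry <= issued:
        raise TokenValidationError(f"expiry {expiry} is not after issue time {issued}")
    # A token minted by a clock ahead of ours passes if the lead is within the offset.
    if issued > now + allowed_offset:
        raise TokenValidationError(
            f"has future timestamp={issued} : current time={now} : allowed offset={allowed_offset}")
    # Same tolerance on the expiry side (this example's choice): a token that
    # expired a moment ago by our clock may still be in-date by the issuer's.
    if expiry < now - allowed_offset:
        raise TokenValidationError(
            f"has expired time={expiry} : current time={now} : allowed offset={allowed_offset}")
    return fields


def is_valid(token: str, now: int, allowed_offset: int = DEFAULT_ALLOWED_OFFSET) -> bool:
    """Boolean wrapper around validate_timestamps for callers that only need a verdict."""
    try:
        validate_timestamps(token, now, allowed_offset)
        return True
    except TokenValidationError:
        return False


if __name__ == "__main__":
    # The exact case from the log line: the token is one second ahead of the server.
    now = 1544027513
    print("offset 0 :", is_valid(SAMPLE_TOKEN, now, 0))           # False, as in the log
    print("offset 30:", is_valid(SAMPLE_TOKEN, now, 30))          # True after the change
    # Skew tolerance is not a free pass: two minutes ahead still fails at 30 seconds.
    print("2 min ahead:", is_valid(SAMPLE_TOKEN, now - 120, 30))  # False
```

With the log line's values (token time 1544027514, server time 1544027513) the check fails at an offset of 0 and passes at 30; a token more than 30 seconds ahead still fails, and a negative or non-numeric configured offset is rejected rather than silently treated as 0 or ignored.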
README.md

Pulsar is a distributed pub-sub messaging platform with a very flexible messaging model and an intuitive client API.

https://pulsar.apache.org

Main features

  • Horizontally scalable (Millions of independent topics and millions of messages published per second)
  • Strong ordering and consistency guarantees
  • Low latency durable storage
  • Topic and queue semantics
  • Load balancer
  • Designed for being deployed as a hosted service:
    • Multi-tenant
    • Authentication
    • Authorization
    • Quotas
    • Support mixing very different workloads
    • Optional hardware isolation
  • Keeps track of consumer cursor position
  • REST API for provisioning, admin and stats
  • Geo replication
  • Transparent handling of partitioned topics
  • Transparent batching of messages

Build Pulsar

Requirements:

  • Java JDK 1.8
  • Maven

Compile and install:

$ mvn install -DskipTests

Start standalone Pulsar service:

$ bin/pulsar standalone

Check https://pulsar.apache.org for documentation and examples.

Build Pulsar docs

Refer to the docs README.

Contact

Mailing lists

  • users@pulsar.apache.org: User-related discussions (Subscribe / Unsubscribe / Archives)
  • dev@pulsar.apache.org: Development-related discussions (Subscribe / Unsubscribe / Archives)

Slack

Pulsar slack channel at https://apache-pulsar.slack.com/

You can self-register at https://apache-pulsar.herokuapp.com/

License

Licensed under the Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0

Crypto Notice

This distribution includes cryptographic software. The country in which you currently reside may have restrictions on the import, possession, use, and/or re-export to another country, of encryption software. BEFORE using any encryption software, please check your country's laws, regulations and policies concerning the import, possession, or use, and re-export of encryption software, to see if this is permitted. See http://www.wassenaar.org/ for more information.

The U.S. Government Department of Commerce, Bureau of Industry and Security (BIS), has classified this software as Export Commodity Control Number (ECCN) 5D002.C.1, which includes information security software using or performing cryptographic functions with asymmetric algorithms. The form and manner of this Apache Software Foundation distribution makes it eligible for export under the License Exception ENC Technology Software Unrestricted (TSU) exception (see the BIS Export Administration Regulations, Section 740.13) for both object code and source code.

The following provides more details on the included cryptographic software: Pulsar uses the SSL library from Bouncy Castle written by http://www.bouncycastle.org.