Biscuit Authentication and Authorization plugins for Apache Pulsar.

CleverCloud/biscuit-pulsar

Pulsar Biscuit Authentication & Authorization plugins


Requirements

biscuit-pulsar needs protobuf 3.25.0.

Configuration

The following dependencies may need to be added as jars to the /lib folder of Pulsar:

  • vavr
  • protobuf
  • biscuit-java
  • biscuit-pulsar

We currently use this script to put the libs on Pulsar nodes:

#!/bin/bash

wget -P "pulsar/lib" "https://repo1.maven.org/maven2/net/i2p/crypto/eddsa/0.3.0/eddsa-0.3.0.jar"
wget -P "pulsar/lib" "https://repo1.maven.org/maven2/io/vavr/vavr/0.10.3/vavr-0.10.3.jar"
wget -P "pulsar/lib" "https://repo1.maven.org/maven2/com/google/protobuf/protobuf-java/3.25.0/protobuf-java-3.25.0.jar"
wget -P "pulsar/lib" "https://repo1.maven.org/maven2/com/clever-cloud/biscuit-java/<VERSION>/biscuit-java-<VERSION>.jar"
wget -P "pulsar/lib" "https://repo1.maven.org/maven2/com/clever-cloud/biscuit-pulsar/<VERSION>/biscuit-pulsar-<VERSION>.jar"

For node configuration:

In your broker.conf | proxy.conf | standalone.conf:

# Enable authentication
authenticationEnabled=true

# Authentication provider name list, which is a comma-separated list of class names
authenticationProviders=com.clevercloud.biscuitpulsar.AuthenticationProviderBiscuit

# Enforce authorization
authorizationEnabled=true

# Authorization provider fully qualified class-name
authorizationProvider=com.clevercloud.biscuitpulsar.AuthorizationProviderBiscuit

### --- Biscuit Authentication Provider --- ###
biscuitPublicRootKey=@@BISCUIT_PUBLIC_ROOT_KEY@@
# support JWT side by side with Biscuit for AuthenticationToken
biscuitSupportJWT=true|false
# biscuit verify run limits before TimeOut
biscuitRunLimitsMaxFacts=1000
biscuitRunLimitsMaxIterations=100
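biscuitRunLimitsMaxTimeMillis=30

The @@BISCUIT_PUBLIC_ROOT_KEY@@ placeholder can then be replaced with the key passed as the script's first argument:

#!/bin/bash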

sed -i -e "s/@@BISCUIT_PUBLIC_ROOT_KEY@@/$1/" broker.conf
sed -i -e "s/@@BISCUIT_PUBLIC_ROOT_KEY@@/$1/" proxy.conf
sed -i -e "s/@@BISCUIT_PUBLIC_ROOT_KEY@@/$1/" standalone.conf

Revocation list

Revoked biscuits must have their revocation IDs listed in /etc/biscuit/revocation_list.hex.conf, one revocation ID per line, in hexadecimal.
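
A pre-deployment lint for the revocation list format described above, as an added example that is not part of the biscuit-pulsar project. It assumes that blank lines, stray whitespace, odd-length IDs and repeated IDs are all mistakes worth flagging (how the plugin itself treats them is not stated here); the function names and sample IDs are constructed.

```shell
#!/bin/sh
# Added example, not project code. Assumed rules: each line is one id made of
# whole bytes (an even number of hex digits), with nothing else on the line.

# Prints "line N: reason" for every problem; returns 0 only for a clean file,
# 1 if any line is rejected, 2 if the file cannot be read.
lint_revocation_list() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
    awk '
        function bad(msg) { printf "line %d: %s\n", NR, msg; rc = 1 }
        { id = tolower($0) }
        $0 == ""            { bad("empty line"); next }
        id !~ /^[0-9a-f]+$/ { bad("non-hex character (whitespace, CR, 0x prefix?)"); next }
        length(id) % 2      { bad("odd number of hex digits"); next }
        seen[id]++          { bad("duplicate of an earlier entry"); next }
        END { exit rc + 0 }
    ' "$1"
}

# Returns 0 if the given id is present as a whole line (case-insensitive
# comparison is an assumption made for operator convenience).
revocation_list_contains() {
    grep -qixF -- "$2" "$1"
}

# Constructed sample list: these are not real revocation ids.
sample=$(mktemp)
printf '%s\n' '7f3a9c01d2' '7F3A9C01D2' 'abc' '00ff 11' '' 'deadbeef' > "$sample"
lint_revocation_list "$sample" || echo "fix the list before deploying it"
rm -f "$sample"
```

Run the lint on a candidate file before copying it to /etc/biscuit/revocation_list.hex.conf: an entry that is malformed may not match the token it was meant to revoke.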

Usage

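import org.apache.pulsar.client.api.PulsarClient;
import org.apache.pulsar.client.impl.auth.AuthenticationToken;

// The token is either a base64-encoded Biscuit or a JWT
PulsarClient client = PulsarClient.builder()
    .authentication(new AuthenticationToken("<BISCUIT_b64 or JWT>"))
    .serviceUrl("pulsar://localhost:6650")
    .build();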

Development

# run all tests and build
mvn clean install

# build without tests
mvn clean install -Dmaven.test.skip=true

Publish

Release process

mvn versions:set -DnewVersion=<NEW-VERSION>

Commit and tag the version. Then push and create a GitHub release.

Finally, publishing to Nexus and Maven Central is triggered automatically by GitHub Actions when the GitHub release is created.

mvn versions:set -DnewVersion=<NEW-VERSION With Minor +1 and -SNAPSHOT>

Commit and push.

GitHub Actions Requirements

Publishing requires the following secrets:

  • OSSRH_USERNAME the Sonatype username
  • OSSRH_TOKEN the Sonatype token
  • OSSRH_GPG_SECRET_KEY the GPG private key used to sign packages
  • OSSRH_GPG_SECRET_KEY_PASSWORD the GPG private key password

These are stored in the GitHub organisation's secrets.
