/biscuit-pulsar

Biscuit Authentication and Authorization plugins for Apache Pulsar.

Primary LanguageJavaApache License 2.0Apache-2.0

Pulsar Biscuit Authentication & Authorization plugins

Bintray Version Central Version Nexus Version

Status

We are using 1.1.10 at Clever Cloud, on production, but major changes can still occurs.

Build & Tests

# run all tests and build
mvn clean install

# build module like biscuit-pulsar only
mvn clean install -pl biscuit-pulsar

# build without tests
mvn clean install -Dmaven.test.skip=true

# run AuthorizationProviderBiscuitTest in module biscuit-pulsar
mvn clean install -Dtest=AuthorizationProviderBiscuitTest -pl biscuit-pulsar

Informations

biscuit-pulsar needs protobuf 3.8.0+ as defined in its pom.xml.

Configuration

The listed dependencies can be necessary to add to the /lib of pulsar folder as jars:

  • biscuit-pulsar
  • vavr
  • vavr-match
  • protobuf
  • commons-codec
  • biscuit-java
  • curve25519-elisabeth

We currently are using this script to put libs on pulsar nodes:

#!/bin/bash

wget -P "pulsar/lib" "https://repo1.maven.org/maven2/cafe/cryptography/curve25519-elisabeth/0.1.0/curve25519-elisabeth-0.1.0.jar"
wget -P "pulsar/lib" "https://repo1.maven.org/maven2/io/vavr/vavr/0.10.2/vavr-0.10.2.jar"
wget -P "pulsar/lib" "https://repo1.maven.org/maven2/com/clever-cloud/biscuit-java/0.2.7/biscuit-java-0.2.7.jar"
wget -P "pulsar/lib" "https://repo1.maven.org/maven2/com/google/protobuf/protobuf-java/3.8.0/protobuf-java-3.8.0.jar"

For nodes configuration:

In your broker.conf | proxy.conf | standalone.conf:

# Enable authentication
authenticationEnabled=true

# Autentication provider name list, which is comma separated list of class names
authenticationProviders=com.clevercloud.biscuitpulsar.AuthenticationProviderBiscuit

# Enforce authorization
authorizationEnabled=true

# Authorization provider fully qualified class-name
authorizationProvider=com.clevercloud.biscuitpulsar.AuthorizationProviderBiscuit

### --- Biscuit Authentication Provider --- ###
biscuitPublicRootKey=@@BISCUIT_PUBLIC_ROOT_KEY@@
biscuitSealingKey=@@BISCUIT_PUBLIC_SEALING_KEY@@
#!/bin/bash

sed -i -e "s/@@BISCUIT_PUBLIC_ROOT_KEY@@/$1/" broker.conf
sed -i -e "s/@@BISCUIT_PUBLIC_ROOT_KEY@@/$1/" proxy.conf
sed -i -e "s/@@BISCUIT_PUBLIC_ROOT_KEY@@/$1/" standalone.conf

sed -i -e "s/@@BISCUIT_PUBLIC_SEALING_KEY@@/$2/" broker.conf
sed -i -e "s/@@BISCUIT_PUBLIC_SEALING_KEY@@/$2/" proxy.conf
sed -i -e "s/@@BISCUIT_PUBLIC_SEALING_KEY@@/$2/" standalone.conf

Publish

You need to define this in ~/.m2/settings.xml using your bintray APIKEY on the Clever Cloud organisation:

<server>
  <id>bintray-repo-maven-biscuit-pulsar</id>
  <username>@@BINTRAY_USERNAME@</username>
  <password>@@YOUR_BINTRAY_API_KEY@@</password>
</server>

Then run

mvn deploy

It will prompt for GPG passphrase stored on Clever Cloud vault (search for maven@clever-cloud.com).

Then on bintray package homepage run Sync to Central to push to Maven Central.