Biscuit Authentication and Authorization plugins for Apache Pulsar.

Pulsar Biscuit Authentication & Authorization plugins

Requirements

biscuit-pulsar needs protobuf 3.25.0.

Configuration

The following dependencies may need to be added as jars to the lib/ folder of your Pulsar installation:

  • vavr
  • protobuf
  • biscuit-java
  • biscuit-pulsar

We currently use this script to put the libs on Pulsar nodes:

#!/bin/bash

wget -P "pulsar/lib" "https://repo1.maven.org/maven2/net/i2p/crypto/eddsa/0.3.0/eddsa-0.3.0.jar"
wget -P "pulsar/lib" "https://repo1.maven.org/maven2/io/vavr/vavr/0.10.3/vavr-0.10.3.jar"
wget -P "pulsar/lib" "https://repo1.maven.org/maven2/com/google/protobuf/protobuf-java/3.25.0/protobuf-java-3.25.0.jar"
wget -P "pulsar/lib" "https://repo1.maven.org/maven2/com/clever-cloud/biscuit-java/<VERSION>/biscuit-java-<VERSION>.jar"
wget -P "pulsar/lib" "https://repo1.maven.org/maven2/com/clever-cloud/biscuit-pulsar/<VERSION>/biscuit-pulsar-<VERSION>.jar"

For node configuration, in your broker.conf | proxy.conf | standalone.conf:

# Enable authentication
authenticationEnabled=true

# Authentication provider name list, which is a comma separated list of class names
authenticationProviders=com.clevercloud.biscuitpulsar.AuthenticationProviderBiscuit

# Enforce authorization
authorizationEnabled=true

# Authorization provider fully qualified class-name
authorizationProvider=com.clevercloud.biscuitpulsar.AuthorizationProviderBiscuit

### --- Biscuit Authentication Provider --- ###
biscuitPublicRootKey=@@BISCUIT_PUBLIC_ROOT_KEY@@
# support JWT side by side with Biscuit for AuthenticationToken
biscuitSupportJWT=true|false
# run limits for biscuit verification before it times out
biscuitRunLimitsMaxFacts=1000
biscuitRunLimitsMaxIterations=100
biscuitRunLimitsMaxTimeMillis=30

Replace the @@BISCUIT_PUBLIC_ROOT_KEY@@ placeholder with your public root key, for example with this script (the key is its first argument):

#!/bin/bash

sed -i -e "s/@@BISCUIT_PUBLIC_ROOT_KEY@@/$1/" broker.conf
sed -i -e "s/@@BISCUIT_PUBLIC_ROOT_KEY@@/$1/" proxy.conf
sed -i -e "s/@@BISCUIT_PUBLIC_ROOT_KEY@@/$1/" standalone.conf

Revocation list

Revoked biscuits must have their revocation ids listed in /etc/biscuit/revocation_list.hex.conf, one revocation id per line, in hexadecimal. Here is an example.
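As an added illustration (not the plugin's own code), a small Python reader for that file format together with the revocation check a broker applies; the revocation ids below are constructed sample values:

```python
"""Added example (not biscuit-pulsar's own code): load a revocation list in
the /etc/biscuit/revocation_list.hex.conf format (one hex revocation id per
line) and check a token's per-block revocation ids against it."""
from typing import Iterable

# Constructed sample: two revoked ids, mixed case and stray whitespace,
# plus blank lines, as an operator might leave them in the file.
SAMPLE_REVOCATION_LIST = """
0a1b2c3d4e5f60718293a4b5c6d7e8f90a1b2c3d4e5f60718293a4b5c6d7e8f9
  FFEEDDCCBBAA99887766554433221100FFEEDDCCBBAA99887766554433221100

"""


def parse_revocation_list(text: str) -> set[bytes]:
    """Parse the file contents into a set of raw revocation ids.

    Lines are trimmed and blank lines skipped; hex is case-insensitive.
    Any other malformed line raises, so a corrupt file is noticed at load
    time instead of silently leaving a revoked token accepted.
    """
    revoked: set[bytes] = set()
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        try:
            revoked.add(bytes.fromhex(line))
        except ValueError as exc:
            raise ValueError(f"revocation list line {lineno}: not hex") from exc
    return revoked


def is_revoked(token_revocation_ids: Iterable[bytes], revoked: set[bytes]) -> bool:
    """A biscuit carries one revocation id per block, and attenuated tokens
    keep the ids of the blocks they derive from; the token is revoked if
    any one of its ids appears in the list."""
    return any(rid in revoked for rid in token_revocation_ids)


def check_token(token_revocation_ids_hex: list[str], list_text: str) -> bool:
    """Convenience wrapper taking the token's revocation ids as hex strings."""
    revoked = parse_revocation_list(list_text)
    return is_revoked((bytes.fromhex(h) for h in token_revocation_ids_hex), revoked)
```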

Usage

import org.apache.pulsar.client.api.PulsarClient;
import org.apache.pulsar.client.impl.auth.AuthenticationToken;

// The token is passed like a JWT; the Biscuit provider accepts a base64 biscuit (or a JWT if biscuitSupportJWT=true)
PulsarClient client = PulsarClient.builder()
    .authentication(new AuthenticationToken("<BISCUIT_b64 or JWT>"))
    .serviceUrl("pulsar://localhost:6650")
    .build();

Development

# run all tests and build
mvn clean install

# build without tests
mvn clean install -Dmaven.test.skip=true

Publish

Release process

mvn versions:set -DnewVersion=<NEW-VERSION>

Commit and tag the version. Then push and create a GitHub release.

Finally, publishing to Nexus and Maven Central is triggered automatically by GitHub Actions when the GitHub release is created.

mvn versions:set -DnewVersion=<NEW-VERSION With Minor +1 and -SNAPSHOT>

Commit and push.

GitHub Actions Requirements

Publishing requires the following secrets:

  • OSSRH_USERNAME the Sonatype username
  • OSSRH_TOKEN the Sonatype token
  • OSSRH_GPG_SECRET_KEY the gpg private key used to sign packages
  • OSSRH_GPG_SECRET_KEY_PASSWORD the gpg private key password

These are stored in the GitHub organisation's secrets.