Re: [PR] [fix][client] Fix compatibility between kerberos and tls [pulsar]

Wed, 25 Mar 2026 05:12:11 -0700 


lhotari commented on code in PR #23798:
URL: https://github.com/apache/pulsar/pull/23798#discussion_r2987785417


##########
pulsar-client/src/main/java/org/apache/pulsar/client/impl/PulsarChannelInitializer.java:
##########
@@ -123,6 +116,23 @@ CompletableFuture<Channel> initTls(Channel ch, 
InetSocketAddress sniHost) {
         CompletableFuture<Channel> initTlsFuture = new CompletableFuture<>();
         ch.eventLoop().execute(() -> {
             try {
+                PulsarSslFactory pulsarSslFactory = 
pulsarSslFactoryMap.computeIfAbsent(sniHost.getHostName(), key -> {
+                    try {
+                        PulsarSslFactory factory = (PulsarSslFactory) 
Class.forName(conf.getSslFactoryPlugin())
+                                .getConstructor().newInstance();
+                        PulsarSslConfiguration sslConfiguration = 
buildSslConfiguration(conf, key);
+                        factory.initialize(sslConfiguration);
+                        factory.createInternalSslContext();
+                        return factory;
+                    } catch (Exception e) {
+                        log.error("Unable to initialize and create the ssl 
context", e);
+                        initTlsFuture.completeExceptionally(e);
+                        return null;
+                    }
+                });
+                if (pulsarSslFactory == null) {
+                    return;
+                }

Review Comment:
   I realize it now. This is a shortcoming of the authentication interfaces. I 
think this should be fixed in the interfaces so that PulsarSslFactory could be 
shared while also supporting this use case. I have some ideas in mind to 
address this. I'm planning to add a new interface which extends 
org.apache.pulsar.client.api.Authentication to address this. This per-host 
solution could be a fallback if the org.apache.pulsar.client.api.Authentication 
implementation doesn't support the new interface to support this use case. 
org.apache.pulsar.client.impl.auth.AuthenticationTls and 
org.apache.pulsar.client.impl.auth.AuthenticationSasl would implement this 
interface.
   This change could also impact the PIP-337 interfaces 
(org.apache.pulsar.common.util.PulsarSslFactory related). Currently it doesn't 
make much sense that a new PulsarSslFactory instance is created for each host. 
As long as the client's key material doesn't change, it should be possible to 
use the same instance. This is something that the extended interface could 
handle so that it returns a PulsarSslFactory directly and caches the instance 
in the AuthenticationTls instance.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to