Hi,

Here, we would like to configure "subject-key-identifier" at every broker in the cluster dynamically. We also want to perform certain actions once this configuration value has been changed.

Broker's dynamic configuration was introduced for such use cases, where the dynamic-config value gets stored in zk and the change is listened to by all brokers, so it can be applied to the entire cluster immediately. So, I think we should add dynamic configuration <https://github.com/apache/incubator-pulsar/blob/master/pulsar-broker-common/src/main/java/org/apache/pulsar/broker/ServiceConfiguration.java#L369> "*tlsSubjectKeyIdentifier*" at "ServiceConfiguration", and we can also register an appropriate listener <https://github.com/apache/incubator-pulsar/blob/master/pulsar-broker/src/main/java/org/apache/pulsar/broker/service/BrokerService.java#L1184> to perform subsequent action with the newly changed value of the configuration. So, I would not add one more REST end-point, and it should be part of dynamic configuration. You can see the "dispatchThrottlingRatePerSubscriptionInMsg <https://github.com/apache/incubator-pulsar/blob/master/pulsar-broker/src/main/java/org/apache/pulsar/broker/service/BrokerService.java#L1177>" example for dynamic-configuration.

Thanks,
Rajan

On Tue, Aug 7, 2018 at 1:12 AM, Ivan Kelly <[email protected]> wrote:

> Hi folks,
>
> This is a PIP to add a mechanism to block TLS client certs from
> accessing Pulsar if they have been compromised.
>
> This is a relatively small change, but I thought it best to put it to
> the community before moving ahead with it, as people may have opinions
> on the approach.
>
> The PIP is here:
> https://github.com/apache/incubator-pulsar/wiki/PIP-20%3A-Mechanism-to-revoke-TLS-authentication
>
> Cheers,
> Ivan
>
