#PulsarSummit Asia 2020
Who am I?
● Senior Developer at Nutanix responsible for all things pulsar
● Love spending time with data (stores, streams, analytics etc)
● Ex-MySQL - started out with 3 great years building MySQL Replication
● Contributions to pulsar & MySQL
https://www.linkedin.com/in/shivjijha/
https://twitter.com/ShivjiJha
Catalogue
• Background: Apache Pulsar
• The cluster components
• Background: Security
• The secure coordination
• The secure store
• The secure serving
Background: Apache Pulsar
Pulsar: cloud-native, distributed messaging and streaming platform
Highlights:
1. Modular design
2. Horizontally scalable
3. Low latency with durability
4. Multi-tenancy
5. Geo Replication
The Cluster Components
The Cluster Components: ZooKeeper
An open-source server which enables highly reliable distributed coordination.
Centralized service for:
1. Configuration information
2. Distributed synchronization
3. Group services
Used by: BookKeeper, broker
The Cluster Components: BookKeeper
A scalable, fault-tolerant and low-latency storage service optimized for realtime workloads.
1. Stand-alone Apache project
2. Overlapping committers with Pulsar
Used by: broker
The Cluster Components: broker
A stateless component that is primarily responsible for:
1. Dispatcher: async TCP server over a custom binary protocol for all data transfers.
2. HTTP server: REST APIs for admin tasks.
The Cluster
Geo Replication is the replication of persistently stored data across multiple clusters.
Messages are instantly replicated across clusters.
Background: Security
Background: Security - TLS
TLS: Transport Layer Security
1. Encryption: hide the data being transferred.
2. Authentication: the parties exchanging information are who they claim to be.
3. Integrity: verify that the data has not been tampered with.
Background: Security - CA
1. A Certificate Authority (CA) issues digital certs that contain:
a. the public key
b. the identity of the owner
2. Keep the private key secret. Distribute the public key.
3. The CA is responsible for saying:
a. yes, clients are who they say they are,
b. and we, the CA, certify that.
Background: Security - Crypto Keys
In general, there are three files:
1. Certifying authority (CA) certificate
2. RSA key pair
a. private key
b. public key
3. X.509 is a standard format for any digital certificate.
Background: Security - Crypto Keys
1. Enabling HTTPS on the server (one-way TLS)
2. Requiring the client to identify itself as well (two-way TLS, also called mutual TLS)
3. Two-way TLS based on trusting the Certificate Authority
Background: Security - Crypto Keys
1. Several commonly used filename extensions for X.509 certificate files.
2. Password-protected files that sit on the same file system as our running application.
3. We will encounter:
a. jks
b. pkcs12
c. pem
JKS: Java KeyStore. The default format used for these files is JKS until Java 8. JKS is a format specific to Java.
PKCS12: since Java 9, the default keystore format is PKCS12. PKCS12 is language-neutral.
PEM: Base64-encoded DER certificate, enclosed between "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----".
Conversion possible:
pem <==> pkcs12 <==> jks
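The PEM layout just described, handled by an added example that is not from the talk: it splits a file into BEGIN/END blocks, decodes each Base64 body, checks that the result is a DER SEQUENCE, and flags a private key that has ended up in a file meant for the trust side (tlsTrustCertsFilePath). The sample blocks are constructed stubs, not real certificates.

```python
"""Inspect PEM files as the slides describe them: Base64-encoded DER blocks
between '-----BEGIN <LABEL>-----' and '-----END <LABEL>-----' lines.
Added example, not from the talk. The samples below are constructed stubs
(valid envelopes around a 5-byte DER SEQUENCE), not real certificates."""
import base64
import re

# A block is only accepted when its END label matches its BEGIN label.
BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\s*"
    r"(?P<body>[A-Za-z0-9+/=\s]*?)\s*"
    r"-----END (?P=label)-----")

KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}


def parse_pem(text):
    """Return [(label, der_bytes), ...] for every block in the file.

    Raises ValueError on a damaged envelope (BEGIN/END label mismatch, truncated
    block, non-Base64 body, or a body that is not a DER SEQUENCE) instead of
    silently skipping it, because a skipped CA cert means a broken trust chain."""
    blocks = []
    begins = len(re.findall(r"-----BEGIN ", text))
    for m in BLOCK.finditer(text):
        label = m.group("label")
        body = "".join(m.group("body").split())  # drop the 64-column line breaks
        try:
            der = base64.b64decode(body, validate=True)
        except ValueError as exc:
            raise ValueError(f"{label}: body is not valid Base64") from exc
        if not der or der[0] != 0x30:  # X.509 certs and PKCS#8 keys are DER SEQUENCEs
            raise ValueError(f"{label}: decoded data is not a DER SEQUENCE")
        blocks.append((label, der))
    if len(blocks) != begins:
        raise ValueError("BEGIN/END label mismatch or truncated block")
    return blocks


def check_trust_bundle(text):
    """Findings for a file destined for tlsTrustCertsFilePath / brokerClientTrustCertsFilePath:
    it must contain CERTIFICATE blocks only, and never a private key."""
    blocks = parse_pem(text)
    findings = []
    for label, _der in blocks:
        if label in KEY_LABELS:
            findings.append(f"private key ({label}) found in trust bundle: remove it and rotate the key")
        elif label != "CERTIFICATE":
            findings.append(f"unexpected block type {label!r} in trust bundle")
    if not any(label == "CERTIFICATE" for label, _der in blocks):
        findings.append("no CERTIFICATE block: the bundle trusts nothing")
    return findings


def pem_block(label, der):
    """Wrap DER bytes in a PEM envelope with 64-column Base64 lines (inverse of parse_pem)."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


# Constructed samples: the DER payload is a stub SEQUENCE { INTEGER n }, not a real cert.
STUB_CERT = b"\x30\x03\x02\x01\x01"
STUB_KEY = b"\x30\x03\x02\x01\x02"
SAMPLE_BUNDLE = pem_block("CERTIFICATE", STUB_CERT) + pem_block("CERTIFICATE", STUB_CERT)
SAMPLE_LEAKED_KEY = pem_block("CERTIFICATE", STUB_CERT) + pem_block("PRIVATE KEY", STUB_KEY)
SAMPLE_MISMATCHED = "-----BEGIN CERTIFICATE-----\nMAMCAQE=\n-----END PRIVATE KEY-----\n"

if __name__ == "__main__":
    print(check_trust_bundle(SAMPLE_BUNDLE))
    print(check_trust_bundle(SAMPLE_LEAKED_KEY))
```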
Background: Security - Crypto Keys
1. Can use PEM / jks with broker.
2. Can use jks with bookkeeper.
3. Can use PEM / jks with zookeeper.
Background: Security - Crypto Keys
1. Use the openssl command to look at certificate data (CA cert or public key):
openssl x509 -noout -text -in /path/to/your/ca-certificates/file.pem
Background: Security - Crypto Keys
See: https://sites.google.com/site/ddmwsst/digital-certificates
Background: Security - Crypto Keys
1. To check that your private key is OK:
openssl rsa -in /path/to/private/keyfile.key -check
RSA key ok
writing RSA key
-----BEGIN PRIVATE KEY-----
…..
-----END PRIVATE KEY-----
Background: Security - Crypto Keys
1. To check that your TLS port is serving traffic:
openssl s_client -connect hostname:port
The Secure Coordination
Secure coordination: ZooKeeper (ZK)
1. By default, network communications of ZK are not encrypted.
2. We will use the SSL feature of ZooKeeper.
3. ZK was initially designed over the Java NIO package.
4. Later the Netty package was added, to optionally replace NIO.
5. SSL support is only available when the Netty package is used.
Secure coordination: ZooKeeper (ZK)
1. Enable Netty to use the SSL feature.
Set the Java system properties:
zookeeper.clientCnxnSocket="org.apache.zookeeper.ClientCnxnSocketNetty"
zookeeper.serverCnxnFactory="org.apache.zookeeper.server.NettyServerCnxnFactory"
Secure coordination: ZooKeeper (ZK)
1. Configure client-server communication to use SSL.
a. server => zookeeper cluster nodes
b. client => bookkeeper / broker server nodes
2. Configure the ZK nodes to talk over SSL among themselves (Quorum SSL).
Secure coordination: ZooKeeper (ZK)
Set up the server to accept secure connections (add the following to zookeeper.conf):
serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory
ssl.keyStore.location="/path/to/your/keystore"
ssl.keyStore.password="keystore_password"
ssl.trustStore.location="/path/to/your/truststore"
ssl.trustStore.password="truststore_password"
ssl.hostnameVerification=true
Secure coordination: ZooKeeper (ZK)
On ZK servers:
Provide a secure port to listen for secure connections:
secureClientPort=2281
Also use port unification to migrate from non-TLS to TLS, so that both plain and TLS connections are accepted during the transition:
portUnification=true
Once the complete setup is running with TLS, switch it off so plaintext is no longer accepted:
portUnification=false
Secure coordination: ZooKeeper (ZK)
Set up the clients (bookkeeper and broker) to talk over secure connections.
In pulsar_env.sh, append these options to the extra opts (note that the secure flag belongs inside the quoted value):
export PULSAR_EXTRA_OPTS="
-Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty
-Dzookeeper.client.secure=true
-Dzookeeper.ssl.keyStore.location=/path/to/keystore/file.jks
-Dzookeeper.ssl.keyStore.password=testpass
-Dzookeeper.ssl.trustStore.location=/path/to/truststore/file.jks
-Dzookeeper.ssl.trustStore.password=testpass"
Secure coordination: ZooKeeper (ZK)
Set up the server to use the SSL cert files to accept secure connections from peer ZK servers.
In zookeeper.conf, append these configurations:
sslQuorum=true
ssl.quorum.keyStore.location=/path/to/keystore/file.jks
ssl.quorum.keyStore.password=testpass
ssl.quorum.trustStore.location=/path/to/truststore/file.jks
ssl.quorum.trustStore.password=testpass
ssl.quorum.hostnameVerification=true
The Secure Store
The Secure Store: BookKeeper options
# Port that the bookie server listens on
bookiePort=3181
The same bookkeeper port is used for TLS as well as non-TLS traffic.
The Secure Store: BookKeeper options
######################################################################
## TLS settings
######################################################################
# TLS Provider (JDK or OpenSSL).
tlsProvider=OpenSSL
# The path to the class that provides security.
tlsProviderFactoryClass=org.apache.bookkeeper.tls.TLSContextFactory
# Require connecting clients (the brokers) to present a certificate (mutual TLS).
tlsClientAuthentication=true
# Bookie Keystore type.
tlsKeyStoreType=JKS
# Bookie Keystore location (path).
tlsKeyStore=/path/to/keystore/file.jks
# Bookie Keystore password path, if the keystore is protected by a password.
tlsKeyStorePasswordPath=/path/to/keystore/password/file
# Bookie Truststore type.
tlsTrustStoreType=JKS
# Bookie Truststore location (path).
tlsTrustStore=/path/to/truststore/file.jks
# Bookie Truststore password path, if the trust store is protected by a password.
tlsTrustStorePasswordPath=/path/to/truststore/password/file
The Secure Serving
The Secure Serving: Broker options
# Broker data port
brokerServicePort=6650
# Broker data port for TLS - by default TLS is disabled
brokerServicePortTls=6651
# Port to use to serve HTTP requests
webServicePort=8080
# Port to use to serve HTTPS requests - by default TLS is disabled
webServicePortTls=8443
The Secure Serving: Broker options
# Path for the TLS certificate file
tlsCertificateFilePath=/etc/pulsar/certs/pulsarcluster1-broker-node-1.bm.infra.crt
# Path for the TLS private key file
tlsKeyFilePath=/path/to/private/keyfile.pem
# Path for the trusted TLS certificate file.
# This cert is used to verify that any certs presented by connecting clients
# are signed by a certificate authority. If this verification
# fails, then the certs are untrusted and the connections are dropped.
tlsTrustCertsFilePath=/path/to/ca-certificates/file.pem
# Accept untrusted TLS certificates from clients. Leave at the default (false),
# otherwise the verification above is bypassed.
# tlsAllowInsecureConnection=false
The Secure Serving: Broker options
# Specify the TLS protocols the broker will use to negotiate during the TLS handshake
# (a comma-separated list of protocol names).
# Examples:- [TLSv1.2, TLSv1.1, TLSv1]
tlsProtocols=
# Specify the TLS ciphers the broker will use to negotiate during the TLS handshake
# (a comma-separated list of ciphers).
# Examples:- [TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
tlsCiphers=
The Secure Serving: Broker options
### --- KeyStore TLS config variables --- ###
# Enable TLS with KeyStore type configuration in broker.
tlsEnabledWithKeyStore=false
# TLS Provider for KeyStore type
tlsProvider=
# TLS KeyStore type configuration in broker: JKS, PKCS12
tlsKeyStoreType=JKS
# TLS KeyStore path in broker
tlsKeyStore=
# TLS KeyStore password for broker
tlsKeyStorePassword=
# TLS TrustStore type configuration in broker: JKS, PKCS12
tlsTrustStoreType=JKS
# TLS TrustStore path in broker
tlsTrustStore=
# TLS TrustStore password in broker
tlsTrustStorePassword=
The Secure Serving: Broker options
Authentication and authorization options in broker:
# Enable authentication
authenticationEnabled=true
# Authentication provider name list, which is a comma-separated list of class names
authenticationProviders=org.apache.pulsar.broker.authentication.AuthenticationProviderToken
# Interval of time for checking for expired authentication credentials
authenticationRefreshCheckSeconds=60
# Enforce authorization
authorizationEnabled=true
# Authorization provider fully qualified class-name
authorizationProvider=org.apache.pulsar.broker.authorization.PulsarAuthorizationProvider
# Role names that are treated as "super-user", meaning they will be able to do all admin
# operations and publish/consume from all topics
superUserRoles=admin
The Secure Serving: Broker options
Peer-to-peer secure connection options in broker:
# Authentication settings of the broker itself. Used when the broker connects to other
# brokers, either in the same or other clusters
brokerClientTlsEnabled=true
brokerClientAuthenticationPlugin=org.apache.pulsar.client.impl.auth.AuthenticationToken
brokerClientAuthenticationParameters=token:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
brokerClientTrustCertsFilePath=/usr/local/share/ca-certificates/pulsar-gov-pki-ca.pem
# Supported Athenz provider domain names (comma separated) for authentication
athenzDomainNames=
The Secure Serving: Pulsar client options
Setting up authentication in the pulsar client (client.conf)
## Authentication plugin to authenticate with servers
# e.g. for TLS
# authPlugin=org.apache.pulsar.client.impl.auth.AuthenticationTls
authPlugin=
# Parameters passed to the authentication plugin.
# A comma-separated list of key:value pairs.
# Keys depend on the configured authPlugin.
# e.g. for TLS
# authParams=tlsCertFile:/path/to/client-cert.pem,tlsKeyFile:/path/to/client-key.pem
authParams=
The Secure Serving: Pulsar client options
Setting up TLS in the pulsar client (client.conf)
# Allow TLS connections to servers whose certificate cannot be verified to have
# been signed by a trusted certificate authority.
tlsAllowInsecureConnection=false
# Whether the server hostname must match the common name of the certificate the
# server is using.
tlsEnableHostnameVerification=false
tlsTrustCertsFilePath=
# Enable TLS with KeyStore type configuration in the client.
useKeyStoreTls=false
# TLS TrustStore type configuration: JKS, PKCS12
tlsTrustStoreType=JKS
# TLS TrustStore path
tlsTrustStorePath=
# TLS TrustStore password
tlsTrustStorePassword=
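The zookeeper.conf, bookkeeper.conf, broker.conf and client.conf settings from the coordination, store and serving sections, checked by one added example that is not Pulsar tooling: it parses key=value fragments and reports the weak or inconsistent choices the slides warn about (plaintext still accepted, insecure connections allowed, old protocols, authorization off, a store type given a path, a token pasted inline). Key names are the ones on the slides; the sample input is constructed.

```python
"""Lint config fragments for the TLS/auth settings discussed in the talk.
Added example (not Pulsar's own tooling); sample input below is constructed."""

WEAK_PROTOCOLS = {"TLSv1", "TLSv1.1", "SSLv3"}
NETTY_FACTORY = "org.apache.zookeeper.server.NettyServerCnxnFactory"


def parse_conf(text):
    """Java-properties style key=value file: '#' lines are comments; surrounding
    double quotes are stripped so the quoted slide-style values compare cleanly."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip().strip('"')
    return conf


def flag(conf, key, expected, msg):
    """Return [msg] when key is present with a value other than expected."""
    return [msg] if key in conf and conf[key].lower() != expected else []


def audit_zookeeper(conf):
    f = []
    if conf.get("serverCnxnFactory") != NETTY_FACTORY:
        f.append("zk: SSL needs serverCnxnFactory=" + NETTY_FACTORY)
    if "secureClientPort" not in conf:
        f.append("zk: no secureClientPort, bookies/brokers cannot connect over TLS")
    if conf.get("portUnification", "false").lower() == "true":
        f.append("zk: portUnification=true still accepts plaintext; set false once migrated")
    f += flag(conf, "ssl.hostnameVerification", "true", "zk: ssl.hostnameVerification disabled")
    if conf.get("sslQuorum", "false").lower() != "true":
        f.append("zk: peer (quorum) traffic is not encrypted, set sslQuorum=true")
    return f


def audit_bookkeeper(conf):
    f = flag(conf, "tlsClientAuthentication", "true", "bk: brokers not required to present a cert")
    for key in ("tlsKeyStoreType", "tlsTrustStoreType"):
        if conf.get(key, "JKS").upper() not in ("JKS", "PKCS12"):
            f.append(f"bk: {key} must be JKS or PKCS12, got a path/other value")
    for key in ("tlsKeyStorePasswordPath", "tlsTrustStorePasswordPath"):
        if conf.get(key, "").endswith(".jks"):
            f.append(f"bk: {key} should point at a password file, not a keystore")
    return f


def audit_broker(conf):
    f = flag(conf, "tlsAllowInsecureConnection", "false", "broker: untrusted client certs accepted")
    protos = {p.strip() for p in conf.get("tlsProtocols", "").split(",") if p.strip()}
    if not protos:
        f.append("broker: tlsProtocols not pinned, provider defaults decide")
    elif protos & WEAK_PROTOCOLS:
        f.append(f"broker: deprecated protocols enabled: {sorted(protos & WEAK_PROTOCOLS)}")
    if conf.get("authenticationEnabled", "false").lower() != "true":
        f.append("broker: authenticationEnabled=false")
    if conf.get("authorizationEnabled", "false").lower() != "true":
        f.append("broker: authorizationEnabled=false, any authenticated role can do anything")
    if conf.get("brokerClientAuthenticationParameters", "").startswith("token:"):
        f.append("broker: broker-to-broker token stored inline in broker.conf")
    return f


def audit_client(conf):
    f = flag(conf, "tlsAllowInsecureConnection", "false", "client: accepts unverifiable server certs")
    f += flag(conf, "tlsEnableHostnameVerification", "true", "client: hostname verification off")
    if conf.get("authPlugin") and not conf.get("authParams"):
        f.append("client: authPlugin set but authParams empty")
    return f


AUDITS = {"zookeeper": audit_zookeeper, "bookkeeper": audit_bookkeeper,
          "broker": audit_broker, "client": audit_client}


def audit(kind, text):
    """Parse one config fragment and return its findings (empty list means clean)."""
    return AUDITS[kind](parse_conf(text))


# Constructed sample: a broker.conf cut from the slides with a few weak settings.
SAMPLE_BROKER = """
brokerServicePortTls=6651
tlsAllowInsecureConnection=true
tlsProtocols=TLSv1.2,TLSv1
authenticationEnabled=true
authorizationEnabled=false
brokerClientAuthenticationParameters=token:XXXX
"""

if __name__ == "__main__":
    for finding in audit("broker", SAMPLE_BROKER):
        print(finding)
```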
References
1. Pulsar docs: https://pulsar.apache.org/docs
2. Digital Certificates: https://sites.google.com/site/ddmwsst/digital-certificates
3. Mutual TLS: https://dzone.com/articles/hakky54mutual-tls-1
4. Broker TLS: http://pulsar.apache.org/docs/en/security-tls-transport/
5. BookKeeper TLS: https://bookkeeper.apache.org/docs/latest/security/tls/
6. ZooKeeper TLS:
● https://cwiki.apache.org/confluence/display/ZOOKEEPER/ZooKeeper+SSL+User+Guide
● https://zookeeper.apache.org/doc/r3.5.7/zookeeperAdmin.html#sc_authOptions
● https://cwiki.apache.org/confluence/display/ZOOKEEPER/ZooKeeper+and+SASL
Stay Connected:
● Pulsar Mailing Lists
○ users@pulsar.apache.org
○ dev@pulsar.apache.org
● Pulsar Slack
○ https://apache-pulsar.slack.com
● You can contact me at:
○ https://twitter.com/ShivjiJha
○ https://www.linkedin.com/in/shivjijha/
Q & A
 
Pulsar summit asia 2021: Designing Pulsar for Isolation
Pulsar summit asia 2021: Designing Pulsar for IsolationPulsar summit asia 2021: Designing Pulsar for Isolation
Pulsar summit asia 2021: Designing Pulsar for Isolation
 
Event sourcing Live 2021: Streaming App Changes to Event Store
Event sourcing Live 2021: Streaming App Changes to Event StoreEvent sourcing Live 2021: Streaming App Changes to Event Store
Event sourcing Live 2021: Streaming App Changes to Event Store
 
Apache Con 2021 Structured Data Streaming
Apache Con 2021 Structured Data StreamingApache Con 2021 Structured Data Streaming
Apache Con 2021 Structured Data Streaming
 
Apache Con 2021 : Apache Bookkeeper Key Value Store and use cases
Apache Con 2021 : Apache Bookkeeper Key Value Store and use casesApache Con 2021 : Apache Bookkeeper Key Value Store and use cases
Apache Con 2021 : Apache Bookkeeper Key Value Store and use cases
 
Pulsar Summit Asia - Structured Data Stream with Apache Pulsar
Pulsar Summit Asia - Structured Data Stream with Apache PulsarPulsar Summit Asia - Structured Data Stream with Apache Pulsar
Pulsar Summit Asia - Structured Data Stream with Apache Pulsar
 
lessons from managing a pulsar cluster
 lessons from managing a pulsar cluster lessons from managing a pulsar cluster
lessons from managing a pulsar cluster
 
FOSSASIA 2015: MySQL Group Replication
FOSSASIA 2015: MySQL Group ReplicationFOSSASIA 2015: MySQL Group Replication
FOSSASIA 2015: MySQL Group Replication
 
MySQL High Availability with Replication New Features
MySQL High Availability with Replication New FeaturesMySQL High Availability with Replication New Features
MySQL High Availability with Replication New Features
 
MySQL Developer Day conference: MySQL Replication and Scalability
MySQL Developer Day conference: MySQL Replication and ScalabilityMySQL Developer Day conference: MySQL Replication and Scalability
MySQL Developer Day conference: MySQL Replication and Scalability
 
MySQL User Camp: MySQL Cluster
MySQL User Camp: MySQL ClusterMySQL User Camp: MySQL Cluster
MySQL User Camp: MySQL Cluster
 
MySQL User Camp: GTIDs
MySQL User Camp: GTIDsMySQL User Camp: GTIDs
MySQL User Camp: GTIDs
 
Open source India - MySQL Labs: Multi-Source Replication
Open source India - MySQL Labs: Multi-Source ReplicationOpen source India - MySQL Labs: Multi-Source Replication
Open source India - MySQL Labs: Multi-Source Replication
 
MySQL User Camp: Multi-threaded Slaves
MySQL User Camp: Multi-threaded SlavesMySQL User Camp: Multi-threaded Slaves
MySQL User Camp: Multi-threaded Slaves
 

Recently uploaded

Generative AI or GenAI technology based PPT
Generative AI or GenAI technology based PPTGenerative AI or GenAI technology based PPT
Generative AI or GenAI technology based PPTbhaskargani46
 
Intro To Electric Vehicles PDF Notes.pdf
Intro To Electric Vehicles PDF Notes.pdfIntro To Electric Vehicles PDF Notes.pdf
Intro To Electric Vehicles PDF Notes.pdfrs7054576148
 
Thermal Engineering -unit - III & IV.ppt
Thermal Engineering -unit - III & IV.pptThermal Engineering -unit - III & IV.ppt
Thermal Engineering -unit - III & IV.pptDineshKumar4165
 
CCS335 _ Neural Networks and Deep Learning Laboratory_Lab Complete Record
CCS335 _ Neural Networks and Deep Learning Laboratory_Lab Complete RecordCCS335 _ Neural Networks and Deep Learning Laboratory_Lab Complete Record
CCS335 _ Neural Networks and Deep Learning Laboratory_Lab Complete RecordAsst.prof M.Gokilavani
 
Unleashing the Power of the SORA AI lastest leap
Unleashing the Power of the SORA AI lastest leapUnleashing the Power of the SORA AI lastest leap
Unleashing the Power of the SORA AI lastest leapRishantSharmaFr
 
Unit 2- Effective stress & Permeability.pdf
Unit 2- Effective stress & Permeability.pdfUnit 2- Effective stress & Permeability.pdf
Unit 2- Effective stress & Permeability.pdfRagavanV2
 
Intze Overhead Water Tank Design by Working Stress - IS Method.pdf
Intze Overhead Water Tank  Design by Working Stress - IS Method.pdfIntze Overhead Water Tank  Design by Working Stress - IS Method.pdf
Intze Overhead Water Tank Design by Working Stress - IS Method.pdfSuman Jyoti
 
notes on Evolution Of Analytic Scalability.ppt
notes on Evolution Of Analytic Scalability.pptnotes on Evolution Of Analytic Scalability.ppt
notes on Evolution Of Analytic Scalability.pptMsecMca
 
UNIT - IV - Air Compressors and its Performance
UNIT - IV - Air Compressors and its PerformanceUNIT - IV - Air Compressors and its Performance
UNIT - IV - Air Compressors and its Performancesivaprakash250
 
AKTU Computer Networks notes --- Unit 3.pdf
AKTU Computer Networks notes ---  Unit 3.pdfAKTU Computer Networks notes ---  Unit 3.pdf
AKTU Computer Networks notes --- Unit 3.pdfankushspencer015
 
VIP Call Girls Ankleshwar 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Ankleshwar 7001035870 Whatsapp Number, 24/07 BookingVIP Call Girls Ankleshwar 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Ankleshwar 7001035870 Whatsapp Number, 24/07 Bookingdharasingh5698
 
Call Girls Wakad Call Me 7737669865 Budget Friendly No Advance Booking
Call Girls Wakad Call Me 7737669865 Budget Friendly No Advance BookingCall Girls Wakad Call Me 7737669865 Budget Friendly No Advance Booking
Call Girls Wakad Call Me 7737669865 Budget Friendly No Advance Bookingroncy bisnoi
 
Navigating Complexity: The Role of Trusted Partners and VIAS3D in Dassault Sy...
Navigating Complexity: The Role of Trusted Partners and VIAS3D in Dassault Sy...Navigating Complexity: The Role of Trusted Partners and VIAS3D in Dassault Sy...
Navigating Complexity: The Role of Trusted Partners and VIAS3D in Dassault Sy...Arindam Chakraborty, Ph.D., P.E. (CA, TX)
 
Block diagram reduction techniques in control systems.ppt
Block diagram reduction techniques in control systems.pptBlock diagram reduction techniques in control systems.ppt
Block diagram reduction techniques in control systems.pptNANDHAKUMARA10
 
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXssuser89054b
 
Design For Accessibility: Getting it right from the start
Design For Accessibility: Getting it right from the startDesign For Accessibility: Getting it right from the start
Design For Accessibility: Getting it right from the startQuintin Balsdon
 

Recently uploaded (20)

Generative AI or GenAI technology based PPT
Generative AI or GenAI technology based PPTGenerative AI or GenAI technology based PPT
Generative AI or GenAI technology based PPT
 
Intro To Electric Vehicles PDF Notes.pdf
Intro To Electric Vehicles PDF Notes.pdfIntro To Electric Vehicles PDF Notes.pdf
Intro To Electric Vehicles PDF Notes.pdf
 
Thermal Engineering -unit - III & IV.ppt
Thermal Engineering -unit - III & IV.pptThermal Engineering -unit - III & IV.ppt
Thermal Engineering -unit - III & IV.ppt
 
CCS335 _ Neural Networks and Deep Learning Laboratory_Lab Complete Record
CCS335 _ Neural Networks and Deep Learning Laboratory_Lab Complete RecordCCS335 _ Neural Networks and Deep Learning Laboratory_Lab Complete Record
CCS335 _ Neural Networks and Deep Learning Laboratory_Lab Complete Record
 
Unleashing the Power of the SORA AI lastest leap
Unleashing the Power of the SORA AI lastest leapUnleashing the Power of the SORA AI lastest leap
Unleashing the Power of the SORA AI lastest leap
 
Unit 2- Effective stress & Permeability.pdf
Unit 2- Effective stress & Permeability.pdfUnit 2- Effective stress & Permeability.pdf
Unit 2- Effective stress & Permeability.pdf
 
(INDIRA) Call Girl Meerut Call Now 8617697112 Meerut Escorts 24x7
(INDIRA) Call Girl Meerut Call Now 8617697112 Meerut Escorts 24x7(INDIRA) Call Girl Meerut Call Now 8617697112 Meerut Escorts 24x7
(INDIRA) Call Girl Meerut Call Now 8617697112 Meerut Escorts 24x7
 
Call Girls in Netaji Nagar, Delhi 💯 Call Us 🔝9953056974 🔝 Escort Service
Call Girls in Netaji Nagar, Delhi 💯 Call Us 🔝9953056974 🔝 Escort ServiceCall Girls in Netaji Nagar, Delhi 💯 Call Us 🔝9953056974 🔝 Escort Service
Call Girls in Netaji Nagar, Delhi 💯 Call Us 🔝9953056974 🔝 Escort Service
 
Intze Overhead Water Tank Design by Working Stress - IS Method.pdf
Intze Overhead Water Tank  Design by Working Stress - IS Method.pdfIntze Overhead Water Tank  Design by Working Stress - IS Method.pdf
Intze Overhead Water Tank Design by Working Stress - IS Method.pdf
 
notes on Evolution Of Analytic Scalability.ppt
notes on Evolution Of Analytic Scalability.pptnotes on Evolution Of Analytic Scalability.ppt
notes on Evolution Of Analytic Scalability.ppt
 
Call Girls in Ramesh Nagar Delhi 💯 Call Us 🔝9953056974 🔝 Escort Service
Call Girls in Ramesh Nagar Delhi 💯 Call Us 🔝9953056974 🔝 Escort ServiceCall Girls in Ramesh Nagar Delhi 💯 Call Us 🔝9953056974 🔝 Escort Service
Call Girls in Ramesh Nagar Delhi 💯 Call Us 🔝9953056974 🔝 Escort Service
 
UNIT - IV - Air Compressors and its Performance
UNIT - IV - Air Compressors and its PerformanceUNIT - IV - Air Compressors and its Performance
UNIT - IV - Air Compressors and its Performance
 
AKTU Computer Networks notes --- Unit 3.pdf
AKTU Computer Networks notes ---  Unit 3.pdfAKTU Computer Networks notes ---  Unit 3.pdf
AKTU Computer Networks notes --- Unit 3.pdf
 
VIP Call Girls Ankleshwar 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Ankleshwar 7001035870 Whatsapp Number, 24/07 BookingVIP Call Girls Ankleshwar 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Ankleshwar 7001035870 Whatsapp Number, 24/07 Booking
 
Call Now ≽ 9953056974 ≼🔝 Call Girls In New Ashok Nagar ≼🔝 Delhi door step de...
Call Now ≽ 9953056974 ≼🔝 Call Girls In New Ashok Nagar  ≼🔝 Delhi door step de...Call Now ≽ 9953056974 ≼🔝 Call Girls In New Ashok Nagar  ≼🔝 Delhi door step de...
Call Now ≽ 9953056974 ≼🔝 Call Girls In New Ashok Nagar ≼🔝 Delhi door step de...
 
Call Girls Wakad Call Me 7737669865 Budget Friendly No Advance Booking
Call Girls Wakad Call Me 7737669865 Budget Friendly No Advance BookingCall Girls Wakad Call Me 7737669865 Budget Friendly No Advance Booking
Call Girls Wakad Call Me 7737669865 Budget Friendly No Advance Booking
 
Navigating Complexity: The Role of Trusted Partners and VIAS3D in Dassault Sy...
Navigating Complexity: The Role of Trusted Partners and VIAS3D in Dassault Sy...Navigating Complexity: The Role of Trusted Partners and VIAS3D in Dassault Sy...
Navigating Complexity: The Role of Trusted Partners and VIAS3D in Dassault Sy...
 
Block diagram reduction techniques in control systems.ppt
Block diagram reduction techniques in control systems.pptBlock diagram reduction techniques in control systems.ppt
Block diagram reduction techniques in control systems.ppt
 
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
 
Design For Accessibility: Getting it right from the start
Design For Accessibility: Getting it right from the startDesign For Accessibility: Getting it right from the start
Design For Accessibility: Getting it right from the start
 

Pulsar Summit Asia - Running a secure pulsar cluster

• 2. Who am I?
● Senior Developer at Nutanix responsible for all things Pulsar
● Love spending time with data (stores, streams, analytics etc.)
● Ex-MySQL: started out with 3 great years building MySQL Replication
● Contributions to Pulsar & MySQL
https://www.linkedin.com/in/shivjijha/
https://twitter.com/ShivjiJha

• 3. Catalogue
• Background: Apache Pulsar
• The cluster components
• Background: Security
• The secure coordination
• The secure store
• The secure serving
• 5-7. Background: Apache Pulsar
Pulsar: cloud-native, distributed messaging and streaming platform.
Highlights:
1. Modular design
2. Horizontally scalable
3. Low latency with durability
4. Multi-tenancy
5. Geo-replication
• 9. The Cluster Components: ZooKeeper
An open-source server which enables highly reliable distributed coordination.
Centralized service for:
1. Configuration information
2. Distributed synchronization
3. Group services
Use case: BookKeeper, broker

• 10. The Cluster Components: BookKeeper
A scalable, fault-tolerant and low-latency storage service optimized for real-time workloads.
1. Stand-alone Apache project
2. Overlapping committers
Use case: Broker

• 11. The Cluster Components: Broker
A stateless component that's primarily responsible for:
1. Dispatcher: asynchronous TCP server over a custom binary protocol for all data transfers.
2. HTTP server: REST APIs for admin tasks.

• 12. The Cluster
Geo-replication is the replication of persistently stored data across multiple clusters.
Messages are instantly replicated across clusters.
• 14. Background: Security - TLS
TLS: Transport Layer Security
1. Encryption: hide the data being transferred.
2. Authentication: the parties exchanging information are who they claim to be.
3. Integrity: verify that the data has not been tampered with.

• 15. Background: Security - CA
1. A Certificate Authority (CA) issues digital certificates that contain:
   a. the public key
   b. the identity of the owner
2. Keep the private key secret; distribute the public key.
3. The CA is responsible for saying:
   a. yes, clients are who they say they are,
   b. and we, the CA, certify that.

• 16. Background: Security - Crypto Keys
In general, there are three files:
1. Certificate authority (CA) certificate
2. RSA key pair
   a. private key
   b. public key
3. X.509 is a standard format for any digital certificate.

• 17. Background: Security - Crypto Keys
1. Enabling HTTPS on the server (one-way TLS)
2. Requiring the client to identify itself (two-way TLS)
3. Two-way TLS based on trusting the Certificate Authority
• 18-21. Background: Security - Crypto Keys
1. There are several commonly used filename extensions for X.509 certificate files.
2. They are password-protected files that sit on the same file system as our running application.
3. We will encounter:
   a. jks: Java KeyStore. The default format used for these files up to Java 8; JKS is a format specific to Java.
   b. pkcs12: since Java 9, the default keystore format is PKCS12. PKCS12 is language-neutral.
   c. pem: Base64-encoded DER certificate, enclosed between "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----".
Conversion possible: pem <==> pkcs12 <==> jks
• 22. Background: Security - Crypto Keys
1. Can use PEM / JKS with the broker.
2. Can use JKS with BookKeeper.
3. Can use PEM / JKS with ZooKeeper.

• 23. Background: Security - Crypto Keys
1. Use the openssl command to look at certificate data (CA cert or public key):
   openssl x509 -noout -text -in /path/to/your/ca-certificates/file.pem

• 24. Background: Security - Crypto Keys
https://sites.google.com/site/ddmwsst/digital-certificates

• 25. Background: Security - Crypto Keys
1. To check that your private key is OK:
   openssl rsa -in /path/to/private/keyfile.key -check
   RSA key ok
   writing RSA key
   -----BEGIN PRIVATE KEY-----
   …..
   -----END PRIVATE KEY-----

• 26. Background: Security - Crypto Keys
1. To check that your TLS port is serving traffic:
   openssl s_client -connect hostname:port
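Before copying PEM files onto the ZooKeeper, bookie and broker hosts it is worth checking their structure, since a hand-edited file with a mismatched marker or a truncated Base64 body fails only at service start. The following is an added example, not code from the talk or from Pulsar: a small checker that pairs BEGIN/END markers and verifies that each payload decodes to a DER SEQUENCE whose announced length matches the bytes present (the outer structure shared by X.509 certificates and PKCS#8 keys). The sample PEM inputs are constructed, not real certificates.

```python
"""Structural check of a PEM file: paired BEGIN/END markers and a well-formed
outer DER SEQUENCE in each block (added example, not from the slides)."""
from __future__ import annotations

import base64
import re
from dataclasses import dataclass

# Matches "-----BEGIN X-----" and "-----END X-----" marker lines.
_MARKER = re.compile(r"^-----(BEGIN|END) ([A-Z0-9 ]+)-----$")


@dataclass
class PemBlock:
    label: str   # e.g. "CERTIFICATE" or "PRIVATE KEY"
    der: bytes   # the base64-decoded DER payload


def _der_sequence_length(der: bytes) -> tuple[int, int]:
    """Return (content length, header size) of the outer DER SEQUENCE (tag 0x30).

    An X.509 certificate and a PKCS#8 key are both an outer SEQUENCE, so a
    length that disagrees with the payload means truncation or corruption.
    """
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("payload does not start with a DER SEQUENCE")
    first = der[1]
    if first < 0x80:               # short form: the byte is the length itself
        return first, 2
    n = first & 0x7F               # long form: the next n bytes hold the length
    if n == 0 or len(der) < 2 + n:
        raise ValueError("malformed DER length")
    return int.from_bytes(der[2:2 + n], "big"), 2 + n


def parse_pem(text: str) -> list[PemBlock]:
    """Parse every PEM block in text, raising ValueError on structural errors."""
    blocks: list[PemBlock] = []
    label: str | None = None
    body: list[str] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        m = _MARKER.match(line)
        if not m:
            if label is not None and line:
                body.append(line)
            continue
        kind, name = m.groups()
        if kind == "BEGIN":
            if label is not None:      # a BEGIN where the END marker should be
                raise ValueError(f"line {lineno}: BEGIN {name} inside unterminated {label} block")
            label, body = name, []
        else:
            if label != name:
                raise ValueError(f"line {lineno}: END {name} does not match BEGIN {label}")
            der = base64.b64decode("".join(body), validate=True)
            length, header = _der_sequence_length(der)
            if header + length != len(der):
                raise ValueError(f"{label}: DER announces {length} bytes, payload has {len(der) - header}")
            blocks.append(PemBlock(label, der))
            label = None
    if label is not None:
        raise ValueError(f"file ends inside {label} block (missing END)")
    return blocks


def check_pem(text: str) -> str:
    """Human-readable verdict: 'ok: ...' or 'error: ...'."""
    try:
        blocks = parse_pem(text)
    except ValueError as exc:
        return f"error: {exc}"
    return "ok: " + ", ".join(f"{b.label} ({len(b.der)} bytes DER)" for b in blocks)


# Constructed sample: not a real certificate, only the minimal DER SEQUENCE
# { INTEGER 5 } (bytes 30 03 02 01 05) so the structural checks have input.
GOOD_PEM = """-----BEGIN CERTIFICATE-----
MAMCAQU=
-----END CERTIFICATE-----
"""

# Constructed sample: the END marker was mistyped as BEGIN.
BAD_PEM = """-----BEGIN PRIVATE KEY-----
MAMCAQU=
-----BEGIN PRIVATE KEY-----
"""
```

Run `check_pem` over each file before it goes into a keystore conversion; `parse_pem` also returns the decoded DER, which is what `keytool -importcert` or `openssl x509 -inform DER` would read.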
• 28. Secure coordination: ZooKeeper (ZK)
1. By default, ZK network communications are not encrypted.
2. We will use the SSL feature of ZooKeeper.
3. ZK was initially designed over the Java NIO package.
4. Later the Netty package was added, to optionally replace NIO.
5. SSL support was only added for the Netty-based implementation.

• 29. Secure coordination: ZooKeeper (ZK)
1. Enable Netty to use the SSL feature. Set the Java system properties:
   zookeeper.clientCnxnSocket="org.apache.zookeeper.ClientCnxnSocketNetty"
   zookeeper.serverCnxnFactory="org.apache.zookeeper.server.NettyServerCnxnFactory"

• 30. The Secure Store: ZooKeeper (ZK)
1. Configure client-server communication to use SSL.
   a. server => ZooKeeper cluster nodes
   b. client => BookKeeper / broker server nodes
2. Configure the ZK nodes to talk over SSL among themselves (quorum SSL).

• 31. The Secure Store: ZooKeeper (ZK)
Set up the server to accept secure connections (add the following to zookeeper.conf):
   serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory
   ssl.keyStore.location="/path/to/your/keystore"
   ssl.keyStore.password="keystore_password"
   ssl.trustStore.location="/path/to/your/truststore"
   ssl.trustStore.password="truststore_password"
   ssl.hostnameVerification=true

• 32. The Secure Store: ZooKeeper (ZK)
On the ZK servers, provide a secure port to listen for secure connections:
   secureClientPort=2281
Also use port unification to migrate from non-TLS to TLS:
   portUnification=true
Once the complete setup is running with TLS:
   portUnification=false

• 33. The Secure Store: ZooKeeper (ZK)
Set up the clients (BookKeeper and broker) to talk over secure connections. In pulsar_env.sh, append these options to the extra opts (all -D flags belong inside the quotes):
   export PULSAR_EXTRA_OPTS="
     -Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty
     -Dzookeeper.ssl.keyStore.location=/path/to/keystore/file.jks
     -Dzookeeper.ssl.keyStore.password=testpass
     -Dzookeeper.ssl.trustStore.location=/path/to/truststore/file.jks
     -Dzookeeper.ssl.trustStore.password=testpass
     -Dzookeeper.client.secure=true"

• 34. The Secure Store: ZooKeeper (ZK)
Set up the server to use SSL cert files to accept secure connections from peer ZK servers. In zookeeper.conf, append these configurations:
   sslQuorum=true
   ssl.quorum.keyStore.location=/path/to/keystore/file.jks
   ssl.quorum.keyStore.password=testpass
   ssl.quorum.trustStore.location=/path/to/truststore/file.jks
   ssl.quorum.trustStore.password=testpass
   ssl.quorum.hostnameVerification=true
• 36. The Secure Store: BookKeeper options
   # Port that the bookie server listens on
   bookiePort=3181
The same BookKeeper port is used for TLS as well as non-TLS traffic.

• 37. The Secure Store: BookKeeper options
   ######################################################################
   ## TLS settings
   ######################################################################
   # TLS provider (JDK or OpenSSL).
   tlsProvider=OpenSSL
   # The path to the class that provides security.
   tlsProviderFactoryClass=org.apache.bookkeeper.tls.TLSContextFactory
   # Type of security used by the server: require client certificates.
   tlsClientAuthentication=true
   # Bookie keystore type.
   tlsKeyStoreType=JKS

• 38. The Secure Store: BookKeeper options
   # Bookie keystore location (path).
   tlsKeyStore=/path/to/keystore/file.jks
   # Bookie keystore password path, if the keystore is protected by a password.
   tlsKeyStorePasswordPath=/path/to/keystore/password/file.jks
   # Bookie truststore type.
   tlsTrustStoreType=JKS
   # Bookie truststore location (path).
   tlsTrustStore=/path/to/truststore/file.jks
   # Bookie truststore password path, if the truststore is protected by a password.
   tlsTrustStorePasswordPath=/path/to/truststore/password/file.jks
• 40. Secure Serving: Broker options
   # Broker data port
   brokerServicePort=6650
   # Broker data port for TLS - by default TLS is disabled
   brokerServicePortTls=6651
   # Port to use to serve HTTP requests
   webServicePort=8080
   # Port to use to serve HTTPS requests - by default TLS is disabled
   webServicePortTls=8443

• 41. The Secure Serving: Broker options
   # Path for the TLS certificate file
   tlsCertificateFilePath=/etc/pulsar/certs/pulsarcluster1-broker-node-1.bm.infra.crt
   # Path for the TLS private key file
   tlsKeyFilePath=/path/to/private/keyfile.pem
   # Path for the trusted TLS certificate file.
   # This cert is used to verify that any certs presented by connecting clients
   # are signed by a certificate authority. If this verification fails, the
   # certs are untrusted and the connections are dropped.
   tlsTrustCertsFilePath=/path/to/ca-certificates/file.pem
   # Accept untrusted TLS certificates from clients.
   # tlsAllowInsecureConnection=false

• 42. The Secure Serving: Broker options
   # Specify the TLS protocols the broker will use to negotiate during the TLS handshake
   # (a comma-separated list of protocol names).
   # Examples: [TLSv1.2, TLSv1.1, TLSv1]
   tlsProtocols=
   # Specify the TLS ciphers the broker will use to negotiate during the TLS handshake
   # (a comma-separated list of ciphers).
   # Examples: [TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
   tlsCiphers=

• 43. The Secure Serving: Broker options
   ### --- KeyStore TLS config variables --- ###
   # Enable TLS with KeyStore type configuration in broker.
   tlsEnabledWithKeyStore=false
   # TLS provider for KeyStore type
   tlsProvider=
   # TLS KeyStore type configuration in broker: JKS, PKCS12
   tlsKeyStoreType=JKS
   # TLS KeyStore path in broker
   tlsKeyStore=
   # TLS KeyStore password for broker
   tlsKeyStorePassword=

• 44. The Secure Serving: Broker options
   ### --- KeyStore TLS config variables --- ###
   ……
   # TLS TrustStore type configuration in broker: JKS, PKCS12
   tlsTrustStoreType=JKS
   # TLS TrustStore path in broker
   tlsTrustStore=
   # TLS TrustStore password in broker
   tlsTrustStorePassword=

• 45. The Secure Serving: Broker options
Authentication options in broker:
   # Enable authentication
   authenticationEnabled=true
   # Authentication provider name list, a comma-separated list of class names
   authenticationProviders=org.apache.pulsar.broker.authentication.AuthenticationProviderToken
   # Interval of time for checking for expired authentication credentials
   authenticationRefreshCheckSeconds=60
   # Enforce authorization
   authorizationEnabled=true
   …….

• 46. The Secure Serving: Broker options
Authentication options in broker:
   ……
   # Authorization provider fully qualified class name
   authorizationProvider=org.apache.pulsar.broker.authorization.PulsarAuthorizationProvider
   # Role names that are treated as "super-user", meaning they will be able to do all admin
   # operations and publish/consume from all topics
   superUserRoles=admin

• 47. The Secure Serving: Broker options
Peer-to-peer secure connection options in broker:
   # Authentication settings of the broker itself. Used when the broker connects to other
   # brokers, either in the same or other clusters
   brokerClientTlsEnabled=true
   brokerClientAuthenticationPlugin=org.apache.pulsar.client.impl.auth.AuthenticationToken
   brokerClientAuthenticationParameters=token:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
   brokerClientTrustCertsFilePath=/usr/local/share/ca-certificates/pulsar-gov-pki-ca.pem
   # Supported Athenz provider domain names (comma separated) for authentication
   athenzDomainNames=

• 48. The Secure Serving: Broker options
Setting up authentication in the Pulsar client (client.conf):
   ## Authentication plugin to authenticate with servers
   # e.g. for TLS
   # authPlugin=org.apache.pulsar.client.impl.auth.AuthenticationTls
   authPlugin=
   # Parameters passed to the authentication plugin.
   # A comma-separated list of key:value pairs.
   # Keys depend on the configured authPlugin.
   # e.g. for TLS
   # authParams=tlsCertFile:/path/to/client-cert.pem,tlsKeyFile:/path/to/client-key.pem
   authParams=

• 49. The Secure Serving: Broker options
Setting up TLS in the Pulsar client (client.conf):
   # Allow TLS connections to servers whose certificate cannot be verified to have been
   # signed by a trusted certificate authority.
   tlsAllowInsecureConnection=false
   # Whether the server hostname must match the common name of the certificate the server
   # is using.
   tlsEnableHostnameVerification=false
   tlsTrustCertsFilePath=
   # Enable TLS with KeyStore type configuration in broker.
   useKeyStoreTls=false

• 50. The Secure Serving: Broker options
Setting up TLS in the Pulsar client (client.conf):
   # TLS KeyStore type configuration: JKS, PKCS12
   tlsTrustStoreType=JKS
   # TLS TrustStore path
   tlsTrustStorePath=
   # TLS TrustStore password
   tlsTrustStorePassword=
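The ZooKeeper, BookKeeper, broker and client slides above each leave a few settings that are either transitional (portUnification) or default to the weaker choice (tlsEnableHostnameVerification, tlsAllowInsecureConnection, empty TLS ports, authentication and authorization off). As an added example, not from the talk or from Pulsar, here is a lint over the key=value format those files use that flags exactly those settings; the rule set, the file names it keys on and the sample fragments are constructed here, using only keys that appear on the slides.

```python
"""Lint Pulsar-cluster config fragments for the TLS/auth settings shown on the
slides (added example, not part of the talk or of Pulsar itself)."""
from __future__ import annotations

from typing import Callable

# Deprecated protocol versions: TLS 1.0/1.1 (RFC 8996) and SSLv3 (RFC 7568).
WEAK_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1"}


def _names(value: str) -> set[str]:
    """Split a comma-separated list such as tlsProtocols into a set of names."""
    return {p.strip(" []") for p in value.split(",") if p.strip(" []")}


# (file, key, predicate on the key's value, message). A missing key is "".
RULES: list[tuple[str, str, Callable[[str], bool], str]] = [
    # zookeeper.conf, slides 31-34
    ("zookeeper.conf", "portUnification", lambda v: v == "true",
     "plaintext still accepted alongside TLS; set false once every client uses secureClientPort"),
    ("zookeeper.conf", "sslQuorum", lambda v: v != "true",
     "quorum traffic between ZK servers is not TLS-protected"),
    ("zookeeper.conf", "ssl.hostnameVerification", lambda v: v != "true",
     "client-server TLS does not verify the peer hostname"),
    # bookkeeper.conf, slide 37
    ("bookkeeper.conf", "tlsClientAuthentication", lambda v: v != "true",
     "bookie does not require client certificates (no mutual TLS)"),
    # broker.conf, slides 40-46
    ("broker.conf", "brokerServicePortTls", lambda v: v == "",
     "no TLS data port configured, so TLS on the binary protocol is disabled"),
    ("broker.conf", "tlsAllowInsecureConnection", lambda v: v == "true",
     "untrusted client certificates are accepted"),
    ("broker.conf", "tlsProtocols", lambda v: bool(_names(v) & WEAK_PROTOCOLS),
     "handshake offers deprecated protocol versions"),
    ("broker.conf", "authenticationEnabled", lambda v: v != "true",
     "authentication is off; any client can connect"),
    ("broker.conf", "authorizationEnabled", lambda v: v != "true",
     "authorization is off; every authenticated role can do everything"),
    # client.conf, slide 49
    ("client.conf", "tlsAllowInsecureConnection", lambda v: v == "true",
     "client trusts any server certificate"),
    ("client.conf", "tlsEnableHostnameVerification", lambda v: v != "true",
     "client does not check that the server hostname matches its certificate"),
]


def parse_conf(text: str) -> dict[str, str]:
    """Parse key=value lines; '#' comments and blank lines are ignored, quotes stripped."""
    conf: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip().strip('"').strip("'")
    return conf


def lint(filename: str, text: str) -> list[str]:
    """Return one 'key: message' finding per rule that fires for this file."""
    conf = parse_conf(text)
    return [f"{key}: {msg}" for fname, key, bad, msg in RULES
            if fname == filename and bad(conf.get(key, ""))]


# Constructed sample fragments using only keys that appear on the slides.
SAMPLE_BROKER_CONF = """
brokerServicePort=6650
brokerServicePortTls=6651
# tlsAllowInsecureConnection=false
tlsProtocols=TLSv1.2, TLSv1.1
authenticationEnabled=true
authorizationEnabled=false
"""

SAMPLE_ZK_CONF = """
secureClientPort=2281
portUnification = true
sslQuorum=true
ssl.hostnameVerification=true
"""
```

A commented-out key such as `# tlsAllowInsecureConnection=false` counts as absent, which is why the rules treat "" as the (safe or unsafe) default rather than skipping the check.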
• 51. References
1. Pulsar docs: https://pulsar.apache.org/docs
2. Digital certificates: https://sites.google.com/site/ddmwsst/digital-certificates
3. Mutual TLS: https://dzone.com/articles/hakky54mutual-tls-1
4. Broker TLS: http://pulsar.apache.org/docs/en/security-tls-transport/
5. BookKeeper TLS: https://bookkeeper.apache.org/docs/latest/security/tls/
6. ZooKeeper TLS:
   ● https://cwiki.apache.org/confluence/display/ZOOKEEPER/ZooKeeper+SSL+User+Guide
   ● https://zookeeper.apache.org/doc/r3.5.7/zookeeperAdmin.html#sc_authOptions
   ● https://cwiki.apache.org/confluence/display/ZOOKEEPER/ZooKeeper+and+SASL

• 52. Stay Connected / Q & A
● Pulsar mailing lists
  ○ users@pulsar.apache.org
  ○ dev@pulsar.apache.org
● Pulsar Slack
  ○ https://apache-pulsar.slack.com
● You can contact me at:
  ○ https://twitter.com/ShivjiJha
  ○ https://www.linkedin.com/in/shivjijha/