Improve security setting of Pulsar Functions (apache#7578)

Signed-off-by: xiaolong.ran <[email protected]> ### Motivation Improve security setting of Pulsar Functions ### Modifications - Add `TLS Authentication` example - Improve `TLS Transport` config - Add `authorizationProvider` filed for **Authorization**
wanghhao · Jul 18, 2020 · 2374cd9 · 2374cd9
1 parent 4e1a677
commit 2374cd9
Showing 1 changed file with 19 additions and 1 deletion.
diff --git a/site2/docs/functions-worker.md b/site2/docs/functions-worker.md
@@ -105,10 +105,17 @@ If you want to enable security on functions workers, you *should*:
 To enable TLS transport encryption, configure the following settings.
 
 ```
+useTLS: true
+pulsarServiceUrl: pulsar+ssl://localhost:6651/
+pulsarWebServiceUrl: https://localhost:8443
+
 tlsEnabled: true
 tlsCertificateFilePath: /path/to/functions-worker.cert.pem
 tlsKeyFilePath:         /path/to/functions-worker.key-pk8.pem
 tlsTrustCertsFilePath:  /path/to/ca.cert.pem
+
+// The path to trusted certificates used by the Pulsar client to authenticate with Pulsar brokers
+brokerClientTrustCertsFilePath: /path/to/ca.cert.pem
 ```
 
 For details on TLS encryption, refer to [Transport Encryption using TLS](security-tls-transport.md).
@@ -124,6 +131,16 @@ authenticationEnabled: true
 authenticationProviders: [ provider1, provider2 ]
 ```
 
+For *TLS Authentication* provider, follow the example below to add the necessary settings.
+See [TLS Authentication](security-tls-authentication.md) for more details.
+```
+brokerClientAuthenticationPlugin: org.apache.pulsar.client.impl.auth.AuthenticationTls
+brokerClientAuthenticationParameters: tlsCertFile:/path/to/admin.cert.pem,tlsKeyFile:/path/to/admin.key-pk8.pem
+
+authenticationEnabled: true
+authenticationProviders: ['org.apache.pulsar.broker.authentication.AuthenticationProviderTls']
+```
+
 For *SASL Authentication* provider, add `saslJaasClientAllowedIds` and `saslJaasBrokerSectionName`
 under `properties` if needed. 
 
@@ -144,10 +161,11 @@ properties:
 
 ##### Enable Authorization Provider
 
-To enable authorization on Functions Worker, you need to configure `authorizationEnabled` and `configurationStoreServers`. The authentication provider connects to `configurationStoreServers` to receive namespace policies.
+To enable authorization on Functions Worker, you need to configure `authorizationEnabled`, `authorizationProvider` and `configurationStoreServers`. The authentication provider connects to `configurationStoreServers` to receive namespace policies.
 
 ```yaml
 authorizationEnabled: true
+authorizationProvider: org.apache.pulsar.broker.authorization.PulsarAuthorizationProvider
 configurationStoreServers: <configuration-store-servers>
 ```