[improve][broker] PIP-488: Pluggable authentication audit-event hook#26144
Open
PavelZeger wants to merge 7 commits into
Open
[improve][broker] PIP-488: Pluggable authentication audit-event hook#26144PavelZeger wants to merge 7 commits into
PavelZeger wants to merge 7 commits into
Conversation
…ces and DN mapping rules)
…SAN sources and DN mapping rules)" This reverts commit 911a0c3.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Motivation
Pulsar exposes only aggregate
AuthenticationMetrics(success/failure counters by provider and error code). There is no per-login structured record - nothing that says "principal P authenticated via method M from address A at time T," or "a failed attempt with reason R came from A."Security teams need that audit trail: SIEM ingestion, anomaly detection (failure spikes from one source, a principal appearing from an unexpected location), incident forensics, and compliance. Counters cannot answer "who, from where, when, and why did this fail." Today operators must scrape provider-internal logs (unstructured, mostly absent) or fork the broker.
BrokerInterceptoris the closest existing extension point, but it does not cover this: it fires only on successful binary connections (onConnectionCreated), runs inline on the event-loop thread (can block auth), is not authentication-scoped, and cannot be reached frompulsar-broker-commonwhere HTTP/admin auth happens. This proposal closes the gap.Modifications
Adds the design document
pip/pip-488.md. It proposes a pluggable authentication audit-event hook that emits a structured, secret-freeAuthenticationEventon login success, failure, and refresh, on both the binary and HTTP/HTTPS paths, delivered through a bounded background queue so a slow or throwing listener can never stall or fail authentication.The proposal presents two delivery options side by side for the community to choose on the DISCUSS thread:
default onAuthenticationEvent(...)method to the existingBrokerInterceptorand reuse its loading/lifecycle.AuthenticationEventListenerSPI inpulsar-broker-common.This PR contains only the proposal document - no production code or configuration changes.
Verifying this change
This change is a trivial rework / documentation-only change (a PIP design document) without any test coverage.
Does this pull request potentially affect one of the following parts: