diff --git a/pulsar-broker/src/main/java/org/apache/pulsar/broker/service/BrokerService.java b/pulsar-broker/src/main/java/org/apache/pulsar/broker/service/BrokerService.java
index 15d48e59849b6..ca76a86659141 100644
--- a/pulsar-broker/src/main/java/org/apache/pulsar/broker/service/BrokerService.java
+++ b/pulsar-broker/src/main/java/org/apache/pulsar/broker/service/BrokerService.java
@@ -1308,7 +1308,7 @@ public PulsarClient getReplicationClient(String cluster, Optional c
 data.getBrokerClientTrustCertsFilePath(),
 data.getBrokerClientKeyFilePath(),
 data.getBrokerClientCertificateFilePath(),
- pulsar.getConfiguration().isTlsHostnameVerificationEnabled()
+ data.isTlsHostnameVerificationEnabled()
 );
 } else if (pulsar.getConfiguration().isBrokerClientTlsEnabled()) {
 configTlsSettings(clientBuilder, serviceUrlTls,
@@ -1445,7 +1445,7 @@ public PulsarAdmin getClusterPulsarAdmin(String cluster, Optional c
 data.getBrokerClientTrustCertsFilePath(),
 data.getBrokerClientKeyFilePath(),
 data.getBrokerClientCertificateFilePath(),
- pulsar.getConfiguration().isTlsHostnameVerificationEnabled()
+ data.isTlsHostnameVerificationEnabled()
 );
 } else if (conf.isBrokerClientTlsEnabled()) {
 configAdminTlsSettings(builder,
@@ -1460,7 +1460,7 @@ public PulsarAdmin getClusterPulsarAdmin(String cluster, Optional c
 conf.getBrokerClientTrustCertsFilePath(),
 conf.getBrokerClientKeyFilePath(),
 conf.getBrokerClientCertificateFilePath(),
- pulsar.getConfiguration().isTlsHostnameVerificationEnabled()
+ conf.isTlsHostnameVerificationEnabled()
 );
 }
diff --git a/pulsar-client-admin-api/src/main/java/org/apache/pulsar/common/policies/data/ClusterData.java b/pulsar-client-admin-api/src/main/java/org/apache/pulsar/common/policies/data/ClusterData.java
index 212a1575f9934..c298940c6fa02 100644
--- a/pulsar-client-admin-api/src/main/java/org/apache/pulsar/common/policies/data/ClusterData.java
+++ b/pulsar-client-admin-api/src/main/java/org/apache/pulsar/common/policies/data/ClusterData.java
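Review bot: The replaced argument makes the per-cluster `tlsHostnameVerificationEnabled` the sole authority for the replication client's TLS hostname check, so a cluster record carrying `false` — written through the admin API or directly into the metadata store — switches the check off even on a broker whose operator set `tlsHostnameVerificationEnabled=true` in its own configuration, where previously the broker setting alone decided. If the intent is per-cluster opt-in rather than per-cluster opt-out, keep the broker setting as a floor: `data.isTlsHostnameVerificationEnabled() || pulsar.getConfiguration().isTlsHostnameVerificationEnabled()`. If opt-out is intended, at least log at WARN from this branch when `data.isTlsHostnameVerificationEnabled()` is false, so a downgrade of the replication link is visible in the broker log. `getReplicationClient` starts and ends outside the hunk, so I cannot see how `data` is obtained on this path.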
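Review bot: The same `data.isTlsHostnameVerificationEnabled()` decision is now made here in `getClusterPulsarAdmin` and in `getReplicationClient` above, and both sites must agree on whether the cluster value overrides or merely relaxes the broker-wide `tlsHostnameVerificationEnabled`; two copies invite drift the next time one of them is hardened. Suggest one private helper, e.g. `private boolean isHostnameVerificationEnabled(ClusterData data) { return data.isTlsHostnameVerificationEnabled(); }`, with a Javadoc stating the precedence rule, called from both sites. `getClusterPulsarAdmin` continues outside the hunk.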
@@ -48,6 +48,8 @@ public interface ClusterData {
 boolean isTlsAllowInsecureConnection();
+ boolean isTlsHostnameVerificationEnabled();
+
 boolean isBrokerClientTlsEnabledWithKeyStore();
 String getBrokerClientTlsTrustStoreType();
@@ -97,6 +99,8 @@ interface Builder {
 Builder tlsAllowInsecureConnection(boolean enabled);
+ Builder tlsHostnameVerificationEnabled(boolean enabled);
+
 Builder brokerClientTlsEnabledWithKeyStore(boolean enabled);
 Builder brokerClientTlsTrustStoreType(String trustStoreType);
diff --git a/pulsar-client-tools/src/main/java/org/apache/pulsar/admin/cli/CmdClusters.java b/pulsar-client-tools/src/main/java/org/apache/pulsar/admin/cli/CmdClusters.java
index 173595c9b19a4..96e228e67d211 100644
--- a/pulsar-client-tools/src/main/java/org/apache/pulsar/admin/cli/CmdClusters.java
+++ b/pulsar-client-tools/src/main/java/org/apache/pulsar/admin/cli/CmdClusters.java
@@ -320,6 +320,10 @@ abstract class ClusterDetailsCommand extends BaseCommand {
 @Parameter(names = "--tls-allow-insecure", description = "Allow insecure tls connection", required = false)
 protected Boolean tlsAllowInsecureConnection;
+ @Parameter(names = "--hostname-verification-enabled", description = "Enable hostname verification",
+ required = false)
+ protected Boolean tlsHostnameVerificationEnabled;
+
 @Parameter(names = "--tls-enable-keystore", description = "Whether use KeyStore type to authenticate", required = false)
 protected Boolean brokerClientTlsEnabledWithKeyStore;
@@ -411,6 +415,9 @@ void processArguments() throws Exception {
 if (tlsAllowInsecureConnection != null) {
 builder.tlsAllowInsecureConnection(tlsAllowInsecureConnection);
 }
+ if (tlsHostnameVerificationEnabled != null) {
+ builder.tlsHostnameVerificationEnabled(tlsHostnameVerificationEnabled);
+ }
 if (brokerClientTlsEnabledWithKeyStore != null) {
 builder.brokerClientTlsEnabledWithKeyStore(brokerClientTlsEnabledWithKeyStore);
 }
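Review bot: `isTlsHostnameVerificationEnabled()` is added to the public `ClusterData` interface in `pulsar-client-admin-api` as an abstract method with no Javadoc, so a reader of the API cannot tell which connection the flag governs or what an unset value means. Suggest a Javadoc on the accessor, e.g. `/** Whether the broker verifies the remote hostname against the TLS certificate when it connects to this cluster. */`, mentioning the `true` default chosen in `ClusterDataImpl`. Because this is a published API, a `default` implementation returning `true` would also keep any out-of-tree `ClusterData` implementation compiling with a safe value, if the project's API-compatibility policy permits default methods here.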
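Review bot: The description `"Enable hostname verification"` does not tell an operator which hostname check this is or what happens when the flag is omitted, and the option name drops the `--tls-` prefix used by the neighbouring `--tls-allow-insecure` and `--tls-enable-keystore` options. Suggest `description = "Enable TLS hostname verification for connections to this cluster (default: true when omitted)"` and accepting both spellings, `names = {"--tls-hostname-verification-enabled", "--hostname-verification-enabled"}`, so the consistent name exists without breaking scripts. Whether `update` leaves an omitted flag untouched or resets it to the builder default is decided by code outside the hunk and deserves a test either way.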
diff --git a/pulsar-common/src/main/java/org/apache/pulsar/common/policies/data/ClusterDataImpl.java b/pulsar-common/src/main/java/org/apache/pulsar/common/policies/data/ClusterDataImpl.java
index 2ca75245a8c22..b822f31f52a17 100644
--- a/pulsar-common/src/main/java/org/apache/pulsar/common/policies/data/ClusterDataImpl.java
+++ b/pulsar-common/src/main/java/org/apache/pulsar/common/policies/data/ClusterDataImpl.java
@@ -109,6 +109,11 @@ public final class ClusterDataImpl implements ClusterData, Cloneable {
 + " authority."
 )
 private boolean tlsAllowInsecureConnection;
+ @ApiModelProperty(
+ name = "tlsHostnameVerificationEnabled",
+ value = "Enable TLS hostname verification"
+ )
+ private boolean tlsHostnameVerificationEnabled = true;
 @ApiModelProperty(
 name = "brokerClientTlsEnabledWithKeyStore",
 value = "Whether internal client use KeyStore type to authenticate with other Pulsar brokers"
@@ -203,6 +208,7 @@ public ClusterDataImplBuilder clone() {
 .peerClusterNames(peerClusterNames)
 .brokerClientTlsEnabled(brokerClientTlsEnabled)
 .tlsAllowInsecureConnection(tlsAllowInsecureConnection)
+ .tlsHostnameVerificationEnabled(tlsHostnameVerificationEnabled)
 .brokerClientTlsEnabledWithKeyStore(brokerClientTlsEnabledWithKeyStore)
 .brokerClientTlsTrustStoreType(brokerClientTlsTrustStoreType)
 .brokerClientTlsTrustStore(brokerClientTlsTrustStore)
@@ -231,6 +237,7 @@ public static class ClusterDataImplBuilder implements ClusterData.Builder {
 private LinkedHashSet peerClusterNames;
 private boolean brokerClientTlsEnabled = false;
 private boolean tlsAllowInsecureConnection = false;
+ private boolean tlsHostnameVerificationEnabled = true;
 private boolean brokerClientTlsEnabledWithKeyStore = false;
 private String brokerClientTlsTrustStoreType = "JKS";
 private String brokerClientTlsTrustStore;
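Review bot: The new field defaults to `true`, which is the safe direction, but whether an existing cluster record stored without `tlsHostnameVerificationEnabled` actually comes back as `true` depends on how the JSON is deserialized — through the field initializer or through the positional all-args constructor that `build()` calls — and nothing in this change pins that down. Suggest a test that deserializes a cluster JSON document lacking the property and asserts `isTlsHostnameVerificationEnabled()` is `true`, so a fail-open default on legacy records cannot slip in silently. The `@ApiModelProperty` text should also state the scope and the default, e.g. `value = "Whether the broker verifies the remote hostname against its TLS certificate when connecting to this cluster (default: true)"`. Note that brokers whose own `tlsHostnameVerificationEnabled` was left off will, with this default, start verifying hostnames on replication links to existing clusters, which can break replication where certificates lack matching SANs; that deserves a release note.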
@@ -303,6 +310,11 @@ public ClusterDataImplBuilder tlsAllowInsecureConnection(boolean tlsAllowInsecur
 return this;
 }
+ public ClusterDataImplBuilder tlsHostnameVerificationEnabled(boolean tlsHostnameVerificationEnabled) {
+ this.tlsHostnameVerificationEnabled = tlsHostnameVerificationEnabled;
+ return this;
+ }
+
 public ClusterDataImplBuilder brokerClientTlsEnabledWithKeyStore(boolean brokerClientTlsEnabledWithKeyStore) {
 this.brokerClientTlsEnabledWithKeyStore = brokerClientTlsEnabledWithKeyStore;
 return this;
@@ -387,6 +399,7 @@ public ClusterDataImpl build() {
 peerClusterNames,
 brokerClientTlsEnabled,
 tlsAllowInsecureConnection,
+ tlsHostnameVerificationEnabled,
 brokerClientTlsEnabledWithKeyStore,
 brokerClientTlsTrustStoreType,
 brokerClientTlsTrustStore,
diff --git a/pulsar-common/src/test/java/org/apache/pulsar/common/policies/data/ClusterDataImplTest.java b/pulsar-common/src/test/java/org/apache/pulsar/common/policies/data/ClusterDataImplTest.java
index ca4cba2cf9749..1c2f2dd65999b 100644
--- a/pulsar-common/src/test/java/org/apache/pulsar/common/policies/data/ClusterDataImplTest.java
+++ b/pulsar-common/src/test/java/org/apache/pulsar/common/policies/data/ClusterDataImplTest.java
@@ -42,6 +42,7 @@ public void verifyClone() {
 .peerClusterNames(new LinkedHashSet<>())
 .brokerClientTlsEnabled(true)
 .tlsAllowInsecureConnection(false)
+ .tlsHostnameVerificationEnabled(true)
 .brokerClientTlsEnabledWithKeyStore(true)
 .brokerClientTlsTrustStoreType("JKS")
 .brokerClientTlsTrustStore("/my/trust/store")
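Review bot: `.tlsHostnameVerificationEnabled(true)` in `verifyClone` sets the field to the builder's own default (`true`), so a `clone()` that silently dropped the new builder call would still produce an equal object and the test would pass. Use the non-default value here, `.tlsHostnameVerificationEnabled(false)`; `false` also differs from the neighbouring `brokerClientTlsEnabledWithKeyStore(true)` argument, so a positional swap of the two booleans in `build()` would be caught as well. The rest of `verifyClone` is outside the hunk.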