Support encryption in websocket proxy #16234
@rdhabalia Please provide a correct documentation label for your PR.
@FieldContext( | ||
doc = "CryptoKeyReader factory classname to support encryption at websocket." | ||
) | ||
private String cryptoKeyReaderFactoryClassName; |
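Review bot: the `doc` text on `cryptoKeyReaderFactoryClassName` says only that this is a "CryptoKeyReader factory classname"; it does not name the interface the class must implement or state what the proxy does when the value is unset. Because this class determines which encryption keys the proxy process can load, the doc string should spell out both, and note that the value is expected to be a fully qualified class name if that is the case.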
Does this mean that the key needs to be available in the WebSocket server?
Wouldn't it be easier to have the keys submitted by the WS client application? Otherwise the WS server will have to store all the private keys for all the topics that need to be exposed in this way.
Websocket proxy can be used at the client side, and the user would like to take care of the entire encryption complexity at the websocket. Keys are generally stored in CKMS, and cryptoKeyReader is just a utility to read those keys. So, the producer provides the name of the encryption key and the websocket takes care of the rest of the complexity.
So, this feature will be useful when a single tenant deploys the websocket proxy at the client side and avoids any encryption complexity.
Lgtm
…ocket.conf (#20840) Motivation: Since the PR #16234 added the prop `cryptoKeyReaderFactoryClassName` for the WebSocket Proxy, but did not add this prop to `websocket.conf`. This can make a script which tries to replace the attribute a bit difficult to write. Modifications: add the conf `cryptoKeyReaderFactoryClassName` into the file `websocket.conf`
…ocket.conf (#20840) Motivation: Since the PR #16234 added the prop `cryptoKeyReaderFactoryClassName` for the WebSocket Proxy, but did not add this prop to `websocket.conf`. This can make a script which tries to replace the attribute a bit difficult to write. Modifications: add the conf `cryptoKeyReaderFactoryClassName` into the file `websocket.conf` (cherry picked from commit 5d0aa56)
Motivation
The websocket proxy can be deployed by a user at the client side to serve as a proxy between the client app and the broker. However, the user also wants to enable encryption by publishing and consuming encrypted messages. Therefore, the user wants to enable encryption at the websocket proxy, which can encrypt publish/consume messages for the user. So, we need encryption support at the websocket proxy which can use a user-provided `CryptoKeyReader` implementation and load the appropriate encryption keys to publish/consume encrypted messages.

Modification
`CryptoKeyReaderFactory` at websocket proxy which can create `CryptoKeyReader` for websocket

Result
Websocket supports encryption/decryption for producer/consumer/reader.
doc-complete