[IO] Pass client builder to debezium database history #11293
Conversation
There was a problem hiding this comment.
LGTM for functionality purpose.
I'm just a little concerned about:
- the new exposed API.
- the security of passing this object string around.
If you can help explain it's secure to do so, that will be great. Specifically, what happens a user gets the ClientBuilder and change certain field while keep some sensitive auth fields the same. Will this cause unexpected access to another pulsarcluser/tenant/topic?
| @@ -61,26 +66,34 @@ | |||
| .withValidation(Field::isRequired); | |||
|
|
|||
| public static final Field SERVICE_URL = Field.create(CONFIGURATION_FIELD_PREFIX_STRING + "pulsar.service.url") | |||
| .withDisplayName("Pulsar broker addresses") | |||
| .withDisplayName("Pulsar service url") | |||
| .withType(Type.STRING) | |||
| .withWidth(Width.LONG) | |||
| .withImportance(Importance.HIGH) | |||
| .withDescription("Pulsar service url") | |||
| .withValidation(Field::isRequired); | |||
There was a problem hiding this comment.
we can set either this serviceUrl field or the following clientBuilder field. so they might not be required now.
There was a problem hiding this comment.
Overall the approach looks good to me, it is a great idea indeed.
One question related to security:
with this change the Function code is able to easily access the Authentication information (because it can Serialize the Builder and then read the credentials).
Before this change (with the previous approach) the Function was not able to access the credentials but only to use the PulsarClient, for instance a JWT token could not be stolen. Now you can deploy the Function (the auth information is set by the Admin who deploys the function, not by the author of the function) and the Function can get the credentials and send them outside the cluster.
is it something we should care about ?
pulsar-functions/api-java/src/main/java/org/apache/pulsar/functions/api/BaseContext.java
Outdated
Show resolved
Hide resolved
pulsar-io/debezium/core/src/main/java/org/apache/pulsar/io/debezium/DebeziumSource.java
Outdated
Show resolved
Hide resolved
|
/pulsarbot run-failure-checks |
sijie
changed the title
| * | ||
| * @return the instance of pulsar client builder. | ||
| */ | ||
| default ClientBuilder getPulsarClientBuilder() { |
There was a problem hiding this comment.
@nlu90 You need to implement this method in the sub-classes.
|
/pulsarbot run-failure-checks |
2 similar comments
|
/pulsarbot run-failure-checks |
|
/pulsarbot run-failure-checks |
...-io/debezium/core/src/test/java/org/apache/pulsar/io/debezium/PulsarDatabaseHistoryTest.java
Outdated
Show resolved
Hide resolved
|
/pulsarbot run-failure-checks |
1 similar comment
|
/pulsarbot run-failure-checks |
nlu90
force-pushed
the
wip_current_context
branch
from
3ce2769 to
028210f
Compare
|
/pulsarbot run-failure-checks |
|
@eolivelli Cloud you please help review this PR again, thanks. |
|
There are still some unaddressed comments of mine:
|
pulsar-io/debezium/core/src/main/java/org/apache/pulsar/io/debezium/PulsarDatabaseHistory.java
Outdated
Show resolved
Hide resolved
nlu90
force-pushed
the
wip_current_context
branch
from
028210f to
2f4919d
Compare
|
integration tests failed, regarding Debezium, please check |
|
move to 2.8.2. |
|
@hangc0276 this is a new API, probably it won't be delivered in 2.8.x. I suggest to remove the 2.8.2 label. in point releases we should not add new APIs |
|
/pulsarbot run-failure-checks |
nlu90
force-pushed
the
wip_current_context
branch
from
cc2a4d6 to
04d72d8
Compare
| @@ -62,12 +62,6 @@ | |||
| <version>${kafka-client.version}</version> | |||
| </dependency> | |||
|
|
|||
| <dependency> | |||
| <groupId>${project.groupId}</groupId> | |||
| <artifactId>pulsar-client-original</artifactId> | |||
There was a problem hiding this comment.
This is very interesting.
it looks like that we do not need to import the pulsar-client-original anymore
freeznet
force-pushed
the
wip_current_context
branch
from
8b60fe1 to
350950a
Compare
freeznet
force-pushed
the
wip_current_context
branch
from
350950a to
bcbcabf
Compare
Cherry pick #11293 ## Motivation The Debezium requires pulsar a service URL for history database usage. In #11056 , the service.url field from PulsarKafkaWorkerConfig is no longer available. And the value is also deleted from multiple yaml config files in this commit. This causes the integration test for Debezium connector to fail. Based on the Debezium paradigm, all configurations should be passed as strings. There's no easy way to inject a PulsarClient via configuration. We need to ask user to provide the pulsar url explicitly and probably auth info also. ## Modifications Make the database.history.pulsar.service.url field required Add the config value back to example yaml files Update the integration test config
…m connector (#12145) (#14040) # Conflicts: # pulsar-io/debezium/core/src/main/java/org/apache/pulsar/io/debezium/DebeziumSource.java # pulsar-io/debezium/core/src/main/java/org/apache/pulsar/io/debezium/PulsarDatabaseHistory.java # tests/integration/src/test/java/org/apache/pulsar/tests/integration/io/sources/debezium/DebeziumMySqlSourceTester.java # tests/integration/src/test/java/org/apache/pulsar/tests/integration/io/sources/debezium/PulsarDebeziumSourcesTest.java ### Motivation #11293 allows to passing client builder to debezium database history, but it still requires passing `database.history.pulsar.service.url` as well. With client builder, the `database.history.pulsar.service.url` is not been used anymore. This PR fixes the logic and only pass client builder with no `database.history.pulsar.service.url` provided. Cherry-pick #12145 into branch-2.8
an alternative approach for apache#11251
an alternative approach for #11251