[improve][broker] PIP-490: Zero-downtime token signing-key rotation for the built-in JWT provider#26204
Open
PavelZeger wants to merge 7 commits into
Open
Conversation
…ces and DN mapping rules)
…SAN sources and DN mapping rules)" This reverts commit 911a0c3.
…or the built-in JWT provider
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Motivation
Pulsar's built-in JWT provider (
AuthenticationProviderToken) validates every token against a single key that is loaded once at startup and never reloaded. As a result, a signing key cannot be rotated without downtime: there is no window in which both the old and the new key are accepted, so operators must re-issue every token and flip the broker/proxy config in lockstep - in practice a coordinated restart - rejecting "wrong-key" tokens during the switch. That turns key-compromise response into an outage and discourages routine rotation, even thoughAuthenticationProviderOpenIDalready resolves keys by kid from a multi-key set.Modifications
Adds the design document only -
pip/pip-490.md. No code changes.The proposal covers:
keyLocator.Jwks/JwkSet), so each key carries its kid, type, and algorithm - which also closes the JWT algorithm-confusion (RS256 → HS256) surface a naive multi-key design would open.tokenValidationKeysJwks,tokenValidationKeysRefreshSeconds,tokenRequireKid) mirrored intoProxyConfiguration; an optional pulsar tokens create--key-id; a newINVALID_TOKEN_KIDerror code.Implementation will follow in a separate
[improve][broker]PR once the PIP is accepted.Verifying this change
This change is a documentation-only design proposal (adds
pip/pip-490.md); it contains no code and therefore no test coverage.Does this pull request potentially affect one of the following parts:
None - this PR adds a design document only. (The proposal describes future config, CLI, and metrics changes; none are introduced by this PR.)