content/docs/en/2.3.2/security-kerberos.html - pulsar-site - Git at Google

 <!DOCTYPE html><html lang="en"><head><meta charSet="utf-8"/><meta http-equiv="X-UA-Compatible" content="IE=edge"/><title>Authentication using Kerberos · Apache Pulsar</title><meta name="viewport" content="width=device-width, initial-scale=1.0"/><meta name="generator" content="Docusaurus"/><meta name="description" content="[Kerberos](https://web.mit.edu/kerberos/) is a network authentication protocol. It is designed to provide strong authentication for client/server applications by using secret-key cryptography. "/><meta name="docsearch:version" content="2.3.2"/><meta name="docsearch:language" content="en"/><meta property="og:title" content="Authentication using Kerberos · Apache Pulsar"/><meta property="og:type" content="website"/><meta property="og:url" content="https://pulsar.apache.org/"/><meta property="og:description" content="[Kerberos](https://web.mit.edu/kerberos/) is a network authentication protocol. It is designed to provide strong authentication for client/server applications by using secret-key cryptography. "/><meta name="twitter:card" content="summary"/><meta name="twitter:image" content="https://pulsar.apache.org/img/pulsar.svg"/><link rel="shortcut icon" href="/img/pulsar.ico"/><link rel="stylesheet" href="//cdnjs.cloudflare.com/ajax/libs/highlight.js/9.12.0/styles/atom-one-dark.min.css"/><link rel="alternate" type="application/atom+xml" href="https://pulsar.apache.org/blog/atom.xml" title="Apache Pulsar Blog ATOM Feed"/><link rel="alternate" type="application/rss+xml" href="https://pulsar.apache.org/blog/feed.xml" title="Apache Pulsar Blog RSS Feed"/><link rel="stylesheet" href="/css/code-blocks-buttons.css"/><script type="text/javascript" src="https://buttons.github.io/buttons.js"></script><script type="text/javascript" src="https://cdnjs.cloudflare.com/ajax/libs/clipboard.js/2.0.0/clipboard.min.js"></script><script type="text/javascript" src="/js/custom.js"></script><script src="/js/scrollSpy.js"></script><link rel="stylesheet" href="/css/main.css"/><script src="/js/codetabs.js"></script></head><body class="sideNavVisible separateOnPageNav"><div class="fixedHeaderContainer"><div class="headerWrapper wrapper"><header><a href="/en"><img class="logo" src="/img/pulsar.svg" alt="Apache Pulsar"/></a><a href="/en/versions"><h3>2.3.2</h3></a><div class="navigationWrapper navigationSlider"><nav class="slidingNav"><ul class="nav-site nav-site-internal"><li class="siteNavGroupActive"><a href="/docs/en/2.3.2/getting-started-standalone" target="_self">Docs</a></li><li class=""><a href="/en/download" target="_self">Download</a></li><li class="siteNavGroupActive"><a href="/docs/en/2.3.2/client-libraries" target="_self">Clients</a></li><li class=""><a href="#restapis" target="_self">REST APIs</a></li><li class=""><a href="#cli" target="_self">Cli</a></li><li class=""><a href="/blog/" target="_self">Blog</a></li><li class=""><a href="#community" target="_self">Community</a></li><li class=""><a href="#apache" target="_self">Apache</a></li><li class=""><a href="https://pulsar-next.staged.apache.org/" target="_self">New Website (Beta)</a></li><span><li><a id="languages-menu" href="#"><img class="languages-icon" src="/img/language.svg" alt="Languages icon"/>English</a><div id="languages-dropdown" class="hide"><ul id="languages-dropdown-items"><li><a href="/docs/ja/2.3.2/security-kerberos">日本語</a></li><li><a href="/docs/fr/2.3.2/security-kerberos">Français</a></li><li><a href="/docs/ko/2.3.2/security-kerberos">한국어</a></li><li><a href="/docs/zh-CN/2.3.2/security-kerberos">中文</a></li><li><a href="/docs/zh-TW/2.3.2/security-kerberos">繁體中文</a></li><li><a href="https://crowdin.com/project/apache-pulsar" target="_blank" rel="noreferrer noopener">Help Translate</a></li></ul></div></li><script>
         const languagesMenuItem = document.getElementById("languages-menu");
         const languagesDropDown = document.getElementById("languages-dropdown");
         languagesMenuItem.addEventListener("click", function(event) {
           event.preventDefault();

           if (languagesDropDown.className == "hide") {
             languagesDropDown.className = "visible";
           } else {
             languagesDropDown.className = "hide";
           }
         });
       </script></span></ul></nav></div></header></div></div><div class="navPusher"><div class="docMainWrapper wrapper"><div class="docsNavContainer" id="docsNav"><nav class="toc"><div class="toggleNav"><section class="navWrapper wrapper"><div class="navBreadcrumb wrapper"><div class="navToggle" id="navToggler"><div class="hamburger-menu"><div class="line1"></div><div class="line2"></div><div class="line3"></div></div></div><h2><i>›</i><span>Security</span></h2><div class="tocToggler" id="tocToggler"><i class="icon-toc"></i></div></div><div class="navGroups"><div class="navGroup"><h3 class="navGroupCategoryTitle">Getting Started</h3><ul class=""><li class="navListItem"><a class="navItem" href="/docs/en/2.3.2/pulsar-2.0">Pulsar 2.0</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.3.2/getting-started-standalone">Run Pulsar locally</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.3.2/getting-started-docker">Run Pulsar in Docker</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.3.2/client-libraries">Use Pulsar with client libraries</a></li></ul></div><div class="navGroup"><h3 class="navGroupCategoryTitle">Concepts and Architecture</h3><ul class=""><li class="navListItem"><a class="navItem" href="/docs/en/2.3.2/concepts-overview">Overview</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.3.2/concepts-messaging">Messaging</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.3.2/concepts-architecture-overview">Architecture</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.3.2/concepts-clients">Clients</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.3.2/concepts-replication">Geo Replication</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.3.2/concepts-multi-tenancy">Multi Tenancy</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.3.2/concepts-authentication">Authentication and Authorization</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.3.2/concepts-topic-compaction">Topic Compaction</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.3.2/concepts-tiered-storage">Tiered Storage</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.3.2/concepts-schema-registry">Schema Registry</a></li></ul></div><div class="navGroup"><h3 class="navGroupCategoryTitle">Pulsar Functions</h3><ul class=""><li class="navListItem"><a class="navItem" href="/docs/en/2.3.2/functions-overview">Overview</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.3.2/functions-quickstart">Getting started</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.3.2/functions-api">API</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.3.2/functions-deploying">Deploying functions</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.3.2/functions-guarantees">Processing guarantees</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.3.2/functions-state">State Storage</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.3.2/functions-metrics">Metrics</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.3.2/functions-worker">Functions Worker</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.3.2/window-functions-context">Window Functions: Context</a></li></ul></div><div class="navGroup"><h3 class="navGroupCategoryTitle">Pulsar IO</h3><ul class=""><li class="navListItem"><a class="navItem" href="/docs/en/2.3.2/io-overview">Overview</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.3.2/io-quickstart">Getting started</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.3.2/io-managing">Managing Connectors</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.3.2/io-connectors">Builtin Connectors</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.3.2/io-develop">Developing Connectors</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.3.2/io-cdc">CDC Connector</a></li></ul></div><div class="navGroup"><h3 class="navGroupCategoryTitle">Pulsar SQL</h3><ul class=""><li class="navListItem"><a class="navItem" href="/docs/en/2.3.2/sql-overview">Overview</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.3.2/sql-getting-started">Getting Started</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.3.2/sql-deployment-configurations">Deployment and Configuration</a></li></ul></div><div class="navGroup"><h3 class="navGroupCategoryTitle">Deployment</h3><ul class=""><li class="navListItem"><a class="navItem" href="/docs/en/2.3.2/deploy-aws">Amazon Web Services</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.3.2/deploy-kubernetes">Kubernetes</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.3.2/deploy-bare-metal">Bare metal</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.3.2/deploy-bare-metal-multi-cluster">Bare metal multi-cluster</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.3.2/deploy-monitoring">Monitoring</a></li></ul></div><div class="navGroup"><h3 class="navGroupCategoryTitle">Administration</h3><ul class=""><li class="navListItem"><a class="navItem" href="/docs/en/2.3.2/administration-zk-bk">ZooKeeper and BookKeeper</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.3.2/administration-geo">Geo-replication</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.3.2/administration-dashboard">Dashboard</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.3.2/administration-stats">Pulsar statistics</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.3.2/administration-load-balance">Load balance</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.3.2/administration-proxy">Pulsar proxy</a></li></ul></div><div class="navGroup"><h3 class="navGroupCategoryTitle">Security</h3><ul class=""><li class="navListItem"><a class="navItem" href="/docs/en/2.3.2/security-overview">Overview</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.3.2/security-tls-transport">Transport Encryption using TLS</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.3.2/security-tls-authentication">Authentication using TLS</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.3.2/security-token-client">Client Authentication using tokens</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.3.2/security-token-admin">Token authentication admin</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.3.2/security-athenz">Authentication using Athenz</a></li><li class="navListItem navListItemActive"><a class="navItem" href="/docs/en/2.3.2/security-kerberos">Authentication using Kerberos</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.3.2/security-authorization">Authorization and ACLs</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.3.2/security-encryption">End-to-End Encryption</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.3.2/security-extending">Extending</a></li></ul></div><div class="navGroup"><h3 class="navGroupCategoryTitle">Client Libraries</h3><ul class=""><li class="navListItem"><a class="navItem" href="/docs/en/2.3.2/client-libraries-java">Java</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.3.2/client-libraries-go">Go</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.3.2/client-libraries-python">Python</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.3.2/client-libraries-cpp">C++</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.3.2/client-libraries-websocket">WebSocket</a></li></ul></div><div class="navGroup"><h3 class="navGroupCategoryTitle">Admin API</h3><ul class=""><li class="navListItem"><a class="navItem" href="/docs/en/2.3.2/admin-api-overview">Overview</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.3.2/admin-api-clusters">Clusters</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.3.2/admin-api-tenants">Tenants</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.3.2/admin-api-brokers">Brokers</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.3.2/admin-api-namespaces">Namespaces</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.3.2/admin-api-permissions">Permissions</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.3.2/admin-api-persistent-topics">Persistent topics</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.3.2/admin-api-non-persistent-topics">Non-Persistent topics</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.3.2/admin-api-partitioned-topics">Partitioned topics</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.3.2/admin-api-schemas">Schemas</a></li></ul></div><div class="navGroup"><h3 class="navGroupCategoryTitle">Adaptors</h3><ul class=""><li class="navListItem"><a class="navItem" href="/docs/en/2.3.2/adaptors-kafka">Kafka client wrapper</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.3.2/adaptors-spark">Apache Spark</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.3.2/adaptors-storm">Apache Storm</a></li></ul></div><div class="navGroup"><h3 class="navGroupCategoryTitle">Cookbooks</h3><ul class=""><li class="navListItem"><a class="navItem" href="/docs/en/2.3.2/cookbooks-tiered-storage">Tiered Storage</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.3.2/cookbooks-compaction">Topic compaction</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.3.2/cookbooks-deduplication">Message deduplication</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.3.2/cookbooks-non-persistent">Non-persistent messaging</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.3.2/cookbooks-partitioned">Partitioned Topics</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.3.2/cookbooks-retention-expiry">Message retention and expiry</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.3.2/cookbooks-encryption">Encryption</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.3.2/cookbooks-message-queue">Message queue</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.3.2/cookbooks-bookkeepermetadata">BookKeeper Ledger Metadata</a></li></ul></div><div class="navGroup"><h3 class="navGroupCategoryTitle">Development</h3><ul class=""><li class="navListItem"><a class="navItem" href="/docs/en/2.3.2/develop-tools">Simulation tools</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.3.2/developing-binary-protocol">Binary protocol</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.3.2/develop-schema">Custom schema storage</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.3.2/develop-load-manager">Modular load manager</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.3.2/develop-cpp">Building Pulsar C++ client</a></li></ul></div><div class="navGroup"><h3 class="navGroupCategoryTitle">Reference</h3><ul class=""><li class="navListItem"><a class="navItem" href="/docs/en/2.3.2/reference-terminology">Terminology</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.3.2/reference-cli-tools">Pulsar CLI tools</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.3.2/reference-configuration">Pulsar configuration</a></li></ul></div></div></section></div><script>
             var coll = document.getElementsByClassName('collapsible');
             var checkActiveCategory = true;
             for (var i = 0; i < coll.length; i++) {
               var links = coll[i].nextElementSibling.getElementsByTagName('*');
               if (checkActiveCategory){
                 for (var j = 0; j < links.length; j++) {
                   if (links[j].classList.contains('navListItemActive')){
                     coll[i].nextElementSibling.classList.toggle('hide');
                     coll[i].childNodes[1].classList.toggle('rotate');
                     checkActiveCategory = false;
                     break;
                   }
                 }
               }

               coll[i].addEventListener('click', function() {
                 var arrow = this.childNodes[1];
                 arrow.classList.toggle('rotate');
                 var content = this.nextElementSibling;
                 content.classList.toggle('hide');
               });
             }

             document.addEventListener('DOMContentLoaded', function() {
               createToggler('#navToggler', '#docsNav', 'docsSliderActive');
               createToggler('#tocToggler', 'body', 'tocActive');

               var headings = document.querySelector('.toc-headings');
               headings && headings.addEventListener('click', function(event) {
                 var el = event.target;
                 while(el !== headings){
                   if (el.tagName === 'A') {
                     document.body.classList.remove('tocActive');
                     break;
                   } else{
                     el = el.parentNode;
                   }
                 }
               }, false);

               function createToggler(togglerSelector, targetSelector, className) {
                 var toggler = document.querySelector(togglerSelector);
                 var target = document.querySelector(targetSelector);

                 if (!toggler) {
                   return;
                 }

                 toggler.onclick = function(event) {
                   event.preventDefault();

                   target.classList.toggle(className);
                 };
               }
             });
         </script></nav></div><div class="container mainContainer docsContainer"><div class="wrapper"><div class="post"><header class="postHeader"><a class="edit-page-link button" href="https://github.com/apache/pulsar/edit/master/site2/docs/security-kerberos.md" target="_blank" rel="noreferrer noopener">Edit</a><h1 id="__docusaurus" class="postHeaderTitle">Authentication using Kerberos</h1></header><article><div><span><p><a href="https://web.mit.edu/kerberos/">Kerberos</a> is a network authentication protocol. It is designed to provide strong authentication for client/server applications by using secret-key cryptography.</p>
 <p>In Pulsar, we use Kerberos with <a href="https://en.wikipedia.org/wiki/Simple_Authentication_and_Security_Layer">SASL</a> as a choice for authentication. And Pulsar uses the <a href="https://en.wikipedia.org/wiki/Java_Authentication_and_Authorization_Service">Java Authentication and Authorization Service (JAAS)</a> for SASL configuration. You must provide JAAS configurations for Kerberos authentication.</p>
 <p>In this document, we will introduce how to configure <code>Kerberos</code> with <code>SASL</code> between Pulsar clients and brokers in detail, and then how to configure Kerberos for Pulsar proxy.</p>
 <h2><a class="anchor" aria-hidden="true" id="configuration-for-kerberos-between-client-and-broker"></a><a href="#configuration-for-kerberos-between-client-and-broker" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z"></path></svg></a>Configuration for Kerberos between Client and Broker</h2>
 <h3><a class="anchor" aria-hidden="true" id="prerequisites"></a><a href="#prerequisites" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z"></path></svg></a>Prerequisites</h3>
 <p>To begin, you need to set up(or already have) a <a href="https://en.wikipedia.org/wiki/Key_distribution_center">Key Distribution Center(KDC)</a> configured and running.</p>
 <p>If your organization is already using a Kerberos server (for example, by using <code>Active Directory</code>), there is no need to install a new server for Pulsar. Otherwise you will need to install one. Your Linux vendor likely has packages for <code>Kerberos</code> and a short guide on how to install and configure it: (<a href="https://help.ubuntu.com/community/Kerberos">Ubuntu</a>,
 <a href="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Managing_Smart_Cards/installing-kerberos.html">Redhat</a>).</p>
 <p>Note that if you are using Oracle Java, you need to download JCE policy files for your Java version and copy them to the <code>$JAVA_HOME/jre/lib/security</code> directory.</p>
 <h4><a class="anchor" aria-hidden="true" id="kerberos-principals"></a><a href="#kerberos-principals" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z"></path></svg></a>Kerberos Principals</h4>
 <p>If you are using existing Kerberos system, ask your Kerberos administrator for a principal for each Brokers in your cluster and for every operating system user that will access Pulsar with Kerberos authentication(via clients and tools).</p>
 <p>If you have installed your own Kerberos system, you can create these principals with the following commands:</p>
 <pre><code class="hljs css language-shell"><span class="hljs-meta">#</span><span class="bash"><span class="hljs-comment">## add Principals for broker</span></span>
 sudo /usr/sbin/kadmin.local -q 'addprinc -randkey broker/{hostname}@{REALM}'
 sudo /usr/sbin/kadmin.local -q "ktadd -k /etc/security/keytabs/{broker-keytabname}.keytab broker/{hostname}@{REALM}"
 <span class="hljs-meta">#</span><span class="bash"><span class="hljs-comment">## add Principals for client</span></span>
 sudo /usr/sbin/kadmin.local -q 'addprinc -randkey client/{hostname}@{REALM}'
 sudo /usr/sbin/kadmin.local -q "ktadd -k /etc/security/keytabs/{client-keytabname}.keytab client/{hostname}@{REALM}"
 </code></pre>
 <p>Note that it is a <em>Kerberos</em> requirement that all your hosts can be resolved with their FQDNs.</p>
 <h4><a class="anchor" aria-hidden="true" id="configure-how-to-connect-to-kdc"></a><a href="#configure-how-to-connect-to-kdc" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z"></path></svg></a>Configure how to connect to KDC</h4>
 <p>You need to specify the path to the <code>krb5.conf</code> file for both client and broker side. The contents of <code>krb5.conf</code> file indicate the default Realm and KDC information. See <a href="https://docs.oracle.com/javase/8/docs/technotes/guides/security/jgss/tutorials/KerberosReq.html">JDK’s Kerberos Requirements</a> for more details.</p>
 <pre><code class="hljs css language-shell">-Djava.security.krb5.conf=/etc/pulsar/krb5.conf
 </code></pre>
 <p>Here is an example of the krb5.conf file:</p>
 <p>In the configuration file, <code>EXAMPLE.COM</code> is the default realm; <code>kdc = localhost:62037</code> is the kdc server url for realm <code>EXAMPLE.COM</code>:</p>
 <pre><code class="hljs">[libdefaults]
  <span class="hljs-attr">default_realm</span> = EXAMPLE.COM

 [realms]
  EXAMPLE.<span class="hljs-attr">COM</span>  = {
   <span class="hljs-attr">kdc</span> = localhost:<span class="hljs-number">62037</span>
  }
 </code></pre>
 <p>Usually machines configured with kerberos already have a system wide configuration and this configuration is optional.</p>
 <h4><a class="anchor" aria-hidden="true" id="jaas-configuration-file"></a><a href="#jaas-configuration-file" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z"></path></svg></a>JAAS configuration file</h4>
 <p>JAAS configuration file is needed for both client and broker sides. It provides the section of information that used to connect KDC. Here is an example named <code>pulsar_jaas.conf</code>:</p>
 <pre><code class="hljs"> PulsarBroker {
    com.sun.security.auth.module.Krb5LoginModule required
    <span class="hljs-attribute">useKeyTab</span>=<span class="hljs-literal">true</span>
    <span class="hljs-attribute">storeKey</span>=<span class="hljs-literal">true</span>
    <span class="hljs-attribute">useTicketCache</span>=<span class="hljs-literal">false</span>
    <span class="hljs-attribute">keyTab</span>=<span class="hljs-string">"/etc/security/keytabs/pulsarbroker.keytab"</span>
    <span class="hljs-attribute">principal</span>=<span class="hljs-string">"broker/localhost@EXAMPLE.COM"</span>;
 };

  PulsarClient {
    com.sun.security.auth.module.Krb5LoginModule required
    <span class="hljs-attribute">useKeyTab</span>=<span class="hljs-literal">true</span>
    <span class="hljs-attribute">storeKey</span>=<span class="hljs-literal">true</span>
    <span class="hljs-attribute">useTicketCache</span>=<span class="hljs-literal">false</span>
    <span class="hljs-attribute">keyTab</span>=<span class="hljs-string">"/etc/security/keytabs/pulsarclient.keytab"</span>
    <span class="hljs-attribute">principal</span>=<span class="hljs-string">"client/localhost@EXAMPLE.COM"</span>;
 };
 </code></pre>
 <p>You need to set the <code>JAAS</code> configuration file path as JVM parameter for client and broker. For example:</p>
 <pre><code class="hljs css language-shell">    -Djava.security.auth.login.config=/etc/pulsar/pulsar_jaas.conf
 </code></pre>
 <p>In the <code>pulsar_jaas.conf</code> file above</p>
 <ol>
 <li><code>PulsarBroker</code> is a section name in the JAAS file used by each broker. This section tells the broker which principal to use inside Kerberos
 and the location of the keytab where the principal is stored. It allows the broker to use the keytab specified in this section.</li>
 <li><code>PulsarClient</code> is a section name in the JASS file used by each client. This section tells the client which principal to use inside Kerberos
 and the location of the keytab where the principal is stored. It allows the client to use the keytab specified in this section.</li>
 </ol>
 <p>It is also a choice to have 2 separate JAAS configuration files: the file for broker will only have <code>PulsarBroker</code> section; while the one for client only have <code>PulsarClient</code> section.</p>
 <h3><a class="anchor" aria-hidden="true" id="kerberos-configuration-for-brokers"></a><a href="#kerberos-configuration-for-brokers" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z"></path></svg></a>Kerberos configuration for Brokers</h3>
 <ol>
 <li>In the <code>broker.conf</code> file, set Kerberos related configuration.</li>
 </ol>
 <ul>
 <li>Set <code>authenticationEnabled</code> to <code>true</code>;</li>
 <li>Set <code>authenticationProviders</code> to choose <code>AuthenticationProviderSasl</code>;</li>
 <li>Set <code>saslJaasClientAllowedIds</code> regex for principal that is allowed to connect to broker.</li>
 <li>Set <code>saslJaasBrokerSectionName</code> that corresponding to the section in JAAS configuration file for broker.</li>
 </ul>
 <p>Here is an example:</p>
 <pre><code class="hljs"><span class="hljs-attr">authenticationEnabled</span>=<span class="hljs-literal">true</span>
 <span class="hljs-attr">authenticationProviders</span>=org.apache.pulsar.broker.authentication.AuthenticationProviderSasl
 <span class="hljs-attr">saslJaasClientAllowedIds</span>=.*client.*
 <span class="hljs-attr">saslJaasBrokerSectionName</span>=PulsarBroker
 </code></pre>
 <ol start="2">
 <li>Set JVM parameter for JAAS configuration file and krb5 configuration file with additional option.</li>
 </ol>
 <pre><code class="hljs css language-shell">   -Djava.security.auth.login.config=/etc/pulsar/pulsar_jaas.conf -Djava.security.krb5.conf=/etc/pulsar/krb5.conf
 </code></pre>
 <p>You can add this at the end of <code>PULSAR_EXTRA_OPTS</code> in the file <a href="https://github.com/apache/pulsar/blob/master/conf/pulsar_env.sh"><code>pulsar_env.sh</code></a></p>
 <p>Make sure that the keytabs configured in the <code>pulsar_jaas.conf</code> file and kdc server in the <code>krb5.conf</code> file are reachable by the operating system user who is starting broker.</p>
 <h3><a class="anchor" aria-hidden="true" id="kerberos-configuration-for-clients"></a><a href="#kerberos-configuration-for-clients" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z"></path></svg></a>Kerberos configuration for clients</h3>
 <p>In client, we need to configure the authentication type to use <code>AuthenticationSasl</code>, and also provide the authentication parameters to it.</p>
 <p>There are 2 parameters needed:</p>
 <ul>
 <li><code>saslJaasClientSectionName</code> is corresponding to the section in JAAS configuration file for client;</li>
 <li><code>serverType</code> stands for whether this client is connect to broker or proxy, and client use this parameter to know which server side principal should be used.</li>
 </ul>
 <p>When authenticate between client and broker with the setting in above JAAS configuration file, we need to set <code>saslJaasClientSectionName</code> to <code>PulsarClient</code> and <code>serverType</code> to <code>broker</code>.</p>
 <p>The following is an example of creating a Java client:</p>
 <pre><code class="hljs css language-java">System.setProperty(<span class="hljs-string">"java.security.auth.login.config"</span>, <span class="hljs-string">"/etc/pulsar/pulsar_jaas.conf"</span>);
 System.setProperty(<span class="hljs-string">"java.security.krb5.conf"</span>, <span class="hljs-string">"/etc/pulsar/krb5.conf"</span>);

 Map&lt;String, String&gt; clientSaslConfig = Maps.newHashMap();
 clientSaslConfig.put(<span class="hljs-string">"saslJaasClientSectionName"</span>, <span class="hljs-string">"PulsarClient"</span>);
 clientSaslConfig.put(<span class="hljs-string">"serverType"</span>, <span class="hljs-string">"broker"</span>);

 Authentication saslAuth = AuthenticationFactory
         .create(org.apache.pulsar.client.impl.auth.AuthenticationSasl<span class="hljs-class">.<span class="hljs-keyword">class</span>.<span class="hljs-title">getName</span>(), <span class="hljs-title">authParams</span>)</span>;

 PulsarClient client = PulsarClient.builder()
         .serviceUrl(<span class="hljs-string">"pulsar://my-broker.com:6650"</span>)
         .authentication(saslAuth)
         .build();
 </code></pre>
 <p>Make sure that the keytabs configured in the <code>pulsar_jaas.conf</code> file and kdc server in the <code>krb5.conf</code> file are reachable by the operating system user who is starting pulsar client.</p>
 <h2><a class="anchor" aria-hidden="true" id="kerberos-configuration-for-working-with-pulsar-proxy"></a><a href="#kerberos-configuration-for-working-with-pulsar-proxy" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z"></path></svg></a>Kerberos configuration for working with Pulsar Proxy</h2>
 <p>With the above configuration, client and broker can do authentication using Kerberos.</p>
 <p>If a client wants to connect to Pulsar Proxy, it is a little different. Client (as a SASL client in Kerberos) will be authenticated by Pulsar Proxy (as a SASL Server in Kerberos) first; and then Pulsar Proxy will be authenticated by Pulsar broker.</p>
 <p>Now comparing with the above configuration between client and broker, we will show how to configure Pulsar Proxy.</p>
 <h3><a class="anchor" aria-hidden="true" id="create-principal-for-pulsar-proxy-in-kerberos"></a><a href="#create-principal-for-pulsar-proxy-in-kerberos" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z"></path></svg></a>Create principal for Pulsar Proxy in Kerberos</h3>
 <p>Comparing with the above configuration, you need to add new principal for Pulsar Proxy. If you already have principals for client and broker, only add proxy principal here.</p>
 <pre><code class="hljs css language-shell"><span class="hljs-meta">#</span><span class="bash"><span class="hljs-comment">## add Principals for Pulsar Proxy</span></span>
 sudo /usr/sbin/kadmin.local -q 'addprinc -randkey proxy/{hostname}@{REALM}'
 sudo /usr/sbin/kadmin.local -q "ktadd -k /etc/security/keytabs/{proxy-keytabname}.keytab proxy/{hostname}@{REALM}"
 <span class="hljs-meta">#</span><span class="bash"><span class="hljs-comment">## add Principals for broker</span></span>
 sudo /usr/sbin/kadmin.local -q 'addprinc -randkey broker/{hostname}@{REALM}'
 sudo /usr/sbin/kadmin.local -q "ktadd -k /etc/security/keytabs/{broker-keytabname}.keytab broker/{hostname}@{REALM}"
 <span class="hljs-meta">#</span><span class="bash"><span class="hljs-comment">## add Principals for client</span></span>
 sudo /usr/sbin/kadmin.local -q 'addprinc -randkey client/{hostname}@{REALM}'
 sudo /usr/sbin/kadmin.local -q "ktadd -k /etc/security/keytabs/{client-keytabname}.keytab client/{hostname}@{REALM}"
 </code></pre>
 <h3><a class="anchor" aria-hidden="true" id="add-a-section-in-jaas-configuration-file-for-pulsar-proxy"></a><a href="#add-a-section-in-jaas-configuration-file-for-pulsar-proxy" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z"></path></svg></a>Add a section in JAAS configuration file for Pulsar Proxy</h3>
 <p>Comparing with the above configuration, add a new section for Pulsar Proxy in JAAS configuration file.</p>
 <p>Here is an example named <code>pulsar_jaas.conf</code>:</p>
 <pre><code class="hljs"> PulsarBroker {
    com.sun.security.auth.module.Krb5LoginModule required
    <span class="hljs-attribute">useKeyTab</span>=<span class="hljs-literal">true</span>
    <span class="hljs-attribute">storeKey</span>=<span class="hljs-literal">true</span>
    <span class="hljs-attribute">useTicketCache</span>=<span class="hljs-literal">false</span>
    <span class="hljs-attribute">keyTab</span>=<span class="hljs-string">"/etc/security/keytabs/pulsarbroker.keytab"</span>
    <span class="hljs-attribute">principal</span>=<span class="hljs-string">"broker/localhost@EXAMPLE.COM"</span>;
 };

  PulsarProxy {
    com.sun.security.auth.module.Krb5LoginModule required
    <span class="hljs-attribute">useKeyTab</span>=<span class="hljs-literal">true</span>
    <span class="hljs-attribute">storeKey</span>=<span class="hljs-literal">true</span>
    <span class="hljs-attribute">useTicketCache</span>=<span class="hljs-literal">false</span>
    <span class="hljs-attribute">keyTab</span>=<span class="hljs-string">"/etc/security/keytabs/pulsarproxy.keytab"</span>
    <span class="hljs-attribute">principal</span>=<span class="hljs-string">"proxy/localhost@EXAMPLE.COM"</span>;
 };

  PulsarClient {
    com.sun.security.auth.module.Krb5LoginModule required
    <span class="hljs-attribute">useKeyTab</span>=<span class="hljs-literal">true</span>
    <span class="hljs-attribute">storeKey</span>=<span class="hljs-literal">true</span>
    <span class="hljs-attribute">useTicketCache</span>=<span class="hljs-literal">false</span>
    <span class="hljs-attribute">keyTab</span>=<span class="hljs-string">"/etc/security/keytabs/pulsarclient.keytab"</span>
    <span class="hljs-attribute">principal</span>=<span class="hljs-string">"client/localhost@EXAMPLE.COM"</span>;
 };
 </code></pre>
 <h3><a class="anchor" aria-hidden="true" id="proxy-client-configuration"></a><a href="#proxy-client-configuration" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z"></path></svg></a>Proxy Client configuration</h3>
 <p>Pulsar client configuration is similar with client and broker configuration, except that <code>serverType</code> is set to <code>proxy</code> instead of <code>broker</code>, because it needs to do Kerberos authentication between client and proxy.</p>
 <pre><code class="hljs css language-java">System.setProperty(<span class="hljs-string">"java.security.auth.login.config"</span>, <span class="hljs-string">"/etc/pulsar/pulsar_jaas.conf"</span>);
 System.setProperty(<span class="hljs-string">"java.security.krb5.conf"</span>, <span class="hljs-string">"/etc/pulsar/krb5.conf"</span>);

 Map&lt;String, String&gt; clientSaslConfig = Maps.newHashMap();
 clientSaslConfig.put(<span class="hljs-string">"saslJaasClientSectionName"</span>, <span class="hljs-string">"PulsarClient"</span>);
 clientSaslConfig.put(<span class="hljs-string">"serverType"</span>, <span class="hljs-string">"proxy"</span>);        <span class="hljs-comment">// ** here is the different **</span>

 Authentication saslAuth = AuthenticationFactory
         .create(org.apache.pulsar.client.impl.auth.AuthenticationSasl<span class="hljs-class">.<span class="hljs-keyword">class</span>.<span class="hljs-title">getName</span>(), <span class="hljs-title">authParams</span>)</span>;

 PulsarClient client = PulsarClient.builder()
         .serviceUrl(<span class="hljs-string">"pulsar://my-broker.com:6650"</span>)
         .authentication(saslAuth)
         .build();
 </code></pre>
 <h3><a class="anchor" aria-hidden="true" id="kerberos-configuration-for-pulsar-proxy-service"></a><a href="#kerberos-configuration-for-pulsar-proxy-service" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z"></path></svg></a>Kerberos configuration for Pulsar Proxy service</h3>
 <p>In the <code>proxy.conf</code> file, set Kerberos related configuration. Here is an example:</p>
 <pre><code class="hljs css language-shell"><span class="hljs-meta">#</span><span class="bash"><span class="hljs-comment"># related to authenticate client.</span></span>
 authenticationEnabled=true
 authenticationProviders=org.apache.pulsar.broker.authentication.AuthenticationProviderSasl
 saslJaasClientAllowedIds=.*client.*
 saslJaasBrokerSectionName=PulsarProxy
 <span class="hljs-meta">
 #</span><span class="bash"><span class="hljs-comment"># related to be authenticated by broker</span></span>
 brokerClientAuthenticationPlugin=org.apache.pulsar.client.impl.auth.AuthenticationSasl
 brokerClientAuthenticationParameters=saslJaasClientSectionName:PulsarProxy,serverType:broker
 forwardAuthorizationCredentials=true
 </code></pre>
 <p>The first part is related to authenticate between client and Pulsar Proxy. In this phase, client works as SASL client, while Pulsar Proxy works as SASL server.</p>
 <p>The second part is related to authenticate between Pulsar Proxy and Pulsar Broker. In this phase, Pulsar Proxy works as SASL client, while Pulsar Broker works as SASL server.</p>
 <h3><a class="anchor" aria-hidden="true" id="broker-side-configuration"></a><a href="#broker-side-configuration" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z"></path></svg></a>Broker side configuration.</h3>
 <p>The broker side configuration file is the same with the above <code>broker.conf</code>, you do not need special configuration for Pulsar Proxy.</p>
 <pre><code class="hljs"><span class="hljs-attr">authenticationEnabled</span>=<span class="hljs-literal">true</span>
 <span class="hljs-attr">authenticationProviders</span>=org.apache.pulsar.broker.authentication.AuthenticationProviderSasl
 <span class="hljs-attr">saslJaasClientAllowedIds</span>=.*client.*
 <span class="hljs-attr">saslJaasBrokerSectionName</span>=PulsarBroker
 </code></pre>
 <h2><a class="anchor" aria-hidden="true" id="regarding-authorization-and-role-token"></a><a href="#regarding-authorization-and-role-token" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z"></path></svg></a>Regarding authorization and role token</h2>
 <p>For Kerberos authentication, the authenticated principal is used as the role token for Pulsar authorization.  For more information of authorization in Pulsar, see <a href="/docs/en/2.3.2/security-authorization">security authorization</a>.</p>
 <h2><a class="anchor" aria-hidden="true" id="regarding-authorization-between-bookkeeper-and-zookeeper"></a><a href="#regarding-authorization-between-bookkeeper-and-zookeeper" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z"></path></svg></a>Regarding authorization between BookKeeper and ZooKeeper</h2>
 <p>Adding <code>bookkeeperClientAuthenticationPlugin</code> parameter in <code>broker.conf</code> is a prerequisite for Broker (as a Kerberos client) being authenticated by Bookie (as a Kerberos Server):</p>
 <pre><code class="hljs">bookkeeperClientAuthenticationPlugin=org<span class="hljs-selector-class">.apache</span><span class="hljs-selector-class">.bookkeeper</span><span class="hljs-selector-class">.sasl</span><span class="hljs-selector-class">.SASLClientProviderFactory</span>
 </code></pre>
 <p>For more details of how to configure Kerberos for BookKeeper and Zookeeper, refer to <a href="http://bookkeeper.apache.org/docs/latest/security/sasl/">BookKeeper document</a>.</p>
 </span></div></article></div><div class="docs-prevnext"><a class="docs-prev button" href="/docs/en/2.3.2/security-athenz"><span class="arrow-prev">← </span><span>Authentication using Athenz</span></a><a class="docs-next button" href="/docs/en/2.3.2/security-authorization"><span>Authorization and ACLs</span><span class="arrow-next"> →</span></a></div></div></div><nav class="onPageNav"><ul class="toc-headings"><li><a href="#configuration-for-kerberos-between-client-and-broker">Configuration for Kerberos between Client and Broker</a><ul class="toc-headings"><li><a href="#prerequisites">Prerequisites</a></li><li><a href="#kerberos-configuration-for-brokers">Kerberos configuration for Brokers</a></li><li><a href="#kerberos-configuration-for-clients">Kerberos configuration for clients</a></li></ul></li><li><a href="#kerberos-configuration-for-working-with-pulsar-proxy">Kerberos configuration for working with Pulsar Proxy</a><ul class="toc-headings"><li><a href="#create-principal-for-pulsar-proxy-in-kerberos">Create principal for Pulsar Proxy in Kerberos</a></li><li><a href="#add-a-section-in-jaas-configuration-file-for-pulsar-proxy">Add a section in JAAS configuration file for Pulsar Proxy</a></li><li><a href="#proxy-client-configuration">Proxy Client configuration</a></li><li><a href="#kerberos-configuration-for-pulsar-proxy-service">Kerberos configuration for Pulsar Proxy service</a></li><li><a href="#broker-side-configuration">Broker side configuration.</a></li></ul></li><li><a href="#regarding-authorization-and-role-token">Regarding authorization and role token</a></li><li><a href="#regarding-authorization-between-bookkeeper-and-zookeeper">Regarding authorization between BookKeeper and ZooKeeper</a></li></ul></nav></div><footer class="nav-footer" id="footer"><section class="copyright">Copyright © 2022 The Apache Software Foundation. All Rights Reserved. Apache, Apache Pulsar and the Apache feather logo are trademarks of The Apache Software Foundation.</section><span><script>
       const community = document.querySelector("a[href='#community']").parentNode;
       const communityMenu =
         '<li>' +
         '<a id="community-menu" href="#">Community <span style="font-size: 0.75em">&nbsp;▼</span></a>' +
         '<div id="community-dropdown" class="hide">' +
           '<ul id="community-dropdown-items">' +
             '<li><a href="/en/contact">Contact</a></li>' +
             '<li><a href="/en/contributing">Contributing</a></li>' +
             '<li><a href="/en/coding-guide">Coding guide</a></li>' +
             '<li><a href="/en/events">Events</a></li>' +
             '<li><a href="https://twitter.com/Apache_Pulsar" target="_blank">Twitter &#x2750</a></li>' +
             '<li><a href="https://github.com/apache/pulsar/wiki" target="_blank">Wiki &#x2750</a></li>' +
             '<li><a href="https://github.com/apache/pulsar/issues" target="_blank">Issue tracking &#x2750</a></li>' +
             '<li><a href="https://pulsar-summit.org/" target="_blank">Pulsar Summit &#x2750</a></li>' +
             '<li>&nbsp;</li>' +
             '<li><a href="/en/resources">Resources</a></li>' +
             '<li><a href="/en/team">Team</a></li>' +
             '<li><a href="/en/powered-by">Powered By</a></li>' +
           '</ul>' +
         '</div>' +
         '</li>';

       community.innerHTML = communityMenu;

       const communityMenuItem = document.getElementById("community-menu");
       const communityDropDown = document.getElementById("community-dropdown");
       communityMenuItem.addEventListener("click", function(event) {
         event.preventDefault();

         if (communityDropDown.className == 'hide') {
           communityDropDown.className = 'visible';
         } else {
           communityDropDown.className = 'hide';
         }
       });
     </script></span></footer></div><script>window.twttr=(function(d,s, id){var js,fjs=d.getElementsByTagName(s)[0],t=window.twttr||{};if(d.getElementById(id))return t;js=d.createElement(s);js.id=id;js.src='https://platform.twitter.com/widgets.js';fjs.parentNode.insertBefore(js, fjs);t._e = [];t.ready = function(f) {t._e.push(f);};return t;}(document, 'script', 'twitter-wjs'));</script></body></html>