| <!DOCTYPE html><html lang="en"><head><meta charSet="utf-8"/><meta http-equiv="X-UA-Compatible" content="IE=edge"/><title>Authentication using Kerberos · Apache Pulsar</title><meta name="viewport" content="width=device-width, initial-scale=1.0"/><meta name="generator" content="Docusaurus"/><meta name="description" content="[Kerberos](https://web.mit.edu/kerberos/) is a network authentication protocol. It is designed to provide strong authentication for client/server applications by using secret-key cryptography. "/><meta name="docsearch:version" content="2.3.2"/><meta name="docsearch:language" content="en"/><meta property="og:title" content="Authentication using Kerberos · Apache Pulsar"/><meta property="og:type" content="website"/><meta property="og:url" content="https://pulsar.apache.org/"/><meta property="og:description" content="[Kerberos](https://web.mit.edu/kerberos/) is a network authentication protocol. It is designed to provide strong authentication for client/server applications by using secret-key cryptography. 
"/><meta name="twitter:card" content="summary"/><meta name="twitter:image" content="https://pulsar.apache.org/img/pulsar.svg"/><link rel="shortcut icon" href="/img/pulsar.ico"/><link rel="stylesheet" href="//cdnjs.cloudflare.com/ajax/libs/highlight.js/9.12.0/styles/atom-one-dark.min.css"/><link rel="alternate" type="application/atom+xml" href="https://pulsar.apache.org/blog/atom.xml" title="Apache Pulsar Blog ATOM Feed"/><link rel="alternate" type="application/rss+xml" href="https://pulsar.apache.org/blog/feed.xml" title="Apache Pulsar Blog RSS Feed"/><link rel="stylesheet" href="/css/code-blocks-buttons.css"/><script type="text/javascript" src="https://buttons.github.io/buttons.js"></script><script type="text/javascript" src="https://cdnjs.cloudflare.com/ajax/libs/clipboard.js/2.0.0/clipboard.min.js"></script><script type="text/javascript" src="/js/custom.js"></script><script src="/js/scrollSpy.js"></script><link rel="stylesheet" href="/css/main.css"/><script src="/js/codetabs.js"></script></head><body class="sideNavVisible separateOnPageNav"><div class="fixedHeaderContainer"><div class="headerWrapper wrapper"><header><a href="/en"><img class="logo" src="/img/pulsar.svg" alt="Apache Pulsar"/></a><a href="/en/versions"><h3>2.3.2</h3></a><div class="navigationWrapper navigationSlider"><nav class="slidingNav"><ul class="nav-site nav-site-internal"><li class="siteNavGroupActive"><a href="/docs/en/2.3.2/getting-started-standalone" target="_self">Docs</a></li><li class=""><a href="/en/download" target="_self">Download</a></li><li class="siteNavGroupActive"><a href="/docs/en/2.3.2/client-libraries" target="_self">Clients</a></li><li class=""><a href="#restapis" target="_self">REST APIs</a></li><li class=""><a href="#cli" target="_self">Cli</a></li><li class=""><a href="/blog/" target="_self">Blog</a></li><li class=""><a href="#community" target="_self">Community</a></li><li class=""><a href="#apache" target="_self">Apache</a></li><li class=""><a 
href="https://pulsar-next.staged.apache.org/" target="_self">New Website (Beta)</a></li><span><li><a id="languages-menu" href="#"><img class="languages-icon" src="/img/language.svg" alt="Languages icon"/>English</a><div id="languages-dropdown" class="hide"><ul id="languages-dropdown-items"><li><a href="/docs/ja/2.3.2/security-kerberos">日本語</a></li><li><a href="/docs/fr/2.3.2/security-kerberos">Français</a></li><li><a href="/docs/ko/2.3.2/security-kerberos">한국어</a></li><li><a href="/docs/zh-CN/2.3.2/security-kerberos">中文</a></li><li><a href="/docs/zh-TW/2.3.2/security-kerberos">繁體中文</a></li><li><a href="https://crowdin.com/project/apache-pulsar" target="_blank" rel="noreferrer noopener">Help Translate</a></li></ul></div></li><script> |
// Language picker: clicking the "languages-menu" trigger flips the dropdown's
// class name between "hide" and "visible" (the CSS decides what each means).
const languagesMenuItem = document.getElementById("languages-menu");
const languagesDropDown = document.getElementById("languages-dropdown");

languagesMenuItem.addEventListener("click", function (event) {
  // The trigger is an <a href="#">; stop the browser from jumping to the top.
  event.preventDefault();

  const currentlyHidden = languagesDropDown.className === "hide";
  languagesDropDown.className = currentlyHidden ? "visible" : "hide";
});
| </script></span></ul></nav></div></header></div></div><div class="navPusher"><div class="docMainWrapper wrapper"><div class="docsNavContainer" id="docsNav"><nav class="toc"><div class="toggleNav"><section class="navWrapper wrapper"><div class="navBreadcrumb wrapper"><div class="navToggle" id="navToggler"><div class="hamburger-menu"><div class="line1"></div><div class="line2"></div><div class="line3"></div></div></div><h2><i>›</i><span>Security</span></h2><div class="tocToggler" id="tocToggler"><i class="icon-toc"></i></div></div><div class="navGroups"><div class="navGroup"><h3 class="navGroupCategoryTitle">Getting Started</h3><ul class=""><li class="navListItem"><a class="navItem" href="/docs/en/2.3.2/pulsar-2.0">Pulsar 2.0</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.3.2/getting-started-standalone">Run Pulsar locally</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.3.2/getting-started-docker">Run Pulsar in Docker</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.3.2/client-libraries">Use Pulsar with client libraries</a></li></ul></div><div class="navGroup"><h3 class="navGroupCategoryTitle">Concepts and Architecture</h3><ul class=""><li class="navListItem"><a class="navItem" href="/docs/en/2.3.2/concepts-overview">Overview</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.3.2/concepts-messaging">Messaging</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.3.2/concepts-architecture-overview">Architecture</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.3.2/concepts-clients">Clients</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.3.2/concepts-replication">Geo Replication</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.3.2/concepts-multi-tenancy">Multi Tenancy</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.3.2/concepts-authentication">Authentication and Authorization</a></li><li 
class="navListItem"><a class="navItem" href="/docs/en/2.3.2/concepts-topic-compaction">Topic Compaction</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.3.2/concepts-tiered-storage">Tiered Storage</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.3.2/concepts-schema-registry">Schema Registry</a></li></ul></div><div class="navGroup"><h3 class="navGroupCategoryTitle">Pulsar Functions</h3><ul class=""><li class="navListItem"><a class="navItem" href="/docs/en/2.3.2/functions-overview">Overview</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.3.2/functions-quickstart">Getting started</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.3.2/functions-api">API</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.3.2/functions-deploying">Deploying functions</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.3.2/functions-guarantees">Processing guarantees</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.3.2/functions-state">State Storage</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.3.2/functions-metrics">Metrics</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.3.2/functions-worker">Functions Worker</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.3.2/window-functions-context">Window Functions: Context</a></li></ul></div><div class="navGroup"><h3 class="navGroupCategoryTitle">Pulsar IO</h3><ul class=""><li class="navListItem"><a class="navItem" href="/docs/en/2.3.2/io-overview">Overview</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.3.2/io-quickstart">Getting started</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.3.2/io-managing">Managing Connectors</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.3.2/io-connectors">Builtin Connectors</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.3.2/io-develop">Developing 
Connectors</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.3.2/io-cdc">CDC Connector</a></li></ul></div><div class="navGroup"><h3 class="navGroupCategoryTitle">Pulsar SQL</h3><ul class=""><li class="navListItem"><a class="navItem" href="/docs/en/2.3.2/sql-overview">Overview</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.3.2/sql-getting-started">Getting Started</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.3.2/sql-deployment-configurations">Deployment and Configuration</a></li></ul></div><div class="navGroup"><h3 class="navGroupCategoryTitle">Deployment</h3><ul class=""><li class="navListItem"><a class="navItem" href="/docs/en/2.3.2/deploy-aws">Amazon Web Services</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.3.2/deploy-kubernetes">Kubernetes</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.3.2/deploy-bare-metal">Bare metal</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.3.2/deploy-bare-metal-multi-cluster">Bare metal multi-cluster</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.3.2/deploy-monitoring">Monitoring</a></li></ul></div><div class="navGroup"><h3 class="navGroupCategoryTitle">Administration</h3><ul class=""><li class="navListItem"><a class="navItem" href="/docs/en/2.3.2/administration-zk-bk">ZooKeeper and BookKeeper</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.3.2/administration-geo">Geo-replication</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.3.2/administration-dashboard">Dashboard</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.3.2/administration-stats">Pulsar statistics</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.3.2/administration-load-balance">Load balance</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.3.2/administration-proxy">Pulsar proxy</a></li></ul></div><div class="navGroup"><h3 
class="navGroupCategoryTitle">Security</h3><ul class=""><li class="navListItem"><a class="navItem" href="/docs/en/2.3.2/security-overview">Overview</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.3.2/security-tls-transport">Transport Encryption using TLS</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.3.2/security-tls-authentication">Authentication using TLS</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.3.2/security-token-client">Client Authentication using tokens</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.3.2/security-token-admin">Token authentication admin</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.3.2/security-athenz">Authentication using Athenz</a></li><li class="navListItem navListItemActive"><a class="navItem" href="/docs/en/2.3.2/security-kerberos">Authentication using Kerberos</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.3.2/security-authorization">Authorization and ACLs</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.3.2/security-encryption">End-to-End Encryption</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.3.2/security-extending">Extending</a></li></ul></div><div class="navGroup"><h3 class="navGroupCategoryTitle">Client Libraries</h3><ul class=""><li class="navListItem"><a class="navItem" href="/docs/en/2.3.2/client-libraries-java">Java</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.3.2/client-libraries-go">Go</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.3.2/client-libraries-python">Python</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.3.2/client-libraries-cpp">C++</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.3.2/client-libraries-websocket">WebSocket</a></li></ul></div><div class="navGroup"><h3 class="navGroupCategoryTitle">Admin API</h3><ul class=""><li class="navListItem"><a class="navItem" 
href="/docs/en/2.3.2/admin-api-overview">Overview</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.3.2/admin-api-clusters">Clusters</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.3.2/admin-api-tenants">Tenants</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.3.2/admin-api-brokers">Brokers</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.3.2/admin-api-namespaces">Namespaces</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.3.2/admin-api-permissions">Permissions</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.3.2/admin-api-persistent-topics">Persistent topics</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.3.2/admin-api-non-persistent-topics">Non-Persistent topics</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.3.2/admin-api-partitioned-topics">Partitioned topics</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.3.2/admin-api-schemas">Schemas</a></li></ul></div><div class="navGroup"><h3 class="navGroupCategoryTitle">Adaptors</h3><ul class=""><li class="navListItem"><a class="navItem" href="/docs/en/2.3.2/adaptors-kafka">Kafka client wrapper</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.3.2/adaptors-spark">Apache Spark</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.3.2/adaptors-storm">Apache Storm</a></li></ul></div><div class="navGroup"><h3 class="navGroupCategoryTitle">Cookbooks</h3><ul class=""><li class="navListItem"><a class="navItem" href="/docs/en/2.3.2/cookbooks-tiered-storage">Tiered Storage</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.3.2/cookbooks-compaction">Topic compaction</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.3.2/cookbooks-deduplication">Message deduplication</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.3.2/cookbooks-non-persistent">Non-persistent 
messaging</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.3.2/cookbooks-partitioned">Partitioned Topics</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.3.2/cookbooks-retention-expiry">Message retention and expiry</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.3.2/cookbooks-encryption">Encryption</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.3.2/cookbooks-message-queue">Message queue</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.3.2/cookbooks-bookkeepermetadata">BookKeeper Ledger Metadata</a></li></ul></div><div class="navGroup"><h3 class="navGroupCategoryTitle">Development</h3><ul class=""><li class="navListItem"><a class="navItem" href="/docs/en/2.3.2/develop-tools">Simulation tools</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.3.2/developing-binary-protocol">Binary protocol</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.3.2/develop-schema">Custom schema storage</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.3.2/develop-load-manager">Modular load manager</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.3.2/develop-cpp">Building Pulsar C++ client</a></li></ul></div><div class="navGroup"><h3 class="navGroupCategoryTitle">Reference</h3><ul class=""><li class="navListItem"><a class="navItem" href="/docs/en/2.3.2/reference-terminology">Terminology</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.3.2/reference-cli-tools">Pulsar CLI tools</a></li><li class="navListItem"><a class="navItem" href="/docs/en/2.3.2/reference-configuration">Pulsar configuration</a></li></ul></div></div></section></div><script> |
// Collapsible sidebar categories.
// For each element with class "collapsible", the next sibling element is its
// content panel and childNodes[1] is the arrow icon. The first category whose
// panel contains the active page link gets its "hide"/"rotate" classes
// toggled once at load; every category title toggles them on click.
var coll = document.getElementsByClassName('collapsible');
var checkActiveCategory = true;

Array.prototype.forEach.call(coll, function (categoryTitle) {
  var panel = categoryTitle.nextElementSibling;

  // Only the first category holding the active item is toggled at load.
  if (checkActiveCategory) {
    var descendants = panel.getElementsByTagName('*');
    var holdsActiveItem = Array.prototype.some.call(descendants, function (node) {
      return node.classList.contains('navListItemActive');
    });
    if (holdsActiveItem) {
      panel.classList.toggle('hide');
      categoryTitle.childNodes[1].classList.toggle('rotate');
      checkActiveCategory = false;
    }
  }

  // `this` is the clicked title, so the arrow and panel are looked up per click.
  categoryTitle.addEventListener('click', function () {
    this.childNodes[1].classList.toggle('rotate');
    this.nextElementSibling.classList.toggle('hide');
  });
});
| |
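// Sidebar / table-of-contents togglers, wired once the DOM is parsed.
//  - #navToggler toggles "docsSliderActive" on #docsNav (mobile sidebar).
//  - #tocToggler toggles "tocActive" on <body> (mobile TOC).
//  - Clicking a link inside ".toc-headings" closes the TOC again.
document.addEventListener('DOMContentLoaded', function () {
  createToggler('#navToggler', '#docsNav', 'docsSliderActive');
  createToggler('#tocToggler', 'body', 'tocActive');

  var headings = document.querySelector('.toc-headings');
  headings && headings.addEventListener('click', function (event) {
    // Walk up from the click target until the TOC container; if an <a> is
    // crossed on the way the user picked a heading, so close the TOC.
    var el = event.target;
    while (el && el !== headings) {
      if (el.tagName === 'A') {
        document.body.classList.remove('tocActive');
        break;
      }
      el = el.parentNode;
    }
  }, false);

  /**
   * Bind a click handler on `togglerSelector` that toggles `className` on the
   * element matched by `targetSelector`.
   *
   * Both elements are resolved once, at bind time. If either selector matches
   * nothing the toggler is left unbound: previously a missing target was only
   * discovered on the first click, as a TypeError inside the handler.
   *
   * @param {string} togglerSelector  CSS selector of the clickable element
   * @param {string} targetSelector   CSS selector of the element to toggle
   * @param {string} className        class name toggled on the target
   */
  function createToggler(togglerSelector, targetSelector, className) {
    var toggler = document.querySelector(togglerSelector);
    var target = document.querySelector(targetSelector);

    if (!toggler || !target) {
      return;
    }

    // Kept as `onclick` (not addEventListener) to preserve the original
    // single-handler semantics for this element.
    toggler.onclick = function (event) {
      event.preventDefault();
      target.classList.toggle(className);
    };
  }
});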
| </script></nav></div><div class="container mainContainer docsContainer"><div class="wrapper"><div class="post"><header class="postHeader"><a class="edit-page-link button" href="https://github.com/apache/pulsar/edit/master/site2/docs/security-kerberos.md" target="_blank" rel="noreferrer noopener">Edit</a><h1 id="__docusaurus" class="postHeaderTitle">Authentication using Kerberos</h1></header><article><div><span><p><a href="https://web.mit.edu/kerberos/">Kerberos</a> is a network authentication protocol. It is designed to provide strong authentication for client/server applications by using secret-key cryptography.</p> |
| <p>Pulsar supports Kerberos with <a href="https://en.wikipedia.org/wiki/Simple_Authentication_and_Security_Layer">SASL</a> as one of its authentication methods, and uses the <a href="https://en.wikipedia.org/wiki/Java_Authentication_and_Authorization_Service">Java Authentication and Authorization Service (JAAS)</a> for SASL configuration. You must provide JAAS configurations for Kerberos authentication.</p> |
| <p>This document describes in detail how to configure <code>Kerberos</code> with <code>SASL</code> between Pulsar clients and brokers, and then how to configure Kerberos for the Pulsar proxy.</p> |
| <h2><a class="anchor" aria-hidden="true" id="configuration-for-kerberos-between-client-and-broker"></a><a href="#configuration-for-kerberos-between-client-and-broker" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z"></path></svg></a>Configuration for Kerberos between Client and Broker</h2> |
| <h3><a class="anchor" aria-hidden="true" id="prerequisites"></a><a href="#prerequisites" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z"></path></svg></a>Prerequisites</h3> |
| <p>To begin, you need to set up (or already have) a <a href="https://en.wikipedia.org/wiki/Key_distribution_center">Key Distribution Center (KDC)</a> that is configured and running.</p> |
| <p>If your organization already uses a Kerberos server (for example, <code>Active Directory</code>), you do not need to install a new server for Pulsar. Otherwise, you need to install one. Your Linux vendor likely has packages for <code>Kerberos</code> and a short guide on installing and configuring it: (<a href="https://help.ubuntu.com/community/Kerberos">Ubuntu</a>, |
| <a href="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Managing_Smart_Cards/installing-kerberos.html">Redhat</a>).</p> |
| <p>Note that if you are using Oracle Java, you need to download the JCE policy files for your Java version and copy them to the <code>$JAVA_HOME/jre/lib/security</code> directory.</p> |
| <h4><a class="anchor" aria-hidden="true" id="kerberos-principals"></a><a href="#kerberos-principals" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z"></path></svg></a>Kerberos Principals</h4> |
| <p>If you are using an existing Kerberos system, ask your Kerberos administrator for a principal for each broker in your cluster and for every operating system user that will access Pulsar with Kerberos authentication (via clients and tools).</p> |
| <p>If you have installed your own Kerberos system, you can create these principals with the following commands:</p> |
| <pre><code class="hljs css language-shell"><span class="hljs-meta">#</span><span class="bash"><span class="hljs-comment">## add Principals for broker</span></span> |
| sudo /usr/sbin/kadmin.local -q 'addprinc -randkey broker/{hostname}@{REALM}' |
| sudo /usr/sbin/kadmin.local -q "ktadd -k /etc/security/keytabs/{broker-keytabname}.keytab broker/{hostname}@{REALM}" |
| <span class="hljs-meta">#</span><span class="bash"><span class="hljs-comment">## add Principals for client</span></span> |
| sudo /usr/sbin/kadmin.local -q 'addprinc -randkey client/{hostname}@{REALM}' |
| sudo /usr/sbin/kadmin.local -q "ktadd -k /etc/security/keytabs/{client-keytabname}.keytab client/{hostname}@{REALM}" |
| </code></pre> |
| <p>Note that it is a <em>Kerberos</em> requirement that all your hosts can be resolved by their FQDNs.</p> |
| <h4><a class="anchor" aria-hidden="true" id="configure-how-to-connect-to-kdc"></a><a href="#configure-how-to-connect-to-kdc" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z"></path></svg></a>Configure how to connect to KDC</h4> |
| <p>You need to specify the path to the <code>krb5.conf</code> file on both the client and broker side. The <code>krb5.conf</code> file specifies the default realm and the KDC information. See <a href="https://docs.oracle.com/javase/8/docs/technotes/guides/security/jgss/tutorials/KerberosReq.html">JDK’s Kerberos Requirements</a> for more details.</p> |
| <pre><code class="hljs css language-shell">-Djava.security.krb5.conf=/etc/pulsar/krb5.conf |
| </code></pre> |
| <p>Here is an example of the krb5.conf file:</p> |
| <p>In this example, <code>EXAMPLE.COM</code> is the default realm and <code>kdc = localhost:62037</code> is the KDC address (host:port) for realm <code>EXAMPLE.COM</code>:</p> |
| <pre><code class="hljs">[libdefaults] |
| <span class="hljs-attr">default_realm</span> = EXAMPLE.COM |
| |
| [realms] |
| EXAMPLE.<span class="hljs-attr">COM</span> = { |
| <span class="hljs-attr">kdc</span> = localhost:<span class="hljs-number">62037</span> |
| } |
| </code></pre> |
| <p>Machines that are already configured for Kerberos usually have a system-wide configuration, in which case this configuration is optional.</p> |
| <h4><a class="anchor" aria-hidden="true" id="jaas-configuration-file"></a><a href="#jaas-configuration-file" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z"></path></svg></a>JAAS configuration file</h4> |
| <p>A JAAS configuration file is needed on both the client and broker sides. It provides the sections of information used to connect to the KDC. Here is an example named <code>pulsar_jaas.conf</code>:</p> |
| <pre><code class="hljs"> PulsarBroker { |
| com.sun.security.auth.module.Krb5LoginModule required |
| <span class="hljs-attribute">useKeyTab</span>=<span class="hljs-literal">true</span> |
| <span class="hljs-attribute">storeKey</span>=<span class="hljs-literal">true</span> |
| <span class="hljs-attribute">useTicketCache</span>=<span class="hljs-literal">false</span> |
| <span class="hljs-attribute">keyTab</span>=<span class="hljs-string">"/etc/security/keytabs/pulsarbroker.keytab"</span> |
| <span class="hljs-attribute">principal</span>=<span class="hljs-string">"broker/localhost@EXAMPLE.COM"</span>; |
| }; |
| |
| PulsarClient { |
| com.sun.security.auth.module.Krb5LoginModule required |
| <span class="hljs-attribute">useKeyTab</span>=<span class="hljs-literal">true</span> |
| <span class="hljs-attribute">storeKey</span>=<span class="hljs-literal">true</span> |
| <span class="hljs-attribute">useTicketCache</span>=<span class="hljs-literal">false</span> |
| <span class="hljs-attribute">keyTab</span>=<span class="hljs-string">"/etc/security/keytabs/pulsarclient.keytab"</span> |
| <span class="hljs-attribute">principal</span>=<span class="hljs-string">"client/localhost@EXAMPLE.COM"</span>; |
| }; |
| </code></pre> |
| <p>You need to pass the <code>JAAS</code> configuration file path to the JVM as a parameter on both the client and broker. For example:</p> |
| <pre><code class="hljs css language-shell"> -Djava.security.auth.login.config=/etc/pulsar/pulsar_jaas.conf |
| </code></pre> |
| <p>In the <code>pulsar_jaas.conf</code> file above:</p> |
| <ol> |
| <li><code>PulsarBroker</code> is a section name in the JAAS file used by each broker. This section tells the broker which principal to use inside Kerberos |
| and the location of the keytab that holds that principal's key. It allows the broker to use the keytab specified in this section.</li> |
| <li><code>PulsarClient</code> is a section name in the JAAS file used by each client. This section tells the client which principal to use inside Kerberos |
| and the location of the keytab that holds that principal's key. It allows the client to use the keytab specified in this section.</li> |
| </ol> |
| <p>You can also use two separate JAAS configuration files: the broker's file only has the <code>PulsarBroker</code> section, while the client's file only has the <code>PulsarClient</code> section.</p> |
| <h3><a class="anchor" aria-hidden="true" id="kerberos-configuration-for-brokers"></a><a href="#kerberos-configuration-for-brokers" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z"></path></svg></a>Kerberos configuration for Brokers</h3> |
| <ol> |
| <li>In the <code>broker.conf</code> file, set the Kerberos-related configuration:</li> |
| </ol> |
| <ul> |
| <li>Set <code>authenticationEnabled</code> to <code>true</code>;</li> |
| <li>Set <code>authenticationProviders</code> to choose <code>AuthenticationProviderSasl</code>;</li> |
| <li>Set <code>saslJaasClientAllowedIds</code> to a regex that matches the principals allowed to connect to the broker. Any principal matching this pattern is accepted, so keep it as narrow as your client principal naming allows.</li> |
| <li>Set <code>saslJaasBrokerSectionName</code> to the name of the broker's section in the JAAS configuration file.</li> |
| </ul> |
| <p>Here is an example:</p> |
| <pre><code class="hljs"><span class="hljs-attr">authenticationEnabled</span>=<span class="hljs-literal">true</span> |
| <span class="hljs-attr">authenticationProviders</span>=org.apache.pulsar.broker.authentication.AuthenticationProviderSasl |
| <span class="hljs-attr">saslJaasClientAllowedIds</span>=.*client.* |
| <span class="hljs-attr">saslJaasBrokerSectionName</span>=PulsarBroker |
| </code></pre> |
| <ol start="2"> |
| <li>Pass the JAAS configuration file and the krb5 configuration file to the JVM as additional options:</li> |
| </ol> |
| <pre><code class="hljs css language-shell"> -Djava.security.auth.login.config=/etc/pulsar/pulsar_jaas.conf -Djava.security.krb5.conf=/etc/pulsar/krb5.conf |
| </code></pre> |
| <p>You can add this at the end of <code>PULSAR_EXTRA_OPTS</code> in the file <a href="https://github.com/apache/pulsar/blob/master/conf/pulsar_env.sh"><code>pulsar_env.sh</code></a>.</p> |
| <p>Make sure that the keytabs configured in the <code>pulsar_jaas.conf</code> file and the KDC server in the <code>krb5.conf</code> file are reachable by the operating system user who starts the broker. Because a keytab holds the principal's long-term key, it should be readable by that user only.</p> |
| <h3><a class="anchor" aria-hidden="true" id="kerberos-configuration-for-clients"></a><a href="#kerberos-configuration-for-clients" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z"></path></svg></a>Kerberos configuration for clients</h3> |
| <p>On the client side, configure the authentication type to <code>AuthenticationSasl</code> and provide its authentication parameters.</p> |
| <p>Two parameters are needed:</p> |
| <ul> |
| <li><code>saslJaasClientSectionName</code> is the name of the client's section in the JAAS configuration file;</li> |
| <li><code>serverType</code> indicates whether this client connects to a broker or a proxy; the client uses it to determine which server-side principal to expect.</li> |
| </ul> |
| <p>To authenticate between client and broker with the JAAS configuration above, set <code>saslJaasClientSectionName</code> to <code>PulsarClient</code> and <code>serverType</code> to <code>broker</code>.</p> |
| <p>The following is an example of creating a Java client (the <code>clientSaslConfig</code> map is the <code>authParams</code> argument passed to <code>AuthenticationFactory.create</code>):</p> |
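| <pre><code class="hljs css language-java"><span class="hljs-comment">// Point the JVM at the JAAS login configuration and the Kerberos (krb5) configuration.</span> |
| System.setProperty(<span class="hljs-string">"java.security.auth.login.config"</span>, <span class="hljs-string">"/etc/pulsar/pulsar_jaas.conf"</span>); |
| System.setProperty(<span class="hljs-string">"java.security.krb5.conf"</span>, <span class="hljs-string">"/etc/pulsar/krb5.conf"</span>); |
| |
| <span class="hljs-comment">// Parameters for AuthenticationSasl: the JAAS section to log in with, and the server type</span> |
| <span class="hljs-comment">// ("broker" here) that tells the client which server-side principal to expect.</span> |
| Map<String, String> clientSaslConfig = Maps.newHashMap(); |
| clientSaslConfig.put(<span class="hljs-string">"saslJaasClientSectionName"</span>, <span class="hljs-string">"PulsarClient"</span>); |
| clientSaslConfig.put(<span class="hljs-string">"serverType"</span>, <span class="hljs-string">"broker"</span>); |
| |
| <span class="hljs-comment">// The parameter map built above is what the factory needs.</span> |
| Authentication saslAuth = AuthenticationFactory |
| .create(org.apache.pulsar.client.impl.auth.AuthenticationSasl.<span class="hljs-keyword">class</span>.getName(), clientSaslConfig); |
| |
| <span class="hljs-comment">// NOTE(review): Kerberos authenticates the peers, but a plain pulsar:// URL does not by itself</span> |
| <span class="hljs-comment">// encrypt the connection; use a TLS service URL (pulsar+ssl://) where the transport needs protection.</span> |
| PulsarClient client = PulsarClient.builder() |
| .serviceUrl(<span class="hljs-string">"pulsar://my-broker.com:6650"</span>) |
| .authentication(saslAuth) |
| .build(); |
| </code></pre> |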
| <p>Make sure that the keytabs configured in the <code>pulsar_jaas.conf</code> file and the KDC server configured in the <code>krb5.conf</code> file are reachable by the operating system user who starts the Pulsar client.</p> |
| <h2><a class="anchor" aria-hidden="true" id="kerberos-configuration-for-working-with-pulsar-proxy"></a><a href="#kerberos-configuration-for-working-with-pulsar-proxy" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z"></path></svg></a>Kerberos configuration for working with Pulsar Proxy</h2> |
| <p>With the above configuration, the client and broker can authenticate using Kerberos.</p> |
| <p>If a client connects through Pulsar Proxy, the flow is slightly different: the client (as a SASL client) is first authenticated by Pulsar Proxy (as a SASL server); then Pulsar Proxy, now acting as a SASL client, is authenticated by the Pulsar broker.</p> |
| <p>Building on the client–broker configuration above, the following sections show how to configure Pulsar Proxy.</p> |
| <h3><a class="anchor" aria-hidden="true" id="create-principal-for-pulsar-proxy-in-kerberos"></a><a href="#create-principal-for-pulsar-proxy-in-kerberos" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z"></path></svg></a>Create principal for Pulsar Proxy in Kerberos</h3> |
| <p>Compared with the configuration above, you need to add a new principal for Pulsar Proxy. If you already have principals for the client and broker, add only the proxy principal here.</p> |
| <pre><code class="hljs css language-shell"><span class="hljs-meta">#</span><span class="bash"><span class="hljs-comment">## add Principals for Pulsar Proxy</span></span> |
| # {hostname} and {REALM} are placeholders: use the host the service runs on and your Kerberos realm. |
| # -randkey gives the service principal a random key (no password); ktadd -k exports that key to the |
| # keytab referenced by the matching JAAS section. The keytab is a long-term secret: keep it readable |
| # only by the OS user that runs the corresponding service. |
| sudo /usr/sbin/kadmin.local -q 'addprinc -randkey proxy/{hostname}@{REALM}' |
| sudo /usr/sbin/kadmin.local -q "ktadd -k /etc/security/keytabs/{proxy-keytabname}.keytab proxy/{hostname}@{REALM}" |
| <span class="hljs-meta">#</span><span class="bash"><span class="hljs-comment">## add Principals for broker</span></span> |
| # Only needed if the broker principal was not already created during the client/broker setup above. |
| sudo /usr/sbin/kadmin.local -q 'addprinc -randkey broker/{hostname}@{REALM}' |
| sudo /usr/sbin/kadmin.local -q "ktadd -k /etc/security/keytabs/{broker-keytabname}.keytab broker/{hostname}@{REALM}" |
| <span class="hljs-meta">#</span><span class="bash"><span class="hljs-comment">## add Principals for client</span></span> |
| # Likewise only needed if the client principal does not exist yet. |
| sudo /usr/sbin/kadmin.local -q 'addprinc -randkey client/{hostname}@{REALM}' |
| sudo /usr/sbin/kadmin.local -q "ktadd -k /etc/security/keytabs/{client-keytabname}.keytab client/{hostname}@{REALM}" |
| </code></pre> |
| <h3><a class="anchor" aria-hidden="true" id="add-a-section-in-jaas-configuration-file-for-pulsar-proxy"></a><a href="#add-a-section-in-jaas-configuration-file-for-pulsar-proxy" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z"></path></svg></a>Add a section in JAAS configuration file for Pulsar Proxy</h3> |
| <p>Compared with the configuration above, add a new section for Pulsar Proxy to the JAAS configuration file.</p> |
| <p>Here is an example named <code>pulsar_jaas.conf</code>:</p> |
| <pre><code class="hljs"> PulsarBroker { |
| // Section the broker logs in with; referenced by saslJaasBrokerSectionName=PulsarBroker in broker.conf. |
| com.sun.security.auth.module.Krb5LoginModule required |
| // Take the key from the keytab below instead of prompting for a password, and do not consult a ticket cache. |
| <span class="hljs-attribute">useKeyTab</span>=<span class="hljs-literal">true</span> |
| // storeKey keeps the principal's key in the Subject's private credentials (needed on the SASL server/acceptor side). |
| <span class="hljs-attribute">storeKey</span>=<span class="hljs-literal">true</span> |
| <span class="hljs-attribute">useTicketCache</span>=<span class="hljs-literal">false</span> |
| // NOTE(review): the keytab holds the long-term key; keep it readable only by the OS user that starts the broker. |
| <span class="hljs-attribute">keyTab</span>=<span class="hljs-string">"/etc/security/keytabs/pulsarbroker.keytab"</span> |
| // Example principal: replace localhost and EXAMPLE.COM with the {hostname} and {REALM} used when creating it. |
| <span class="hljs-attribute">principal</span>=<span class="hljs-string">"broker/localhost@EXAMPLE.COM"</span>; |
| }; |
| |
| PulsarProxy { |
| // Section the proxy logs in with. It is used both as SASL server towards clients |
| // (saslJaasBrokerSectionName=PulsarProxy in proxy.conf) and as SASL client towards the broker |
| // (saslJaasClientSectionName:PulsarProxy in brokerClientAuthenticationParameters). |
| com.sun.security.auth.module.Krb5LoginModule required |
| <span class="hljs-attribute">useKeyTab</span>=<span class="hljs-literal">true</span> |
| <span class="hljs-attribute">storeKey</span>=<span class="hljs-literal">true</span> |
| <span class="hljs-attribute">useTicketCache</span>=<span class="hljs-literal">false</span> |
| // NOTE(review): restrict this keytab to the OS user that starts the proxy. |
| <span class="hljs-attribute">keyTab</span>=<span class="hljs-string">"/etc/security/keytabs/pulsarproxy.keytab"</span> |
| <span class="hljs-attribute">principal</span>=<span class="hljs-string">"proxy/localhost@EXAMPLE.COM"</span>; |
| }; |
| |
| PulsarClient { |
| // Section the client logs in with; referenced by the saslJaasClientSectionName authentication parameter. |
| com.sun.security.auth.module.Krb5LoginModule required |
| <span class="hljs-attribute">useKeyTab</span>=<span class="hljs-literal">true</span> |
| <span class="hljs-attribute">storeKey</span>=<span class="hljs-literal">true</span> |
| <span class="hljs-attribute">useTicketCache</span>=<span class="hljs-literal">false</span> |
| // NOTE(review): restrict this keytab to the OS user that runs the client. |
| <span class="hljs-attribute">keyTab</span>=<span class="hljs-string">"/etc/security/keytabs/pulsarclient.keytab"</span> |
| <span class="hljs-attribute">principal</span>=<span class="hljs-string">"client/localhost@EXAMPLE.COM"</span>; |
| }; |
| </code></pre> |
| <h3><a class="anchor" aria-hidden="true" id="proxy-client-configuration"></a><a href="#proxy-client-configuration" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z"></path></svg></a>Proxy Client configuration</h3> |
| <p>The Pulsar client configuration is similar to the client–broker configuration above, except that <code>serverType</code> is set to <code>proxy</code> instead of <code>broker</code>, because Kerberos authentication now takes place between the client and the proxy.</p> |
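| <pre><code class="hljs css language-java"><span class="hljs-comment">// Point the JVM at the JAAS login configuration and the Kerberos (krb5) configuration.</span> |
| System.setProperty(<span class="hljs-string">"java.security.auth.login.config"</span>, <span class="hljs-string">"/etc/pulsar/pulsar_jaas.conf"</span>); |
| System.setProperty(<span class="hljs-string">"java.security.krb5.conf"</span>, <span class="hljs-string">"/etc/pulsar/krb5.conf"</span>); |
| |
| <span class="hljs-comment">// Same parameters as for a direct broker connection, but serverType is "proxy" so the</span> |
| <span class="hljs-comment">// client expects the proxy's server-side principal.</span> |
| Map<String, String> clientSaslConfig = Maps.newHashMap(); |
| clientSaslConfig.put(<span class="hljs-string">"saslJaasClientSectionName"</span>, <span class="hljs-string">"PulsarClient"</span>); |
| clientSaslConfig.put(<span class="hljs-string">"serverType"</span>, <span class="hljs-string">"proxy"</span>); <span class="hljs-comment">// ** here is the difference **</span> |
| |
| <span class="hljs-comment">// The parameter map built above is what the factory needs.</span> |
| Authentication saslAuth = AuthenticationFactory |
| .create(org.apache.pulsar.client.impl.auth.AuthenticationSasl.<span class="hljs-keyword">class</span>.getName(), clientSaslConfig); |
| |
| <span class="hljs-comment">// NOTE(review): Kerberos authenticates the peers, but a plain pulsar:// URL does not by itself</span> |
| <span class="hljs-comment">// encrypt the connection; use a TLS service URL (pulsar+ssl://) where the transport needs protection.</span> |
| PulsarClient client = PulsarClient.builder() |
| .serviceUrl(<span class="hljs-string">"pulsar://my-broker.com:6650"</span>) |
| .authentication(saslAuth) |
| .build(); |
| </code></pre> |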
| <h3><a class="anchor" aria-hidden="true" id="kerberos-configuration-for-pulsar-proxy-service"></a><a href="#kerberos-configuration-for-pulsar-proxy-service" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z"></path></svg></a>Kerberos configuration for Pulsar Proxy service</h3> |
| <p>In the <code>proxy.conf</code> file, set the Kerberos-related configuration. Here is an example:</p> |
| <pre><code class="hljs css language-shell"><span class="hljs-meta">#</span><span class="bash"><span class="hljs-comment"># related to authenticate client.</span></span> |
| # Phase 1 - proxy as SASL server: the client authenticates to the proxy. |
| authenticationEnabled=true |
| authenticationProviders=org.apache.pulsar.broker.authentication.AuthenticationProviderSasl |
| # Regex-style pattern (as the .*client.* value suggests) applied to the authenticated client identity; |
| # .*client.* accepts any principal whose name contains "client". |
| # NOTE(review): in a shared realm that is broad - consider narrowing it to the exact client principals you expect. |
| saslJaasClientAllowedIds=.*client.* |
| # JAAS section the proxy logs in with; must match the PulsarProxy section in pulsar_jaas.conf. |
| saslJaasBrokerSectionName=PulsarProxy |
| <span class="hljs-meta"> |
| #</span><span class="bash"><span class="hljs-comment"># related to be authenticated by broker</span></span> |
| # Phase 2 - proxy as SASL client: the same plugin and saslJaasClientSectionName/serverType pair a client |
| # would use, but with the proxy's own JAAS section. |
| brokerClientAuthenticationPlugin=org.apache.pulsar.client.impl.auth.AuthenticationSasl |
| brokerClientAuthenticationParameters=saslJaasClientSectionName:PulsarProxy,serverType:broker |
| # NOTE(review): forwards the original client's authorization credentials to the broker; confirm the broker |
| # is configured to accept forwarded identities only from the proxy's role (proxyRoles) so a caller cannot |
| # impersonate another role through the proxy. |
| forwardAuthorizationCredentials=true |
| </code></pre> |
| <p>The first part concerns authentication between the client and Pulsar Proxy. In this phase, the client acts as the SASL client, while Pulsar Proxy acts as the SASL server.</p> |
| <p>The second part concerns authentication between Pulsar Proxy and the Pulsar broker. In this phase, Pulsar Proxy acts as the SASL client, while the Pulsar broker acts as the SASL server.</p> |
| <h3><a class="anchor" aria-hidden="true" id="broker-side-configuration"></a><a href="#broker-side-configuration" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z"></path></svg></a>Broker side configuration.</h3> |
| <p>The broker-side configuration is the same as the <code>broker.conf</code> shown above; no special configuration is needed for Pulsar Proxy.</p> |
| <pre><code class="hljs"><span class="hljs-attr">authenticationEnabled</span>=<span class="hljs-literal">true</span> |
| <span class="hljs-attr">authenticationProviders</span>=org.apache.pulsar.broker.authentication.AuthenticationProviderSasl |
| # NOTE(review): when a proxy is in front, it authenticates to this broker as proxy/{hostname}@{REALM} |
| # (the PulsarProxy JAAS section). If this pattern is also checked against that principal, .*client.* |
| # would not match it - confirm which principals this must cover, and keep it as narrow as possible. |
| <span class="hljs-attr">saslJaasClientAllowedIds</span>=.*client.* |
| # JAAS section the broker logs in with; must match the PulsarBroker section in pulsar_jaas.conf. |
| <span class="hljs-attr">saslJaasBrokerSectionName</span>=PulsarBroker |
| </code></pre> |
| <h2><a class="anchor" aria-hidden="true" id="regarding-authorization-and-role-token"></a><a href="#regarding-authorization-and-role-token" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z"></path></svg></a>Regarding authorization and role token</h2> |
| <p>For Kerberos authentication, the authenticated principal is used as the role token for Pulsar authorization. For more information about authorization in Pulsar, see <a href="/docs/en/2.3.2/security-authorization">security authorization</a>.</p> |
| <h2><a class="anchor" aria-hidden="true" id="regarding-authorization-between-bookkeeper-and-zookeeper"></a><a href="#regarding-authorization-between-bookkeeper-and-zookeeper" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z"></path></svg></a>Regarding authorization between BookKeeper and ZooKeeper</h2> |
| <p>Adding the <code>bookkeeperClientAuthenticationPlugin</code> parameter to <code>broker.conf</code> is a prerequisite for the broker (as a Kerberos client) to be authenticated by the bookie (as a Kerberos server):</p> |
| <pre><code class="hljs">bookkeeperClientAuthenticationPlugin=org<span class="hljs-selector-class">.apache</span><span class="hljs-selector-class">.bookkeeper</span><span class="hljs-selector-class">.sasl</span><span class="hljs-selector-class">.SASLClientProviderFactory</span> |
| # Broker-side (Kerberos client) setting only; the bookie side is configured per the BookKeeper SASL documentation. |
| </code></pre> |
| <p>For more details on configuring Kerberos for BookKeeper and ZooKeeper, refer to the <a href="http://bookkeeper.apache.org/docs/latest/security/sasl/">BookKeeper documentation</a>.</p> |
| </span></div></article></div><div class="docs-prevnext"><a class="docs-prev button" href="/docs/en/2.3.2/security-athenz"><span class="arrow-prev">← </span><span>Authentication using Athenz</span></a><a class="docs-next button" href="/docs/en/2.3.2/security-authorization"><span>Authorization and ACLs</span><span class="arrow-next"> →</span></a></div></div></div><nav class="onPageNav"><ul class="toc-headings"><li><a href="#configuration-for-kerberos-between-client-and-broker">Configuration for Kerberos between Client and Broker</a><ul class="toc-headings"><li><a href="#prerequisites">Prerequisites</a></li><li><a href="#kerberos-configuration-for-brokers">Kerberos configuration for Brokers</a></li><li><a href="#kerberos-configuration-for-clients">Kerberos configuration for clients</a></li></ul></li><li><a href="#kerberos-configuration-for-working-with-pulsar-proxy">Kerberos configuration for working with Pulsar Proxy</a><ul class="toc-headings"><li><a href="#create-principal-for-pulsar-proxy-in-kerberos">Create principal for Pulsar Proxy in Kerberos</a></li><li><a href="#add-a-section-in-jaas-configuration-file-for-pulsar-proxy">Add a section in JAAS configuration file for Pulsar Proxy</a></li><li><a href="#proxy-client-configuration">Proxy Client configuration</a></li><li><a href="#kerberos-configuration-for-pulsar-proxy-service">Kerberos configuration for Pulsar Proxy service</a></li><li><a href="#broker-side-configuration">Broker side configuration.</a></li></ul></li><li><a href="#regarding-authorization-and-role-token">Regarding authorization and role token</a></li><li><a href="#regarding-authorization-between-bookkeeper-and-zookeeper">Regarding authorization between BookKeeper and ZooKeeper</a></li></ul></nav></div><footer class="nav-footer" id="footer"><section class="copyright">Copyright © 2022 The Apache Software Foundation. All Rights Reserved. 
Apache, Apache Pulsar and the Apache feather logo are trademarks of The Apache Software Foundation.</section><span><script> |
| </script></span></footer></div><script>window.twttr=(function(d,s, id){var js,fjs=d.getElementsByTagName(s)[0],t=window.twttr||{};if(d.getElementById(id))return t;js=d.createElement(s);js.id=id;js.src='https://platform.twitter.com/widgets.js';fjs.parentNode.insertBefore(js, fjs);t._e = [];t.ready = function(f) {t._e.push(f);};return t;}(document, 'script', 'twitter-wjs'));</script></body></html> |