| <!DOCTYPE html><html lang="en"><head><meta charSet="utf-8"/><meta http-equiv="X-UA-Compatible" content="IE=edge"/><title>Authentication and authorization in Pulsar · Apache Pulsar</title><meta name="viewport" content="width=device-width, initial-scale=1.0"/><meta name="generator" content="Docusaurus"/><meta name="description" content="In Pulsar, the [authentication provider](/docs/en/next/security-overview#authentication-providers) is responsible for properly identifying clients and associating the clients with [role tokens](/docs/en/next/security-overview#role-tokens). If you only enable authentication, an authenticated role token has the ability to access all resources in the cluster. *Authorization* is the process that determines *what* clients are able to do."/><meta name="docsearch:version" content="next"/><meta name="docsearch:language" content="en"/><meta property="og:title" content="Authentication and authorization in Pulsar · Apache Pulsar"/><meta property="og:type" content="website"/><meta property="og:url" content="https://pulsar.apache.org/"/><meta property="og:description" content="In Pulsar, the [authentication provider](/docs/en/next/security-overview#authentication-providers) is responsible for properly identifying clients and associating the clients with [role tokens](/docs/en/next/security-overview#role-tokens). If you only enable authentication, an authenticated role token has the ability to access all resources in the cluster. *Authorization* is the process that determines *what* clients are able to do."/><meta name="twitter:card" content="summary"/><meta name="twitter:image" content="https://pulsar.apache.org/img/pulsar.svg"/><link rel="shortcut icon" href="/img/pulsar.ico"/><link rel="stylesheet" href="//cdnjs.cloudflare.com/ajax/libs/highlight.js/9.12.0/styles/atom-one-dark.min.css"/><link rel="alternate" type="application/atom+xml" href="https://pulsar.apache.org/blog/atom.xml" title="Apache Pulsar Blog ATOM Feed"/><link rel="alternate" type="application/rss+xml" href="https://pulsar.apache.org/blog/feed.xml" title="Apache Pulsar Blog RSS Feed"/><link rel="stylesheet" href="/css/code-blocks-buttons.css"/><script type="text/javascript" src="https://buttons.github.io/buttons.js"></script><script type="text/javascript" src="https://cdnjs.cloudflare.com/ajax/libs/clipboard.js/2.0.0/clipboard.min.js"></script><script type="text/javascript" src="/js/custom.js"></script><script src="/js/scrollSpy.js"></script><link rel="stylesheet" href="/css/main.css"/><script src="/js/codetabs.js"></script></head><body class="sideNavVisible separateOnPageNav"><div class="fixedHeaderContainer"><div class="headerWrapper wrapper"><header><a href="/en"><img class="logo" src="/img/pulsar.svg" alt="Apache Pulsar"/></a><a href="/en/versions"><h3>next</h3></a><div class="navigationWrapper navigationSlider"><nav class="slidingNav"><ul class="nav-site nav-site-internal"><li class="siteNavGroupActive"><a href="/docs/en/next/getting-started-standalone" target="_self">Docs</a></li><li class=""><a href="/en/download" target="_self">Download</a></li><li class="siteNavGroupActive"><a href="/docs/en/next/client-libraries" target="_self">Clients</a></li><li class=""><a href="#restapis" target="_self">REST APIs</a></li><li class=""><a href="#cli" target="_self">Cli</a></li><li class=""><a href="/blog/" target="_self">Blog</a></li><li class=""><a href="#community" target="_self">Community</a></li><li class=""><a href="#apache" target="_self">Apache</a></li><li class=""><a href="https://pulsar-next.staged.apache.org/" target="_self">New Website (Beta)</a></li><span><li><a id="languages-menu" href="#"><img class="languages-icon" src="/img/language.svg" alt="Languages icon"/>English</a><div id="languages-dropdown" class="hide"><ul id="languages-dropdown-items"><li><a href="/docs/ja/next/security-authorization">日本語</a></li><li><a href="/docs/fr/next/security-authorization">Français</a></li><li><a href="/docs/ko/next/security-authorization">한국어</a></li><li><a href="/docs/zh-CN/next/security-authorization">中文</a></li><li><a href="/docs/zh-TW/next/security-authorization">繁體中文</a></li><li><a href="https://crowdin.com/project/apache-pulsar" target="_blank" rel="noreferrer noopener">Help Translate</a></li></ul></div></li><script> |
| const languagesMenuItem = document.getElementById("languages-menu"); |
| const languagesDropDown = document.getElementById("languages-dropdown"); |
| languagesMenuItem.addEventListener("click", function(event) { |
| event.preventDefault(); |
| |
| if (languagesDropDown.className == "hide") { |
| languagesDropDown.className = "visible"; |
| } else { |
| languagesDropDown.className = "hide"; |
| } |
| }); |
| </script></span></ul></nav></div></header></div></div><div class="navPusher"><div class="docMainWrapper wrapper"><div class="docsNavContainer" id="docsNav"><nav class="toc"><div class="toggleNav"><section class="navWrapper wrapper"><div class="navBreadcrumb wrapper"><div class="navToggle" id="navToggler"><div class="hamburger-menu"><div class="line1"></div><div class="line2"></div><div class="line3"></div></div></div><h2><i>›</i><span>Security</span></h2><div class="tocToggler" id="tocToggler"><i class="icon-toc"></i></div></div><div class="navGroups"><div class="navGroup"><h3 class="navGroupCategoryTitle">Get Started</h3><ul class=""><li class="navListItem"><a class="navItem" href="/docs/en/next/getting-started-standalone">Run Pulsar locally</a></li><li class="navListItem"><a class="navItem" href="/docs/en/next/getting-started-docker">Run Pulsar in Docker</a></li><li class="navListItem"><a class="navItem" href="/docs/en/next/getting-started-helm">Run Pulsar in Kubernetes</a></li></ul></div><div class="navGroup"><h3 class="navGroupCategoryTitle">Concepts and Architecture</h3><ul class=""><li class="navListItem"><a class="navItem" href="/docs/en/next/concepts-overview">Overview</a></li><li class="navListItem"><a class="navItem" href="/docs/en/next/concepts-messaging">Messaging</a></li><li class="navListItem"><a class="navItem" href="/docs/en/next/concepts-architecture-overview">Architecture</a></li><li class="navListItem"><a class="navItem" href="/docs/en/next/concepts-clients">Clients</a></li><li class="navListItem"><a class="navItem" href="/docs/en/next/concepts-replication">Geo Replication</a></li><li class="navListItem"><a class="navItem" href="/docs/en/next/concepts-multi-tenancy">Multi Tenancy</a></li><li class="navListItem"><a class="navItem" href="/docs/en/next/concepts-authentication">Authentication and Authorization</a></li><li class="navListItem"><a class="navItem" href="/docs/en/next/concepts-topic-compaction">Topic Compaction</a></li><li class="navListItem"><a class="navItem" href="/docs/en/next/concepts-proxy-sni-routing">Proxy support with SNI routing</a></li><li class="navListItem"><a class="navItem" href="/docs/en/next/concepts-multiple-advertised-listeners">Multiple advertised listeners</a></li></ul></div><div class="navGroup"><h3 class="navGroupCategoryTitle">Pulsar Schema</h3><ul class=""><li class="navListItem"><a class="navItem" href="/docs/en/next/schema-get-started">Get started</a></li><li class="navListItem"><a class="navItem" href="/docs/en/next/schema-understand">Understand schema</a></li><li class="navListItem"><a class="navItem" href="/docs/en/next/schema-evolution-compatibility">Schema evolution and compatibility</a></li><li class="navListItem"><a class="navItem" href="/docs/en/next/schema-manage">Manage schema</a></li></ul></div><div class="navGroup"><h3 class="navGroupCategoryTitle">Pulsar Functions</h3><ul class=""><li class="navListItem"><a class="navItem" href="/docs/en/next/functions-overview">Overview</a></li><li class="navListItem"><a class="navItem" href="/docs/en/next/functions-runtime">Setup: Configure Functions runtime</a></li><li class="navListItem"><a class="navItem" href="/docs/en/next/functions-worker">Setup: Pulsar Functions Worker</a></li><li class="navListItem"><a class="navItem" href="/docs/en/next/functions-develop">How-to: Develop</a></li><li class="navListItem"><a class="navItem" href="/docs/en/next/functions-package">How-to: Package</a></li><li class="navListItem"><a class="navItem" href="/docs/en/next/functions-debug">How-to: Debug</a></li><li class="navListItem"><a class="navItem" href="/docs/en/next/functions-deploy">How-to: Deploy</a></li><li class="navListItem"><a class="navItem" href="/docs/en/next/functions-cli">Reference: CLI</a></li><li class="navListItem"><a class="navItem" href="/docs/en/next/window-functions-context">Window Functions: Context</a></li></ul></div><div class="navGroup"><h3 class="navGroupCategoryTitle">Pulsar IO</h3><ul class=""><li class="navListItem"><a class="navItem" href="/docs/en/next/io-overview">Overview</a></li><li class="navListItem"><a class="navItem" href="/docs/en/next/io-quickstart">Get started</a></li><li class="navListItem"><a class="navItem" href="/docs/en/next/io-use">Use</a></li><li class="navListItem"><a class="navItem" href="/docs/en/next/io-debug">Debug</a></li><li class="navListItem"><a class="navItem" href="/docs/en/next/io-connectors">Built-in connector</a></li><li class="navListItem"><a class="navItem" href="/docs/en/next/io-cdc">CDC connector</a></li><li class="navListItem"><a class="navItem" href="/docs/en/next/io-develop">Develop</a></li><li class="navListItem"><a class="navItem" href="/docs/en/next/io-cli">CLI</a></li></ul></div><div class="navGroup"><h3 class="navGroupCategoryTitle">Pulsar SQL</h3><ul class=""><li class="navListItem"><a class="navItem" href="/docs/en/next/sql-overview">Overview</a></li><li class="navListItem"><a class="navItem" href="/docs/en/next/sql-getting-started">Query data</a></li><li class="navListItem"><a class="navItem" href="/docs/en/next/sql-deployment-configurations">Configuration and deployment</a></li><li class="navListItem"><a class="navItem" href="/docs/en/next/sql-rest-api">REST APIs</a></li></ul></div><div class="navGroup"><h3 class="navGroupCategoryTitle">Tiered Storage</h3><ul class=""><li class="navListItem"><a class="navItem" href="/docs/en/next/tiered-storage-overview">Overview</a></li><li class="navListItem"><a class="navItem" href="/docs/en/next/tiered-storage-aws">AWS S3 offloader</a></li><li class="navListItem"><a class="navItem" href="/docs/en/next/tiered-storage-gcs">GCS offloader</a></li><li class="navListItem"><a class="navItem" href="/docs/en/next/tiered-storage-filesystem">Filesystem offloader</a></li><li class="navListItem"><a class="navItem" href="/docs/en/next/tiered-storage-azure">Azure BlobStore offloader</a></li><li class="navListItem"><a class="navItem" href="/docs/en/next/tiered-storage-aliyun">Aliyun OSS offloader</a></li></ul></div><div class="navGroup"><h3 class="navGroupCategoryTitle">Transactions</h3><ul class=""><li class="navListItem"><a class="navItem" href="/docs/en/next/txn-why">Why transactions?</a></li><li class="navListItem"><a class="navItem" href="/docs/en/next/txn-what">What are transactions?</a></li><li class="navListItem"><a class="navItem" href="/docs/en/next/txn-how">How transactions work?</a></li><li class="navListItem"><a class="navItem" href="/docs/en/next/txn-use">How to use transactions?</a></li><li class="navListItem"><a class="navItem" href="/docs/en/next/txn-monitor">How to monitor transactions?</a></li></ul></div><div class="navGroup"><h3 class="navGroupCategoryTitle">Kubernetes (Helm)</h3><ul class=""><li class="navListItem"><a class="navItem" href="/docs/en/next/helm-overview">Overview</a></li><li class="navListItem"><a class="navItem" href="/docs/en/next/helm-prepare">Prepare</a></li><li class="navListItem"><a class="navItem" href="/docs/en/next/helm-install">Install</a></li><li class="navListItem"><a class="navItem" href="/docs/en/next/helm-deploy">Deployment</a></li><li class="navListItem"><a class="navItem" href="/docs/en/next/helm-upgrade">Upgrade</a></li><li class="navListItem"><a class="navItem" href="/docs/en/next/helm-tools">Required Tools</a></li></ul></div><div class="navGroup"><h3 class="navGroupCategoryTitle">Deployment</h3><ul class=""><li class="navListItem"><a class="navItem" href="/docs/en/next/deploy-aws">Amazon Web Services</a></li><li class="navListItem"><a class="navItem" href="/docs/en/next/deploy-kubernetes">Kubernetes</a></li><li class="navListItem"><a class="navItem" href="/docs/en/next/deploy-bare-metal">Bare metal</a></li><li class="navListItem"><a class="navItem" href="/docs/en/next/deploy-bare-metal-multi-cluster">Bare metal multi-cluster</a></li><li class="navListItem"><a class="navItem" href="/docs/en/next/deploy-docker">Docker</a></li><li class="navListItem"><a class="navItem" href="/docs/en/next/deploy-monitoring">Monitor</a></li></ul></div><div class="navGroup"><h3 class="navGroupCategoryTitle">Administration</h3><ul class=""><li class="navListItem"><a class="navItem" href="/docs/en/next/administration-zk-bk">ZooKeeper and BookKeeper</a></li><li class="navListItem"><a class="navItem" href="/docs/en/next/administration-geo">Geo-replication</a></li><li class="navListItem"><a class="navItem" href="/docs/en/next/administration-pulsar-manager">Pulsar Manager</a></li><li class="navListItem"><a class="navItem" href="/docs/en/next/administration-stats">Pulsar statistics</a></li><li class="navListItem"><a class="navItem" href="/docs/en/next/administration-load-balance">Load balance</a></li><li class="navListItem"><a class="navItem" href="/docs/en/next/administration-proxy">Pulsar proxy</a></li><li class="navListItem"><a class="navItem" href="/docs/en/next/administration-upgrade">Upgrade</a></li><li class="navListItem"><a class="navItem" href="/docs/en/next/administration-isolation">Pulsar isolation</a></li></ul></div><div class="navGroup"><h3 class="navGroupCategoryTitle">Security</h3><ul class=""><li class="navListItem"><a class="navItem" href="/docs/en/next/security-overview">Overview</a></li><li class="navListItem"><a class="navItem" href="/docs/en/next/security-policy-and-supported-versions">Security Policy and Supported Versions</a></li><li class="navListItem"><a class="navItem" href="/docs/en/next/security-tls-transport">Transport Encryption using TLS</a></li><li class="navListItem"><a class="navItem" href="/docs/en/next/security-tls-authentication">Authentication using TLS</a></li><li class="navListItem"><a class="navItem" href="/docs/en/next/security-tls-keystore">Using TLS with KeyStore configure</a></li><li class="navListItem"><a class="navItem" href="/docs/en/next/security-jwt">Authentication using JWT</a></li><li class="navListItem"><a class="navItem" href="/docs/en/next/security-athenz">Authentication using Athenz</a></li><li class="navListItem"><a class="navItem" href="/docs/en/next/security-kerberos">Authentication using Kerberos</a></li><li class="navListItem"><a class="navItem" href="/docs/en/next/security-oauth2">Authentication using OAuth 2.0 access tokens</a></li><li class="navListItem navListItemActive"><a class="navItem" href="/docs/en/next/security-authorization">Authorization and ACLs</a></li><li class="navListItem"><a class="navItem" href="/docs/en/next/security-encryption">End-to-End Encryption</a></li><li class="navListItem"><a class="navItem" href="/docs/en/next/security-extending">Extend Authentication and Authorization</a></li><li class="navListItem"><a class="navItem" href="/docs/en/next/security-bouncy-castle">Bouncy Castle Providers</a></li></ul></div><div class="navGroup"><h3 class="navGroupCategoryTitle">Performance</h3><ul class=""><li class="navListItem"><a class="navItem" href="/docs/en/next/performance-pulsar-perf">Pulsar Perf</a></li></ul></div><div class="navGroup"><h3 class="navGroupCategoryTitle">Client Libraries</h3><ul class=""><li class="navListItem"><a class="navItem" href="/docs/en/next/client-libraries">Overview</a></li><li class="navListItem"><a class="navItem" href="/docs/en/next/client-libraries-java">Java</a></li><li class="navListItem"><a class="navItem" href="/docs/en/next/client-libraries-go">Go</a></li><li class="navListItem"><a class="navItem" href="/docs/en/next/client-libraries-python">Python</a></li><li class="navListItem"><a class="navItem" href="/docs/en/next/client-libraries-cpp">C++</a></li><li class="navListItem"><a class="navItem" href="/docs/en/next/client-libraries-node">Node.js</a></li><li class="navListItem"><a class="navItem" href="/docs/en/next/client-libraries-websocket">WebSocket</a></li><li class="navListItem"><a class="navItem" href="/docs/en/next/client-libraries-dotnet">C#</a></li><li class="navListItem"><a class="navItem" href="/docs/en/next/client-libraries-rest">REST</a></li></ul></div><div class="navGroup"><h3 class="navGroupCategoryTitle">Admin API</h3><ul class=""><li class="navListItem"><a class="navItem" href="/docs/en/next/admin-api-overview">Overview</a></li><li class="navListItem"><a class="navItem" href="/docs/en/next/admin-api-clusters">Clusters</a></li><li class="navListItem"><a class="navItem" href="/docs/en/next/admin-api-tenants">Tenants</a></li><li class="navListItem"><a class="navItem" href="/docs/en/next/admin-api-brokers">Brokers</a></li><li class="navListItem"><a class="navItem" href="/docs/en/next/admin-api-namespaces">Namespaces</a></li><li class="navListItem"><a class="navItem" href="/docs/en/next/admin-api-permissions">Permissions</a></li><li class="navListItem"><a class="navItem" href="/docs/en/next/admin-api-topics">Topics</a></li><li class="navListItem"><a class="navItem" href="/docs/en/next/admin-api-functions">Functions</a></li><li class="navListItem"><a class="navItem" href="/docs/en/next/admin-api-packages">Packages</a></li></ul></div><div class="navGroup"><h3 class="navGroupCategoryTitle">Adaptors</h3><ul class=""><li class="navListItem"><a class="navItem" href="/docs/en/next/adaptors-kafka">Kafka client wrapper</a></li><li class="navListItem"><a class="navItem" href="/docs/en/next/adaptors-spark">Apache Spark</a></li><li class="navListItem"><a class="navItem" href="/docs/en/next/adaptors-storm">Apache Storm</a></li></ul></div><div class="navGroup"><h3 class="navGroupCategoryTitle">Cookbooks</h3><ul class=""><li class="navListItem"><a class="navItem" href="/docs/en/next/cookbooks-compaction">Topic compaction</a></li><li class="navListItem"><a class="navItem" href="/docs/en/next/cookbooks-deduplication">Message deduplication</a></li><li class="navListItem"><a class="navItem" href="/docs/en/next/cookbooks-non-persistent">Non-persistent messaging</a></li><li class="navListItem"><a class="navItem" href="/docs/en/next/cookbooks-retention-expiry">Message retention and expiry</a></li><li class="navListItem"><a class="navItem" href="/docs/en/next/cookbooks-encryption">Encryption</a></li><li class="navListItem"><a class="navItem" href="/docs/en/next/cookbooks-message-queue">Message queue</a></li><li class="navListItem"><a class="navItem" href="/docs/en/next/cookbooks-bookkeepermetadata">BookKeeper Ledger Metadata</a></li></ul></div><div class="navGroup"><h3 class="navGroupCategoryTitle">Development</h3><ul class=""><li class="navListItem"><a class="navItem" href="/docs/en/next/develop-tools">Simulation tools</a></li><li class="navListItem"><a class="navItem" href="/docs/en/next/developing-binary-protocol">Binary protocol</a></li><li class="navListItem"><a class="navItem" href="/docs/en/next/develop-load-manager">Modular load manager</a></li><li class="navListItem"><a class="navItem" href="/docs/en/next/develop-plugin">Plugin</a></li></ul></div><div class="navGroup"><h3 class="navGroupCategoryTitle">Reference</h3><ul class=""><li class="navListItem"><a class="navItem" href="/docs/en/next/reference-terminology">Terminology</a></li><li class="navListItem"><a class="navItem" href="/docs/en/next/reference-cli-tools">Pulsar CLI tools</a></li><li class="navListItem"><a class="navItem" href="/docs/en/next/reference-configuration">Pulsar configuration</a></li><li class="navListItem"><a class="navItem" href="/docs/en/next/reference-metrics">Pulsar Metrics</a></li></ul></div></div></section></div><script> |
| var coll = document.getElementsByClassName('collapsible'); |
| var checkActiveCategory = true; |
| for (var i = 0; i < coll.length; i++) { |
| var links = coll[i].nextElementSibling.getElementsByTagName('*'); |
| if (checkActiveCategory){ |
| for (var j = 0; j < links.length; j++) { |
| if (links[j].classList.contains('navListItemActive')){ |
| coll[i].nextElementSibling.classList.toggle('hide'); |
| coll[i].childNodes[1].classList.toggle('rotate'); |
| checkActiveCategory = false; |
| break; |
| } |
| } |
| } |
| |
| coll[i].addEventListener('click', function() { |
| var arrow = this.childNodes[1]; |
| arrow.classList.toggle('rotate'); |
| var content = this.nextElementSibling; |
| content.classList.toggle('hide'); |
| }); |
| } |
| |
| document.addEventListener('DOMContentLoaded', function() { |
| createToggler('#navToggler', '#docsNav', 'docsSliderActive'); |
| createToggler('#tocToggler', 'body', 'tocActive'); |
| |
| var headings = document.querySelector('.toc-headings'); |
| headings && headings.addEventListener('click', function(event) { |
| var el = event.target; |
| while(el !== headings){ |
| if (el.tagName === 'A') { |
| document.body.classList.remove('tocActive'); |
| break; |
| } else{ |
| el = el.parentNode; |
| } |
| } |
| }, false); |
| |
| function createToggler(togglerSelector, targetSelector, className) { |
| var toggler = document.querySelector(togglerSelector); |
| var target = document.querySelector(targetSelector); |
| |
| if (!toggler) { |
| return; |
| } |
| |
| toggler.onclick = function(event) { |
| event.preventDefault(); |
| |
| target.classList.toggle(className); |
| }; |
| } |
| }); |
| </script></nav></div><div class="container mainContainer docsContainer"><div class="wrapper"><div class="post"><header class="postHeader"><a class="edit-page-link button" href="https://github.com/apache/pulsar/edit/master/site2/docs/security-authorization.md" target="_blank" rel="noreferrer noopener">Edit</a><h1 id="__docusaurus" class="postHeaderTitle">Authentication and authorization in Pulsar</h1></header><article><div><span><p>In Pulsar, the <a href="/docs/en/next/security-overview#authentication-providers">authentication provider</a> is responsible for properly identifying clients and associating the clients with <a href="/docs/en/next/security-overview#role-tokens">role tokens</a>. If you only enable authentication, an authenticated role token has the ability to access all resources in the cluster. <em>Authorization</em> is the process that determines <em>what</em> clients are able to do.</p> |
| <p>The role tokens with the most privileges are the <em>superusers</em>. The <em>superusers</em> can create and destroy tenants, along with having full access to all tenant resources.</p> |
| <p>When a superuser creates a <a href="/docs/en/next/reference-terminology#tenant">tenant</a>, that tenant is assigned an admin role. A client with the admin role token can then create, modify and destroy namespaces, and grant and revoke permissions to <em>other role tokens</em> on those namespaces.</p> |
| <h2><a class="anchor" aria-hidden="true" id="broker-and-proxy-setup"></a><a href="#broker-and-proxy-setup" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z"></path></svg></a>Broker and Proxy Setup</h2> |
| <h3><a class="anchor" aria-hidden="true" id="enable-authorization-and-assign-superusers"></a><a href="#enable-authorization-and-assign-superusers" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z"></path></svg></a>Enable authorization and assign superusers</h3> |
| <p>You can enable the authorization and assign the superusers in the broker (<a href="/docs/en/next/reference-configuration#broker"><code>conf/broker.conf</code></a>) configuration files.</p> |
| <pre><code class="hljs css language-properties"><span class="hljs-attr">authorizationEnabled</span>=<span class="hljs-string">true</span> |
| <span class="hljs-attr">superUserRoles</span>=<span class="hljs-string">my-super-user-1,my-super-user-2</span> |
| </code></pre> |
| <blockquote> |
| <p>A full list of parameters is available in the <code>conf/broker.conf</code> file. |
| You can also find the default values for those parameters in <a href="/docs/en/next/reference-configuration#broker">Broker Configuration</a>.</p> |
| </blockquote> |
| <p>Typically, you use superuser roles for administrators, clients as well as broker-to-broker authorization. When you use <a href="/docs/en/next/concepts-replication">geo-replication</a>, every broker needs to be able to publish to all the other topics of clusters.</p> |
| <p>You can also enable the authorization for the proxy in the proxy configuration file (<code>conf/proxy.conf</code>). Once you enable the authorization on the proxy, the proxy does an additional authorization check before forwarding the request to a broker. |
| If you enable authorization on the broker, the broker checks the authorization of the request when the broker receives the forwarded request.</p> |
| <h3><a class="anchor" aria-hidden="true" id="proxy-roles"></a><a href="#proxy-roles" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z"></path></svg></a>Proxy Roles</h3> |
| <p>By default, the broker treats the connection between a proxy and the broker as a normal user connection. The broker authenticates the user as the role configured in <code>proxy.conf</code>(see <a href="/docs/en/next/security-tls-authentication#enable-tls-authentication-on-proxies">"Enable TLS Authentication on Proxies"</a>). However, when the user connects to the cluster through a proxy, the user rarely requires the authentication. The user expects to be able to interact with the cluster as the role for which they have authenticated with the proxy.</p> |
| <p>Pulsar uses <em>Proxy roles</em> to enable the authentication. Proxy roles are specified in the broker configuration file, <a href="/docs/en/next/reference-configuration#broker"><code>conf/broker.conf</code></a>. If a client that is authenticated with a broker is one of its <code>proxyRoles</code>, all requests from that client must also carry information about the role of the client that is authenticated with the proxy. This information is called the <em>original principal</em>. If the <em>original principal</em> is absent, the client is not able to access anything.</p> |
| <p>You must authorize both the <em>proxy role</em> and the <em>original principal</em> to access a resource to ensure that the resource is accessible via the proxy. Administrators can take two approaches to authorize the <em>proxy role</em> and the <em>original principal</em>.</p> |
| <p>The more secure approach is to grant access to the proxy roles each time you grant access to a resource. For example, if you have a proxy role named <code>proxy1</code>, when the superuser creates a tenant, you should specify <code>proxy1</code> as one of the admin roles. When a role is granted permissions to produce or consume from a namespace, if that client wants to produce or consume through a proxy, you should also grant <code>proxy1</code> the same permissions.</p> |
| <p>Another approach is to make the proxy role a superuser. This allows the proxy to access all resources. The client still needs to authenticate with the proxy, and all requests made through the proxy have their role downgraded to the <em>original principal</em> of the authenticated client. However, if the proxy is compromised, a bad actor could get full access to your cluster.</p> |
| <p>You can specify the roles as proxy roles in <a href="/docs/en/next/reference-configuration#broker"><code>conf/broker.conf</code></a>.</p> |
| <pre><code class="hljs css language-properties"><span class="hljs-attr">proxyRoles</span>=<span class="hljs-string">my-proxy-role</span> |
| <span class="hljs-comment"> |
| # if you want to allow superusers to use the proxy (see above)</span> |
| <span class="hljs-attr">superUserRoles</span>=<span class="hljs-string">my-super-user-1,my-super-user-2,my-proxy-role</span> |
| </code></pre> |
| <h2><a class="anchor" aria-hidden="true" id="administer-tenants"></a><a href="#administer-tenants" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z"></path></svg></a>Administer tenants</h2> |
| <p>Pulsar <a href="/docs/en/next/reference-terminology#instance">instance</a> administrators or some kind of self-service portal typically provisions a Pulsar <a href="/docs/en/next/reference-terminology#tenant">tenant</a>.</p> |
| <p>You can manage tenants using the <a href="/docs/en/next/reference-pulsar-admin"><code>pulsar-admin</code></a> tool.</p> |
| <h3><a class="anchor" aria-hidden="true" id="create-a-new-tenant"></a><a href="#create-a-new-tenant" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z"></path></svg></a>Create a new tenant</h3> |
| <p>The following is an example tenant creation command:</p> |
| <pre><code class="hljs css language-shell"><span class="hljs-meta">$</span><span class="bash"> bin/pulsar-admin tenants create my-tenant \</span> |
| --admin-roles my-admin-role \ |
| --allowed-clusters us-west,us-east |
| </code></pre> |
| <p>This command creates a new tenant <code>my-tenant</code> that is allowed to use the clusters <code>us-west</code> and <code>us-east</code>.</p> |
| <p>A client that successfully identifies itself as having the role <code>my-admin-role</code> is allowed to perform all administrative tasks on this tenant.</p> |
| <p>The structure of topic names in Pulsar reflects the hierarchy between tenants, clusters, and namespaces:</p> |
| <pre><code class="hljs css language-shell">persistent://tenant/namespace/topic |
| </code></pre> |
| <h3><a class="anchor" aria-hidden="true" id="manage-permissions"></a><a href="#manage-permissions" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z"></path></svg></a>Manage permissions</h3> |
| <p>You can use <a href="/docs/en/next/admin-api-permissions">Pulsar Admin Tools</a> for managing permission in Pulsar.</p> |
| <h3><a class="anchor" aria-hidden="true" id="pulsar-admin-authentication"></a><a href="#pulsar-admin-authentication" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z"></path></svg></a>Pulsar admin authentication</h3> |
| <pre><code class="hljs css language-java">PulsarAdmin admin = PulsarAdmin.builder() |
| .serviceHttpUrl(<span class="hljs-string">"http://broker:8080"</span>) |
| .authentication(<span class="hljs-string">"com.org.MyAuthPluginClass"</span>, <span class="hljs-string">"param1:value1"</span>) |
| .build(); |
| </code></pre> |
| <p>To use TLS:</p> |
| <pre><code class="hljs css language-java">PulsarAdmin admin = PulsarAdmin.builder() |
| .serviceHttpUrl(<span class="hljs-string">"https://broker:8080"</span>) |
| .authentication(<span class="hljs-string">"com.org.MyAuthPluginClass"</span>, <span class="hljs-string">"param1:value1"</span>) |
| .tlsTrustCertsFilePath(<span class="hljs-string">"/path/to/trust/cert"</span>) |
| .build(); |
| </code></pre> |
| <h2><a class="anchor" aria-hidden="true" id="authorize-an-authenticated-client-with-multiple-roles"></a><a href="#authorize-an-authenticated-client-with-multiple-roles" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z"></path></svg></a>Authorize an authenticated client with multiple roles</h2> |
| <p>When a client is identified with multiple roles in a token (the type of role claim in the token is an array) during the authentication process, Pulsar supports to check the permissions of all the roles and further authorize the client as long as one of its roles has the required permissions.</p> |
| <blockquote> |
| <p><strong>Note</strong><br /> |
| This authorization method is only compatible with <a href="/docs/en/next/security-jwt">JWT authentication</a>.</p> |
| </blockquote> |
| <p>To enable this authorization method, configure the authorization provider as <code>MultiRolesTokenAuthorizationProvider</code> in the <code>conf/broker.conf</code> file.</p> |
| <pre><code class="hljs css language-properties"><span class="hljs-comment"># Authorization provider fully qualified class-name</span> |
| <span class="hljs-attr">authorizationProvider</span>=<span class="hljs-string">org.apache.pulsar.broker.authorization.MultiRolesTokenAuthorizationProvider</span> |
| </code></pre> |
| </span></div></article></div><div class="docs-prevnext"><a class="docs-prev button" href="/docs/en/next/security-oauth2"><span class="arrow-prev">← </span><span>Authentication using OAuth 2.0 access tokens</span></a><a class="docs-next button" href="/docs/en/next/security-encryption"><span>End-to-End Encryption</span><span class="arrow-next"> →</span></a></div></div></div><nav class="onPageNav"><ul class="toc-headings"><li><a href="#broker-and-proxy-setup">Broker and Proxy Setup</a><ul class="toc-headings"><li><a href="#enable-authorization-and-assign-superusers">Enable authorization and assign superusers</a></li><li><a href="#proxy-roles">Proxy Roles</a></li></ul></li><li><a href="#administer-tenants">Administer tenants</a><ul class="toc-headings"><li><a href="#create-a-new-tenant">Create a new tenant</a></li><li><a href="#manage-permissions">Manage permissions</a></li><li><a href="#pulsar-admin-authentication">Pulsar admin authentication</a></li></ul></li><li><a href="#authorize-an-authenticated-client-with-multiple-roles">Authorize an authenticated client with multiple roles</a></li></ul></nav></div><footer class="nav-footer" id="footer"><section class="copyright">Copyright © 2022 The Apache Software Foundation. All Rights Reserved. Apache, Apache Pulsar and the Apache feather logo are trademarks of The Apache Software Foundation.</section><span><script> |
| const community = document.querySelector("a[href='#community']").parentNode; |
| const communityMenu = |
| '<li>' + |
| '<a id="community-menu" href="#">Community <span style="font-size: 0.75em"> ▼</span></a>' + |
| '<div id="community-dropdown" class="hide">' + |
| '<ul id="community-dropdown-items">' + |
| '<li><a href="/en/contact">Contact</a></li>' + |
| '<li><a href="/en/contributing">Contributing</a></li>' + |
| '<li><a href="/en/coding-guide">Coding guide</a></li>' + |
| '<li><a href="/en/events">Events</a></li>' + |
| '<li><a href="https://twitter.com/Apache_Pulsar" target="_blank">Twitter ❐</a></li>' + |
| '<li><a href="https://github.com/apache/pulsar/wiki" target="_blank">Wiki ❐</a></li>' + |
| '<li><a href="https://github.com/apache/pulsar/issues" target="_blank">Issue tracking ❐</a></li>' + |
| '<li><a href="https://pulsar-summit.org/" target="_blank">Pulsar Summit ❐</a></li>' + |
| '<li> </li>' + |
| '<li><a href="/en/resources">Resources</a></li>' + |
| '<li><a href="/en/team">Team</a></li>' + |
| '<li><a href="/en/powered-by">Powered By</a></li>' + |
| '</ul>' + |
| '</div>' + |
| '</li>'; |
| |
| community.innerHTML = communityMenu; |
| |
| const communityMenuItem = document.getElementById("community-menu"); |
| const communityDropDown = document.getElementById("community-dropdown"); |
| communityMenuItem.addEventListener("click", function(event) { |
| event.preventDefault(); |
| |
| if (communityDropDown.className == 'hide') { |
| communityDropDown.className = 'visible'; |
| } else { |
| communityDropDown.className = 'hide'; |
| } |
| }); |
| </script></span></footer></div><script>window.twttr=(function(d,s, id){var js,fjs=d.getElementsByTagName(s)[0],t=window.twttr||{};if(d.getElementById(id))return t;js=d.createElement(s);js.id=id;js.src='https://platform.twitter.com/widgets.js';fjs.parentNode.insertBefore(js, fjs);t._e = [];t.ready = function(f) {t._e.push(f);};return t;}(document, 'script', 'twitter-wjs'));</script></body></html> |
