| <a href="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Managing_Smart_Cards/installing-kerberos.html" target="_blank" rel="noopener noreferrer">Red Hat</a>.</li><li>If you use Oracle Java, you need to download JCE policy files for your Java version and copy them to the <code>$JAVA_HOME/jre/lib/security</code> directory.</li></ul><h2 class="anchor anchorWithStickyNavbar_LWe7" id="enable-kerberos-authentication-on-brokers">Enable Kerberos authentication on brokers<a href="#enable-kerberos-authentication-on-brokers" class="hash-link" aria-label="Direct link to Enable Kerberos authentication on brokers" title="Direct link to Enable Kerberos authentication on brokers"></a></h2><p>To enable Kerberos authentication on brokers, complete the following steps.</p><h3 class="anchor anchorWithStickyNavbar_LWe7" id="step-1-create-kerberos-principals">Step 1: Create Kerberos principals<a href="#step-1-create-kerberos-principals" class="hash-link" aria-label="Direct link to Step 1: Create Kerberos principals" title="Direct link to Step 1: Create Kerberos principals"></a></h3><p>If you use an existing Kerberos system, ask your Kerberos administrator to obtain a principal for each broker in your cluster and for every operating system user that accesses Pulsar with Kerberos authentication (via clients and CLI tools).</p><p>If you have installed your own Kerberos system, you need to create these principals with the following commands:</p><div class="language-shell codeBlockContainer_Ckt0 theme-code-block" style="--prism-color:#F8F8F2;--prism-background-color:#282A36"><div class="codeBlockContent_biex"><pre tabindex="0" class="prism-code language-shell codeBlock_bY9V thin-scrollbar"><code class="codeBlockLines_e6Vv"><span class="token-line" style="color:#F8F8F2"><span class="token comment" style="color:rgb(98, 114, 164)">### add Principals for broker</span><span class="token plain"></span><br></span><span class="token-line" style="color:#F8F8F2"><span 
class="token plain"></span><span class="token function" style="color:rgb(80, 250, 123)">sudo</span><span class="token plain"> /usr/sbin/kadmin.local -q </span><span class="token string" style="color:rgb(255, 121, 198)">'addprinc -randkey broker/{hostname}@{REALM}'</span><span class="token plain"></span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain"></span><span class="token function" style="color:rgb(80, 250, 123)">sudo</span><span class="token plain"> /usr/sbin/kadmin.local -q </span><span class="token string" style="color:rgb(255, 121, 198)">"ktadd -k /etc/security/keytabs/{broker-keytabname}.keytab broker/{hostname}@{REALM}"</span><span class="token plain"></span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain"></span><span class="token comment" style="color:rgb(98, 114, 164)">### add Principals for client</span><span class="token plain"></span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain"></span><span class="token function" style="color:rgb(80, 250, 123)">sudo</span><span class="token plain"> /usr/sbin/kadmin.local -q </span><span class="token string" style="color:rgb(255, 121, 198)">'addprinc -randkey client/{hostname}@{REALM}'</span><span class="token plain"></span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain"></span><span class="token function" style="color:rgb(80, 250, 123)">sudo</span><span class="token plain"> /usr/sbin/kadmin.local -q </span><span class="token string" style="color:rgb(255, 121, 198)">"ktadd -k /etc/security/keytabs/{client-keytabname}.keytab client/{hostname}@{REALM}"</span><br></span></code></pre><div class="buttonGroup__atx"><button type="button" aria-label="Copy code to clipboard" title="Copy" class="clean-btn"><span class="copyButtonIcons_eSgA" aria-hidden="true"><svg class="copyButtonIcon_y97N" viewBox="0 0 24 24"><path d="M19,21H8V7H19M19,5H8A2,2 0 0,0 6,7V21A2,2 0 0,0 8,23H19A2,2 0 0,0 
21,21V7A2,2 0 0,0 19,5M16,1H4A2,2 0 0,0 2,3V17H4V3H16V1Z"></path></svg><svg class="copyButtonSuccessIcon_LjdS" viewBox="0 0 24 24"><path d="M21,7L9,19L3.5,13.5L4.91,12.09L9,16.17L19.59,5.59L21,7Z"></path></svg></span></button></div></div></div><p>The first part of the broker principal (for example, <code>broker</code> in <code>broker/{hostname}@{REALM}</code>) is the <code>serverType</code> of each host. The suggested values of <code>serverType</code> are <code>broker</code> (the host machine runs the Pulsar broker service) and <code>proxy</code> (the host machine runs the Pulsar Proxy service).</p><p>Note that <em>Kerberos</em> requires that all your hosts can be resolved with their FQDNs.</p><h3 class="anchor anchorWithStickyNavbar_LWe7" id="step-2-configure-brokers">Step 2: Configure brokers<a href="#step-2-configure-brokers" class="hash-link" aria-label="Direct link to Step 2: Configure brokers" title="Direct link to Step 2: Configure brokers"></a></h3><p>In the <code>broker.conf</code> file, set the Kerberos-related configurations. 
Here is an example:</p><div class="language-conf codeBlockContainer_Ckt0 theme-code-block" style="--prism-color:#F8F8F2;--prism-background-color:#282A36"><div class="codeBlockContent_biex"><pre tabindex="0" class="prism-code language-conf codeBlock_bY9V thin-scrollbar"><code class="codeBlockLines_e6Vv"><span class="token-line" style="color:#F8F8F2"><span class="token plain">authenticationEnabled=true</span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain">authenticationProviders=org.apache.pulsar.broker.authentication.AuthenticationProviderSasl</span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain">saslJaasClientAllowedIds=.*client.* ## regex for principals that are allowed to connect to brokers</span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain">saslJaasServerSectionName=PulsarBroker ## corresponds to the section in the JAAS configuration file for brokers</span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain" style="display:inline-block"></span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain"># Authentication settings of the broker itself. 
Used when the broker connects to other brokers, or when the proxy connects to brokers, either in the same or other clusters</span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain">brokerClientAuthenticationPlugin=org.apache.pulsar.client.impl.auth.AuthenticationSasl</span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain">brokerClientAuthenticationParameters={"saslJaasClientSectionName":"PulsarClient", "serverType":"broker"}</span><br></span></code></pre><div class="buttonGroup__atx"><button type="button" aria-label="Copy code to clipboard" title="Copy" class="clean-btn"><span class="copyButtonIcons_eSgA" aria-hidden="true"><svg class="copyButtonIcon_y97N" viewBox="0 0 24 24"><path d="M19,21H8V7H19M19,5H8A2,2 0 0,0 6,7V21A2,2 0 0,0 8,23H19A2,2 0 0,0 21,21V7A2,2 0 0,0 19,5M16,1H4A2,2 0 0,0 2,3V17H4V3H16V1Z"></path></svg><svg class="copyButtonSuccessIcon_LjdS" viewBox="0 0 24 24"><path d="M21,7L9,19L3.5,13.5L4.91,12.09L9,16.17L19.59,5.59L21,7Z"></path></svg></span></button></div></div></div><p>To make the Pulsar internal admin client work properly, you need to:</p><ul><li>Set <code>brokerClientAuthenticationPlugin</code> to the client plugin <code>AuthenticationSasl</code>;</li><li>Set <code>brokerClientAuthenticationParameters</code> to the JSON string <code>{"saslJaasClientSectionName":"PulsarClient", "serverType":"broker"}</code>, in which <code>PulsarClient</code> is the section name in the <code>pulsar_jaas.conf</code> file, and <code>"serverType":"broker"</code> indicates that the internal admin client connects to a broker.</li></ul><h3 class="anchor anchorWithStickyNavbar_LWe7" id="step-3-configure-jaas">Step 3: Configure JAAS<a href="#step-3-configure-jaas" class="hash-link" aria-label="Direct link to Step 3: Configure JAAS" title="Direct link to Step 3: Configure JAAS"></a></h3><p>The JAAS configuration file provides the information needed to connect to the KDC. 
Here is an example named <code>pulsar_jaas.conf</code>:</p><div class="language-conf codeBlockContainer_Ckt0 theme-code-block" style="--prism-color:#F8F8F2;--prism-background-color:#282A36"><div class="codeBlockContent_biex"><pre tabindex="0" class="prism-code language-conf codeBlock_bY9V thin-scrollbar"><code class="codeBlockLines_e6Vv"><span class="token-line" style="color:#F8F8F2"><span class="token plain"> PulsarBroker {</span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain"> com.sun.security.auth.module.Krb5LoginModule required</span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain"> useKeyTab=true</span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain"> storeKey=true</span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain"> useTicketCache=false</span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain"> keyTab="/etc/security/keytabs/pulsarbroker.keytab"</span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain"> principal="broker/localhost@EXAMPLE.COM";</span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain">};</span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain" style="display:inline-block"></span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain"> PulsarClient {</span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain"> com.sun.security.auth.module.Krb5LoginModule required</span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain"> useKeyTab=true</span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain"> storeKey=true</span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain"> useTicketCache=false</span><br></span><span 
class="token-line" style="color:#F8F8F2"><span class="token plain"> keyTab="/etc/security/keytabs/pulsarclient.keytab"</span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain"> principal="client/localhost@EXAMPLE.COM";</span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain">};</span><br></span></code></pre><div class="buttonGroup__atx"><button type="button" aria-label="Copy code to clipboard" title="Copy" class="clean-btn"><span class="copyButtonIcons_eSgA" aria-hidden="true"><svg class="copyButtonIcon_y97N" viewBox="0 0 24 24"><path d="M19,21H8V7H19M19,5H8A2,2 0 0,0 6,7V21A2,2 0 0,0 8,23H19A2,2 0 0,0 21,21V7A2,2 0 0,0 19,5M16,1H4A2,2 0 0,0 2,3V17H4V3H16V1Z"></path></svg><svg class="copyButtonSuccessIcon_LjdS" viewBox="0 0 24 24"><path d="M21,7L9,19L3.5,13.5L4.91,12.09L9,16.17L19.59,5.59L21,7Z"></path></svg></span></button></div></div></div><p>In the above example:</p><ul><li><code>PulsarBroker</code> is a section name in the JAAS file that each broker uses. This section tells the broker which principal to use inside Kerberos and the location of the keytab where the principal is stored.</li><li><code>PulsarClient</code> is a section name in the JAAS file that each client uses. This section tells the client which principal to use inside Kerberos and the location of the keytab where the principal is stored.</li></ul><p>You need to set the <code>pulsar_jaas.conf</code> file path as a JVM parameter. 
For example:</p><div class="language-shell codeBlockContainer_Ckt0 theme-code-block" style="--prism-color:#F8F8F2;--prism-background-color:#282A36"><div class="codeBlockContent_biex"><pre tabindex="0" class="prism-code language-shell codeBlock_bY9V thin-scrollbar"><code class="codeBlockLines_e6Vv"><span class="token-line" style="color:#F8F8F2"><span class="token plain"> -Djava.security.auth.login.config</span><span class="token operator">=</span><span class="token plain">/etc/pulsar/pulsar_jaas.conf</span><br></span></code></pre><div class="buttonGroup__atx"><button type="button" aria-label="Copy code to clipboard" title="Copy" class="clean-btn"><span class="copyButtonIcons_eSgA" aria-hidden="true"><svg class="copyButtonIcon_y97N" viewBox="0 0 24 24"><path d="M19,21H8V7H19M19,5H8A2,2 0 0,0 6,7V21A2,2 0 0,0 8,23H19A2,2 0 0,0 21,21V7A2,2 0 0,0 19,5M16,1H4A2,2 0 0,0 2,3V17H4V3H16V1Z"></path></svg><svg class="copyButtonSuccessIcon_LjdS" viewBox="0 0 24 24"><path d="M21,7L9,19L3.5,13.5L4.91,12.09L9,16.17L19.59,5.59L21,7Z"></path></svg></span></button></div></div></div><h3 class="anchor anchorWithStickyNavbar_LWe7" id="step-4-connect-to-kdc">Step 4: Connect to KDC<a href="#step-4-connect-to-kdc" class="hash-link" aria-label="Direct link to Step 4: Connect to KDC" title="Direct link to Step 4: Connect to KDC"></a></h3><div class="theme-admonition theme-admonition-note alert alert--secondary admonition_LlT9"><div class="admonitionHeading_tbUL"><span class="admonitionIcon_kALy"><svg viewBox="0 0 14 16"><path fill-rule="evenodd" d="M6.3 5.69a.942.942 0 0 1-.28-.7c0-.28.09-.52.28-.7.19-.18.42-.28.7-.28.28 0 .52.09.7.28.18.19.28.42.28.7 0 .28-.09.52-.28.7a1 1 0 0 1-.7.3c-.28 0-.52-.11-.7-.3zM8 7.99c-.02-.25-.11-.48-.31-.69-.2-.19-.42-.3-.69-.31H6c-.27.02-.48.13-.69.31-.2.2-.3.44-.31.69h1v3c.02.27.11.5.31.69.2.2.42.31.69.31h1c.27 0 .48-.11.69-.31.2-.19.3-.42.31-.69H8V7.98v.01zM7 2.3c-3.14 0-5.7 2.54-5.7 5.68 0 3.14 2.56 5.7 5.7 5.7s5.7-2.55 
5.7-5.7c0-3.15-2.56-5.69-5.7-5.69v.01zM7 .98c3.86 0 7 3.14 7 7s-3.14 7-7 7-7-3.12-7-7 3.14-7 7-7z"></path></svg></span>note</div><div class="admonitionContent_S0QG"><p>If your machines configured with Kerberos already have a system-wide configuration, you can skip this configuration.</p></div></div><p>The content of the <code>krb5.conf</code> file indicates the default Realm and KDC information. See <a href="https://docs.oracle.com/javase/8/docs/technotes/guides/security/jgss/tutorials/KerberosReq.html" target="_blank" rel="noopener noreferrer">JDK's Kerberos Requirements</a> for more details.</p><p>To specify the path to the <code>krb5.conf</code> file for brokers, pass the JVM parameter below.</p><div class="language-shell codeBlockContainer_Ckt0 theme-code-block" style="--prism-color:#F8F8F2;--prism-background-color:#282A36"><div class="codeBlockContent_biex"><pre tabindex="0" class="prism-code language-shell codeBlock_bY9V thin-scrollbar"><code class="codeBlockLines_e6Vv"><span class="token-line" style="color:#F8F8F2"><span class="token plain">-Djava.security.krb5.conf</span><span class="token operator">=</span><span class="token plain">/etc/pulsar/krb5.conf</span><br></span></code></pre><div class="buttonGroup__atx"><button type="button" aria-label="Copy code to clipboard" title="Copy" class="clean-btn"><span class="copyButtonIcons_eSgA" aria-hidden="true"><svg class="copyButtonIcon_y97N" viewBox="0 0 24 24"><path d="M19,21H8V7H19M19,5H8A2,2 0 0,0 6,7V21A2,2 0 0,0 8,23H19A2,2 0 0,0 21,21V7A2,2 0 0,0 19,5M16,1H4A2,2 0 0,0 2,3V17H4V3H16V1Z"></path></svg><svg class="copyButtonSuccessIcon_LjdS" viewBox="0 0 24 24"><path d="M21,7L9,19L3.5,13.5L4.91,12.09L9,16.17L19.59,5.59L21,7Z"></path></svg></span></button></div></div></div><p>Here is an example of the <code>krb5.conf</code> file.</p><div class="language-conf codeBlockContainer_Ckt0 theme-code-block" style="--prism-color:#F8F8F2;--prism-background-color:#282A36"><div class="codeBlockContent_biex"><pre tabindex="0" 
class="prism-code language-conf codeBlock_bY9V thin-scrollbar"><code class="codeBlockLines_e6Vv"><span class="token-line" style="color:#F8F8F2"><span class="token plain">[libdefaults]</span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain"> default_realm = EXAMPLE.COM</span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain" style="display:inline-block"></span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain">[realms]</span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain"> EXAMPLE.COM = {</span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain"> kdc = localhost:62037</span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain"> }</span><br></span></code></pre><div class="buttonGroup__atx"><button type="button" aria-label="Copy code to clipboard" title="Copy" class="clean-btn"><span class="copyButtonIcons_eSgA" aria-hidden="true"><svg class="copyButtonIcon_y97N" viewBox="0 0 24 24"><path d="M19,21H8V7H19M19,5H8A2,2 0 0,0 6,7V21A2,2 0 0,0 8,23H19A2,2 0 0,0 21,21V7A2,2 0 0,0 19,5M16,1H4A2,2 0 0,0 2,3V17H4V3H16V1Z"></path></svg><svg class="copyButtonSuccessIcon_LjdS" viewBox="0 0 24 24"><path d="M21,7L9,19L3.5,13.5L4.91,12.09L9,16.17L19.59,5.59L21,7Z"></path></svg></span></button></div></div></div><p>In the above example:</p><ul><li><code>EXAMPLE.COM</code> is the default Realm;</li><li><code>kdc = localhost:62037</code> is the KDC server URL for the <code>EXAMPLE.COM</code> Realm.</li></ul><h2 class="anchor anchorWithStickyNavbar_LWe7" id="enable-kerberos-authentication-on-proxies">Enable Kerberos authentication on proxies<a href="#enable-kerberos-authentication-on-proxies" class="hash-link" aria-label="Direct link to Enable Kerberos authentication on proxies" title="Direct link to Enable Kerberos authentication on proxies"></a></h2><p>If you want to use proxies between 
brokers and clients, Pulsar proxies (as a SASL server in Kerberos) will authenticate clients (as a SASL client in Kerberos) before brokers authenticate proxies.</p><p>To enable Kerberos authentication on proxies, complete the following steps.</p><h3 class="anchor anchorWithStickyNavbar_LWe7" id="step-1-create-kerberos-principals-1">Step 1: Create Kerberos principals<a href="#step-1-create-kerberos-principals-1" class="hash-link" aria-label="Direct link to Step 1: Create Kerberos principals" title="Direct link to Step 1: Create Kerberos principals"></a></h3><p>Add new principals for Pulsar proxies.</p><div class="language-shell codeBlockContainer_Ckt0 theme-code-block" style="--prism-color:#F8F8F2;--prism-background-color:#282A36"><div class="codeBlockContent_biex"><pre tabindex="0" class="prism-code language-shell codeBlock_bY9V thin-scrollbar"><code class="codeBlockLines_e6Vv"><span class="token-line" style="color:#F8F8F2"><span class="token comment" style="color:rgb(98, 114, 164)">### add Principals for Pulsar Proxy</span><span class="token plain"></span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain"></span><span class="token function" style="color:rgb(80, 250, 123)">sudo</span><span class="token plain"> /usr/sbin/kadmin.local -q </span><span class="token string" style="color:rgb(255, 121, 198)">'addprinc -randkey proxy/{hostname}@{REALM}'</span><span class="token plain"></span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain"></span><span class="token function" style="color:rgb(80, 250, 123)">sudo</span><span class="token plain"> /usr/sbin/kadmin.local -q </span><span class="token string" style="color:rgb(255, 121, 198)">"ktadd -k /etc/security/keytabs/{proxy-keytabname}.keytab proxy/{hostname}@{REALM}"</span><br></span></code></pre><div class="buttonGroup__atx"><button type="button" aria-label="Copy code to clipboard" title="Copy" class="clean-btn"><span class="copyButtonIcons_eSgA" 
aria-hidden="true"><svg class="copyButtonIcon_y97N" viewBox="0 0 24 24"><path d="M19,21H8V7H19M19,5H8A2,2 0 0,0 6,7V21A2,2 0 0,0 8,23H19A2,2 0 0,0 21,21V7A2,2 0 0,0 19,5M16,1H4A2,2 0 0,0 2,3V17H4V3H16V1Z"></path></svg><svg class="copyButtonSuccessIcon_LjdS" viewBox="0 0 24 24"><path d="M21,7L9,19L3.5,13.5L4.91,12.09L9,16.17L19.59,5.59L21,7Z"></path></svg></span></button></div></div></div><p>For the principals created for brokers and clients, see <a href="#create-kerberos-principals">here</a>.</p><h3 class="anchor anchorWithStickyNavbar_LWe7" id="step-2-configure-proxies">Step 2: Configure proxies<a href="#step-2-configure-proxies" class="hash-link" aria-label="Direct link to Step 2: Configure proxies" title="Direct link to Step 2: Configure proxies"></a></h3><p>In the <code>proxy.conf</code> file, set the Kerberos-related configuration.</p><div class="language-shell codeBlockContainer_Ckt0 theme-code-block" style="--prism-color:#F8F8F2;--prism-background-color:#282A36"><div class="codeBlockContent_biex"><pre tabindex="0" class="prism-code language-shell codeBlock_bY9V thin-scrollbar"><code class="codeBlockLines_e6Vv"><span class="token-line" style="color:#F8F8F2"><span class="token comment" style="color:rgb(98, 114, 164)">## settings for authenticating clients</span><span class="token plain"></span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain"></span><span class="token assign-left variable" style="color:rgb(189, 147, 249);font-style:italic">authenticationEnabled</span><span class="token operator">=</span><span class="token plain">true</span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain"></span><span class="token assign-left variable" style="color:rgb(189, 147, 249);font-style:italic">authenticationProviders</span><span class="token operator">=</span><span class="token plain">org.apache.pulsar.broker.authentication.AuthenticationProviderSasl</span><br></span><span class="token-line" 
style="color:#F8F8F2"><span class="token plain"></span><span class="token assign-left variable" style="color:rgb(189, 147, 249);font-style:italic">saslJaasClientAllowedIds</span><span class="token operator">=</span><span class="token plain">.*client.*</span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain"></span><span class="token assign-left variable" style="color:rgb(189, 147, 249);font-style:italic">saslJaasServerSectionName</span><span class="token operator">=</span><span class="token plain">PulsarProxy</span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain" style="display:inline-block"></span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain"></span><span class="token comment" style="color:rgb(98, 114, 164)">## settings for being authenticated by brokers</span><span class="token plain"></span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain"></span><span class="token assign-left variable" style="color:rgb(189, 147, 249);font-style:italic">brokerClientAuthenticationPlugin</span><span class="token operator">=</span><span class="token plain">org.apache.pulsar.client.impl.auth.AuthenticationSasl</span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain"></span><span class="token assign-left variable" style="color:rgb(189, 147, 249);font-style:italic">brokerClientAuthenticationParameters</span><span class="token operator">=</span><span class="token punctuation" style="color:rgb(248, 248, 242)">{</span><span class="token string" style="color:rgb(255, 121, 198)">"saslJaasClientSectionName"</span><span class="token builtin class-name" style="color:rgb(189, 147, 249)">:</span><span class="token string" style="color:rgb(255, 121, 198)">"PulsarProxy"</span><span class="token plain">, </span><span class="token string" style="color:rgb(255, 121, 198)">"serverType"</span><span class="token builtin class-name" 
style="color:rgb(189, 147, 249)">:</span><span class="token string" style="color:rgb(255, 121, 198)">"broker"</span><span class="token punctuation" style="color:rgb(248, 248, 242)">}</span><span class="token plain"></span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain"></span><span class="token assign-left variable" style="color:rgb(189, 147, 249);font-style:italic">forwardAuthorizationCredentials</span><span class="token operator">=</span><span class="token plain">true</span><br></span></code></pre><div class="buttonGroup__atx"><button type="button" aria-label="Copy code to clipboard" title="Copy" class="clean-btn"><span class="copyButtonIcons_eSgA" aria-hidden="true"><svg class="copyButtonIcon_y97N" viewBox="0 0 24 24"><path d="M19,21H8V7H19M19,5H8A2,2 0 0,0 6,7V21A2,2 0 0,0 8,23H19A2,2 0 0,0 21,21V7A2,2 0 0,0 19,5M16,1H4A2,2 0 0,0 2,3V17H4V3H16V1Z"></path></svg><svg class="copyButtonSuccessIcon_LjdS" viewBox="0 0 24 24"><path d="M21,7L9,19L3.5,13.5L4.91,12.09L9,16.17L19.59,5.59L21,7Z"></path></svg></span></button></div></div></div><p>In the above example:</p><ul><li>The first part relates to the authentication between clients and proxies. In this phase, clients work as SASL clients, while proxies work as SASL servers.</li><li>The second part relates to the authentication between proxies and brokers. In this phase, proxies work as SASL clients, while brokers work as SASL servers.</li></ul><h3 class="anchor anchorWithStickyNavbar_LWe7" id="step-3-configure-jaas-1">Step 3: Configure JAAS<a href="#step-3-configure-jaas-1" class="hash-link" aria-label="Direct link to Step 3: Configure JAAS" title="Direct link to Step 3: Configure JAAS"></a></h3><p>Add a new section for proxies in the <code>pulsar_jaas.conf</code> file. 
Here is an example:</p><div class="language-conf codeBlockContainer_Ckt0 theme-code-block" style="--prism-color:#F8F8F2;--prism-background-color:#282A36"><div class="codeBlockContent_biex"><pre tabindex="0" class="prism-code language-conf codeBlock_bY9V thin-scrollbar"><code class="codeBlockLines_e6Vv"><span class="token-line" style="color:#F8F8F2"><span class="token plain"> PulsarProxy {</span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain"> com.sun.security.auth.module.Krb5LoginModule required</span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain"> useKeyTab=true</span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain"> storeKey=true</span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain"> useTicketCache=false</span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain"> keyTab="/etc/security/keytabs/pulsarproxy.keytab"</span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain"> principal="proxy/localhost@EXAMPLE.COM";</span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain">};</span><br></span></code></pre><div class="buttonGroup__atx"><button type="button" aria-label="Copy code to clipboard" title="Copy" class="clean-btn"><span class="copyButtonIcons_eSgA" aria-hidden="true"><svg class="copyButtonIcon_y97N" viewBox="0 0 24 24"><path d="M19,21H8V7H19M19,5H8A2,2 0 0,0 6,7V21A2,2 0 0,0 8,23H19A2,2 0 0,0 21,21V7A2,2 0 0,0 19,5M16,1H4A2,2 0 0,0 2,3V17H4V3H16V1Z"></path></svg><svg class="copyButtonSuccessIcon_LjdS" viewBox="0 0 24 24"><path d="M21,7L9,19L3.5,13.5L4.91,12.09L9,16.17L19.59,5.59L21,7Z"></path></svg></span></button></div></div></div><h2 class="anchor anchorWithStickyNavbar_LWe7" id="configure-kerberos-authentication-in-java-clients">Configure Kerberos authentication in Java clients<a 
href="#configure-kerberos-authentication-in-java-clients" class="hash-link" aria-label="Direct link to Configure Kerberos authentication in Java clients" title="Direct link to Configure Kerberos authentication in Java clients"></a></h2><div class="theme-admonition theme-admonition-note alert alert--secondary admonition_LlT9"><div class="admonitionHeading_tbUL"><span class="admonitionIcon_kALy"><svg viewBox="0 0 14 16"><path fill-rule="evenodd" d="M6.3 5.69a.942.942 0 0 1-.28-.7c0-.28.09-.52.28-.7.19-.18.42-.28.7-.28.28 0 .52.09.7.28.18.19.28.42.28.7 0 .28-.09.52-.28.7a1 1 0 0 1-.7.3c-.28 0-.52-.11-.7-.3zM8 7.99c-.02-.25-.11-.48-.31-.69-.2-.19-.42-.3-.69-.31H6c-.27.02-.48.13-.69.31-.2.2-.3.44-.31.69h1v3c.02.27.11.5.31.69.2.2.42.31.69.31h1c.27 0 .48-.11.69-.31.2-.19.3-.42.31-.69H8V7.98v.01zM7 2.3c-3.14 0-5.7 2.54-5.7 5.68 0 3.14 2.56 5.7 5.7 5.7s5.7-2.55 5.7-5.7c0-3.15-2.56-5.69-5.7-5.69v.01zM7 .98c3.86 0 7 3.14 7 7s-3.14 7-7 7-7-3.12-7-7 3.14-7 7-7z"></path></svg></span>note</div><div class="admonitionContent_S0QG"><p>Ensure that the operating system user who starts Pulsar clients can access the keytabs configured in the <code>pulsar_jaas.conf</code> file and the KDC server configured in the <code>krb5.conf</code> file.</p></div></div><ol><li><p>In client applications, include <code>pulsar-client-auth-sasl</code> in your project dependency.</p><div class="language-xml codeBlockContainer_Ckt0 theme-code-block" style="--prism-color:#F8F8F2;--prism-background-color:#282A36"><div class="codeBlockContent_biex"><pre tabindex="0" class="prism-code language-xml codeBlock_bY9V thin-scrollbar"><code class="codeBlockLines_e6Vv"><span class="token-line" style="color:#F8F8F2"><span class="token plain"> </span><span class="token tag punctuation" style="color:rgb(248, 248, 242)"><</span><span class="token tag" style="color:rgb(255, 121, 198)">dependency</span><span class="token tag punctuation" style="color:rgb(248, 248, 242)">></span><span class="token 
plain"></span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain"> </span><span class="token tag punctuation" style="color:rgb(248, 248, 242)"><</span><span class="token tag" style="color:rgb(255, 121, 198)">groupId</span><span class="token tag punctuation" style="color:rgb(248, 248, 242)">></span><span class="token plain">org.apache.pulsar</span><span class="token tag punctuation" style="color:rgb(248, 248, 242)"></</span><span class="token tag" style="color:rgb(255, 121, 198)">groupId</span><span class="token tag punctuation" style="color:rgb(248, 248, 242)">></span><span class="token plain"></span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain"> </span><span class="token tag punctuation" style="color:rgb(248, 248, 242)"><</span><span class="token tag" style="color:rgb(255, 121, 198)">artifactId</span><span class="token tag punctuation" style="color:rgb(248, 248, 242)">></span><span class="token plain">pulsar-client-auth-sasl</span><span class="token tag punctuation" style="color:rgb(248, 248, 242)"></</span><span class="token tag" style="color:rgb(255, 121, 198)">artifactId</span><span class="token tag punctuation" style="color:rgb(248, 248, 242)">></span><span class="token plain"></span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain"> </span><span class="token tag punctuation" style="color:rgb(248, 248, 242)"><</span><span class="token tag" style="color:rgb(255, 121, 198)">version</span><span class="token tag punctuation" style="color:rgb(248, 248, 242)">></span><span class="token plain">${pulsar.version}</span><span class="token tag punctuation" style="color:rgb(248, 248, 242)"></</span><span class="token tag" style="color:rgb(255, 121, 198)">version</span><span class="token tag punctuation" style="color:rgb(248, 248, 242)">></span><span class="token plain"></span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain"> 
</span><span class="token tag punctuation" style="color:rgb(248, 248, 242)"></</span><span class="token tag" style="color:rgb(255, 121, 198)">dependency</span><span class="token tag punctuation" style="color:rgb(248, 248, 242)">></span><br></span></code></pre><div class="buttonGroup__atx"><button type="button" aria-label="Copy code to clipboard" title="Copy" class="clean-btn"><span class="copyButtonIcons_eSgA" aria-hidden="true"><svg class="copyButtonIcon_y97N" viewBox="0 0 24 24"><path d="M19,21H8V7H19M19,5H8A2,2 0 0,0 6,7V21A2,2 0 0,0 8,23H19A2,2 0 0,0 21,21V7A2,2 0 0,0 19,5M16,1H4A2,2 0 0,0 2,3V17H4V3H16V1Z"></path></svg><svg class="copyButtonSuccessIcon_LjdS" viewBox="0 0 24 24"><path d="M21,7L9,19L3.5,13.5L4.91,12.09L9,16.17L19.59,5.59L21,7Z"></path></svg></span></button></div></div></div></li><li><p>Configure the authentication type to use <code>AuthenticationSasl</code> and provide the following parameters.</p><ul><li>Set <code>saslJaasClientSectionName</code> to <code>PulsarClient</code>;</li><li>Set <code>serverType</code> to <code>broker</code>. <code>serverType</code> indicates whether this client connects to brokers or proxies. 
Clients use this parameter to know which server-side principal should be used.</li></ul><p>The following is an example of configuring a Java client:</p><div class="language-java codeBlockContainer_Ckt0 theme-code-block" style="--prism-color:#F8F8F2;--prism-background-color:#282A36"><div class="codeBlockContent_biex"><pre tabindex="0" class="prism-code language-java codeBlock_bY9V thin-scrollbar"><code class="codeBlockLines_e6Vv"><span class="token-line" style="color:#F8F8F2"><span class="token class-name">System</span><span class="token punctuation" style="color:rgb(248, 248, 242)">.</span><span class="token function" style="color:rgb(80, 250, 123)">setProperty</span><span class="token punctuation" style="color:rgb(248, 248, 242)">(</span><span class="token string" style="color:rgb(255, 121, 198)">"java.security.auth.login.config"</span><span class="token punctuation" style="color:rgb(248, 248, 242)">,</span><span class="token plain"> </span><span class="token string" style="color:rgb(255, 121, 198)">"/etc/pulsar/pulsar_jaas.conf"</span><span class="token punctuation" style="color:rgb(248, 248, 242)">)</span><span class="token punctuation" style="color:rgb(248, 248, 242)">;</span><span class="token plain"></span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain"></span><span class="token class-name">System</span><span class="token punctuation" style="color:rgb(248, 248, 242)">.</span><span class="token function" style="color:rgb(80, 250, 123)">setProperty</span><span class="token punctuation" style="color:rgb(248, 248, 242)">(</span><span class="token string" style="color:rgb(255, 121, 198)">"java.security.krb5.conf"</span><span class="token punctuation" style="color:rgb(248, 248, 242)">,</span><span class="token plain"> </span><span class="token string" style="color:rgb(255, 121, 198)">"/etc/pulsar/krb5.conf"</span><span class="token punctuation" style="color:rgb(248, 248, 242)">)</span><span class="token punctuation" 
style="color:rgb(248, 248, 242)">;</span><span class="token plain"></span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain" style="display:inline-block"></span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain"></span><span class="token class-name">Map</span><span class="token generics punctuation" style="color:rgb(248, 248, 242)"><</span><span class="token generics class-name">String</span><span class="token generics punctuation" style="color:rgb(248, 248, 242)">,</span><span class="token generics"> </span><span class="token generics class-name">String</span><span class="token generics punctuation" style="color:rgb(248, 248, 242)">></span><span class="token plain"> authParams </span><span class="token operator">=</span><span class="token plain"> </span><span class="token class-name">Maps</span><span class="token punctuation" style="color:rgb(248, 248, 242)">.</span><span class="token function" style="color:rgb(80, 250, 123)">newHashMap</span><span class="token punctuation" style="color:rgb(248, 248, 242)">(</span><span class="token punctuation" style="color:rgb(248, 248, 242)">)</span><span class="token punctuation" style="color:rgb(248, 248, 242)">;</span><span class="token plain"></span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain">authParams</span><span class="token punctuation" style="color:rgb(248, 248, 242)">.</span><span class="token function" style="color:rgb(80, 250, 123)">put</span><span class="token punctuation" style="color:rgb(248, 248, 242)">(</span><span class="token string" style="color:rgb(255, 121, 198)">"saslJaasClientSectionName"</span><span class="token punctuation" style="color:rgb(248, 248, 242)">,</span><span class="token plain"> </span><span class="token string" style="color:rgb(255, 121, 198)">"PulsarClient"</span><span class="token punctuation" style="color:rgb(248, 248, 242)">)</span><span class="token punctuation" 
style="color:rgb(248, 248, 242)">;</span><span class="token plain"></span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain">authParams</span><span class="token punctuation" style="color:rgb(248, 248, 242)">.</span><span class="token function" style="color:rgb(80, 250, 123)">put</span><span class="token punctuation" style="color:rgb(248, 248, 242)">(</span><span class="token string" style="color:rgb(255, 121, 198)">"serverType"</span><span class="token punctuation" style="color:rgb(248, 248, 242)">,</span><span class="token plain"> </span><span class="token string" style="color:rgb(255, 121, 198)">"broker"</span><span class="token punctuation" style="color:rgb(248, 248, 242)">)</span><span class="token punctuation" style="color:rgb(248, 248, 242)">;</span><span class="token plain"></span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain" style="display:inline-block"></span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain"></span><span class="token class-name">Authentication</span><span class="token plain"> saslAuth </span><span class="token operator">=</span><span class="token plain"> </span><span class="token class-name">AuthenticationFactory</span><span class="token plain"></span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain"> </span><span class="token punctuation" style="color:rgb(248, 248, 242)">.</span><span class="token function" style="color:rgb(80, 250, 123)">create</span><span class="token punctuation" style="color:rgb(248, 248, 242)">(</span><span class="token class-name namespace">org</span><span class="token class-name namespace punctuation" style="color:rgb(248, 248, 242)">.</span><span class="token class-name namespace">apache</span><span class="token class-name namespace punctuation" style="color:rgb(248, 248, 242)">.</span><span class="token class-name namespace">pulsar</span><span class="token class-name namespace 
punctuation" style="color:rgb(248, 248, 242)">.</span><span class="token class-name namespace">client</span><span class="token class-name namespace punctuation" style="color:rgb(248, 248, 242)">.</span><span class="token class-name namespace">impl</span><span class="token class-name namespace punctuation" style="color:rgb(248, 248, 242)">.</span><span class="token class-name namespace">auth</span><span class="token class-name namespace punctuation" style="color:rgb(248, 248, 242)">.</span><span class="token class-name">AuthenticationSasl</span><span class="token punctuation" style="color:rgb(248, 248, 242)">.</span><span class="token keyword" style="color:rgb(189, 147, 249);font-style:italic">class</span><span class="token punctuation" style="color:rgb(248, 248, 242)">.</span><span class="token function" style="color:rgb(80, 250, 123)">getName</span><span class="token punctuation" style="color:rgb(248, 248, 242)">(</span><span class="token punctuation" style="color:rgb(248, 248, 242)">)</span><span class="token punctuation" style="color:rgb(248, 248, 242)">,</span><span class="token plain"> authParams</span><span class="token punctuation" style="color:rgb(248, 248, 242)">)</span><span class="token punctuation" style="color:rgb(248, 248, 242)">;</span><span class="token plain"></span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain" style="display:inline-block"></span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain"></span><span class="token class-name">PulsarClient</span><span class="token plain"> client </span><span class="token operator">=</span><span class="token plain"> </span><span class="token class-name">PulsarClient</span><span class="token punctuation" style="color:rgb(248, 248, 242)">.</span><span class="token function" style="color:rgb(80, 250, 123)">builder</span><span class="token punctuation" style="color:rgb(248, 248, 242)">(</span><span class="token punctuation" 
style="color:rgb(248, 248, 242)">)</span><span class="token plain"></span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain"> </span><span class="token punctuation" style="color:rgb(248, 248, 242)">.</span><span class="token function" style="color:rgb(80, 250, 123)">serviceUrl</span><span class="token punctuation" style="color:rgb(248, 248, 242)">(</span><span class="token string" style="color:rgb(255, 121, 198)">"pulsar://my-broker.com:6650"</span><span class="token punctuation" style="color:rgb(248, 248, 242)">)</span><span class="token plain"></span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain"> </span><span class="token punctuation" style="color:rgb(248, 248, 242)">.</span><span class="token function" style="color:rgb(80, 250, 123)">authentication</span><span class="token punctuation" style="color:rgb(248, 248, 242)">(</span><span class="token plain">saslAuth</span><span class="token punctuation" style="color:rgb(248, 248, 242)">)</span><span class="token plain"></span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain"> </span><span class="token punctuation" style="color:rgb(248, 248, 242)">.</span><span class="token function" style="color:rgb(80, 250, 123)">build</span><span class="token punctuation" style="color:rgb(248, 248, 242)">(</span><span class="token punctuation" style="color:rgb(248, 248, 242)">)</span><span class="token punctuation" style="color:rgb(248, 248, 242)">;</span><br></span></code></pre><div class="buttonGroup__atx"><button type="button" aria-label="Copy code to clipboard" title="Copy" class="clean-btn"><span class="copyButtonIcons_eSgA" aria-hidden="true"><svg class="copyButtonIcon_y97N" viewBox="0 0 24 24"><path d="M19,21H8V7H19M19,5H8A2,2 0 0,0 6,7V21A2,2 0 0,0 8,23H19A2,2 0 0,0 21,21V7A2,2 0 0,0 19,5M16,1H4A2,2 0 0,0 2,3V17H4V3H16V1Z"></path></svg><svg class="copyButtonSuccessIcon_LjdS" viewBox="0 0 24 24"><path 
d="M21,7L9,19L3.5,13.5L4.91,12.09L9,16.17L19.59,5.59L21,7Z"></path></svg></span></button></div></div></div><div class="theme-admonition theme-admonition-note alert alert--secondary admonition_LlT9"><div class="admonitionHeading_tbUL"><span class="admonitionIcon_kALy"><svg viewBox="0 0 14 16"><path fill-rule="evenodd" d="M6.3 5.69a.942.942 0 0 1-.28-.7c0-.28.09-.52.28-.7.19-.18.42-.28.7-.28.28 0 .52.09.7.28.18.19.28.42.28.7 0 .28-.09.52-.28.7a1 1 0 0 1-.7.3c-.28 0-.52-.11-.7-.3zM8 7.99c-.02-.25-.11-.48-.31-.69-.2-.19-.42-.3-.69-.31H6c-.27.02-.48.13-.69.31-.2.2-.3.44-.31.69h1v3c.02.27.11.5.31.69.2.2.42.31.69.31h1c.27 0 .48-.11.69-.31.2-.19.3-.42.31-.69H8V7.98v.01zM7 2.3c-3.14 0-5.7 2.54-5.7 5.68 0 3.14 2.56 5.7 5.7 5.7s5.7-2.55 5.7-5.7c0-3.15-2.56-5.69-5.7-5.69v.01zM7 .98c3.86 0 7 3.14 7 7s-3.14 7-7 7-7-3.12-7-7 3.14-7 7-7z"></path></svg></span>note</div><div class="admonitionContent_S0QG"><ul><li>To configure clients for proxies, you need to set <code>serverType</code> to <code>proxy</code> instead of <code>broker</code>.</li><li>The first two lines in the above example are hard-coded. 
Alternatively, you can pass the locations of the <code>pulsar_jaas.conf</code> and <code>krb5.conf</code> files as JVM parameters when you run the application, as shown below:</li></ul><div class="language-shell codeBlockContainer_Ckt0 theme-code-block" style="--prism-color:#F8F8F2;--prism-background-color:#282A36"><div class="codeBlockContent_biex"><pre tabindex="0" class="prism-code language-shell codeBlock_bY9V thin-scrollbar"><code class="codeBlockLines_e6Vv"><span class="token-line" style="color:#F8F8F2"><span class="token plain">java -Djava.security.auth.login.config</span><span class="token operator">=</span><span class="token plain">/etc/pulsar/pulsar_jaas.conf -Djava.security.krb5.conf</span><span class="token operator">=</span><span class="token plain">/etc/pulsar/krb5.conf -cp </span><span class="token variable" style="color:rgb(189, 147, 249);font-style:italic">$APP</span><span class="token plain">-jar-with-dependencies.jar </span><span class="token variable" style="color:rgb(189, 147, 249);font-style:italic">$CLASSNAME</span><br></span></code></pre></div></div></div></div></li></ol><h2 class="anchor anchorWithStickyNavbar_LWe7" id="configure-kerberos-authentication-in-cli-tools">Configure Kerberos authentication in CLI tools<a href="#configure-kerberos-authentication-in-cli-tools" class="hash-link" aria-label="Direct link to Configure Kerberos authentication in CLI tools" title="Direct link to Configure Kerberos authentication in CLI 
tools"></a></h2><p><a href="/docs/3.2.x/reference-cli-tools/">Command-line tools</a> like <a href="/reference/#/3.2.x/pulsar-admin/" target="_blank" rel="noopener noreferrer"><code>pulsar-admin</code></a>, <a href="/reference/#/3.2.x/pulsar-perf/" target="_blank" rel="noopener noreferrer"><code>pulsar-perf</code></a>, and <a href="/reference/#/3.2.x/pulsar-client/" target="_blank" rel="noopener noreferrer"><code>pulsar-client</code></a> use the <code>conf/client.conf</code> file in a Pulsar installation.</p><p>When using command-line tools, you need to perform the following steps:</p><ol><li><p>Configure the <code>conf/client.conf</code> file.</p><div class="language-shell codeBlockContainer_Ckt0 theme-code-block" style="--prism-color:#F8F8F2;--prism-background-color:#282A36"><div class="codeBlockContent_biex"><pre tabindex="0" class="prism-code language-shell codeBlock_bY9V thin-scrollbar"><code class="codeBlockLines_e6Vv"><span class="token-line" style="color:#F8F8F2"><span class="token assign-left variable" style="color:rgb(189, 147, 249);font-style:italic">authPlugin</span><span class="token operator">=</span><span class="token plain">org.apache.pulsar.client.impl.auth.AuthenticationSasl</span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain"></span><span class="token assign-left variable" style="color:rgb(189, 147, 249);font-style:italic">authParams</span><span class="token operator">=</span><span class="token punctuation" style="color:rgb(248, 248, 242)">{</span><span class="token string" style="color:rgb(255, 121, 198)">"saslJaasClientSectionName"</span><span class="token builtin class-name" style="color:rgb(189, 147, 249)">:</span><span class="token string" style="color:rgb(255, 121, 198)">"PulsarClient"</span><span class="token plain">, </span><span class="token string" style="color:rgb(255, 121, 198)">"serverType"</span><span class="token builtin class-name" style="color:rgb(189, 147, 249)">:</span><span class="token 
string" style="color:rgb(255, 121, 198)">"broker"</span><span class="token punctuation" style="color:rgb(248, 248, 242)">}</span><br></span></code></pre><div class="buttonGroup__atx"><button type="button" aria-label="Copy code to clipboard" title="Copy" class="clean-btn"><span class="copyButtonIcons_eSgA" aria-hidden="true"><svg class="copyButtonIcon_y97N" viewBox="0 0 24 24"><path d="M19,21H8V7H19M19,5H8A2,2 0 0,0 6,7V21A2,2 0 0,0 8,23H19A2,2 0 0,0 21,21V7A2,2 0 0,0 19,5M16,1H4A2,2 0 0,0 2,3V17H4V3H16V1Z"></path></svg><svg class="copyButtonSuccessIcon_LjdS" viewBox="0 0 24 24"><path d="M21,7L9,19L3.5,13.5L4.91,12.09L9,16.17L19.59,5.59L21,7Z"></path></svg></span></button></div></div></div></li><li><p>Set JVM parameters for the <code>pulsar_jaas.conf</code> file and <code>krb5.conf</code> files with additional options.</p><div class="language-shell codeBlockContainer_Ckt0 theme-code-block" style="--prism-color:#F8F8F2;--prism-background-color:#282A36"><div class="codeBlockContent_biex"><pre tabindex="0" class="prism-code language-shell codeBlock_bY9V thin-scrollbar"><code class="codeBlockLines_e6Vv"><span class="token-line" style="color:#F8F8F2"><span class="token plain">-Djava.security.auth.login.config</span><span class="token operator">=</span><span class="token plain">/etc/pulsar/pulsar_jaas.conf -Djava.security.krb5.conf</span><span class="token operator">=</span><span class="token plain">/etc/pulsar/krb5.conf</span><br></span></code></pre><div class="buttonGroup__atx"><button type="button" aria-label="Copy code to clipboard" title="Copy" class="clean-btn"><span class="copyButtonIcons_eSgA" aria-hidden="true"><svg class="copyButtonIcon_y97N" viewBox="0 0 24 24"><path d="M19,21H8V7H19M19,5H8A2,2 0 0,0 6,7V21A2,2 0 0,0 8,23H19A2,2 0 0,0 21,21V7A2,2 0 0,0 19,5M16,1H4A2,2 0 0,0 2,3V17H4V3H16V1Z"></path></svg><svg class="copyButtonSuccessIcon_LjdS" viewBox="0 0 24 24"><path 
d="M21,7L9,19L3.5,13.5L4.91,12.09L9,16.17L19.59,5.59L21,7Z"></path></svg></span></button></div></div></div><p>You can add this at the end of <code>PULSAR_EXTRA_OPTS</code> in the file <a href="https://github.com/apache/pulsar/blob/master/conf/pulsar_tools_env.sh" target="_blank" rel="noopener noreferrer"><code>pulsar_tools_env.sh</code></a>, or add this line <code>OPTS="$OPTS -Djava.security.auth.login.config=/etc/pulsar/pulsar_jaas.conf -Djava.security.krb5.conf=/etc/pulsar/krb5.conf"</code> directly to the CLI tool script. These settings have the same meaning as in the Java client section.</p></li></ol><h2 class="anchor anchorWithStickyNavbar_LWe7" id="configure-kerberos-authentication-between-zookeeper-and-broker">Configure Kerberos authentication between ZooKeeper and broker<a href="#configure-kerberos-authentication-between-zookeeper-and-broker" class="hash-link" aria-label="Direct link to Configure Kerberos authentication between ZooKeeper and broker" title="Direct link to Configure Kerberos authentication between ZooKeeper and broker"></a></h2><p>The Pulsar broker acts as a Kerberos client when authenticating with ZooKeeper.</p><ol><li><p>Add the following settings to <code>conf/zookeeper.conf</code>.</p><div class="language-conf codeBlockContainer_Ckt0 theme-code-block" style="--prism-color:#F8F8F2;--prism-background-color:#282A36"><div class="codeBlockContent_biex"><pre tabindex="0" class="prism-code language-conf codeBlock_bY9V thin-scrollbar"><code class="codeBlockLines_e6Vv"><span class="token-line" style="color:#F8F8F2"><span class="token plain">authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider</span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain">requireClientAuthScheme=sasl</span><br></span></code></pre></div></div></li><li><p>Add a <code>Client</code> section to the <code>pulsar_jaas.conf</code> file that the Pulsar broker uses:</p><div class="codeBlockContainer_Ckt0 theme-code-block" style="--prism-color:#F8F8F2;--prism-background-color:#282A36"><div class="codeBlockContent_biex"><pre tabindex="0" class="prism-code language-text codeBlock_bY9V thin-scrollbar"><code class="codeBlockLines_e6Vv"><span class="token-line" style="color:#F8F8F2"><span class="token plain"> Client {</span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain"> com.sun.security.auth.module.Krb5LoginModule required</span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain"> useKeyTab=true</span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain"> storeKey=true</span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain"> useTicketCache=false</span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain"> keyTab="/etc/security/keytabs/pulsarbroker.keytab"</span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain"> principal="broker/localhost@EXAMPLE.COM";</span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain">};</span><br></span></code></pre></div></div><p>In this setting, the principal of the Pulsar broker and the keytab file indicate the role of brokers when they authenticate with ZooKeeper.</p></li></ol><p>For more information, see <a href="https://cwiki.apache.org/confluence/display/ZOOKEEPER/Client-Server+mutual+authentication" target="_blank" rel="noopener noreferrer">ZooKeeper document</a>.</p><h2 class="anchor anchorWithStickyNavbar_LWe7" id="configure-kerberos-authentication-for-bookkeeper-and-broker">Configure Kerberos authentication for BookKeeper and broker<a href="#configure-kerberos-authentication-for-bookkeeper-and-broker" class="hash-link" aria-label="Direct link to Configure Kerberos authentication for BookKeeper and broker" title="Direct link to Configure Kerberos authentication for BookKeeper and broker"></a></h2><p>The Pulsar broker acts as a Kerberos client when authenticating with a Bookie.</p><ol><li><p>Add the <code>bookkeeperClientAuthenticationPlugin</code> parameter to <code>broker.conf</code>.</p><div class="language-conf codeBlockContainer_Ckt0 theme-code-block" style="--prism-color:#F8F8F2;--prism-background-color:#282A36"><div class="codeBlockContent_biex"><pre tabindex="0" class="prism-code language-conf codeBlock_bY9V thin-scrollbar"><code class="codeBlockLines_e6Vv"><span class="token-line" style="color:#F8F8F2"><span class="token plain">bookkeeperClientAuthenticationPlugin=org.apache.bookkeeper.sasl.SASLClientProviderFactory</span><br></span></code></pre><div class="buttonGroup__atx"><button type="button" aria-label="Copy code to clipboard" title="Copy" class="clean-btn"><span class="copyButtonIcons_eSgA" aria-hidden="true"><svg class="copyButtonIcon_y97N" viewBox="0 0 24 24"><path 
d="M19,21H8V7H19M19,5H8A2,2 0 0,0 6,7V21A2,2 0 0,0 8,23H19A2,2 0 0,0 21,21V7A2,2 0 0,0 19,5M16,1H4A2,2 0 0,0 2,3V17H4V3H16V1Z"></path></svg><svg class="copyButtonSuccessIcon_LjdS" viewBox="0 0 24 24"><path d="M21,7L9,19L3.5,13.5L4.91,12.09L9,16.17L19.59,5.59L21,7Z"></path></svg></span></button></div></div></div><p><code>SASLClientProviderFactory</code> creates a BookKeeper SASL client in a broker, and the broker uses the created SASL client to authenticate with a Bookie node.</p></li><li><p>Add a section of <code>BookKeeper</code> configurations in the <code>pulsar_jaas.conf</code> file that broker/proxy uses.</p><div class="language-conf codeBlockContainer_Ckt0 theme-code-block" style="--prism-color:#F8F8F2;--prism-background-color:#282A36"><div class="codeBlockContent_biex"><pre tabindex="0" class="prism-code language-conf codeBlock_bY9V thin-scrollbar"><code class="codeBlockLines_e6Vv"><span class="token-line" style="color:#F8F8F2"><span class="token plain"> BookKeeper {</span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain"> com.sun.security.auth.module.Krb5LoginModule required</span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain"> useKeyTab=true</span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain"> storeKey=true</span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain"> useTicketCache=false</span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain"> keyTab="/etc/security/keytabs/pulsarbroker.keytab"</span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain"> principal="broker/localhost@EXAMPLE.COM";</span><br></span><span class="token-line" style="color:#F8F8F2"><span class="token plain">};</span><br></span></code></pre><div class="buttonGroup__atx"><button type="button" aria-label="Copy code to clipboard" title="Copy" class="clean-btn"><span 
class="copyButtonIcons_eSgA" aria-hidden="true"><svg class="copyButtonIcon_y97N" viewBox="0 0 24 24"><path d="M19,21H8V7H19M19,5H8A2,2 0 0,0 6,7V21A2,2 0 0,0 8,23H19A2,2 0 0,0 21,21V7A2,2 0 0,0 19,5M16,1H4A2,2 0 0,0 2,3V17H4V3H16V1Z"></path></svg><svg class="copyButtonSuccessIcon_LjdS" viewBox="0 0 24 24"><path d="M21,7L9,19L3.5,13.5L4.91,12.09L9,16.17L19.59,5.59L21,7Z"></path></svg></span></button></div></div></div><p>In this setting, the principal of Pulsar broker and keytab file indicates the role of brokers when you authenticate with Bookie.</p></li></ol><p>For more information, see <a href="https://bookkeeper.apache.org/docs/next/security/sasl/" target="_blank" rel="noopener noreferrer">BookKeeper document</a>.</p></div></article></div></div></div></div></main></div></div> |
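<p>The client, ZooKeeper and BookKeeper settings above only work when the section named in <code>saslJaasClientSectionName</code> and the <code>Client</code> and <code>BookKeeper</code> sections actually exist in <code>pulsar_jaas.conf</code>. The following Python lint is an added example, not part of the Pulsar documentation or code base; its function names, the sample inputs, and the owner-only keytab permission check are assumptions of this example.</p>

```python
"""Lint the Kerberos client settings from this page (added example, not Pulsar code)."""
import json
import os
import re
import stat

SASL_PLUGIN = "org.apache.pulsar.client.impl.auth.AuthenticationSasl"
KRB5_MODULE = "com.sun.security.auth.module.Krb5LoginModule"
SECTION_RE = re.compile(r"(\w+)\s*\{(.*?)\}\s*;", re.S)   # Name { ... };
OPTION_RE = re.compile(r'(\w+)\s*=\s*("[^"]*"|[^\s;]+)')  # key=value or key="value"

def parse_jaas(text):
    """Return {section: {module, options}}; handles one login module per section."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)   # drop block comments
    text = re.sub(r"^\s*//.*$", "", text, flags=re.M)   # drop line comments
    sections = {}
    for name, body in SECTION_RE.findall(text):
        words = body.split()
        sections[name] = {
            "module": words[0] if words else "",
            "options": {k: v.strip('"') for k, v in OPTION_RE.findall(body)},
        }
    return sections

def parse_properties(text):
    """Parse key=value lines as in conf/client.conf; '#' starts a comment line."""
    lines = (line.strip() for line in text.splitlines())
    pairs = (s.split("=", 1) for s in lines if "=" in s and not s.startswith("#"))
    return {key.strip(): value.strip() for key, value in pairs}

def check_section(name, sections):
    """Findings for one JAAS section; an empty list means nothing to fix."""
    section = sections.get(name)
    if section is None:
        return [f"JAAS section '{name}' is missing"]
    findings = []
    if section["module"] != KRB5_MODULE:
        findings.append(f"{name}: login module is not Krb5LoginModule")
    opts = section["options"]
    if opts.get("useKeyTab") == "true":
        for key in ("keyTab", "principal"):
            if not opts.get(key):
                findings.append(f"{name}: {key} is not set")
        keytab = opts.get("keyTab", "")
        # Assumption of this example: a keytab holds a long-term key, so owner-only.
        if keytab and os.path.exists(keytab):
            mode = stat.S_IMODE(os.stat(keytab).st_mode)
            if mode & 0o077:
                findings.append(f"{name}: keytab mode {mode:o} allows group/other access")
    return findings

def check_client(client_conf, jaas_conf):
    """Cross-check conf/client.conf against the JAAS file it points into."""
    props = parse_properties(client_conf)
    findings = []
    if props.get("authPlugin") != SASL_PLUGIN:
        findings.append("authPlugin is not AuthenticationSasl")
    try:
        params = json.loads(props.get("authParams", ""))
    except ValueError:
        params = None
    if not isinstance(params, dict):
        return findings + ["authParams is not a JSON object"]
    if params.get("serverType") not in ("broker", "proxy"):
        findings.append("serverType must be 'broker' or 'proxy'")
    section = params.get("saslJaasClientSectionName")
    if not section:
        findings.append("saslJaasClientSectionName is not set")
    else:
        findings += check_section(section, parse_jaas(jaas_conf))
    return findings

def check_broker(jaas_conf):
    """The broker needs the 'Client' (ZooKeeper) and 'BookKeeper' sections."""
    sections = parse_jaas(jaas_conf)
    return [f for name in ("Client", "BookKeeper") for f in check_section(name, sections)]

# Constructed sample input: layout follows the page, BookKeeper is left out on purpose.
SAMPLE_JAAS = """
PulsarClient {
   com.sun.security.auth.module.Krb5LoginModule required
   useKeyTab=true
   keyTab="/etc/security/keytabs/pulsarclient.keytab"
   principal="client/localhost@EXAMPLE.COM";
};
Client {
   com.sun.security.auth.module.Krb5LoginModule required
   useKeyTab=true
   keyTab="/etc/security/keytabs/pulsarbroker.keytab"
   principal="broker/localhost@EXAMPLE.COM";
};
"""
SAMPLE_CLIENT_CONF = (
    "authPlugin=org.apache.pulsar.client.impl.auth.AuthenticationSasl\n"
    'authParams={"saslJaasClientSectionName":"PulsarClient", "serverType":"broker"}\n')

if __name__ == "__main__":
    for finding in check_client(SAMPLE_CLIENT_CONF, SAMPLE_JAAS) + check_broker(SAMPLE_JAAS):
        print("FINDING:", finding)
```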