| # |
| # Licensed to the Apache Software Foundation (ASF) under one |
| # or more contributor license agreements. See the NOTICE file |
| # distributed with this work for additional information |
| # regarding copyright ownership. The ASF licenses this file |
| # to you under the Apache License, Version 2.0 (the |
| # "License"); you may not use this file except in compliance |
| # with the License. You may obtain a copy of the License at |
| # |
| # http://www.apache.org/licenses/LICENSE-2.0 |
| # |
| # Unless required by applicable law or agreed to in writing, |
| # software distributed under the License is distributed on an |
| # "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY |
| # KIND, either express or implied. See the License for the |
| # specific language governing permissions and limitations |
| # under the License. |
| # |
| |
| ### --- Broker Discovery --- ### |
| |
| # The ZooKeeper quorum connection string (as a comma-separated list) |
| zookeeperServers= |
| |
| # Configuration store connection string (as a comma-separated list) |
| configurationStoreServers= |
| |
| # if Service Discovery is Disabled this url should point to the discovery service provider. |
| brokerServiceURL= |
| brokerServiceURLTLS= |
| |
| # These settings are unnecessary if `zookeeperServers` is specified |
| brokerWebServiceURL= |
| brokerWebServiceURLTLS= |
| |
| # If function workers are setup in a separate cluster, configure the following 2 settings |
| # to point to the function workers cluster |
| functionWorkerWebServiceURL= |
| functionWorkerWebServiceURLTLS= |
| |
| # ZooKeeper session timeout (in milliseconds) |
| zookeeperSessionTimeoutMs=30000 |
| |
| # ZooKeeper cache expiry time in seconds |
| zooKeeperCacheExpirySeconds=300 |
| |
| ### --- Server --- ### |
| |
| # Hostname or IP address the service binds on, default is 0.0.0.0. |
| bindAddress=0.0.0.0 |
| |
| # Hostname or IP address the service advertises to the outside world. |
| # If not set, the value of `InetAddress.getLocalHost().getHostname()` is used. |
| advertisedAddress= |
| |
| # Enable or disable the HAProxy protocol. |
| haProxyProtocolEnabled=false |
| |
| # The port to use for server binary Protobuf requests |
| servicePort=6650 |
| |
| # The port to use to server binary Protobuf TLS requests |
| servicePortTls= |
| |
| # Port that discovery service listen on |
| webServicePort=8080 |
| |
| # Port to use to server HTTPS request |
| webServicePortTls= |
| |
| # Path for the file used to determine the rotation status for the proxy instance when responding |
| # to service discovery health checks |
| statusFilePath= |
| |
| # Proxy log level, default is 0. |
| # 0: Do not log any tcp channel info |
| # 1: Parse and log any tcp channel info and command info without message body |
| # 2: Parse and log channel info, command info and message body |
| proxyLogLevel=0 |
| |
| ### ---Authorization --- ### |
| |
| # Role names that are treated as "super-users," meaning that they will be able to perform all admin |
| # operations and publish/consume to/from all topics (as a comma-separated list) |
| superUserRoles= |
| |
| # Whether authorization is enforced by the Pulsar proxy |
| authorizationEnabled=false |
| |
| # Authorization provider as a fully qualified class name |
| authorizationProvider=org.apache.pulsar.broker.authorization.PulsarAuthorizationProvider |
| |
| # Whether client authorization credentials are forwared to the broker for re-authorization. |
| # Authentication must be enabled via authenticationEnabled=true for this to take effect. |
| forwardAuthorizationCredentials=false |
| |
| ### --- Authentication --- ### |
| |
| # Whether authentication is enabled for the Pulsar proxy |
| authenticationEnabled=false |
| |
| # Authentication provider name list (a comma-separated list of class names) |
| authenticationProviders= |
| |
| # When this parameter is not empty, unauthenticated users perform as anonymousUserRole |
| anonymousUserRole= |
| |
| ### --- Client Authentication --- ### |
| |
| # The three brokerClient* authentication settings below are for the proxy itself and determine how it |
| # authenticates with Pulsar brokers |
| |
| # The authentication plugin used by the Pulsar proxy to authenticate with Pulsar brokers |
| brokerClientAuthenticationPlugin= |
| |
| # The authentication parameters used by the Pulsar proxy to authenticate with Pulsar brokers |
| brokerClientAuthenticationParameters= |
| |
| # The path to trusted certificates used by the Pulsar proxy to authenticate with Pulsar brokers |
| brokerClientTrustCertsFilePath= |
| |
| # Whether TLS is enabled when communicating with Pulsar brokers |
| tlsEnabledWithBroker=false |
| |
| # Tls cert refresh duration in seconds (set 0 to check on every new connection) |
| tlsCertRefreshCheckDurationSec=300 |
| |
| ##### --- Rate Limiting --- ##### |
| |
| # Max concurrent inbound connections. The proxy will reject requests beyond that. |
| maxConcurrentInboundConnections=10000 |
| |
| # Max concurrent outbound connections. The proxy will error out requests beyond that. |
| maxConcurrentLookupRequests=50000 |
| |
| ##### --- TLS --- ##### |
| |
| # Deprecated - use servicePortTls and webServicePortTls instead |
| tlsEnabledInProxy=false |
| |
| # Path for the TLS certificate file |
| tlsCertificateFilePath= |
| |
| # Path for the TLS private key file |
| tlsKeyFilePath= |
| |
| # Path for the trusted TLS certificate file. |
| # This cert is used to verify that any certs presented by connecting clients |
| # are signed by a certificate authority. If this verification |
| # fails, then the certs are untrusted and the connections are dropped. |
| tlsTrustCertsFilePath= |
| |
| # Accept untrusted TLS certificate from client. |
| # If true, a client with a cert which cannot be verified with the |
| # 'tlsTrustCertsFilePath' cert will allowed to connect to the server, |
| # though the cert will not be used for client authentication. |
| tlsAllowInsecureConnection=false |
| |
| # Whether the hostname is validated when the proxy creates a TLS connection with brokers |
| tlsHostnameVerificationEnabled=false |
| |
| # Specify the tls protocols the broker will use to negotiate during TLS handshake |
| # (a comma-separated list of protocol names). |
| # Examples:- [TLSv1.2, TLSv1.1, TLSv1] |
| tlsProtocols= |
| |
| # Specify the tls cipher the broker will use to negotiate during TLS Handshake |
| # (a comma-separated list of ciphers). |
| # Examples:- [TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] |
| tlsCiphers= |
| |
| # Whether client certificates are required for TLS. Connections are rejected if the client |
| # certificate isn't trusted. |
| tlsRequireTrustedClientCertOnConnect=false |
| |
| ##### --- HTTP --- ##### |
| |
| # Http directs to redirect to non-pulsar services. |
| httpReverseProxyConfigs= |
| |
| # Http output buffer size. The amount of data that will be buffered for http requests |
| # before it is flushed to the channel. A larger buffer size may result in higher http throughput |
| # though it may take longer for the client to see data. |
| # If using HTTP streaming via the reverse proxy, this should be set to the minimum value, 1, |
| # so that clients see the data as soon as possible. |
| httpOutputBufferSize=32768 |
| |
| # Number of threads to use for HTTP requests processing. Default is |
| # 2 * Runtime.getRuntime().availableProcessors() |
| httpNumThreads= |
| |
| # Enable the enforcement of limits on the incoming HTTP requests |
| httpRequestsLimitEnabled=false |
| |
| # Max HTTP requests per seconds allowed. The excess of requests will be rejected with HTTP code 429 (Too many requests) |
| httpRequestsMaxPerSecond=100.0 |
| |
| |
| ### --- Token Authentication Provider --- ### |
| |
| ## Symmetric key |
| # Configure the secret key to be used to validate auth tokens |
| # The key can be specified like: |
| # tokenSecretKey=data:;base64,xxxxxxxxx |
| # tokenSecretKey=file:///my/secret.key ( Note: key file must be DER-encoded ) |
| tokenSecretKey= |
| |
| ## Asymmetric public/private key pair |
| # Configure the public key to be used to validate auth tokens |
| # The key can be specified like: |
| # tokenPublicKey=data:;base64,xxxxxxxxx |
| # tokenPublicKey=file:///my/public.key ( Note: key file must be DER-encoded ) |
| tokenPublicKey= |
| |
| # The token "claim" that will be interpreted as the authentication "role" or "principal" by AuthenticationProviderToken (defaults to "sub" if blank) |
| tokenAuthClaim= |
| |
| # The token audience "claim" name, e.g. "aud", that will be used to get the audience from token. |
| # If not set, audience will not be verified. |
| tokenAudienceClaim= |
| |
| # The token audience stands for this broker. The field `tokenAudienceClaim` of a valid token, need contains this. |
| tokenAudience= |
| |
| ### --- WebSocket config variables --- ### |
| |
| # Enable or disable the WebSocket servlet. |
| webSocketServiceEnabled=false |
| |
| # Name of the cluster to which this broker belongs to |
| clusterName= |
| |
| ### --- Deprecated config variables --- ### |
| |
| # Deprecated. Use configurationStoreServers |
| globalZookeeperServers= |
