| # |
| # Licensed to the Apache Software Foundation (ASF) under one |
| # or more contributor license agreements. See the NOTICE file |
| # distributed with this work for additional information |
| # regarding copyright ownership. The ASF licenses this file |
| # to you under the Apache License, Version 2.0 (the |
| # "License"); you may not use this file except in compliance |
| # with the License. You may obtain a copy of the License at |
| # |
| # http://www.apache.org/licenses/LICENSE-2.0 |
| # |
| # Unless required by applicable law or agreed to in writing, |
| # software distributed under the License is distributed on an |
| # "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY |
| # KIND, either express or implied. See the License for the |
| # specific language governing permissions and limitations |
| # under the License. |
| # |
| |
| ### --- Broker Discovery --- ### |
| # The metadata store URL |
| # Examples: |
| # * zk:my-zk-1:2181,my-zk-2:2181,my-zk-3:2181 |
| # * my-zk-1:2181,my-zk-2:2181,my-zk-3:2181 (will default to ZooKeeper when the schema is not specified) |
| # * zk:my-zk-1:2181,my-zk-2:2181,my-zk-3:2181/my-chroot-path (to add a ZK chroot path) |
| metadataStoreUrl= |
| |
| # The metadata store URL for the configuration data. If empty, we fall back to use metadataStoreUrl |
| configurationMetadataStoreUrl= |
| |
| # If does not set metadataStoreUrl or configurationMetadataStoreUrl, this url should point to the discovery service |
| # provider, and does not support multi urls yet. |
| # The URL must begin with pulsar:// for plaintext or with pulsar+ssl:// for TLS. |
| brokerServiceURL= |
| brokerServiceURLTLS= |
| |
| # If does not set metadataStoreUrl or configurationMetadataStoreUrl, this url should point to the discovery service |
| # provider, and does not support multi urls yet. |
| brokerWebServiceURL= |
| brokerWebServiceURLTLS= |
| |
| # If function workers are setup in a separate cluster, configure the following 2 settings. This url should point to |
| # the discovery service provider of the function workers cluster, and does not support multi urls yet. |
| functionWorkerWebServiceURL= |
| functionWorkerWebServiceURLTLS= |
| |
| # Metadata store session timeout in milliseconds |
| metadataStoreSessionTimeoutMillis=30000 |
| |
| # Metadata store cache expiry time in seconds |
| metadataStoreCacheExpirySeconds=300 |
| |
| ### --- Server --- ### |
| |
| # Hostname or IP address the service binds on, default is 0.0.0.0. |
| bindAddress=0.0.0.0 |
| |
| # Hostname or IP address the service advertises to the outside world. |
| # If not set, the value of `InetAddress.getLocalHost().getCanonicalHostName()` is used. |
| advertisedAddress= |
| |
| # Enable or disable the HAProxy protocol. |
| # If true, the real IP addresses of consumers and producers can be obtained when getting topic statistics data. |
| haProxyProtocolEnabled=false |
| |
| # Enables zero-copy transport of data across network interfaces using the splice system call. |
| # Zero copy mode cannot be used when TLS is enabled or when proxyLogLevel is > 0. |
| proxyZeroCopyModeEnabled=true |
| |
| # The port to use for server binary Protobuf requests |
| servicePort=6650 |
| |
| # The port to use to server binary Protobuf TLS requests |
| servicePortTls= |
| |
| # Port that discovery service listen on |
| webServicePort=8080 |
| |
| # Port to use to server HTTPS request |
| webServicePortTls= |
| |
| # Number of threads used for Netty IO. Default is set to `2 * Runtime.getRuntime().availableProcessors()` |
| numIOThreads= |
| |
| # Number of threads used for Netty Acceptor. Default is set to `1` |
| numAcceptorThreads= |
| |
| ### --- TLS config variables --- ### |
| ## Note that some of the above TLS configs also apply to the KeyStore TLS configuration. |
| |
| # Specify the TLS provider for the broker service: |
| # When using TLS authentication with CACert, the valid value is either OPENSSL or JDK. |
| # When using TLS authentication with KeyStore, available values can be SunJSSE, Conscrypt and etc. |
| tlsProvider= |
| |
| # Specify the TLS provider for the web service, available values can be SunJSSE, Conscrypt and etc. |
| webServiceTlsProvider=Conscrypt |
| |
| # Enable TLS with KeyStore type configuration in proxy. |
| tlsEnabledWithKeyStore=false |
| |
| # TLS KeyStore type configuration in proxy: JKS, PKCS12 |
| tlsKeyStoreType=JKS |
| |
| # TLS KeyStore path in proxy |
| tlsKeyStore= |
| |
| # TLS KeyStore password for proxy |
| tlsKeyStorePassword= |
| |
| # TLS TrustStore type configuration in proxy: JKS, PKCS12 |
| tlsTrustStoreType=JKS |
| |
| # TLS TrustStore path in proxy |
| tlsTrustStore= |
| |
| # TLS TrustStore password in proxy, default value is empty password |
| tlsTrustStorePassword= |
| |
| # Specify the tls protocols the proxy's web service will use to negotiate during TLS handshake |
| # (a comma-separated list of protocol names). |
| # Examples: |
| # webServiceTlsProtocols=TLSv1.3,TLSv1.2 |
| webServiceTlsProtocols= |
| |
| # Specify the tls cipher the proxy will use to negotiate during TLS Handshake |
| # (a comma-separated list of ciphers). |
| # Examples: |
| # webServiceTlsCiphers=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 |
| webServiceTlsCiphers= |
| |
| # Allowed broker target ports |
| brokerProxyAllowedTargetPorts=6650,6651 |
| |
| # Path for the file used to determine the rotation status for the proxy instance when responding |
| # to service discovery health checks |
| statusFilePath= |
| |
| # Proxy log level, default is 0. |
| # 0: Do not log any tcp channel info |
| # 1: Parse and log any tcp channel info and command info without message body |
| # 2: Parse and log channel info, command info and message body |
| proxyLogLevel=0 |
| |
| ### ---Authorization --- ### |
| |
| # Role names that are treated as "super-users," meaning that they will be able to perform all admin |
| # operations and publish/consume to/from all topics (as a comma-separated list) |
| superUserRoles= |
| |
| # Whether authorization is enforced by the Pulsar proxy |
| authorizationEnabled=false |
| |
| # Authorization provider as a fully qualified class name |
| authorizationProvider=org.apache.pulsar.broker.authorization.PulsarAuthorizationProvider |
| |
| # Whether client authorization credentials are forwarded to the broker for re-authorization. |
| # Authentication must be enabled via authenticationEnabled=true for this to take effect. |
| forwardAuthorizationCredentials=false |
| |
| ### --- Authentication --- ### |
| |
| # Whether authentication is enabled for the Pulsar proxy |
| authenticationEnabled=false |
| |
| # Authentication provider name list (a comma-separated list of class names) |
| authenticationProviders= |
| |
| # When this parameter is not empty, unauthenticated users perform as anonymousUserRole |
| anonymousUserRole= |
| |
| ### --- Client Authentication --- ### |
| |
| # The three brokerClient* authentication settings below are for the proxy itself and determine how it |
| # authenticates with Pulsar brokers |
| |
| # The authentication plugin used by the Pulsar proxy to authenticate with Pulsar brokers |
| brokerClientAuthenticationPlugin= |
| |
| # The authentication parameters used by the Pulsar proxy to authenticate with Pulsar brokers |
| brokerClientAuthenticationParameters= |
| |
| # The path to trusted certificates used by the Pulsar proxy to authenticate with Pulsar brokers |
| brokerClientTrustCertsFilePath= |
| |
| # Whether TLS is enabled when communicating with Pulsar brokers |
| tlsEnabledWithBroker=false |
| |
| # Tls cert refresh duration in seconds (set 0 to check on every new connection) |
| tlsCertRefreshCheckDurationSec=300 |
| |
| # You can add extra configuration options for the Pulsar Client |
| # by prefixing them with "brokerClient_". These configurations are applied after hard coded configuration |
| # and before the above brokerClient configurations named above. |
| |
| ##### --- Rate Limiting --- ##### |
| |
| # Max concurrent inbound connections. The proxy will reject requests beyond that. |
| maxConcurrentInboundConnections=10000 |
| |
| # Max concurrent inbound connections per IP, The proxy will reject requests beyond that. |
| maxConcurrentInboundConnectionsPerIp=0 |
| |
| # Max concurrent outbound connections. The proxy will error out requests beyond that. |
| maxConcurrentLookupRequests=50000 |
| |
| ##### --- TLS --- ##### |
| |
| # Deprecated - use servicePortTls and webServicePortTls instead |
| tlsEnabledInProxy=false |
| |
| # Path for the TLS certificate file |
| tlsCertificateFilePath= |
| |
| # Path for the TLS private key file |
| tlsKeyFilePath= |
| |
| # Path for the trusted TLS certificate file. |
| # This cert is used to verify that any certs presented by connecting clients |
| # are signed by a certificate authority. If this verification |
| # fails, then the certs are untrusted and the connections are dropped. |
| tlsTrustCertsFilePath= |
| |
| # Accept untrusted TLS certificate from client. |
| # If true, a client with a cert which cannot be verified with the |
| # 'tlsTrustCertsFilePath' cert will allowed to connect to the server, |
| # though the cert will not be used for client authentication. |
| tlsAllowInsecureConnection=false |
| |
| # Whether the hostname is validated when the proxy creates a TLS connection with brokers |
| tlsHostnameVerificationEnabled=false |
| |
| # Specify the tls protocols the broker will use to negotiate during TLS handshake |
| # (a comma-separated list of protocol names). |
| # Examples: |
| # tlsProtocols=TLSv1.3,TLSv1.2 |
| tlsProtocols= |
| |
| # Specify the tls cipher the broker will use to negotiate during TLS Handshake |
| # (a comma-separated list of ciphers). |
| # Examples: |
| # tlsCiphers=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 |
| tlsCiphers= |
| |
| # Whether client certificates are required for TLS. Connections are rejected if the client |
| # certificate isn't trusted. |
| tlsRequireTrustedClientCertOnConnect=false |
| |
| ##### --- HTTP --- ##### |
| |
| # Http directs to redirect to non-pulsar services. |
| httpReverseProxyConfigs= |
| |
| # Http output buffer size. The amount of data that will be buffered for http requests |
| # before it is flushed to the channel. A larger buffer size may result in higher http throughput |
| # though it may take longer for the client to see data. |
| # If using HTTP streaming via the reverse proxy, this should be set to the minimum value, 1, |
| # so that clients see the data as soon as possible. |
| httpOutputBufferSize=32768 |
| |
| # Number of threads to use for HTTP requests processing. Default is |
| # 2 * Runtime.getRuntime().availableProcessors() |
| httpNumThreads= |
| |
| # Enable the enforcement of limits on the incoming HTTP requests |
| httpRequestsLimitEnabled=false |
| |
| # Max HTTP requests per seconds allowed. The excess of requests will be rejected with HTTP code 429 (Too many requests) |
| httpRequestsMaxPerSecond=100.0 |
| |
| # Capacity for thread pool queue in the HTTP server |
| httpServerThreadPoolQueueSize=8192 |
| |
| # Capacity for accept queue in the HTTP server |
| httpServerAcceptQueueSize=8192 |
| |
| # Maximum number of inbound http connections. (0 to disable limiting) |
| maxHttpServerConnections=2048 |
| |
| # Max concurrent web requests |
| maxConcurrentHttpRequests=1024 |
| |
| # The maximum size in bytes of the request header. Larger headers will allow for more and/or larger cookies plus larger |
| # form content encoded in a URL.However, larger headers consume more memory and can make a server more vulnerable to |
| # denial of service attacks. |
| httpMaxRequestHeaderSize = 8192 |
| |
| ## Configure the datasource of basic authenticate, supports the file and Base64 format. |
| # file: |
| # basicAuthConf=/path/my/.htpasswd |
| # use Base64 to encode the contents of .htpasswd: |
| # basicAuthConf=YOUR-BASE64-DATA |
| basicAuthConf= |
| |
| ### --- Token Authentication Provider --- ### |
| |
| ## Symmetric key |
| # Configure the secret key to be used to validate auth tokens |
| # The key can be specified like: |
| # tokenSecretKey=data:;base64,xxxxxxxxx |
| # tokenSecretKey=file:///my/secret.key ( Note: key file must be DER-encoded ) |
| tokenSecretKey= |
| |
| ## Asymmetric public/private key pair |
| # Configure the public key to be used to validate auth tokens |
| # The key can be specified like: |
| # tokenPublicKey=data:;base64,xxxxxxxxx |
| # tokenPublicKey=file:///my/public.key ( Note: key file must be DER-encoded ) |
| tokenPublicKey= |
| |
| # The token "claim" that will be interpreted as the authentication "role" or "principal" by AuthenticationProviderToken (defaults to "sub" if blank) |
| tokenAuthClaim= |
| |
| # The token audience "claim" name, e.g. "aud", that will be used to get the audience from token. |
| # If not set, audience will not be verified. |
| tokenAudienceClaim= |
| |
| # The token audience stands for this broker. The field `tokenAudienceClaim` of a valid token, need contains this. |
| tokenAudience= |
| |
| ### --- SASL Authentication Provider --- ### |
| |
| # This is a regexp, which limits the range of possible ids which can connect to the Broker using SASL. |
| # Default value: `SaslConstants.JAAS_CLIENT_ALLOWED_IDS_DEFAULT`, which is ".*pulsar.*", |
| # so only clients whose id contains 'pulsar' are allowed to connect. |
| saslJaasClientAllowedIds=.*pulsar.* |
| |
| # Service Principal, for login context name. |
| # Default value `SaslConstants.JAAS_DEFAULT_PROXY_SECTION_NAME`, which is "PulsarProxy". |
| saslJaasServerSectionName=PulsarProxy |
| |
| # Path to file containing the secret to be used to SaslRoleTokenSigner |
| # The Path can be specified like: |
| # saslJaasServerRoleTokenSignerSecretPath=file:///my/saslRoleTokenSignerSecret.key |
| saslJaasServerRoleTokenSignerSecretPath= |
| |
| ### --- WebSocket config variables --- ### |
| |
| # Enable or disable the WebSocket servlet. |
| webSocketServiceEnabled=false |
| |
| # Name of the cluster to which this broker belongs to |
| clusterName= |
| |
| |
| ### --- Proxy Extensions |
| |
| # List of proxy extensions to load, which is a list of extension names |
| #proxyExtensions= |
| |
| # The directory to locate extensions |
| #proxyExtensionsDirectory= |
| |
| ### --- Deprecated config variables --- ### |
| |
| # Deprecated. Use configurationStoreServers |
| globalZookeeperServers= |
| |
| # The ZooKeeper quorum connection string (as a comma-separated list) |
| zookeeperServers= |
| |
| # Configuration store connection string (as a comma-separated list) |
| configurationStoreServers= |
| |
| # ZooKeeper session timeout (in milliseconds) |
| # Deprecated: use metadataStoreSessionTimeoutMillis |
| zookeeperSessionTimeoutMs=-1 |
| |
| # ZooKeeper cache expiry time in seconds |
| # Deprecated: use metadataStoreCacheExpirySeconds |
| zooKeeperCacheExpirySeconds=-1 |
| |
| ### --- Metrics --- ### |
| |
| # Whether to enable the proxy's /metrics and /proxy-stats http endpoints |
| enableProxyStatsEndpoints=true |
| # Whether the '/metrics' endpoint requires authentication. Defaults to true |
| authenticateMetricsEndpoint=true |
| # Time in milliseconds that metrics endpoint would time out. Default is 30s. |
| # Set it to 0 to disable timeout. |
| metricsServletTimeoutMs=30000 |
| |