The role tokens with the most privileges are the superusers. The superusers can create and destroy tenants, along with having full access to all tenant resources.
When a superuser creates a tenant, an admin role is assigned to that tenant. A client with the admin role token can then create, modify and destroy namespaces, and grant and revoke permissions to other role tokens on those namespaces.
You enable authorization and assign superusers in the broker configuration file.
In particular, the superuser role is used not only for administrators and clients but also for broker-to-broker authorization. When you use geo-replication, every broker needs to be able to publish to the topics of all the other clusters.
You can also enable authorization on the proxy, in the proxy configuration file (conf/proxy.conf). Once authorization is enabled on the proxy, the proxy performs an additional authorization check before forwarding a request to a broker. The broker still checks the authorization of the request when it receives the forwarded request, so the proxy check is a second layer, not a replacement.
Pulsar uses proxy roles to make this work. Proxy roles are specified in the broker configuration file (the proxyRoles setting shown below). If a client that authenticates with a broker is one of its proxyRoles, every request from that client must also carry the role of the client that authenticated with the proxy. This information is called the original principal. If the original principal is missing, the client cannot access anything.
For a resource to be accessible through the proxy, both the proxy role and the original principal must be authorized to access it. Administrators can take two approaches to authorizing the proxy role and the original principal.
The more secure approach is to grant access to the proxy roles each time you grant access to a resource. For example, if you have a proxy role called proxy1, then when a superuser creates a tenant you should specify proxy1 as an admin role. When a role is granted permission to produce to or consume from a namespace, and clients holding that role will produce or consume through the proxy, you should grant proxy1 the same permissions.
Another approach is to make the proxy role a superuser. This allows the proxy to access all resources. The client still needs to authenticate with the proxy, and all requests made through the proxy have their role downgraded to the original principal of the authenticated client. However, if the proxy is compromised, a bad actor gets full access to your cluster, because the proxy role itself passes every authorization check.
You designate a role as a proxy role in conf/broker.conf:

    proxyRoles=my-proxy-role

    # if you want to allow superusers to use the proxy (see above)
    superUserRoles=my-proxy-role
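The two approaches from the text, placed side by side as an added configuration example (not the page's own snippet), using settings from conf/broker.conf and conf/proxy.conf. The role name cluster-admin is an assumption; my-proxy-role comes from the text.

```properties
# conf/broker.conf (excerpt)
authenticationEnabled=true
authorizationEnabled=true

# Roles that bypass every authorization check. Keep this list short
# (cluster-admin is a hypothetical name for the human/automation admin).
superUserRoles=cluster-admin

# Connections authenticated as one of these roles must carry an
# original principal; the broker authorizes BOTH the proxy role and
# the original principal for each request.
proxyRoles=my-proxy-role

# Safer approach: my-proxy-role is NOT a superuser. It must be granted
# access per tenant/namespace, alongside the application roles.
#
# Less safe alternative from the text: make the proxy a superuser.
# A compromised proxy then has full access to the cluster.
# superUserRoles=cluster-admin,my-proxy-role

# conf/proxy.conf (excerpt)
authenticationEnabled=true
# Extra authorization check on the proxy before a request is forwarded.
authorizationEnabled=true
# Forward the client's authentication data to the broker so the broker
# can verify the original principal itself rather than trusting the
# proxy's claim (assumed to be the desired setting in this deployment).
forwardAuthorizationCredentials=true
```

A quick check after restarting the broker: a client that authenticates as my-proxy-role without supplying an original principal should be refused on every topic, and a client that authenticates directly as cluster-admin should still succeed.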
Administering tenants
A Pulsar tenant is typically provisioned by a Pulsar instance administrator or by some kind of self-service portal.
Here is an example of a tenant creation command:
This command creates a new tenant, my-tenant, and allows it to use the clusters named on the command line (us-east among them).
A client that successfully identifies itself as holding the my-admin-role role can perform all administrative tasks on this tenant.
The structure of topic names in Pulsar reflects the hierarchy between tenants, clusters, and namespaces:
persistent://tenant/namespace/topic
You can use the Pulsar Admin Tools for managing permissions in Pulsar.
To use TLS:
    import org.apache.pulsar.client.admin.PulsarAdmin;

    PulsarAdmin admin = PulsarAdmin.builder()
        .serviceHttpUrl("https://broker:8080")                  // HTTPS admin endpoint
        .authentication("com.org.MyAuthPluginClass", "param1:value1")
        .tlsTrustCertsFilePath("/path/to/ca.cert.pem")           // CA that signed the broker cert (placeholder path)
        .build();
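The provisioning sequence the page describes, carried through as one added Java example against the Pulsar admin client API: create a tenant with admin roles, create a namespace in it, and grant the proxy role exactly the same permissions as the application role (the "more secure approach" above). This is not code from the page or from the Pulsar project. The names proxy1, my-admin-role, my-tenant and us-east come from the text; the application role app-orders, the namespace my-tenant/orders, the CA path and the authentication parameters are assumptions, and TenantInfo.builder() assumes a Pulsar 2.8 or later client library.

```java
import java.util.Map;
import java.util.Set;

import org.apache.pulsar.client.admin.PulsarAdmin;
import org.apache.pulsar.common.policies.data.AuthAction;
import org.apache.pulsar.common.policies.data.TenantInfo;

/**
 * Provisions a tenant and namespace so that an application can reach it
 * through a proxy WITHOUT the proxy being a superuser: the proxy role is
 * granted the same rights as the application role, nothing more.
 */
public class ProvisionTenantThroughProxy {

    // Names taken from the text.
    static final String PROXY_ROLE = "proxy1";
    static final String TENANT_ADMIN_ROLE = "my-admin-role";
    static final String TENANT = "my-tenant";
    static final String CLUSTER = "us-east";
    // Hypothetical names chosen for this example.
    static final String APP_ROLE = "app-orders";
    static final String NAMESPACE = TENANT + "/orders";

    public static void main(String[] args) throws Exception {
        // Tenant creation needs a superuser, so this client must authenticate
        // with a superuser role (plugin class and params are placeholders).
        try (PulsarAdmin admin = PulsarAdmin.builder()
                .serviceHttpUrl("https://broker:8080")
                .authentication("com.org.MyAuthPluginClass", "param1:value1")
                .tlsTrustCertsFilePath("/path/to/ca.cert.pem") // placeholder path
                .build()) {

            // 1. Tenant: list the proxy role as an admin role next to the real
            //    admin, so administrative calls made through the proxy pass
            //    the check on both the proxy role and the original principal.
            TenantInfo tenant = TenantInfo.builder()
                    .adminRoles(Set.of(TENANT_ADMIN_ROLE, PROXY_ROLE))
                    .allowedClusters(Set.of(CLUSTER))
                    .build();
            admin.tenants().createTenant(TENANT, tenant);

            // 2. Namespace inside the tenant, pinned to the allowed cluster.
            admin.namespaces().createNamespace(NAMESPACE, Set.of(CLUSTER));

            // 3. Grant produce/consume to the application role ...
            Set<AuthAction> actions = Set.of(AuthAction.produce, AuthAction.consume);
            admin.namespaces().grantPermissionOnNamespace(NAMESPACE, APP_ROLE, actions);
            // ... and the SAME actions to the proxy role. If this grant is
            //     omitted, requests through the proxy fail even though the
            //     original principal (APP_ROLE) is authorized.
            admin.namespaces().grantPermissionOnNamespace(NAMESPACE, PROXY_ROLE, actions);

            // 4. Read the grants back: a cheap check that nothing broader than
            //    produce/consume was handed to the proxy role.
            Map<String, Set<AuthAction>> perms = admin.namespaces().getPermissions(NAMESPACE);
            perms.forEach((role, granted) -> System.out.println(role + " -> " + granted));
        }
    }
}
```

Revoking access later is symmetric: revoking the application role is enough to stop that client, but remember that the proxy role's grant remains and must be revoked separately when the proxy no longer needs to reach that namespace.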