Authentication and authorization in Pulsar

    The role tokens with the most privileges are the superusers. The superusers can create and destroy tenants, along with having full access to all tenant resources.

    当超级用户创建一个租户时,该租户就会拥有一个管理员角色。 A client with the admin role token can then create, modify and destroy namespaces, and grant and revoke permissions to other role tokens on those namespaces.

    你可以在 broker 的()配置文件中启用授权并分配 superusers。

    特别的是,超级用户角色可以给管理员,客户端,以及 broker 到 broker间的访问进行授权。 当你使用 跨地域复制 时,每个 broker 需要拥有能发布到集群中的所有其它主题的权限。

    你也可以在代理配置文件(conf/proxy.conf)中启用代理授权。 一旦你启用代理上的授权,代理将在将请求转发给 broker 之前进行额外的授权检查。 如果 broker 上启用授权机制,当 broker 收到转发的请求时,broker 会校验该请求是否获得授权。

    Pulsar uses Proxy roles to enable the authentication. Proxy roles are specified in the broker configuration file, . If a client that is authenticated with a broker is one of its proxyRoles, all requests from that client must also carry information about the role of the client that is authenticated with the proxy. This information is called the original principal. If the original principal is absent, the client is not able to access anything.

    You must authorize both the proxy role and the original principal to access a resource to ensure that the resource is accessible via the proxy. Administrators can take two approaches to authorize the proxy role and the original principal.

    The more secure approach is to grant access to the proxy roles each time you grant access to a resource. For example, if you have a proxy role named proxy1, when the superuser creates a tenant, you should specify proxy1 as one of the admin roles. 当一个角色被授予向/从命名空间生产/消费时,如果客户端想通过代理进行生产或消费,你应该也给 proxy1 授予相同的权限。

    Another approach is to make the proxy role a superuser. 这允许代理访问所有资源。 The client still needs to authenticate with the proxy, and all requests made through the proxy have their role downgraded to the original principal of the authenticated client. However, if the proxy is compromised, a bad actor could get full access to your cluster.

    你可以在 conf/broker.conf 中指定角色为代理角色。

    3. # if you want to allow superusers to use the proxy (see above)
    4. superUserRoles=my-super-user-1,my-super-user-2,my-proxy-role

    管理租户

    Pulsar 实例 管理员或某种自助门户通常会提供一个 Pulsar 。

    以下是租户创建命令的示范:

    此命令会创建一个新租户 my-tenant,并允许它使用 us-westus-east 集群。

    成功自识别为拥有 角色的客户端可以在这个租户上执行所有的管理型任务。

    The structure of topic names in Pulsar reflects the hierarchy between tenants, clusters, and namespaces:

      You can use Pulsar Admin Tools for managing permission in Pulsar.

      To use TLS:

      1. PulsarAdmin admin = PulsarAdmin.builder()
      2.                     .serviceHttpUrl("https://broker:8080")
      3.                     .authentication("com.org.MyAuthPluginClass", "param1:value1")
      4.                     .tlsTrustCertsFilePath("/path/to/trust/cert")
      5.                     .build();