Pulsar supports a pluggable authentication mechanism and a broker can be configured to support multiple authentication sources.
The role of the Authentication provider implementation is to establish the identity of the client, in the form of a role token. This role token is then used to verify whether this client is allowed to publish or consume on a certain topic.
In addition to provide connection encryption between pulsar clients and broker, TLS can be used to identify the client through a certificate signed by a trusted certificate authority.
Note: Unlike the rest of the Pulsar code, the TLS auth provider is not being used in production at Yahoo. Please report any issues encountered in using it.
The first step is to create the certificate for the CA. The CA will be used to signed both the broker and clients certificates, to ensure each party will trust the others.
# On Linux systems:
$ CA.pl -newca
# On MacOSX
$ /System/Library/OpenSSL/misc/CA.pl -newcaAfter answering the questions, this will leave the CA related files
under ./demoCA directory
demoCA/cacert.pemis the public certificate. It is meant to be distributed to all the parties involved.demoCA/private/cakey.pemis the private key. This is only needed when signing a new certificate for either broker or clients and it must be guarded safely.
Now we can create certificate requests and sign them with the CA.
These commands will ask a few questions and create the certificates. When asked
for the common name, you need to match the hostname of the broker. You could also
use a wildcard to match a group of broker hostnames, eg: *.broker.usw.example.com,
so that the same certificate can be reused in multiple machines.
$ openssl req -newkey rsa:2048 -sha256 -nodes -out broker-cert.csr -outform PEM
# Convert key to PKCS#8 format
$ openssl pkcs8 -topk8 -inform PEM -outform PEM -in privkey.pem -out broker-key.pem -nocryptThis will create a broker certificate request files named
broker-cert.csr and broker-key.pem.
We can now proceed to create the signed certificate:
$ openssl ca -out broker-cert.pem -infiles broker-cert.csrAt this point, we have the broker-cert.pem and broker-key.pem that
are needed for the broker.
Repeat the same steps did for the broker and create a client-cert.pem
and client-key.pem files.
For client common name you need to use a string you intend to use as the role token for this client, though it doesn't need to match the client hostname.
To configure TLS authentication in Pulsar broker in conf/broker.conf:
tlsEnabled=true
tlsCertificateFilePath=/path/to/broker-cert.pem
tlsKeyFilePath=/path/to/broker-key.pem
tlsTrustCertsFilePath=/path/to/cacert.pem
# Add TLS auth provider
authenticationEnabled=true
authorizationEnabled=true
authenticationProviders=com.yahoo.pulsar.broker.authentication.AuthenticationProviderTlsSince discovery service is redirecting the HTTPS requests, it needs to be trusted
by the client as well. Add TLS configuration in in conf/discovery.conf:
tlsEnabled=true
tlsCertificateFilePath=/path/to/broker-cert.pem
tlsKeyFilePath=/path/to/broker-key.pemClientConfiguration conf = new ClientConfiguration();
conf.setUseTls(true);
conf.setTlsTrustCertsFilePath("/path/to/cacert.pem");
Map<String, String> authParams = new HashMap<>();
authParams.put("tlsCertFile", "/path/to/client-cert.pem");
authParams.put("tlsKeyFile", "/path/to/client-cert.pem");
conf.setAuthentication(AuthenticationTls.class.getName(), authParams);
PulsarClient client = PulsarClient.create(
"https://my-broker.com:4443", conf);Command line tools like pulsar-admin, pulsar-perf and pulsar-client use the conf/client.conf config file and we can
add there the authentication parameters:
serviceUrl=https://broker.example.com:8443/
authPlugin=com.yahoo.pulsar.client.impl.auth.AuthenticationTls
authParams=tlsCertFile:/path/to/client-cert.pem,tlsKeyFile:/path/to/client-cert.pem
useTls=true
tlsAllowInsecureConnection=false
tlsTrustCertsFilePath=/path/to/cacert.pem