I. Token Authentication Overview
Pulsar supports authenticating clients with security tokens based on JSON Web Tokens (RFC-7519).
A token identifies a Pulsar client and is associated with a role; the role is then granted permission to perform certain operations (for example, publishing to or consuming from a topic).
Clients and administrators typically use a token string to connect.
JWT supports two kinds of keys for generating and validating tokens:
Symmetric key
A single secret key is used for both generating and validating tokens
Asymmetric keys: a key pair consisting of a private key and a public key
The private key is used to generate tokens
The public key is used to validate tokens
II. First, generate the super administrator token
The following example uses a symmetric key (Pulsar 2.4.2).
1 Create the key
$ bin/pulsar tokens create-secret-key --output my-secret.ke
To generate a Base64-encoded key:
$ bin/pulsar tokens create-secret-key --output /data/apache-pulsar-2.4.2/my-secret.key --base64
2 Generate a token (note: the first token generated is for the superUserRoles role)
A token is associated with a user's credentials; the association is made through the "role".
The following command generates a token for the test-user role:
bin/pulsar tokens create --secret-key file:///data/apache-pulsar-2.4.2/my-secret.key \
--subject test-user
After executing this command, the token for this role is printed to the screen. Record this token; it is used later in the client configuration.
Assume the generated token is: eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ0ZXN0LXVzZXIifQ.9OHgE9ZUDeBTZs7nSMEFIuGNEX18FLR3qvy8mqxSxXw
3 Enable token authentication on the brokers
Configure broker.conf:
authenticationEnabled=true
authorizationEnabled=true
authenticationProviders=org.apache.pulsar.broker.authentication.AuthenticationProviderToken
tokenSecretKey=file:///data/apache-pulsar-2.4.2/my-secret.key
# Super user roles have the highest authority; separate multiple roles with commas
superUserRoles=test-user
brokerClientAuthenticationPlugin=org.apache.pulsar.client.impl.auth.AuthenticationToken
brokerClientAuthenticationParameters=token:eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ0ZXN0LXVzZXIifQ.9OHgE9ZUDeBTZs7nSMEFIuGNEX18FLR3qvy8mqxSxXw
4 Restart the broker; the broker service now starts with token authentication enabled
Running $ pulsar-admin tenants list at this point reports that you do not have permission.
5 Configure client.conf so that the command-line tools have permission
authPlugin=org.apache.pulsar.client.impl.auth.AuthenticationToken
# The token configured here is the super administrator token generated above
authParams=token:eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ0ZXN0LXVzZXIifQ.9OHgE9ZUDeBTZs7nSMEFIuGNEX18FLR3qvy8mqxSxXw
6 After restarting the broker, the command-line tools can be used normally
7 Java client authentication
import org.apache.pulsar.client.api.AuthenticationFactory;
import org.apache.pulsar.client.api.PulsarClient;
PulsarClient client = PulsarClient.builder()
    .serviceUrl("pulsar://192.168.1.48:6650/")
    .authentication(AuthenticationFactory.token("eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ0ZXN0LXVzZXIifQ.9OHgE9ZUDeBTZs7nSMEFIuGNEX18FLR3qvy8mqxSxXw"))
    .build();
III. Generate a regular-user token for clients to use
1 Generate a token for a new role (test-user1)
bin/pulsar tokens create --secret-key file:///data/apache-pulsar-2.4.2/my-secret.key \
--subject test-user1
Assume the generated token is (eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ0ZXN0LXVzZXIxIn0.HHpjQYfqqdUSN_iAw79qjsPqHyPFvscvGUANvjQNEOo)
2 Authorization
bin/pulsar-admin namespaces grant-permission my-tenant/my-namespace \
--role test-user1 \
--actions produce,consume
3 Java client authentication; if messages can be sent and received normally, the configuration succeeded
PulsarClient client = PulsarClient.builder()
    .serviceUrl("pulsar://192.168.1.48:6650/")
    .authentication(AuthenticationFactory.token("eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ0ZXN0LXVzZXIxIn0.HHpjQYfqqdUSN_iAw79qjsPqHyPFvscvGUANvjQNEOo"))
    .build();
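Added example (not part of the original article and not Pulsar's own code): a Python sketch that decodes the super administrator token shown in section II to see which claims it carries, and performs the kind of HS256 check a verifier makes with the shared secret key. DEMO_KEY and all function names are assumptions made for this illustration; in a real deployment the key is the my-secret.key file.

```python
import base64
import hashlib
import hmac
import json
import time

# Super administrator token printed in section II of this page (sample input).
PAGE_TOKEN = "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ0ZXN0LXVzZXIifQ.9OHgE9ZUDeBTZs7nSMEFIuGNEX18FLR3qvy8mqxSxXw"
DEMO_KEY = bytes(range(32))  # constructed key for the demo, NOT the page's my-secret.key


def b64url_decode(part):
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def inspect_token(token):
    """Decode header and claims WITHOUT verifying the signature (audit use only)."""
    header_b64, payload_b64, _sig = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    claims = json.loads(b64url_decode(payload_b64))
    # "expires" is None when the token has no exp claim, i.e. it never expires.
    return {"alg": header.get("alg"), "role": claims.get("sub"), "expires": claims.get("exp")}


def sign_hs256(claims, key):
    """Build an HS256 token so the demo runs without access to a broker key."""
    header = b64url_encode(b'{"alg":"HS256"}')
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def verify_hs256(token, key, now=None):
    """Return True only if the algorithm is HS256, the MAC matches and exp has not passed."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
            return False  # pin the algorithm instead of trusting the header
        expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return False
        exp = json.loads(b64url_decode(payload_b64)).get("exp")
        return exp is None or exp > (time.time() if now is None else now)
    except (ValueError, TypeError, AttributeError):
        return False  # malformed token
```

Decoding the page's token gives alg HS256, sub test-user and no exp claim, so it remains valid for as long as the secret key is in use.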