TLS Authentication Overview

TLS authentication is an extension of TLS transport encryption: instead of only servers having keys and certs which the client uses to verify the server's identity, clients also have keys and certs which the server uses to verify the client's identity. You must have TLS transport encryption configured on your cluster before you can use TLS authentication. This guide assumes you already have TLS transport encryption configured.

Creating client certificates

Client certificates are generated using the same certificate authority as was used to generate the server certificates.

The biggest difference between client certs and server certs is that the common name for the client certificate is the role token which that client will be authenticated as.

First generate the key.

    $ openssl genrsa -out admin.key.pem 2048

Similar to the broker, the client expects the key to be in PKCS 8 format, so convert it.

    $ openssl pkcs8 -topk8 -inform PEM -outform PEM \
        -in admin.key.pem -out admin.key-pk8.pem -nocrypt

Generate the certificate request. When asked for a common name, enter the role token which you want this key pair to authenticate a client as.

    $ openssl req -config openssl.cnf \
        -key admin.key.pem -new -sha256 -out admin.csr.pem

Sign the request with the certificate authority. Note that client certs use the usr_cert extension, which allows the cert to be used for client authentication.

    $ openssl ca -config openssl.cnf -extensions usr_cert \
        -days 1000 -notext -md sha256 \
        -in admin.csr.pem -out admin.cert.pem

This will give you a cert, admin.cert.pem, and a key, admin.key-pk8.pem, which, with ca.cert.pem, can be used by clients to authenticate themselves to brokers and proxies as the role token admin.
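The four steps above end to end, as an added example that is not part of the Pulsar docs or tooling: it builds a throwaway CA with a minimal openssl.cnf (the CA layout, the "Test CA" name and the scratch directory are constructed here), issues a client cert whose CN is the role token, and then checks what the broker will actually see: the CN, a clientAuth extended key usage, a PKCS#8 key that matches the cert, and a chain that verifies against ca.cert.pem.

```shell
# Added example (not Pulsar's own tooling): throwaway CA + client cert for role "admin",
# followed by the checks worth running before handing the files to a client.
set -eu; DIR=$(mktemp -d); ROLE=admin   # constructed scratch dir and the role token (CN)

make_ca() {   # minimal layout that `openssl ca` needs; usr_cert carries clientAuth
  mkdir -p "$1/newcerts"; : > "$1/index.txt"; echo 1000 > "$1/serial"
  cat > "$1/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $1
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
private_key = \$dir/ca.key.pem
certificate = \$dir/ca.cert.pem
default_md = sha256
policy = policy_any
[ policy_any ]
commonName = supplied
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical, CA:TRUE
[ usr_cert ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 -subj "/CN=Test CA" \
    -config "$1/openssl.cnf" -keyout "$1/ca.key.pem" -out "$1/ca.cert.pem" 2>/dev/null
}
make_client_cert() {   # $1 = CA dir, $2 = role token; the same four steps as the guide
  openssl genrsa -out "$1/$2.key.pem" 2048 2>/dev/null
  openssl pkcs8 -topk8 -inform PEM -outform PEM -in "$1/$2.key.pem" -out "$1/$2.key-pk8.pem" -nocrypt
  openssl req -config "$1/openssl.cnf" -key "$1/$2.key.pem" -new -sha256 -subj "/CN=$2" -out "$1/$2.csr.pem"
  openssl ca -config "$1/openssl.cnf" -extensions usr_cert -days 1000 -notext -md sha256 \
    -batch -in "$1/$2.csr.pem" -out "$1/$2.cert.pem" 2>/dev/null
}
# Checks on the issued cert: the CN is the string the broker maps to a role.
cert_role() { openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p'; }
cert_has_client_auth() { openssl x509 -in "$1" -noout -text | grep -q 'TLS Web Client Authentication'; }
cert_matches_key() { [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]; }
cert_chains_to_ca() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

make_ca "$DIR"; make_client_cert "$DIR" "$ROLE"
echo "role token in cert: $(cert_role "$DIR/$ROLE.cert.pem")"
cert_has_client_auth "$DIR/$ROLE.cert.pem" && cert_matches_key "$DIR/$ROLE.cert.pem" "$DIR/$ROLE.key-pk8.pem" \
  && cert_chains_to_ca "$DIR/ca.cert.pem" "$DIR/$ROLE.cert.pem" && echo "client cert is ready for role $ROLE"
```

Point the functions at your real ca.cert.pem and admin.cert.pem instead of the scratch CA to check a cert you issued with the steps above.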

Enabling TLS Authentication

… on Brokers

To configure brokers to authenticate clients, put the following in broker.conf, alongside the configuration to enable TLS transport:

    # Configuration to enable authentication
    authenticationEnabled=true
    authenticationProviders=org.apache.pulsar.broker.authentication.AuthenticationProviderTls

    # Roles allowed to perform all admin operations and publish/consume from all topics
    superUserRoles=admin

    # Authentication settings of the broker itself. Used when the broker connects to other brokers, either in same or other clusters
    brokerClientTlsEnabled=true
    brokerClientAuthenticationPlugin=org.apache.pulsar.client.impl.auth.AuthenticationTls
    brokerClientAuthenticationParameters=tlsCertFile:/path/my-ca/admin.cert.pem,tlsKeyFile:/path/my-ca/admin.key-pk8.pem
    brokerClientTrustCertsFilePath=/path/my-ca/certs/ca.cert.pem

… on Proxies

To configure proxies to authenticate clients, put the following in proxy.conf, alongside the configuration to enable TLS transport:

The proxy should have its own client key pair. The role token for this key pair should be configured in the proxyRoles of the brokers. See the authentication guide for details.

    # For clients connecting to the proxy
    authenticationEnabled=true
    authenticationProviders=org.apache.pulsar.broker.authentication.AuthenticationProviderTls

    # For the proxy to connect to brokers
    brokerClientAuthenticationPlugin=org.apache.pulsar.client.impl.auth.AuthenticationTls
    brokerClientAuthenticationParameters=tlsCertFile:/path/to/proxy.cert.pem,tlsKeyFile:/path/to/proxy.key-pk8.pem

Client configuration

When using TLS authentication, the client needs to connect via TLS transport, so you need to configure the client to use https:// and port 8443 for the web service URL, and pulsar+ssl:// and port 6651 for the broker service URL.

CLI tools

The command-line tools pulsar-admin, pulsar-perf and pulsar-client use the conf/client.conf configuration file in the Pulsar installation.

You'll need to add the following parameters to that file to use TLS authentication with Pulsar's CLI tools:

    webServiceUrl=https://broker.example.com:8443/
    brokerServiceUrl=pulsar+ssl://broker.example.com:6651/
    useTls=true
    tlsAllowInsecureConnection=false
    tlsTrustCertsFilePath=/path/to/ca.cert.pem
    authPlugin=org.apache.pulsar.client.impl.auth.AuthenticationTls
    authParams=tlsCertFile:/path/to/my-role.cert.pem,tlsKeyFile:/path/to/my-role.key-pk8.pem

Java client

    import org.apache.pulsar.client.api.PulsarClient;

    PulsarClient client = PulsarClient.builder()
        .serviceUrl("pulsar+ssl://broker.example.com:6651/")
        .enableTls(true)
        .tlsTrustCertsFilePath("/path/to/ca.cert.pem")
        .authentication("org.apache.pulsar.client.impl.auth.AuthenticationTls",
                        "tlsCertFile:/path/to/my-role.cert.pem,tlsKeyFile:/path/to/my-role.key-pk8.pem")
        .build();

Python client

    from pulsar import Client, AuthenticationTLS

    auth = AuthenticationTLS("/path/to/my-role.cert.pem", "/path/to/my-role.key-pk8.pem")
    client = Client("pulsar+ssl://broker.example.com:6651/",
                    tls_trust_certs_file_path="/path/to/ca.cert.pem",
                    tls_allow_insecure_connection=False,
                    authentication=auth)

C++ client

    #include <pulsar/Client.h>

    pulsar::ClientConfiguration config;
    config.setUseTls(true);
    config.setTlsTrustCertsFilePath("/path/to/ca.cert.pem");
    config.setTlsAllowInsecureConnection(false);
    pulsar::AuthenticationPtr auth = pulsar::AuthTls::create("/path/to/my-role.cert.pem",
                                                             "/path/to/my-role.key-pk8.pem");
    config.setAuth(auth);
    pulsar::Client client("pulsar+ssl://broker.example.com:6651/", config);