Token Authentication Overview

Pulsar supports authenticating clients using security tokens that are based on JSON Web Tokens (RFC-7519).

Tokens are used to identify a Pulsar client and associate with some “principal” (or “role”) which will be then granted permissions to do some actions (eg: publish or consume from a topic).

A user will typically be given a token string by an administrator (or some automated service).

The compact representation of a signed JWT is a string that looks like:

  1.  eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJKb2UifQ.ipevRNuRP6HflG8cFKnmUPtypruRC4fb1DWtoLL62SY
  2.  ```
  4. Application will specify the token when creating the client instance. An alternative is to pass
  5. a "token supplier", that is to say a function that returns the token when the client library
  6. will need one.
  8. See [Token authentication admin](security-token-admin.md) for a reference on how to enable token
  9. authentication on a Pulsar cluster.
  11. ### CLI tools
  13. [Command-line tools](reference-cli-tools.md) like [`pulsar-admin`](reference-pulsar-admin.md), [`pulsar-perf`](reference-cli-tools.md#pulsar-perf), and [`pulsar-client`](reference-cli-tools.md#pulsar-client) use the `conf/client.conf` config file in a Pulsar installation.
  15. You'll need to add the following parameters to that file to use the token authentication with
  16. Pulsar's CLI tools:
  18. ```properties
  19. webServiceUrl=http://broker.example.com:8080/
  20. brokerServiceUrl=pulsar://broker.example.com:6650/
  21. authPlugin=org.apache.pulsar.client.impl.auth.AuthenticationToken
  22. authParams=token:eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJKb2UifQ.ipevRNuRP6HflG8cFKnmUPtypruRC4fb1DWtoLL62SY

The token string can also be read from a file, eg:

  1. authParams=file:///path/to/token/file

Java 客户端

  1. PulsarClient client = PulsarClient.builder()
  2.     .serviceUrl("pulsar://broker.example.com:6650/")
  3.     .authentication(
  4.         AuthenticationFactory.token("eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJKb2UifQ.ipevRNuRP6HflG8cFKnmUPtypruRC4fb1DWtoLL62SY")
  5.     .build();

Similarly, one can also pass a Supplier:

  1. PulsarClient client = PulsarClient.builder()
  2.     .serviceUrl("pulsar://broker.example.com:6650/")
  3.     .authentication(
  4.         AuthenticationFactory.token(() -> {
  5.             // Read token from custom source
  6.             return readToken();
  7.         })
  8.     .build();

Python client

  1. from pulsar import Client, AuthenticationToken
  3. client = Client('pulsar://broker.example.com:6650/'
  4.                 authentication=AuthenticationToken('eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJKb2UifQ.ipevRNuRP6HflG8cFKnmUPtypruRC4fb1DWtoLL62SY'))

Alternatively, with a supplier:

  1. <br />def read_token():
  2.     with open('/path/to/token.txt') as tf:
  3.         return tf.read().strip()
  5. client = Client('pulsar://broker.example.com:6650/'
  6.                 authentication=AuthenticationToken(read_token))

Go client

  1. client, err := NewClient(ClientOptions{
  2.     URL:            "pulsar://localhost:6650",
  3.     Authentication: NewAuthenticationToken("eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJKb2UifQ.ipevRNuRP6HflG8cFKnmUPtypruRC4fb1DWtoLL62SY"),
  4. })

Alternatively, with a supplier:

  1. client, err := NewClient(ClientOptions{
  2.     URL:            "pulsar://localhost:6650",
  3.     Authentication: NewAuthenticationTokenSupplier(func () string {
  4.         // Read token from custom source
  5.         return readToken()
  6.     }),
  7. })

C++ client

  1. #include <pulsar/Client.h>
  3. pulsar::ClientConfiguration config;
  4. config.setAuth(pulsar::AuthToken::createWithToken("eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJKb2UifQ.ipevRNuRP6HflG8cFKnmUPtypruRC4fb1DWtoLL62SY"));
  6. pulsar::Client client("pulsar://broker.example.com:6650/", config);