Authentication and authorization in Pulsar

在Pulsar中, 认证 Provider 负责正确地识别客户端,并将客户端与角色 Token进行关联。 如果只启用了身份验证,验证通过的角色 Token 就拥有访问集群中所有资源的权限。 Authorization is the process that determines what clients are able to do.

The role tokens with the most privileges are the superusers. The superusers can create and destroy tenants, along with having full access to all tenant resources.

当超级用户创建一个租户时,该租户就会拥有一个管理员角色。 A client with the admin role token can then create, modify and destroy namespaces, and grant and revoke permissions to other role tokens on those namespaces.

Broker 及代理设置

启用授权并分配超级用户

你可以在 broker 的(conf/broker.conf)配置文件中启用授权并分配 superusers。

  1. authorizationEnabled=true
  2. superUserRoles=my-super-user-1,my-super-user-2

conf/broker.conf 中可以查看完整的参数列表。 你也可以在 Broker 配置 中找到这些参数的默认值。

特别的是,超级用户角色可以给管理员,客户端,以及 broker 到 broker间的访问进行授权。 当你使用 跨地域复制 时,每个 broker 需要拥有能发布到集群中的所有其它主题的权限。

你也可以在代理配置文件(conf/proxy.conf)中启用代理授权。 一旦你启用代理上的授权,代理将在将请求转发给 broker 之前进行额外的授权检查。 如果 broker 上启用授权机制,当 broker 收到转发的请求时,broker 会校验该请求是否获得授权。

代理角色

By default, the broker treats the connection between a proxy and the broker as a normal user connection. broker 使用 proxy.conf 中配置的角色来对用户进行身份验证(详见 “在代理上启用 TLS 身份验证”)。 然而,当用户通过代理连接到集群时,用户很少需要身份验证。 The user expects to be able to interact with the cluster as the role for which they have authenticated with the proxy.

Pulsar uses Proxy roles to enable the authentication. Proxy roles are specified in the broker configuration file, conf/broker.conf. If a client that is authenticated with a broker is one of its proxyRoles, all requests from that client must also carry information about the role of the client that is authenticated with the proxy. This information is called the original principal. If the original principal is absent, the client is not able to access anything.

You must authorize both the proxy role and the original principal to access a resource to ensure that the resource is accessible via the proxy. Administrators can take two approaches to authorize the proxy role and the original principal.

The more secure approach is to grant access to the proxy roles each time you grant access to a resource. For example, if you have a proxy role named proxy1, when the superuser creates a tenant, you should specify proxy1 as one of the admin roles. 当一个角色被授予向/从命名空间生产/消费时,如果客户端想通过代理进行生产或消费,你应该也给 proxy1 授予相同的权限。

Another approach is to make the proxy role a superuser. 这允许代理访问所有资源。 The client still needs to authenticate with the proxy, and all requests made through the proxy have their role downgraded to the original principal of the authenticated client. However, if the proxy is compromised, a bad actor could get full access to your cluster.

你可以在 conf/broker.conf 中指定角色为代理角色。

  1. proxyRoles=my-proxy-role
  2. # if you want to allow superusers to use the proxy (see above)
  3. superUserRoles=my-super-user-1,my-super-user-2,my-proxy-role

管理租户

Pulsar 实例 管理员或某种自助门户通常会提供一个 Pulsar 租户

你可以使用 pulsar-admin 工具来管理租户。

创建新租户

以下是租户创建命令的示范:

  1. $ bin/pulsar-admin tenants create my-tenant \
  2. --admin-roles my-admin-role \
  3. --allowed-clusters us-west,us-east

此命令会创建一个新租户 my-tenant,并允许它使用 us-westus-east 集群。

成功自识别为拥有 my-admin-role 角色的客户端可以在这个租户上执行所有的管理型任务。

The structure of topic names in Pulsar reflects the hierarchy between tenants, clusters, and namespaces:

  1. persistent://tenant/namespace/topic

管理权限

You can use Pulsar Admin Tools for managing permission in Pulsar.

Pulsar 管理员认证

  1. PulsarAdmin admin = PulsarAdmin.builder()
  2. .serviceHttpUrl("http://broker:8080")
  3. .authentication("com.org.MyAuthPluginClass", "param1:value1")
  4. .build();

To use TLS:

  1. PulsarAdmin admin = PulsarAdmin.builder()
  2. .serviceHttpUrl("https://broker:8080")
  3. .authentication("com.org.MyAuthPluginClass", "param1:value1")
  4. .tlsTrustCertsFilePath("/path/to/trust/cert")
  5. .build();