Authentication using TLS
TLS 身份验证概述
TLS 身份验证是 TLS 传输加密 的扩展。 不仅服务器有客户端用于验证服务器身份的密钥和证书, 客户端还有服务器用于验证客户端身份的密钥和证书。 You must have TLS transport encryption configured on your cluster before you can use TLS authentication. This guide assumes you already have TLS transport encryption configured.
Pulsar 使用了Bouncy Castle Provider
提供的 TLS 相关的密码套件和算法。 如果你需要 FIPS 版本的 Bouncy Castle Provider
,请参考 Bouncy Castle 页面。
创建客户证书
Client certificates are generated using the certificate authority. Server certificates are also generated with the same certificate authority.
The biggest difference between client certs and server certs is that the common name for the client certificate is the role token which that client is authenticated as.
要使用客户端证书,需要在 broker 设置 tlsRequireTrustedClientCertOnConnect=true
。 了解详情,请参阅 TLS broker 配置。
首先,你需要输入文件夹命令才能生成密钥:
$ openssl genrsa -out admin.key.pem 2048
与 broker 类似,客户端希望使用 PKCS 8 格式的秘钥。 所以需要通过输入下列命令来转换它。
$ openssl pkcs8 -topk8 -inform PEM -outform PEM \
-in admin.key.pem -out admin.key-pk8.pem -nocrypt
接下来,输入下面的命令来生成证书请求。 When you are asked for a common name, enter the role token that you want this key pair to authenticate a client as.
$ openssl req -config openssl.cnf \
-key admin.key.pem -new -sha256 -out admin.csr.pem
注意 如果未指定 openssl.cnf ,请读取 证书颁发机构 获取openssl.cnf。
然后输入下面的命令来与证书权威签约。 Note that the client certs uses the usr_cert extension, which allows the cert to be used for client authentication.
$ openssl ca -config openssl.cnf -extensions usr_cert \
-days 1000 -notext -md sha256 \
-in admin.csr.pem -out admin.cert.pem
你可以从此命令获得证书、 admin.cert.pem
和一个密钥。 admin.key-pk8.pem
使用 ca.cert. em
, 客户可以使用此证书和此密钥向 broker 和 proxy 进行身份验证,作为 管理员
Note If the “unable to load CA private key” error occurs and the reason of this error is “No such file or directory: /etc/pki/CA/private/cakey.pem” in this step. Try the command below:
$ cd /etc/pki/tls/misc/CA
$ ./CA -newca
生成
cakey.pem
。
在 broker 上启用 TLS 认证
要配置 broker 来验证客户端,请在 broker.conf
中添加以下参数,和 配置一起启用tls transport:
# Configuration to enable authentication
authenticationEnabled=true
authenticationProviders=org.apache.pulsar.broker.authentication.AuthenticationProviderTls
# operations and publish/consume from all topics
superUserRoles=admin
# Authentication settings of the broker itself. Used when the broker connects to other brokers, either in same or other clusters
brokerClientTlsEnabled=true
brokerClientAuthenticationPlugin=org.apache.pulsar.client.impl.auth.AuthenticationTls
brokerClientAuthenticationParameters={"tlsCertFile":"/path/my-ca/admin.cert.pem","tlsKeyFile":"/path/my-ca/admin.key-pk8.pem"}
brokerClientTrustCertsFilePath=/path/my-ca/certs/ca.cert.pem
在 proxy 上启用 TLS 身份验证
要配置 proxy 服务器来验证客户端,请在 代理.conf
的配置中加上 来启用tls transport:
代理服务器应该有自己的客户端密钥对。 你需要在 broker 的 代理角色
中配置此密钥对的角色标记。 详情请访问 认证指南。
# For clients connecting to the proxy
authenticationEnabled=true
authenticationProviders=org.apache.pulsar.broker.authentication.AuthenticationProviderTls
# For the proxy to connect to brokers
brokerClientAuthenticationPlugin=org.apache.pulsar.client.impl.auth.AuthenticationTls
brokerClientAuthenticationParameters=tlsCertFile:/path/to/proxy.cert.pem,tlsKeyFile:/path/to/proxy.key-pk8.pem
客户端配置
When you use TLS authentication, client connects via TLS transport. You need to configure the client to use https://
and 8443 port for the web service URL, pulsar+ssl://
and 6651 port for the broker service URL.
命令行工具
命令行工具 pulsar-admin, pulsar-perf pulsar-client 使用 conf/client. onf
配置文件在 Pulsar 安装中。
你需要添加以下参数到该文件以使用 Pulsar 的 CLI 工具使用 TLS 身份验证:
webServiceUrl=https://broker.example.com:8443/
brokerServiceUrl=pulsar+ssl://broker.example.com:6651/
useTls=true
tlsAllowInsecureConnection=false
tlsTrustCertsFilePath=/path/to/ca.cert.pem
authPlugin=org.apache.pulsar.client.impl.auth.AuthenticationTls
authParams=tlsCertFile:/path/to/my-role.cert.pem,tlsKeyFile:/path/to/my-role.key-pk8.pem
Java 客户端
import org.apache.pulsar.client.api.PulsarClient;
PulsarClient client = PulsarClient.builder()
.serviceUrl("pulsar+ssl://broker.example.com:6651/")
.enableTls(true)
.tlsTrustCertsFilePath("/path/to/ca.cert.pem")
.authentication("org.apache.pulsar.client.impl.auth.AuthenticationTls",
"tlsCertFile:/path/to/my-role.cert.pem,tlsKeyFile:/path/to/my-role.key-pk8.pem")
.build();
Python client
from pulsar import Client, AuthenticationTLS
auth = AuthenticationTLS("/path/to/my-role.cert.pem", "/path/to/my-role.key-pk8.pem")
client = Client("pulsar+ssl://broker.example.com:6651/",
tls_trust_certs_file_path="/path/to/ca.cert.pem",
tls_allow_insecure_connection=False,
authentication=auth)
C++ client
#include <pulsar/Client.h>
pulsar::ClientConfiguration config;
config.setUseTls(true);
config.setTlsTrustCertsFilePath("/path/to/ca.cert.pem");
config.setTlsAllowInsecureConnection(false);
pulsar::AuthenticationPtr auth = pulsar::AuthTls::create("/path/to/my-role.cert.pem",
"/path/to/my-role.key-pk8.pem")
config.setAuth(auth);
pulsar::Client client("pulsar+ssl://broker.example.com:6651/", config);
Node.js 客户端
const Pulsar = require('pulsar-client');
(async () => {
const auth = new Pulsar.AuthenticationTls({
certificatePath: '/path/to/my-role.cert.pem',
privateKeyPath: '/path/to/my-role.key-pk8.pem',
});
const client = new Pulsar.Client({
serviceUrl: 'pulsar+ssl://broker.example.com:6651/',
authentication: auth,
tlsTrustCertsFilePath: '/path/to/ca.cert.pem',
});
})();
C# 客户端
var clientCertificate = new X509Certificate2("admin.pfx");
var client = PulsarClient.Builder()
.AuthenticateUsingClientCertificate(clientCertificate)
.Build();