Pulsar Access Control: Token Mode
References
- https://pulsar.apache.org/docs/zh-CN/security-token-admin/
- https://pulsar.apache.org/docs/zh-CN/security-token-client/
Token mode
Authentication based on JSON Web Tokens (RFC 7519). The broker verifies the token's signature and expiry and uses its subject as the client's role for authorization.
Specification documents:
https://jwt.io/introduction/
https://tools.ietf.org/pdf/rfc7519.pdf
- Secret-key (symmetric) approach
  Generate the secret key:
  bin/pulsar tokens create-secret-key --output /path/to/my-secret.key --base64
  Create a token (the subject becomes the role, the expiry is enforced by the broker):
  bin/pulsar tokens create --secret-key file:///path/to/my-secret.key --subject test-user --expiry-time 1y
  Grant permissions to that role:
  bin/pulsar-admin namespaces grant-permission my-tenant/my-namespace --role test-user --actions produce,consume
  Broker configuration changes (broker.conf):
  authenticationEnabled=true
  authorizationEnabled=true
  authenticationProviders=org.apache.pulsar.broker.authentication.AuthenticationProviderToken
  tokenSecretKey=file:///path/to/my-secret.key
  # roles allowed to perform all admin operations and publish/consume from all topics
  superUserRoles=admin
  brokerClientAuthenticationPlugin=org.apache.pulsar.client.impl.auth.AuthenticationToken
  brokerClientAuthenticationParameters=token:<account token>
- Public/private key (asymmetric) approach
  Generate the key pair:
  bin/pulsar tokens create-key-pair --output-private-key /path/to/my-private.key --output-public-key /path/to/my-public.key
  Private key: stored separately and securely; used only to mint tokens.
  Public key: deployed to every broker node; used only to verify tokens.
  Create a token:
  bin/pulsar tokens create --private-key file:///path/to/my-private.key --subject test-user --expiry-time 1y
  Grant permissions to that role:
  bin/pulsar-admin namespaces grant-permission my-tenant/my-namespace --role test-user --actions produce,consume
  Broker configuration changes (broker.conf):
  authenticationEnabled=true
  authorizationEnabled=true
  authenticationProviders=org.apache.pulsar.broker.authentication.AuthenticationProviderToken
  tokenPublicKey=file:///path/to/my-public.key
  # roles allowed to perform all admin operations and publish/consume from all topics
  superUserRoles=admin
  brokerClientAuthenticationPlugin=org.apache.pulsar.client.impl.auth.AuthenticationToken
  brokerClientAuthenticationParameters=token:<account token>
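Both key approaches above mint the same JWT shape, and the broker performs the same checks on it before using the subject as a role. The following Python is an added example, not Pulsar's own code: it reproduces the secret-key (HS256) variant end to end, i.e. what `tokens create-secret-key --base64` and `tokens create --subject ... --expiry-time ...` produce (the `sub` claim carries the role, `exp` the expiry) and the validation a broker configured with `tokenSecretKey` must perform (pinned algorithm, signature, expiry). Function names and the key and tokens it constructs are assumptions of this example.

```python
import base64
import hashlib
import hmac
import json
import os
import time
from typing import Optional


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def create_secret_key() -> str:
    # Like `tokens create-secret-key --base64`: 32 random bytes, base64-encoded (HS256 key).
    return base64.b64encode(os.urandom(32)).decode()


def create_token(secret_b64: str, subject: str, expiry_seconds: Optional[int],
                 now: Optional[int] = None) -> str:
    # Like `tokens create --secret-key ... --subject ... --expiry-time ...`:
    # the role is the `sub` claim, the expiry the `exp` claim (seconds since epoch).
    now = int(time.time()) if now is None else now
    claims = {"sub": subject}
    if expiry_seconds is not None:
        claims["exp"] = now + expiry_seconds
    enc = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f'{enc({"alg": "HS256", "typ": "JWT"})}.{enc(claims)}'
    sig = hmac.new(base64.b64decode(secret_b64), signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def validate_token(secret_b64: str, token: str, now: Optional[int] = None) -> Optional[str]:
    # Broker-side check: returns the role (`sub`) only for a well-formed, correctly signed,
    # unexpired HS256 token; anything else yields None and must not be authorized.
    now = int(time.time()) if now is None else now
    try:
        h, p, s = token.split(".")
        header, claims, sig = json.loads(_b64url_decode(h)), json.loads(_b64url_decode(p)), _b64url_decode(s)
    except ValueError:
        return None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return None
    if header.get("alg") != "HS256":  # never let the token choose the algorithm
        return None
    expected = hmac.new(base64.b64decode(secret_b64), f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    exp = claims.get("exp")
    if exp is not None and (not isinstance(exp, (int, float)) or now >= exp):
        return None
    return claims.get("sub")
```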
- Client samples
  - Java (the string passed to `token(...)` is a token minted with `bin/pulsar tokens create`):
  import org.apache.pulsar.client.api.AuthenticationFactory;
  import org.apache.pulsar.client.api.PulsarClient;

  PulsarClient client = PulsarClient.builder()
      .serviceUrl("pulsar://broker.example.com:6650/")
      .authentication(AuthenticationFactory.token("token"))
      .build();
  - C++
  #include <pulsar/Client.h>

  pulsar::ClientConfiguration config;
  // "token" is a token minted with `bin/pulsar tokens create`
  config.setAuth(pulsar::AuthToken::createWithToken("token"));
  pulsar::Client client("pulsar://broker.example.com:6650/", config);
- Usage examples with Pulsar's bundled tools
  Grant permission (authenticated with a super-user token):
  bin/pulsar-admin --auth-plugin org.apache.pulsar.client.impl.auth.AuthenticationToken --auth-params token:[admin account token] namespaces grant-permission public/default --role test-user --actions produce
  Produce:
  bin/pulsar-perf produce persistent://public/default/test_my_topic -u pulsar://broker.example.com:6650 -s 1024 -time 120 -r 1000 -n 1 -b 0 --auth_plugin org.apache.pulsar.client.impl.auth.AuthenticationToken --auth-params token:[account token]
  Consume:
  bin/pulsar-perf consume persistent://public/default/test_my_topic -u pulsar://broker.example.com:6650 -s consumer_test_2019 --auth_plugin org.apache.pulsar.client.impl.auth.AuthenticationToken --auth-params token:[account token]