1. Manage Accounts and Access
  2. Authenticate
  3. Use OAuth

Access Cloud Clusters using OAuth 2.0

Use the following information to configure your applications to use the OAuth2 authentication mechanism for connecting to StreamNative Cloud clusters.

Prerequisites

Service URLs

In order to connect to a StreamNative Cloud cluster, you need to get its service URLs.

You can get a cluster's service URLs by following the steps below:

  1. On the left navigation pane, in the Admin section, click Pulsar Clusters.

  2. Navigate to the Details tab, and in the Access Points section, you can find all the available service URLs of this cluster. Click Copy at the end of the row of the service URL to copy the URL.

  • HTTP Service URL (TLS): The URL of Pulsar Admin HTTP service.
  • Broker Service URL (TLS): The URL of Pulsar broker service.
  • Kafka Service URL (TCP): The URL of Kafka service.
  • Kafka Schema Registry URL (HTTPS): The URL of Kafka schema registry service.

Credentials File

Before configuring your clients to use the OAuth 2.0 for connecting to the StreamNative Cloud clusters, you need to download a credential file for the service account you used for your clients. You can do this using the StreamNative Cloud Console, following the steps below.

  1. One the left navigation pane, click Service Accounts.

  2. In the row of the service account you want to use, click ....

  3. In the dropdown menu, click Download OAuth2 Key to download the OAuth2 credential file to your local directory.

The downloaded credentials file contains the service account credentials used for client authentication. The following is an example of the credentials file for a service account sa of organization my_org. Both client_id and client_secret are required while the other fields are optional. Since the credentials file contains client_secret, please make sure the credentials file is stored in a safe place.

{
  "type":"sn_service_account",
  "client_id":"PZWBM2tMCVDFQ1lQInIaYgG4k1OSqwIO",
  "client_secret":"EZr...Kgv",
  "client_email":"sa@my_org.auth.streamnative.cloud",
  "issuer_url":"https://auth.streamnative.cloud"
}

Configure Pulsar Applications

Once you have the credentials file, you can follow the steps below to configure your Pulsar applications to use OAuth2 authentication.

First of all, since Pulsar clients support different authentication plugins, you need to configure the Pulsar clients to use OAuth2 authentication plugin. For example, you can configure the Pulsar Java clients to use org.apache.pulsar.client.impl.auth.oauth2.AuthenticationOAuth2.

Secondly, you need to prepare the authentication parameters for OAuth2 authentication. The following table outlines the parameters required for configuring OAuth2 authentication.

ParameterDescriptionExampleRequired or not
typeOAuth 2.0 authentication type. Currently, Pulsar clients only support the client_credentials authentication type.client_credentials (default)Optional
issuerUrlThe URL of the authentication provider which allows the Pulsar client to obtain an access token. Currently, StreamNative Cloud only support Auth0 as the identity provider. So the value here should be https://auth.streamnative.cloud.https://auth.streamnative.cloudRequired
credentialsUrlThe URL to the JSON credentials file. It supports the following pattern formats: <br /> <li> file:///path/to/file </li><li> data:application/json;base64,<base64-encoded value> </li>file:///path/to/my_service_account_key.jsonRequired
audienceThe OAuth 2.0 resource server identifier for a Pulsar cluster. In StreamNative Cloud, a Pulsar cluster is identified by a Uniform Resource Name (URN), which is in the following format urn:sn:pulsar:${your_orgnization_id}:${instance_name}.urn:sn:pulsar:my_org:my_instanceRequired

Configure Pulsar Clients

This section describes how to configure Pulsar clients to connect to a StreamNative Cloud cluster urn:sn:pulsar:my_org:my_instance using OAuth2.

import org.apache.pulsar.client.impl.auth.oauth2.AuthenticationFactoryOAuth2;

URL issuerUrl = new URL("https://auth.streamnative.cloud");
URL credentialsUrl = new URL("file:///path/to/credentials.json");
String audience = "urn:sn:pulsar:my_org:my_instance";

PulsarClient client = PulsarClient.builder()
    .serviceUrl("<PULSAR_BROKER_URL>")
    .authentication(
        AuthenticationFactoryOAuth2.clientCredentials(issuerUrl, credentialsUrl, audience))
    .build();

In the example above:

  • Replace <PULSAR_ADMIN_URL> and/or <PULSAR_BROKER_URL> with the right admin and/or broker URL of your Pulsar cluster. You can get the service URLs in the Cluster Details page of the StreamNative Cloud Console.

  • Replace urn:sn:pulsar:my_org:my_instance with the right URN of your Pulsar cluster.

  • Replace file:///path/to/credentials.json with the right file path of your downloaded credentials file from the StreamNative Cloud Console.

You can find detailed examples in Build Applications with Pulsar.

Configure Pulsar Command-line tools

This section describes how to use Pulsar command-line tools to connect to a StreamNative Cloud cluster urn:sn:pulsar:my_org:my_instance using OAuth2.

bin/pulsar-admin \
    --admin-url <PULSAR_ADMIN_URL> \
    --auth-plugin org.apache.pulsar.client.impl.auth.oauth2.AuthenticationOAuth2 \
    --auth-params '{"privateKey":"file:///path/to/credentials.json", \
        "issuerUrl":"https://auth.streamnative.cloud", \
        "audience":"urn:sn:pulsar:my_org:my_instance"}' \
    tenants list

In the example above:

  • Replace <PULSAR_ADMIN_URL> and/or <PULSAR_BROKER_URL> with the right admin and/or broker URL of your Pulsar cluster. You can get the service URLs in the Cluster Details page of the StreamNative Cloud Console.

  • Replace urn:sn:pulsar:my_org:my_instance with the right URN of your Pulsar cluster.

  • Replace file:///path/to/credentials.json with the right file path of your downloaded credentials file from the StreamNative Cloud Console.

Previous
Overview