
Configure OAuth2 authentication

You can configure Open Authorization (OAuth2) to allow users to connect to a Pulsar cluster, log in to StreamNative Console, or access the Grafana service with their Auth0, Google, Azure AD, or Okta accounts.

Configure OAuth2 authentication

To enable OAuth2 authentication, set the auth.oauth properties of the StreamNative Platform components in the values.yaml file as follows, and then apply the updated values to the deployment.

auth:
  oauth:
    enabled: true # --- [1]
    oauthIssuerUrl: 'your-issuer-url' # --- [2]
    oauthAudience: 'your-application-id' # --- [3]
    oauthSubjectClaim: 'oid' # --- [4]
    oauthScopeClaim: 'scp' # --- [5]
    oauthAuthzRoleClaim: 'roles' # --- [6]
    # The name of the role when creating the application
    oauthAuthzAdminRole: 'admin-approle' # --- [7]
    brokerClientCredential: '' # --- [8]
    brokerClientAuthenticationPlugin: org.apache.pulsar.client.impl.auth.oauth2.AuthenticationOAuth2 # --- [9]
    brokerClientAuthenticationParameters: '' # --- [10]
    authenticationProvider: 'io.streamnative.pulsar.broker.authentication.AuthenticationProviderOAuth' # --- [11]
    authorizationProvider: 'io.streamnative.pulsar.broker.authorization.AuthorizationProviderOAuth' # --- [12]
  • [1] enabled: Required. Set it to true to enable OAuth2 authentication. The default is false.
  • [2] oauthIssuerUrl: Required. The issuer URL of your OAuth2 identity provider. It is the URL from which a Pulsar client obtains an access token, and the value that the iss claim of every accepted token must carry.
  • [3] oauthAudience: Required. The audience that every token must be issued for; a token whose aud claim does not contain this value is rejected.
  • [4] oauthSubjectClaim: Required. The JWT claim whose value becomes the user name (the Pulsar role). The default is sub.
  • [5] oauthScopeClaim: Required. The JWT claim that carries the token's scopes. The default is scope (Azure AD issues scopes in scp).
  • [6] oauthAuthzRoleClaim: Required. The JWT claim that carries the roles used for authorization (for example, Azure AD app roles in roles).
  • [7] oauthAuthzAdminRole: Required. The role value in that claim that grants Pulsar superuser privileges. Any token carrying it can administer the whole cluster, so grant it sparingly.
  • [8] brokerClientCredential: Optional. The client ID and secret that the broker uses when it acts as a Pulsar client itself.
  • [9] brokerClientAuthenticationPlugin: Optional. The authentication plugin that the broker uses as a client; for OAuth2 it is org.apache.pulsar.client.impl.auth.oauth2.AuthenticationOAuth2.
  • [10] brokerClientAuthenticationParameters: Optional. The client authentication parameters set on the broker. They contain the path to the broker's key file, as mounted into the broker pod.
  • [11] authenticationProvider: Required. The authentication provider that identifies a client and assigns a role to it. The default is io.streamnative.pulsar.broker.authentication.AuthenticationProviderOAuth.
  • [12] authorizationProvider: Required. The authorization provider that decides what an authenticated role may do. The default is io.streamnative.pulsar.broker.authorization.AuthorizationProviderOAuth.

Currently, StreamNative Platform supports Auth0 and Azure AD as OAuth2 identity providers for Pulsar cluster authentication. StreamNative Console supports a different set of providers; see the last section of this page.

Configure Auth0 OAuth2 authentication

This section describes how to configure Auth0 OAuth2 authentication for StreamNative Platform.

  1. Create an Auth0 tenant and domain.

    For details, see create a tenant and domain.

  2. Register StreamNative Platform in Auth0 Dashboard.

    For details, see register regular Web applications.

  3. Set up an enterprise connection in Auth0.

    For details, see create an enterprise connection using the Dashboard.

  4. Enable Auth0 OAuth2 authentication for StreamNative Platform.

    auth:
      oauth:
        enabled: true # --- [1]
        oauthIssuerUrl: 'https://<your_domain>.au.auth0.com' # --- [2]
        oauthAudience: 'your-client-id' # --- [3]
        oauthSubjectClaim: 'oid'
        oauthScopeClaim: 'scp'
        # other configs
    
    • [1] enabled: enable Auth0 OAuth2 authentication.
    • [2] oauthIssuerUrl: the issuer URL of your Auth0 tenant, from which a Pulsar client obtains an access token. Use the exact issuer value published at https://<your_domain>.au.auth0.com/.well-known/openid-configuration; Auth0 issuers carry a trailing slash, and a value that differs from the iss claim of the issued tokens causes every token to be rejected.
    • [3] oauthAudience: the Auth0 OAuth2 client ID that StreamNative Platform requests tokens for; it must match the aud claim of the issued tokens.

Configure Azure AD OAuth2 authentication

This section describes how to configure Azure AD OAuth2 authentication for StreamNative Platform.

  1. Register StreamNative Platform in Azure Portal.

    • Use an application name that represents the cluster, such as "sn-platform".
    • Skip defining a redirect URI.
    • Note the Application (client) ID on the Overview page; it is the oauthAudience value used below.

    For details, see register an application.

  2. Add credentials.

    With credentials, your application can authenticate as itself, requiring no interaction from a user at runtime. You can add both certificates and client secrets (a string) as credentials to your application. For details, see add credentials.

  3. Expose an API.

    For details, see configure an application to expose a web API.

  4. Define an App Role for superuser administrative access to StreamNative Platform.

    For details, see App roles UI.

  5. Define the API permissions that are granted to the Pulsar cluster's service account.

    For details, see assign app roles to applications.

  6. Grant the admin consent.

    Navigate to the Enterprise application view of the Pulsar cluster. Azure will prompt you to grant the admin consent for your applications. For details, see grant admin consent in App registrations.

  7. Enable Azure AD OAuth2 authentication for StreamNative Platform.

    auth:
      oauth:
        enabled: true # --- [1]
        oauthIssuerUrl: 'https://login.microsoftonline.com/{your-tenant-id}/v2.0' # --- [2]
        oauthAudience: 'your-application-id' # --- [3]
        # other configs
    
    • [1] enabled: enable Azure AD OAuth2 authentication.
    • [2] oauthIssuerUrl: the Azure AD v2.0 issuer URL of your tenant (replace {your-tenant-id} with the Directory (tenant) ID). It is the URL from which a Pulsar client obtains access tokens and the value that the iss claim of every accepted token must carry. Keep the /v2.0 suffix: Azure AD v1.0 tokens use a different issuer and are rejected.
    • [3] oauthAudience: the Application (client) ID from step 1, which Pulsar clients request tokens for and which the broker requires in the aud claim.
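Before applying either configuration, a practitioner would confirm that the oauthIssuerUrl value matches what the provider publishes. The script below is an added example, not StreamNative or Pulsar code, that checks a configured issuer against the provider's OpenID discovery document: the issuer must match exactly (which catches the trailing slash Auth0 tenants use and a missing /v2.0 on Azure AD), a jwks_uri must be present, and the client_credentials grant must be advertised when the document lists grant types. The two discovery documents are constructed and trimmed to those fields, with a placeholder domain and tenant id; run it with a live issuer URL as its only argument to fetch the real document instead.

```python
# Added example, not StreamNative code: compare the oauthIssuerUrl you intend
# to put in values.yaml with the provider's OpenID discovery document.
import json
import sys
import urllib.request


def check_issuer(configured_issuer: str, discovery: dict) -> list:
    """Return a list of problems; an empty list means the value is usable."""
    problems = []
    # OpenID Connect Discovery requires the issuer in the document to be
    # identical to the URL it was fetched from, and standard token validation
    # compares the token's iss claim against the configured issuer, so a
    # trailing slash or the Azure AD /v2.0 suffix makes a different issuer.
    if discovery.get("issuer") != configured_issuer:
        problems.append(f"issuer mismatch: provider says {discovery.get('issuer')!r}")
    if not discovery.get("jwks_uri"):
        problems.append("no jwks_uri: the broker cannot fetch token signing keys")
    grants = discovery.get("grant_types_supported")
    if grants is not None and "client_credentials" not in grants:
        problems.append("client_credentials grant not advertised: brokerClientCredential login will fail")
    return problems


def fetch_discovery(issuer: str) -> dict:
    """Fetch <issuer>/.well-known/openid-configuration (network; used by main only)."""
    url = issuer.rstrip("/") + "/.well-known/openid-configuration"
    with urllib.request.urlopen(url, timeout=10) as resp:
        return json.load(resp)


# Constructed discovery documents, trimmed to the fields checked above;
# the domain and tenant id are placeholders, not real values.
AUTH0_DISCOVERY = {
    "issuer": "https://your-domain.au.auth0.com/",
    "jwks_uri": "https://your-domain.au.auth0.com/.well-known/jwks.json",
    "grant_types_supported": ["authorization_code", "client_credentials", "refresh_token"],
}
AZURE_DISCOVERY = {
    "issuer": "https://login.microsoftonline.com/{tenant_id}/v2.0",
    "jwks_uri": "https://login.microsoftonline.com/{tenant_id}/discovery/v2.0/keys",
}

if __name__ == "__main__":
    if len(sys.argv) == 2:  # usage: python check_issuer.py https://<your_domain>.au.auth0.com/
        print(check_issuer(sys.argv[1], fetch_discovery(sys.argv[1])) or "ok")
    else:  # offline demo: the Auth0 value without its trailing slash is flagged
        print(check_issuer("https://your-domain.au.auth0.com", AUTH0_DISCOVERY))
```

The offline demo reports an issuer mismatch for the slash-less Auth0 value, while the same value with the trailing slash and the Azure AD v2.0 URL pass cleanly.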

Configure multiple OAuth2 identity providers

To configure multiple OAuth2 identity providers for StreamNative Platform, use the oidcIssuers option. oidcIssuers is a map keyed by issuer URL; each entry takes the same parameters as the single-issuer configuration (audience, subjectClaim, scopeClaim, authzRoleClaim, authzAdminRole) without the oauth prefix, and the iss claim of an incoming token selects which entry applies. If oidcIssuers is not set, the single-issuer settings (oauthIssuerUrl and the related oauth* parameters) are used. For details about those parameters, see configure OAuth2 authentication.

This example shows how to enable Auth0 and Azure AD OAuth2 authentication on StreamNative Platform.

auth:
  oauth:
    enabled: true
    oidcIssuers:
      'https://auth.streamnative.cloud/':
        audience: 'urn:sn:pulsar:test:test'
        subjectClaim: 'https://streamnative.io/username'
      'https://login.microsoftonline.com/{tenant_id}/v2.0':
        audience: 'app_client_id'
        authzAdminRole: 'admin-approle'
        authzRoleClaim: 'roles'
        scopeClaim: 'scp'
        subjectClaim: 'oid'
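To make the meaning of the parameters concrete for both the single-issuer reference earlier on this page and this oidcIssuers map, the following is an added example, not StreamNative or Pulsar code, that models the token checks those parameters drive: select the issuer entry by the iss claim, require the configured audience in aud, reject expired tokens and alg=none, take the Pulsar role from subjectClaim, the scopes from scopeClaim, and grant superuser only when the authzRoleClaim claim contains authzAdminRole. It assumes an HS256 shared secret in place of the provider's RS256 signing keys so that it runs offline; the three tokens are constructed, and the Azure tenant id is the page's placeholder.

```python
# Added example, not StreamNative or Pulsar code. Assumption: an HS256 shared
# secret stands in for the identity provider's RS256 key so the code runs
# offline; a real broker fetches public keys from the issuer's JWKS endpoint.
import base64
import hashlib
import hmac
import json
import time

OIDC_ISSUERS = {  # the page's oidcIssuers map, keyed by issuer URL
    "https://auth.streamnative.cloud/": {
        "audience": "urn:sn:pulsar:test:test",
        "subjectClaim": "https://streamnative.io/username",
    },
    "https://login.microsoftonline.com/{tenant_id}/v2.0": {
        "audience": "app_client_id",
        "authzAdminRole": "admin-approle",
        "authzRoleClaim": "roles",
        "scopeClaim": "scp",
        "subjectClaim": "oid",
    },
}
DEMO_SECRET = b"constructed-demo-secret"  # demo stand-in for the provider key
NOW = 1_700_000_000                       # fixed clock for the sample tokens


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, secret: bytes = DEMO_SECRET) -> str:
    """Constructed sample token (HS256); only the identity provider does this for real."""
    header = _b64url(b'{"alg":"HS256","typ":"JWT"}')
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def authenticate(token: str, issuers=OIDC_ISSUERS, secret=DEMO_SECRET, now=None) -> dict:
    """Validate the token; return the Pulsar role, superuser flag and scopes."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unsupported alg")  # rejects alg=none before anything else
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    # iss selects the issuer entry with an exact string match, so "https://x"
    # and "https://x/" are different issuers; an unknown issuer is rejected.
    cfg = issuers.get(claims.get("iss"))
    if cfg is None:
        raise ValueError("unknown issuer")
    aud = claims.get("aud")  # aud may be a string or a list of strings
    if cfg["audience"] not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("audience mismatch")
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("token expired")
    role = claims.get(cfg.get("subjectClaim", "sub"))  # subjectClaim -> Pulsar role
    if not role:
        raise ValueError("subject claim missing")
    scopes = claims.get(cfg.get("scopeClaim", "scope"), "")  # space separated or list
    scopes = scopes.split() if isinstance(scopes, str) else list(scopes)
    roles = claims.get(cfg.get("authzRoleClaim", "roles"), [])
    roles = [roles] if isinstance(roles, str) else list(roles)
    admin = cfg.get("authzAdminRole")  # superuser only if that role is present
    return {"role": role, "superuser": admin is not None and admin in roles, "scopes": scopes}


def rejection_reason(token: str, now=NOW):
    """None if the token is accepted, otherwise the reason it was rejected."""
    try:
        authenticate(token, now=now)
        return None
    except ValueError as exc:
        return str(exc)


# Constructed tokens: an Azure AD style admin, an Auth0 style user, and the
# same Auth0 claims with the trailing slash dropped from iss.
AZURE_TENANT = "https://login.microsoftonline.com/{tenant_id}/v2.0"
AZURE_ADMIN = mint_token({"iss": AZURE_TENANT, "aud": "app_client_id",
                          "oid": "3f1c1e2a-0000-4000-8000-000000000001",
                          "scp": "produce consume", "roles": ["admin-approle"],
                          "exp": NOW + 3600})
AUTH0_USER = mint_token({"iss": "https://auth.streamnative.cloud/",
                         "aud": ["urn:sn:pulsar:test:test", "https://auth.streamnative.cloud/userinfo"],
                         "https://streamnative.io/username": "alice",
                         "scope": "produce", "exp": NOW + 3600})
AUTH0_BAD_ISS = mint_token({"iss": "https://auth.streamnative.cloud",
                            "aud": "urn:sn:pulsar:test:test",
                            "https://streamnative.io/username": "alice", "exp": NOW + 3600})

if __name__ == "__main__":
    print(authenticate(AZURE_ADMIN, now=NOW))
    print(authenticate(AUTH0_USER, now=NOW))
    print("rejected:", rejection_reason(AUTH0_BAD_ISS))
```

The Azure token yields the oid value as the role with superuser set, the Auth0 token yields alice with superuser unset because that entry defines no authzAdminRole, and the third token is rejected as an unknown issuer: a wrong oauthIssuerUrl fails every client at once, which is why the issuer value deserves a check before rollout.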

Enable OAuth2 authentication for StreamNative Console

Currently, you can configure Google, Microsoft Azure AD, and Okta OAuth2 authentication for StreamNative Console. For details, see configure login methods.
