You can configure JSON Web Token (JWT) authentication to a Pulsar cluster.

Before you begin

  • Install the following tools.

Create JWT secret key and tokens

We can use the pulsarctl to create the secret key and issue jwt tokens.

  • Create a secret key

    pulsarctl token create-secret-key -a HS256 --output-file my-secret.key

  • Issue the tokens for broker-admin and proxy-admin subjects.

    pulsarctl token create -a HS256 --secret-key-file my-secret.key --subject broker-admin
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJicm9rZXItYWRtaW4ifQ.mWjzMVR9wr9QoZxroU1iumqFFFRzCrLn_RqG5W8wLjs

    pulsarctl token create -a HS256 --secret-key-file my-secret.key --subject proxy-admin
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJwcm94eS1hZG1pbiJ9.B5LhZ7kNrEGgQeW2Ps8_X0no7zCMo8YG5JvDZydbzHA

  • Issue the tokens for client subject

    pulsarctl token create -a HS256 --secret-key-file my-secret.key --subject client
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJjbGllbnQifQ.ROj5lrJIbaNVFDk7YVEQ6IRr8SrvFnZFCrfITYFbKCk

Create Kubernetes Secrets for secret key and tokens

  • Create the secret key Secret

    kubectl create secret generic secret-key --from-file=my-secret.key -n pulsar

  • Create the broker-admin token Secret

    kubectl create secret generic broker-admin --from-literal=token={"token":"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJicm9rZXItYWRtaW4ifQ.mWjzMVR9wr9QoZxroU1iumqFFFRzCrLn_RqG5W8wLjs"} -n pulsar

  • Create the proxy-admin token Secret

    kubectl create secret generic proxy-admin --from-literal=token={"token":"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJwcm94eS1hZG1pbiJ9.B5LhZ7kNrEGgQeW2Ps8_X0no7zCMo8YG5JvDZydbzHA"} -n pulsar

Enable JWT authentication for Pulsar cluster

To enable JWT authentication on the Pulsar cluster, we need to add configurations on PulsarBroker ojbect:

spec:
  custom:
    authenticationEnabled: 'true'
    authenticateOriginalAuthData: 'true'
    authenticationProviders: 'org.apache.pulsar.broker.authentication.AuthenticationProviderToken'
    brokerClientAuthenticationPlugin: 'org.apache.pulsar.client.impl.auth.AuthenticationToken'
    superUserRoles: 'broker-admin, proxy-admin'
    proxyRoles: 'proxy-admin'
    authorizationEnabled: 'true'
    authorizationProvider: 'org.apache.pulsar.broker.authorization.PulsarAuthorizationProvider'
  secretRefs:
    - mountPath: /mnt/secrets
      secretName: secret-key
  pod:
    vars:
      - name: brokerClientAuthenticationParameters
        valueFrom:
          secretKeyRef:
            name: broker-admin
            key: token
      - name: tokenSecretKey
        value: 'file:///mnt/secrets/my-secret.key'
  • [1] custom: add Pulsar configurations for authentication and authorization.
  • [2] secretRefs: mount the Secret resources.
  • [3] pod.vars: use environment variables to render Pulsar configurations

On the PulsarProxy ojbect, we need to add configurations:

spec:
  config:
    custom:
      authenticationEnabled: 'true'
      authenticateOriginalAuthData: 'true'
      forwardAuthorizationCredentials: 'true'
      authenticationProviders: 'org.apache.pulsar.broker.authentication.AuthenticationProviderToken'
      brokerClientAuthenticationPlugin: 'org.apache.pulsar.client.impl.auth.AuthenticationToken'
      superUserRoles: 'proxy-admin'
  secretRefs:
    - mountPath: /mnt/secrets
      secretName: secret-key
  pod:
    vars:
      - name: brokerClientAuthenticationParameters
        valueFrom:
          secretKeyRef:
            name: proxy-admin
            key: token
      - name: tokenSecretKey
        value: 'file:///mnt/secrets/my-secret.key'

Clients connect to Pulsar with JWT token

  • Create authorization for the client subject with broker-admin token

    pulsarctl --admin-service-url http://<Your PulsarProxy Endpoint>:8080 --token "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJicm9rZXItYWRtaW4ifQ.mWjzMVR9wr9QoZxroU1iumqFFFRzCrLn_RqG5W8wLjs" namespaces grant-permission --role client --actions produce --actions consume public/default

Grant permissions [produce consume] to the client role client to access the namespace public/default successfully

  • Produce messages with client token

    bin/pulsar-client --url pulsar://<Your PulsarProxy Endpoint>:6650 --auth-plugin org.apache.pulsar.client.impl.auth.AuthenticationToken --auth-params token:eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJjbGllbnQifQ.ROj5lrJIbaNVFDk7YVEQ6IRr8SrvFnZFCrfITYFbKCk produce public/default/test -m "test" -n 100