You can configure JSON Web Token (JWT) authentication to a Pulsar cluster.
Before you begin
Create JWT secret key and tokens
We can use pulsarctl to create the secret key and issue JWT tokens.
Create Kubernetes Secrets for secret key and tokens
- Create the secret key Secret:

    kubectl create secret generic secret-key --from-file=my-secret.key -n pulsar

- Create the broker-admin token Secret:

    # Single quotes keep the double quotes of the JSON value intact in the shell.
    kubectl create secret generic broker-admin --from-literal=token='{"token":"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJicm9rZXItYWRtaW4ifQ.mWjzMVR9wr9QoZxroU1iumqFFFRzCrLn_RqG5W8wLjs"}' -n pulsar

- Create the proxy-admin token Secret:

    kubectl create secret generic proxy-admin --from-literal=token='{"token":"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJwcm94eS1hZG1pbiJ9.B5LhZ7kNrEGgQeW2Ps8_X0no7zCMo8YG5JvDZydbzHA"}' -n pulsar
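A pre-flight check for the token Secret values created above, as an added example that is not part of the original page or of Pulsar's tooling: it verifies the HS256 signature against the secret key, compares the sub claim with the expected role name, and flags a token that carries no exp claim. It assumes the key file holds the raw HMAC key bytes and that the role is carried in sub, as in the sample tokens; the function names and the demo key are constructed for illustration.

```python
import base64, hashlib, hmac, json, time

def b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_token(claims, key):
    """Sign an HS256 JWT; used only to build the constructed sample input."""
    head = b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    body = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url_encode(sig)}"

def check_secret_value(value, key, role, now=None):
    """Return the problems found in a token Secret value ([] means usable)."""
    try:
        token = json.loads(value)["token"]
        head, body, sig = token.split(".")
        alg = json.loads(b64url_decode(head)).get("alg")
        claims = json.loads(b64url_decode(body))
        sub, exp = claims.get("sub"), claims.get("exp")
        signature = b64url_decode(sig)
    except (ValueError, KeyError, TypeError, AttributeError):
        return ['not {"token":"<jwt>"} JSON; check the shell quoting']
    problems = []
    if alg != "HS256":  # pin the algorithm that was issued, do not trust the header
        problems.append(f"unexpected alg {alg!r}")
    good = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(signature, good):
        problems.append("signature does not verify with this secret key")
    if sub != role:  # assumption: the role name is carried in the sub claim
        problems.append(f"sub is {sub!r}, expected {role!r}")
    if exp is None:
        problems.append("no exp claim, token never expires")
    elif exp <= (time.time() if now is None else now):
        problems.append("token has expired")
    return problems

if __name__ == "__main__":
    key = b"constructed-demo-key-32-bytes!!!"  # constructed, not a real key
    claims = {"sub": "broker-admin", "exp": 4102444800}  # constructed claims
    print(check_secret_value(json.dumps({"token": make_token(claims, key)}), key, "broker-admin"))
    # What an unquoted --from-literal value looks like once the shell strips the quotes:
    print(check_secret_value("{token:abc.def.ghi}", key, "broker-admin"))
```

In practice, read the key with open("my-secret.key", "rb").read() and pass the exact string that goes after token= in the kubectl command.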
Enable JWT authentication for Pulsar cluster
To enable JWT authentication on the Pulsar cluster, add the following configuration to the PulsarBroker object:
spec:
  custom: # [1]
    authenticationEnabled: 'true'
    authenticateOriginalAuthData: 'true'
    authenticationProviders: 'org.apache.pulsar.broker.authentication.AuthenticationProviderToken'
    brokerClientAuthenticationPlugin: 'org.apache.pulsar.client.impl.auth.AuthenticationToken'
    superUserRoles: 'broker-admin, proxy-admin'
    proxyRoles: 'proxy-admin'
    authorizationEnabled: 'true'
    authorizationProvider: 'org.apache.pulsar.broker.authorization.PulsarAuthorizationProvider'
  secretRefs: # [2]
  - mountPath: /mnt/secrets
    secretName: secret-key
  pod:
    vars: # [3]
    - name: brokerClientAuthenticationParameters
      valueFrom:
        secretKeyRef:
          name: broker-admin
          key: token
    - name: tokenSecretKey
      value: 'file:///mnt/secrets/my-secret.key'
- [1] custom: add Pulsar configurations for authentication and authorization.
- [2] secretRefs: mount the Secret resources.
- [3] pod.vars: use environment variables to render Pulsar configurations.
On the PulsarProxy object, add the following configuration:
spec:
  config:
    custom:
      authenticationEnabled: 'true'
      authenticateOriginalAuthData: 'true'
      forwardAuthorizationCredentials: 'true'
      authenticationProviders: 'org.apache.pulsar.broker.authentication.AuthenticationProviderToken'
      brokerClientAuthenticationPlugin: 'org.apache.pulsar.client.impl.auth.AuthenticationToken'
      superUserRoles: 'proxy-admin'
  secretRefs:
  - mountPath: /mnt/secrets
    secretName: secret-key
  pod:
    vars:
    - name: brokerClientAuthenticationParameters
      valueFrom:
        secretKeyRef:
          name: proxy-admin
          key: token
    - name: tokenSecretKey
      value: 'file:///mnt/secrets/my-secret.key'
Clients connect to Pulsar with JWT token