
Configure JWT authentication

You can configure JSON Web Token (JWT) authentication to a Pulsar cluster.

Before you begin

Create JWT secret key and tokens

We can use pulsarctl to create the secret key and issue the JWT tokens.

  • Create a secret key

    pulsarctl token create-secret-key -a HS256 --output-file my-secret.key
    
  • Issue the tokens for the broker-admin and proxy-admin subjects.

    pulsarctl token create -a HS256 --secret-key-file my-secret.key --subject broker-admin
    eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJicm9rZXItYWRtaW4ifQ.mWjzMVR9wr9QoZxroU1iumqFFFRzCrLn_RqG5W8wLjs
    
    pulsarctl token create -a HS256 --secret-key-file my-secret.key --subject proxy-admin
    eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJwcm94eS1hZG1pbiJ9.B5LhZ7kNrEGgQeW2Ps8_X0no7zCMo8YG5JvDZydbzHA
    
  • Issue the token for the client subject.

    pulsarctl token create -a HS256 --secret-key-file my-secret.key --subject client
    eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJjbGllbnQifQ.ROj5lrJIbaNVFDk7YVEQ6IRr8SrvFnZFCrfITYFbKCk
    
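To confirm which role each issued token carries before it is placed in the matching Kubernetes Secret, here is an added stand-alone Python example (not part of this page, pulsarctl or Pulsar). It decodes the `sub` claim of the three tokens above and implements a minimal HS256 verifier beside an issuer that reproduces the same header and claim layout; the signing key is a constructed value, since the page's own `my-secret.key` is not shown, so the page's tokens can be decoded here but not verified.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# The three tokens issued above, copied from this page.
BROKER_ADMIN_TOKEN = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJicm9rZXItYWRtaW4ifQ.mWjzMVR9wr9QoZxroU1iumqFFFRzCrLn_RqG5W8wLjs"
PROXY_ADMIN_TOKEN = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJwcm94eS1hZG1pbiJ9.B5LhZ7kNrEGgQeW2Ps8_X0no7zCMo8YG5JvDZydbzHA"
CLIENT_TOKEN = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJjbGllbnQifQ.ROj5lrJIbaNVFDk7YVEQ6IRr8SrvFnZFCrfITYFbKCk"

def b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64url padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def peek_subject(token: str) -> str:
    # Unverified read of the 'sub' claim: enough to confirm which role a
    # token carries before it is stored in the matching Kubernetes Secret.
    return json.loads(b64url_decode(token.split(".")[1]))["sub"]

def issue_hs256(subject: str, secret: bytes) -> str:
    # Same claim shape pulsarctl produced above: {"sub": "<role>"}, no expiry.
    compact = {"separators": (",", ":")}
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, **compact).encode())
    payload = b64url_encode(json.dumps({"sub": subject}, **compact).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

def verify_hs256(token: str, secret: bytes) -> Optional[dict]:
    # Simplified form of the check the broker's token provider performs with
    # tokenSecretKey: require alg HS256 and a matching HMAC-SHA256 over "header.payload".
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        sig = b64url_decode(sig_b64)
    except (ValueError, json.JSONDecodeError):
        return None
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    return json.loads(b64url_decode(payload_b64))
```

Running `peek_subject` over the three tokens yields `broker-admin`, `proxy-admin` and `client`, which is the mapping the Secrets and `superUserRoles`/`proxyRoles` settings below rely on.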

Create Kubernetes Secrets for secret key and tokens

  • Create the secret key Secret

    kubectl create secret generic secret-key --from-file=my-secret.key -n pulsar
    
  • Create the broker-admin token Secret

    kubectl create secret generic broker-admin --from-literal=token={"token":"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJicm9rZXItYWRtaW4ifQ.mWjzMVR9wr9QoZxroU1iumqFFFRzCrLn_RqG5W8wLjs"} -n pulsar
    
  • Create the proxy-admin token Secret

    kubectl create secret generic proxy-admin --from-literal=token={"token":"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJwcm94eS1hZG1pbiJ9.B5LhZ7kNrEGgQeW2Ps8_X0no7zCMo8YG5JvDZydbzHA"} -n pulsar
    

Enable JWT authentication for Pulsar cluster

To enable JWT authentication on the Pulsar cluster, we need to add the following configurations to the PulsarBroker object:

spec:
  custom:
    authenticationEnabled: 'true'
    authenticateOriginalAuthData: 'true'
    authenticationProviders: 'org.apache.pulsar.broker.authentication.AuthenticationProviderToken'
    brokerClientAuthenticationPlugin: 'org.apache.pulsar.client.impl.auth.AuthenticationToken'
    superUserRoles: 'broker-admin, proxy-admin'
    proxyRoles: 'proxy-admin'
    authorizationEnabled: 'true'
    authorizationProvider: 'org.apache.pulsar.broker.authorization.PulsarAuthorizationProvider'
  secretRefs:
    - mountPath: /mnt/secrets
      secretName: secret-key
  pod:
    vars:
      - name: brokerClientAuthenticationParameters
        valueFrom:
          secretKeyRef:
            name: broker-admin
            key: token
      - name: tokenSecretKey
        value: 'file:///mnt/secrets/my-secret.key'
  • [1] custom: add Pulsar configurations for authentication and authorization.
  • [2] secretRefs: mount the Secret resources.
  • [3] pod.vars: use environment variables to render Pulsar configurations.

On the PulsarProxy object, we need to add the following configurations:

spec:
  config:
    custom:
      authenticationEnabled: 'true'
      authenticateOriginalAuthData: 'true'
      forwardAuthorizationCredentials: 'true'
      authenticationProviders: 'org.apache.pulsar.broker.authentication.AuthenticationProviderToken'
      brokerClientAuthenticationPlugin: 'org.apache.pulsar.client.impl.auth.AuthenticationToken'
      superUserRoles: 'proxy-admin'
  secretRefs:
    - mountPath: /mnt/secrets
      secretName: secret-key
  pod:
    vars:
      - name: brokerClientAuthenticationParameters
        valueFrom:
          secretKeyRef:
            name: proxy-admin
            key: token
      - name: tokenSecretKey
        value: 'file:///mnt/secrets/my-secret.key'

Clients connect to Pulsar with a JWT token

  • Grant permissions to the client subject using the broker-admin token

    pulsarctl --admin-service-url http://<Your PulsarProxy Endpoint>:8080 --token "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJicm9rZXItYWRtaW4ifQ.mWjzMVR9wr9QoZxroU1iumqFFFRzCrLn_RqG5W8wLjs" namespaces grant-permission --role client --actions produce --actions consume public/default
    
    Grant permissions [produce consume] to the client role client to access the namespace public/default successfully
    
  • Produce messages with the client token

    bin/pulsar-client --url pulsar://<Your PulsarProxy Endpoint>:6650 --auth-plugin org.apache.pulsar.client.impl.auth.AuthenticationToken --auth-params token:eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJjbGllbnQifQ.ROj5lrJIbaNVFDk7YVEQ6IRr8SrvFnZFCrfITYFbKCk produce public/default/test -m "test" -n 100
    