Pulsar Access Control: Token Mode

Reference links

  • https://pulsar.apache.org/docs/zh-CN/security-token-admin/
  • https://pulsar.apache.org/docs/zh-CN/security-token-client/

Token mode

Authentication is based on JSON Web Tokens (RFC-7519).
Specifications:
https://jwt.io/introduction/
https://tools.ietf.org/pdf/rfc7519.pdf

  • Secret key method
  1. Generate the secret key
    bin/pulsar tokens create-secret-key --output /path/to/my-secret.key --base64

  2. Create a token
    bin/pulsar tokens create --secret-key file:///path/to/my-secret.key --subject test-user --expiry-time 1y

  3. Grant permissions
    bin/pulsar-admin namespaces grant-permission my-tenant/my-namespace --role test-user --actions produce,consume

  4. Modify the broker configuration

authenticationEnabled=true
authorizationEnabled=true
authenticationProviders=org.apache.pulsar.broker.authentication.AuthenticationProviderToken

tokenSecretKey=file:///path/to/my-secret.key

# operations and publish/consume from all topics
superUserRoles=admin

brokerClientAuthenticationPlugin=org.apache.pulsar.client.impl.auth.AuthenticationToken
brokerClientAuthenticationParameters=token:[account token]
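
The checks a token goes through under the secret key method, as an added example (not from the original page and not Pulsar's own code): it verifies the signature with the shared key, rejects expired tokens, and returns the subject that step 3 granted permissions to as a role. HS256 as the signing algorithm and the names make_token, role_from_token and SECRET are assumptions of this example; the sample key and tokens are constructed.

```python
import base64, hashlib, hmac, json, time

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(secret, signing_input):
    mac = hmac.new(secret, signing_input.encode(), hashlib.sha256)
    return b64url(mac.digest())

def make_token(secret, claims, alg="HS256"):
    """Build a constructed sample token (stand-in for `pulsar tokens create`)."""
    head = b64url(json.dumps({"alg": alg}).encode())
    body = b64url(json.dumps(claims).encode())
    sig = sign(secret, head + "." + body) if alg == "HS256" else ""
    return head + "." + body + "." + sig

def role_from_token(token, secret, now=None):
    """Return the role (`sub` claim); raise ValueError if the token is rejected."""
    try:
        head, body, sig = token.split(".")
        header = json.loads(b64url_decode(head))
        claims = json.loads(b64url_decode(body))
        if not (isinstance(header, dict) and isinstance(claims, dict)):
            raise TypeError("header and claims must be JSON objects")
    except Exception as exc:
        raise ValueError("malformed token") from exc
    # Pin the algorithm: the token header must not choose how it is verified.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected algorithm")
    # Constant-time comparison of the recomputed and presented signatures.
    expected = sign(secret, head + "." + body)
    if not hmac.compare_digest(expected.encode(), sig.encode()):
        raise ValueError("bad signature")
    exp = claims.get("exp")
    if exp is not None and (time.time() if now is None else now) >= exp:
        raise ValueError("token expired")
    if not claims.get("sub"):
        raise ValueError("no subject")
    return claims["sub"]

SECRET = b"constructed-demo-key-0123456789abcdef"  # constructed, not a real key

if __name__ == "__main__":
    token = make_token(SECRET, {"sub": "test-user", "exp": int(time.time()) + 3600})
    print(role_from_token(token, SECRET))
```

Validation needs the same key that signs, so every broker node holding tokenSecretKey can also create tokens; the public/private key method keeps the signing key off the brokers.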

  • Public/private key method
  1. Generate the public/private key pair
    bin/pulsar tokens create-key-pair --output-private-key /path/to/my-private.key --output-public-key /path/to/my-public.key
    Private key: stored separately and securely; used to generate tokens
    Public key: stored on all broker nodes; used to validate tokens

  2. Create a token
    bin/pulsar tokens create --private-key file:///path/to/my-private.key --subject test-user --expiry-time 1y

  3. Grant permissions
    bin/pulsar-admin namespaces grant-permission my-tenant/my-namespace --role test-user --actions produce,consume

  4. Modify the broker configuration

authenticationEnabled=true
authorizationEnabled=true
authenticationProviders=org.apache.pulsar.broker.authentication.AuthenticationProviderToken

tokenPublicKey=file:///path/to/my-public.key

# operations and publish/consume from all topics
superUserRoles=admin

brokerClientAuthenticationPlugin=org.apache.pulsar.client.impl.auth.AuthenticationToken
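brokerClientAuthenticationParameters=token:[account token]

  • Client examples
  1. Java
import org.apache.pulsar.client.api.AuthenticationFactory;
import org.apache.pulsar.client.api.PulsarClient;

// Pass the token issued for this account to the client builder
PulsarClient client = PulsarClient.builder()
    .serviceUrl("pulsar://broker.example.com:6650/")
    .authentication(
        AuthenticationFactory.token("token"))
    .build();
  2. C++
#include <pulsar/Client.h>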
pulsar::ClientConfiguration config;
config.setAuth(pulsar::AuthToken::createWithToken("token"));
pulsar::Client client("pulsar://broker.example.com:6650/", config);

  • Examples using Pulsar's bundled tools
    Grant permissions:
    bin/pulsar-admin --auth-plugin org.apache.pulsar.client.impl.auth.AuthenticationToken --auth-params token:[admin account token] namespaces grant-permission public/default --role test-user --actions produce

Produce:
bin/pulsar-perf produce persistent://public/default/test_my_topic -u pulsar://broker.example.com:6650 -s 1024 -time 120 -r 1000 -n 1 -b 0 --auth_plugin org.apache.pulsar.client.impl.auth.AuthenticationToken --auth-params token:[account token]

Consume:
bin/pulsar-perf consume persistent://public/default/test_my_topic -u pulsar://broker.example.com:6650 -s consumer_test_2019 --auth_plugin org.apache.pulsar.client.impl.auth.AuthenticationToken --auth-params token:[account token]
