Posted to commits@pulsar.apache.org by zh...@apache.org on 2019/05/30 11:31:47 UTC

[pulsar] branch master updated: Update pulsar kerberos document (#4385)

This is an automated email from the ASF dual-hosted git repository.

zhaijia pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/pulsar.git


The following commit(s) were added to refs/heads/master by this push:
     new e3f4841  Update pulsar kerberos document (#4385)
e3f4841 is described below

commit e3f4841805777386688e45bfcad3ab3b7204792b
Author: Yong Zhang <zh...@gmail.com>
AuthorDate: Thu May 30 19:31:41 2019 +0800

    Update pulsar kerberos document (#4385)
    
    
    Currently, the Kerberos document lacks some description of using a client to connect to brokers with Kerberos.
    
    * Update pulsar kerberos document
    
    * Update doc
    
    * Fix doc
---
 site2/docs/security-kerberos.md | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/site2/docs/security-kerberos.md b/site2/docs/security-kerberos.md
index 9b582f1..9956dcc 100644
--- a/site2/docs/security-kerberos.md
+++ b/site2/docs/security-kerberos.md
@@ -156,6 +156,18 @@ The following is an example of creating a Java client:
 
 Make sure that the keytabs configured in the `pulsar_jaas.conf` file and kdc server in the `krb5.conf` file are reachable by the operating system user who is starting pulsar client.
 
+If you are using command line, you can continue with these step:
+1. Config your `client.conf`: 
+```shell
+authPlugin=org.apache.pulsar.client.impl.auth.AuthenticationSasl
+authParams={"saslJaasClientSectionName":"PulsarClient", "serverType":"broker"}
+```
+2. Set JVM parameter for JAAS configuration file and krb5 configuration file with additional option.
+```shell
+   -Djava.security.auth.login.config=/etc/pulsar/pulsar_jaas.conf -Djava.security.krb5.conf=/etc/pulsar/krb5.conf 
+```
+You can add this at the end of `PULSAR_EXTRA_OPTS` in the file [`pulsar_tools_env.sh`](https://github.com/apache/pulsar/blob/master/conf/pulsar_tools_env.sh)
+
 ## Kerberos configuration for working with Pulsar Proxy
 
 With the above configuration, client and broker can do authentication using Kerberos.  
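Review bot: The two numbered steps will not render as one list, because the fenced blocks after "1." and "2." are not consistently indented under their list items (the first fence starts at column 0, while the content of the second is indented three spaces). Indent both fences under their items so the numbering continues. The `client.conf` snippet is a properties fragment rather than shell, so the `shell` tag on that fence is misleading. Wording: "these step" should be "these steps", "Config your" should be "Configure your", and the sentence about `PULSAR_EXTRA_OPTS` needs a closing period. Several added lines also carry trailing whitespace. It would help to state that the `saslJaasClientSectionName` value `PulsarClient` must match the section name in the `pulsar_jaas.conf` file passed via `-Djava.security.auth.login.config`, since a mismatch is the likely failure a command-line user will hit.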
@@ -271,6 +283,13 @@ saslJaasBrokerSectionName=PulsarBroker
 
 For Kerberos authentication, the authenticated principal is used as the role token for Pulsar authorization.  For more information of authorization in Pulsar, see [security authorization](security-authorization.md).
 
+If you enabled authorizationEnabled you need set `superUserRoles` in `broker.conf` that corresponding to the name registered in kdc
+
+For example:
+```bash
+superUserRoles=client/{clientIp}@EXAMPLE.COM
+```
+
 ## Regarding authorization between BookKeeper and ZooKeeper
 
 Adding `bookkeeperClientAuthenticationPlugin` parameter in `broker.conf` is a prerequisite for Broker (as a Kerberos client) being authenticated by Bookie (as a Kerberos Server):
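Review bot: The new `superUserRoles` sentence does not say what form the value must take, and the example `client/{clientIp}@EXAMPLE.COM` uses a `{clientIp}` placeholder that is never explained. Since the preceding paragraph says the authenticated principal is used as the role token, spell out that the entry must equal the full principal name registered in the KDC, and say what `{clientIp}` stands for. Because this setting grants superuser rights, a short note to list only the principals that need them would be worth adding. Wording: put `authorizationEnabled` in backticks and rephrase to something like "If you have enabled `authorizationEnabled`, you need to set `superUserRoles` in `broker.conf` to the name registered in the KDC." The fence is tagged `bash` although the content is a `broker.conf` property.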