You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@pulsar.apache.org by mm...@apache.org on 2019/08/03 09:07:44 UTC
[pulsar] branch asf-site updated: Updated site at revision 710b4b1
This is an automated email from the ASF dual-hosted git repository.
mmerli pushed a commit to branch asf-site
in repository https://gitbox.apache.org/repos/asf/pulsar.git
The following commit(s) were added to refs/heads/asf-site by this push:
new e6bc780 Updated site at revision 710b4b1
e6bc780 is described below
commit e6bc780229e4c72ba47c5e9a9ac0837999b27cdd
Author: jenkins <bu...@apache.org>
AuthorDate: Sat Aug 3 09:07:36 2019 +0000
Updated site at revision 710b4b1
---
content/docs/en/next/schema-get-started.html | 25 +++++--
content/docs/en/next/schema-get-started/index.html | 25 +++++--
content/docs/en/next/security-kerberos.html | 87 ++++++++++++++++------
content/docs/en/next/security-kerberos/index.html | 87 ++++++++++++++++------
content/docs/en/security-kerberos.html | 87 ++++++++++++++++------
content/docs/en/security-kerberos/index.html | 87 ++++++++++++++++------
content/docs/fr/next/schema-get-started.html | 25 +++++--
content/docs/fr/next/schema-get-started/index.html | 25 +++++--
content/docs/fr/next/security-kerberos.html | 80 +++++++++++++++-----
content/docs/fr/next/security-kerberos/index.html | 80 +++++++++++++++-----
content/docs/fr/security-kerberos.html | 80 +++++++++++++++-----
content/docs/fr/security-kerberos/index.html | 80 +++++++++++++++-----
content/docs/ja/next/schema-get-started.html | 25 +++++--
content/docs/ja/next/schema-get-started/index.html | 25 +++++--
content/docs/ja/next/security-kerberos.html | 80 +++++++++++++++-----
content/docs/ja/next/security-kerberos/index.html | 80 +++++++++++++++-----
content/docs/ja/security-kerberos.html | 80 +++++++++++++++-----
content/docs/ja/security-kerberos/index.html | 80 +++++++++++++++-----
content/docs/zh-CN/next/schema-get-started.html | 25 +++++--
.../docs/zh-CN/next/schema-get-started/index.html | 25 +++++--
content/docs/zh-CN/next/security-kerberos.html | 80 +++++++++++++++-----
.../docs/zh-CN/next/security-kerberos/index.html | 80 +++++++++++++++-----
content/docs/zh-CN/security-kerberos.html | 80 +++++++++++++++-----
content/docs/zh-CN/security-kerberos/index.html | 80 +++++++++++++++-----
content/swagger/2.5.0-SNAPSHOT/swagger.json | 54 +++++++-------
.../swagger/2.5.0-SNAPSHOT/swaggerfunctions.json | 22 +++---
26 files changed, 1166 insertions(+), 418 deletions(-)
diff --git a/content/docs/en/next/schema-get-started.html b/content/docs/en/next/schema-get-started.html
index 7c7c104..a50f802 100644
--- a/content/docs/en/next/schema-get-started.html
+++ b/content/docs/en/next/schema-get-started.html
@@ -1,4 +1,4 @@
-<!DOCTYPE html><html lang="en"><head><meta charSet="utf-8"/><meta http-equiv="X-UA-Compatible" content="IE=edge"/><title>Get started · Apache Pulsar</title><meta name="viewport" content="width=device-width"/><meta name="generator" content="Docusaurus"/><meta name="description" content="When a schema is enabled, Pulsar does parse data, it takes bytes as inputs and sends bytes as outputs. While data has meaning beyond bytes, you need to parse data and might encounter parse exceptions which [...]
+<!DOCTYPE html><html lang="en"><head><meta charSet="utf-8"/><meta http-equiv="X-UA-Compatible" content="IE=edge"/><title>Get started · Apache Pulsar</title><meta name="viewport" content="width=device-width"/><meta name="generator" content="Docusaurus"/><meta name="description" content="## Schema Registry"/><meta name="docsearch:version" content="next"/><meta name="docsearch:language" content="en"/><meta property="og:title" content="Get started · Apache Pulsar"/><meta property="og:type" c [...]
(function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){
(i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o),
m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m)
@@ -74,7 +74,20 @@
};
}
});
- </script></nav></div><div class="container mainContainer"><div class="wrapper"><div class="post"><header class="postHeader"><a class="edit-page-link button" href="https://github.com/apache/incubator-pulsar/edit/master/site2/docs/schema-get-started.md" target="_blank" rel="noreferrer noopener">Edit</a><h1 class="postHeaderTitle">Get started</h1></header><article><div><span><p>When a schema is enabled, Pulsar does parse data, it takes bytes as inputs and sends bytes as outputs. Whi [...]
+ </script></nav></div><div class="container mainContainer"><div class="wrapper"><div class="post"><header class="postHeader"><a class="edit-page-link button" href="https://github.com/apache/incubator-pulsar/edit/master/site2/docs/schema-get-started.md" target="_blank" rel="noreferrer noopener">Edit</a><h1 class="postHeaderTitle">Get started</h1></header><article><div><span><h2><a class="anchor" aria-hidden="true" id="schema-registry"></a><a href="#schema-registry" aria-hidden="tru [...]
+<p>Type safety is extremely important in any application built around a message bus like Pulsar.</p>
+<p>Producers and consumers need some kind of mechanism for coordinating types at the topic level to aviod various potential problems arise. For example, serialization and deserialization issues.</p>
+<p>Applications typically adopt one of the following approaches to guarantee type safety in messaging. Both approaches are available in Pulsar, and you're free to adopt one or the other or to mix and match on a per-topic basis.</p>
+<h3><a class="anchor" aria-hidden="true" id="client-side-approach"></a><a href="#client-side-approach" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1 [...]
+<p>Producers and consumers are responsible for not only serializing and deserializing messages (which consist of raw bytes) but also "knowing" which types are being transmitted via which topics.</p>
+<p>If a producer is sending temperature sensor data on the topic <code>topic-1</code>, consumers of that topic will run into trouble if they attempt to parse that data as moisture sensor readings.</p>
+<p>Producers and consumers can send and receive messages consisting of raw byte arrays and leave all type safety enforcement to the application on an "out-of-band" basis.</p>
+<h3><a class="anchor" aria-hidden="true" id="server-side-approach"></a><a href="#server-side-approach" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1 [...]
+<p>Producers and consumers inform the system which data types can be transmitted via the topic.</p>
+<p>With this approach, the messaging system enforces type safety and ensures that producers and consumers remain synced.</p>
+<p>Pulsar has a built-in <strong>schema registry</strong> that enables clients to upload data schemas on a per-topic basis. Those schemas dictate which data types are recognized as valid for that topic.</p>
+<h2><a class="anchor" aria-hidden="true" id="why-use-schema"></a><a href="#why-use-schema" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0- [...]
+<p>When a schema is enabled, Pulsar does parse data, it takes bytes as inputs and sends bytes as outputs. While data has meaning beyond bytes, you need to parse data and might encounter parse exceptions which mainly occur in the following situations:</p>
<ul>
<li><p>The field does not exist</p></li>
<li><p>The field type has changed (for example, <code>string</code> is changed to <code>int</code>)</p></li>
@@ -89,7 +102,7 @@
}
</code></pre>
<p>When constructing a producer with the <em>User</em> class, you can specify a schema or not as below.</p>
-<h2><a class="anchor" aria-hidden="true" id="without-schema"></a><a href="#without-schema" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0- [...]
+<h3><a class="anchor" aria-hidden="true" id="without-schema"></a><a href="#without-schema" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0- [...]
<p>If you construct a producer without specifying a schema, then the producer can only produce messages of type <code>byte[]</code>. If you have a POJO class, you need to serialize the POJO into bytes before sending messages.</p>
<p><strong>Example</strong></p>
<pre><code class="hljs">Producer<byte[]> producer = client.newProducer()
@@ -99,7 +112,7 @@
byte[] message = … // serialize the `<span class="hljs-keyword">user</span>` <span class="hljs-keyword">by</span> yourself;
producer.send(message);
</code></pre>
-<h2><a class="anchor" aria-hidden="true" id="with-schema"></a><a href="#with-schema" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42 [...]
+<h3><a class="anchor" aria-hidden="true" id="with-schema"></a><a href="#with-schema" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42 [...]
<p>If you construct a producer with specifying a schema, then you can send a class to a topic directly without worrying about how to serialize POJOs into bytes.</p>
<p><strong>Example</strong></p>
<p>This example constructs a producer with the <em>JSONSchema</em>, and you can send the <em>User</em> class to topics directly without worrying about how to serialize it into bytes.</p>
@@ -109,9 +122,9 @@ producer.send(message);
<span class="hljs-keyword">User</span> <span class="hljs-keyword">user</span> = <span class="hljs-built_in">new</span> <span class="hljs-keyword">User</span>(“Tom”, <span class="hljs-number">28</span>);
producer.send(<span class="hljs-keyword">User</span>);
</code></pre>
-<h2><a class="anchor" aria-hidden="true" id="summary"></a><a href="#summary" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1- [...]
+<h3><a class="anchor" aria-hidden="true" id="summary"></a><a href="#summary" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1- [...]
<p>When constructing a producer with a schema, you do not need to serialize messages into bytes, instead Pulsar schema does this job in the background.</p>
-</span></div></article></div><div class="docs-prevnext"><a class="docs-prev button" href="/docs/en/next/concepts-schema-registry"><span class="arrow-prev">← </span><span>Schema Registry</span></a><a class="docs-next button" href="/docs/en/next/functions-overview"><span>Overview</span><span class="arrow-next"> →</span></a></div></div></div><nav class="onPageNav"><ul class="toc-headings"><li><a href="#without-schema">Without schema</a></li><li><a href="#with-schema">With schema</a></li><li [...]
+</span></div></article></div><div class="docs-prevnext"><a class="docs-prev button" href="/docs/en/next/concepts-schema-registry"><span class="arrow-prev">← </span><span>Schema Registry</span></a><a class="docs-next button" href="/docs/en/next/functions-overview"><span>Overview</span><span class="arrow-next"> →</span></a></div></div></div><nav class="onPageNav"><ul class="toc-headings"><li><a href="#schema-registry">Schema Registry</a><ul class="toc-headings"><li><a href="#client-side-ap [...]
const community = document.querySelector("a[href='#community']").parentNode;
const communityMenu =
'<li>' +
diff --git a/content/docs/en/next/schema-get-started/index.html b/content/docs/en/next/schema-get-started/index.html
index 7c7c104..a50f802 100644
--- a/content/docs/en/next/schema-get-started/index.html
+++ b/content/docs/en/next/schema-get-started/index.html
@@ -1,4 +1,4 @@
-<!DOCTYPE html><html lang="en"><head><meta charSet="utf-8"/><meta http-equiv="X-UA-Compatible" content="IE=edge"/><title>Get started · Apache Pulsar</title><meta name="viewport" content="width=device-width"/><meta name="generator" content="Docusaurus"/><meta name="description" content="When a schema is enabled, Pulsar does parse data, it takes bytes as inputs and sends bytes as outputs. While data has meaning beyond bytes, you need to parse data and might encounter parse exceptions which [...]
+<!DOCTYPE html><html lang="en"><head><meta charSet="utf-8"/><meta http-equiv="X-UA-Compatible" content="IE=edge"/><title>Get started · Apache Pulsar</title><meta name="viewport" content="width=device-width"/><meta name="generator" content="Docusaurus"/><meta name="description" content="## Schema Registry"/><meta name="docsearch:version" content="next"/><meta name="docsearch:language" content="en"/><meta property="og:title" content="Get started · Apache Pulsar"/><meta property="og:type" c [...]
(function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){
(i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o),
m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m)
@@ -74,7 +74,20 @@
};
}
});
- </script></nav></div><div class="container mainContainer"><div class="wrapper"><div class="post"><header class="postHeader"><a class="edit-page-link button" href="https://github.com/apache/incubator-pulsar/edit/master/site2/docs/schema-get-started.md" target="_blank" rel="noreferrer noopener">Edit</a><h1 class="postHeaderTitle">Get started</h1></header><article><div><span><p>When a schema is enabled, Pulsar does parse data, it takes bytes as inputs and sends bytes as outputs. Whi [...]
+ </script></nav></div><div class="container mainContainer"><div class="wrapper"><div class="post"><header class="postHeader"><a class="edit-page-link button" href="https://github.com/apache/incubator-pulsar/edit/master/site2/docs/schema-get-started.md" target="_blank" rel="noreferrer noopener">Edit</a><h1 class="postHeaderTitle">Get started</h1></header><article><div><span><h2><a class="anchor" aria-hidden="true" id="schema-registry"></a><a href="#schema-registry" aria-hidden="tru [...]
+<p>Type safety is extremely important in any application built around a message bus like Pulsar.</p>
+<p>Producers and consumers need some kind of mechanism for coordinating types at the topic level to aviod various potential problems arise. For example, serialization and deserialization issues.</p>
+<p>Applications typically adopt one of the following approaches to guarantee type safety in messaging. Both approaches are available in Pulsar, and you're free to adopt one or the other or to mix and match on a per-topic basis.</p>
+<h3><a class="anchor" aria-hidden="true" id="client-side-approach"></a><a href="#client-side-approach" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1 [...]
+<p>Producers and consumers are responsible for not only serializing and deserializing messages (which consist of raw bytes) but also "knowing" which types are being transmitted via which topics.</p>
+<p>If a producer is sending temperature sensor data on the topic <code>topic-1</code>, consumers of that topic will run into trouble if they attempt to parse that data as moisture sensor readings.</p>
+<p>Producers and consumers can send and receive messages consisting of raw byte arrays and leave all type safety enforcement to the application on an "out-of-band" basis.</p>
+<h3><a class="anchor" aria-hidden="true" id="server-side-approach"></a><a href="#server-side-approach" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1 [...]
+<p>Producers and consumers inform the system which data types can be transmitted via the topic.</p>
+<p>With this approach, the messaging system enforces type safety and ensures that producers and consumers remain synced.</p>
+<p>Pulsar has a built-in <strong>schema registry</strong> that enables clients to upload data schemas on a per-topic basis. Those schemas dictate which data types are recognized as valid for that topic.</p>
+<h2><a class="anchor" aria-hidden="true" id="why-use-schema"></a><a href="#why-use-schema" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0- [...]
+<p>When a schema is enabled, Pulsar does parse data, it takes bytes as inputs and sends bytes as outputs. While data has meaning beyond bytes, you need to parse data and might encounter parse exceptions which mainly occur in the following situations:</p>
<ul>
<li><p>The field does not exist</p></li>
<li><p>The field type has changed (for example, <code>string</code> is changed to <code>int</code>)</p></li>
@@ -89,7 +102,7 @@
}
</code></pre>
<p>When constructing a producer with the <em>User</em> class, you can specify a schema or not as below.</p>
-<h2><a class="anchor" aria-hidden="true" id="without-schema"></a><a href="#without-schema" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0- [...]
+<h3><a class="anchor" aria-hidden="true" id="without-schema"></a><a href="#without-schema" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0- [...]
<p>If you construct a producer without specifying a schema, then the producer can only produce messages of type <code>byte[]</code>. If you have a POJO class, you need to serialize the POJO into bytes before sending messages.</p>
<p><strong>Example</strong></p>
<pre><code class="hljs">Producer<byte[]> producer = client.newProducer()
@@ -99,7 +112,7 @@
byte[] message = … // serialize the `<span class="hljs-keyword">user</span>` <span class="hljs-keyword">by</span> yourself;
producer.send(message);
</code></pre>
-<h2><a class="anchor" aria-hidden="true" id="with-schema"></a><a href="#with-schema" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42 [...]
+<h3><a class="anchor" aria-hidden="true" id="with-schema"></a><a href="#with-schema" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42 [...]
<p>If you construct a producer with specifying a schema, then you can send a class to a topic directly without worrying about how to serialize POJOs into bytes.</p>
<p><strong>Example</strong></p>
<p>This example constructs a producer with the <em>JSONSchema</em>, and you can send the <em>User</em> class to topics directly without worrying about how to serialize it into bytes.</p>
@@ -109,9 +122,9 @@ producer.send(message);
<span class="hljs-keyword">User</span> <span class="hljs-keyword">user</span> = <span class="hljs-built_in">new</span> <span class="hljs-keyword">User</span>(“Tom”, <span class="hljs-number">28</span>);
producer.send(<span class="hljs-keyword">User</span>);
</code></pre>
-<h2><a class="anchor" aria-hidden="true" id="summary"></a><a href="#summary" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1- [...]
+<h3><a class="anchor" aria-hidden="true" id="summary"></a><a href="#summary" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1- [...]
<p>When constructing a producer with a schema, you do not need to serialize messages into bytes, instead Pulsar schema does this job in the background.</p>
-</span></div></article></div><div class="docs-prevnext"><a class="docs-prev button" href="/docs/en/next/concepts-schema-registry"><span class="arrow-prev">← </span><span>Schema Registry</span></a><a class="docs-next button" href="/docs/en/next/functions-overview"><span>Overview</span><span class="arrow-next"> →</span></a></div></div></div><nav class="onPageNav"><ul class="toc-headings"><li><a href="#without-schema">Without schema</a></li><li><a href="#with-schema">With schema</a></li><li [...]
+</span></div></article></div><div class="docs-prevnext"><a class="docs-prev button" href="/docs/en/next/concepts-schema-registry"><span class="arrow-prev">← </span><span>Schema Registry</span></a><a class="docs-next button" href="/docs/en/next/functions-overview"><span>Overview</span><span class="arrow-next"> →</span></a></div></div></div><nav class="onPageNav"><ul class="toc-headings"><li><a href="#schema-registry">Schema Registry</a><ul class="toc-headings"><li><a href="#client-side-ap [...]
const community = document.querySelector("a[href='#community']").parentNode;
const communityMenu =
'<li>' +
diff --git a/content/docs/en/next/security-kerberos.html b/content/docs/en/next/security-kerberos.html
index e9d846a..c65a240 100644
--- a/content/docs/en/next/security-kerberos.html
+++ b/content/docs/en/next/security-kerberos.html
@@ -94,6 +94,8 @@ sudo /usr/sbin/kadmin.local -q 'addprinc -randkey client/{hostname}@{REALM}'
sudo /usr/sbin/kadmin.local -q "ktadd -k /etc/security/keytabs/{client-keytabname}.keytab client/{hostname}@{REALM}"
</code></pre>
<p>Note that it is a <em>Kerberos</em> requirement that all your hosts can be resolved with their FQDNs.</p>
+<p>The first part of Broker principal (for example, <code>broker</code> in <code>broker/{hostname}@{REALM}</code>) is the <code>serverType</code> of each host,
+The suggested values of <code>serverType</code> are <code>broker</code> (host machine runs service Pulsar Broker) and <code>proxy</code> (host machine runs service Pulsar Proxy).</p>
<h4><a class="anchor" aria-hidden="true" id="configure-how-to-connect-to-kdc"></a><a href="#configure-how-to-connect-to-kdc" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 [...]
<p>You need to specify the path to the <code>krb5.conf</code> file for both client and broker side. The contents of <code>krb5.conf</code> file indicate the default Realm and KDC information. See <a href="https://docs.oracle.com/javase/8/docs/technotes/guides/security/jgss/tutorials/KerberosReq.html">JDK’s Kerberos Requirements</a> for more details.</p>
<pre><code class="hljs css language-shell">-Djava.security.krb5.conf=/etc/pulsar/krb5.conf
@@ -137,33 +139,46 @@ sudo /usr/sbin/kadmin.local -q "ktadd -k /etc/security/keytabs/{client-keytabnam
<li><code>PulsarBroker</code> is a section name in the JAAS file used by each broker. This section tells the broker which principal to use inside Kerberos
and the location of the keytab where the principal is stored. It allows the broker to use the keytab specified in this section.</li>
<li><code>PulsarClient</code> is a section name in the JASS file used by each client. This section tells the client which principal to use inside Kerberos
-and the location of the keytab where the principal is stored. It allows the client to use the keytab specified in this section.</li>
+and the location of the keytab where the principal is stored. It allows the client to use the keytab specified in this section.
+In the following example, this <code>PulsarClient</code> section will also be reused in both the Pulsar internal admin configuration and in CLI command of <code>bin/pulsar-client</code>, <code>bin/pulsar-perf</code> and <code>bin/pulsar-admin</code>. You can also add different sections for different use cases.</li>
</ol>
-<p>It is also a choice to have 2 separate JAAS configuration files: the file for broker will only have <code>PulsarBroker</code> section; while the one for client only have <code>PulsarClient</code> section.</p>
+<p>You can have 2 separate JAAS configuration files:</p>
+<ul>
+<li>the file for a broker has sections of both <code>PulsarBroker</code> and <code>PulsarClient</code>;</li>
+<li>the file for a client only has a <code>PulsarClient</code> section.</li>
+</ul>
<h3><a class="anchor" aria-hidden="true" id="kerberos-configuration-for-brokers"></a><a href="#kerberos-configuration-for-brokers" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5 [...]
-<ol>
-<li>In the <code>broker.conf</code> file, set Kerberos related configuration.</li>
-</ol>
+<h4><a class="anchor" aria-hidden="true" id="configure-brokerconf-file"></a><a href="#configure-brokerconf-file" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c [...]
+<p>In the <code>broker.conf</code> file, set Kerberos related configurations.</p>
<ul>
<li>Set <code>authenticationEnabled</code> to <code>true</code>;</li>
<li>Set <code>authenticationProviders</code> to choose <code>AuthenticationProviderSasl</code>;</li>
-<li>Set <code>saslJaasClientAllowedIds</code> regex for principal that is allowed to connect to broker.</li>
-<li>Set <code>saslJaasBrokerSectionName</code> that corresponding to the section in JAAS configuration file for broker.</li>
+<li>Set <code>saslJaasClientAllowedIds</code> regex for principal that is allowed to connect to broker;</li>
+<li>Set <code>saslJaasBrokerSectionName</code> that corresponding to the section in JAAS configuration file for broker;</li>
+</ul>
+<p>To make Pulsar internal admin client work properly, you need to set the configuration in the <code>broker.conf</code> file as below:</p>
+<ul>
+<li>Set <code>brokerClientAuthenticationPlugin</code> to client plugin <code>AuthenticationSasl</code>;</li>
+<li>Set <code>brokerClientAuthenticationParameters</code> to value in JSON string <code>{"saslJaasClientSectionName":"PulsarClient", "serverType":"broker"}</code>, in which <code>PulsarClient</code> is the section name in above <code>pulsar_jaas.conf</code> file, and <code>"serverType":"broker"</code> indicate that internal admin client will connect to a Pulsar Broker;</li>
</ul>
<p>Here is an example:</p>
<pre><code class="hljs"><span class="hljs-attr">authenticationEnabled</span>=<span class="hljs-literal">true</span>
<span class="hljs-attr">authenticationProviders</span>=org.apache.pulsar.broker.authentication.AuthenticationProviderSasl
<span class="hljs-attr">saslJaasClientAllowedIds</span>=.*client.*
<span class="hljs-attr">saslJaasBrokerSectionName</span>=PulsarBroker
+
+<span class="hljs-comment">## Authentication settings of the broker itself. Used when the broker connects to other brokers</span>
+<span class="hljs-attr">brokerClientAuthenticationPlugin</span>=org.apache.pulsar.client.impl.auth.AuthenticationSasl
+<span class="hljs-attr">brokerClientAuthenticationParameters</span>={<span class="hljs-string">"saslJaasClientSectionName"</span>:<span class="hljs-string">"PulsarClient"</span>, <span class="hljs-string">"serverType"</span>:<span class="hljs-string">"broker"</span>}
</code></pre>
-<ol start="2">
-<li>Set JVM parameter for JAAS configuration file and krb5 configuration file with additional option.</li>
-</ol>
+<h4><a class="anchor" aria-hidden="true" id="set-broker-jvm-parameter"></a><a href="#set-broker-jvm-parameter" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-. [...]
+<p>Set JVM parameters for JAAS configuration file and krb5 configuration file with additional options.</p>
<pre><code class="hljs css language-shell"> -Djava.security.auth.login.config=/etc/pulsar/pulsar_jaas.conf -Djava.security.krb5.conf=/etc/pulsar/krb5.conf
</code></pre>
<p>You can add this at the end of <code>PULSAR_EXTRA_OPTS</code> in the file <a href="https://github.com/apache/pulsar/blob/master/conf/pulsar_env.sh"><code>pulsar_env.sh</code></a></p>
<p>Make sure that the keytabs configured in the <code>pulsar_jaas.conf</code> file and kdc server in the <code>krb5.conf</code> file are reachable by the operating system user who is starting broker.</p>
<h3><a class="anchor" aria-hidden="true" id="kerberos-configuration-for-clients"></a><a href="#kerberos-configuration-for-clients" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5 [...]
+<h4><a class="anchor" aria-hidden="true" id="java-client-and-java-admin-client"></a><a href="#java-client-and-java-admin-client" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S1 [...]
<p>In client application, include <code>pulsar-client-auth-sasl</code> in your project dependency.</p>
<pre><code class="hljs"><span class="xml"> <span class="hljs-tag"><<span class="hljs-name">dependency</span>></span>
<span class="hljs-tag"><<span class="hljs-name">groupId</span>></span>org.apache.pulsar<span class="hljs-tag"></<span class="hljs-name">groupId</span>></span>
@@ -200,19 +215,18 @@ PulsarClient client = PulsarClient.builder()
<pre><code class="hljs">java -cp -Djava<span class="hljs-selector-class">.security</span><span class="hljs-selector-class">.auth</span><span class="hljs-selector-class">.login</span><span class="hljs-selector-class">.config</span>=/etc/pulsar/pulsar_jaas<span class="hljs-selector-class">.conf</span> -Djava<span class="hljs-selector-class">.security</span><span class="hljs-selector-class">.krb5</span><span class="hljs-selector-class">.conf</span>=/etc/pulsar/krb5<span class="hljs-selector [...]
</code></pre>
<p>Make sure that the keytabs configured in the <code>pulsar_jaas.conf</code> file and kdc server in the <code>krb5.conf</code> file are reachable by the operating system user who is starting pulsar client.</p>
-<p>If you are using command line, you can continue with these step:</p>
-<ol>
-<li>Config your <code>client.conf</code>:</li>
-</ol>
+<h4><a class="anchor" aria-hidden="true" id="configure-cli-tools"></a><a href="#configure-cli-tools" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.2 [...]
+<p>If you are using a command-line tool (such as <code>bin/pulsar-client</code>, <code>bin/pulsar-perf</code> and <code>bin/pulsar-admin</code>), you need to preform the following steps:</p>
+<p>Step 1. Config your <code>client.conf</code>.</p>
<pre><code class="hljs css language-shell">authPlugin=org.apache.pulsar.client.impl.auth.AuthenticationSasl
authParams={"saslJaasClientSectionName":"PulsarClient", "serverType":"broker"}
</code></pre>
-<ol start="2">
-<li>Set JVM parameter for JAAS configuration file and krb5 configuration file with additional option.</li>
-</ol>
+<p>Step 2. Set JVM parameters for JAAS configuration file and krb5 configuration file with additional options.</p>
<pre><code class="hljs css language-shell"> -Djava.security.auth.login.config=/etc/pulsar/pulsar_jaas.conf -Djava.security.krb5.conf=/etc/pulsar/krb5.conf
</code></pre>
-<p>You can add this at the end of <code>PULSAR_EXTRA_OPTS</code> in the file <a href="https://github.com/apache/pulsar/blob/master/conf/pulsar_tools_env.sh"><code>pulsar_tools_env.sh</code></a></p>
+<p>You can add this at the end of <code>PULSAR_EXTRA_OPTS</code> in the file <a href="https://github.com/apache/pulsar/blob/master/conf/pulsar_tools_env.sh"><code>pulsar_tools_env.sh</code></a>,
+or add this line <code>OPTS="$OPTS -Djava.security.auth.login.config=/etc/pulsar/pulsar_jaas.conf -Djava.security.krb5.conf=/etc/pulsar/krb5.conf "</code> directly to the CLI tool script.</p>
+<p>The meaning of configurations is the same as that in Java client section.</p>
<h2><a class="anchor" aria-hidden="true" id="kerberos-configuration-for-working-with-pulsar-proxy"></a><a href="#kerberos-configuration-for-working-with-pulsar-proxy" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S [...]
<p>With the above configuration, client and broker can do authentication using Kerberos.</p>
<p>If a client wants to connect to Pulsar Proxy, it is a little different. Client (as a SASL client in Kerberos) will be authenticated by Pulsar Proxy (as a SASL Server in Kerberos) first; and then Pulsar Proxy will be authenticated by Pulsar broker.</p>
@@ -291,7 +305,7 @@ saslJaasBrokerSectionName=PulsarProxy
<span class="hljs-meta">
#</span><span class="bash"><span class="hljs-comment"># related to be authenticated by broker</span></span>
brokerClientAuthenticationPlugin=org.apache.pulsar.client.impl.auth.AuthenticationSasl
-brokerClientAuthenticationParameters=saslJaasClientSectionName:PulsarProxy,serverType:broker
+brokerClientAuthenticationParameters={"saslJaasClientSectionName":"PulsarProxy", "serverType":"broker"}
forwardAuthorizationCredentials=true
</code></pre>
<p>The first part is related to authenticate between client and Pulsar Proxy. In this phase, client works as SASL client, while Pulsar Proxy works as SASL server.</p>
@@ -309,12 +323,39 @@ forwardAuthorizationCredentials=true
<p>For example:</p>
<pre><code class="hljs css language-bash">superUserRoles=client/{clientIp}@EXAMPLE.COM
</code></pre>
-<h2><a class="anchor" aria-hidden="true" id="regarding-authorization-between-bookkeeper-and-zookeeper"></a><a href="#regarding-authorization-between-bookkeeper-and-zookeeper" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.2 [...]
-<p>Adding <code>bookkeeperClientAuthenticationPlugin</code> parameter in <code>broker.conf</code> is a prerequisite for Broker (as a Kerberos client) being authenticated by Bookie (as a Kerberos Server):</p>
+<h2><a class="anchor" aria-hidden="true" id="regarding-authentication-between-zookeeper-and-broker"></a><a href="#regarding-authentication-between-zookeeper-and-broker" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2. [...]
+<p>Pulsar Broker acts as a Kerberos client when authenticating with Zookeeper. According to <a href="https://cwiki.apache.org/confluence/display/ZOOKEEPER/Client-Server+mutual+authentication">ZooKeeper document</a>, you need these settings in <code>conf/zookeeper.conf</code>:</p>
+<pre><code class="hljs">authProvider.<span class="hljs-number">1</span>=org<span class="hljs-selector-class">.apache</span><span class="hljs-selector-class">.zookeeper</span><span class="hljs-selector-class">.server</span><span class="hljs-selector-class">.auth</span><span class="hljs-selector-class">.SASLAuthenticationProvider</span>
+requireClientAuthScheme=sasl
+</code></pre>
+<p>And add a section of <code>Client</code> configurations in the file <code>pulsar_jaas.conf</code>, which is used by Pulsar Broker:</p>
+<pre><code class="hljs"><span class="hljs-built_in"> Client </span>{
+ com.sun.security.auth.module.Krb5LoginModule required
+ <span class="hljs-attribute">useKeyTab</span>=<span class="hljs-literal">true</span>
+ <span class="hljs-attribute">storeKey</span>=<span class="hljs-literal">true</span>
+ <span class="hljs-attribute">useTicketCache</span>=<span class="hljs-literal">false</span>
+ <span class="hljs-attribute">keyTab</span>=<span class="hljs-string">"/etc/security/keytabs/pulsarbroker.keytab"</span>
+ <span class="hljs-attribute">principal</span>=<span class="hljs-string">"broker/localhost@EXAMPLE.COM"</span>;
+};
+</code></pre>
+<p>In this setting, Pulsar Broker's principal and keyTab file indicates Broker's role when authenticating with ZooKeeper.</p>
+<h2><a class="anchor" aria-hidden="true" id="regarding-authentication-between-bookkeeper-and-broker"></a><a href="#regarding-authentication-between-bookkeeper-and-broker" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 [...]
+<p>Pulsar Broker acts as a Kerberos client when authenticating with Bookie. According to <a href="http://bookkeeper.apache.org/docs/latest/security/sasl/">BookKeeper document</a>, you need to add <code>bookkeeperClientAuthenticationPlugin</code> parameter in <code>broker.conf</code>:</p>
<pre><code class="hljs">bookkeeperClientAuthenticationPlugin=org<span class="hljs-selector-class">.apache</span><span class="hljs-selector-class">.bookkeeper</span><span class="hljs-selector-class">.sasl</span><span class="hljs-selector-class">.SASLClientProviderFactory</span>
</code></pre>
-<p>For more details of how to configure Kerberos for BookKeeper and Zookeeper, refer to <a href="http://bookkeeper.apache.org/docs/latest/security/sasl/">BookKeeper document</a>.</p>
-</span></div></article></div><div class="docs-prevnext"><a class="docs-prev button" href="/docs/en/next/security-athenz"><span class="arrow-prev">← </span><span>Authentication using Athenz</span></a><a class="docs-next button" href="/docs/en/next/security-authorization"><span>Authorization and ACLs</span><span class="arrow-next"> →</span></a></div></div></div><nav class="onPageNav"><ul class="toc-headings"><li><a href="#configuration-for-kerberos-between-client-and-broker">Configuration [...]
+<p>In this setting, <code>SASLClientProviderFactory</code> creates a BookKeeper SASL client in a Broker, and the Broker uses the created SASL client to authenticate with a Bookie node.</p>
+<p>And add a section of <code>BookKeeper</code> configurations in the <code>pulsar_jaas.conf</code> that used by Pulsar Broker:</p>
+<pre><code class="hljs"> BookKeeper {
+ com.sun.security.auth.module.Krb5LoginModule required
+ <span class="hljs-attribute">useKeyTab</span>=<span class="hljs-literal">true</span>
+ <span class="hljs-attribute">storeKey</span>=<span class="hljs-literal">true</span>
+ <span class="hljs-attribute">useTicketCache</span>=<span class="hljs-literal">false</span>
+ <span class="hljs-attribute">keyTab</span>=<span class="hljs-string">"/etc/security/keytabs/pulsarbroker.keytab"</span>
+ <span class="hljs-attribute">principal</span>=<span class="hljs-string">"broker/localhost@EXAMPLE.COM"</span>;
+};
+</code></pre>
+<p>In this setting, Pulsar Broker's principal and keyTab file indicates Broker's role when authenticating with Bookie.</p>
+</span></div></article></div><div class="docs-prevnext"><a class="docs-prev button" href="/docs/en/next/security-athenz"><span class="arrow-prev">← </span><span>Authentication using Athenz</span></a><a class="docs-next button" href="/docs/en/next/security-authorization"><span>Authorization and ACLs</span><span class="arrow-next"> →</span></a></div></div></div><nav class="onPageNav"><ul class="toc-headings"><li><a href="#configuration-for-kerberos-between-client-and-broker">Configuration [...]
const community = document.querySelector("a[href='#community']").parentNode;
const communityMenu =
'<li>' +
diff --git a/content/docs/en/next/security-kerberos/index.html b/content/docs/en/next/security-kerberos/index.html
index e9d846a..c65a240 100644
--- a/content/docs/en/next/security-kerberos/index.html
+++ b/content/docs/en/next/security-kerberos/index.html
@@ -94,6 +94,8 @@ sudo /usr/sbin/kadmin.local -q 'addprinc -randkey client/{hostname}@{REALM}'
sudo /usr/sbin/kadmin.local -q "ktadd -k /etc/security/keytabs/{client-keytabname}.keytab client/{hostname}@{REALM}"
</code></pre>
<p>Note that it is a <em>Kerberos</em> requirement that all your hosts can be resolved with their FQDNs.</p>
+<p>The first part of Broker principal (for example, <code>broker</code> in <code>broker/{hostname}@{REALM}</code>) is the <code>serverType</code> of each host,
+The suggested values of <code>serverType</code> are <code>broker</code> (host machine runs service Pulsar Broker) and <code>proxy</code> (host machine runs service Pulsar Proxy).</p>
<h4><a class="anchor" aria-hidden="true" id="configure-how-to-connect-to-kdc"></a><a href="#configure-how-to-connect-to-kdc" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 [...]
<p>You need to specify the path to the <code>krb5.conf</code> file for both client and broker side. The contents of <code>krb5.conf</code> file indicate the default Realm and KDC information. See <a href="https://docs.oracle.com/javase/8/docs/technotes/guides/security/jgss/tutorials/KerberosReq.html">JDK’s Kerberos Requirements</a> for more details.</p>
<pre><code class="hljs css language-shell">-Djava.security.krb5.conf=/etc/pulsar/krb5.conf
@@ -137,33 +139,46 @@ sudo /usr/sbin/kadmin.local -q "ktadd -k /etc/security/keytabs/{client-keytabnam
<li><code>PulsarBroker</code> is a section name in the JAAS file used by each broker. This section tells the broker which principal to use inside Kerberos
and the location of the keytab where the principal is stored. It allows the broker to use the keytab specified in this section.</li>
<li><code>PulsarClient</code> is a section name in the JASS file used by each client. This section tells the client which principal to use inside Kerberos
-and the location of the keytab where the principal is stored. It allows the client to use the keytab specified in this section.</li>
+and the location of the keytab where the principal is stored. It allows the client to use the keytab specified in this section.
+In the following example, this <code>PulsarClient</code> section will also be reused in both the Pulsar internal admin configuration and in CLI command of <code>bin/pulsar-client</code>, <code>bin/pulsar-perf</code> and <code>bin/pulsar-admin</code>. You can also add different sections for different use cases.</li>
</ol>
-<p>It is also a choice to have 2 separate JAAS configuration files: the file for broker will only have <code>PulsarBroker</code> section; while the one for client only have <code>PulsarClient</code> section.</p>
+<p>You can have 2 separate JAAS configuration files:</p>
+<ul>
+<li>the file for a broker has sections of both <code>PulsarBroker</code> and <code>PulsarClient</code>;</li>
+<li>the file for a client only has a <code>PulsarClient</code> section.</li>
+</ul>
<h3><a class="anchor" aria-hidden="true" id="kerberos-configuration-for-brokers"></a><a href="#kerberos-configuration-for-brokers" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5 [...]
-<ol>
-<li>In the <code>broker.conf</code> file, set Kerberos related configuration.</li>
-</ol>
+<h4><a class="anchor" aria-hidden="true" id="configure-brokerconf-file"></a><a href="#configure-brokerconf-file" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c [...]
+<p>In the <code>broker.conf</code> file, set Kerberos related configurations.</p>
<ul>
<li>Set <code>authenticationEnabled</code> to <code>true</code>;</li>
<li>Set <code>authenticationProviders</code> to choose <code>AuthenticationProviderSasl</code>;</li>
-<li>Set <code>saslJaasClientAllowedIds</code> regex for principal that is allowed to connect to broker.</li>
-<li>Set <code>saslJaasBrokerSectionName</code> that corresponding to the section in JAAS configuration file for broker.</li>
+<li>Set <code>saslJaasClientAllowedIds</code> regex for principal that is allowed to connect to broker;</li>
+<li>Set <code>saslJaasBrokerSectionName</code> that corresponding to the section in JAAS configuration file for broker;</li>
+</ul>
+<p>To make Pulsar internal admin client work properly, you need to set the configuration in the <code>broker.conf</code> file as below:</p>
+<ul>
+<li>Set <code>brokerClientAuthenticationPlugin</code> to client plugin <code>AuthenticationSasl</code>;</li>
+<li>Set <code>brokerClientAuthenticationParameters</code> to value in JSON string <code>{"saslJaasClientSectionName":"PulsarClient", "serverType":"broker"}</code>, in which <code>PulsarClient</code> is the section name in above <code>pulsar_jaas.conf</code> file, and <code>"serverType":"broker"</code> indicate that internal admin client will connect to a Pulsar Broker;</li>
</ul>
<p>Here is an example:</p>
<pre><code class="hljs"><span class="hljs-attr">authenticationEnabled</span>=<span class="hljs-literal">true</span>
<span class="hljs-attr">authenticationProviders</span>=org.apache.pulsar.broker.authentication.AuthenticationProviderSasl
<span class="hljs-attr">saslJaasClientAllowedIds</span>=.*client.*
<span class="hljs-attr">saslJaasBrokerSectionName</span>=PulsarBroker
+
+<span class="hljs-comment">## Authentication settings of the broker itself. Used when the broker connects to other brokers</span>
+<span class="hljs-attr">brokerClientAuthenticationPlugin</span>=org.apache.pulsar.client.impl.auth.AuthenticationSasl
+<span class="hljs-attr">brokerClientAuthenticationParameters</span>={<span class="hljs-string">"saslJaasClientSectionName"</span>:<span class="hljs-string">"PulsarClient"</span>, <span class="hljs-string">"serverType"</span>:<span class="hljs-string">"broker"</span>}
</code></pre>
-<ol start="2">
-<li>Set JVM parameter for JAAS configuration file and krb5 configuration file with additional option.</li>
-</ol>
+<h4><a class="anchor" aria-hidden="true" id="set-broker-jvm-parameter"></a><a href="#set-broker-jvm-parameter" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-. [...]
+<p>Set JVM parameters for JAAS configuration file and krb5 configuration file with additional options.</p>
<pre><code class="hljs css language-shell"> -Djava.security.auth.login.config=/etc/pulsar/pulsar_jaas.conf -Djava.security.krb5.conf=/etc/pulsar/krb5.conf
</code></pre>
<p>You can add this at the end of <code>PULSAR_EXTRA_OPTS</code> in the file <a href="https://github.com/apache/pulsar/blob/master/conf/pulsar_env.sh"><code>pulsar_env.sh</code></a></p>
<p>Make sure that the keytabs configured in the <code>pulsar_jaas.conf</code> file and kdc server in the <code>krb5.conf</code> file are reachable by the operating system user who is starting broker.</p>
<h3><a class="anchor" aria-hidden="true" id="kerberos-configuration-for-clients"></a><a href="#kerberos-configuration-for-clients" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5 [...]
+<h4><a class="anchor" aria-hidden="true" id="java-client-and-java-admin-client"></a><a href="#java-client-and-java-admin-client" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S1 [...]
<p>In client application, include <code>pulsar-client-auth-sasl</code> in your project dependency.</p>
<pre><code class="hljs"><span class="xml"> <span class="hljs-tag"><<span class="hljs-name">dependency</span>></span>
<span class="hljs-tag"><<span class="hljs-name">groupId</span>></span>org.apache.pulsar<span class="hljs-tag"></<span class="hljs-name">groupId</span>></span>
@@ -200,19 +215,18 @@ PulsarClient client = PulsarClient.builder()
<pre><code class="hljs">java -cp -Djava<span class="hljs-selector-class">.security</span><span class="hljs-selector-class">.auth</span><span class="hljs-selector-class">.login</span><span class="hljs-selector-class">.config</span>=/etc/pulsar/pulsar_jaas<span class="hljs-selector-class">.conf</span> -Djava<span class="hljs-selector-class">.security</span><span class="hljs-selector-class">.krb5</span><span class="hljs-selector-class">.conf</span>=/etc/pulsar/krb5<span class="hljs-selector [...]
</code></pre>
<p>Make sure that the keytabs configured in the <code>pulsar_jaas.conf</code> file and kdc server in the <code>krb5.conf</code> file are reachable by the operating system user who is starting pulsar client.</p>
-<p>If you are using command line, you can continue with these step:</p>
-<ol>
-<li>Config your <code>client.conf</code>:</li>
-</ol>
+<h4><a class="anchor" aria-hidden="true" id="configure-cli-tools"></a><a href="#configure-cli-tools" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.2 [...]
+<p>If you are using a command-line tool (such as <code>bin/pulsar-client</code>, <code>bin/pulsar-perf</code> and <code>bin/pulsar-admin</code>), you need to preform the following steps:</p>
+<p>Step 1. Config your <code>client.conf</code>.</p>
<pre><code class="hljs css language-shell">authPlugin=org.apache.pulsar.client.impl.auth.AuthenticationSasl
authParams={"saslJaasClientSectionName":"PulsarClient", "serverType":"broker"}
</code></pre>
-<ol start="2">
-<li>Set JVM parameter for JAAS configuration file and krb5 configuration file with additional option.</li>
-</ol>
+<p>Step 2. Set JVM parameters for JAAS configuration file and krb5 configuration file with additional options.</p>
<pre><code class="hljs css language-shell"> -Djava.security.auth.login.config=/etc/pulsar/pulsar_jaas.conf -Djava.security.krb5.conf=/etc/pulsar/krb5.conf
</code></pre>
-<p>You can add this at the end of <code>PULSAR_EXTRA_OPTS</code> in the file <a href="https://github.com/apache/pulsar/blob/master/conf/pulsar_tools_env.sh"><code>pulsar_tools_env.sh</code></a></p>
+<p>You can add this at the end of <code>PULSAR_EXTRA_OPTS</code> in the file <a href="https://github.com/apache/pulsar/blob/master/conf/pulsar_tools_env.sh"><code>pulsar_tools_env.sh</code></a>,
+or add this line <code>OPTS="$OPTS -Djava.security.auth.login.config=/etc/pulsar/pulsar_jaas.conf -Djava.security.krb5.conf=/etc/pulsar/krb5.conf "</code> directly to the CLI tool script.</p>
+<p>The meaning of configurations is the same as that in Java client section.</p>
<h2><a class="anchor" aria-hidden="true" id="kerberos-configuration-for-working-with-pulsar-proxy"></a><a href="#kerberos-configuration-for-working-with-pulsar-proxy" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S [...]
<p>With the above configuration, client and broker can do authentication using Kerberos.</p>
<p>If a client wants to connect to Pulsar Proxy, it is a little different. Client (as a SASL client in Kerberos) will be authenticated by Pulsar Proxy (as a SASL Server in Kerberos) first; and then Pulsar Proxy will be authenticated by Pulsar broker.</p>
@@ -291,7 +305,7 @@ saslJaasBrokerSectionName=PulsarProxy
<span class="hljs-meta">
#</span><span class="bash"><span class="hljs-comment"># related to be authenticated by broker</span></span>
brokerClientAuthenticationPlugin=org.apache.pulsar.client.impl.auth.AuthenticationSasl
-brokerClientAuthenticationParameters=saslJaasClientSectionName:PulsarProxy,serverType:broker
+brokerClientAuthenticationParameters={"saslJaasClientSectionName":"PulsarProxy", "serverType":"broker"}
forwardAuthorizationCredentials=true
</code></pre>
<p>The first part is related to authenticate between client and Pulsar Proxy. In this phase, client works as SASL client, while Pulsar Proxy works as SASL server.</p>
@@ -309,12 +323,39 @@ forwardAuthorizationCredentials=true
<p>For example:</p>
<pre><code class="hljs css language-bash">superUserRoles=client/{clientIp}@EXAMPLE.COM
</code></pre>
-<h2><a class="anchor" aria-hidden="true" id="regarding-authorization-between-bookkeeper-and-zookeeper"></a><a href="#regarding-authorization-between-bookkeeper-and-zookeeper" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.2 [...]
-<p>Adding <code>bookkeeperClientAuthenticationPlugin</code> parameter in <code>broker.conf</code> is a prerequisite for Broker (as a Kerberos client) being authenticated by Bookie (as a Kerberos Server):</p>
+<h2><a class="anchor" aria-hidden="true" id="regarding-authentication-between-zookeeper-and-broker"></a><a href="#regarding-authentication-between-zookeeper-and-broker" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2. [...]
+<p>Pulsar Broker acts as a Kerberos client when authenticating with Zookeeper. According to <a href="https://cwiki.apache.org/confluence/display/ZOOKEEPER/Client-Server+mutual+authentication">ZooKeeper document</a>, you need these settings in <code>conf/zookeeper.conf</code>:</p>
+<pre><code class="hljs">authProvider.<span class="hljs-number">1</span>=org<span class="hljs-selector-class">.apache</span><span class="hljs-selector-class">.zookeeper</span><span class="hljs-selector-class">.server</span><span class="hljs-selector-class">.auth</span><span class="hljs-selector-class">.SASLAuthenticationProvider</span>
+requireClientAuthScheme=sasl
+</code></pre>
+<p>And add a section of <code>Client</code> configurations in the file <code>pulsar_jaas.conf</code>, which is used by Pulsar Broker:</p>
+<pre><code class="hljs"><span class="hljs-built_in"> Client </span>{
+ com.sun.security.auth.module.Krb5LoginModule required
+ <span class="hljs-attribute">useKeyTab</span>=<span class="hljs-literal">true</span>
+ <span class="hljs-attribute">storeKey</span>=<span class="hljs-literal">true</span>
+ <span class="hljs-attribute">useTicketCache</span>=<span class="hljs-literal">false</span>
+ <span class="hljs-attribute">keyTab</span>=<span class="hljs-string">"/etc/security/keytabs/pulsarbroker.keytab"</span>
+ <span class="hljs-attribute">principal</span>=<span class="hljs-string">"broker/localhost@EXAMPLE.COM"</span>;
+};
+</code></pre>
+<p>In this setting, Pulsar Broker's principal and keyTab file indicates Broker's role when authenticating with ZooKeeper.</p>
+<h2><a class="anchor" aria-hidden="true" id="regarding-authentication-between-bookkeeper-and-broker"></a><a href="#regarding-authentication-between-bookkeeper-and-broker" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 [...]
+<p>Pulsar Broker acts as a Kerberos client when authenticating with Bookie. According to <a href="http://bookkeeper.apache.org/docs/latest/security/sasl/">BookKeeper document</a>, you need to add <code>bookkeeperClientAuthenticationPlugin</code> parameter in <code>broker.conf</code>:</p>
<pre><code class="hljs">bookkeeperClientAuthenticationPlugin=org<span class="hljs-selector-class">.apache</span><span class="hljs-selector-class">.bookkeeper</span><span class="hljs-selector-class">.sasl</span><span class="hljs-selector-class">.SASLClientProviderFactory</span>
</code></pre>
-<p>For more details of how to configure Kerberos for BookKeeper and Zookeeper, refer to <a href="http://bookkeeper.apache.org/docs/latest/security/sasl/">BookKeeper document</a>.</p>
-</span></div></article></div><div class="docs-prevnext"><a class="docs-prev button" href="/docs/en/next/security-athenz"><span class="arrow-prev">← </span><span>Authentication using Athenz</span></a><a class="docs-next button" href="/docs/en/next/security-authorization"><span>Authorization and ACLs</span><span class="arrow-next"> →</span></a></div></div></div><nav class="onPageNav"><ul class="toc-headings"><li><a href="#configuration-for-kerberos-between-client-and-broker">Configuration [...]
+<p>In this setting, <code>SASLClientProviderFactory</code> creates a BookKeeper SASL client in a Broker, and the Broker uses the created SASL client to authenticate with a Bookie node.</p>
+<p>And add a section of <code>BookKeeper</code> configurations in the <code>pulsar_jaas.conf</code> that used by Pulsar Broker:</p>
+<pre><code class="hljs"> BookKeeper {
+ com.sun.security.auth.module.Krb5LoginModule required
+ <span class="hljs-attribute">useKeyTab</span>=<span class="hljs-literal">true</span>
+ <span class="hljs-attribute">storeKey</span>=<span class="hljs-literal">true</span>
+ <span class="hljs-attribute">useTicketCache</span>=<span class="hljs-literal">false</span>
+ <span class="hljs-attribute">keyTab</span>=<span class="hljs-string">"/etc/security/keytabs/pulsarbroker.keytab"</span>
+ <span class="hljs-attribute">principal</span>=<span class="hljs-string">"broker/localhost@EXAMPLE.COM"</span>;
+};
+</code></pre>
+<p>In this setting, Pulsar Broker's principal and keyTab file indicates Broker's role when authenticating with Bookie.</p>
+</span></div></article></div><div class="docs-prevnext"><a class="docs-prev button" href="/docs/en/next/security-athenz"><span class="arrow-prev">← </span><span>Authentication using Athenz</span></a><a class="docs-next button" href="/docs/en/next/security-authorization"><span>Authorization and ACLs</span><span class="arrow-next"> →</span></a></div></div></div><nav class="onPageNav"><ul class="toc-headings"><li><a href="#configuration-for-kerberos-between-client-and-broker">Configuration [...]
const community = document.querySelector("a[href='#community']").parentNode;
const communityMenu =
'<li>' +
diff --git a/content/docs/en/security-kerberos.html b/content/docs/en/security-kerberos.html
index 705d65f..4f4bff6 100644
--- a/content/docs/en/security-kerberos.html
+++ b/content/docs/en/security-kerberos.html
@@ -94,6 +94,8 @@ sudo /usr/sbin/kadmin.local -q 'addprinc -randkey client/{hostname}@{REALM}'
sudo /usr/sbin/kadmin.local -q "ktadd -k /etc/security/keytabs/{client-keytabname}.keytab client/{hostname}@{REALM}"
</code></pre>
<p>Note that it is a <em>Kerberos</em> requirement that all your hosts can be resolved with their FQDNs.</p>
+<p>The first part of Broker principal (for example, <code>broker</code> in <code>broker/{hostname}@{REALM}</code>) is the <code>serverType</code> of each host,
+The suggested values of <code>serverType</code> are <code>broker</code> (host machine runs service Pulsar Broker) and <code>proxy</code> (host machine runs service Pulsar Proxy).</p>
<h4><a class="anchor" aria-hidden="true" id="configure-how-to-connect-to-kdc"></a><a href="#configure-how-to-connect-to-kdc" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 [...]
<p>You need to specify the path to the <code>krb5.conf</code> file for both client and broker side. The contents of <code>krb5.conf</code> file indicate the default Realm and KDC information. See <a href="https://docs.oracle.com/javase/8/docs/technotes/guides/security/jgss/tutorials/KerberosReq.html">JDK’s Kerberos Requirements</a> for more details.</p>
<pre><code class="hljs css language-shell">-Djava.security.krb5.conf=/etc/pulsar/krb5.conf
@@ -137,33 +139,46 @@ sudo /usr/sbin/kadmin.local -q "ktadd -k /etc/security/keytabs/{client-keytabnam
<li><code>PulsarBroker</code> is a section name in the JAAS file used by each broker. This section tells the broker which principal to use inside Kerberos
and the location of the keytab where the principal is stored. It allows the broker to use the keytab specified in this section.</li>
<li><code>PulsarClient</code> is a section name in the JASS file used by each client. This section tells the client which principal to use inside Kerberos
-and the location of the keytab where the principal is stored. It allows the client to use the keytab specified in this section.</li>
+and the location of the keytab where the principal is stored. It allows the client to use the keytab specified in this section.
+In the following example, this <code>PulsarClient</code> section will also be reused in both the Pulsar internal admin configuration and in CLI command of <code>bin/pulsar-client</code>, <code>bin/pulsar-perf</code> and <code>bin/pulsar-admin</code>. You can also add different sections for different use cases.</li>
</ol>
-<p>It is also a choice to have 2 separate JAAS configuration files: the file for broker will only have <code>PulsarBroker</code> section; while the one for client only have <code>PulsarClient</code> section.</p>
+<p>You can have 2 separate JAAS configuration files:</p>
+<ul>
+<li>the file for a broker has sections of both <code>PulsarBroker</code> and <code>PulsarClient</code>;</li>
+<li>the file for a client only has a <code>PulsarClient</code> section.</li>
+</ul>
<h3><a class="anchor" aria-hidden="true" id="kerberos-configuration-for-brokers"></a><a href="#kerberos-configuration-for-brokers" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5 [...]
-<ol>
-<li>In the <code>broker.conf</code> file, set Kerberos related configuration.</li>
-</ol>
+<h4><a class="anchor" aria-hidden="true" id="configure-brokerconf-file"></a><a href="#configure-brokerconf-file" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c [...]
+<p>In the <code>broker.conf</code> file, set Kerberos related configurations.</p>
<ul>
<li>Set <code>authenticationEnabled</code> to <code>true</code>;</li>
<li>Set <code>authenticationProviders</code> to choose <code>AuthenticationProviderSasl</code>;</li>
-<li>Set <code>saslJaasClientAllowedIds</code> regex for principal that is allowed to connect to broker.</li>
-<li>Set <code>saslJaasBrokerSectionName</code> that corresponding to the section in JAAS configuration file for broker.</li>
+<li>Set <code>saslJaasClientAllowedIds</code> regex for principal that is allowed to connect to broker;</li>
+<li>Set <code>saslJaasBrokerSectionName</code> that corresponding to the section in JAAS configuration file for broker;</li>
+</ul>
+<p>To make Pulsar internal admin client work properly, you need to set the configuration in the <code>broker.conf</code> file as below:</p>
+<ul>
+<li>Set <code>brokerClientAuthenticationPlugin</code> to client plugin <code>AuthenticationSasl</code>;</li>
+<li>Set <code>brokerClientAuthenticationParameters</code> to value in JSON string <code>{"saslJaasClientSectionName":"PulsarClient", "serverType":"broker"}</code>, in which <code>PulsarClient</code> is the section name in above <code>pulsar_jaas.conf</code> file, and <code>"serverType":"broker"</code> indicate that internal admin client will connect to a Pulsar Broker;</li>
</ul>
<p>Here is an example:</p>
<pre><code class="hljs"><span class="hljs-attr">authenticationEnabled</span>=<span class="hljs-literal">true</span>
<span class="hljs-attr">authenticationProviders</span>=org.apache.pulsar.broker.authentication.AuthenticationProviderSasl
<span class="hljs-attr">saslJaasClientAllowedIds</span>=.*client.*
<span class="hljs-attr">saslJaasBrokerSectionName</span>=PulsarBroker
+
+<span class="hljs-comment">## Authentication settings of the broker itself. Used when the broker connects to other brokers</span>
+<span class="hljs-attr">brokerClientAuthenticationPlugin</span>=org.apache.pulsar.client.impl.auth.AuthenticationSasl
+<span class="hljs-attr">brokerClientAuthenticationParameters</span>={<span class="hljs-string">"saslJaasClientSectionName"</span>:<span class="hljs-string">"PulsarClient"</span>, <span class="hljs-string">"serverType"</span>:<span class="hljs-string">"broker"</span>}
</code></pre>
-<ol start="2">
-<li>Set JVM parameter for JAAS configuration file and krb5 configuration file with additional option.</li>
-</ol>
+<h4><a class="anchor" aria-hidden="true" id="set-broker-jvm-parameter"></a><a href="#set-broker-jvm-parameter" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-. [...]
+<p>Set JVM parameters for JAAS configuration file and krb5 configuration file with additional options.</p>
<pre><code class="hljs css language-shell"> -Djava.security.auth.login.config=/etc/pulsar/pulsar_jaas.conf -Djava.security.krb5.conf=/etc/pulsar/krb5.conf
</code></pre>
<p>You can add this at the end of <code>PULSAR_EXTRA_OPTS</code> in the file <a href="https://github.com/apache/pulsar/blob/master/conf/pulsar_env.sh"><code>pulsar_env.sh</code></a></p>
<p>Make sure that the keytabs configured in the <code>pulsar_jaas.conf</code> file and kdc server in the <code>krb5.conf</code> file are reachable by the operating system user who is starting broker.</p>
<h3><a class="anchor" aria-hidden="true" id="kerberos-configuration-for-clients"></a><a href="#kerberos-configuration-for-clients" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5 [...]
+<h4><a class="anchor" aria-hidden="true" id="java-client-and-java-admin-client"></a><a href="#java-client-and-java-admin-client" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S1 [...]
<p>In client application, include <code>pulsar-client-auth-sasl</code> in your project dependency.</p>
<pre><code class="hljs"><span class="xml"> <span class="hljs-tag"><<span class="hljs-name">dependency</span>></span>
<span class="hljs-tag"><<span class="hljs-name">groupId</span>></span>org.apache.pulsar<span class="hljs-tag"></<span class="hljs-name">groupId</span>></span>
@@ -200,19 +215,18 @@ PulsarClient client = PulsarClient.builder()
<pre><code class="hljs">java -cp -Djava<span class="hljs-selector-class">.security</span><span class="hljs-selector-class">.auth</span><span class="hljs-selector-class">.login</span><span class="hljs-selector-class">.config</span>=/etc/pulsar/pulsar_jaas<span class="hljs-selector-class">.conf</span> -Djava<span class="hljs-selector-class">.security</span><span class="hljs-selector-class">.krb5</span><span class="hljs-selector-class">.conf</span>=/etc/pulsar/krb5<span class="hljs-selector [...]
</code></pre>
<p>Make sure that the keytabs configured in the <code>pulsar_jaas.conf</code> file and kdc server in the <code>krb5.conf</code> file are reachable by the operating system user who is starting pulsar client.</p>
-<p>If you are using command line, you can continue with these step:</p>
-<ol>
-<li>Config your <code>client.conf</code>:</li>
-</ol>
+<h4><a class="anchor" aria-hidden="true" id="configure-cli-tools"></a><a href="#configure-cli-tools" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.2 [...]
+<p>If you are using a command-line tool (such as <code>bin/pulsar-client</code>, <code>bin/pulsar-perf</code> and <code>bin/pulsar-admin</code>), you need to preform the following steps:</p>
+<p>Step 1. Config your <code>client.conf</code>.</p>
<pre><code class="hljs css language-shell">authPlugin=org.apache.pulsar.client.impl.auth.AuthenticationSasl
authParams={"saslJaasClientSectionName":"PulsarClient", "serverType":"broker"}
</code></pre>
-<ol start="2">
-<li>Set JVM parameter for JAAS configuration file and krb5 configuration file with additional option.</li>
-</ol>
+<p>Step 2. Set JVM parameters for JAAS configuration file and krb5 configuration file with additional options.</p>
<pre><code class="hljs css language-shell"> -Djava.security.auth.login.config=/etc/pulsar/pulsar_jaas.conf -Djava.security.krb5.conf=/etc/pulsar/krb5.conf
</code></pre>
-<p>You can add this at the end of <code>PULSAR_EXTRA_OPTS</code> in the file <a href="https://github.com/apache/pulsar/blob/master/conf/pulsar_tools_env.sh"><code>pulsar_tools_env.sh</code></a></p>
+<p>You can add this at the end of <code>PULSAR_EXTRA_OPTS</code> in the file <a href="https://github.com/apache/pulsar/blob/master/conf/pulsar_tools_env.sh"><code>pulsar_tools_env.sh</code></a>,
+or add this line <code>OPTS="$OPTS -Djava.security.auth.login.config=/etc/pulsar/pulsar_jaas.conf -Djava.security.krb5.conf=/etc/pulsar/krb5.conf "</code> directly to the CLI tool script.</p>
+<p>The meaning of configurations is the same as that in Java client section.</p>
<h2><a class="anchor" aria-hidden="true" id="kerberos-configuration-for-working-with-pulsar-proxy"></a><a href="#kerberos-configuration-for-working-with-pulsar-proxy" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S [...]
<p>With the above configuration, client and broker can do authentication using Kerberos.</p>
<p>If a client wants to connect to Pulsar Proxy, it is a little different. Client (as a SASL client in Kerberos) will be authenticated by Pulsar Proxy (as a SASL Server in Kerberos) first; and then Pulsar Proxy will be authenticated by Pulsar broker.</p>
@@ -291,7 +305,7 @@ saslJaasBrokerSectionName=PulsarProxy
<span class="hljs-meta">
#</span><span class="bash"><span class="hljs-comment"># related to be authenticated by broker</span></span>
brokerClientAuthenticationPlugin=org.apache.pulsar.client.impl.auth.AuthenticationSasl
-brokerClientAuthenticationParameters=saslJaasClientSectionName:PulsarProxy,serverType:broker
+brokerClientAuthenticationParameters={"saslJaasClientSectionName":"PulsarProxy", "serverType":"broker"}
forwardAuthorizationCredentials=true
</code></pre>
<p>The first part is related to authenticate between client and Pulsar Proxy. In this phase, client works as SASL client, while Pulsar Proxy works as SASL server.</p>
@@ -309,12 +323,39 @@ forwardAuthorizationCredentials=true
<p>For example:</p>
<pre><code class="hljs css language-bash">superUserRoles=client/{clientIp}@EXAMPLE.COM
</code></pre>
-<h2><a class="anchor" aria-hidden="true" id="regarding-authorization-between-bookkeeper-and-zookeeper"></a><a href="#regarding-authorization-between-bookkeeper-and-zookeeper" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.2 [...]
-<p>Adding <code>bookkeeperClientAuthenticationPlugin</code> parameter in <code>broker.conf</code> is a prerequisite for Broker (as a Kerberos client) being authenticated by Bookie (as a Kerberos Server):</p>
+<h2><a class="anchor" aria-hidden="true" id="regarding-authentication-between-zookeeper-and-broker"></a><a href="#regarding-authentication-between-zookeeper-and-broker" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2. [...]
+<p>Pulsar Broker acts as a Kerberos client when authenticating with Zookeeper. According to <a href="https://cwiki.apache.org/confluence/display/ZOOKEEPER/Client-Server+mutual+authentication">ZooKeeper document</a>, you need these settings in <code>conf/zookeeper.conf</code>:</p>
+<pre><code class="hljs">authProvider.<span class="hljs-number">1</span>=org<span class="hljs-selector-class">.apache</span><span class="hljs-selector-class">.zookeeper</span><span class="hljs-selector-class">.server</span><span class="hljs-selector-class">.auth</span><span class="hljs-selector-class">.SASLAuthenticationProvider</span>
+requireClientAuthScheme=sasl
+</code></pre>
+<p>And add a section of <code>Client</code> configurations in the file <code>pulsar_jaas.conf</code>, which is used by Pulsar Broker:</p>
+<pre><code class="hljs"><span class="hljs-built_in"> Client </span>{
+ com.sun.security.auth.module.Krb5LoginModule required
+ <span class="hljs-attribute">useKeyTab</span>=<span class="hljs-literal">true</span>
+ <span class="hljs-attribute">storeKey</span>=<span class="hljs-literal">true</span>
+ <span class="hljs-attribute">useTicketCache</span>=<span class="hljs-literal">false</span>
+ <span class="hljs-attribute">keyTab</span>=<span class="hljs-string">"/etc/security/keytabs/pulsarbroker.keytab"</span>
+ <span class="hljs-attribute">principal</span>=<span class="hljs-string">"broker/localhost@EXAMPLE.COM"</span>;
+};
+</code></pre>
+<p>In this setting, Pulsar Broker's principal and keyTab file indicates Broker's role when authenticating with ZooKeeper.</p>
+<h2><a class="anchor" aria-hidden="true" id="regarding-authentication-between-bookkeeper-and-broker"></a><a href="#regarding-authentication-between-bookkeeper-and-broker" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 [...]
+<p>Pulsar Broker acts as a Kerberos client when authenticating with Bookie. According to <a href="http://bookkeeper.apache.org/docs/latest/security/sasl/">BookKeeper document</a>, you need to add <code>bookkeeperClientAuthenticationPlugin</code> parameter in <code>broker.conf</code>:</p>
<pre><code class="hljs">bookkeeperClientAuthenticationPlugin=org<span class="hljs-selector-class">.apache</span><span class="hljs-selector-class">.bookkeeper</span><span class="hljs-selector-class">.sasl</span><span class="hljs-selector-class">.SASLClientProviderFactory</span>
</code></pre>
-<p>For more details of how to configure Kerberos for BookKeeper and Zookeeper, refer to <a href="http://bookkeeper.apache.org/docs/latest/security/sasl/">BookKeeper document</a>.</p>
-</span></div></article></div><div class="docs-prevnext"><a class="docs-prev button" href="/docs/en/security-athenz"><span class="arrow-prev">← </span><span>Authentication using Athenz</span></a><a class="docs-next button" href="/docs/en/security-authorization"><span>Authorization and ACLs</span><span class="arrow-next"> →</span></a></div></div></div><nav class="onPageNav"><ul class="toc-headings"><li><a href="#configuration-for-kerberos-between-client-and-broker">Configuration for Kerber [...]
+<p>In this setting, <code>SASLClientProviderFactory</code> creates a BookKeeper SASL client in a Broker, and the Broker uses the created SASL client to authenticate with a Bookie node.</p>
+<p>And add a section of <code>BookKeeper</code> configurations in the <code>pulsar_jaas.conf</code> that used by Pulsar Broker:</p>
+<pre><code class="hljs"> BookKeeper {
+ com.sun.security.auth.module.Krb5LoginModule required
+ <span class="hljs-attribute">useKeyTab</span>=<span class="hljs-literal">true</span>
+ <span class="hljs-attribute">storeKey</span>=<span class="hljs-literal">true</span>
+ <span class="hljs-attribute">useTicketCache</span>=<span class="hljs-literal">false</span>
+ <span class="hljs-attribute">keyTab</span>=<span class="hljs-string">"/etc/security/keytabs/pulsarbroker.keytab"</span>
+ <span class="hljs-attribute">principal</span>=<span class="hljs-string">"broker/localhost@EXAMPLE.COM"</span>;
+};
+</code></pre>
+<p>In this setting, Pulsar Broker's principal and keyTab file indicates Broker's role when authenticating with Bookie.</p>
+</span></div></article></div><div class="docs-prevnext"><a class="docs-prev button" href="/docs/en/security-athenz"><span class="arrow-prev">← </span><span>Authentication using Athenz</span></a><a class="docs-next button" href="/docs/en/security-authorization"><span>Authorization and ACLs</span><span class="arrow-next"> →</span></a></div></div></div><nav class="onPageNav"><ul class="toc-headings"><li><a href="#configuration-for-kerberos-between-client-and-broker">Configuration for Kerber [...]
const community = document.querySelector("a[href='#community']").parentNode;
const communityMenu =
'<li>' +
diff --git a/content/docs/en/security-kerberos/index.html b/content/docs/en/security-kerberos/index.html
index 705d65f..4f4bff6 100644
--- a/content/docs/en/security-kerberos/index.html
+++ b/content/docs/en/security-kerberos/index.html
@@ -94,6 +94,8 @@ sudo /usr/sbin/kadmin.local -q 'addprinc -randkey client/{hostname}@{REALM}'
sudo /usr/sbin/kadmin.local -q "ktadd -k /etc/security/keytabs/{client-keytabname}.keytab client/{hostname}@{REALM}"
</code></pre>
<p>Note that it is a <em>Kerberos</em> requirement that all your hosts can be resolved with their FQDNs.</p>
+<p>The first part of Broker principal (for example, <code>broker</code> in <code>broker/{hostname}@{REALM}</code>) is the <code>serverType</code> of each host,
+The suggested values of <code>serverType</code> are <code>broker</code> (host machine runs service Pulsar Broker) and <code>proxy</code> (host machine runs service Pulsar Proxy).</p>
<h4><a class="anchor" aria-hidden="true" id="configure-how-to-connect-to-kdc"></a><a href="#configure-how-to-connect-to-kdc" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 [...]
<p>You need to specify the path to the <code>krb5.conf</code> file for both client and broker side. The contents of <code>krb5.conf</code> file indicate the default Realm and KDC information. See <a href="https://docs.oracle.com/javase/8/docs/technotes/guides/security/jgss/tutorials/KerberosReq.html">JDK’s Kerberos Requirements</a> for more details.</p>
<pre><code class="hljs css language-shell">-Djava.security.krb5.conf=/etc/pulsar/krb5.conf
@@ -137,33 +139,46 @@ sudo /usr/sbin/kadmin.local -q "ktadd -k /etc/security/keytabs/{client-keytabnam
<li><code>PulsarBroker</code> is a section name in the JAAS file used by each broker. This section tells the broker which principal to use inside Kerberos
and the location of the keytab where the principal is stored. It allows the broker to use the keytab specified in this section.</li>
<li><code>PulsarClient</code> is a section name in the JASS file used by each client. This section tells the client which principal to use inside Kerberos
-and the location of the keytab where the principal is stored. It allows the client to use the keytab specified in this section.</li>
+and the location of the keytab where the principal is stored. It allows the client to use the keytab specified in this section.
+In the following example, this <code>PulsarClient</code> section will also be reused in both the Pulsar internal admin configuration and in CLI command of <code>bin/pulsar-client</code>, <code>bin/pulsar-perf</code> and <code>bin/pulsar-admin</code>. You can also add different sections for different use cases.</li>
</ol>
-<p>It is also a choice to have 2 separate JAAS configuration files: the file for broker will only have <code>PulsarBroker</code> section; while the one for client only have <code>PulsarClient</code> section.</p>
+<p>You can have 2 separate JAAS configuration files:</p>
+<ul>
+<li>the file for a broker has sections of both <code>PulsarBroker</code> and <code>PulsarClient</code>;</li>
+<li>the file for a client only has a <code>PulsarClient</code> section.</li>
+</ul>
<h3><a class="anchor" aria-hidden="true" id="kerberos-configuration-for-brokers"></a><a href="#kerberos-configuration-for-brokers" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5 [...]
-<ol>
-<li>In the <code>broker.conf</code> file, set Kerberos related configuration.</li>
-</ol>
+<h4><a class="anchor" aria-hidden="true" id="configure-brokerconf-file"></a><a href="#configure-brokerconf-file" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c [...]
+<p>In the <code>broker.conf</code> file, set Kerberos related configurations.</p>
<ul>
<li>Set <code>authenticationEnabled</code> to <code>true</code>;</li>
<li>Set <code>authenticationProviders</code> to choose <code>AuthenticationProviderSasl</code>;</li>
-<li>Set <code>saslJaasClientAllowedIds</code> regex for principal that is allowed to connect to broker.</li>
-<li>Set <code>saslJaasBrokerSectionName</code> that corresponding to the section in JAAS configuration file for broker.</li>
+<li>Set <code>saslJaasClientAllowedIds</code> regex for principal that is allowed to connect to broker;</li>
+<li>Set <code>saslJaasBrokerSectionName</code> that corresponding to the section in JAAS configuration file for broker;</li>
+</ul>
+<p>To make Pulsar internal admin client work properly, you need to set the configuration in the <code>broker.conf</code> file as below:</p>
+<ul>
+<li>Set <code>brokerClientAuthenticationPlugin</code> to client plugin <code>AuthenticationSasl</code>;</li>
+<li>Set <code>brokerClientAuthenticationParameters</code> to value in JSON string <code>{"saslJaasClientSectionName":"PulsarClient", "serverType":"broker"}</code>, in which <code>PulsarClient</code> is the section name in above <code>pulsar_jaas.conf</code> file, and <code>"serverType":"broker"</code> indicate that internal admin client will connect to a Pulsar Broker;</li>
</ul>
<p>Here is an example:</p>
<pre><code class="hljs"><span class="hljs-attr">authenticationEnabled</span>=<span class="hljs-literal">true</span>
<span class="hljs-attr">authenticationProviders</span>=org.apache.pulsar.broker.authentication.AuthenticationProviderSasl
<span class="hljs-attr">saslJaasClientAllowedIds</span>=.*client.*
<span class="hljs-attr">saslJaasBrokerSectionName</span>=PulsarBroker
+
+<span class="hljs-comment">## Authentication settings of the broker itself. Used when the broker connects to other brokers</span>
+<span class="hljs-attr">brokerClientAuthenticationPlugin</span>=org.apache.pulsar.client.impl.auth.AuthenticationSasl
+<span class="hljs-attr">brokerClientAuthenticationParameters</span>={<span class="hljs-string">"saslJaasClientSectionName"</span>:<span class="hljs-string">"PulsarClient"</span>, <span class="hljs-string">"serverType"</span>:<span class="hljs-string">"broker"</span>}
</code></pre>
-<ol start="2">
-<li>Set JVM parameter for JAAS configuration file and krb5 configuration file with additional option.</li>
-</ol>
+<h4><a class="anchor" aria-hidden="true" id="set-broker-jvm-parameter"></a><a href="#set-broker-jvm-parameter" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-. [...]
+<p>Set JVM parameters for JAAS configuration file and krb5 configuration file with additional options.</p>
<pre><code class="hljs css language-shell"> -Djava.security.auth.login.config=/etc/pulsar/pulsar_jaas.conf -Djava.security.krb5.conf=/etc/pulsar/krb5.conf
</code></pre>
<p>You can add this at the end of <code>PULSAR_EXTRA_OPTS</code> in the file <a href="https://github.com/apache/pulsar/blob/master/conf/pulsar_env.sh"><code>pulsar_env.sh</code></a></p>
<p>Make sure that the keytabs configured in the <code>pulsar_jaas.conf</code> file and kdc server in the <code>krb5.conf</code> file are reachable by the operating system user who is starting broker.</p>
<h3><a class="anchor" aria-hidden="true" id="kerberos-configuration-for-clients"></a><a href="#kerberos-configuration-for-clients" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5 [...]
+<h4><a class="anchor" aria-hidden="true" id="java-client-and-java-admin-client"></a><a href="#java-client-and-java-admin-client" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S1 [...]
<p>In client application, include <code>pulsar-client-auth-sasl</code> in your project dependency.</p>
<pre><code class="hljs"><span class="xml"> <span class="hljs-tag"><<span class="hljs-name">dependency</span>></span>
<span class="hljs-tag"><<span class="hljs-name">groupId</span>></span>org.apache.pulsar<span class="hljs-tag"></<span class="hljs-name">groupId</span>></span>
@@ -200,19 +215,18 @@ PulsarClient client = PulsarClient.builder()
<pre><code class="hljs">java -cp -Djava<span class="hljs-selector-class">.security</span><span class="hljs-selector-class">.auth</span><span class="hljs-selector-class">.login</span><span class="hljs-selector-class">.config</span>=/etc/pulsar/pulsar_jaas<span class="hljs-selector-class">.conf</span> -Djava<span class="hljs-selector-class">.security</span><span class="hljs-selector-class">.krb5</span><span class="hljs-selector-class">.conf</span>=/etc/pulsar/krb5<span class="hljs-selector [...]
</code></pre>
<p>Make sure that the keytabs configured in the <code>pulsar_jaas.conf</code> file and kdc server in the <code>krb5.conf</code> file are reachable by the operating system user who is starting pulsar client.</p>
-<p>If you are using command line, you can continue with these step:</p>
-<ol>
-<li>Config your <code>client.conf</code>:</li>
-</ol>
+<h4><a class="anchor" aria-hidden="true" id="configure-cli-tools"></a><a href="#configure-cli-tools" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.2 [...]
+<p>If you are using a command-line tool (such as <code>bin/pulsar-client</code>, <code>bin/pulsar-perf</code> and <code>bin/pulsar-admin</code>), you need to preform the following steps:</p>
+<p>Step 1. Config your <code>client.conf</code>.</p>
<pre><code class="hljs css language-shell">authPlugin=org.apache.pulsar.client.impl.auth.AuthenticationSasl
authParams={"saslJaasClientSectionName":"PulsarClient", "serverType":"broker"}
</code></pre>
-<ol start="2">
-<li>Set JVM parameter for JAAS configuration file and krb5 configuration file with additional option.</li>
-</ol>
+<p>Step 2. Set JVM parameters for JAAS configuration file and krb5 configuration file with additional options.</p>
<pre><code class="hljs css language-shell"> -Djava.security.auth.login.config=/etc/pulsar/pulsar_jaas.conf -Djava.security.krb5.conf=/etc/pulsar/krb5.conf
</code></pre>
-<p>You can add this at the end of <code>PULSAR_EXTRA_OPTS</code> in the file <a href="https://github.com/apache/pulsar/blob/master/conf/pulsar_tools_env.sh"><code>pulsar_tools_env.sh</code></a></p>
+<p>You can add this at the end of <code>PULSAR_EXTRA_OPTS</code> in the file <a href="https://github.com/apache/pulsar/blob/master/conf/pulsar_tools_env.sh"><code>pulsar_tools_env.sh</code></a>,
+or add this line <code>OPTS="$OPTS -Djava.security.auth.login.config=/etc/pulsar/pulsar_jaas.conf -Djava.security.krb5.conf=/etc/pulsar/krb5.conf "</code> directly to the CLI tool script.</p>
+<p>The meaning of configurations is the same as that in Java client section.</p>
<h2><a class="anchor" aria-hidden="true" id="kerberos-configuration-for-working-with-pulsar-proxy"></a><a href="#kerberos-configuration-for-working-with-pulsar-proxy" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S [...]
<p>With the above configuration, client and broker can do authentication using Kerberos.</p>
<p>If a client wants to connect to Pulsar Proxy, it is a little different. Client (as a SASL client in Kerberos) will be authenticated by Pulsar Proxy (as a SASL Server in Kerberos) first; and then Pulsar Proxy will be authenticated by Pulsar broker.</p>
@@ -291,7 +305,7 @@ saslJaasBrokerSectionName=PulsarProxy
<span class="hljs-meta">
#</span><span class="bash"><span class="hljs-comment"># related to be authenticated by broker</span></span>
brokerClientAuthenticationPlugin=org.apache.pulsar.client.impl.auth.AuthenticationSasl
-brokerClientAuthenticationParameters=saslJaasClientSectionName:PulsarProxy,serverType:broker
+brokerClientAuthenticationParameters={"saslJaasClientSectionName":"PulsarProxy", "serverType":"broker"}
forwardAuthorizationCredentials=true
</code></pre>
<p>The first part is related to authenticate between client and Pulsar Proxy. In this phase, client works as SASL client, while Pulsar Proxy works as SASL server.</p>
@@ -309,12 +323,39 @@ forwardAuthorizationCredentials=true
<p>For example:</p>
<pre><code class="hljs css language-bash">superUserRoles=client/{clientIp}@EXAMPLE.COM
</code></pre>
-<h2><a class="anchor" aria-hidden="true" id="regarding-authorization-between-bookkeeper-and-zookeeper"></a><a href="#regarding-authorization-between-bookkeeper-and-zookeeper" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.2 [...]
-<p>Adding <code>bookkeeperClientAuthenticationPlugin</code> parameter in <code>broker.conf</code> is a prerequisite for Broker (as a Kerberos client) being authenticated by Bookie (as a Kerberos Server):</p>
+<h2><a class="anchor" aria-hidden="true" id="regarding-authentication-between-zookeeper-and-broker"></a><a href="#regarding-authentication-between-zookeeper-and-broker" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2. [...]
+<p>Pulsar Broker acts as a Kerberos client when authenticating with Zookeeper. According to <a href="https://cwiki.apache.org/confluence/display/ZOOKEEPER/Client-Server+mutual+authentication">ZooKeeper document</a>, you need these settings in <code>conf/zookeeper.conf</code>:</p>
+<pre><code class="hljs">authProvider.<span class="hljs-number">1</span>=org<span class="hljs-selector-class">.apache</span><span class="hljs-selector-class">.zookeeper</span><span class="hljs-selector-class">.server</span><span class="hljs-selector-class">.auth</span><span class="hljs-selector-class">.SASLAuthenticationProvider</span>
+requireClientAuthScheme=sasl
+</code></pre>
+<p>And add a section of <code>Client</code> configurations in the file <code>pulsar_jaas.conf</code>, which is used by Pulsar Broker:</p>
+<pre><code class="hljs"><span class="hljs-built_in"> Client </span>{
+ com.sun.security.auth.module.Krb5LoginModule required
+ <span class="hljs-attribute">useKeyTab</span>=<span class="hljs-literal">true</span>
+ <span class="hljs-attribute">storeKey</span>=<span class="hljs-literal">true</span>
+ <span class="hljs-attribute">useTicketCache</span>=<span class="hljs-literal">false</span>
+ <span class="hljs-attribute">keyTab</span>=<span class="hljs-string">"/etc/security/keytabs/pulsarbroker.keytab"</span>
+ <span class="hljs-attribute">principal</span>=<span class="hljs-string">"broker/localhost@EXAMPLE.COM"</span>;
+};
+</code></pre>
+<p>In this setting, Pulsar Broker's principal and keyTab file indicates Broker's role when authenticating with ZooKeeper.</p>
+<h2><a class="anchor" aria-hidden="true" id="regarding-authentication-between-bookkeeper-and-broker"></a><a href="#regarding-authentication-between-bookkeeper-and-broker" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 [...]
+<p>Pulsar Broker acts as a Kerberos client when authenticating with Bookie. According to <a href="http://bookkeeper.apache.org/docs/latest/security/sasl/">BookKeeper document</a>, you need to add <code>bookkeeperClientAuthenticationPlugin</code> parameter in <code>broker.conf</code>:</p>
<pre><code class="hljs">bookkeeperClientAuthenticationPlugin=org<span class="hljs-selector-class">.apache</span><span class="hljs-selector-class">.bookkeeper</span><span class="hljs-selector-class">.sasl</span><span class="hljs-selector-class">.SASLClientProviderFactory</span>
</code></pre>
-<p>For more details of how to configure Kerberos for BookKeeper and Zookeeper, refer to <a href="http://bookkeeper.apache.org/docs/latest/security/sasl/">BookKeeper document</a>.</p>
-</span></div></article></div><div class="docs-prevnext"><a class="docs-prev button" href="/docs/en/security-athenz"><span class="arrow-prev">← </span><span>Authentication using Athenz</span></a><a class="docs-next button" href="/docs/en/security-authorization"><span>Authorization and ACLs</span><span class="arrow-next"> →</span></a></div></div></div><nav class="onPageNav"><ul class="toc-headings"><li><a href="#configuration-for-kerberos-between-client-and-broker">Configuration for Kerber [...]
+<p>In this setting, <code>SASLClientProviderFactory</code> creates a BookKeeper SASL client in a Broker, and the Broker uses the created SASL client to authenticate with a Bookie node.</p>
+<p>And add a section of <code>BookKeeper</code> configurations in the <code>pulsar_jaas.conf</code> that used by Pulsar Broker:</p>
+<pre><code class="hljs"> BookKeeper {
+ com.sun.security.auth.module.Krb5LoginModule required
+ <span class="hljs-attribute">useKeyTab</span>=<span class="hljs-literal">true</span>
+ <span class="hljs-attribute">storeKey</span>=<span class="hljs-literal">true</span>
+ <span class="hljs-attribute">useTicketCache</span>=<span class="hljs-literal">false</span>
+ <span class="hljs-attribute">keyTab</span>=<span class="hljs-string">"/etc/security/keytabs/pulsarbroker.keytab"</span>
+ <span class="hljs-attribute">principal</span>=<span class="hljs-string">"broker/localhost@EXAMPLE.COM"</span>;
+};
+</code></pre>
+<p>In this setting, Pulsar Broker's principal and keyTab file indicates Broker's role when authenticating with Bookie.</p>
+</span></div></article></div><div class="docs-prevnext"><a class="docs-prev button" href="/docs/en/security-athenz"><span class="arrow-prev">← </span><span>Authentication using Athenz</span></a><a class="docs-next button" href="/docs/en/security-authorization"><span>Authorization and ACLs</span><span class="arrow-next"> →</span></a></div></div></div><nav class="onPageNav"><ul class="toc-headings"><li><a href="#configuration-for-kerberos-between-client-and-broker">Configuration for Kerber [...]
const community = document.querySelector("a[href='#community']").parentNode;
const communityMenu =
'<li>' +
diff --git a/content/docs/fr/next/schema-get-started.html b/content/docs/fr/next/schema-get-started.html
index ad433c9..c13da7b 100644
--- a/content/docs/fr/next/schema-get-started.html
+++ b/content/docs/fr/next/schema-get-started.html
@@ -1,4 +1,4 @@
-<!DOCTYPE html><html lang="fr"><head><meta charSet="utf-8"/><meta http-equiv="X-UA-Compatible" content="IE=edge"/><title>Get started · Apache Pulsar</title><meta name="viewport" content="width=device-width"/><meta name="generator" content="Docusaurus"/><meta name="description" content="When a schema is enabled, Pulsar does parse data, it takes bytes as inputs and sends bytes as outputs. While data has meaning beyond bytes, you need to parse data and might encounter parse exceptions which [...]
+<!DOCTYPE html><html lang="fr"><head><meta charSet="utf-8"/><meta http-equiv="X-UA-Compatible" content="IE=edge"/><title>Get started · Apache Pulsar</title><meta name="viewport" content="width=device-width"/><meta name="generator" content="Docusaurus"/><meta name="description" content="## Schema Registry"/><meta name="docsearch:version" content="next"/><meta name="docsearch:language" content="fr"/><meta property="og:title" content="Get started · Apache Pulsar"/><meta property="og:type" c [...]
(function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){
(i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o),
m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m)
@@ -74,7 +74,20 @@
};
}
});
- </script></nav></div><div class="container mainContainer"><div class="wrapper"><div class="post"><header class="postHeader"><a class="edit-page-link button" href="https://crowdin.com/project/apache-pulsar/fr" target="_blank" rel="noreferrer noopener">Translate</a><h1 class="postHeaderTitle">Get started</h1></header><article><div><span><p>When a schema is enabled, Pulsar does parse data, it takes bytes as inputs and sends bytes as outputs. While data has meaning beyond bytes, you [...]
+ </script></nav></div><div class="container mainContainer"><div class="wrapper"><div class="post"><header class="postHeader"><a class="edit-page-link button" href="https://crowdin.com/project/apache-pulsar/fr" target="_blank" rel="noreferrer noopener">Translate</a><h1 class="postHeaderTitle">Get started</h1></header><article><div><span><h2><a class="anchor" aria-hidden="true" id="schema-registry"></a><a href="#schema-registry" aria-hidden="true" class="hash-link"><svg class="hash- [...]
+<p>Type safety is extremely important in any application built around a message bus like Pulsar.</p>
+<p>Producers and consumers need some kind of mechanism for coordinating types at the topic level to aviod various potential problems arise. For example, serialization and deserialization issues.</p>
+<p>Applications typically adopt one of the following approaches to guarantee type safety in messaging. Both approaches are available in Pulsar, and you're free to adopt one or the other or to mix and match on a per-topic basis.</p>
+<h3><a class="anchor" aria-hidden="true" id="client-side-approach"></a><a href="#client-side-approach" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1 [...]
+<p>Producers and consumers are responsible for not only serializing and deserializing messages (which consist of raw bytes) but also "knowing" which types are being transmitted via which topics.</p>
+<p>If a producer is sending temperature sensor data on the topic <code>topic-1</code>, consumers of that topic will run into trouble if they attempt to parse that data as moisture sensor readings.</p>
+<p>Producers and consumers can send and receive messages consisting of raw byte arrays and leave all type safety enforcement to the application on an "out-of-band" basis.</p>
+<h3><a class="anchor" aria-hidden="true" id="server-side-approach"></a><a href="#server-side-approach" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1 [...]
+<p>Producers and consumers inform the system which data types can be transmitted via the topic.</p>
+<p>With this approach, the messaging system enforces type safety and ensures that producers and consumers remain synced.</p>
+<p>Pulsar has a built-in <strong>schema registry</strong> that enables clients to upload data schemas on a per-topic basis. Those schemas dictate which data types are recognized as valid for that topic.</p>
+<h2><a class="anchor" aria-hidden="true" id="why-use-schema"></a><a href="#why-use-schema" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0- [...]
+<p>When a schema is enabled, Pulsar does parse data, it takes bytes as inputs and sends bytes as outputs. While data has meaning beyond bytes, you need to parse data and might encounter parse exceptions which mainly occur in the following situations:</p>
<ul>
<li><p>The field does not exist</p></li>
<li><p>The field type has changed (for example, <code>string</code> is changed to <code>int</code>)</p></li>
@@ -89,7 +102,7 @@
}
</code></pre>
<p>When constructing a producer with the <em>User</em> class, you can specify a schema or not as below.</p>
-<h2><a class="anchor" aria-hidden="true" id="without-schema"></a><a href="#without-schema" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0- [...]
+<h3><a class="anchor" aria-hidden="true" id="without-schema"></a><a href="#without-schema" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0- [...]
<p>If you construct a producer without specifying a schema, then the producer can only produce messages of type <code>byte[]</code>. If you have a POJO class, you need to serialize the POJO into bytes before sending messages.</p>
<p><strong>Example</strong></p>
<pre><code class="hljs">Producer<byte[]> producer = client.newProducer()
@@ -99,7 +112,7 @@ User user = new User(“Tom”, 28);
byte[] message = … // serialize the `user` by yourself;
producer.send(message);
</code></pre>
-<h2><a class="anchor" aria-hidden="true" id="with-schema"></a><a href="#with-schema" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42 [...]
+<h3><a class="anchor" aria-hidden="true" id="with-schema"></a><a href="#with-schema" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42 [...]
<p>If you construct a producer with specifying a schema, then you can send a class to a topic directly without worrying about how to serialize POJOs into bytes.</p>
<p><strong>Example</strong></p>
<p>This example constructs a producer with the <em>JSONSchema</em>, and you can send the <em>User</em> class to topics directly without worrying about how to serialize it into bytes.</p>
@@ -109,9 +122,9 @@ producer.send(message);
User user = new User(“Tom”, 28);
producer.send(User);
</code></pre>
-<h2><a class="anchor" aria-hidden="true" id="summary"></a><a href="#summary" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1- [...]
+<h3><a class="anchor" aria-hidden="true" id="summary"></a><a href="#summary" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1- [...]
<p>When constructing a producer with a schema, you do not need to serialize messages into bytes, instead Pulsar schema does this job in the background.</p>
-</span></div></article></div><div class="docs-prevnext"><a class="docs-prev button" href="/docs/fr/next/concepts-schema-registry"><span class="arrow-prev">← </span><span>Schema Registry</span></a><a class="docs-next button" href="/docs/fr/next/functions-overview"><span>Overview</span><span class="arrow-next"> →</span></a></div></div></div><nav class="onPageNav"><ul class="toc-headings"><li><a href="#without-schema">Without schema</a></li><li><a href="#with-schema">With schema</a></li><li [...]
+</span></div></article></div><div class="docs-prevnext"><a class="docs-prev button" href="/docs/fr/next/concepts-schema-registry"><span class="arrow-prev">← </span><span>Schema Registry</span></a><a class="docs-next button" href="/docs/fr/next/functions-overview"><span>Overview</span><span class="arrow-next"> →</span></a></div></div></div><nav class="onPageNav"><ul class="toc-headings"><li><a href="#schema-registry">Schema Registry</a><ul class="toc-headings"><li><a href="#client-side-ap [...]
const community = document.querySelector("a[href='#community']").parentNode;
const communityMenu =
'<li>' +
diff --git a/content/docs/fr/next/schema-get-started/index.html b/content/docs/fr/next/schema-get-started/index.html
index ad433c9..c13da7b 100644
--- a/content/docs/fr/next/schema-get-started/index.html
+++ b/content/docs/fr/next/schema-get-started/index.html
@@ -1,4 +1,4 @@
-<!DOCTYPE html><html lang="fr"><head><meta charSet="utf-8"/><meta http-equiv="X-UA-Compatible" content="IE=edge"/><title>Get started · Apache Pulsar</title><meta name="viewport" content="width=device-width"/><meta name="generator" content="Docusaurus"/><meta name="description" content="When a schema is enabled, Pulsar does parse data, it takes bytes as inputs and sends bytes as outputs. While data has meaning beyond bytes, you need to parse data and might encounter parse exceptions which [...]
+<!DOCTYPE html><html lang="fr"><head><meta charSet="utf-8"/><meta http-equiv="X-UA-Compatible" content="IE=edge"/><title>Get started · Apache Pulsar</title><meta name="viewport" content="width=device-width"/><meta name="generator" content="Docusaurus"/><meta name="description" content="## Schema Registry"/><meta name="docsearch:version" content="next"/><meta name="docsearch:language" content="fr"/><meta property="og:title" content="Get started · Apache Pulsar"/><meta property="og:type" c [...]
(function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){
(i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o),
m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m)
@@ -74,7 +74,20 @@
};
}
});
- </script></nav></div><div class="container mainContainer"><div class="wrapper"><div class="post"><header class="postHeader"><a class="edit-page-link button" href="https://crowdin.com/project/apache-pulsar/fr" target="_blank" rel="noreferrer noopener">Translate</a><h1 class="postHeaderTitle">Get started</h1></header><article><div><span><p>When a schema is enabled, Pulsar does parse data, it takes bytes as inputs and sends bytes as outputs. While data has meaning beyond bytes, you [...]
+ </script></nav></div><div class="container mainContainer"><div class="wrapper"><div class="post"><header class="postHeader"><a class="edit-page-link button" href="https://crowdin.com/project/apache-pulsar/fr" target="_blank" rel="noreferrer noopener">Translate</a><h1 class="postHeaderTitle">Get started</h1></header><article><div><span><h2><a class="anchor" aria-hidden="true" id="schema-registry"></a><a href="#schema-registry" aria-hidden="true" class="hash-link"><svg class="hash- [...]
+<p>Type safety is extremely important in any application built around a message bus like Pulsar.</p>
+<p>Producers and consumers need some kind of mechanism for coordinating types at the topic level to aviod various potential problems arise. For example, serialization and deserialization issues.</p>
+<p>Applications typically adopt one of the following approaches to guarantee type safety in messaging. Both approaches are available in Pulsar, and you're free to adopt one or the other or to mix and match on a per-topic basis.</p>
+<h3><a class="anchor" aria-hidden="true" id="client-side-approach"></a><a href="#client-side-approach" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1 [...]
+<p>Producers and consumers are responsible for not only serializing and deserializing messages (which consist of raw bytes) but also "knowing" which types are being transmitted via which topics.</p>
+<p>If a producer is sending temperature sensor data on the topic <code>topic-1</code>, consumers of that topic will run into trouble if they attempt to parse that data as moisture sensor readings.</p>
+<p>Producers and consumers can send and receive messages consisting of raw byte arrays and leave all type safety enforcement to the application on an "out-of-band" basis.</p>
+<h3><a class="anchor" aria-hidden="true" id="server-side-approach"></a><a href="#server-side-approach" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1 [...]
+<p>Producers and consumers inform the system which data types can be transmitted via the topic.</p>
+<p>With this approach, the messaging system enforces type safety and ensures that producers and consumers remain synced.</p>
+<p>Pulsar has a built-in <strong>schema registry</strong> that enables clients to upload data schemas on a per-topic basis. Those schemas dictate which data types are recognized as valid for that topic.</p>
+<h2><a class="anchor" aria-hidden="true" id="why-use-schema"></a><a href="#why-use-schema" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0- [...]
+<p>When a schema is enabled, Pulsar does parse data, it takes bytes as inputs and sends bytes as outputs. While data has meaning beyond bytes, you need to parse data and might encounter parse exceptions which mainly occur in the following situations:</p>
<ul>
<li><p>The field does not exist</p></li>
<li><p>The field type has changed (for example, <code>string</code> is changed to <code>int</code>)</p></li>
@@ -89,7 +102,7 @@
}
</code></pre>
<p>When constructing a producer with the <em>User</em> class, you can specify a schema or not as below.</p>
-<h2><a class="anchor" aria-hidden="true" id="without-schema"></a><a href="#without-schema" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0- [...]
+<h3><a class="anchor" aria-hidden="true" id="without-schema"></a><a href="#without-schema" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0- [...]
<p>If you construct a producer without specifying a schema, then the producer can only produce messages of type <code>byte[]</code>. If you have a POJO class, you need to serialize the POJO into bytes before sending messages.</p>
<p><strong>Example</strong></p>
<pre><code class="hljs">Producer<byte[]> producer = client.newProducer()
@@ -99,7 +112,7 @@ User user = new User(“Tom”, 28);
byte[] message = … // serialize the `user` by yourself;
producer.send(message);
</code></pre>
-<h2><a class="anchor" aria-hidden="true" id="with-schema"></a><a href="#with-schema" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42 [...]
+<h3><a class="anchor" aria-hidden="true" id="with-schema"></a><a href="#with-schema" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42 [...]
<p>If you construct a producer with specifying a schema, then you can send a class to a topic directly without worrying about how to serialize POJOs into bytes.</p>
<p><strong>Example</strong></p>
<p>This example constructs a producer with the <em>JSONSchema</em>, and you can send the <em>User</em> class to topics directly without worrying about how to serialize it into bytes.</p>
@@ -109,9 +122,9 @@ producer.send(message);
User user = new User(“Tom”, 28);
producer.send(User);
</code></pre>
-<h2><a class="anchor" aria-hidden="true" id="summary"></a><a href="#summary" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1- [...]
+<h3><a class="anchor" aria-hidden="true" id="summary"></a><a href="#summary" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1- [...]
<p>When constructing a producer with a schema, you do not need to serialize messages into bytes, instead Pulsar schema does this job in the background.</p>
-</span></div></article></div><div class="docs-prevnext"><a class="docs-prev button" href="/docs/fr/next/concepts-schema-registry"><span class="arrow-prev">← </span><span>Schema Registry</span></a><a class="docs-next button" href="/docs/fr/next/functions-overview"><span>Overview</span><span class="arrow-next"> →</span></a></div></div></div><nav class="onPageNav"><ul class="toc-headings"><li><a href="#without-schema">Without schema</a></li><li><a href="#with-schema">With schema</a></li><li [...]
+</span></div></article></div><div class="docs-prevnext"><a class="docs-prev button" href="/docs/fr/next/concepts-schema-registry"><span class="arrow-prev">← </span><span>Schema Registry</span></a><a class="docs-next button" href="/docs/fr/next/functions-overview"><span>Overview</span><span class="arrow-next"> →</span></a></div></div></div><nav class="onPageNav"><ul class="toc-headings"><li><a href="#schema-registry">Schema Registry</a><ul class="toc-headings"><li><a href="#client-side-ap [...]
const community = document.querySelector("a[href='#community']").parentNode;
const communityMenu =
'<li>' +
diff --git a/content/docs/fr/next/security-kerberos.html b/content/docs/fr/next/security-kerberos.html
index 9cd806f..651e196 100644
--- a/content/docs/fr/next/security-kerberos.html
+++ b/content/docs/fr/next/security-kerberos.html
@@ -93,6 +93,7 @@ sudo /usr/sbin/kadmin.local -q 'addprinc -randkey client/{hostname}@{REALM}'
sudo /usr/sbin/kadmin.local -q "ktadd -k /etc/security/keytabs/{client-keytabname}.keytab client/{hostname}@{REALM}"
</code></pre>
<p>Note that it is a <em>Kerberos</em> requirement that all your hosts can be resolved with their FQDNs.</p>
+<p>The first part of Broker principal (for example, <code>broker</code> in <code>broker/{hostname}@{REALM}</code>) is the <code>serverType</code> of each host, The suggested values of <code>serverType</code> are <code>broker</code> (host machine runs service Pulsar Broker) and <code>proxy</code> (host machine runs service Pulsar Proxy).</p>
<h4><a class="anchor" aria-hidden="true" id="configure-how-to-connect-to-kdc"></a><a href="#configure-how-to-connect-to-kdc" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 [...]
<p>You need to specify the path to the <code>krb5.conf</code> file for both client and broker side. The contents of <code>krb5.conf</code> file indicate the default Realm and KDC information. See <a href="https://docs.oracle.com/javase/8/docs/technotes/guides/security/jgss/tutorials/KerberosReq.html">JDK’s Kerberos Requirements</a> for more details.</p>
<pre><code class="hljs css language-shell">-Djava.security.krb5.conf=/etc/pulsar/krb5.conf
@@ -134,32 +135,41 @@ sudo /usr/sbin/kadmin.local -q "ktadd -k /etc/security/keytabs/{client-keytabnam
<p>In the <code>pulsar_jaas.conf</code> file above</p>
<ol>
<li><code>PulsarBroker</code> is a section name in the JAAS file used by each broker. This section tells the broker which principal to use inside Kerberos and the location of the keytab where the principal is stored. It allows the broker to use the keytab specified in this section.</li>
-<li><code>PulsarClient</code> is a section name in the JASS file used by each client. This section tells the client which principal to use inside Kerberos and the location of the keytab where the principal is stored. It allows the client to use the keytab specified in this section.</li>
+<li><code>PulsarClient</code> is a section name in the JASS file used by each client. This section tells the client which principal to use inside Kerberos and the location of the keytab where the principal is stored. It allows the client to use the keytab specified in this section. In the following example, this <code>PulsarClient</code> section will also be reused in both the Pulsar internal admin configuration and in CLI command of <code>bin/pulsar-client</code>, <code>bin/pulsar-perf< [...]
</ol>
-<p>It is also a choice to have 2 separate JAAS configuration files: the file for broker will only have <code>PulsarBroker</code> section; while the one for client only have <code>PulsarClient</code> section.</p>
+<p>You can have 2 separate JAAS configuration files:</p>
+<ul>
+<li>the file for a broker has sections of both <code>PulsarBroker</code> and <code>PulsarClient</code>;</li>
+<li>the file for a client only has a <code>PulsarClient</code> section.</li>
+</ul>
<h3><a class="anchor" aria-hidden="true" id="kerberos-configuration-for-brokers"></a><a href="#kerberos-configuration-for-brokers" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5 [...]
-<ol>
-<li>In the <code>broker.conf</code> file, set Kerberos related configuration.</li>
-</ol>
+<h4><a class="anchor" aria-hidden="true" id="configure-brokerconf-file"></a><a href="#configure-brokerconf-file" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c [...]
+<p>In the <code>broker.conf</code> file, set Kerberos related configurations.</p>
<ul>
<li><p>Set <code>authenticationEnabled</code> to <code>true</code>;</p></li>
<li><p>Set <code>authenticationProviders</code> to choose <code>AuthenticationProviderSasl</code>;</p></li>
-<li><p>Set <code>saslJaasClientAllowedIds</code> regex for principal that is allowed to connect to broker.</p></li>
-<li><p>Set <code>saslJaasBrokerSectionName</code> that corresponding to the section in JAAS configuration file for broker.</p>
+<li><p>Set <code>saslJaasClientAllowedIds</code> regex for principal that is allowed to connect to broker;</p></li>
+<li><p>Set <code>saslJaasBrokerSectionName</code> that corresponding to the section in JAAS configuration file for broker;</p>
+<p>To make Pulsar internal admin client work properly, you need to set the configuration in the <code>broker.conf</code> file as below:</p></li>
+<li><p>Set <code>brokerClientAuthenticationPlugin</code> to client plugin <code>AuthenticationSasl</code>;</p></li>
+<li><p>Set <code>brokerClientAuthenticationParameters</code> to value in JSON string <code>{"saslJaasClientSectionName":"PulsarClient", "serverType":"broker"}</code>, in which <code>PulsarClient</code> is the section name in above <code>pulsar_jaas.conf</code> file, and <code>"serverType":"broker"</code> indicate that internal admin client will connect to a Pulsar Broker;</p>
<p>Here is an example:</p>
<p>authenticationEnabled=true
authenticationProviders=org.apache.pulsar.broker.authentication.AuthenticationProviderSasl
saslJaasClientAllowedIds=.<em>client.</em>
-saslJaasBrokerSectionName=PulsarBroker</p></li>
+saslJaasBrokerSectionName=PulsarBroker</p>
+<h2><a class="anchor" aria-hidden="true" id="authentication-settings-of-the-broker-itself-used-when-the-broker-connects-to-other-brokers"></a><a href="#authentication-settings-of-the-broker-itself-used-when-the-broker-connects-to-other-brokers" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2. [...]
+<p>brokerClientAuthenticationPlugin=org.apache.pulsar.client.impl.auth.AuthenticationSasl
+brokerClientAuthenticationParameters={"saslJaasClientSectionName":"PulsarClient", "serverType":"broker"}</p></li>
</ul>
-<ol start="2">
-<li>Set JVM parameter for JAAS configuration file and krb5 configuration file with additional option.</li>
-</ol>
+<h4><a class="anchor" aria-hidden="true" id="set-broker-jvm-parameter"></a><a href="#set-broker-jvm-parameter" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-. [...]
+<p>Set JVM parameters for JAAS configuration file and krb5 configuration file with additional options.</p>
<pre><code class="hljs css language-shell"> -Djava.security.auth.login.config=/etc/pulsar/pulsar_jaas.conf -Djava.security.krb5.conf=/etc/pulsar/krb5.conf
</code></pre>
<p>You can add this at the end of <code>PULSAR_EXTRA_OPTS</code> in the file <a href="https://github.com/apache/pulsar/blob/master/conf/pulsar_env.sh"><code>pulsar_env.sh</code></a></p>
<p>Make sure that the keytabs configured in the <code>pulsar_jaas.conf</code> file and kdc server in the <code>krb5.conf</code> file are reachable by the operating system user who is starting broker.</p>
<h3><a class="anchor" aria-hidden="true" id="kerberos-configuration-for-clients"></a><a href="#kerberos-configuration-for-clients" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5 [...]
+<h4><a class="anchor" aria-hidden="true" id="java-client-and-java-admin-client"></a><a href="#java-client-and-java-admin-client" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S1 [...]
<p>In client application, include <code>pulsar-client-auth-sasl</code> in your project dependency.</p>
<pre><code class="hljs"> <dependency>
<groupId>org.apache.pulsar</groupId>
@@ -198,20 +208,23 @@ java -cp -Djava.security.auth.login.<span class="hljs-attribute">config</span>=/
<br />Make sure that the keytabs configured <span class="hljs-keyword">in</span> the `pulsar_jaas.conf` file <span class="hljs-keyword">and</span> kdc<span class="hljs-built_in"> server </span><span class="hljs-keyword">in</span> the `krb5.conf` file are reachable by the operating<span class="hljs-built_in"> system user </span>who is starting pulsar client.
- <span class="hljs-keyword">If</span> you are using command line, you can continue with these <span class="hljs-keyword">step</span>:
+ #### Configure CLI tools
+
+ <span class="hljs-keyword">If</span> you are using a command-line<span class="hljs-built_in"> tool </span>(such as `bin/pulsar-client`, `bin/pulsar-perf` <span class="hljs-keyword">and</span> `bin/pulsar-admin`), you need <span class="hljs-keyword">to</span> preform the following steps:
- 1.<span class="hljs-built_in"> Config </span>your `client.conf`:
+ <span class="hljs-keyword">Step</span> 1.<span class="hljs-built_in"> Config </span>your `client.conf`.
```shell
<span class="hljs-attribute">authPlugin</span>=org.apache.pulsar.client.impl.auth.AuthenticationSasl
authParams={<span class="hljs-string">"saslJaasClientSectionName"</span>:<span class="hljs-string">"PulsarClient"</span>, <span class="hljs-string">"serverType"</span>:<span class="hljs-string">"broker"</span>}
-2. <span class="hljs-builtin-name">Set</span> JVM parameter <span class="hljs-keyword">for</span> JAAS configuration file <span class="hljs-keyword">and</span> krb5 configuration file with additional option.
+<span class="hljs-keyword">Step</span> 2. <span class="hljs-builtin-name">Set</span> JVM parameters <span class="hljs-keyword">for</span> JAAS configuration file <span class="hljs-keyword">and</span> krb5 configuration file with additional options.
```shell
-Djava.security.auth.login.<span class="hljs-attribute">config</span>=/etc/pulsar/pulsar_jaas.conf -Djava.security.krb5.<span class="hljs-attribute">conf</span>=/etc/pulsar/krb5.conf
</code></pre>
-<p>You can add this at the end of <code>PULSAR_EXTRA_OPTS</code> in the file <a href="https://github.com/apache/pulsar/blob/master/conf/pulsar_tools_env.sh"><code>pulsar_tools_env.sh</code></a></p>
+<p>You can add this at the end of <code>PULSAR_EXTRA_OPTS</code> in the file <a href="https://github.com/apache/pulsar/blob/master/conf/pulsar_tools_env.sh"><code>pulsar_tools_env.sh</code></a>, or add this line <code>OPTS="$OPTS -Djava.security.auth.login.config=/etc/pulsar/pulsar_jaas.conf -Djava.security.krb5.conf=/etc/pulsar/krb5.conf "</code> directly to the CLI tool script.</p>
+<p>The meaning of configurations is the same as that in Java client section.</p>
<h2><a class="anchor" aria-hidden="true" id="kerberos-configuration-for-working-with-pulsar-proxy"></a><a href="#kerberos-configuration-for-working-with-pulsar-proxy" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S [...]
<p>With the above configuration, client and broker can do authentication using Kerberos.</p>
<p>If a client wants to connect to Pulsar Proxy, it is a little different. Client (as a SASL client in Kerberos) will be authenticated by Pulsar Proxy (as a SASL Server in Kerberos) first; and then Pulsar Proxy will be authenticated by Pulsar broker.</p>
@@ -293,7 +306,7 @@ java -cp -Djava.security.auth.login.<span class="hljs-attribute">config</span>=/
## related <span class="hljs-keyword">to</span> be authenticated by broker
<span class="hljs-attribute">brokerClientAuthenticationPlugin</span>=org.apache.pulsar.client.impl.auth.AuthenticationSasl
- <span class="hljs-attribute">brokerClientAuthenticationParameters</span>=saslJaasClientSectionName:PulsarProxy,serverType:broker
+ brokerClientAuthenticationParameters={<span class="hljs-string">"saslJaasClientSectionName"</span>:<span class="hljs-string">"PulsarProxy"</span>, <span class="hljs-string">"serverType"</span>:<span class="hljs-string">"broker"</span>}
<span class="hljs-attribute">forwardAuthorizationCredentials</span>=<span class="hljs-literal">true</span>
@@ -322,12 +335,39 @@ The broker side configuration file is the same with the above `broker.conf`, you
```bash
<span class="hljs-attribute">superUserRoles</span>=client/{clientIp}@EXAMPLE.COM
</code></pre>
-<h2><a class="anchor" aria-hidden="true" id="regarding-authorization-between-bookkeeper-and-zookeeper"></a><a href="#regarding-authorization-between-bookkeeper-and-zookeeper" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.2 [...]
-<p>Adding <code>bookkeeperClientAuthenticationPlugin</code> parameter in <code>broker.conf</code> is a prerequisite for Broker (as a Kerberos client) being authenticated by Bookie (as a Kerberos Server):</p>
+<h2><a class="anchor" aria-hidden="true" id="regarding-authentication-between-zookeeper-and-broker"></a><a href="#regarding-authentication-between-zookeeper-and-broker" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2. [...]
+<p>Pulsar Broker acts as a Kerberos client when authenticating with Zookeeper. According to <a href="https://cwiki.apache.org/confluence/display/ZOOKEEPER/Client-Server+mutual+authentication">ZooKeeper document</a>, you need these settings in <code>conf/zookeeper.conf</code>:</p>
+<pre><code class="hljs">authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
+requireClientAuthScheme=sasl
+</code></pre>
+<p>And add a section of <code>Client</code> configurations in the file <code>pulsar_jaas.conf</code>, which is used by Pulsar Broker:</p>
+<pre><code class="hljs"> Client {
+ com.sun.security.auth.module.Krb5LoginModule required
+ useKeyTab=true
+ storeKey=true
+ useTicketCache=false
+ keyTab="/etc/security/keytabs/pulsarbroker.keytab"
+ principal="broker/localhost@EXAMPLE.COM";
+};
+</code></pre>
+<p>In this setting, Pulsar Broker's principal and keyTab file indicates Broker's role when authenticating with ZooKeeper.</p>
+<h2><a class="anchor" aria-hidden="true" id="regarding-authentication-between-bookkeeper-and-broker"></a><a href="#regarding-authentication-between-bookkeeper-and-broker" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 [...]
+<p>Pulsar Broker acts as a Kerberos client when authenticating with Bookie. According to <a href="http://bookkeeper.apache.org/docs/latest/security/sasl/">BookKeeper document</a>, you need to add <code>bookkeeperClientAuthenticationPlugin</code> parameter in <code>broker.conf</code>:</p>
<pre><code class="hljs">bookkeeperClientAuthenticationPlugin=org.apache.bookkeeper.sasl.SASLClientProviderFactory
</code></pre>
-<p>For more details of how to configure Kerberos for BookKeeper and Zookeeper, refer to <a href="http://bookkeeper.apache.org/docs/latest/security/sasl/">BookKeeper document</a>.</p>
-</span></div></article></div><div class="docs-prevnext"><a class="docs-prev button" href="/docs/fr/next/security-athenz"><span class="arrow-prev">← </span><span>Authentication using Athenz</span></a><a class="docs-next button" href="/docs/fr/next/security-authorization"><span>Authorization and ACLs</span><span class="arrow-next"> →</span></a></div></div></div><nav class="onPageNav"><ul class="toc-headings"><li><a href="#configuration-for-kerberos-between-client-and-broker">Configuration [...]
+<p>In this setting, <code>SASLClientProviderFactory</code> creates a BookKeeper SASL client in a Broker, and the Broker uses the created SASL client to authenticate with a Bookie node.</p>
+<p>And add a section of <code>BookKeeper</code> configurations in the <code>pulsar_jaas.conf</code> that used by Pulsar Broker:</p>
+<pre><code class="hljs"> BookKeeper {
+ com.sun.security.auth.module.Krb5LoginModule required
+ useKeyTab=true
+ storeKey=true
+ useTicketCache=false
+ keyTab="/etc/security/keytabs/pulsarbroker.keytab"
+ principal="broker/localhost@EXAMPLE.COM";
+};
+</code></pre>
+<p>In this setting, Pulsar Broker's principal and keyTab file indicates Broker's role when authenticating with Bookie.</p>
+</span></div></article></div><div class="docs-prevnext"><a class="docs-prev button" href="/docs/fr/next/security-athenz"><span class="arrow-prev">← </span><span>Authentication using Athenz</span></a><a class="docs-next button" href="/docs/fr/next/security-authorization"><span>Authorization and ACLs</span><span class="arrow-next"> →</span></a></div></div></div><nav class="onPageNav"><ul class="toc-headings"><li><a href="#configuration-for-kerberos-between-client-and-broker">Configuration [...]
const community = document.querySelector("a[href='#community']").parentNode;
const communityMenu =
'<li>' +
diff --git a/content/docs/fr/next/security-kerberos/index.html b/content/docs/fr/next/security-kerberos/index.html
index 9cd806f..651e196 100644
--- a/content/docs/fr/next/security-kerberos/index.html
+++ b/content/docs/fr/next/security-kerberos/index.html
@@ -93,6 +93,7 @@ sudo /usr/sbin/kadmin.local -q 'addprinc -randkey client/{hostname}@{REALM}'
sudo /usr/sbin/kadmin.local -q "ktadd -k /etc/security/keytabs/{client-keytabname}.keytab client/{hostname}@{REALM}"
</code></pre>
<p>Note that it is a <em>Kerberos</em> requirement that all your hosts can be resolved with their FQDNs.</p>
+<p>The first part of Broker principal (for example, <code>broker</code> in <code>broker/{hostname}@{REALM}</code>) is the <code>serverType</code> of each host, The suggested values of <code>serverType</code> are <code>broker</code> (host machine runs service Pulsar Broker) and <code>proxy</code> (host machine runs service Pulsar Proxy).</p>
<h4><a class="anchor" aria-hidden="true" id="configure-how-to-connect-to-kdc"></a><a href="#configure-how-to-connect-to-kdc" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 [...]
<p>You need to specify the path to the <code>krb5.conf</code> file for both client and broker side. The contents of <code>krb5.conf</code> file indicate the default Realm and KDC information. See <a href="https://docs.oracle.com/javase/8/docs/technotes/guides/security/jgss/tutorials/KerberosReq.html">JDK’s Kerberos Requirements</a> for more details.</p>
<pre><code class="hljs css language-shell">-Djava.security.krb5.conf=/etc/pulsar/krb5.conf
@@ -134,32 +135,41 @@ sudo /usr/sbin/kadmin.local -q "ktadd -k /etc/security/keytabs/{client-keytabnam
<p>In the <code>pulsar_jaas.conf</code> file above</p>
<ol>
<li><code>PulsarBroker</code> is a section name in the JAAS file used by each broker. This section tells the broker which principal to use inside Kerberos and the location of the keytab where the principal is stored. It allows the broker to use the keytab specified in this section.</li>
-<li><code>PulsarClient</code> is a section name in the JASS file used by each client. This section tells the client which principal to use inside Kerberos and the location of the keytab where the principal is stored. It allows the client to use the keytab specified in this section.</li>
+<li><code>PulsarClient</code> is a section name in the JASS file used by each client. This section tells the client which principal to use inside Kerberos and the location of the keytab where the principal is stored. It allows the client to use the keytab specified in this section. In the following example, this <code>PulsarClient</code> section will also be reused in both the Pulsar internal admin configuration and in CLI command of <code>bin/pulsar-client</code>, <code>bin/pulsar-perf< [...]
</ol>
-<p>It is also a choice to have 2 separate JAAS configuration files: the file for broker will only have <code>PulsarBroker</code> section; while the one for client only have <code>PulsarClient</code> section.</p>
+<p>You can have 2 separate JAAS configuration files:</p>
+<ul>
+<li>the file for a broker has sections of both <code>PulsarBroker</code> and <code>PulsarClient</code>;</li>
+<li>the file for a client only has a <code>PulsarClient</code> section.</li>
+</ul>
<h3><a class="anchor" aria-hidden="true" id="kerberos-configuration-for-brokers"></a><a href="#kerberos-configuration-for-brokers" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5 [...]
-<ol>
-<li>In the <code>broker.conf</code> file, set Kerberos related configuration.</li>
-</ol>
+<h4><a class="anchor" aria-hidden="true" id="configure-brokerconf-file"></a><a href="#configure-brokerconf-file" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c [...]
+<p>In the <code>broker.conf</code> file, set Kerberos related configurations.</p>
<ul>
<li><p>Set <code>authenticationEnabled</code> to <code>true</code>;</p></li>
<li><p>Set <code>authenticationProviders</code> to choose <code>AuthenticationProviderSasl</code>;</p></li>
-<li><p>Set <code>saslJaasClientAllowedIds</code> regex for principal that is allowed to connect to broker.</p></li>
-<li><p>Set <code>saslJaasBrokerSectionName</code> that corresponding to the section in JAAS configuration file for broker.</p>
+<li><p>Set <code>saslJaasClientAllowedIds</code> regex for principal that is allowed to connect to broker;</p></li>
+<li><p>Set <code>saslJaasBrokerSectionName</code> that corresponding to the section in JAAS configuration file for broker;</p>
+<p>To make Pulsar internal admin client work properly, you need to set the configuration in the <code>broker.conf</code> file as below:</p></li>
+<li><p>Set <code>brokerClientAuthenticationPlugin</code> to client plugin <code>AuthenticationSasl</code>;</p></li>
+<li><p>Set <code>brokerClientAuthenticationParameters</code> to value in JSON string <code>{"saslJaasClientSectionName":"PulsarClient", "serverType":"broker"}</code>, in which <code>PulsarClient</code> is the section name in above <code>pulsar_jaas.conf</code> file, and <code>"serverType":"broker"</code> indicate that internal admin client will connect to a Pulsar Broker;</p>
<p>Here is an example:</p>
<p>authenticationEnabled=true
authenticationProviders=org.apache.pulsar.broker.authentication.AuthenticationProviderSasl
saslJaasClientAllowedIds=.<em>client.</em>
-saslJaasBrokerSectionName=PulsarBroker</p></li>
+saslJaasBrokerSectionName=PulsarBroker</p>
+<h2><a class="anchor" aria-hidden="true" id="authentication-settings-of-the-broker-itself-used-when-the-broker-connects-to-other-brokers"></a><a href="#authentication-settings-of-the-broker-itself-used-when-the-broker-connects-to-other-brokers" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2. [...]
+<p>brokerClientAuthenticationPlugin=org.apache.pulsar.client.impl.auth.AuthenticationSasl
+brokerClientAuthenticationParameters={"saslJaasClientSectionName":"PulsarClient", "serverType":"broker"}</p></li>
</ul>
-<ol start="2">
-<li>Set JVM parameter for JAAS configuration file and krb5 configuration file with additional option.</li>
-</ol>
+<h4><a class="anchor" aria-hidden="true" id="set-broker-jvm-parameter"></a><a href="#set-broker-jvm-parameter" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-. [...]
+<p>Set JVM parameters for JAAS configuration file and krb5 configuration file with additional options.</p>
<pre><code class="hljs css language-shell"> -Djava.security.auth.login.config=/etc/pulsar/pulsar_jaas.conf -Djava.security.krb5.conf=/etc/pulsar/krb5.conf
</code></pre>
<p>You can add this at the end of <code>PULSAR_EXTRA_OPTS</code> in the file <a href="https://github.com/apache/pulsar/blob/master/conf/pulsar_env.sh"><code>pulsar_env.sh</code></a></p>
<p>Make sure that the keytabs configured in the <code>pulsar_jaas.conf</code> file and kdc server in the <code>krb5.conf</code> file are reachable by the operating system user who is starting broker.</p>
<h3><a class="anchor" aria-hidden="true" id="kerberos-configuration-for-clients"></a><a href="#kerberos-configuration-for-clients" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5 [...]
+<h4><a class="anchor" aria-hidden="true" id="java-client-and-java-admin-client"></a><a href="#java-client-and-java-admin-client" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S1 [...]
<p>In client application, include <code>pulsar-client-auth-sasl</code> in your project dependency.</p>
<pre><code class="hljs"> <dependency>
<groupId>org.apache.pulsar</groupId>
@@ -198,20 +208,23 @@ java -cp -Djava.security.auth.login.<span class="hljs-attribute">config</span>=/
<br />Make sure that the keytabs configured <span class="hljs-keyword">in</span> the `pulsar_jaas.conf` file <span class="hljs-keyword">and</span> kdc<span class="hljs-built_in"> server </span><span class="hljs-keyword">in</span> the `krb5.conf` file are reachable by the operating<span class="hljs-built_in"> system user </span>who is starting pulsar client.
- <span class="hljs-keyword">If</span> you are using command line, you can continue with these <span class="hljs-keyword">step</span>:
+ #### Configure CLI tools
+
+ <span class="hljs-keyword">If</span> you are using a command-line<span class="hljs-built_in"> tool </span>(such as `bin/pulsar-client`, `bin/pulsar-perf` <span class="hljs-keyword">and</span> `bin/pulsar-admin`), you need <span class="hljs-keyword">to</span> preform the following steps:
- 1.<span class="hljs-built_in"> Config </span>your `client.conf`:
+ <span class="hljs-keyword">Step</span> 1.<span class="hljs-built_in"> Config </span>your `client.conf`.
```shell
<span class="hljs-attribute">authPlugin</span>=org.apache.pulsar.client.impl.auth.AuthenticationSasl
authParams={<span class="hljs-string">"saslJaasClientSectionName"</span>:<span class="hljs-string">"PulsarClient"</span>, <span class="hljs-string">"serverType"</span>:<span class="hljs-string">"broker"</span>}
-2. <span class="hljs-builtin-name">Set</span> JVM parameter <span class="hljs-keyword">for</span> JAAS configuration file <span class="hljs-keyword">and</span> krb5 configuration file with additional option.
+<span class="hljs-keyword">Step</span> 2. <span class="hljs-builtin-name">Set</span> JVM parameters <span class="hljs-keyword">for</span> JAAS configuration file <span class="hljs-keyword">and</span> krb5 configuration file with additional options.
```shell
-Djava.security.auth.login.<span class="hljs-attribute">config</span>=/etc/pulsar/pulsar_jaas.conf -Djava.security.krb5.<span class="hljs-attribute">conf</span>=/etc/pulsar/krb5.conf
</code></pre>
-<p>You can add this at the end of <code>PULSAR_EXTRA_OPTS</code> in the file <a href="https://github.com/apache/pulsar/blob/master/conf/pulsar_tools_env.sh"><code>pulsar_tools_env.sh</code></a></p>
+<p>You can add this at the end of <code>PULSAR_EXTRA_OPTS</code> in the file <a href="https://github.com/apache/pulsar/blob/master/conf/pulsar_tools_env.sh"><code>pulsar_tools_env.sh</code></a>, or add this line <code>OPTS="$OPTS -Djava.security.auth.login.config=/etc/pulsar/pulsar_jaas.conf -Djava.security.krb5.conf=/etc/pulsar/krb5.conf "</code> directly to the CLI tool script.</p>
+<p>The meaning of configurations is the same as that in Java client section.</p>
<h2><a class="anchor" aria-hidden="true" id="kerberos-configuration-for-working-with-pulsar-proxy"></a><a href="#kerberos-configuration-for-working-with-pulsar-proxy" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S [...]
<p>With the above configuration, client and broker can do authentication using Kerberos.</p>
<p>If a client wants to connect to Pulsar Proxy, it is a little different. Client (as a SASL client in Kerberos) will be authenticated by Pulsar Proxy (as a SASL Server in Kerberos) first; and then Pulsar Proxy will be authenticated by Pulsar broker.</p>
@@ -293,7 +306,7 @@ java -cp -Djava.security.auth.login.<span class="hljs-attribute">config</span>=/
## related <span class="hljs-keyword">to</span> be authenticated by broker
<span class="hljs-attribute">brokerClientAuthenticationPlugin</span>=org.apache.pulsar.client.impl.auth.AuthenticationSasl
- <span class="hljs-attribute">brokerClientAuthenticationParameters</span>=saslJaasClientSectionName:PulsarProxy,serverType:broker
+ brokerClientAuthenticationParameters={<span class="hljs-string">"saslJaasClientSectionName"</span>:<span class="hljs-string">"PulsarProxy"</span>, <span class="hljs-string">"serverType"</span>:<span class="hljs-string">"broker"</span>}
<span class="hljs-attribute">forwardAuthorizationCredentials</span>=<span class="hljs-literal">true</span>
@@ -322,12 +335,39 @@ The broker side configuration file is the same with the above `broker.conf`, you
```bash
<span class="hljs-attribute">superUserRoles</span>=client/{clientIp}@EXAMPLE.COM
</code></pre>
-<h2><a class="anchor" aria-hidden="true" id="regarding-authorization-between-bookkeeper-and-zookeeper"></a><a href="#regarding-authorization-between-bookkeeper-and-zookeeper" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.2 [...]
-<p>Adding <code>bookkeeperClientAuthenticationPlugin</code> parameter in <code>broker.conf</code> is a prerequisite for Broker (as a Kerberos client) being authenticated by Bookie (as a Kerberos Server):</p>
+<h2><a class="anchor" aria-hidden="true" id="regarding-authentication-between-zookeeper-and-broker"></a><a href="#regarding-authentication-between-zookeeper-and-broker" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2. [...]
+<p>Pulsar Broker acts as a Kerberos client when authenticating with Zookeeper. According to <a href="https://cwiki.apache.org/confluence/display/ZOOKEEPER/Client-Server+mutual+authentication">ZooKeeper document</a>, you need these settings in <code>conf/zookeeper.conf</code>:</p>
+<pre><code class="hljs">authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
+requireClientAuthScheme=sasl
+</code></pre>
+<p>And add a section of <code>Client</code> configurations in the file <code>pulsar_jaas.conf</code>, which is used by Pulsar Broker:</p>
+<pre><code class="hljs"> Client {
+ com.sun.security.auth.module.Krb5LoginModule required
+ useKeyTab=true
+ storeKey=true
+ useTicketCache=false
+ keyTab="/etc/security/keytabs/pulsarbroker.keytab"
+ principal="broker/localhost@EXAMPLE.COM";
+};
+</code></pre>
+<p>In this setting, Pulsar Broker's principal and keyTab file indicates Broker's role when authenticating with ZooKeeper.</p>
+<h2><a class="anchor" aria-hidden="true" id="regarding-authentication-between-bookkeeper-and-broker"></a><a href="#regarding-authentication-between-bookkeeper-and-broker" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 [...]
+<p>Pulsar Broker acts as a Kerberos client when authenticating with Bookie. According to <a href="http://bookkeeper.apache.org/docs/latest/security/sasl/">BookKeeper document</a>, you need to add <code>bookkeeperClientAuthenticationPlugin</code> parameter in <code>broker.conf</code>:</p>
<pre><code class="hljs">bookkeeperClientAuthenticationPlugin=org.apache.bookkeeper.sasl.SASLClientProviderFactory
</code></pre>
-<p>For more details of how to configure Kerberos for BookKeeper and Zookeeper, refer to <a href="http://bookkeeper.apache.org/docs/latest/security/sasl/">BookKeeper document</a>.</p>
-</span></div></article></div><div class="docs-prevnext"><a class="docs-prev button" href="/docs/fr/next/security-athenz"><span class="arrow-prev">← </span><span>Authentication using Athenz</span></a><a class="docs-next button" href="/docs/fr/next/security-authorization"><span>Authorization and ACLs</span><span class="arrow-next"> →</span></a></div></div></div><nav class="onPageNav"><ul class="toc-headings"><li><a href="#configuration-for-kerberos-between-client-and-broker">Configuration [...]
+<p>In this setting, <code>SASLClientProviderFactory</code> creates a BookKeeper SASL client in a Broker, and the Broker uses the created SASL client to authenticate with a Bookie node.</p>
+<p>And add a section of <code>BookKeeper</code> configurations in the <code>pulsar_jaas.conf</code> that used by Pulsar Broker:</p>
+<pre><code class="hljs"> BookKeeper {
+ com.sun.security.auth.module.Krb5LoginModule required
+ useKeyTab=true
+ storeKey=true
+ useTicketCache=false
+ keyTab="/etc/security/keytabs/pulsarbroker.keytab"
+ principal="broker/localhost@EXAMPLE.COM";
+};
+</code></pre>
+<p>In this setting, Pulsar Broker's principal and keyTab file indicates Broker's role when authenticating with Bookie.</p>
+</span></div></article></div><div class="docs-prevnext"><a class="docs-prev button" href="/docs/fr/next/security-athenz"><span class="arrow-prev">← </span><span>Authentication using Athenz</span></a><a class="docs-next button" href="/docs/fr/next/security-authorization"><span>Authorization and ACLs</span><span class="arrow-next"> →</span></a></div></div></div><nav class="onPageNav"><ul class="toc-headings"><li><a href="#configuration-for-kerberos-between-client-and-broker">Configuration [...]
const community = document.querySelector("a[href='#community']").parentNode;
const communityMenu =
'<li>' +
diff --git a/content/docs/fr/security-kerberos.html b/content/docs/fr/security-kerberos.html
index 98ae708..796afba 100644
--- a/content/docs/fr/security-kerberos.html
+++ b/content/docs/fr/security-kerberos.html
@@ -93,6 +93,7 @@ sudo /usr/sbin/kadmin.local -q 'addprinc -randkey client/{hostname}@{REALM}'
sudo /usr/sbin/kadmin.local -q "ktadd -k /etc/security/keytabs/{client-keytabname}.keytab client/{hostname}@{REALM}"
</code></pre>
<p>Note that it is a <em>Kerberos</em> requirement that all your hosts can be resolved with their FQDNs.</p>
+<p>The first part of Broker principal (for example, <code>broker</code> in <code>broker/{hostname}@{REALM}</code>) is the <code>serverType</code> of each host, The suggested values of <code>serverType</code> are <code>broker</code> (host machine runs service Pulsar Broker) and <code>proxy</code> (host machine runs service Pulsar Proxy).</p>
<h4><a class="anchor" aria-hidden="true" id="configure-how-to-connect-to-kdc"></a><a href="#configure-how-to-connect-to-kdc" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 [...]
<p>You need to specify the path to the <code>krb5.conf</code> file for both client and broker side. The contents of <code>krb5.conf</code> file indicate the default Realm and KDC information. See <a href="https://docs.oracle.com/javase/8/docs/technotes/guides/security/jgss/tutorials/KerberosReq.html">JDK’s Kerberos Requirements</a> for more details.</p>
<pre><code class="hljs css language-shell">-Djava.security.krb5.conf=/etc/pulsar/krb5.conf
@@ -134,32 +135,41 @@ sudo /usr/sbin/kadmin.local -q "ktadd -k /etc/security/keytabs/{client-keytabnam
<p>In the <code>pulsar_jaas.conf</code> file above</p>
<ol>
<li><code>PulsarBroker</code> is a section name in the JAAS file used by each broker. This section tells the broker which principal to use inside Kerberos and the location of the keytab where the principal is stored. It allows the broker to use the keytab specified in this section.</li>
-<li><code>PulsarClient</code> is a section name in the JASS file used by each client. This section tells the client which principal to use inside Kerberos and the location of the keytab where the principal is stored. It allows the client to use the keytab specified in this section.</li>
+<li><code>PulsarClient</code> is a section name in the JASS file used by each client. This section tells the client which principal to use inside Kerberos and the location of the keytab where the principal is stored. It allows the client to use the keytab specified in this section. In the following example, this <code>PulsarClient</code> section will also be reused in both the Pulsar internal admin configuration and in CLI command of <code>bin/pulsar-client</code>, <code>bin/pulsar-perf< [...]
</ol>
-<p>It is also a choice to have 2 separate JAAS configuration files: the file for broker will only have <code>PulsarBroker</code> section; while the one for client only have <code>PulsarClient</code> section.</p>
+<p>You can have 2 separate JAAS configuration files:</p>
+<ul>
+<li>the file for a broker has sections of both <code>PulsarBroker</code> and <code>PulsarClient</code>;</li>
+<li>the file for a client only has a <code>PulsarClient</code> section.</li>
+</ul>
<h3><a class="anchor" aria-hidden="true" id="kerberos-configuration-for-brokers"></a><a href="#kerberos-configuration-for-brokers" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5 [...]
-<ol>
-<li>In the <code>broker.conf</code> file, set Kerberos related configuration.</li>
-</ol>
+<h4><a class="anchor" aria-hidden="true" id="configure-brokerconf-file"></a><a href="#configure-brokerconf-file" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c [...]
+<p>In the <code>broker.conf</code> file, set Kerberos related configurations.</p>
<ul>
<li><p>Set <code>authenticationEnabled</code> to <code>true</code>;</p></li>
<li><p>Set <code>authenticationProviders</code> to choose <code>AuthenticationProviderSasl</code>;</p></li>
-<li><p>Set <code>saslJaasClientAllowedIds</code> regex for principal that is allowed to connect to broker.</p></li>
-<li><p>Set <code>saslJaasBrokerSectionName</code> that corresponding to the section in JAAS configuration file for broker.</p>
+<li><p>Set <code>saslJaasClientAllowedIds</code> regex for principal that is allowed to connect to broker;</p></li>
+<li><p>Set <code>saslJaasBrokerSectionName</code> that corresponding to the section in JAAS configuration file for broker;</p>
+<p>To make Pulsar internal admin client work properly, you need to set the configuration in the <code>broker.conf</code> file as below:</p></li>
+<li><p>Set <code>brokerClientAuthenticationPlugin</code> to client plugin <code>AuthenticationSasl</code>;</p></li>
+<li><p>Set <code>brokerClientAuthenticationParameters</code> to value in JSON string <code>{"saslJaasClientSectionName":"PulsarClient", "serverType":"broker"}</code>, in which <code>PulsarClient</code> is the section name in above <code>pulsar_jaas.conf</code> file, and <code>"serverType":"broker"</code> indicate that internal admin client will connect to a Pulsar Broker;</p>
<p>Here is an example:</p>
<p>authenticationEnabled=true
authenticationProviders=org.apache.pulsar.broker.authentication.AuthenticationProviderSasl
saslJaasClientAllowedIds=.<em>client.</em>
-saslJaasBrokerSectionName=PulsarBroker</p></li>
+saslJaasBrokerSectionName=PulsarBroker</p>
+<h2><a class="anchor" aria-hidden="true" id="authentication-settings-of-the-broker-itself-used-when-the-broker-connects-to-other-brokers"></a><a href="#authentication-settings-of-the-broker-itself-used-when-the-broker-connects-to-other-brokers" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2. [...]
+<p>brokerClientAuthenticationPlugin=org.apache.pulsar.client.impl.auth.AuthenticationSasl
+brokerClientAuthenticationParameters={"saslJaasClientSectionName":"PulsarClient", "serverType":"broker"}</p></li>
</ul>
-<ol start="2">
-<li>Set JVM parameter for JAAS configuration file and krb5 configuration file with additional option.</li>
-</ol>
+<h4><a class="anchor" aria-hidden="true" id="set-broker-jvm-parameter"></a><a href="#set-broker-jvm-parameter" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-. [...]
+<p>Set JVM parameters for JAAS configuration file and krb5 configuration file with additional options.</p>
<pre><code class="hljs css language-shell"> -Djava.security.auth.login.config=/etc/pulsar/pulsar_jaas.conf -Djava.security.krb5.conf=/etc/pulsar/krb5.conf
</code></pre>
<p>You can add this at the end of <code>PULSAR_EXTRA_OPTS</code> in the file <a href="https://github.com/apache/pulsar/blob/master/conf/pulsar_env.sh"><code>pulsar_env.sh</code></a></p>
<p>Make sure that the keytabs configured in the <code>pulsar_jaas.conf</code> file and kdc server in the <code>krb5.conf</code> file are reachable by the operating system user who is starting broker.</p>
<h3><a class="anchor" aria-hidden="true" id="kerberos-configuration-for-clients"></a><a href="#kerberos-configuration-for-clients" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5 [...]
+<h4><a class="anchor" aria-hidden="true" id="java-client-and-java-admin-client"></a><a href="#java-client-and-java-admin-client" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S1 [...]
<p>In client application, include <code>pulsar-client-auth-sasl</code> in your project dependency.</p>
<pre><code class="hljs"> <dependency>
<groupId>org.apache.pulsar</groupId>
@@ -198,20 +208,23 @@ java -cp -Djava.security.auth.login.<span class="hljs-attribute">config</span>=/
<br />Make sure that the keytabs configured <span class="hljs-keyword">in</span> the `pulsar_jaas.conf` file <span class="hljs-keyword">and</span> kdc<span class="hljs-built_in"> server </span><span class="hljs-keyword">in</span> the `krb5.conf` file are reachable by the operating<span class="hljs-built_in"> system user </span>who is starting pulsar client.
- <span class="hljs-keyword">If</span> you are using command line, you can continue with these <span class="hljs-keyword">step</span>:
+ #### Configure CLI tools
+
+ <span class="hljs-keyword">If</span> you are using a command-line<span class="hljs-built_in"> tool </span>(such as `bin/pulsar-client`, `bin/pulsar-perf` <span class="hljs-keyword">and</span> `bin/pulsar-admin`), you need <span class="hljs-keyword">to</span> preform the following steps:
- 1.<span class="hljs-built_in"> Config </span>your `client.conf`:
+ <span class="hljs-keyword">Step</span> 1.<span class="hljs-built_in"> Config </span>your `client.conf`.
```shell
<span class="hljs-attribute">authPlugin</span>=org.apache.pulsar.client.impl.auth.AuthenticationSasl
authParams={<span class="hljs-string">"saslJaasClientSectionName"</span>:<span class="hljs-string">"PulsarClient"</span>, <span class="hljs-string">"serverType"</span>:<span class="hljs-string">"broker"</span>}
-2. <span class="hljs-builtin-name">Set</span> JVM parameter <span class="hljs-keyword">for</span> JAAS configuration file <span class="hljs-keyword">and</span> krb5 configuration file with additional option.
+<span class="hljs-keyword">Step</span> 2. <span class="hljs-builtin-name">Set</span> JVM parameters <span class="hljs-keyword">for</span> JAAS configuration file <span class="hljs-keyword">and</span> krb5 configuration file with additional options.
```shell
-Djava.security.auth.login.<span class="hljs-attribute">config</span>=/etc/pulsar/pulsar_jaas.conf -Djava.security.krb5.<span class="hljs-attribute">conf</span>=/etc/pulsar/krb5.conf
</code></pre>
-<p>You can add this at the end of <code>PULSAR_EXTRA_OPTS</code> in the file <a href="https://github.com/apache/pulsar/blob/master/conf/pulsar_tools_env.sh"><code>pulsar_tools_env.sh</code></a></p>
+<p>You can add this at the end of <code>PULSAR_EXTRA_OPTS</code> in the file <a href="https://github.com/apache/pulsar/blob/master/conf/pulsar_tools_env.sh"><code>pulsar_tools_env.sh</code></a>, or add this line <code>OPTS="$OPTS -Djava.security.auth.login.config=/etc/pulsar/pulsar_jaas.conf -Djava.security.krb5.conf=/etc/pulsar/krb5.conf "</code> directly to the CLI tool script.</p>
+<p>The meaning of configurations is the same as that in Java client section.</p>
<h2><a class="anchor" aria-hidden="true" id="kerberos-configuration-for-working-with-pulsar-proxy"></a><a href="#kerberos-configuration-for-working-with-pulsar-proxy" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S [...]
<p>With the above configuration, client and broker can do authentication using Kerberos.</p>
<p>If a client wants to connect to Pulsar Proxy, it is a little different. Client (as a SASL client in Kerberos) will be authenticated by Pulsar Proxy (as a SASL Server in Kerberos) first; and then Pulsar Proxy will be authenticated by Pulsar broker.</p>
@@ -293,7 +306,7 @@ java -cp -Djava.security.auth.login.<span class="hljs-attribute">config</span>=/
## related <span class="hljs-keyword">to</span> be authenticated by broker
<span class="hljs-attribute">brokerClientAuthenticationPlugin</span>=org.apache.pulsar.client.impl.auth.AuthenticationSasl
- <span class="hljs-attribute">brokerClientAuthenticationParameters</span>=saslJaasClientSectionName:PulsarProxy,serverType:broker
+ brokerClientAuthenticationParameters={<span class="hljs-string">"saslJaasClientSectionName"</span>:<span class="hljs-string">"PulsarProxy"</span>, <span class="hljs-string">"serverType"</span>:<span class="hljs-string">"broker"</span>}
<span class="hljs-attribute">forwardAuthorizationCredentials</span>=<span class="hljs-literal">true</span>
@@ -322,12 +335,39 @@ The broker side configuration file is the same with the above `broker.conf`, you
```bash
<span class="hljs-attribute">superUserRoles</span>=client/{clientIp}@EXAMPLE.COM
</code></pre>
-<h2><a class="anchor" aria-hidden="true" id="regarding-authorization-between-bookkeeper-and-zookeeper"></a><a href="#regarding-authorization-between-bookkeeper-and-zookeeper" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.2 [...]
-<p>Adding <code>bookkeeperClientAuthenticationPlugin</code> parameter in <code>broker.conf</code> is a prerequisite for Broker (as a Kerberos client) being authenticated by Bookie (as a Kerberos Server):</p>
+<h2><a class="anchor" aria-hidden="true" id="regarding-authentication-between-zookeeper-and-broker"></a><a href="#regarding-authentication-between-zookeeper-and-broker" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2. [...]
+<p>Pulsar Broker acts as a Kerberos client when authenticating with Zookeeper. According to <a href="https://cwiki.apache.org/confluence/display/ZOOKEEPER/Client-Server+mutual+authentication">ZooKeeper document</a>, you need these settings in <code>conf/zookeeper.conf</code>:</p>
+<pre><code class="hljs">authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
+requireClientAuthScheme=sasl
+</code></pre>
+<p>And add a section of <code>Client</code> configurations in the file <code>pulsar_jaas.conf</code>, which is used by Pulsar Broker:</p>
+<pre><code class="hljs"> Client {
+ com.sun.security.auth.module.Krb5LoginModule required
+ useKeyTab=true
+ storeKey=true
+ useTicketCache=false
+ keyTab="/etc/security/keytabs/pulsarbroker.keytab"
+ principal="broker/localhost@EXAMPLE.COM";
+};
+</code></pre>
+<p>In this setting, Pulsar Broker's principal and keyTab file indicates Broker's role when authenticating with ZooKeeper.</p>
+<h2><a class="anchor" aria-hidden="true" id="regarding-authentication-between-bookkeeper-and-broker"></a><a href="#regarding-authentication-between-bookkeeper-and-broker" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 [...]
+<p>Pulsar Broker acts as a Kerberos client when authenticating with Bookie. According to <a href="http://bookkeeper.apache.org/docs/latest/security/sasl/">BookKeeper document</a>, you need to add <code>bookkeeperClientAuthenticationPlugin</code> parameter in <code>broker.conf</code>:</p>
<pre><code class="hljs">bookkeeperClientAuthenticationPlugin=org.apache.bookkeeper.sasl.SASLClientProviderFactory
</code></pre>
-<p>For more details of how to configure Kerberos for BookKeeper and Zookeeper, refer to <a href="http://bookkeeper.apache.org/docs/latest/security/sasl/">BookKeeper document</a>.</p>
-</span></div></article></div><div class="docs-prevnext"><a class="docs-prev button" href="/docs/fr/security-athenz"><span class="arrow-prev">← </span><span>Authentication using Athenz</span></a><a class="docs-next button" href="/docs/fr/security-authorization"><span>Authorization and ACLs</span><span class="arrow-next"> →</span></a></div></div></div><nav class="onPageNav"><ul class="toc-headings"><li><a href="#configuration-for-kerberos-between-client-and-broker">Configuration for Kerber [...]
+<p>In this setting, <code>SASLClientProviderFactory</code> creates a BookKeeper SASL client in a Broker, and the Broker uses the created SASL client to authenticate with a Bookie node.</p>
+<p>And add a section of <code>BookKeeper</code> configurations in the <code>pulsar_jaas.conf</code> that used by Pulsar Broker:</p>
+<pre><code class="hljs"> BookKeeper {
+ com.sun.security.auth.module.Krb5LoginModule required
+ useKeyTab=true
+ storeKey=true
+ useTicketCache=false
+ keyTab="/etc/security/keytabs/pulsarbroker.keytab"
+ principal="broker/localhost@EXAMPLE.COM";
+};
+</code></pre>
+<p>In this setting, Pulsar Broker's principal and keyTab file indicates Broker's role when authenticating with Bookie.</p>
+</span></div></article></div><div class="docs-prevnext"><a class="docs-prev button" href="/docs/fr/security-athenz"><span class="arrow-prev">← </span><span>Authentication using Athenz</span></a><a class="docs-next button" href="/docs/fr/security-authorization"><span>Authorization and ACLs</span><span class="arrow-next"> →</span></a></div></div></div><nav class="onPageNav"><ul class="toc-headings"><li><a href="#configuration-for-kerberos-between-client-and-broker">Configuration for Kerber [...]
const community = document.querySelector("a[href='#community']").parentNode;
const communityMenu =
'<li>' +
diff --git a/content/docs/fr/security-kerberos/index.html b/content/docs/fr/security-kerberos/index.html
index 98ae708..796afba 100644
--- a/content/docs/fr/security-kerberos/index.html
+++ b/content/docs/fr/security-kerberos/index.html
@@ -93,6 +93,7 @@ sudo /usr/sbin/kadmin.local -q 'addprinc -randkey client/{hostname}@{REALM}'
sudo /usr/sbin/kadmin.local -q "ktadd -k /etc/security/keytabs/{client-keytabname}.keytab client/{hostname}@{REALM}"
</code></pre>
<p>Note that it is a <em>Kerberos</em> requirement that all your hosts can be resolved with their FQDNs.</p>
+<p>The first part of Broker principal (for example, <code>broker</code> in <code>broker/{hostname}@{REALM}</code>) is the <code>serverType</code> of each host, The suggested values of <code>serverType</code> are <code>broker</code> (host machine runs service Pulsar Broker) and <code>proxy</code> (host machine runs service Pulsar Proxy).</p>
<h4><a class="anchor" aria-hidden="true" id="configure-how-to-connect-to-kdc"></a><a href="#configure-how-to-connect-to-kdc" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 [...]
<p>You need to specify the path to the <code>krb5.conf</code> file for both client and broker side. The contents of <code>krb5.conf</code> file indicate the default Realm and KDC information. See <a href="https://docs.oracle.com/javase/8/docs/technotes/guides/security/jgss/tutorials/KerberosReq.html">JDK’s Kerberos Requirements</a> for more details.</p>
<pre><code class="hljs css language-shell">-Djava.security.krb5.conf=/etc/pulsar/krb5.conf
@@ -134,32 +135,41 @@ sudo /usr/sbin/kadmin.local -q "ktadd -k /etc/security/keytabs/{client-keytabnam
<p>In the <code>pulsar_jaas.conf</code> file above</p>
<ol>
<li><code>PulsarBroker</code> is a section name in the JAAS file used by each broker. This section tells the broker which principal to use inside Kerberos and the location of the keytab where the principal is stored. It allows the broker to use the keytab specified in this section.</li>
-<li><code>PulsarClient</code> is a section name in the JASS file used by each client. This section tells the client which principal to use inside Kerberos and the location of the keytab where the principal is stored. It allows the client to use the keytab specified in this section.</li>
+<li><code>PulsarClient</code> is a section name in the JASS file used by each client. This section tells the client which principal to use inside Kerberos and the location of the keytab where the principal is stored. It allows the client to use the keytab specified in this section. In the following example, this <code>PulsarClient</code> section will also be reused in both the Pulsar internal admin configuration and in CLI command of <code>bin/pulsar-client</code>, <code>bin/pulsar-perf< [...]
</ol>
-<p>It is also a choice to have 2 separate JAAS configuration files: the file for broker will only have <code>PulsarBroker</code> section; while the one for client only have <code>PulsarClient</code> section.</p>
+<p>You can have 2 separate JAAS configuration files:</p>
+<ul>
+<li>the file for a broker has sections of both <code>PulsarBroker</code> and <code>PulsarClient</code>;</li>
+<li>the file for a client only has a <code>PulsarClient</code> section.</li>
+</ul>
<h3><a class="anchor" aria-hidden="true" id="kerberos-configuration-for-brokers"></a><a href="#kerberos-configuration-for-brokers" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5 [...]
-<ol>
-<li>In the <code>broker.conf</code> file, set Kerberos related configuration.</li>
-</ol>
+<h4><a class="anchor" aria-hidden="true" id="configure-brokerconf-file"></a><a href="#configure-brokerconf-file" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c [...]
+<p>In the <code>broker.conf</code> file, set Kerberos related configurations.</p>
<ul>
<li><p>Set <code>authenticationEnabled</code> to <code>true</code>;</p></li>
<li><p>Set <code>authenticationProviders</code> to choose <code>AuthenticationProviderSasl</code>;</p></li>
-<li><p>Set <code>saslJaasClientAllowedIds</code> regex for principal that is allowed to connect to broker.</p></li>
-<li><p>Set <code>saslJaasBrokerSectionName</code> that corresponding to the section in JAAS configuration file for broker.</p>
+<li><p>Set <code>saslJaasClientAllowedIds</code> regex for principal that is allowed to connect to broker;</p></li>
+<li><p>Set <code>saslJaasBrokerSectionName</code> that corresponding to the section in JAAS configuration file for broker;</p>
+<p>To make Pulsar internal admin client work properly, you need to set the configuration in the <code>broker.conf</code> file as below:</p></li>
+<li><p>Set <code>brokerClientAuthenticationPlugin</code> to client plugin <code>AuthenticationSasl</code>;</p></li>
+<li><p>Set <code>brokerClientAuthenticationParameters</code> to value in JSON string <code>{"saslJaasClientSectionName":"PulsarClient", "serverType":"broker"}</code>, in which <code>PulsarClient</code> is the section name in above <code>pulsar_jaas.conf</code> file, and <code>"serverType":"broker"</code> indicate that internal admin client will connect to a Pulsar Broker;</p>
<p>Here is an example:</p>
<p>authenticationEnabled=true
authenticationProviders=org.apache.pulsar.broker.authentication.AuthenticationProviderSasl
saslJaasClientAllowedIds=.<em>client.</em>
-saslJaasBrokerSectionName=PulsarBroker</p></li>
+saslJaasBrokerSectionName=PulsarBroker</p>
+<h2><a class="anchor" aria-hidden="true" id="authentication-settings-of-the-broker-itself-used-when-the-broker-connects-to-other-brokers"></a><a href="#authentication-settings-of-the-broker-itself-used-when-the-broker-connects-to-other-brokers" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2. [...]
+<p>brokerClientAuthenticationPlugin=org.apache.pulsar.client.impl.auth.AuthenticationSasl
+brokerClientAuthenticationParameters={"saslJaasClientSectionName":"PulsarClient", "serverType":"broker"}</p></li>
</ul>
-<ol start="2">
-<li>Set JVM parameter for JAAS configuration file and krb5 configuration file with additional option.</li>
-</ol>
+<h4><a class="anchor" aria-hidden="true" id="set-broker-jvm-parameter"></a><a href="#set-broker-jvm-parameter" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-. [...]
+<p>Set JVM parameters for JAAS configuration file and krb5 configuration file with additional options.</p>
<pre><code class="hljs css language-shell"> -Djava.security.auth.login.config=/etc/pulsar/pulsar_jaas.conf -Djava.security.krb5.conf=/etc/pulsar/krb5.conf
</code></pre>
<p>You can add this at the end of <code>PULSAR_EXTRA_OPTS</code> in the file <a href="https://github.com/apache/pulsar/blob/master/conf/pulsar_env.sh"><code>pulsar_env.sh</code></a></p>
<p>Make sure that the keytabs configured in the <code>pulsar_jaas.conf</code> file and kdc server in the <code>krb5.conf</code> file are reachable by the operating system user who is starting broker.</p>
<h3><a class="anchor" aria-hidden="true" id="kerberos-configuration-for-clients"></a><a href="#kerberos-configuration-for-clients" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5 [...]
+<h4><a class="anchor" aria-hidden="true" id="java-client-and-java-admin-client"></a><a href="#java-client-and-java-admin-client" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S1 [...]
<p>In client application, include <code>pulsar-client-auth-sasl</code> in your project dependency.</p>
<pre><code class="hljs"> <dependency>
<groupId>org.apache.pulsar</groupId>
@@ -198,20 +208,23 @@ java -cp -Djava.security.auth.login.<span class="hljs-attribute">config</span>=/
<br />Make sure that the keytabs configured <span class="hljs-keyword">in</span> the `pulsar_jaas.conf` file <span class="hljs-keyword">and</span> kdc<span class="hljs-built_in"> server </span><span class="hljs-keyword">in</span> the `krb5.conf` file are reachable by the operating<span class="hljs-built_in"> system user </span>who is starting pulsar client.
- <span class="hljs-keyword">If</span> you are using command line, you can continue with these <span class="hljs-keyword">step</span>:
+ #### Configure CLI tools
+
+ <span class="hljs-keyword">If</span> you are using a command-line<span class="hljs-built_in"> tool </span>(such as `bin/pulsar-client`, `bin/pulsar-perf` <span class="hljs-keyword">and</span> `bin/pulsar-admin`), you need <span class="hljs-keyword">to</span> preform the following steps:
- 1.<span class="hljs-built_in"> Config </span>your `client.conf`:
+ <span class="hljs-keyword">Step</span> 1.<span class="hljs-built_in"> Config </span>your `client.conf`.
```shell
<span class="hljs-attribute">authPlugin</span>=org.apache.pulsar.client.impl.auth.AuthenticationSasl
authParams={<span class="hljs-string">"saslJaasClientSectionName"</span>:<span class="hljs-string">"PulsarClient"</span>, <span class="hljs-string">"serverType"</span>:<span class="hljs-string">"broker"</span>}
-2. <span class="hljs-builtin-name">Set</span> JVM parameter <span class="hljs-keyword">for</span> JAAS configuration file <span class="hljs-keyword">and</span> krb5 configuration file with additional option.
+<span class="hljs-keyword">Step</span> 2. <span class="hljs-builtin-name">Set</span> JVM parameters <span class="hljs-keyword">for</span> JAAS configuration file <span class="hljs-keyword">and</span> krb5 configuration file with additional options.
```shell
-Djava.security.auth.login.<span class="hljs-attribute">config</span>=/etc/pulsar/pulsar_jaas.conf -Djava.security.krb5.<span class="hljs-attribute">conf</span>=/etc/pulsar/krb5.conf
</code></pre>
-<p>You can add this at the end of <code>PULSAR_EXTRA_OPTS</code> in the file <a href="https://github.com/apache/pulsar/blob/master/conf/pulsar_tools_env.sh"><code>pulsar_tools_env.sh</code></a></p>
+<p>You can add this at the end of <code>PULSAR_EXTRA_OPTS</code> in the file <a href="https://github.com/apache/pulsar/blob/master/conf/pulsar_tools_env.sh"><code>pulsar_tools_env.sh</code></a>, or add this line <code>OPTS="$OPTS -Djava.security.auth.login.config=/etc/pulsar/pulsar_jaas.conf -Djava.security.krb5.conf=/etc/pulsar/krb5.conf "</code> directly to the CLI tool script.</p>
+<p>The meaning of configurations is the same as that in Java client section.</p>
<h2><a class="anchor" aria-hidden="true" id="kerberos-configuration-for-working-with-pulsar-proxy"></a><a href="#kerberos-configuration-for-working-with-pulsar-proxy" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S [...]
<p>With the above configuration, client and broker can do authentication using Kerberos.</p>
<p>If a client wants to connect to Pulsar Proxy, it is a little different. Client (as a SASL client in Kerberos) will be authenticated by Pulsar Proxy (as a SASL Server in Kerberos) first; and then Pulsar Proxy will be authenticated by Pulsar broker.</p>
@@ -293,7 +306,7 @@ java -cp -Djava.security.auth.login.<span class="hljs-attribute">config</span>=/
## related <span class="hljs-keyword">to</span> be authenticated by broker
<span class="hljs-attribute">brokerClientAuthenticationPlugin</span>=org.apache.pulsar.client.impl.auth.AuthenticationSasl
- <span class="hljs-attribute">brokerClientAuthenticationParameters</span>=saslJaasClientSectionName:PulsarProxy,serverType:broker
+ brokerClientAuthenticationParameters={<span class="hljs-string">"saslJaasClientSectionName"</span>:<span class="hljs-string">"PulsarProxy"</span>, <span class="hljs-string">"serverType"</span>:<span class="hljs-string">"broker"</span>}
<span class="hljs-attribute">forwardAuthorizationCredentials</span>=<span class="hljs-literal">true</span>
@@ -322,12 +335,39 @@ The broker side configuration file is the same with the above `broker.conf`, you
```bash
<span class="hljs-attribute">superUserRoles</span>=client/{clientIp}@EXAMPLE.COM
</code></pre>
-<h2><a class="anchor" aria-hidden="true" id="regarding-authorization-between-bookkeeper-and-zookeeper"></a><a href="#regarding-authorization-between-bookkeeper-and-zookeeper" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.2 [...]
-<p>Adding <code>bookkeeperClientAuthenticationPlugin</code> parameter in <code>broker.conf</code> is a prerequisite for Broker (as a Kerberos client) being authenticated by Bookie (as a Kerberos Server):</p>
+<h2><a class="anchor" aria-hidden="true" id="regarding-authentication-between-zookeeper-and-broker"></a><a href="#regarding-authentication-between-zookeeper-and-broker" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2. [...]
+<p>Pulsar Broker acts as a Kerberos client when authenticating with Zookeeper. According to <a href="https://cwiki.apache.org/confluence/display/ZOOKEEPER/Client-Server+mutual+authentication">ZooKeeper document</a>, you need these settings in <code>conf/zookeeper.conf</code>:</p>
+<pre><code class="hljs">authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
+requireClientAuthScheme=sasl
+</code></pre>
+<p>And add a section of <code>Client</code> configurations in the file <code>pulsar_jaas.conf</code>, which is used by Pulsar Broker:</p>
+<pre><code class="hljs"> Client {
+ com.sun.security.auth.module.Krb5LoginModule required
+ useKeyTab=true
+ storeKey=true
+ useTicketCache=false
+ keyTab="/etc/security/keytabs/pulsarbroker.keytab"
+ principal="broker/localhost@EXAMPLE.COM";
+};
+</code></pre>
+<p>In this setting, Pulsar Broker's principal and keyTab file indicates Broker's role when authenticating with ZooKeeper.</p>
+<h2><a class="anchor" aria-hidden="true" id="regarding-authentication-between-bookkeeper-and-broker"></a><a href="#regarding-authentication-between-bookkeeper-and-broker" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 [...]
+<p>Pulsar Broker acts as a Kerberos client when authenticating with Bookie. According to <a href="http://bookkeeper.apache.org/docs/latest/security/sasl/">BookKeeper document</a>, you need to add <code>bookkeeperClientAuthenticationPlugin</code> parameter in <code>broker.conf</code>:</p>
<pre><code class="hljs">bookkeeperClientAuthenticationPlugin=org.apache.bookkeeper.sasl.SASLClientProviderFactory
</code></pre>
-<p>For more details of how to configure Kerberos for BookKeeper and Zookeeper, refer to <a href="http://bookkeeper.apache.org/docs/latest/security/sasl/">BookKeeper document</a>.</p>
-</span></div></article></div><div class="docs-prevnext"><a class="docs-prev button" href="/docs/fr/security-athenz"><span class="arrow-prev">← </span><span>Authentication using Athenz</span></a><a class="docs-next button" href="/docs/fr/security-authorization"><span>Authorization and ACLs</span><span class="arrow-next"> →</span></a></div></div></div><nav class="onPageNav"><ul class="toc-headings"><li><a href="#configuration-for-kerberos-between-client-and-broker">Configuration for Kerber [...]
+<p>In this setting, <code>SASLClientProviderFactory</code> creates a BookKeeper SASL client in a Broker, and the Broker uses the created SASL client to authenticate with a Bookie node.</p>
+<p>And add a section of <code>BookKeeper</code> configurations in the <code>pulsar_jaas.conf</code> that used by Pulsar Broker:</p>
+<pre><code class="hljs"> BookKeeper {
+ com.sun.security.auth.module.Krb5LoginModule required
+ useKeyTab=true
+ storeKey=true
+ useTicketCache=false
+ keyTab="/etc/security/keytabs/pulsarbroker.keytab"
+ principal="broker/localhost@EXAMPLE.COM";
+};
+</code></pre>
+<p>In this setting, Pulsar Broker's principal and keyTab file indicates Broker's role when authenticating with Bookie.</p>
+</span></div></article></div><div class="docs-prevnext"><a class="docs-prev button" href="/docs/fr/security-athenz"><span class="arrow-prev">← </span><span>Authentication using Athenz</span></a><a class="docs-next button" href="/docs/fr/security-authorization"><span>Authorization and ACLs</span><span class="arrow-next"> →</span></a></div></div></div><nav class="onPageNav"><ul class="toc-headings"><li><a href="#configuration-for-kerberos-between-client-and-broker">Configuration for Kerber [...]
const community = document.querySelector("a[href='#community']").parentNode;
const communityMenu =
'<li>' +
diff --git a/content/docs/ja/next/schema-get-started.html b/content/docs/ja/next/schema-get-started.html
index 3426c5a..38c2824 100644
--- a/content/docs/ja/next/schema-get-started.html
+++ b/content/docs/ja/next/schema-get-started.html
@@ -1,4 +1,4 @@
-<!DOCTYPE html><html lang="ja"><head><meta charSet="utf-8"/><meta http-equiv="X-UA-Compatible" content="IE=edge"/><title>Get started · Apache Pulsar</title><meta name="viewport" content="width=device-width"/><meta name="generator" content="Docusaurus"/><meta name="description" content="When a schema is enabled, Pulsar does parse data, it takes bytes as inputs and sends bytes as outputs. While data has meaning beyond bytes, you need to parse data and might encounter parse exceptions which [...]
+<!DOCTYPE html><html lang="ja"><head><meta charSet="utf-8"/><meta http-equiv="X-UA-Compatible" content="IE=edge"/><title>Get started · Apache Pulsar</title><meta name="viewport" content="width=device-width"/><meta name="generator" content="Docusaurus"/><meta name="description" content="## Schema Registry"/><meta name="docsearch:version" content="next"/><meta name="docsearch:language" content="ja"/><meta property="og:title" content="Get started · Apache Pulsar"/><meta property="og:type" c [...]
(function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){
(i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o),
m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m)
@@ -74,7 +74,20 @@
};
}
});
- </script></nav></div><div class="container mainContainer"><div class="wrapper"><div class="post"><header class="postHeader"><a class="edit-page-link button" href="https://crowdin.com/project/apache-pulsar/ja" target="_blank" rel="noreferrer noopener">Translate</a><h1 class="postHeaderTitle">Get started</h1></header><article><div><span><p>When a schema is enabled, Pulsar does parse data, it takes bytes as inputs and sends bytes as outputs. While data has meaning beyond bytes, you [...]
+ </script></nav></div><div class="container mainContainer"><div class="wrapper"><div class="post"><header class="postHeader"><a class="edit-page-link button" href="https://crowdin.com/project/apache-pulsar/ja" target="_blank" rel="noreferrer noopener">Translate</a><h1 class="postHeaderTitle">Get started</h1></header><article><div><span><h2><a class="anchor" aria-hidden="true" id="schema-registry"></a><a href="#schema-registry" aria-hidden="true" class="hash-link"><svg class="hash- [...]
+<p>Type safety is extremely important in any application built around a message bus like Pulsar.</p>
+<p>Producers and consumers need some kind of mechanism for coordinating types at the topic level to aviod various potential problems arise. For example, serialization and deserialization issues.</p>
+<p>Applications typically adopt one of the following approaches to guarantee type safety in messaging. Both approaches are available in Pulsar, and you're free to adopt one or the other or to mix and match on a per-topic basis.</p>
+<h3><a class="anchor" aria-hidden="true" id="client-side-approach"></a><a href="#client-side-approach" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1 [...]
+<p>Producers and consumers are responsible for not only serializing and deserializing messages (which consist of raw bytes) but also "knowing" which types are being transmitted via which topics.</p>
+<p>If a producer is sending temperature sensor data on the topic <code>topic-1</code>, consumers of that topic will run into trouble if they attempt to parse that data as moisture sensor readings.</p>
+<p>Producers and consumers can send and receive messages consisting of raw byte arrays and leave all type safety enforcement to the application on an "out-of-band" basis.</p>
+<h3><a class="anchor" aria-hidden="true" id="server-side-approach"></a><a href="#server-side-approach" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1 [...]
+<p>Producers and consumers inform the system which data types can be transmitted via the topic.</p>
+<p>With this approach, the messaging system enforces type safety and ensures that producers and consumers remain synced.</p>
+<p>Pulsar has a built-in <strong>schema registry</strong> that enables clients to upload data schemas on a per-topic basis. Those schemas dictate which data types are recognized as valid for that topic.</p>
+<h2><a class="anchor" aria-hidden="true" id="why-use-schema"></a><a href="#why-use-schema" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0- [...]
+<p>When a schema is enabled, Pulsar does parse data, it takes bytes as inputs and sends bytes as outputs. While data has meaning beyond bytes, you need to parse data and might encounter parse exceptions which mainly occur in the following situations:</p>
<ul>
<li><p>The field does not exist</p></li>
<li><p>The field type has changed (for example, <code>string</code> is changed to <code>int</code>)</p></li>
@@ -89,7 +102,7 @@
}
</code></pre>
<p>When constructing a producer with the <em>User</em> class, you can specify a schema or not as below.</p>
-<h2><a class="anchor" aria-hidden="true" id="without-schema"></a><a href="#without-schema" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0- [...]
+<h3><a class="anchor" aria-hidden="true" id="without-schema"></a><a href="#without-schema" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0- [...]
<p>If you construct a producer without specifying a schema, then the producer can only produce messages of type <code>byte[]</code>. If you have a POJO class, you need to serialize the POJO into bytes before sending messages.</p>
<p><strong>Example</strong></p>
<pre><code class="hljs">Producer<byte[]> producer = client.newProducer()
@@ -99,7 +112,7 @@ User user = new User(“Tom”, 28);
byte[] message = … // serialize the `user` by yourself;
producer.send(message);
</code></pre>
-<h2><a class="anchor" aria-hidden="true" id="with-schema"></a><a href="#with-schema" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42 [...]
+<h3><a class="anchor" aria-hidden="true" id="with-schema"></a><a href="#with-schema" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42 [...]
<p>If you construct a producer with specifying a schema, then you can send a class to a topic directly without worrying about how to serialize POJOs into bytes.</p>
<p><strong>Example</strong></p>
<p>This example constructs a producer with the <em>JSONSchema</em>, and you can send the <em>User</em> class to topics directly without worrying about how to serialize it into bytes.</p>
@@ -109,9 +122,9 @@ producer.send(message);
User user = new User(“Tom”, 28);
producer.send(User);
</code></pre>
-<h2><a class="anchor" aria-hidden="true" id="summary"></a><a href="#summary" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1- [...]
+<h3><a class="anchor" aria-hidden="true" id="summary"></a><a href="#summary" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1- [...]
<p>When constructing a producer with a schema, you do not need to serialize messages into bytes, instead Pulsar schema does this job in the background.</p>
-</span></div></article></div><div class="docs-prevnext"><a class="docs-prev button" href="/docs/ja/next/concepts-schema-registry"><span class="arrow-prev">← </span><span>Schema Registry</span></a><a class="docs-next button" href="/docs/ja/next/functions-overview"><span>概要</span><span class="arrow-next"> →</span></a></div></div></div><nav class="onPageNav"><ul class="toc-headings"><li><a href="#without-schema">Without schema</a></li><li><a href="#with-schema">With schema</a></li><li><a hr [...]
+</span></div></article></div><div class="docs-prevnext"><a class="docs-prev button" href="/docs/ja/next/concepts-schema-registry"><span class="arrow-prev">← </span><span>Schema Registry</span></a><a class="docs-next button" href="/docs/ja/next/functions-overview"><span>概要</span><span class="arrow-next"> →</span></a></div></div></div><nav class="onPageNav"><ul class="toc-headings"><li><a href="#schema-registry">Schema Registry</a><ul class="toc-headings"><li><a href="#client-side-approach [...]
const community = document.querySelector("a[href='#community']").parentNode;
const communityMenu =
'<li>' +
diff --git a/content/docs/ja/next/schema-get-started/index.html b/content/docs/ja/next/schema-get-started/index.html
index 3426c5a..38c2824 100644
--- a/content/docs/ja/next/schema-get-started/index.html
+++ b/content/docs/ja/next/schema-get-started/index.html
@@ -1,4 +1,4 @@
-<!DOCTYPE html><html lang="ja"><head><meta charSet="utf-8"/><meta http-equiv="X-UA-Compatible" content="IE=edge"/><title>Get started · Apache Pulsar</title><meta name="viewport" content="width=device-width"/><meta name="generator" content="Docusaurus"/><meta name="description" content="When a schema is enabled, Pulsar does parse data, it takes bytes as inputs and sends bytes as outputs. While data has meaning beyond bytes, you need to parse data and might encounter parse exceptions which [...]
+<!DOCTYPE html><html lang="ja"><head><meta charSet="utf-8"/><meta http-equiv="X-UA-Compatible" content="IE=edge"/><title>Get started · Apache Pulsar</title><meta name="viewport" content="width=device-width"/><meta name="generator" content="Docusaurus"/><meta name="description" content="## Schema Registry"/><meta name="docsearch:version" content="next"/><meta name="docsearch:language" content="ja"/><meta property="og:title" content="Get started · Apache Pulsar"/><meta property="og:type" c [...]
(function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){
(i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o),
m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m)
@@ -74,7 +74,20 @@
};
}
});
- </script></nav></div><div class="container mainContainer"><div class="wrapper"><div class="post"><header class="postHeader"><a class="edit-page-link button" href="https://crowdin.com/project/apache-pulsar/ja" target="_blank" rel="noreferrer noopener">Translate</a><h1 class="postHeaderTitle">Get started</h1></header><article><div><span><p>When a schema is enabled, Pulsar does parse data, it takes bytes as inputs and sends bytes as outputs. While data has meaning beyond bytes, you [...]
+ </script></nav></div><div class="container mainContainer"><div class="wrapper"><div class="post"><header class="postHeader"><a class="edit-page-link button" href="https://crowdin.com/project/apache-pulsar/ja" target="_blank" rel="noreferrer noopener">Translate</a><h1 class="postHeaderTitle">Get started</h1></header><article><div><span><h2><a class="anchor" aria-hidden="true" id="schema-registry"></a><a href="#schema-registry" aria-hidden="true" class="hash-link"><svg class="hash- [...]
+<p>Type safety is extremely important in any application built around a message bus like Pulsar.</p>
+<p>Producers and consumers need some kind of mechanism for coordinating types at the topic level to aviod various potential problems arise. For example, serialization and deserialization issues.</p>
+<p>Applications typically adopt one of the following approaches to guarantee type safety in messaging. Both approaches are available in Pulsar, and you're free to adopt one or the other or to mix and match on a per-topic basis.</p>
+<h3><a class="anchor" aria-hidden="true" id="client-side-approach"></a><a href="#client-side-approach" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1 [...]
+<p>Producers and consumers are responsible for not only serializing and deserializing messages (which consist of raw bytes) but also "knowing" which types are being transmitted via which topics.</p>
+<p>If a producer is sending temperature sensor data on the topic <code>topic-1</code>, consumers of that topic will run into trouble if they attempt to parse that data as moisture sensor readings.</p>
+<p>Producers and consumers can send and receive messages consisting of raw byte arrays and leave all type safety enforcement to the application on an "out-of-band" basis.</p>
+<h3><a class="anchor" aria-hidden="true" id="server-side-approach"></a><a href="#server-side-approach" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1 [...]
+<p>Producers and consumers inform the system which data types can be transmitted via the topic.</p>
+<p>With this approach, the messaging system enforces type safety and ensures that producers and consumers remain synced.</p>
+<p>Pulsar has a built-in <strong>schema registry</strong> that enables clients to upload data schemas on a per-topic basis. Those schemas dictate which data types are recognized as valid for that topic.</p>
+<h2><a class="anchor" aria-hidden="true" id="why-use-schema"></a><a href="#why-use-schema" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0- [...]
+<p>When a schema is enabled, Pulsar does parse data, it takes bytes as inputs and sends bytes as outputs. While data has meaning beyond bytes, you need to parse data and might encounter parse exceptions which mainly occur in the following situations:</p>
<ul>
<li><p>The field does not exist</p></li>
<li><p>The field type has changed (for example, <code>string</code> is changed to <code>int</code>)</p></li>
@@ -89,7 +102,7 @@
}
</code></pre>
<p>When constructing a producer with the <em>User</em> class, you can specify a schema or not as below.</p>
-<h2><a class="anchor" aria-hidden="true" id="without-schema"></a><a href="#without-schema" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0- [...]
+<h3><a class="anchor" aria-hidden="true" id="without-schema"></a><a href="#without-schema" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0- [...]
<p>If you construct a producer without specifying a schema, then the producer can only produce messages of type <code>byte[]</code>. If you have a POJO class, you need to serialize the POJO into bytes before sending messages.</p>
<p><strong>Example</strong></p>
<pre><code class="hljs">Producer<byte[]> producer = client.newProducer()
@@ -99,7 +112,7 @@ User user = new User(“Tom”, 28);
byte[] message = … // serialize the `user` by yourself;
producer.send(message);
</code></pre>
-<h2><a class="anchor" aria-hidden="true" id="with-schema"></a><a href="#with-schema" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42 [...]
+<h3><a class="anchor" aria-hidden="true" id="with-schema"></a><a href="#with-schema" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42 [...]
<p>If you construct a producer with specifying a schema, then you can send a class to a topic directly without worrying about how to serialize POJOs into bytes.</p>
<p><strong>Example</strong></p>
<p>This example constructs a producer with the <em>JSONSchema</em>, and you can send the <em>User</em> class to topics directly without worrying about how to serialize it into bytes.</p>
@@ -109,9 +122,9 @@ producer.send(message);
User user = new User(“Tom”, 28);
producer.send(User);
</code></pre>
-<h2><a class="anchor" aria-hidden="true" id="summary"></a><a href="#summary" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1- [...]
+<h3><a class="anchor" aria-hidden="true" id="summary"></a><a href="#summary" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1- [...]
<p>When constructing a producer with a schema, you do not need to serialize messages into bytes, instead Pulsar schema does this job in the background.</p>
-</span></div></article></div><div class="docs-prevnext"><a class="docs-prev button" href="/docs/ja/next/concepts-schema-registry"><span class="arrow-prev">← </span><span>Schema Registry</span></a><a class="docs-next button" href="/docs/ja/next/functions-overview"><span>概要</span><span class="arrow-next"> →</span></a></div></div></div><nav class="onPageNav"><ul class="toc-headings"><li><a href="#without-schema">Without schema</a></li><li><a href="#with-schema">With schema</a></li><li><a hr [...]
+</span></div></article></div><div class="docs-prevnext"><a class="docs-prev button" href="/docs/ja/next/concepts-schema-registry"><span class="arrow-prev">← </span><span>Schema Registry</span></a><a class="docs-next button" href="/docs/ja/next/functions-overview"><span>概要</span><span class="arrow-next"> →</span></a></div></div></div><nav class="onPageNav"><ul class="toc-headings"><li><a href="#schema-registry">Schema Registry</a><ul class="toc-headings"><li><a href="#client-side-approach [...]
const community = document.querySelector("a[href='#community']").parentNode;
const communityMenu =
'<li>' +
diff --git a/content/docs/ja/next/security-kerberos.html b/content/docs/ja/next/security-kerberos.html
index 92b67e8..96eef9b 100644
--- a/content/docs/ja/next/security-kerberos.html
+++ b/content/docs/ja/next/security-kerberos.html
@@ -93,6 +93,7 @@ sudo /usr/sbin/kadmin.local -q 'addprinc -randkey client/{hostname}@{REALM}'
sudo /usr/sbin/kadmin.local -q "ktadd -k /etc/security/keytabs/{client-keytabname}.keytab client/{hostname}@{REALM}"
</code></pre>
<p>Note that it is a <em>Kerberos</em> requirement that all your hosts can be resolved with their FQDNs.</p>
+<p>The first part of Broker principal (for example, <code>broker</code> in <code>broker/{hostname}@{REALM}</code>) is the <code>serverType</code> of each host, The suggested values of <code>serverType</code> are <code>broker</code> (host machine runs service Pulsar Broker) and <code>proxy</code> (host machine runs service Pulsar Proxy).</p>
<h4><a class="anchor" aria-hidden="true" id="configure-how-to-connect-to-kdc"></a><a href="#configure-how-to-connect-to-kdc" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 [...]
<p>You need to specify the path to the <code>krb5.conf</code> file for both client and broker side. The contents of <code>krb5.conf</code> file indicate the default Realm and KDC information. See <a href="https://docs.oracle.com/javase/8/docs/technotes/guides/security/jgss/tutorials/KerberosReq.html">JDK’s Kerberos Requirements</a> for more details.</p>
<pre><code class="hljs css language-shell">-Djava.security.krb5.conf=/etc/pulsar/krb5.conf
@@ -134,32 +135,41 @@ sudo /usr/sbin/kadmin.local -q "ktadd -k /etc/security/keytabs/{client-keytabnam
<p>In the <code>pulsar_jaas.conf</code> file above</p>
<ol>
<li><code>PulsarBroker</code> is a section name in the JAAS file used by each broker. This section tells the broker which principal to use inside Kerberos and the location of the keytab where the principal is stored. It allows the broker to use the keytab specified in this section.</li>
-<li><code>PulsarClient</code> is a section name in the JASS file used by each client. This section tells the client which principal to use inside Kerberos and the location of the keytab where the principal is stored. It allows the client to use the keytab specified in this section.</li>
+<li><code>PulsarClient</code> is a section name in the JASS file used by each client. This section tells the client which principal to use inside Kerberos and the location of the keytab where the principal is stored. It allows the client to use the keytab specified in this section. In the following example, this <code>PulsarClient</code> section will also be reused in both the Pulsar internal admin configuration and in CLI command of <code>bin/pulsar-client</code>, <code>bin/pulsar-perf< [...]
</ol>
-<p>It is also a choice to have 2 separate JAAS configuration files: the file for broker will only have <code>PulsarBroker</code> section; while the one for client only have <code>PulsarClient</code> section.</p>
+<p>You can have 2 separate JAAS configuration files:</p>
+<ul>
+<li>the file for a broker has sections of both <code>PulsarBroker</code> and <code>PulsarClient</code>;</li>
+<li>the file for a client only has a <code>PulsarClient</code> section.</li>
+</ul>
<h3><a class="anchor" aria-hidden="true" id="kerberos-configuration-for-brokers"></a><a href="#kerberos-configuration-for-brokers" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5 [...]
-<ol>
-<li>In the <code>broker.conf</code> file, set Kerberos related configuration.</li>
-</ol>
+<h4><a class="anchor" aria-hidden="true" id="configure-brokerconf-file"></a><a href="#configure-brokerconf-file" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c [...]
+<p>In the <code>broker.conf</code> file, set Kerberos related configurations.</p>
<ul>
<li><p>Set <code>authenticationEnabled</code> to <code>true</code>;</p></li>
<li><p>Set <code>authenticationProviders</code> to choose <code>AuthenticationProviderSasl</code>;</p></li>
-<li><p>Set <code>saslJaasClientAllowedIds</code> regex for principal that is allowed to connect to broker.</p></li>
-<li><p>Set <code>saslJaasBrokerSectionName</code> that corresponding to the section in JAAS configuration file for broker.</p>
+<li><p>Set <code>saslJaasClientAllowedIds</code> regex for principal that is allowed to connect to broker;</p></li>
+<li><p>Set <code>saslJaasBrokerSectionName</code> that corresponding to the section in JAAS configuration file for broker;</p>
+<p>To make Pulsar internal admin client work properly, you need to set the configuration in the <code>broker.conf</code> file as below:</p></li>
+<li><p>Set <code>brokerClientAuthenticationPlugin</code> to client plugin <code>AuthenticationSasl</code>;</p></li>
+<li><p>Set <code>brokerClientAuthenticationParameters</code> to value in JSON string <code>{"saslJaasClientSectionName":"PulsarClient", "serverType":"broker"}</code>, in which <code>PulsarClient</code> is the section name in above <code>pulsar_jaas.conf</code> file, and <code>"serverType":"broker"</code> indicate that internal admin client will connect to a Pulsar Broker;</p>
<p>Here is an example:</p>
<p>authenticationEnabled=true
authenticationProviders=org.apache.pulsar.broker.authentication.AuthenticationProviderSasl
saslJaasClientAllowedIds=.<em>client.</em>
-saslJaasBrokerSectionName=PulsarBroker</p></li>
+saslJaasBrokerSectionName=PulsarBroker</p>
+<h2><a class="anchor" aria-hidden="true" id="authentication-settings-of-the-broker-itself-used-when-the-broker-connects-to-other-brokers"></a><a href="#authentication-settings-of-the-broker-itself-used-when-the-broker-connects-to-other-brokers" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2. [...]
+<p>brokerClientAuthenticationPlugin=org.apache.pulsar.client.impl.auth.AuthenticationSasl
+brokerClientAuthenticationParameters={"saslJaasClientSectionName":"PulsarClient", "serverType":"broker"}</p></li>
</ul>
-<ol start="2">
-<li>Set JVM parameter for JAAS configuration file and krb5 configuration file with additional option.</li>
-</ol>
+<h4><a class="anchor" aria-hidden="true" id="set-broker-jvm-parameter"></a><a href="#set-broker-jvm-parameter" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-. [...]
+<p>Set JVM parameters for JAAS configuration file and krb5 configuration file with additional options.</p>
<pre><code class="hljs css language-shell"> -Djava.security.auth.login.config=/etc/pulsar/pulsar_jaas.conf -Djava.security.krb5.conf=/etc/pulsar/krb5.conf
</code></pre>
<p>You can add this at the end of <code>PULSAR_EXTRA_OPTS</code> in the file <a href="https://github.com/apache/pulsar/blob/master/conf/pulsar_env.sh"><code>pulsar_env.sh</code></a></p>
<p>Make sure that the keytabs configured in the <code>pulsar_jaas.conf</code> file and kdc server in the <code>krb5.conf</code> file are reachable by the operating system user who is starting broker.</p>
<h3><a class="anchor" aria-hidden="true" id="kerberos-configuration-for-clients"></a><a href="#kerberos-configuration-for-clients" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5 [...]
+<h4><a class="anchor" aria-hidden="true" id="java-client-and-java-admin-client"></a><a href="#java-client-and-java-admin-client" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S1 [...]
<p>In client application, include <code>pulsar-client-auth-sasl</code> in your project dependency.</p>
<pre><code class="hljs"> <dependency>
<groupId>org.apache.pulsar</groupId>
@@ -198,20 +208,23 @@ java -cp -Djava.security.auth.login.<span class="hljs-attribute">config</span>=/
<br />Make sure that the keytabs configured <span class="hljs-keyword">in</span> the `pulsar_jaas.conf` file <span class="hljs-keyword">and</span> kdc<span class="hljs-built_in"> server </span><span class="hljs-keyword">in</span> the `krb5.conf` file are reachable by the operating<span class="hljs-built_in"> system user </span>who is starting pulsar client.
- <span class="hljs-keyword">If</span> you are using command line, you can continue with these <span class="hljs-keyword">step</span>:
+ #### Configure CLI tools
+
+ <span class="hljs-keyword">If</span> you are using a command-line<span class="hljs-built_in"> tool </span>(such as `bin/pulsar-client`, `bin/pulsar-perf` <span class="hljs-keyword">and</span> `bin/pulsar-admin`), you need <span class="hljs-keyword">to</span> preform the following steps:
- 1.<span class="hljs-built_in"> Config </span>your `client.conf`:
+ <span class="hljs-keyword">Step</span> 1.<span class="hljs-built_in"> Config </span>your `client.conf`.
```shell
<span class="hljs-attribute">authPlugin</span>=org.apache.pulsar.client.impl.auth.AuthenticationSasl
authParams={<span class="hljs-string">"saslJaasClientSectionName"</span>:<span class="hljs-string">"PulsarClient"</span>, <span class="hljs-string">"serverType"</span>:<span class="hljs-string">"broker"</span>}
-2. <span class="hljs-builtin-name">Set</span> JVM parameter <span class="hljs-keyword">for</span> JAAS configuration file <span class="hljs-keyword">and</span> krb5 configuration file with additional option.
+<span class="hljs-keyword">Step</span> 2. <span class="hljs-builtin-name">Set</span> JVM parameters <span class="hljs-keyword">for</span> JAAS configuration file <span class="hljs-keyword">and</span> krb5 configuration file with additional options.
```shell
-Djava.security.auth.login.<span class="hljs-attribute">config</span>=/etc/pulsar/pulsar_jaas.conf -Djava.security.krb5.<span class="hljs-attribute">conf</span>=/etc/pulsar/krb5.conf
</code></pre>
-<p>You can add this at the end of <code>PULSAR_EXTRA_OPTS</code> in the file <a href="https://github.com/apache/pulsar/blob/master/conf/pulsar_tools_env.sh"><code>pulsar_tools_env.sh</code></a></p>
+<p>You can add this at the end of <code>PULSAR_EXTRA_OPTS</code> in the file <a href="https://github.com/apache/pulsar/blob/master/conf/pulsar_tools_env.sh"><code>pulsar_tools_env.sh</code></a>, or add this line <code>OPTS="$OPTS -Djava.security.auth.login.config=/etc/pulsar/pulsar_jaas.conf -Djava.security.krb5.conf=/etc/pulsar/krb5.conf "</code> directly to the CLI tool script.</p>
+<p>The meaning of configurations is the same as that in Java client section.</p>
<h2><a class="anchor" aria-hidden="true" id="kerberos-configuration-for-working-with-pulsar-proxy"></a><a href="#kerberos-configuration-for-working-with-pulsar-proxy" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S [...]
<p>With the above configuration, client and broker can do authentication using Kerberos.</p>
<p>If a client wants to connect to Pulsar Proxy, it is a little different. Client (as a SASL client in Kerberos) will be authenticated by Pulsar Proxy (as a SASL Server in Kerberos) first; and then Pulsar Proxy will be authenticated by Pulsar broker.</p>
@@ -293,7 +306,7 @@ java -cp -Djava.security.auth.login.<span class="hljs-attribute">config</span>=/
## related <span class="hljs-keyword">to</span> be authenticated by broker
<span class="hljs-attribute">brokerClientAuthenticationPlugin</span>=org.apache.pulsar.client.impl.auth.AuthenticationSasl
- <span class="hljs-attribute">brokerClientAuthenticationParameters</span>=saslJaasClientSectionName:PulsarProxy,serverType:broker
+ brokerClientAuthenticationParameters={<span class="hljs-string">"saslJaasClientSectionName"</span>:<span class="hljs-string">"PulsarProxy"</span>, <span class="hljs-string">"serverType"</span>:<span class="hljs-string">"broker"</span>}
<span class="hljs-attribute">forwardAuthorizationCredentials</span>=<span class="hljs-literal">true</span>
@@ -322,12 +335,39 @@ The broker side configuration file is the same with the above `broker.conf`, you
```bash
<span class="hljs-attribute">superUserRoles</span>=client/{clientIp}@EXAMPLE.COM
</code></pre>
-<h2><a class="anchor" aria-hidden="true" id="regarding-authorization-between-bookkeeper-and-zookeeper"></a><a href="#regarding-authorization-between-bookkeeper-and-zookeeper" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.2 [...]
-<p>Adding <code>bookkeeperClientAuthenticationPlugin</code> parameter in <code>broker.conf</code> is a prerequisite for Broker (as a Kerberos client) being authenticated by Bookie (as a Kerberos Server):</p>
+<h2><a class="anchor" aria-hidden="true" id="regarding-authentication-between-zookeeper-and-broker"></a><a href="#regarding-authentication-between-zookeeper-and-broker" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2. [...]
+<p>Pulsar Broker acts as a Kerberos client when authenticating with Zookeeper. According to <a href="https://cwiki.apache.org/confluence/display/ZOOKEEPER/Client-Server+mutual+authentication">ZooKeeper document</a>, you need these settings in <code>conf/zookeeper.conf</code>:</p>
+<pre><code class="hljs">authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
+requireClientAuthScheme=sasl
+</code></pre>
+<p>And add a section of <code>Client</code> configurations in the file <code>pulsar_jaas.conf</code>, which is used by Pulsar Broker:</p>
+<pre><code class="hljs"> Client {
+ com.sun.security.auth.module.Krb5LoginModule required
+ useKeyTab=true
+ storeKey=true
+ useTicketCache=false
+ keyTab="/etc/security/keytabs/pulsarbroker.keytab"
+ principal="broker/localhost@EXAMPLE.COM";
+};
+</code></pre>
+<p>In this setting, Pulsar Broker's principal and keyTab file indicates Broker's role when authenticating with ZooKeeper.</p>
+<h2><a class="anchor" aria-hidden="true" id="regarding-authentication-between-bookkeeper-and-broker"></a><a href="#regarding-authentication-between-bookkeeper-and-broker" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 [...]
+<p>Pulsar Broker acts as a Kerberos client when authenticating with Bookie. According to <a href="http://bookkeeper.apache.org/docs/latest/security/sasl/">BookKeeper document</a>, you need to add <code>bookkeeperClientAuthenticationPlugin</code> parameter in <code>broker.conf</code>:</p>
<pre><code class="hljs">bookkeeperClientAuthenticationPlugin=org.apache.bookkeeper.sasl.SASLClientProviderFactory
</code></pre>
-<p>For more details of how to configure Kerberos for BookKeeper and Zookeeper, refer to <a href="http://bookkeeper.apache.org/docs/latest/security/sasl/">BookKeeper document</a>.</p>
-</span></div></article></div><div class="docs-prevnext"><a class="docs-prev button" href="/docs/ja/next/security-athenz"><span class="arrow-prev">← </span><span>Authentication using Athenz</span></a><a class="docs-next button" href="/docs/ja/next/security-authorization"><span>認可と ACL</span><span class="arrow-next"> →</span></a></div></div></div><nav class="onPageNav"><ul class="toc-headings"><li><a href="#configuration-for-kerberos-between-client-and-broker">Configuration for Kerberos be [...]
+<p>In this setting, <code>SASLClientProviderFactory</code> creates a BookKeeper SASL client in a Broker, and the Broker uses the created SASL client to authenticate with a Bookie node.</p>
+<p>And add a section of <code>BookKeeper</code> configurations in the <code>pulsar_jaas.conf</code> that used by Pulsar Broker:</p>
+<pre><code class="hljs"> BookKeeper {
+ com.sun.security.auth.module.Krb5LoginModule required
+ useKeyTab=true
+ storeKey=true
+ useTicketCache=false
+ keyTab="/etc/security/keytabs/pulsarbroker.keytab"
+ principal="broker/localhost@EXAMPLE.COM";
+};
+</code></pre>
+<p>In this setting, Pulsar Broker's principal and keyTab file indicates Broker's role when authenticating with Bookie.</p>
+</span></div></article></div><div class="docs-prevnext"><a class="docs-prev button" href="/docs/ja/next/security-athenz"><span class="arrow-prev">← </span><span>Authentication using Athenz</span></a><a class="docs-next button" href="/docs/ja/next/security-authorization"><span>認可と ACL</span><span class="arrow-next"> →</span></a></div></div></div><nav class="onPageNav"><ul class="toc-headings"><li><a href="#configuration-for-kerberos-between-client-and-broker">Configuration for Kerberos be [...]
const community = document.querySelector("a[href='#community']").parentNode;
const communityMenu =
'<li>' +
diff --git a/content/docs/ja/next/security-kerberos/index.html b/content/docs/ja/next/security-kerberos/index.html
index 92b67e8..96eef9b 100644
--- a/content/docs/ja/next/security-kerberos/index.html
+++ b/content/docs/ja/next/security-kerberos/index.html
@@ -93,6 +93,7 @@ sudo /usr/sbin/kadmin.local -q 'addprinc -randkey client/{hostname}@{REALM}'
sudo /usr/sbin/kadmin.local -q "ktadd -k /etc/security/keytabs/{client-keytabname}.keytab client/{hostname}@{REALM}"
</code></pre>
<p>Note that it is a <em>Kerberos</em> requirement that all your hosts can be resolved with their FQDNs.</p>
+<p>The first part of Broker principal (for example, <code>broker</code> in <code>broker/{hostname}@{REALM}</code>) is the <code>serverType</code> of each host, The suggested values of <code>serverType</code> are <code>broker</code> (host machine runs service Pulsar Broker) and <code>proxy</code> (host machine runs service Pulsar Proxy).</p>
<h4><a class="anchor" aria-hidden="true" id="configure-how-to-connect-to-kdc"></a><a href="#configure-how-to-connect-to-kdc" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 [...]
<p>You need to specify the path to the <code>krb5.conf</code> file for both client and broker side. The contents of <code>krb5.conf</code> file indicate the default Realm and KDC information. See <a href="https://docs.oracle.com/javase/8/docs/technotes/guides/security/jgss/tutorials/KerberosReq.html">JDK’s Kerberos Requirements</a> for more details.</p>
<pre><code class="hljs css language-shell">-Djava.security.krb5.conf=/etc/pulsar/krb5.conf
@@ -134,32 +135,41 @@ sudo /usr/sbin/kadmin.local -q "ktadd -k /etc/security/keytabs/{client-keytabnam
<p>In the <code>pulsar_jaas.conf</code> file above</p>
<ol>
<li><code>PulsarBroker</code> is a section name in the JAAS file used by each broker. This section tells the broker which principal to use inside Kerberos and the location of the keytab where the principal is stored. It allows the broker to use the keytab specified in this section.</li>
-<li><code>PulsarClient</code> is a section name in the JASS file used by each client. This section tells the client which principal to use inside Kerberos and the location of the keytab where the principal is stored. It allows the client to use the keytab specified in this section.</li>
+<li><code>PulsarClient</code> is a section name in the JASS file used by each client. This section tells the client which principal to use inside Kerberos and the location of the keytab where the principal is stored. It allows the client to use the keytab specified in this section. In the following example, this <code>PulsarClient</code> section will also be reused in both the Pulsar internal admin configuration and in CLI command of <code>bin/pulsar-client</code>, <code>bin/pulsar-perf< [...]
</ol>
-<p>It is also a choice to have 2 separate JAAS configuration files: the file for broker will only have <code>PulsarBroker</code> section; while the one for client only have <code>PulsarClient</code> section.</p>
+<p>You can have 2 separate JAAS configuration files:</p>
+<ul>
+<li>the file for a broker has sections of both <code>PulsarBroker</code> and <code>PulsarClient</code>;</li>
+<li>the file for a client only has a <code>PulsarClient</code> section.</li>
+</ul>
<h3><a class="anchor" aria-hidden="true" id="kerberos-configuration-for-brokers"></a><a href="#kerberos-configuration-for-brokers" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5 [...]
-<ol>
-<li>In the <code>broker.conf</code> file, set Kerberos related configuration.</li>
-</ol>
+<h4><a class="anchor" aria-hidden="true" id="configure-brokerconf-file"></a><a href="#configure-brokerconf-file" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c [...]
+<p>In the <code>broker.conf</code> file, set Kerberos related configurations.</p>
<ul>
<li><p>Set <code>authenticationEnabled</code> to <code>true</code>;</p></li>
<li><p>Set <code>authenticationProviders</code> to choose <code>AuthenticationProviderSasl</code>;</p></li>
-<li><p>Set <code>saslJaasClientAllowedIds</code> regex for principal that is allowed to connect to broker.</p></li>
-<li><p>Set <code>saslJaasBrokerSectionName</code> that corresponding to the section in JAAS configuration file for broker.</p>
+<li><p>Set <code>saslJaasClientAllowedIds</code> regex for principal that is allowed to connect to broker;</p></li>
+<li><p>Set <code>saslJaasBrokerSectionName</code> that corresponding to the section in JAAS configuration file for broker;</p>
+<p>To make Pulsar internal admin client work properly, you need to set the configuration in the <code>broker.conf</code> file as below:</p></li>
+<li><p>Set <code>brokerClientAuthenticationPlugin</code> to client plugin <code>AuthenticationSasl</code>;</p></li>
+<li><p>Set <code>brokerClientAuthenticationParameters</code> to value in JSON string <code>{"saslJaasClientSectionName":"PulsarClient", "serverType":"broker"}</code>, in which <code>PulsarClient</code> is the section name in above <code>pulsar_jaas.conf</code> file, and <code>"serverType":"broker"</code> indicate that internal admin client will connect to a Pulsar Broker;</p>
<p>Here is an example:</p>
<p>authenticationEnabled=true
authenticationProviders=org.apache.pulsar.broker.authentication.AuthenticationProviderSasl
saslJaasClientAllowedIds=.<em>client.</em>
-saslJaasBrokerSectionName=PulsarBroker</p></li>
+saslJaasBrokerSectionName=PulsarBroker</p>
+<h2><a class="anchor" aria-hidden="true" id="authentication-settings-of-the-broker-itself-used-when-the-broker-connects-to-other-brokers"></a><a href="#authentication-settings-of-the-broker-itself-used-when-the-broker-connects-to-other-brokers" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2. [...]
+<p>brokerClientAuthenticationPlugin=org.apache.pulsar.client.impl.auth.AuthenticationSasl
+brokerClientAuthenticationParameters={"saslJaasClientSectionName":"PulsarClient", "serverType":"broker"}</p></li>
</ul>
-<ol start="2">
-<li>Set JVM parameter for JAAS configuration file and krb5 configuration file with additional option.</li>
-</ol>
+<h4><a class="anchor" aria-hidden="true" id="set-broker-jvm-parameter"></a><a href="#set-broker-jvm-parameter" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-. [...]
+<p>Set JVM parameters for JAAS configuration file and krb5 configuration file with additional options.</p>
<pre><code class="hljs css language-shell"> -Djava.security.auth.login.config=/etc/pulsar/pulsar_jaas.conf -Djava.security.krb5.conf=/etc/pulsar/krb5.conf
</code></pre>
<p>You can add this at the end of <code>PULSAR_EXTRA_OPTS</code> in the file <a href="https://github.com/apache/pulsar/blob/master/conf/pulsar_env.sh"><code>pulsar_env.sh</code></a></p>
<p>Make sure that the keytabs configured in the <code>pulsar_jaas.conf</code> file and kdc server in the <code>krb5.conf</code> file are reachable by the operating system user who is starting broker.</p>
<h3><a class="anchor" aria-hidden="true" id="kerberos-configuration-for-clients"></a><a href="#kerberos-configuration-for-clients" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5 [...]
+<h4><a class="anchor" aria-hidden="true" id="java-client-and-java-admin-client"></a><a href="#java-client-and-java-admin-client" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S1 [...]
<p>In client application, include <code>pulsar-client-auth-sasl</code> in your project dependency.</p>
<pre><code class="hljs"> <dependency>
<groupId>org.apache.pulsar</groupId>
@@ -198,20 +208,23 @@ java -cp -Djava.security.auth.login.<span class="hljs-attribute">config</span>=/
<br />Make sure that the keytabs configured <span class="hljs-keyword">in</span> the `pulsar_jaas.conf` file <span class="hljs-keyword">and</span> kdc<span class="hljs-built_in"> server </span><span class="hljs-keyword">in</span> the `krb5.conf` file are reachable by the operating<span class="hljs-built_in"> system user </span>who is starting pulsar client.
- <span class="hljs-keyword">If</span> you are using command line, you can continue with these <span class="hljs-keyword">step</span>:
+ #### Configure CLI tools
+
+ <span class="hljs-keyword">If</span> you are using a command-line<span class="hljs-built_in"> tool </span>(such as `bin/pulsar-client`, `bin/pulsar-perf` <span class="hljs-keyword">and</span> `bin/pulsar-admin`), you need <span class="hljs-keyword">to</span> preform the following steps:
- 1.<span class="hljs-built_in"> Config </span>your `client.conf`:
+ <span class="hljs-keyword">Step</span> 1.<span class="hljs-built_in"> Config </span>your `client.conf`.
```shell
<span class="hljs-attribute">authPlugin</span>=org.apache.pulsar.client.impl.auth.AuthenticationSasl
authParams={<span class="hljs-string">"saslJaasClientSectionName"</span>:<span class="hljs-string">"PulsarClient"</span>, <span class="hljs-string">"serverType"</span>:<span class="hljs-string">"broker"</span>}
-2. <span class="hljs-builtin-name">Set</span> JVM parameter <span class="hljs-keyword">for</span> JAAS configuration file <span class="hljs-keyword">and</span> krb5 configuration file with additional option.
+<span class="hljs-keyword">Step</span> 2. <span class="hljs-builtin-name">Set</span> JVM parameters <span class="hljs-keyword">for</span> JAAS configuration file <span class="hljs-keyword">and</span> krb5 configuration file with additional options.
```shell
-Djava.security.auth.login.<span class="hljs-attribute">config</span>=/etc/pulsar/pulsar_jaas.conf -Djava.security.krb5.<span class="hljs-attribute">conf</span>=/etc/pulsar/krb5.conf
</code></pre>
-<p>You can add this at the end of <code>PULSAR_EXTRA_OPTS</code> in the file <a href="https://github.com/apache/pulsar/blob/master/conf/pulsar_tools_env.sh"><code>pulsar_tools_env.sh</code></a></p>
+<p>You can add this at the end of <code>PULSAR_EXTRA_OPTS</code> in the file <a href="https://github.com/apache/pulsar/blob/master/conf/pulsar_tools_env.sh"><code>pulsar_tools_env.sh</code></a>, or add this line <code>OPTS="$OPTS -Djava.security.auth.login.config=/etc/pulsar/pulsar_jaas.conf -Djava.security.krb5.conf=/etc/pulsar/krb5.conf "</code> directly to the CLI tool script.</p>
+<p>The meaning of configurations is the same as that in Java client section.</p>
<h2><a class="anchor" aria-hidden="true" id="kerberos-configuration-for-working-with-pulsar-proxy"></a><a href="#kerberos-configuration-for-working-with-pulsar-proxy" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S [...]
<p>With the above configuration, client and broker can do authentication using Kerberos.</p>
<p>If a client wants to connect to Pulsar Proxy, it is a little different. Client (as a SASL client in Kerberos) will be authenticated by Pulsar Proxy (as a SASL Server in Kerberos) first; and then Pulsar Proxy will be authenticated by Pulsar broker.</p>
@@ -293,7 +306,7 @@ java -cp -Djava.security.auth.login.<span class="hljs-attribute">config</span>=/
## related <span class="hljs-keyword">to</span> be authenticated by broker
<span class="hljs-attribute">brokerClientAuthenticationPlugin</span>=org.apache.pulsar.client.impl.auth.AuthenticationSasl
- <span class="hljs-attribute">brokerClientAuthenticationParameters</span>=saslJaasClientSectionName:PulsarProxy,serverType:broker
+ brokerClientAuthenticationParameters={<span class="hljs-string">"saslJaasClientSectionName"</span>:<span class="hljs-string">"PulsarProxy"</span>, <span class="hljs-string">"serverType"</span>:<span class="hljs-string">"broker"</span>}
<span class="hljs-attribute">forwardAuthorizationCredentials</span>=<span class="hljs-literal">true</span>
@@ -322,12 +335,39 @@ The broker side configuration file is the same with the above `broker.conf`, you
```bash
<span class="hljs-attribute">superUserRoles</span>=client/{clientIp}@EXAMPLE.COM
</code></pre>
-<h2><a class="anchor" aria-hidden="true" id="regarding-authorization-between-bookkeeper-and-zookeeper"></a><a href="#regarding-authorization-between-bookkeeper-and-zookeeper" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.2 [...]
-<p>Adding <code>bookkeeperClientAuthenticationPlugin</code> parameter in <code>broker.conf</code> is a prerequisite for Broker (as a Kerberos client) being authenticated by Bookie (as a Kerberos Server):</p>
+<h2><a class="anchor" aria-hidden="true" id="regarding-authentication-between-zookeeper-and-broker"></a><a href="#regarding-authentication-between-zookeeper-and-broker" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2. [...]
+<p>Pulsar Broker acts as a Kerberos client when authenticating with Zookeeper. According to <a href="https://cwiki.apache.org/confluence/display/ZOOKEEPER/Client-Server+mutual+authentication">ZooKeeper document</a>, you need these settings in <code>conf/zookeeper.conf</code>:</p>
+<pre><code class="hljs">authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
+requireClientAuthScheme=sasl
+</code></pre>
+<p>And add a section of <code>Client</code> configurations in the file <code>pulsar_jaas.conf</code>, which is used by Pulsar Broker:</p>
+<pre><code class="hljs"> Client {
+ com.sun.security.auth.module.Krb5LoginModule required
+ useKeyTab=true
+ storeKey=true
+ useTicketCache=false
+ keyTab="/etc/security/keytabs/pulsarbroker.keytab"
+ principal="broker/localhost@EXAMPLE.COM";
+};
+</code></pre>
+<p>In this setting, Pulsar Broker's principal and keyTab file indicates Broker's role when authenticating with ZooKeeper.</p>
+<h2><a class="anchor" aria-hidden="true" id="regarding-authentication-between-bookkeeper-and-broker"></a><a href="#regarding-authentication-between-bookkeeper-and-broker" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 [...]
+<p>Pulsar Broker acts as a Kerberos client when authenticating with Bookie. According to <a href="http://bookkeeper.apache.org/docs/latest/security/sasl/">BookKeeper document</a>, you need to add <code>bookkeeperClientAuthenticationPlugin</code> parameter in <code>broker.conf</code>:</p>
<pre><code class="hljs">bookkeeperClientAuthenticationPlugin=org.apache.bookkeeper.sasl.SASLClientProviderFactory
</code></pre>
-<p>For more details of how to configure Kerberos for BookKeeper and Zookeeper, refer to <a href="http://bookkeeper.apache.org/docs/latest/security/sasl/">BookKeeper document</a>.</p>
-</span></div></article></div><div class="docs-prevnext"><a class="docs-prev button" href="/docs/ja/next/security-athenz"><span class="arrow-prev">← </span><span>Authentication using Athenz</span></a><a class="docs-next button" href="/docs/ja/next/security-authorization"><span>認可と ACL</span><span class="arrow-next"> →</span></a></div></div></div><nav class="onPageNav"><ul class="toc-headings"><li><a href="#configuration-for-kerberos-between-client-and-broker">Configuration for Kerberos be [...]
+<p>In this setting, <code>SASLClientProviderFactory</code> creates a BookKeeper SASL client in a Broker, and the Broker uses the created SASL client to authenticate with a Bookie node.</p>
+<p>And add a section of <code>BookKeeper</code> configurations in the <code>pulsar_jaas.conf</code> that used by Pulsar Broker:</p>
+<pre><code class="hljs"> BookKeeper {
+ com.sun.security.auth.module.Krb5LoginModule required
+ useKeyTab=true
+ storeKey=true
+ useTicketCache=false
+ keyTab="/etc/security/keytabs/pulsarbroker.keytab"
+ principal="broker/localhost@EXAMPLE.COM";
+};
+</code></pre>
+<p>In this setting, Pulsar Broker's principal and keyTab file indicates Broker's role when authenticating with Bookie.</p>
+</span></div></article></div><div class="docs-prevnext"><a class="docs-prev button" href="/docs/ja/next/security-athenz"><span class="arrow-prev">← </span><span>Authentication using Athenz</span></a><a class="docs-next button" href="/docs/ja/next/security-authorization"><span>認可と ACL</span><span class="arrow-next"> →</span></a></div></div></div><nav class="onPageNav"><ul class="toc-headings"><li><a href="#configuration-for-kerberos-between-client-and-broker">Configuration for Kerberos be [...]
const community = document.querySelector("a[href='#community']").parentNode;
const communityMenu =
'<li>' +
diff --git a/content/docs/ja/security-kerberos.html b/content/docs/ja/security-kerberos.html
index 3621458..9da3455 100644
--- a/content/docs/ja/security-kerberos.html
+++ b/content/docs/ja/security-kerberos.html
@@ -93,6 +93,7 @@ sudo /usr/sbin/kadmin.local -q 'addprinc -randkey client/{hostname}@{REALM}'
sudo /usr/sbin/kadmin.local -q "ktadd -k /etc/security/keytabs/{client-keytabname}.keytab client/{hostname}@{REALM}"
</code></pre>
<p>Note that it is a <em>Kerberos</em> requirement that all your hosts can be resolved with their FQDNs.</p>
+<p>The first part of Broker principal (for example, <code>broker</code> in <code>broker/{hostname}@{REALM}</code>) is the <code>serverType</code> of each host, The suggested values of <code>serverType</code> are <code>broker</code> (host machine runs service Pulsar Broker) and <code>proxy</code> (host machine runs service Pulsar Proxy).</p>
<h4><a class="anchor" aria-hidden="true" id="configure-how-to-connect-to-kdc"></a><a href="#configure-how-to-connect-to-kdc" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 [...]
<p>You need to specify the path to the <code>krb5.conf</code> file for both client and broker side. The contents of <code>krb5.conf</code> file indicate the default Realm and KDC information. See <a href="https://docs.oracle.com/javase/8/docs/technotes/guides/security/jgss/tutorials/KerberosReq.html">JDK’s Kerberos Requirements</a> for more details.</p>
<pre><code class="hljs css language-shell">-Djava.security.krb5.conf=/etc/pulsar/krb5.conf
@@ -134,32 +135,41 @@ sudo /usr/sbin/kadmin.local -q "ktadd -k /etc/security/keytabs/{client-keytabnam
<p>In the <code>pulsar_jaas.conf</code> file above</p>
<ol>
<li><code>PulsarBroker</code> is a section name in the JAAS file used by each broker. This section tells the broker which principal to use inside Kerberos and the location of the keytab where the principal is stored. It allows the broker to use the keytab specified in this section.</li>
-<li><code>PulsarClient</code> is a section name in the JASS file used by each client. This section tells the client which principal to use inside Kerberos and the location of the keytab where the principal is stored. It allows the client to use the keytab specified in this section.</li>
+<li><code>PulsarClient</code> is a section name in the JASS file used by each client. This section tells the client which principal to use inside Kerberos and the location of the keytab where the principal is stored. It allows the client to use the keytab specified in this section. In the following example, this <code>PulsarClient</code> section will also be reused in both the Pulsar internal admin configuration and in CLI command of <code>bin/pulsar-client</code>, <code>bin/pulsar-perf< [...]
</ol>
-<p>It is also a choice to have 2 separate JAAS configuration files: the file for broker will only have <code>PulsarBroker</code> section; while the one for client only have <code>PulsarClient</code> section.</p>
+<p>You can have 2 separate JAAS configuration files:</p>
+<ul>
+<li>the file for a broker has sections of both <code>PulsarBroker</code> and <code>PulsarClient</code>;</li>
+<li>the file for a client only has a <code>PulsarClient</code> section.</li>
+</ul>
<h3><a class="anchor" aria-hidden="true" id="kerberos-configuration-for-brokers"></a><a href="#kerberos-configuration-for-brokers" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5 [...]
-<ol>
-<li>In the <code>broker.conf</code> file, set Kerberos related configuration.</li>
-</ol>
+<h4><a class="anchor" aria-hidden="true" id="configure-brokerconf-file"></a><a href="#configure-brokerconf-file" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c [...]
+<p>In the <code>broker.conf</code> file, set Kerberos related configurations.</p>
<ul>
<li><p>Set <code>authenticationEnabled</code> to <code>true</code>;</p></li>
<li><p>Set <code>authenticationProviders</code> to choose <code>AuthenticationProviderSasl</code>;</p></li>
-<li><p>Set <code>saslJaasClientAllowedIds</code> regex for principal that is allowed to connect to broker.</p></li>
-<li><p>Set <code>saslJaasBrokerSectionName</code> that corresponding to the section in JAAS configuration file for broker.</p>
+<li><p>Set <code>saslJaasClientAllowedIds</code> regex for principal that is allowed to connect to broker;</p></li>
+<li><p>Set <code>saslJaasBrokerSectionName</code> that corresponding to the section in JAAS configuration file for broker;</p>
+<p>To make Pulsar internal admin client work properly, you need to set the configuration in the <code>broker.conf</code> file as below:</p></li>
+<li><p>Set <code>brokerClientAuthenticationPlugin</code> to client plugin <code>AuthenticationSasl</code>;</p></li>
+<li><p>Set <code>brokerClientAuthenticationParameters</code> to value in JSON string <code>{"saslJaasClientSectionName":"PulsarClient", "serverType":"broker"}</code>, in which <code>PulsarClient</code> is the section name in above <code>pulsar_jaas.conf</code> file, and <code>"serverType":"broker"</code> indicate that internal admin client will connect to a Pulsar Broker;</p>
<p>Here is an example:</p>
<p>authenticationEnabled=true
authenticationProviders=org.apache.pulsar.broker.authentication.AuthenticationProviderSasl
saslJaasClientAllowedIds=.<em>client.</em>
-saslJaasBrokerSectionName=PulsarBroker</p></li>
+saslJaasBrokerSectionName=PulsarBroker</p>
+<h2><a class="anchor" aria-hidden="true" id="authentication-settings-of-the-broker-itself-used-when-the-broker-connects-to-other-brokers"></a><a href="#authentication-settings-of-the-broker-itself-used-when-the-broker-connects-to-other-brokers" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2. [...]
+<p>brokerClientAuthenticationPlugin=org.apache.pulsar.client.impl.auth.AuthenticationSasl
+brokerClientAuthenticationParameters={"saslJaasClientSectionName":"PulsarClient", "serverType":"broker"}</p></li>
</ul>
-<ol start="2">
-<li>Set JVM parameter for JAAS configuration file and krb5 configuration file with additional option.</li>
-</ol>
+<h4><a class="anchor" aria-hidden="true" id="set-broker-jvm-parameter"></a><a href="#set-broker-jvm-parameter" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-. [...]
+<p>Set JVM parameters for JAAS configuration file and krb5 configuration file with additional options.</p>
<pre><code class="hljs css language-shell"> -Djava.security.auth.login.config=/etc/pulsar/pulsar_jaas.conf -Djava.security.krb5.conf=/etc/pulsar/krb5.conf
</code></pre>
<p>You can add this at the end of <code>PULSAR_EXTRA_OPTS</code> in the file <a href="https://github.com/apache/pulsar/blob/master/conf/pulsar_env.sh"><code>pulsar_env.sh</code></a></p>
<p>Make sure that the keytabs configured in the <code>pulsar_jaas.conf</code> file and kdc server in the <code>krb5.conf</code> file are reachable by the operating system user who is starting broker.</p>
<h3><a class="anchor" aria-hidden="true" id="kerberos-configuration-for-clients"></a><a href="#kerberos-configuration-for-clients" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5 [...]
+<h4><a class="anchor" aria-hidden="true" id="java-client-and-java-admin-client"></a><a href="#java-client-and-java-admin-client" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S1 [...]
<p>In client application, include <code>pulsar-client-auth-sasl</code> in your project dependency.</p>
<pre><code class="hljs"> <dependency>
<groupId>org.apache.pulsar</groupId>
@@ -198,20 +208,23 @@ java -cp -Djava.security.auth.login.<span class="hljs-attribute">config</span>=/
<br />Make sure that the keytabs configured <span class="hljs-keyword">in</span> the `pulsar_jaas.conf` file <span class="hljs-keyword">and</span> kdc<span class="hljs-built_in"> server </span><span class="hljs-keyword">in</span> the `krb5.conf` file are reachable by the operating<span class="hljs-built_in"> system user </span>who is starting pulsar client.
- <span class="hljs-keyword">If</span> you are using command line, you can continue with these <span class="hljs-keyword">step</span>:
+ #### Configure CLI tools
+
+ <span class="hljs-keyword">If</span> you are using a command-line<span class="hljs-built_in"> tool </span>(such as `bin/pulsar-client`, `bin/pulsar-perf` <span class="hljs-keyword">and</span> `bin/pulsar-admin`), you need <span class="hljs-keyword">to</span> preform the following steps:
- 1.<span class="hljs-built_in"> Config </span>your `client.conf`:
+ <span class="hljs-keyword">Step</span> 1.<span class="hljs-built_in"> Config </span>your `client.conf`.
```shell
<span class="hljs-attribute">authPlugin</span>=org.apache.pulsar.client.impl.auth.AuthenticationSasl
authParams={<span class="hljs-string">"saslJaasClientSectionName"</span>:<span class="hljs-string">"PulsarClient"</span>, <span class="hljs-string">"serverType"</span>:<span class="hljs-string">"broker"</span>}
-2. <span class="hljs-builtin-name">Set</span> JVM parameter <span class="hljs-keyword">for</span> JAAS configuration file <span class="hljs-keyword">and</span> krb5 configuration file with additional option.
+<span class="hljs-keyword">Step</span> 2. <span class="hljs-builtin-name">Set</span> JVM parameters <span class="hljs-keyword">for</span> JAAS configuration file <span class="hljs-keyword">and</span> krb5 configuration file with additional options.
```shell
-Djava.security.auth.login.<span class="hljs-attribute">config</span>=/etc/pulsar/pulsar_jaas.conf -Djava.security.krb5.<span class="hljs-attribute">conf</span>=/etc/pulsar/krb5.conf
</code></pre>
-<p>You can add this at the end of <code>PULSAR_EXTRA_OPTS</code> in the file <a href="https://github.com/apache/pulsar/blob/master/conf/pulsar_tools_env.sh"><code>pulsar_tools_env.sh</code></a></p>
+<p>You can add this at the end of <code>PULSAR_EXTRA_OPTS</code> in the file <a href="https://github.com/apache/pulsar/blob/master/conf/pulsar_tools_env.sh"><code>pulsar_tools_env.sh</code></a>, or add this line <code>OPTS="$OPTS -Djava.security.auth.login.config=/etc/pulsar/pulsar_jaas.conf -Djava.security.krb5.conf=/etc/pulsar/krb5.conf "</code> directly to the CLI tool script.</p>
+<p>The meaning of configurations is the same as that in Java client section.</p>
<h2><a class="anchor" aria-hidden="true" id="kerberos-configuration-for-working-with-pulsar-proxy"></a><a href="#kerberos-configuration-for-working-with-pulsar-proxy" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S [...]
<p>With the above configuration, client and broker can do authentication using Kerberos.</p>
<p>If a client wants to connect to Pulsar Proxy, it is a little different. Client (as a SASL client in Kerberos) will be authenticated by Pulsar Proxy (as a SASL Server in Kerberos) first; and then Pulsar Proxy will be authenticated by Pulsar broker.</p>
@@ -293,7 +306,7 @@ java -cp -Djava.security.auth.login.<span class="hljs-attribute">config</span>=/
## related <span class="hljs-keyword">to</span> be authenticated by broker
<span class="hljs-attribute">brokerClientAuthenticationPlugin</span>=org.apache.pulsar.client.impl.auth.AuthenticationSasl
- <span class="hljs-attribute">brokerClientAuthenticationParameters</span>=saslJaasClientSectionName:PulsarProxy,serverType:broker
+ brokerClientAuthenticationParameters={<span class="hljs-string">"saslJaasClientSectionName"</span>:<span class="hljs-string">"PulsarProxy"</span>, <span class="hljs-string">"serverType"</span>:<span class="hljs-string">"broker"</span>}
<span class="hljs-attribute">forwardAuthorizationCredentials</span>=<span class="hljs-literal">true</span>
@@ -322,12 +335,39 @@ The broker side configuration file is the same with the above `broker.conf`, you
```bash
<span class="hljs-attribute">superUserRoles</span>=client/{clientIp}@EXAMPLE.COM
</code></pre>
-<h2><a class="anchor" aria-hidden="true" id="regarding-authorization-between-bookkeeper-and-zookeeper"></a><a href="#regarding-authorization-between-bookkeeper-and-zookeeper" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.2 [...]
-<p>Adding <code>bookkeeperClientAuthenticationPlugin</code> parameter in <code>broker.conf</code> is a prerequisite for Broker (as a Kerberos client) being authenticated by Bookie (as a Kerberos Server):</p>
+<h2><a class="anchor" aria-hidden="true" id="regarding-authentication-between-zookeeper-and-broker"></a><a href="#regarding-authentication-between-zookeeper-and-broker" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2. [...]
+<p>Pulsar Broker acts as a Kerberos client when authenticating with Zookeeper. According to <a href="https://cwiki.apache.org/confluence/display/ZOOKEEPER/Client-Server+mutual+authentication">ZooKeeper document</a>, you need these settings in <code>conf/zookeeper.conf</code>:</p>
+<pre><code class="hljs">authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
+requireClientAuthScheme=sasl
+</code></pre>
+<p>And add a section of <code>Client</code> configurations in the file <code>pulsar_jaas.conf</code>, which is used by Pulsar Broker:</p>
+<pre><code class="hljs"> Client {
+ com.sun.security.auth.module.Krb5LoginModule required
+ useKeyTab=true
+ storeKey=true
+ useTicketCache=false
+ keyTab="/etc/security/keytabs/pulsarbroker.keytab"
+ principal="broker/localhost@EXAMPLE.COM";
+};
+</code></pre>
+<p>In this setting, Pulsar Broker's principal and keyTab file indicates Broker's role when authenticating with ZooKeeper.</p>
+<h2><a class="anchor" aria-hidden="true" id="regarding-authentication-between-bookkeeper-and-broker"></a><a href="#regarding-authentication-between-bookkeeper-and-broker" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 [...]
+<p>Pulsar Broker acts as a Kerberos client when authenticating with Bookie. According to <a href="http://bookkeeper.apache.org/docs/latest/security/sasl/">BookKeeper document</a>, you need to add <code>bookkeeperClientAuthenticationPlugin</code> parameter in <code>broker.conf</code>:</p>
<pre><code class="hljs">bookkeeperClientAuthenticationPlugin=org.apache.bookkeeper.sasl.SASLClientProviderFactory
</code></pre>
-<p>For more details of how to configure Kerberos for BookKeeper and Zookeeper, refer to <a href="http://bookkeeper.apache.org/docs/latest/security/sasl/">BookKeeper document</a>.</p>
-</span></div></article></div><div class="docs-prevnext"><a class="docs-prev button" href="/docs/ja/security-athenz"><span class="arrow-prev">← </span><span>Authentication using Athenz</span></a><a class="docs-next button" href="/docs/ja/security-authorization"><span>認可と ACL</span><span class="arrow-next"> →</span></a></div></div></div><nav class="onPageNav"><ul class="toc-headings"><li><a href="#configuration-for-kerberos-between-client-and-broker">Configuration for Kerberos between Clie [...]
+<p>In this setting, <code>SASLClientProviderFactory</code> creates a BookKeeper SASL client in a Broker, and the Broker uses the created SASL client to authenticate with a Bookie node.</p>
+<p>And add a section of <code>BookKeeper</code> configurations in the <code>pulsar_jaas.conf</code> that used by Pulsar Broker:</p>
+<pre><code class="hljs"> BookKeeper {
+ com.sun.security.auth.module.Krb5LoginModule required
+ useKeyTab=true
+ storeKey=true
+ useTicketCache=false
+ keyTab="/etc/security/keytabs/pulsarbroker.keytab"
+ principal="broker/localhost@EXAMPLE.COM";
+};
+</code></pre>
+<p>In this setting, Pulsar Broker's principal and keyTab file indicates Broker's role when authenticating with Bookie.</p>
+</span></div></article></div><div class="docs-prevnext"><a class="docs-prev button" href="/docs/ja/security-athenz"><span class="arrow-prev">← </span><span>Authentication using Athenz</span></a><a class="docs-next button" href="/docs/ja/security-authorization"><span>認可と ACL</span><span class="arrow-next"> →</span></a></div></div></div><nav class="onPageNav"><ul class="toc-headings"><li><a href="#configuration-for-kerberos-between-client-and-broker">Configuration for Kerberos between Clie [...]
const community = document.querySelector("a[href='#community']").parentNode;
const communityMenu =
'<li>' +
diff --git a/content/docs/ja/security-kerberos/index.html b/content/docs/ja/security-kerberos/index.html
index 3621458..9da3455 100644
--- a/content/docs/ja/security-kerberos/index.html
+++ b/content/docs/ja/security-kerberos/index.html
@@ -93,6 +93,7 @@ sudo /usr/sbin/kadmin.local -q 'addprinc -randkey client/{hostname}@{REALM}'
sudo /usr/sbin/kadmin.local -q "ktadd -k /etc/security/keytabs/{client-keytabname}.keytab client/{hostname}@{REALM}"
</code></pre>
<p>Note that it is a <em>Kerberos</em> requirement that all your hosts can be resolved with their FQDNs.</p>
+<p>The first part of Broker principal (for example, <code>broker</code> in <code>broker/{hostname}@{REALM}</code>) is the <code>serverType</code> of each host, The suggested values of <code>serverType</code> are <code>broker</code> (host machine runs service Pulsar Broker) and <code>proxy</code> (host machine runs service Pulsar Proxy).</p>
<h4><a class="anchor" aria-hidden="true" id="configure-how-to-connect-to-kdc"></a><a href="#configure-how-to-connect-to-kdc" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 [...]
<p>You need to specify the path to the <code>krb5.conf</code> file for both client and broker side. The contents of <code>krb5.conf</code> file indicate the default Realm and KDC information. See <a href="https://docs.oracle.com/javase/8/docs/technotes/guides/security/jgss/tutorials/KerberosReq.html">JDK’s Kerberos Requirements</a> for more details.</p>
<pre><code class="hljs css language-shell">-Djava.security.krb5.conf=/etc/pulsar/krb5.conf
@@ -134,32 +135,41 @@ sudo /usr/sbin/kadmin.local -q "ktadd -k /etc/security/keytabs/{client-keytabnam
<p>In the <code>pulsar_jaas.conf</code> file above</p>
<ol>
<li><code>PulsarBroker</code> is a section name in the JAAS file used by each broker. This section tells the broker which principal to use inside Kerberos and the location of the keytab where the principal is stored. It allows the broker to use the keytab specified in this section.</li>
-<li><code>PulsarClient</code> is a section name in the JASS file used by each client. This section tells the client which principal to use inside Kerberos and the location of the keytab where the principal is stored. It allows the client to use the keytab specified in this section.</li>
+<li><code>PulsarClient</code> is a section name in the JASS file used by each client. This section tells the client which principal to use inside Kerberos and the location of the keytab where the principal is stored. It allows the client to use the keytab specified in this section. In the following example, this <code>PulsarClient</code> section will also be reused in both the Pulsar internal admin configuration and in CLI command of <code>bin/pulsar-client</code>, <code>bin/pulsar-perf< [...]
</ol>
-<p>It is also a choice to have 2 separate JAAS configuration files: the file for broker will only have <code>PulsarBroker</code> section; while the one for client only have <code>PulsarClient</code> section.</p>
+<p>You can have 2 separate JAAS configuration files:</p>
+<ul>
+<li>the file for a broker has sections of both <code>PulsarBroker</code> and <code>PulsarClient</code>;</li>
+<li>the file for a client only has a <code>PulsarClient</code> section.</li>
+</ul>
<h3><a class="anchor" aria-hidden="true" id="kerberos-configuration-for-brokers"></a><a href="#kerberos-configuration-for-brokers" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5 [...]
-<ol>
-<li>In the <code>broker.conf</code> file, set Kerberos related configuration.</li>
-</ol>
+<h4><a class="anchor" aria-hidden="true" id="configure-brokerconf-file"></a><a href="#configure-brokerconf-file" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c [...]
+<p>In the <code>broker.conf</code> file, set Kerberos related configurations.</p>
<ul>
<li><p>Set <code>authenticationEnabled</code> to <code>true</code>;</p></li>
<li><p>Set <code>authenticationProviders</code> to choose <code>AuthenticationProviderSasl</code>;</p></li>
-<li><p>Set <code>saslJaasClientAllowedIds</code> regex for principal that is allowed to connect to broker.</p></li>
-<li><p>Set <code>saslJaasBrokerSectionName</code> that corresponding to the section in JAAS configuration file for broker.</p>
+<li><p>Set <code>saslJaasClientAllowedIds</code> regex for principal that is allowed to connect to broker;</p></li>
+<li><p>Set <code>saslJaasBrokerSectionName</code> that corresponding to the section in JAAS configuration file for broker;</p>
+<p>To make Pulsar internal admin client work properly, you need to set the configuration in the <code>broker.conf</code> file as below:</p></li>
+<li><p>Set <code>brokerClientAuthenticationPlugin</code> to client plugin <code>AuthenticationSasl</code>;</p></li>
+<li><p>Set <code>brokerClientAuthenticationParameters</code> to value in JSON string <code>{"saslJaasClientSectionName":"PulsarClient", "serverType":"broker"}</code>, in which <code>PulsarClient</code> is the section name in above <code>pulsar_jaas.conf</code> file, and <code>"serverType":"broker"</code> indicate that internal admin client will connect to a Pulsar Broker;</p>
<p>Here is an example:</p>
<p>authenticationEnabled=true
authenticationProviders=org.apache.pulsar.broker.authentication.AuthenticationProviderSasl
saslJaasClientAllowedIds=.<em>client.</em>
-saslJaasBrokerSectionName=PulsarBroker</p></li>
+saslJaasBrokerSectionName=PulsarBroker</p>
+<h2><a class="anchor" aria-hidden="true" id="authentication-settings-of-the-broker-itself-used-when-the-broker-connects-to-other-brokers"></a><a href="#authentication-settings-of-the-broker-itself-used-when-the-broker-connects-to-other-brokers" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2. [...]
+<p>brokerClientAuthenticationPlugin=org.apache.pulsar.client.impl.auth.AuthenticationSasl
+brokerClientAuthenticationParameters={"saslJaasClientSectionName":"PulsarClient", "serverType":"broker"}</p></li>
</ul>
-<ol start="2">
-<li>Set JVM parameter for JAAS configuration file and krb5 configuration file with additional option.</li>
-</ol>
+<h4><a class="anchor" aria-hidden="true" id="set-broker-jvm-parameter"></a><a href="#set-broker-jvm-parameter" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-. [...]
+<p>Set JVM parameters for JAAS configuration file and krb5 configuration file with additional options.</p>
<pre><code class="hljs css language-shell"> -Djava.security.auth.login.config=/etc/pulsar/pulsar_jaas.conf -Djava.security.krb5.conf=/etc/pulsar/krb5.conf
</code></pre>
<p>You can add this at the end of <code>PULSAR_EXTRA_OPTS</code> in the file <a href="https://github.com/apache/pulsar/blob/master/conf/pulsar_env.sh"><code>pulsar_env.sh</code></a></p>
<p>Make sure that the keytabs configured in the <code>pulsar_jaas.conf</code> file and kdc server in the <code>krb5.conf</code> file are reachable by the operating system user who is starting broker.</p>
<h3><a class="anchor" aria-hidden="true" id="kerberos-configuration-for-clients"></a><a href="#kerberos-configuration-for-clients" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5 [...]
+<h4><a class="anchor" aria-hidden="true" id="java-client-and-java-admin-client"></a><a href="#java-client-and-java-admin-client" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S1 [...]
<p>In client application, include <code>pulsar-client-auth-sasl</code> in your project dependency.</p>
<pre><code class="hljs"> <dependency>
<groupId>org.apache.pulsar</groupId>
@@ -198,20 +208,23 @@ java -cp -Djava.security.auth.login.<span class="hljs-attribute">config</span>=/
<br />Make sure that the keytabs configured <span class="hljs-keyword">in</span> the `pulsar_jaas.conf` file <span class="hljs-keyword">and</span> kdc<span class="hljs-built_in"> server </span><span class="hljs-keyword">in</span> the `krb5.conf` file are reachable by the operating<span class="hljs-built_in"> system user </span>who is starting pulsar client.
- <span class="hljs-keyword">If</span> you are using command line, you can continue with these <span class="hljs-keyword">step</span>:
+ #### Configure CLI tools
+
+ <span class="hljs-keyword">If</span> you are using a command-line<span class="hljs-built_in"> tool </span>(such as `bin/pulsar-client`, `bin/pulsar-perf` <span class="hljs-keyword">and</span> `bin/pulsar-admin`), you need <span class="hljs-keyword">to</span> preform the following steps:
- 1.<span class="hljs-built_in"> Config </span>your `client.conf`:
+ <span class="hljs-keyword">Step</span> 1.<span class="hljs-built_in"> Config </span>your `client.conf`.
```shell
<span class="hljs-attribute">authPlugin</span>=org.apache.pulsar.client.impl.auth.AuthenticationSasl
authParams={<span class="hljs-string">"saslJaasClientSectionName"</span>:<span class="hljs-string">"PulsarClient"</span>, <span class="hljs-string">"serverType"</span>:<span class="hljs-string">"broker"</span>}
-2. <span class="hljs-builtin-name">Set</span> JVM parameter <span class="hljs-keyword">for</span> JAAS configuration file <span class="hljs-keyword">and</span> krb5 configuration file with additional option.
+<span class="hljs-keyword">Step</span> 2. <span class="hljs-builtin-name">Set</span> JVM parameters <span class="hljs-keyword">for</span> JAAS configuration file <span class="hljs-keyword">and</span> krb5 configuration file with additional options.
```shell
-Djava.security.auth.login.<span class="hljs-attribute">config</span>=/etc/pulsar/pulsar_jaas.conf -Djava.security.krb5.<span class="hljs-attribute">conf</span>=/etc/pulsar/krb5.conf
</code></pre>
-<p>You can add this at the end of <code>PULSAR_EXTRA_OPTS</code> in the file <a href="https://github.com/apache/pulsar/blob/master/conf/pulsar_tools_env.sh"><code>pulsar_tools_env.sh</code></a></p>
+<p>You can add this at the end of <code>PULSAR_EXTRA_OPTS</code> in the file <a href="https://github.com/apache/pulsar/blob/master/conf/pulsar_tools_env.sh"><code>pulsar_tools_env.sh</code></a>, or add this line <code>OPTS="$OPTS -Djava.security.auth.login.config=/etc/pulsar/pulsar_jaas.conf -Djava.security.krb5.conf=/etc/pulsar/krb5.conf "</code> directly to the CLI tool script.</p>
+<p>The meaning of configurations is the same as that in Java client section.</p>
<h2><a class="anchor" aria-hidden="true" id="kerberos-configuration-for-working-with-pulsar-proxy"></a><a href="#kerberos-configuration-for-working-with-pulsar-proxy" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S [...]
<p>With the above configuration, client and broker can do authentication using Kerberos.</p>
<p>If a client wants to connect to Pulsar Proxy, it is a little different. Client (as a SASL client in Kerberos) will be authenticated by Pulsar Proxy (as a SASL Server in Kerberos) first; and then Pulsar Proxy will be authenticated by Pulsar broker.</p>
@@ -293,7 +306,7 @@ java -cp -Djava.security.auth.login.<span class="hljs-attribute">config</span>=/
## related <span class="hljs-keyword">to</span> be authenticated by broker
<span class="hljs-attribute">brokerClientAuthenticationPlugin</span>=org.apache.pulsar.client.impl.auth.AuthenticationSasl
- <span class="hljs-attribute">brokerClientAuthenticationParameters</span>=saslJaasClientSectionName:PulsarProxy,serverType:broker
+ brokerClientAuthenticationParameters={<span class="hljs-string">"saslJaasClientSectionName"</span>:<span class="hljs-string">"PulsarProxy"</span>, <span class="hljs-string">"serverType"</span>:<span class="hljs-string">"broker"</span>}
<span class="hljs-attribute">forwardAuthorizationCredentials</span>=<span class="hljs-literal">true</span>
@@ -322,12 +335,39 @@ The broker side configuration file is the same with the above `broker.conf`, you
```bash
<span class="hljs-attribute">superUserRoles</span>=client/{clientIp}@EXAMPLE.COM
</code></pre>
-<h2><a class="anchor" aria-hidden="true" id="regarding-authorization-between-bookkeeper-and-zookeeper"></a><a href="#regarding-authorization-between-bookkeeper-and-zookeeper" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.2 [...]
-<p>Adding <code>bookkeeperClientAuthenticationPlugin</code> parameter in <code>broker.conf</code> is a prerequisite for Broker (as a Kerberos client) being authenticated by Bookie (as a Kerberos Server):</p>
+<h2><a class="anchor" aria-hidden="true" id="regarding-authentication-between-zookeeper-and-broker"></a><a href="#regarding-authentication-between-zookeeper-and-broker" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2. [...]
+<p>Pulsar Broker acts as a Kerberos client when authenticating with Zookeeper. According to <a href="https://cwiki.apache.org/confluence/display/ZOOKEEPER/Client-Server+mutual+authentication">ZooKeeper document</a>, you need these settings in <code>conf/zookeeper.conf</code>:</p>
+<pre><code class="hljs">authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
+requireClientAuthScheme=sasl
+</code></pre>
+<p>And add a section of <code>Client</code> configurations in the file <code>pulsar_jaas.conf</code>, which is used by Pulsar Broker:</p>
+<pre><code class="hljs"> Client {
+ com.sun.security.auth.module.Krb5LoginModule required
+ useKeyTab=true
+ storeKey=true
+ useTicketCache=false
+ keyTab="/etc/security/keytabs/pulsarbroker.keytab"
+ principal="broker/localhost@EXAMPLE.COM";
+};
+</code></pre>
+<p>In this setting, Pulsar Broker's principal and keyTab file indicates Broker's role when authenticating with ZooKeeper.</p>
+<h2><a class="anchor" aria-hidden="true" id="regarding-authentication-between-bookkeeper-and-broker"></a><a href="#regarding-authentication-between-bookkeeper-and-broker" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 [...]
+<p>Pulsar Broker acts as a Kerberos client when authenticating with Bookie. According to <a href="http://bookkeeper.apache.org/docs/latest/security/sasl/">BookKeeper document</a>, you need to add <code>bookkeeperClientAuthenticationPlugin</code> parameter in <code>broker.conf</code>:</p>
<pre><code class="hljs">bookkeeperClientAuthenticationPlugin=org.apache.bookkeeper.sasl.SASLClientProviderFactory
</code></pre>
-<p>For more details of how to configure Kerberos for BookKeeper and Zookeeper, refer to <a href="http://bookkeeper.apache.org/docs/latest/security/sasl/">BookKeeper document</a>.</p>
-</span></div></article></div><div class="docs-prevnext"><a class="docs-prev button" href="/docs/ja/security-athenz"><span class="arrow-prev">← </span><span>Authentication using Athenz</span></a><a class="docs-next button" href="/docs/ja/security-authorization"><span>認可と ACL</span><span class="arrow-next"> →</span></a></div></div></div><nav class="onPageNav"><ul class="toc-headings"><li><a href="#configuration-for-kerberos-between-client-and-broker">Configuration for Kerberos between Clie [...]
+<p>In this setting, <code>SASLClientProviderFactory</code> creates a BookKeeper SASL client in a Broker, and the Broker uses the created SASL client to authenticate with a Bookie node.</p>
+<p>And add a section of <code>BookKeeper</code> configurations in the <code>pulsar_jaas.conf</code> that used by Pulsar Broker:</p>
+<pre><code class="hljs"> BookKeeper {
+ com.sun.security.auth.module.Krb5LoginModule required
+ useKeyTab=true
+ storeKey=true
+ useTicketCache=false
+ keyTab="/etc/security/keytabs/pulsarbroker.keytab"
+ principal="broker/localhost@EXAMPLE.COM";
+};
+</code></pre>
+<p>In this setting, Pulsar Broker's principal and keyTab file indicates Broker's role when authenticating with Bookie.</p>
+</span></div></article></div><div class="docs-prevnext"><a class="docs-prev button" href="/docs/ja/security-athenz"><span class="arrow-prev">← </span><span>Authentication using Athenz</span></a><a class="docs-next button" href="/docs/ja/security-authorization"><span>認可と ACL</span><span class="arrow-next"> →</span></a></div></div></div><nav class="onPageNav"><ul class="toc-headings"><li><a href="#configuration-for-kerberos-between-client-and-broker">Configuration for Kerberos between Clie [...]
const community = document.querySelector("a[href='#community']").parentNode;
const communityMenu =
'<li>' +
diff --git a/content/docs/zh-CN/next/schema-get-started.html b/content/docs/zh-CN/next/schema-get-started.html
index 8a910bd..c727226 100644
--- a/content/docs/zh-CN/next/schema-get-started.html
+++ b/content/docs/zh-CN/next/schema-get-started.html
@@ -1,4 +1,4 @@
-<!DOCTYPE html><html lang="zh-CN"><head><meta charSet="utf-8"/><meta http-equiv="X-UA-Compatible" content="IE=edge"/><title>Get started · Apache Pulsar</title><meta name="viewport" content="width=device-width"/><meta name="generator" content="Docusaurus"/><meta name="description" content="When a schema is enabled, Pulsar does parse data, it takes bytes as inputs and sends bytes as outputs. While data has meaning beyond bytes, you need to parse data and might encounter parse exceptions wh [...]
+<!DOCTYPE html><html lang="zh-CN"><head><meta charSet="utf-8"/><meta http-equiv="X-UA-Compatible" content="IE=edge"/><title>Get started · Apache Pulsar</title><meta name="viewport" content="width=device-width"/><meta name="generator" content="Docusaurus"/><meta name="description" content="## Schema管理服务"/><meta name="docsearch:version" content="next"/><meta name="docsearch:language" content="zh-CN"/><meta property="og:title" content="Get started · Apache Pulsar"/><meta property="og:type" [...]
(function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){
(i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o),
m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m)
@@ -74,7 +74,20 @@
};
}
});
- </script></nav></div><div class="container mainContainer"><div class="wrapper"><div class="post"><header class="postHeader"><a class="edit-page-link button" href="https://crowdin.com/project/apache-pulsar/zh-CN" target="_blank" rel="noreferrer noopener">Translate</a><h1 class="postHeaderTitle">Get started</h1></header><article><div><span><p>When a schema is enabled, Pulsar does parse data, it takes bytes as inputs and sends bytes as outputs. While data has meaning beyond bytes, y [...]
+ </script></nav></div><div class="container mainContainer"><div class="wrapper"><div class="post"><header class="postHeader"><a class="edit-page-link button" href="https://crowdin.com/project/apache-pulsar/zh-CN" target="_blank" rel="noreferrer noopener">Translate</a><h1 class="postHeaderTitle">Get started</h1></header><article><div><span><h2><a class="anchor" aria-hidden="true" id="schema管理服务"></a><a href="#schema管理服务" aria-hidden="true" class="hash-link"><svg class="hash-link-ic [...]
+<p>对于围绕消息总线如pulsar搭建的应用来说,类型安全非常的重要。</p>
+<p>Producers and consumers need some kind of mechanism for coordinating types at the topic level to aviod various potential problems arise. For example, serialization and deserialization issues.</p>
+<p>Applications typically adopt one of the following approaches to guarantee type safety in messaging. 这两种方法都被Pulsar支持,你可以在topic的基础上,自由选择采用哪一种,或者混用。</p>
+<h3><a class="anchor" aria-hidden="true" id="client-side-approach"></a><a href="#client-side-approach" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1 [...]
+<p>Producers and consumers are responsible for not only serializing and deserializing messages (which consist of raw bytes) but also "knowing" which types are being transmitted via which topics.</p>
+<p>If a producer is sending temperature sensor data on the topic <code>topic-1</code>, consumers of that topic will run into trouble if they attempt to parse that data as moisture sensor readings.</p>
+<p>Producers and consumers can send and receive messages consisting of raw byte arrays and leave all type safety enforcement to the application on an "out-of-band" basis.</p>
+<h3><a class="anchor" aria-hidden="true" id="server-side-approach"></a><a href="#server-side-approach" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1 [...]
+<p>Producers and consumers inform the system which data types can be transmitted via the topic.</p>
+<p>通过这种方法,消息系统强制执行类型安全, 并确保生产者和消费者保持同步。</p>
+<p>Pulsar has a built-in <strong>schema registry</strong> that enables clients to upload data schemas on a per-topic basis. 这些schema显示了,topic可以识别哪些数据类型为有效。</p>
+<h2><a class="anchor" aria-hidden="true" id="why-use-schema"></a><a href="#why-use-schema" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0- [...]
+<p>When a schema is enabled, Pulsar does parse data, it takes bytes as inputs and sends bytes as outputs. While data has meaning beyond bytes, you need to parse data and might encounter parse exceptions which mainly occur in the following situations:</p>
<ul>
<li><p>The field does not exist</p></li>
<li><p>The field type has changed (for example, <code>string</code> is changed to <code>int</code>)</p></li>
@@ -89,7 +102,7 @@
}
</code></pre>
<p>When constructing a producer with the <em>User</em> class, you can specify a schema or not as below.</p>
-<h2><a class="anchor" aria-hidden="true" id="without-schema"></a><a href="#without-schema" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0- [...]
+<h3><a class="anchor" aria-hidden="true" id="without-schema"></a><a href="#without-schema" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0- [...]
<p>If you construct a producer without specifying a schema, then the producer can only produce messages of type <code>byte[]</code>. If you have a POJO class, you need to serialize the POJO into bytes before sending messages.</p>
<p><strong>Example</strong></p>
<pre><code class="hljs">Producer<byte[]> producer = client.newProducer()
@@ -99,7 +112,7 @@ User user = new User(“Tom”, 28);
byte[] message = … // serialize the `user` by yourself;
producer.send(message);
</code></pre>
-<h2><a class="anchor" aria-hidden="true" id="with-schema"></a><a href="#with-schema" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42 [...]
+<h3><a class="anchor" aria-hidden="true" id="with-schema"></a><a href="#with-schema" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42 [...]
<p>If you construct a producer with specifying a schema, then you can send a class to a topic directly without worrying about how to serialize POJOs into bytes.</p>
<p><strong>Example</strong></p>
<p>This example constructs a producer with the <em>JSONSchema</em>, and you can send the <em>User</em> class to topics directly without worrying about how to serialize it into bytes.</p>
@@ -109,9 +122,9 @@ producer.send(message);
User user = new User(“Tom”, 28);
producer.send(User);
</code></pre>
-<h2><a class="anchor" aria-hidden="true" id="summary"></a><a href="#summary" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1- [...]
+<h3><a class="anchor" aria-hidden="true" id="summary"></a><a href="#summary" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1- [...]
<p>When constructing a producer with a schema, you do not need to serialize messages into bytes, instead Pulsar schema does this job in the background.</p>
-</span></div></article></div><div class="docs-prevnext"><a class="docs-prev button" href="/docs/zh-CN/next/concepts-schema-registry"><span class="arrow-prev">← </span><span>Schema管理服务</span></a><a class="docs-next button" href="/docs/zh-CN/next/functions-overview"><span>概述</span><span class="arrow-next"> →</span></a></div></div></div><nav class="onPageNav"><ul class="toc-headings"><li><a href="#without-schema">Without schema</a></li><li><a href="#with-schema">With schema</a></li><li><a h [...]
+</span></div></article></div><div class="docs-prevnext"><a class="docs-prev button" href="/docs/zh-CN/next/concepts-schema-registry"><span class="arrow-prev">← </span><span>Schema管理服务</span></a><a class="docs-next button" href="/docs/zh-CN/next/functions-overview"><span>概述</span><span class="arrow-next"> →</span></a></div></div></div><nav class="onPageNav"><ul class="toc-headings"><li><a href="#schema管理服务">Schema管理服务</a><ul class="toc-headings"><li><a href="#client-side-approach">Client- [...]
const community = document.querySelector("a[href='#community']").parentNode;
const communityMenu =
'<li>' +
diff --git a/content/docs/zh-CN/next/schema-get-started/index.html b/content/docs/zh-CN/next/schema-get-started/index.html
index 8a910bd..c727226 100644
--- a/content/docs/zh-CN/next/schema-get-started/index.html
+++ b/content/docs/zh-CN/next/schema-get-started/index.html
@@ -1,4 +1,4 @@
-<!DOCTYPE html><html lang="zh-CN"><head><meta charSet="utf-8"/><meta http-equiv="X-UA-Compatible" content="IE=edge"/><title>Get started · Apache Pulsar</title><meta name="viewport" content="width=device-width"/><meta name="generator" content="Docusaurus"/><meta name="description" content="When a schema is enabled, Pulsar does parse data, it takes bytes as inputs and sends bytes as outputs. While data has meaning beyond bytes, you need to parse data and might encounter parse exceptions wh [...]
+<!DOCTYPE html><html lang="zh-CN"><head><meta charSet="utf-8"/><meta http-equiv="X-UA-Compatible" content="IE=edge"/><title>Get started · Apache Pulsar</title><meta name="viewport" content="width=device-width"/><meta name="generator" content="Docusaurus"/><meta name="description" content="## Schema管理服务"/><meta name="docsearch:version" content="next"/><meta name="docsearch:language" content="zh-CN"/><meta property="og:title" content="Get started · Apache Pulsar"/><meta property="og:type" [...]
(function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){
(i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o),
m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m)
@@ -74,7 +74,20 @@
};
}
});
- </script></nav></div><div class="container mainContainer"><div class="wrapper"><div class="post"><header class="postHeader"><a class="edit-page-link button" href="https://crowdin.com/project/apache-pulsar/zh-CN" target="_blank" rel="noreferrer noopener">Translate</a><h1 class="postHeaderTitle">Get started</h1></header><article><div><span><p>When a schema is enabled, Pulsar does parse data, it takes bytes as inputs and sends bytes as outputs. While data has meaning beyond bytes, y [...]
+ </script></nav></div><div class="container mainContainer"><div class="wrapper"><div class="post"><header class="postHeader"><a class="edit-page-link button" href="https://crowdin.com/project/apache-pulsar/zh-CN" target="_blank" rel="noreferrer noopener">Translate</a><h1 class="postHeaderTitle">Get started</h1></header><article><div><span><h2><a class="anchor" aria-hidden="true" id="schema管理服务"></a><a href="#schema管理服务" aria-hidden="true" class="hash-link"><svg class="hash-link-ic [...]
+<p>对于围绕消息总线如pulsar搭建的应用来说,类型安全非常的重要。</p>
+<p>Producers and consumers need some kind of mechanism for coordinating types at the topic level to aviod various potential problems arise. For example, serialization and deserialization issues.</p>
+<p>Applications typically adopt one of the following approaches to guarantee type safety in messaging. 这两种方法都被Pulsar支持,你可以在topic的基础上,自由选择采用哪一种,或者混用。</p>
+<h3><a class="anchor" aria-hidden="true" id="client-side-approach"></a><a href="#client-side-approach" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1 [...]
+<p>Producers and consumers are responsible for not only serializing and deserializing messages (which consist of raw bytes) but also "knowing" which types are being transmitted via which topics.</p>
+<p>If a producer is sending temperature sensor data on the topic <code>topic-1</code>, consumers of that topic will run into trouble if they attempt to parse that data as moisture sensor readings.</p>
+<p>Producers and consumers can send and receive messages consisting of raw byte arrays and leave all type safety enforcement to the application on an "out-of-band" basis.</p>
+<h3><a class="anchor" aria-hidden="true" id="server-side-approach"></a><a href="#server-side-approach" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1 [...]
+<p>Producers and consumers inform the system which data types can be transmitted via the topic.</p>
+<p>通过这种方法,消息系统强制执行类型安全, 并确保生产者和消费者保持同步。</p>
+<p>Pulsar has a built-in <strong>schema registry</strong> that enables clients to upload data schemas on a per-topic basis. 这些schema显示了,topic可以识别哪些数据类型为有效。</p>
+<h2><a class="anchor" aria-hidden="true" id="why-use-schema"></a><a href="#why-use-schema" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0- [...]
+<p>When a schema is enabled, Pulsar does parse data, it takes bytes as inputs and sends bytes as outputs. While data has meaning beyond bytes, you need to parse data and might encounter parse exceptions which mainly occur in the following situations:</p>
<ul>
<li><p>The field does not exist</p></li>
<li><p>The field type has changed (for example, <code>string</code> is changed to <code>int</code>)</p></li>
@@ -89,7 +102,7 @@
}
</code></pre>
<p>When constructing a producer with the <em>User</em> class, you can specify a schema or not as below.</p>
-<h2><a class="anchor" aria-hidden="true" id="without-schema"></a><a href="#without-schema" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0- [...]
+<h3><a class="anchor" aria-hidden="true" id="without-schema"></a><a href="#without-schema" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0- [...]
<p>If you construct a producer without specifying a schema, then the producer can only produce messages of type <code>byte[]</code>. If you have a POJO class, you need to serialize the POJO into bytes before sending messages.</p>
<p><strong>Example</strong></p>
<pre><code class="hljs">Producer<byte[]> producer = client.newProducer()
@@ -99,7 +112,7 @@ User user = new User(“Tom”, 28);
byte[] message = … // serialize the `user` by yourself;
producer.send(message);
</code></pre>
-<h2><a class="anchor" aria-hidden="true" id="with-schema"></a><a href="#with-schema" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42 [...]
+<h3><a class="anchor" aria-hidden="true" id="with-schema"></a><a href="#with-schema" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42 [...]
<p>If you construct a producer with specifying a schema, then you can send a class to a topic directly without worrying about how to serialize POJOs into bytes.</p>
<p><strong>Example</strong></p>
<p>This example constructs a producer with the <em>JSONSchema</em>, and you can send the <em>User</em> class to topics directly without worrying about how to serialize it into bytes.</p>
@@ -109,9 +122,9 @@ producer.send(message);
User user = new User(“Tom”, 28);
producer.send(User);
</code></pre>
-<h2><a class="anchor" aria-hidden="true" id="summary"></a><a href="#summary" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1- [...]
+<h3><a class="anchor" aria-hidden="true" id="summary"></a><a href="#summary" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1- [...]
<p>When constructing a producer with a schema, you do not need to serialize messages into bytes, instead Pulsar schema does this job in the background.</p>
-</span></div></article></div><div class="docs-prevnext"><a class="docs-prev button" href="/docs/zh-CN/next/concepts-schema-registry"><span class="arrow-prev">← </span><span>Schema管理服务</span></a><a class="docs-next button" href="/docs/zh-CN/next/functions-overview"><span>概述</span><span class="arrow-next"> →</span></a></div></div></div><nav class="onPageNav"><ul class="toc-headings"><li><a href="#without-schema">Without schema</a></li><li><a href="#with-schema">With schema</a></li><li><a h [...]
+</span></div></article></div><div class="docs-prevnext"><a class="docs-prev button" href="/docs/zh-CN/next/concepts-schema-registry"><span class="arrow-prev">← </span><span>Schema管理服务</span></a><a class="docs-next button" href="/docs/zh-CN/next/functions-overview"><span>概述</span><span class="arrow-next"> →</span></a></div></div></div><nav class="onPageNav"><ul class="toc-headings"><li><a href="#schema管理服务">Schema管理服务</a><ul class="toc-headings"><li><a href="#client-side-approach">Client- [...]
const community = document.querySelector("a[href='#community']").parentNode;
const communityMenu =
'<li>' +
diff --git a/content/docs/zh-CN/next/security-kerberos.html b/content/docs/zh-CN/next/security-kerberos.html
index 120c471..0e585ce 100644
--- a/content/docs/zh-CN/next/security-kerberos.html
+++ b/content/docs/zh-CN/next/security-kerberos.html
@@ -93,6 +93,7 @@ sudo /usr/sbin/kadmin.local -q 'addprinc -randkey client/{hostname}@{REALM}'
sudo /usr/sbin/kadmin.local -q "ktadd -k /etc/security/keytabs/{client-keytabname}.keytab client/{hostname}@{REALM}"
</code></pre>
<p>Note that it is a <em>Kerberos</em> requirement that all your hosts can be resolved with their FQDNs.</p>
+<p>The first part of Broker principal (for example, <code>broker</code> in <code>broker/{hostname}@{REALM}</code>) is the <code>serverType</code> of each host, The suggested values of <code>serverType</code> are <code>broker</code> (host machine runs service Pulsar Broker) and <code>proxy</code> (host machine runs service Pulsar Proxy).</p>
<h4><a class="anchor" aria-hidden="true" id="configure-how-to-connect-to-kdc"></a><a href="#configure-how-to-connect-to-kdc" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 [...]
<p>You need to specify the path to the <code>krb5.conf</code> file for both client and broker side. The contents of <code>krb5.conf</code> file indicate the default Realm and KDC information. See <a href="https://docs.oracle.com/javase/8/docs/technotes/guides/security/jgss/tutorials/KerberosReq.html">JDK’s Kerberos Requirements</a> for more details.</p>
<pre><code class="hljs css language-shell">-Djava.security.krb5.conf=/etc/pulsar/krb5.conf
@@ -134,32 +135,41 @@ sudo /usr/sbin/kadmin.local -q "ktadd -k /etc/security/keytabs/{client-keytabnam
<p>In the <code>pulsar_jaas.conf</code> file above</p>
<ol>
<li><code>PulsarBroker</code> is a section name in the JAAS file used by each broker. This section tells the broker which principal to use inside Kerberos and the location of the keytab where the principal is stored. It allows the broker to use the keytab specified in this section.</li>
-<li><code>PulsarClient</code> is a section name in the JASS file used by each client. This section tells the client which principal to use inside Kerberos and the location of the keytab where the principal is stored. It allows the client to use the keytab specified in this section.</li>
+<li><code>PulsarClient</code> is a section name in the JASS file used by each client. This section tells the client which principal to use inside Kerberos and the location of the keytab where the principal is stored. It allows the client to use the keytab specified in this section. In the following example, this <code>PulsarClient</code> section will also be reused in both the Pulsar internal admin configuration and in CLI command of <code>bin/pulsar-client</code>, <code>bin/pulsar-perf< [...]
</ol>
-<p>It is also a choice to have 2 separate JAAS configuration files: the file for broker will only have <code>PulsarBroker</code> section; while the one for client only have <code>PulsarClient</code> section.</p>
+<p>You can have 2 separate JAAS configuration files:</p>
+<ul>
+<li>the file for a broker has sections of both <code>PulsarBroker</code> and <code>PulsarClient</code>;</li>
+<li>the file for a client only has a <code>PulsarClient</code> section.</li>
+</ul>
<h3><a class="anchor" aria-hidden="true" id="kerberos-configuration-for-brokers"></a><a href="#kerberos-configuration-for-brokers" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5 [...]
-<ol>
-<li>In the <code>broker.conf</code> file, set Kerberos related configuration.</li>
-</ol>
+<h4><a class="anchor" aria-hidden="true" id="configure-brokerconf-file"></a><a href="#configure-brokerconf-file" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c [...]
+<p>In the <code>broker.conf</code> file, set Kerberos related configurations.</p>
<ul>
<li><p>Set <code>authenticationEnabled</code> to <code>true</code>;</p></li>
<li><p>Set <code>authenticationProviders</code> to choose <code>AuthenticationProviderSasl</code>;</p></li>
-<li><p>Set <code>saslJaasClientAllowedIds</code> regex for principal that is allowed to connect to broker.</p></li>
-<li><p>Set <code>saslJaasBrokerSectionName</code> that corresponding to the section in JAAS configuration file for broker.</p>
+<li><p>Set <code>saslJaasClientAllowedIds</code> regex for principal that is allowed to connect to broker;</p></li>
+<li><p>Set <code>saslJaasBrokerSectionName</code> that corresponding to the section in JAAS configuration file for broker;</p>
+<p>To make Pulsar internal admin client work properly, you need to set the configuration in the <code>broker.conf</code> file as below:</p></li>
+<li><p>Set <code>brokerClientAuthenticationPlugin</code> to client plugin <code>AuthenticationSasl</code>;</p></li>
+<li><p>Set <code>brokerClientAuthenticationParameters</code> to value in JSON string <code>{"saslJaasClientSectionName":"PulsarClient", "serverType":"broker"}</code>, in which <code>PulsarClient</code> is the section name in above <code>pulsar_jaas.conf</code> file, and <code>"serverType":"broker"</code> indicate that internal admin client will connect to a Pulsar Broker;</p>
<p>Here is an example:</p>
<p>authenticationEnabled=true
authenticationProviders=org.apache.pulsar.broker.authentication.AuthenticationProviderSasl
saslJaasClientAllowedIds=.<em>client.</em>
-saslJaasBrokerSectionName=PulsarBroker</p></li>
+saslJaasBrokerSectionName=PulsarBroker</p>
+<h2><a class="anchor" aria-hidden="true" id="authentication-settings-of-the-broker-itself-used-when-the-broker-connects-to-other-brokers"></a><a href="#authentication-settings-of-the-broker-itself-used-when-the-broker-connects-to-other-brokers" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2. [...]
+<p>brokerClientAuthenticationPlugin=org.apache.pulsar.client.impl.auth.AuthenticationSasl
+brokerClientAuthenticationParameters={"saslJaasClientSectionName":"PulsarClient", "serverType":"broker"}</p></li>
</ul>
-<ol start="2">
-<li>Set JVM parameter for JAAS configuration file and krb5 configuration file with additional option.</li>
-</ol>
+<h4><a class="anchor" aria-hidden="true" id="set-broker-jvm-parameter"></a><a href="#set-broker-jvm-parameter" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-. [...]
+<p>Set JVM parameters for JAAS configuration file and krb5 configuration file with additional options.</p>
<pre><code class="hljs css language-shell"> -Djava.security.auth.login.config=/etc/pulsar/pulsar_jaas.conf -Djava.security.krb5.conf=/etc/pulsar/krb5.conf
</code></pre>
<p>You can add this at the end of <code>PULSAR_EXTRA_OPTS</code> in the file <a href="https://github.com/apache/pulsar/blob/master/conf/pulsar_env.sh"><code>pulsar_env.sh</code></a></p>
<p>Make sure that the keytabs configured in the <code>pulsar_jaas.conf</code> file and kdc server in the <code>krb5.conf</code> file are reachable by the operating system user who is starting broker.</p>
<h3><a class="anchor" aria-hidden="true" id="kerberos-configuration-for-clients"></a><a href="#kerberos-configuration-for-clients" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5 [...]
+<h4><a class="anchor" aria-hidden="true" id="java-client-and-java-admin-client"></a><a href="#java-client-and-java-admin-client" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S1 [...]
<p>In client application, include <code>pulsar-client-auth-sasl</code> in your project dependency.</p>
<pre><code class="hljs"> <dependency>
<groupId>org.apache.pulsar</groupId>
@@ -198,20 +208,23 @@ java -cp -Djava.security.auth.login.<span class="hljs-attribute">config</span>=/
<br />Make sure that the keytabs configured <span class="hljs-keyword">in</span> the `pulsar_jaas.conf` file <span class="hljs-keyword">and</span> kdc<span class="hljs-built_in"> server </span><span class="hljs-keyword">in</span> the `krb5.conf` file are reachable by the operating<span class="hljs-built_in"> system user </span>who is starting pulsar client.
- <span class="hljs-keyword">If</span> you are using command line, you can continue with these <span class="hljs-keyword">step</span>:
+ #### Configure CLI tools
+
+ <span class="hljs-keyword">If</span> you are using a command-line<span class="hljs-built_in"> tool </span>(such as `bin/pulsar-client`, `bin/pulsar-perf` <span class="hljs-keyword">and</span> `bin/pulsar-admin`), you need <span class="hljs-keyword">to</span> preform the following steps:
- 1.<span class="hljs-built_in"> Config </span>your `client.conf`:
+ <span class="hljs-keyword">Step</span> 1.<span class="hljs-built_in"> Config </span>your `client.conf`.
```shell
<span class="hljs-attribute">authPlugin</span>=org.apache.pulsar.client.impl.auth.AuthenticationSasl
authParams={<span class="hljs-string">"saslJaasClientSectionName"</span>:<span class="hljs-string">"PulsarClient"</span>, <span class="hljs-string">"serverType"</span>:<span class="hljs-string">"broker"</span>}
-2. <span class="hljs-builtin-name">Set</span> JVM parameter <span class="hljs-keyword">for</span> JAAS configuration file <span class="hljs-keyword">and</span> krb5 configuration file with additional option.
+<span class="hljs-keyword">Step</span> 2. <span class="hljs-builtin-name">Set</span> JVM parameters <span class="hljs-keyword">for</span> JAAS configuration file <span class="hljs-keyword">and</span> krb5 configuration file with additional options.
```shell
-Djava.security.auth.login.<span class="hljs-attribute">config</span>=/etc/pulsar/pulsar_jaas.conf -Djava.security.krb5.<span class="hljs-attribute">conf</span>=/etc/pulsar/krb5.conf
</code></pre>
-<p>You can add this at the end of <code>PULSAR_EXTRA_OPTS</code> in the file <a href="https://github.com/apache/pulsar/blob/master/conf/pulsar_tools_env.sh"><code>pulsar_tools_env.sh</code></a></p>
+<p>You can add this at the end of <code>PULSAR_EXTRA_OPTS</code> in the file <a href="https://github.com/apache/pulsar/blob/master/conf/pulsar_tools_env.sh"><code>pulsar_tools_env.sh</code></a>, or add this line <code>OPTS="$OPTS -Djava.security.auth.login.config=/etc/pulsar/pulsar_jaas.conf -Djava.security.krb5.conf=/etc/pulsar/krb5.conf "</code> directly to the CLI tool script.</p>
+<p>The meaning of configurations is the same as that in Java client section.</p>
<h2><a class="anchor" aria-hidden="true" id="kerberos-configuration-for-working-with-pulsar-proxy"></a><a href="#kerberos-configuration-for-working-with-pulsar-proxy" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S [...]
<p>With the above configuration, client and broker can do authentication using Kerberos.</p>
<p>If a client wants to connect to Pulsar Proxy, it is a little different. Client (as a SASL client in Kerberos) will be authenticated by Pulsar Proxy (as a SASL Server in Kerberos) first; and then Pulsar Proxy will be authenticated by Pulsar broker.</p>
@@ -293,7 +306,7 @@ java -cp -Djava.security.auth.login.<span class="hljs-attribute">config</span>=/
## related <span class="hljs-keyword">to</span> be authenticated by broker
<span class="hljs-attribute">brokerClientAuthenticationPlugin</span>=org.apache.pulsar.client.impl.auth.AuthenticationSasl
- <span class="hljs-attribute">brokerClientAuthenticationParameters</span>=saslJaasClientSectionName:PulsarProxy,serverType:broker
+ brokerClientAuthenticationParameters={<span class="hljs-string">"saslJaasClientSectionName"</span>:<span class="hljs-string">"PulsarProxy"</span>, <span class="hljs-string">"serverType"</span>:<span class="hljs-string">"broker"</span>}
<span class="hljs-attribute">forwardAuthorizationCredentials</span>=<span class="hljs-literal">true</span>
@@ -322,12 +335,39 @@ The broker side configuration file is the same with the above `broker.conf`, you
```bash
<span class="hljs-attribute">superUserRoles</span>=client/{clientIp}@EXAMPLE.COM
</code></pre>
-<h2><a class="anchor" aria-hidden="true" id="regarding-authorization-between-bookkeeper-and-zookeeper"></a><a href="#regarding-authorization-between-bookkeeper-and-zookeeper" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.2 [...]
-<p>Adding <code>bookkeeperClientAuthenticationPlugin</code> parameter in <code>broker.conf</code> is a prerequisite for Broker (as a Kerberos client) being authenticated by Bookie (as a Kerberos Server):</p>
+<h2><a class="anchor" aria-hidden="true" id="regarding-authentication-between-zookeeper-and-broker"></a><a href="#regarding-authentication-between-zookeeper-and-broker" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2. [...]
+<p>Pulsar Broker acts as a Kerberos client when authenticating with Zookeeper. According to <a href="https://cwiki.apache.org/confluence/display/ZOOKEEPER/Client-Server+mutual+authentication">ZooKeeper document</a>, you need these settings in <code>conf/zookeeper.conf</code>:</p>
+<pre><code class="hljs">authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
+requireClientAuthScheme=sasl
+</code></pre>
+<p>And add a section of <code>Client</code> configurations in the file <code>pulsar_jaas.conf</code>, which is used by Pulsar Broker:</p>
+<pre><code class="hljs"> Client {
+ com.sun.security.auth.module.Krb5LoginModule required
+ useKeyTab=true
+ storeKey=true
+ useTicketCache=false
+ keyTab="/etc/security/keytabs/pulsarbroker.keytab"
+ principal="broker/localhost@EXAMPLE.COM";
+};
+</code></pre>
+<p>In this setting, Pulsar Broker's principal and keyTab file indicates Broker's role when authenticating with ZooKeeper.</p>
+<h2><a class="anchor" aria-hidden="true" id="regarding-authentication-between-bookkeeper-and-broker"></a><a href="#regarding-authentication-between-bookkeeper-and-broker" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 [...]
+<p>Pulsar Broker acts as a Kerberos client when authenticating with Bookie. According to <a href="http://bookkeeper.apache.org/docs/latest/security/sasl/">BookKeeper document</a>, you need to add <code>bookkeeperClientAuthenticationPlugin</code> parameter in <code>broker.conf</code>:</p>
<pre><code class="hljs">bookkeeperClientAuthenticationPlugin=org.apache.bookkeeper.sasl.SASLClientProviderFactory
</code></pre>
-<p>For more details of how to configure Kerberos for BookKeeper and Zookeeper, refer to <a href="http://bookkeeper.apache.org/docs/latest/security/sasl/">BookKeeper document</a>.</p>
-</span></div></article></div><div class="docs-prevnext"><a class="docs-prev button" href="/docs/zh-CN/next/security-athenz"><span class="arrow-prev">← </span><span>Authentication using Athenz</span></a><a class="docs-next button" href="/docs/zh-CN/next/security-authorization"><span>Authorization and ACLs</span><span class="arrow-next"> →</span></a></div></div></div><nav class="onPageNav"><ul class="toc-headings"><li><a href="#configuration-for-kerberos-between-client-and-broker">Configur [...]
+<p>In this setting, <code>SASLClientProviderFactory</code> creates a BookKeeper SASL client in a Broker, and the Broker uses the created SASL client to authenticate with a Bookie node.</p>
+<p>And add a section of <code>BookKeeper</code> configurations in the <code>pulsar_jaas.conf</code> that used by Pulsar Broker:</p>
+<pre><code class="hljs"> BookKeeper {
+ com.sun.security.auth.module.Krb5LoginModule required
+ useKeyTab=true
+ storeKey=true
+ useTicketCache=false
+ keyTab="/etc/security/keytabs/pulsarbroker.keytab"
+ principal="broker/localhost@EXAMPLE.COM";
+};
+</code></pre>
+<p>In this setting, Pulsar Broker's principal and keyTab file indicates Broker's role when authenticating with Bookie.</p>
+</span></div></article></div><div class="docs-prevnext"><a class="docs-prev button" href="/docs/zh-CN/next/security-athenz"><span class="arrow-prev">← </span><span>Authentication using Athenz</span></a><a class="docs-next button" href="/docs/zh-CN/next/security-authorization"><span>Authorization and ACLs</span><span class="arrow-next"> →</span></a></div></div></div><nav class="onPageNav"><ul class="toc-headings"><li><a href="#configuration-for-kerberos-between-client-and-broker">Configur [...]
const community = document.querySelector("a[href='#community']").parentNode;
const communityMenu =
'<li>' +
diff --git a/content/docs/zh-CN/next/security-kerberos/index.html b/content/docs/zh-CN/next/security-kerberos/index.html
index 120c471..0e585ce 100644
--- a/content/docs/zh-CN/next/security-kerberos/index.html
+++ b/content/docs/zh-CN/next/security-kerberos/index.html
@@ -93,6 +93,7 @@ sudo /usr/sbin/kadmin.local -q 'addprinc -randkey client/{hostname}@{REALM}'
sudo /usr/sbin/kadmin.local -q "ktadd -k /etc/security/keytabs/{client-keytabname}.keytab client/{hostname}@{REALM}"
</code></pre>
<p>Note that it is a <em>Kerberos</em> requirement that all your hosts can be resolved with their FQDNs.</p>
+<p>The first part of Broker principal (for example, <code>broker</code> in <code>broker/{hostname}@{REALM}</code>) is the <code>serverType</code> of each host, The suggested values of <code>serverType</code> are <code>broker</code> (host machine runs service Pulsar Broker) and <code>proxy</code> (host machine runs service Pulsar Proxy).</p>
<h4><a class="anchor" aria-hidden="true" id="configure-how-to-connect-to-kdc"></a><a href="#configure-how-to-connect-to-kdc" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 [...]
<p>You need to specify the path to the <code>krb5.conf</code> file for both client and broker side. The contents of <code>krb5.conf</code> file indicate the default Realm and KDC information. See <a href="https://docs.oracle.com/javase/8/docs/technotes/guides/security/jgss/tutorials/KerberosReq.html">JDK’s Kerberos Requirements</a> for more details.</p>
<pre><code class="hljs css language-shell">-Djava.security.krb5.conf=/etc/pulsar/krb5.conf
@@ -134,32 +135,41 @@ sudo /usr/sbin/kadmin.local -q "ktadd -k /etc/security/keytabs/{client-keytabnam
<p>In the <code>pulsar_jaas.conf</code> file above</p>
<ol>
<li><code>PulsarBroker</code> is a section name in the JAAS file used by each broker. This section tells the broker which principal to use inside Kerberos and the location of the keytab where the principal is stored. It allows the broker to use the keytab specified in this section.</li>
-<li><code>PulsarClient</code> is a section name in the JASS file used by each client. This section tells the client which principal to use inside Kerberos and the location of the keytab where the principal is stored. It allows the client to use the keytab specified in this section.</li>
+<li><code>PulsarClient</code> is a section name in the JASS file used by each client. This section tells the client which principal to use inside Kerberos and the location of the keytab where the principal is stored. It allows the client to use the keytab specified in this section. In the following example, this <code>PulsarClient</code> section will also be reused in both the Pulsar internal admin configuration and in CLI command of <code>bin/pulsar-client</code>, <code>bin/pulsar-perf< [...]
</ol>
-<p>It is also a choice to have 2 separate JAAS configuration files: the file for broker will only have <code>PulsarBroker</code> section; while the one for client only have <code>PulsarClient</code> section.</p>
+<p>You can have 2 separate JAAS configuration files:</p>
+<ul>
+<li>the file for a broker has sections of both <code>PulsarBroker</code> and <code>PulsarClient</code>;</li>
+<li>the file for a client only has a <code>PulsarClient</code> section.</li>
+</ul>
<h3><a class="anchor" aria-hidden="true" id="kerberos-configuration-for-brokers"></a><a href="#kerberos-configuration-for-brokers" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5 [...]
-<ol>
-<li>In the <code>broker.conf</code> file, set Kerberos related configuration.</li>
-</ol>
+<h4><a class="anchor" aria-hidden="true" id="configure-brokerconf-file"></a><a href="#configure-brokerconf-file" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c [...]
+<p>In the <code>broker.conf</code> file, set Kerberos related configurations.</p>
<ul>
<li><p>Set <code>authenticationEnabled</code> to <code>true</code>;</p></li>
<li><p>Set <code>authenticationProviders</code> to choose <code>AuthenticationProviderSasl</code>;</p></li>
-<li><p>Set <code>saslJaasClientAllowedIds</code> regex for principal that is allowed to connect to broker.</p></li>
-<li><p>Set <code>saslJaasBrokerSectionName</code> that corresponding to the section in JAAS configuration file for broker.</p>
+<li><p>Set <code>saslJaasClientAllowedIds</code> regex for principal that is allowed to connect to broker;</p></li>
+<li><p>Set <code>saslJaasBrokerSectionName</code> that corresponding to the section in JAAS configuration file for broker;</p>
+<p>To make Pulsar internal admin client work properly, you need to set the configuration in the <code>broker.conf</code> file as below:</p></li>
+<li><p>Set <code>brokerClientAuthenticationPlugin</code> to client plugin <code>AuthenticationSasl</code>;</p></li>
+<li><p>Set <code>brokerClientAuthenticationParameters</code> to value in JSON string <code>{"saslJaasClientSectionName":"PulsarClient", "serverType":"broker"}</code>, in which <code>PulsarClient</code> is the section name in above <code>pulsar_jaas.conf</code> file, and <code>"serverType":"broker"</code> indicate that internal admin client will connect to a Pulsar Broker;</p>
<p>Here is an example:</p>
<p>authenticationEnabled=true
authenticationProviders=org.apache.pulsar.broker.authentication.AuthenticationProviderSasl
saslJaasClientAllowedIds=.<em>client.</em>
-saslJaasBrokerSectionName=PulsarBroker</p></li>
+saslJaasBrokerSectionName=PulsarBroker</p>
+<h2><a class="anchor" aria-hidden="true" id="authentication-settings-of-the-broker-itself-used-when-the-broker-connects-to-other-brokers"></a><a href="#authentication-settings-of-the-broker-itself-used-when-the-broker-connects-to-other-brokers" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2. [...]
+<p>brokerClientAuthenticationPlugin=org.apache.pulsar.client.impl.auth.AuthenticationSasl
+brokerClientAuthenticationParameters={"saslJaasClientSectionName":"PulsarClient", "serverType":"broker"}</p></li>
</ul>
-<ol start="2">
-<li>Set JVM parameter for JAAS configuration file and krb5 configuration file with additional option.</li>
-</ol>
+<h4><a class="anchor" aria-hidden="true" id="set-broker-jvm-parameter"></a><a href="#set-broker-jvm-parameter" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-. [...]
+<p>Set JVM parameters for JAAS configuration file and krb5 configuration file with additional options.</p>
<pre><code class="hljs css language-shell"> -Djava.security.auth.login.config=/etc/pulsar/pulsar_jaas.conf -Djava.security.krb5.conf=/etc/pulsar/krb5.conf
</code></pre>
<p>You can add this at the end of <code>PULSAR_EXTRA_OPTS</code> in the file <a href="https://github.com/apache/pulsar/blob/master/conf/pulsar_env.sh"><code>pulsar_env.sh</code></a></p>
<p>Make sure that the keytabs configured in the <code>pulsar_jaas.conf</code> file and kdc server in the <code>krb5.conf</code> file are reachable by the operating system user who is starting broker.</p>
<h3><a class="anchor" aria-hidden="true" id="kerberos-configuration-for-clients"></a><a href="#kerberos-configuration-for-clients" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5 [...]
+<h4><a class="anchor" aria-hidden="true" id="java-client-and-java-admin-client"></a><a href="#java-client-and-java-admin-client" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S1 [...]
<p>In client application, include <code>pulsar-client-auth-sasl</code> in your project dependency.</p>
<pre><code class="hljs"> <dependency>
<groupId>org.apache.pulsar</groupId>
@@ -198,20 +208,23 @@ java -cp -Djava.security.auth.login.<span class="hljs-attribute">config</span>=/
<br />Make sure that the keytabs configured <span class="hljs-keyword">in</span> the `pulsar_jaas.conf` file <span class="hljs-keyword">and</span> kdc<span class="hljs-built_in"> server </span><span class="hljs-keyword">in</span> the `krb5.conf` file are reachable by the operating<span class="hljs-built_in"> system user </span>who is starting pulsar client.
- <span class="hljs-keyword">If</span> you are using command line, you can continue with these <span class="hljs-keyword">step</span>:
+ #### Configure CLI tools
+
+ <span class="hljs-keyword">If</span> you are using a command-line<span class="hljs-built_in"> tool </span>(such as `bin/pulsar-client`, `bin/pulsar-perf` <span class="hljs-keyword">and</span> `bin/pulsar-admin`), you need <span class="hljs-keyword">to</span> preform the following steps:
- 1.<span class="hljs-built_in"> Config </span>your `client.conf`:
+ <span class="hljs-keyword">Step</span> 1.<span class="hljs-built_in"> Config </span>your `client.conf`.
```shell
<span class="hljs-attribute">authPlugin</span>=org.apache.pulsar.client.impl.auth.AuthenticationSasl
authParams={<span class="hljs-string">"saslJaasClientSectionName"</span>:<span class="hljs-string">"PulsarClient"</span>, <span class="hljs-string">"serverType"</span>:<span class="hljs-string">"broker"</span>}
-2. <span class="hljs-builtin-name">Set</span> JVM parameter <span class="hljs-keyword">for</span> JAAS configuration file <span class="hljs-keyword">and</span> krb5 configuration file with additional option.
+<span class="hljs-keyword">Step</span> 2. <span class="hljs-builtin-name">Set</span> JVM parameters <span class="hljs-keyword">for</span> JAAS configuration file <span class="hljs-keyword">and</span> krb5 configuration file with additional options.
```shell
-Djava.security.auth.login.<span class="hljs-attribute">config</span>=/etc/pulsar/pulsar_jaas.conf -Djava.security.krb5.<span class="hljs-attribute">conf</span>=/etc/pulsar/krb5.conf
</code></pre>
-<p>You can add this at the end of <code>PULSAR_EXTRA_OPTS</code> in the file <a href="https://github.com/apache/pulsar/blob/master/conf/pulsar_tools_env.sh"><code>pulsar_tools_env.sh</code></a></p>
+<p>You can add this at the end of <code>PULSAR_EXTRA_OPTS</code> in the file <a href="https://github.com/apache/pulsar/blob/master/conf/pulsar_tools_env.sh"><code>pulsar_tools_env.sh</code></a>, or add this line <code>OPTS="$OPTS -Djava.security.auth.login.config=/etc/pulsar/pulsar_jaas.conf -Djava.security.krb5.conf=/etc/pulsar/krb5.conf "</code> directly to the CLI tool script.</p>
+<p>The meaning of configurations is the same as that in Java client section.</p>
<h2><a class="anchor" aria-hidden="true" id="kerberos-configuration-for-working-with-pulsar-proxy"></a><a href="#kerberos-configuration-for-working-with-pulsar-proxy" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S [...]
<p>With the above configuration, client and broker can do authentication using Kerberos.</p>
<p>If a client wants to connect to Pulsar Proxy, it is a little different. Client (as a SASL client in Kerberos) will be authenticated by Pulsar Proxy (as a SASL Server in Kerberos) first; and then Pulsar Proxy will be authenticated by Pulsar broker.</p>
@@ -293,7 +306,7 @@ java -cp -Djava.security.auth.login.<span class="hljs-attribute">config</span>=/
## related <span class="hljs-keyword">to</span> be authenticated by broker
<span class="hljs-attribute">brokerClientAuthenticationPlugin</span>=org.apache.pulsar.client.impl.auth.AuthenticationSasl
- <span class="hljs-attribute">brokerClientAuthenticationParameters</span>=saslJaasClientSectionName:PulsarProxy,serverType:broker
+ brokerClientAuthenticationParameters={<span class="hljs-string">"saslJaasClientSectionName"</span>:<span class="hljs-string">"PulsarProxy"</span>, <span class="hljs-string">"serverType"</span>:<span class="hljs-string">"broker"</span>}
<span class="hljs-attribute">forwardAuthorizationCredentials</span>=<span class="hljs-literal">true</span>
@@ -322,12 +335,39 @@ The broker side configuration file is the same with the above `broker.conf`, you
```bash
<span class="hljs-attribute">superUserRoles</span>=client/{clientIp}@EXAMPLE.COM
</code></pre>
-<h2><a class="anchor" aria-hidden="true" id="regarding-authorization-between-bookkeeper-and-zookeeper"></a><a href="#regarding-authorization-between-bookkeeper-and-zookeeper" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.2 [...]
-<p>Adding <code>bookkeeperClientAuthenticationPlugin</code> parameter in <code>broker.conf</code> is a prerequisite for Broker (as a Kerberos client) being authenticated by Bookie (as a Kerberos Server):</p>
+<h2><a class="anchor" aria-hidden="true" id="regarding-authentication-between-zookeeper-and-broker"></a><a href="#regarding-authentication-between-zookeeper-and-broker" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2. [...]
+<p>Pulsar Broker acts as a Kerberos client when authenticating with Zookeeper. According to <a href="https://cwiki.apache.org/confluence/display/ZOOKEEPER/Client-Server+mutual+authentication">ZooKeeper document</a>, you need these settings in <code>conf/zookeeper.conf</code>:</p>
+<pre><code class="hljs">authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
+requireClientAuthScheme=sasl
+</code></pre>
+<p>And add a section of <code>Client</code> configurations in the file <code>pulsar_jaas.conf</code>, which is used by Pulsar Broker:</p>
+<pre><code class="hljs"> Client {
+ com.sun.security.auth.module.Krb5LoginModule required
+ useKeyTab=true
+ storeKey=true
+ useTicketCache=false
+ keyTab="/etc/security/keytabs/pulsarbroker.keytab"
+ principal="broker/localhost@EXAMPLE.COM";
+};
+</code></pre>
+<p>In this setting, Pulsar Broker's principal and keyTab file indicates Broker's role when authenticating with ZooKeeper.</p>
+<h2><a class="anchor" aria-hidden="true" id="regarding-authentication-between-bookkeeper-and-broker"></a><a href="#regarding-authentication-between-bookkeeper-and-broker" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 [...]
+<p>Pulsar Broker acts as a Kerberos client when authenticating with Bookie. According to <a href="http://bookkeeper.apache.org/docs/latest/security/sasl/">BookKeeper document</a>, you need to add <code>bookkeeperClientAuthenticationPlugin</code> parameter in <code>broker.conf</code>:</p>
<pre><code class="hljs">bookkeeperClientAuthenticationPlugin=org.apache.bookkeeper.sasl.SASLClientProviderFactory
</code></pre>
-<p>For more details of how to configure Kerberos for BookKeeper and Zookeeper, refer to <a href="http://bookkeeper.apache.org/docs/latest/security/sasl/">BookKeeper document</a>.</p>
-</span></div></article></div><div class="docs-prevnext"><a class="docs-prev button" href="/docs/zh-CN/next/security-athenz"><span class="arrow-prev">← </span><span>Authentication using Athenz</span></a><a class="docs-next button" href="/docs/zh-CN/next/security-authorization"><span>Authorization and ACLs</span><span class="arrow-next"> →</span></a></div></div></div><nav class="onPageNav"><ul class="toc-headings"><li><a href="#configuration-for-kerberos-between-client-and-broker">Configur [...]
+<p>In this setting, <code>SASLClientProviderFactory</code> creates a BookKeeper SASL client in a Broker, and the Broker uses the created SASL client to authenticate with a Bookie node.</p>
+<p>And add a section of <code>BookKeeper</code> configurations in the <code>pulsar_jaas.conf</code> that used by Pulsar Broker:</p>
+<pre><code class="hljs"> BookKeeper {
+ com.sun.security.auth.module.Krb5LoginModule required
+ useKeyTab=true
+ storeKey=true
+ useTicketCache=false
+ keyTab="/etc/security/keytabs/pulsarbroker.keytab"
+ principal="broker/localhost@EXAMPLE.COM";
+};
+</code></pre>
+<p>In this setting, Pulsar Broker's principal and keyTab file indicates Broker's role when authenticating with Bookie.</p>
+</span></div></article></div><div class="docs-prevnext"><a class="docs-prev button" href="/docs/zh-CN/next/security-athenz"><span class="arrow-prev">← </span><span>Authentication using Athenz</span></a><a class="docs-next button" href="/docs/zh-CN/next/security-authorization"><span>Authorization and ACLs</span><span class="arrow-next"> →</span></a></div></div></div><nav class="onPageNav"><ul class="toc-headings"><li><a href="#configuration-for-kerberos-between-client-and-broker">Configur [...]
const community = document.querySelector("a[href='#community']").parentNode;
const communityMenu =
'<li>' +
diff --git a/content/docs/zh-CN/security-kerberos.html b/content/docs/zh-CN/security-kerberos.html
index 0161af8..4b03112 100644
--- a/content/docs/zh-CN/security-kerberos.html
+++ b/content/docs/zh-CN/security-kerberos.html
@@ -93,6 +93,7 @@ sudo /usr/sbin/kadmin.local -q 'addprinc -randkey client/{hostname}@{REALM}'
sudo /usr/sbin/kadmin.local -q "ktadd -k /etc/security/keytabs/{client-keytabname}.keytab client/{hostname}@{REALM}"
</code></pre>
<p>Note that it is a <em>Kerberos</em> requirement that all your hosts can be resolved with their FQDNs.</p>
+<p>The first part of Broker principal (for example, <code>broker</code> in <code>broker/{hostname}@{REALM}</code>) is the <code>serverType</code> of each host, The suggested values of <code>serverType</code> are <code>broker</code> (host machine runs service Pulsar Broker) and <code>proxy</code> (host machine runs service Pulsar Proxy).</p>
<h4><a class="anchor" aria-hidden="true" id="configure-how-to-connect-to-kdc"></a><a href="#configure-how-to-connect-to-kdc" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 [...]
<p>You need to specify the path to the <code>krb5.conf</code> file for both client and broker side. The contents of <code>krb5.conf</code> file indicate the default Realm and KDC information. See <a href="https://docs.oracle.com/javase/8/docs/technotes/guides/security/jgss/tutorials/KerberosReq.html">JDK’s Kerberos Requirements</a> for more details.</p>
<pre><code class="hljs css language-shell">-Djava.security.krb5.conf=/etc/pulsar/krb5.conf
@@ -134,32 +135,41 @@ sudo /usr/sbin/kadmin.local -q "ktadd -k /etc/security/keytabs/{client-keytabnam
<p>In the <code>pulsar_jaas.conf</code> file above</p>
<ol>
<li><code>PulsarBroker</code> is a section name in the JAAS file used by each broker. This section tells the broker which principal to use inside Kerberos and the location of the keytab where the principal is stored. It allows the broker to use the keytab specified in this section.</li>
-<li><code>PulsarClient</code> is a section name in the JASS file used by each client. This section tells the client which principal to use inside Kerberos and the location of the keytab where the principal is stored. It allows the client to use the keytab specified in this section.</li>
+<li><code>PulsarClient</code> is a section name in the JASS file used by each client. This section tells the client which principal to use inside Kerberos and the location of the keytab where the principal is stored. It allows the client to use the keytab specified in this section. In the following example, this <code>PulsarClient</code> section will also be reused in both the Pulsar internal admin configuration and in CLI command of <code>bin/pulsar-client</code>, <code>bin/pulsar-perf< [...]
</ol>
-<p>It is also a choice to have 2 separate JAAS configuration files: the file for broker will only have <code>PulsarBroker</code> section; while the one for client only have <code>PulsarClient</code> section.</p>
+<p>You can have 2 separate JAAS configuration files:</p>
+<ul>
+<li>the file for a broker has sections of both <code>PulsarBroker</code> and <code>PulsarClient</code>;</li>
+<li>the file for a client only has a <code>PulsarClient</code> section.</li>
+</ul>
<h3><a class="anchor" aria-hidden="true" id="kerberos-configuration-for-brokers"></a><a href="#kerberos-configuration-for-brokers" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5 [...]
-<ol>
-<li>In the <code>broker.conf</code> file, set Kerberos related configuration.</li>
-</ol>
+<h4><a class="anchor" aria-hidden="true" id="configure-brokerconf-file"></a><a href="#configure-brokerconf-file" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c [...]
+<p>In the <code>broker.conf</code> file, set Kerberos related configurations.</p>
<ul>
<li><p>Set <code>authenticationEnabled</code> to <code>true</code>;</p></li>
<li><p>Set <code>authenticationProviders</code> to choose <code>AuthenticationProviderSasl</code>;</p></li>
-<li><p>Set <code>saslJaasClientAllowedIds</code> regex for principal that is allowed to connect to broker.</p></li>
-<li><p>Set <code>saslJaasBrokerSectionName</code> that corresponding to the section in JAAS configuration file for broker.</p>
+<li><p>Set <code>saslJaasClientAllowedIds</code> regex for principal that is allowed to connect to broker;</p></li>
+<li><p>Set <code>saslJaasBrokerSectionName</code> that corresponding to the section in JAAS configuration file for broker;</p>
+<p>To make Pulsar internal admin client work properly, you need to set the configuration in the <code>broker.conf</code> file as below:</p></li>
+<li><p>Set <code>brokerClientAuthenticationPlugin</code> to client plugin <code>AuthenticationSasl</code>;</p></li>
+<li><p>Set <code>brokerClientAuthenticationParameters</code> to value in JSON string <code>{"saslJaasClientSectionName":"PulsarClient", "serverType":"broker"}</code>, in which <code>PulsarClient</code> is the section name in above <code>pulsar_jaas.conf</code> file, and <code>"serverType":"broker"</code> indicate that internal admin client will connect to a Pulsar Broker;</p>
<p>Here is an example:</p>
<p>authenticationEnabled=true
authenticationProviders=org.apache.pulsar.broker.authentication.AuthenticationProviderSasl
saslJaasClientAllowedIds=.<em>client.</em>
-saslJaasBrokerSectionName=PulsarBroker</p></li>
+saslJaasBrokerSectionName=PulsarBroker</p>
+<h2><a class="anchor" aria-hidden="true" id="authentication-settings-of-the-broker-itself-used-when-the-broker-connects-to-other-brokers"></a><a href="#authentication-settings-of-the-broker-itself-used-when-the-broker-connects-to-other-brokers" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2. [...]
+<p>brokerClientAuthenticationPlugin=org.apache.pulsar.client.impl.auth.AuthenticationSasl
+brokerClientAuthenticationParameters={"saslJaasClientSectionName":"PulsarClient", "serverType":"broker"}</p></li>
</ul>
-<ol start="2">
-<li>Set JVM parameter for JAAS configuration file and krb5 configuration file with additional option.</li>
-</ol>
+<h4><a class="anchor" aria-hidden="true" id="set-broker-jvm-parameter"></a><a href="#set-broker-jvm-parameter" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-. [...]
+<p>Set JVM parameters for JAAS configuration file and krb5 configuration file with additional options.</p>
<pre><code class="hljs css language-shell"> -Djava.security.auth.login.config=/etc/pulsar/pulsar_jaas.conf -Djava.security.krb5.conf=/etc/pulsar/krb5.conf
</code></pre>
<p>You can add this at the end of <code>PULSAR_EXTRA_OPTS</code> in the file <a href="https://github.com/apache/pulsar/blob/master/conf/pulsar_env.sh"><code>pulsar_env.sh</code></a></p>
<p>Make sure that the keytabs configured in the <code>pulsar_jaas.conf</code> file and kdc server in the <code>krb5.conf</code> file are reachable by the operating system user who is starting broker.</p>
<h3><a class="anchor" aria-hidden="true" id="kerberos-configuration-for-clients"></a><a href="#kerberos-configuration-for-clients" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5 [...]
+<h4><a class="anchor" aria-hidden="true" id="java-client-and-java-admin-client"></a><a href="#java-client-and-java-admin-client" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S1 [...]
<p>In client application, include <code>pulsar-client-auth-sasl</code> in your project dependency.</p>
<pre><code class="hljs"> <dependency>
<groupId>org.apache.pulsar</groupId>
@@ -198,20 +208,23 @@ java -cp -Djava.security.auth.login.<span class="hljs-attribute">config</span>=/
<br />Make sure that the keytabs configured <span class="hljs-keyword">in</span> the `pulsar_jaas.conf` file <span class="hljs-keyword">and</span> kdc<span class="hljs-built_in"> server </span><span class="hljs-keyword">in</span> the `krb5.conf` file are reachable by the operating<span class="hljs-built_in"> system user </span>who is starting pulsar client.
- <span class="hljs-keyword">If</span> you are using command line, you can continue with these <span class="hljs-keyword">step</span>:
+ #### Configure CLI tools
+
+ <span class="hljs-keyword">If</span> you are using a command-line<span class="hljs-built_in"> tool </span>(such as `bin/pulsar-client`, `bin/pulsar-perf` <span class="hljs-keyword">and</span> `bin/pulsar-admin`), you need <span class="hljs-keyword">to</span> preform the following steps:
- 1.<span class="hljs-built_in"> Config </span>your `client.conf`:
+ <span class="hljs-keyword">Step</span> 1.<span class="hljs-built_in"> Config </span>your `client.conf`.
```shell
<span class="hljs-attribute">authPlugin</span>=org.apache.pulsar.client.impl.auth.AuthenticationSasl
authParams={<span class="hljs-string">"saslJaasClientSectionName"</span>:<span class="hljs-string">"PulsarClient"</span>, <span class="hljs-string">"serverType"</span>:<span class="hljs-string">"broker"</span>}
-2. <span class="hljs-builtin-name">Set</span> JVM parameter <span class="hljs-keyword">for</span> JAAS configuration file <span class="hljs-keyword">and</span> krb5 configuration file with additional option.
+<span class="hljs-keyword">Step</span> 2. <span class="hljs-builtin-name">Set</span> JVM parameters <span class="hljs-keyword">for</span> JAAS configuration file <span class="hljs-keyword">and</span> krb5 configuration file with additional options.
```shell
-Djava.security.auth.login.<span class="hljs-attribute">config</span>=/etc/pulsar/pulsar_jaas.conf -Djava.security.krb5.<span class="hljs-attribute">conf</span>=/etc/pulsar/krb5.conf
</code></pre>
-<p>You can add this at the end of <code>PULSAR_EXTRA_OPTS</code> in the file <a href="https://github.com/apache/pulsar/blob/master/conf/pulsar_tools_env.sh"><code>pulsar_tools_env.sh</code></a></p>
+<p>You can add this at the end of <code>PULSAR_EXTRA_OPTS</code> in the file <a href="https://github.com/apache/pulsar/blob/master/conf/pulsar_tools_env.sh"><code>pulsar_tools_env.sh</code></a>, or add this line <code>OPTS="$OPTS -Djava.security.auth.login.config=/etc/pulsar/pulsar_jaas.conf -Djava.security.krb5.conf=/etc/pulsar/krb5.conf "</code> directly to the CLI tool script.</p>
+<p>The meaning of configurations is the same as that in Java client section.</p>
<h2><a class="anchor" aria-hidden="true" id="kerberos-configuration-for-working-with-pulsar-proxy"></a><a href="#kerberos-configuration-for-working-with-pulsar-proxy" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S [...]
<p>With the above configuration, client and broker can do authentication using Kerberos.</p>
<p>If a client wants to connect to Pulsar Proxy, it is a little different. Client (as a SASL client in Kerberos) will be authenticated by Pulsar Proxy (as a SASL Server in Kerberos) first; and then Pulsar Proxy will be authenticated by Pulsar broker.</p>
@@ -293,7 +306,7 @@ java -cp -Djava.security.auth.login.<span class="hljs-attribute">config</span>=/
## related <span class="hljs-keyword">to</span> be authenticated by broker
<span class="hljs-attribute">brokerClientAuthenticationPlugin</span>=org.apache.pulsar.client.impl.auth.AuthenticationSasl
- <span class="hljs-attribute">brokerClientAuthenticationParameters</span>=saslJaasClientSectionName:PulsarProxy,serverType:broker
+ brokerClientAuthenticationParameters={<span class="hljs-string">"saslJaasClientSectionName"</span>:<span class="hljs-string">"PulsarProxy"</span>, <span class="hljs-string">"serverType"</span>:<span class="hljs-string">"broker"</span>}
<span class="hljs-attribute">forwardAuthorizationCredentials</span>=<span class="hljs-literal">true</span>
@@ -322,12 +335,39 @@ The broker side configuration file is the same with the above `broker.conf`, you
```bash
<span class="hljs-attribute">superUserRoles</span>=client/{clientIp}@EXAMPLE.COM
</code></pre>
-<h2><a class="anchor" aria-hidden="true" id="regarding-authorization-between-bookkeeper-and-zookeeper"></a><a href="#regarding-authorization-between-bookkeeper-and-zookeeper" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.2 [...]
-<p>Adding <code>bookkeeperClientAuthenticationPlugin</code> parameter in <code>broker.conf</code> is a prerequisite for Broker (as a Kerberos client) being authenticated by Bookie (as a Kerberos Server):</p>
+<h2><a class="anchor" aria-hidden="true" id="regarding-authentication-between-zookeeper-and-broker"></a><a href="#regarding-authentication-between-zookeeper-and-broker" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2. [...]
+<p>Pulsar Broker acts as a Kerberos client when authenticating with Zookeeper. According to <a href="https://cwiki.apache.org/confluence/display/ZOOKEEPER/Client-Server+mutual+authentication">ZooKeeper document</a>, you need these settings in <code>conf/zookeeper.conf</code>:</p>
+<pre><code class="hljs">authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
+requireClientAuthScheme=sasl
+</code></pre>
+<p>And add a section of <code>Client</code> configurations in the file <code>pulsar_jaas.conf</code>, which is used by Pulsar Broker:</p>
+<pre><code class="hljs"> Client {
+ com.sun.security.auth.module.Krb5LoginModule required
+ useKeyTab=true
+ storeKey=true
+ useTicketCache=false
+ keyTab="/etc/security/keytabs/pulsarbroker.keytab"
+ principal="broker/localhost@EXAMPLE.COM";
+};
+</code></pre>
+<p>In this setting, Pulsar Broker's principal and keyTab file indicates Broker's role when authenticating with ZooKeeper.</p>
+<h2><a class="anchor" aria-hidden="true" id="regarding-authentication-between-bookkeeper-and-broker"></a><a href="#regarding-authentication-between-bookkeeper-and-broker" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 [...]
+<p>Pulsar Broker acts as a Kerberos client when authenticating with Bookie. According to <a href="http://bookkeeper.apache.org/docs/latest/security/sasl/">BookKeeper document</a>, you need to add <code>bookkeeperClientAuthenticationPlugin</code> parameter in <code>broker.conf</code>:</p>
<pre><code class="hljs">bookkeeperClientAuthenticationPlugin=org.apache.bookkeeper.sasl.SASLClientProviderFactory
</code></pre>
-<p>For more details of how to configure Kerberos for BookKeeper and Zookeeper, refer to <a href="http://bookkeeper.apache.org/docs/latest/security/sasl/">BookKeeper document</a>.</p>
-</span></div></article></div><div class="docs-prevnext"><a class="docs-prev button" href="/docs/zh-CN/security-athenz"><span class="arrow-prev">← </span><span>Authentication using Athenz</span></a><a class="docs-next button" href="/docs/zh-CN/security-authorization"><span>Authorization and ACLs</span><span class="arrow-next"> →</span></a></div></div></div><nav class="onPageNav"><ul class="toc-headings"><li><a href="#configuration-for-kerberos-between-client-and-broker">Configuration for [...]
+<p>In this setting, <code>SASLClientProviderFactory</code> creates a BookKeeper SASL client in a Broker, and the Broker uses the created SASL client to authenticate with a Bookie node.</p>
+<p>And add a section of <code>BookKeeper</code> configurations in the <code>pulsar_jaas.conf</code> that used by Pulsar Broker:</p>
+<pre><code class="hljs"> BookKeeper {
+ com.sun.security.auth.module.Krb5LoginModule required
+ useKeyTab=true
+ storeKey=true
+ useTicketCache=false
+ keyTab="/etc/security/keytabs/pulsarbroker.keytab"
+ principal="broker/localhost@EXAMPLE.COM";
+};
+</code></pre>
+<p>In this setting, Pulsar Broker's principal and keyTab file indicates Broker's role when authenticating with Bookie.</p>
+</span></div></article></div><div class="docs-prevnext"><a class="docs-prev button" href="/docs/zh-CN/security-athenz"><span class="arrow-prev">← </span><span>Authentication using Athenz</span></a><a class="docs-next button" href="/docs/zh-CN/security-authorization"><span>Authorization and ACLs</span><span class="arrow-next"> →</span></a></div></div></div><nav class="onPageNav"><ul class="toc-headings"><li><a href="#configuration-for-kerberos-between-client-and-broker">Configuration for [...]
const community = document.querySelector("a[href='#community']").parentNode;
const communityMenu =
'<li>' +
diff --git a/content/docs/zh-CN/security-kerberos/index.html b/content/docs/zh-CN/security-kerberos/index.html
index 0161af8..4b03112 100644
--- a/content/docs/zh-CN/security-kerberos/index.html
+++ b/content/docs/zh-CN/security-kerberos/index.html
@@ -93,6 +93,7 @@ sudo /usr/sbin/kadmin.local -q 'addprinc -randkey client/{hostname}@{REALM}'
sudo /usr/sbin/kadmin.local -q "ktadd -k /etc/security/keytabs/{client-keytabname}.keytab client/{hostname}@{REALM}"
</code></pre>
<p>Note that it is a <em>Kerberos</em> requirement that all your hosts can be resolved with their FQDNs.</p>
+<p>The first part of Broker principal (for example, <code>broker</code> in <code>broker/{hostname}@{REALM}</code>) is the <code>serverType</code> of each host, The suggested values of <code>serverType</code> are <code>broker</code> (host machine runs service Pulsar Broker) and <code>proxy</code> (host machine runs service Pulsar Proxy).</p>
<h4><a class="anchor" aria-hidden="true" id="configure-how-to-connect-to-kdc"></a><a href="#configure-how-to-connect-to-kdc" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 [...]
<p>You need to specify the path to the <code>krb5.conf</code> file for both client and broker side. The contents of <code>krb5.conf</code> file indicate the default Realm and KDC information. See <a href="https://docs.oracle.com/javase/8/docs/technotes/guides/security/jgss/tutorials/KerberosReq.html">JDK’s Kerberos Requirements</a> for more details.</p>
<pre><code class="hljs css language-shell">-Djava.security.krb5.conf=/etc/pulsar/krb5.conf
@@ -134,32 +135,41 @@ sudo /usr/sbin/kadmin.local -q "ktadd -k /etc/security/keytabs/{client-keytabnam
<p>In the <code>pulsar_jaas.conf</code> file above</p>
<ol>
<li><code>PulsarBroker</code> is a section name in the JAAS file used by each broker. This section tells the broker which principal to use inside Kerberos and the location of the keytab where the principal is stored. It allows the broker to use the keytab specified in this section.</li>
-<li><code>PulsarClient</code> is a section name in the JASS file used by each client. This section tells the client which principal to use inside Kerberos and the location of the keytab where the principal is stored. It allows the client to use the keytab specified in this section.</li>
+<li><code>PulsarClient</code> is a section name in the JASS file used by each client. This section tells the client which principal to use inside Kerberos and the location of the keytab where the principal is stored. It allows the client to use the keytab specified in this section. In the following example, this <code>PulsarClient</code> section will also be reused in both the Pulsar internal admin configuration and in CLI command of <code>bin/pulsar-client</code>, <code>bin/pulsar-perf< [...]
</ol>
-<p>It is also a choice to have 2 separate JAAS configuration files: the file for broker will only have <code>PulsarBroker</code> section; while the one for client only have <code>PulsarClient</code> section.</p>
+<p>You can have 2 separate JAAS configuration files:</p>
+<ul>
+<li>the file for a broker has sections of both <code>PulsarBroker</code> and <code>PulsarClient</code>;</li>
+<li>the file for a client only has a <code>PulsarClient</code> section.</li>
+</ul>
<h3><a class="anchor" aria-hidden="true" id="kerberos-configuration-for-brokers"></a><a href="#kerberos-configuration-for-brokers" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5 [...]
-<ol>
-<li>In the <code>broker.conf</code> file, set Kerberos related configuration.</li>
-</ol>
+<h4><a class="anchor" aria-hidden="true" id="configure-brokerconf-file"></a><a href="#configure-brokerconf-file" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c [...]
+<p>In the <code>broker.conf</code> file, set Kerberos related configurations.</p>
<ul>
<li><p>Set <code>authenticationEnabled</code> to <code>true</code>;</p></li>
<li><p>Set <code>authenticationProviders</code> to choose <code>AuthenticationProviderSasl</code>;</p></li>
-<li><p>Set <code>saslJaasClientAllowedIds</code> regex for principal that is allowed to connect to broker.</p></li>
-<li><p>Set <code>saslJaasBrokerSectionName</code> that corresponding to the section in JAAS configuration file for broker.</p>
+<li><p>Set <code>saslJaasClientAllowedIds</code> regex for principal that is allowed to connect to broker;</p></li>
+<li><p>Set <code>saslJaasBrokerSectionName</code> that corresponding to the section in JAAS configuration file for broker;</p>
+<p>To make Pulsar internal admin client work properly, you need to set the configuration in the <code>broker.conf</code> file as below:</p></li>
+<li><p>Set <code>brokerClientAuthenticationPlugin</code> to client plugin <code>AuthenticationSasl</code>;</p></li>
+<li><p>Set <code>brokerClientAuthenticationParameters</code> to value in JSON string <code>{"saslJaasClientSectionName":"PulsarClient", "serverType":"broker"}</code>, in which <code>PulsarClient</code> is the section name in above <code>pulsar_jaas.conf</code> file, and <code>"serverType":"broker"</code> indicate that internal admin client will connect to a Pulsar Broker;</p>
<p>Here is an example:</p>
<p>authenticationEnabled=true
authenticationProviders=org.apache.pulsar.broker.authentication.AuthenticationProviderSasl
saslJaasClientAllowedIds=.<em>client.</em>
-saslJaasBrokerSectionName=PulsarBroker</p></li>
+saslJaasBrokerSectionName=PulsarBroker</p>
+<h2><a class="anchor" aria-hidden="true" id="authentication-settings-of-the-broker-itself-used-when-the-broker-connects-to-other-brokers"></a><a href="#authentication-settings-of-the-broker-itself-used-when-the-broker-connects-to-other-brokers" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2. [...]
+<p>brokerClientAuthenticationPlugin=org.apache.pulsar.client.impl.auth.AuthenticationSasl
+brokerClientAuthenticationParameters={"saslJaasClientSectionName":"PulsarClient", "serverType":"broker"}</p></li>
</ul>
-<ol start="2">
-<li>Set JVM parameter for JAAS configuration file and krb5 configuration file with additional option.</li>
-</ol>
+<h4><a class="anchor" aria-hidden="true" id="set-broker-jvm-parameter"></a><a href="#set-broker-jvm-parameter" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-. [...]
+<p>Set JVM parameters for JAAS configuration file and krb5 configuration file with additional options.</p>
<pre><code class="hljs css language-shell"> -Djava.security.auth.login.config=/etc/pulsar/pulsar_jaas.conf -Djava.security.krb5.conf=/etc/pulsar/krb5.conf
</code></pre>
<p>You can add this at the end of <code>PULSAR_EXTRA_OPTS</code> in the file <a href="https://github.com/apache/pulsar/blob/master/conf/pulsar_env.sh"><code>pulsar_env.sh</code></a></p>
<p>Make sure that the keytabs configured in the <code>pulsar_jaas.conf</code> file and kdc server in the <code>krb5.conf</code> file are reachable by the operating system user who is starting broker.</p>
<h3><a class="anchor" aria-hidden="true" id="kerberos-configuration-for-clients"></a><a href="#kerberos-configuration-for-clients" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5 [...]
+<h4><a class="anchor" aria-hidden="true" id="java-client-and-java-admin-client"></a><a href="#java-client-and-java-admin-client" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S1 [...]
<p>In client application, include <code>pulsar-client-auth-sasl</code> in your project dependency.</p>
<pre><code class="hljs"> <dependency>
<groupId>org.apache.pulsar</groupId>
@@ -198,20 +208,23 @@ java -cp -Djava.security.auth.login.<span class="hljs-attribute">config</span>=/
<br />Make sure that the keytabs configured <span class="hljs-keyword">in</span> the `pulsar_jaas.conf` file <span class="hljs-keyword">and</span> kdc<span class="hljs-built_in"> server </span><span class="hljs-keyword">in</span> the `krb5.conf` file are reachable by the operating<span class="hljs-built_in"> system user </span>who is starting pulsar client.
- <span class="hljs-keyword">If</span> you are using command line, you can continue with these <span class="hljs-keyword">step</span>:
+ #### Configure CLI tools
+
+ <span class="hljs-keyword">If</span> you are using a command-line<span class="hljs-built_in"> tool </span>(such as `bin/pulsar-client`, `bin/pulsar-perf` <span class="hljs-keyword">and</span> `bin/pulsar-admin`), you need <span class="hljs-keyword">to</span> preform the following steps:
- 1.<span class="hljs-built_in"> Config </span>your `client.conf`:
+ <span class="hljs-keyword">Step</span> 1.<span class="hljs-built_in"> Config </span>your `client.conf`.
```shell
<span class="hljs-attribute">authPlugin</span>=org.apache.pulsar.client.impl.auth.AuthenticationSasl
authParams={<span class="hljs-string">"saslJaasClientSectionName"</span>:<span class="hljs-string">"PulsarClient"</span>, <span class="hljs-string">"serverType"</span>:<span class="hljs-string">"broker"</span>}
-2. <span class="hljs-builtin-name">Set</span> JVM parameter <span class="hljs-keyword">for</span> JAAS configuration file <span class="hljs-keyword">and</span> krb5 configuration file with additional option.
+<span class="hljs-keyword">Step</span> 2. <span class="hljs-builtin-name">Set</span> JVM parameters <span class="hljs-keyword">for</span> JAAS configuration file <span class="hljs-keyword">and</span> krb5 configuration file with additional options.
```shell
-Djava.security.auth.login.<span class="hljs-attribute">config</span>=/etc/pulsar/pulsar_jaas.conf -Djava.security.krb5.<span class="hljs-attribute">conf</span>=/etc/pulsar/krb5.conf
</code></pre>
-<p>You can add this at the end of <code>PULSAR_EXTRA_OPTS</code> in the file <a href="https://github.com/apache/pulsar/blob/master/conf/pulsar_tools_env.sh"><code>pulsar_tools_env.sh</code></a></p>
+<p>You can add this at the end of <code>PULSAR_EXTRA_OPTS</code> in the file <a href="https://github.com/apache/pulsar/blob/master/conf/pulsar_tools_env.sh"><code>pulsar_tools_env.sh</code></a>, or add this line <code>OPTS="$OPTS -Djava.security.auth.login.config=/etc/pulsar/pulsar_jaas.conf -Djava.security.krb5.conf=/etc/pulsar/krb5.conf "</code> directly to the CLI tool script.</p>
+<p>The meaning of configurations is the same as that in Java client section.</p>
<h2><a class="anchor" aria-hidden="true" id="kerberos-configuration-for-working-with-pulsar-proxy"></a><a href="#kerberos-configuration-for-working-with-pulsar-proxy" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S [...]
<p>With the above configuration, client and broker can do authentication using Kerberos.</p>
<p>If a client wants to connect to Pulsar Proxy, it is a little different. Client (as a SASL client in Kerberos) will be authenticated by Pulsar Proxy (as a SASL Server in Kerberos) first; and then Pulsar Proxy will be authenticated by Pulsar broker.</p>
@@ -293,7 +306,7 @@ java -cp -Djava.security.auth.login.<span class="hljs-attribute">config</span>=/
## related <span class="hljs-keyword">to</span> be authenticated by broker
<span class="hljs-attribute">brokerClientAuthenticationPlugin</span>=org.apache.pulsar.client.impl.auth.AuthenticationSasl
- <span class="hljs-attribute">brokerClientAuthenticationParameters</span>=saslJaasClientSectionName:PulsarProxy,serverType:broker
+ brokerClientAuthenticationParameters={<span class="hljs-string">"saslJaasClientSectionName"</span>:<span class="hljs-string">"PulsarProxy"</span>, <span class="hljs-string">"serverType"</span>:<span class="hljs-string">"broker"</span>}
<span class="hljs-attribute">forwardAuthorizationCredentials</span>=<span class="hljs-literal">true</span>
@@ -322,12 +335,39 @@ The broker side configuration file is the same with the above `broker.conf`, you
```bash
<span class="hljs-attribute">superUserRoles</span>=client/{clientIp}@EXAMPLE.COM
</code></pre>
-<h2><a class="anchor" aria-hidden="true" id="regarding-authorization-between-bookkeeper-and-zookeeper"></a><a href="#regarding-authorization-between-bookkeeper-and-zookeeper" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.2 [...]
-<p>Adding <code>bookkeeperClientAuthenticationPlugin</code> parameter in <code>broker.conf</code> is a prerequisite for Broker (as a Kerberos client) being authenticated by Bookie (as a Kerberos Server):</p>
+<h2><a class="anchor" aria-hidden="true" id="regarding-authentication-between-zookeeper-and-broker"></a><a href="#regarding-authentication-between-zookeeper-and-broker" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2. [...]
+<p>Pulsar Broker acts as a Kerberos client when authenticating with Zookeeper. According to <a href="https://cwiki.apache.org/confluence/display/ZOOKEEPER/Client-Server+mutual+authentication">ZooKeeper document</a>, you need these settings in <code>conf/zookeeper.conf</code>:</p>
+<pre><code class="hljs">authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
+requireClientAuthScheme=sasl
+</code></pre>
+<p>And add a section of <code>Client</code> configurations in the file <code>pulsar_jaas.conf</code>, which is used by Pulsar Broker:</p>
+<pre><code class="hljs"> Client {
+ com.sun.security.auth.module.Krb5LoginModule required
+ useKeyTab=true
+ storeKey=true
+ useTicketCache=false
+ keyTab="/etc/security/keytabs/pulsarbroker.keytab"
+ principal="broker/localhost@EXAMPLE.COM";
+};
+</code></pre>
+<p>In this setting, Pulsar Broker's principal and keyTab file indicates Broker's role when authenticating with ZooKeeper.</p>
+<h2><a class="anchor" aria-hidden="true" id="regarding-authentication-between-bookkeeper-and-broker"></a><a href="#regarding-authentication-between-bookkeeper-and-broker" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 [...]
+<p>Pulsar Broker acts as a Kerberos client when authenticating with Bookie. According to <a href="http://bookkeeper.apache.org/docs/latest/security/sasl/">BookKeeper document</a>, you need to add <code>bookkeeperClientAuthenticationPlugin</code> parameter in <code>broker.conf</code>:</p>
<pre><code class="hljs">bookkeeperClientAuthenticationPlugin=org.apache.bookkeeper.sasl.SASLClientProviderFactory
</code></pre>
-<p>For more details of how to configure Kerberos for BookKeeper and Zookeeper, refer to <a href="http://bookkeeper.apache.org/docs/latest/security/sasl/">BookKeeper document</a>.</p>
-</span></div></article></div><div class="docs-prevnext"><a class="docs-prev button" href="/docs/zh-CN/security-athenz"><span class="arrow-prev">← </span><span>Authentication using Athenz</span></a><a class="docs-next button" href="/docs/zh-CN/security-authorization"><span>Authorization and ACLs</span><span class="arrow-next"> →</span></a></div></div></div><nav class="onPageNav"><ul class="toc-headings"><li><a href="#configuration-for-kerberos-between-client-and-broker">Configuration for [...]
+<p>In this setting, <code>SASLClientProviderFactory</code> creates a BookKeeper SASL client in a Broker, and the Broker uses the created SASL client to authenticate with a Bookie node.</p>
+<p>And add a section of <code>BookKeeper</code> configurations in the <code>pulsar_jaas.conf</code> that used by Pulsar Broker:</p>
+<pre><code class="hljs"> BookKeeper {
+ com.sun.security.auth.module.Krb5LoginModule required
+ useKeyTab=true
+ storeKey=true
+ useTicketCache=false
+ keyTab="/etc/security/keytabs/pulsarbroker.keytab"
+ principal="broker/localhost@EXAMPLE.COM";
+};
+</code></pre>
+<p>In this setting, Pulsar Broker's principal and keyTab file indicates Broker's role when authenticating with Bookie.</p>
+</span></div></article></div><div class="docs-prevnext"><a class="docs-prev button" href="/docs/zh-CN/security-athenz"><span class="arrow-prev">← </span><span>Authentication using Athenz</span></a><a class="docs-next button" href="/docs/zh-CN/security-authorization"><span>Authorization and ACLs</span><span class="arrow-next"> →</span></a></div></div></div><nav class="onPageNav"><ul class="toc-headings"><li><a href="#configuration-for-kerberos-between-client-and-broker">Configuration for [...]
const community = document.querySelector("a[href='#community']").parentNode;
const communityMenu =
'<li>' +
diff --git a/content/swagger/2.5.0-SNAPSHOT/swagger.json b/content/swagger/2.5.0-SNAPSHOT/swagger.json
index 7214cf4..dedae65 100644
--- a/content/swagger/2.5.0-SNAPSHOT/swagger.json
+++ b/content/swagger/2.5.0-SNAPSHOT/swagger.json
@@ -4784,7 +4784,7 @@
"200" : {
"description" : "successful operation",
"schema" : {
- "$ref" : "#/definitions/NonPersistentTopicStats"
+ "$ref" : "#/definitions/TopicStats"
}
},
"401" : {
@@ -8515,10 +8515,10 @@
"type" : "string"
}
},
- "connectedSince" : {
+ "clientVersion" : {
"type" : "string"
},
- "clientVersion" : {
+ "connectedSince" : {
"type" : "string"
},
"address" : {
@@ -8866,11 +8866,14 @@
"type" : "number",
"format" : "double"
},
- "bandwidthIn" : {
- "$ref" : "#/definitions/ResourceUsage"
+ "underLoaded" : {
+ "type" : "boolean"
},
- "bandwidthOut" : {
- "$ref" : "#/definitions/ResourceUsage"
+ "overLoaded" : {
+ "type" : "boolean"
+ },
+ "loadReportType" : {
+ "type" : "string"
},
"msgThroughputOut" : {
"type" : "number",
@@ -8880,26 +8883,23 @@
"type" : "integer",
"format" : "int64"
},
+ "bandwidthIn" : {
+ "$ref" : "#/definitions/ResourceUsage"
+ },
"cpu" : {
"$ref" : "#/definitions/ResourceUsage"
},
- "underLoaded" : {
- "type" : "boolean"
+ "directMemory" : {
+ "$ref" : "#/definitions/ResourceUsage"
},
"msgThroughputIn" : {
"type" : "number",
"format" : "double"
},
- "loadReportType" : {
- "type" : "string"
- },
- "overLoaded" : {
- "type" : "boolean"
- },
- "memory" : {
+ "bandwidthOut" : {
"$ref" : "#/definitions/ResourceUsage"
},
- "directMemory" : {
+ "memory" : {
"$ref" : "#/definitions/ResourceUsage"
}
}
@@ -9068,13 +9068,13 @@
"type" : "number",
"format" : "double"
},
- "producerName" : {
+ "clientVersion" : {
"type" : "string"
},
- "connectedSince" : {
+ "producerName" : {
"type" : "string"
},
- "clientVersion" : {
+ "connectedSince" : {
"type" : "string"
},
"address" : {
@@ -9739,13 +9739,13 @@
"type" : "string"
}
},
- "producerName" : {
+ "clientVersion" : {
"type" : "string"
},
- "connectedSince" : {
+ "producerName" : {
"type" : "string"
},
- "clientVersion" : {
+ "connectedSince" : {
"type" : "string"
},
"address" : {
@@ -9804,15 +9804,15 @@
"ResourceDescription" : {
"type" : "object",
"properties" : {
- "usagePct" : {
- "type" : "integer",
- "format" : "int32"
- },
"resourceUsage" : {
"type" : "object",
"additionalProperties" : {
"$ref" : "#/definitions/ResourceUsage"
}
+ },
+ "usagePct" : {
+ "type" : "integer",
+ "format" : "int32"
}
}
},
diff --git a/content/swagger/2.5.0-SNAPSHOT/swaggerfunctions.json b/content/swagger/2.5.0-SNAPSHOT/swaggerfunctions.json
index 9f5b3ad..33e86fd 100644
--- a/content/swagger/2.5.0-SNAPSHOT/swaggerfunctions.json
+++ b/content/swagger/2.5.0-SNAPSHOT/swaggerfunctions.json
@@ -1348,6 +1348,12 @@
"Message" : {
"type" : "object",
"properties" : {
+ "messageId" : {
+ "$ref" : "#/definitions/MessageId"
+ },
+ "producerName" : {
+ "type" : "string"
+ },
"sequenceId" : {
"type" : "integer",
"format" : "int64"
@@ -1366,9 +1372,6 @@
"topicName" : {
"type" : "string"
},
- "encryptionCtx" : {
- "$ref" : "#/definitions/EncryptionContext"
- },
"redeliveryCount" : {
"type" : "integer",
"format" : "int32"
@@ -1387,6 +1390,9 @@
"format" : "byte"
}
},
+ "replicatedFrom" : {
+ "type" : "string"
+ },
"orderingKey" : {
"type" : "array",
"items" : {
@@ -1394,14 +1400,8 @@
"format" : "byte"
}
},
- "producerName" : {
- "type" : "string"
- },
- "messageId" : {
- "$ref" : "#/definitions/MessageId"
- },
- "replicatedFrom" : {
- "type" : "string"
+ "encryptionCtx" : {
+ "$ref" : "#/definitions/EncryptionContext"
},
"data" : {
"type" : "array",