Athenz is a role-based authentication/authorization system. In Pulsar, Athenz role tokens (aka z-tokens) can be used to establish the identity of the client.

Athenz authentication settings

In a decentralized Athenz system there is both an authoriZation Management System (ZMS) server and an authoriZation Token System (ZTS) server.

First, you need to set up Athenz service access control. You should create domains for the provider (which provides some resources to other services with some authentication/authorization policies) and the tenant (which is provisioned to access some resources in a provider). In this case, the provider corresponds to the Pulsar service itself and the tenant corresponds to each application using Pulsar (typically, a Pulsar tenant).

Create the tenant domain and service

On the tenant side, you need to:

  1. Create a domain, such as shopping
  2. Generate a private/public key pair
  3. Create a service on the domain using the public key, such as some_app

Note that the private key generated in step 2 needs to be specified when the Pulsar client connects to the broker (see client configuration examples for Java and C++).

For more specific steps involving the Athenz UI, please refer to this doc.

Create the provider domain and add the tenant service to some role members

On the provider side, you need to:

  1. Create a domain, such as pulsar
  2. Create a role
  3. Add the tenant service to the role members

Note that in step 2 any action and resource can be specified since they are not used on Pulsar. In other words, Pulsar uses Athenz role tokens only for authentication, not for authorization.

For more specific steps involving UI, please refer to this doc.

Configure the broker for Athenz

TLS encryption strongly recommended

Please note that using TLS encryption is strongly recommended when using Athenz as an authentication provider, as it can protect role tokens from being intercepted and reused (see also this doc).

In the conf/broker.conf configuration file of your Pulsar installation, you need to provide the class name of the Athenz authentication provider as well as a comma-separated list of provider domain names.

```properties
# Add the Athenz auth provider
authenticationEnabled=true
authorizationEnabled=true
authenticationProviders=org.apache.pulsar.broker.authentication.AuthenticationProviderAthenz
athenzDomainNames=pulsar
# Enable TLS
tlsEnabled=true
tlsCertificateFilePath=/path/to/broker-cert.pem
tlsKeyFilePath=/path/to/broker-key.pem
# Authentication settings of the broker itself. Used when the broker connects to other brokers, either in same or other clusters
brokerClientAuthenticationPlugin=org.apache.pulsar.client.impl.auth.AuthenticationAthenz
brokerClientAuthenticationParameters={"tenantDomain":"shopping","tenantService":"some_app","providerDomain":"pulsar","privateKey":"file:///path/to/private.pem","keyId":"v1"}
```

A full listing of parameters available in the conf/broker.conf file, as well as the default values for those parameters, can be found in Broker Configuration.

Configure Athenz clients

For more information on Pulsar client authentication using Athenz, see the following language-specific docs:

Configure CLI tools for Athenz

The command-line tools pulsar-admin, pulsar-perf, and pulsar-client use the conf/client.conf configuration file in the Pulsar installation.

You’ll need to add the following authentication parameters to that file to use Athenz with Pulsar’s CLI tools:

```properties
# URL for the broker
serviceUrl=https://broker.example.com:8443/
# Set Athenz auth plugin and its parameters
authPlugin=org.apache.pulsar.client.impl.auth.AuthenticationAthenz
authParams={"tenantDomain":"shopping","tenantService":"some_app","providerDomain":"pulsar","privateKey":"file:///path/to/private.pem","keyId":"v1"}
# Enable TLS
useTls=true
tlsAllowInsecureConnection=false
tlsTrustCertsFilePath=/path/to/cacert.pem
```
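The broker and CLI settings above are easy to get subtly wrong: TLS switched off on the broker (so the role token travels in clear text), `tlsAllowInsecureConnection=true` on the client (so any broker can harvest the token), or a client `providerDomain` that the broker does not list in `athenzDomainNames`. The following audit script is an added example, not part of the Pulsar project or of this doc. It parses both files in the key=value form shown on this page, parses the JSON `authParams`, and reports the mismatches against the settings this page lists. The two embedded config texts are constructed samples modelled on the snippets above, deliberately containing weak settings; domain names, paths and the `broker.example.com` host are placeholders.

```python
"""Audit Pulsar broker.conf / client.conf Athenz settings against this doc's recommendations.

Added example (hypothetical tooling, not Pulsar's own). Config texts are constructed samples.
"""
import json

# Constructed sample: same keys as the broker.conf snippet in this doc, but TLS is off.
BROKER_CONF = """\
# Add the Athenz auth provider
authenticationEnabled=true
authorizationEnabled=true
authenticationProviders=org.apache.pulsar.broker.authentication.AuthenticationProviderAthenz
athenzDomainNames=pulsar
# Enable TLS
tlsEnabled=false
brokerClientAuthenticationPlugin=org.apache.pulsar.client.impl.auth.AuthenticationAthenz
brokerClientAuthenticationParameters={"tenantDomain":"shopping","tenantService":"some_app","providerDomain":"pulsar","privateKey":"file:///path/to/private.pem","keyId":"v1"}
"""

# Constructed sample: wrong provider domain, bare key path, insecure TLS allowed.
CLIENT_CONF = """\
serviceUrl=https://broker.example.com:8443/
authPlugin=org.apache.pulsar.client.impl.auth.AuthenticationAthenz
authParams={"tenantDomain":"shopping","tenantService":"some_app","providerDomain":"payments","privateKey":"/path/to/private.pem","keyId":"v1"}
useTls=true
tlsAllowInsecureConnection=true
"""

ATHENZ_PROVIDER = "org.apache.pulsar.broker.authentication.AuthenticationProviderAthenz"
ATHENZ_CLIENT_PLUGIN = "org.apache.pulsar.client.impl.auth.AuthenticationAthenz"
REQUIRED_AUTH_PARAMS = ("tenantDomain", "tenantService", "providerDomain", "privateKey", "keyId")


def parse_properties(text):
    """Parse key=value lines; '#' lines are comments; only the first '=' splits (JSON values keep theirs)."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def is_true(props, key):
    # Pulsar boolean settings default to false when absent.
    return props.get(key, "false").lower() == "true"


def split_list(value):
    return [v.strip() for v in value.split(",") if v.strip()]


def audit_broker(props):
    findings = []
    if not is_true(props, "authenticationEnabled"):
        findings.append("broker: authenticationEnabled is not true; role tokens are never checked")
    if ATHENZ_PROVIDER not in split_list(props.get("authenticationProviders", "")):
        findings.append("broker: AuthenticationProviderAthenz is not listed in authenticationProviders")
    if not split_list(props.get("athenzDomainNames", "")):
        findings.append("broker: athenzDomainNames is empty; no provider domain is accepted")
    if not is_true(props, "tlsEnabled"):
        findings.append("broker: tlsEnabled is not true; role tokens cross the wire in clear text")
    return findings


def audit_client(props, broker_domains):
    findings = []
    if props.get("authPlugin") != ATHENZ_CLIENT_PLUGIN:
        findings.append("client: authPlugin is not AuthenticationAthenz")
    try:
        params = json.loads(props.get("authParams", ""))
    except ValueError:
        params = None
    if not isinstance(params, dict):
        findings.append("client: authParams is not a JSON object")
    else:
        for key in REQUIRED_AUTH_PARAMS:
            if not params.get(key):
                findings.append(f"client: authParams is missing {key}")
        if params.get("providerDomain") and params["providerDomain"] not in broker_domains:
            findings.append("client: providerDomain is not in the broker's athenzDomainNames")
        if params.get("privateKey") and not params["privateKey"].startswith("file:"):
            findings.append("client: privateKey does not use the file: URL form shown in this doc")
    if not is_true(props, "useTls"):
        findings.append("client: useTls is not true")
    if is_true(props, "tlsAllowInsecureConnection"):
        findings.append("client: tlsAllowInsecureConnection=true disables broker certificate verification")
    if props.get("serviceUrl", "").startswith("http://"):
        findings.append("client: serviceUrl is plain http://")
    return findings


def audit(broker_text, client_text):
    """Audit both files together so the client's providerDomain is checked against the broker's list."""
    broker = parse_properties(broker_text)
    client = parse_properties(client_text)
    domains = split_list(broker.get("athenzDomainNames", ""))
    return audit_broker(broker) + audit_client(client, domains)


if __name__ == "__main__":
    for finding in audit(BROKER_CONF, CLIENT_CONF):
        print(finding)
```

Run against the two constructed samples it reports four findings (broker TLS off, client provider-domain mismatch, bare private-key path, insecure TLS allowed); with the values from this page's own snippets it reports none. The cross-file check matters most: a client token issued for a provider domain the broker does not list is rejected at connect time, which shows up as an authentication failure rather than a configuration error.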