Authentication using Kerberos

Kerberos 是一种网络身份认证协议。 通过使用秘钥加密，Kerberos 被设计成能为客户端应用程序和服务端应用程序提供很强的身份认证。

在 Pulsar 中，你可以选择使用 SASL 配合 Kerberos 来实现一种身份认证。 Pulsar 使用 Java 身份认证和授权服务（JAAS） 来配置 SASL。 因此，要使用 Kerberos 身份认证您需要提供 JAAS 配置。

本文详细介绍了如何在 Pulsar 客户端和 brokers 之间使用 SASL 来配置 Kerberos，以及如何为 Pulsar 代理配置 Kerberos。

客户端和 Broker 之间的 Kerberos 配置

先决条件

首先，您需要创建（或者已经有了）密钥分发中心（KDC）。 还需要提前配置和运行好 密钥分发中心（KDC）。

如果您的组织已经使用了 Kerberos 服务（例如 Active Directory），那就不必安装一个新的了。 如果您的组织没有使用 Kerberos 服务，则需要安装一个。 Linux 发行商可能提供了 Kerberos 包。 关于如何安装和配置 Kerberos，请参考 Ubuntu，Redhat。

注意，如果使用 Oracle Java，需要下载对应 Java 版本的 JCE 策略文件，并将它们复制到 $JAVA_HOME/jre/lib/security 目录。

Kerberos principals

如果您使用现有的 Kerberos 系统，请向 Kerberos 管理员索要集群中每个 Broker 以及使用 Kerberos 身份认证访问 Pulsar （通过客户机或工具）的每个操作系统用户的 principal。

如果您已经安装了自己的 Kerberos 系统，可以使用以下命令创建这些 principals：

### add Principals for broker
sudo /usr/sbin/kadmin.local -q 'addprinc -randkey broker/{hostname}@{REALM}'
sudo /usr/sbin/kadmin.local -q "ktadd -k /etc/security/keytabs/{broker-keytabname}.keytab broker/{hostname}@{REALM}"
### add Principals for client
sudo /usr/sbin/kadmin.local -q 'addprinc -randkey client/{hostname}@{REALM}'
sudo /usr/sbin/kadmin.local -q "ktadd -k /etc/security/keytabs/{client-keytabname}.keytab client/{hostname}@{REALM}"

Note that Kerberos requires that all your hosts can be resolved with their FQDNs.

Broker principal 的第一部分（例如，broker/{hostname}@{REALM} 中的 broker）是每个主机的 serverType 。 serverType 的建议值是 Broker（当宿主机运行 Pulsar Broker 服务）和 Proxy （当宿主机运行 Pulsar Proxy 服务）。

配置如何连接到 KDC

您需要输入下面的命令来为客户端和 Broker 端指定 krb5.conf 文件的路径。 krb5.conf 文件的内容包含了默认的 Realm 和 KDC 信息。 See JDK’s Kerberos Requirements for more details.

-Djava.security.krb5.conf=/etc/pulsar/krb5.conf

Here is an example of the krb5.conf file:

In the configuration file, EXAMPLE.COM is the default realm; kdc = localhost:62037 is the kdc server url for realm EXAMPLE.COM:

[libdefaults]
 default_realm = EXAMPLE.COM
[realms]
 EXAMPLE.COM  = {
  kdc = localhost:62037
 }

Usually machines configured with kerberos already have a system wide configuration and this configuration is optional.

JAAS 配置文件

客户端和 broker 端都需要 JAAS 配置文件。 JAAS 配置文件提供了用于连接 KDC 的信息（section）。 Here is an example named pulsar_jaas.conf:

 PulsarBroker {
   com.sun.security.auth.module.Krb5LoginModule required
   useKeyTab=true
   storeKey=true
   useTicketCache=false
   keyTab="/etc/security/keytabs/pulsarbroker.keytab"
   principal="broker/localhost@EXAMPLE.COM";
};
 PulsarClient {
   com.sun.security.auth.module.Krb5LoginModule required
   useKeyTab=true
   storeKey=true
   useTicketCache=false
   keyTab="/etc/security/keytabs/pulsarclient.keytab"
   principal="client/localhost@EXAMPLE.COM";
};

You need to set the JAAS configuration file path as JVM parameter for client and broker. 例如:

    -Djava.security.auth.login.config=/etc/pulsar/pulsar_jaas.conf

In the pulsar_jaas.conf file above

1. PulsarBroker 是 JAAS 文件中的一个节名（section name），每个 Broker 都会用到。 这节告诉 Broker 使用 Kerberos 中的哪个 principal 以及存储 principal 的 keytab 位置。 PulsarBroker 允许 Broker 使用本节中指定的 keytab。
2. PulsarClient is a section name in the JASS file that each broker uses. This section tells the client to use which principal inside Kerberos and the location of the keytab where the principal is stored. PulsarClient allows the client to use the keytab specified in this section. The following example also reuses this PulsarClient section in both the Pulsar internal admin configuration and in CLI command of bin/pulsar-client, bin/pulsar-perf and bin/pulsar-admin. You can also add different sections for different use cases.

You can have 2 separate JAAS configuration files:

• the file for a broker that has sections of both PulsarBroker and PulsarClient;
• the file for a client that only has a PulsarClient section.

Kerberos configuration for Brokers

Configure the broker.conf file

In the broker.conf file, set Kerberos related configurations.

• Set authenticationEnabled to true;
• Set authenticationProviders to choose AuthenticationProviderSasl;
• Set saslJaasClientAllowedIds regex for principal that is allowed to connect to broker;
• Set saslJaasBrokerSectionName that corresponds to the section in JAAS configuration file for broker;

To make Pulsar internal admin client work properly, you need to set the configuration in the broker.conf file as below:

• Set brokerClientAuthenticationPlugin to client plugin AuthenticationSasl;
• Set brokerClientAuthenticationParameters to value in JSON string {"saslJaasClientSectionName":"PulsarClient", "serverType":"broker"}, in which PulsarClient is the section name in the pulsar_jaas.conf file, and "serverType":"broker" indicates that the internal admin client connects to a Pulsar Broker;

Here is an example:

authenticationEnabled=true
authenticationProviders=org.apache.pulsar.broker.authentication.AuthenticationProviderSasl
saslJaasClientAllowedIds=.*client.*
saslJaasBrokerSectionName=PulsarBroker
## Authentication settings of the broker itself. Used when the broker connects to other brokers
brokerClientAuthenticationPlugin=org.apache.pulsar.client.impl.auth.AuthenticationSasl
brokerClientAuthenticationParameters={"saslJaasClientSectionName":"PulsarClient", "serverType":"broker"}

Set Broker JVM parameter

Set JVM parameters for JAAS configuration file and krb5 configuration file with additional options.

   -Djava.security.auth.login.config=/etc/pulsar/pulsar_jaas.conf -Djava.security.krb5.conf=/etc/pulsar/krb5.conf

You can add this at the end of PULSAR_EXTRA_OPTS in the file pulsar_env.sh

You must ensure that the operating system user who starts broker can reach the keytabs configured in the pulsar_jaas.conf file and kdc server in the krb5.conf file.

Kerberos configuration for clients

Java Client and Java Admin Client

In client application, include pulsar-client-auth-sasl in your project dependency.

    <dependency>
      <groupId>org.apache.pulsar</groupId>
      <artifactId>pulsar-client-auth-sasl</artifactId>
      <version>${pulsar.version}</version>
    </dependency>

Configure the authentication type to use AuthenticationSasl, and also provide the authentication parameters to it.

You need 2 parameters:

• saslJaasClientSectionName. This parameter corresponds to the section in JAAS configuration file for client;
• serverType. This parameter stands for whether this client connects to broker or proxy. And client uses this parameter to know which server side principal should be used.

When you authenticate between client and broker with the setting in above JAAS configuration file, we need to set saslJaasClientSectionName to PulsarClient and set serverType to broker.

The following is an example of creating a Java client:

System.setProperty("java.security.auth.login.config", "/etc/pulsar/pulsar_jaas.conf");
System.setProperty("java.security.krb5.conf", "/etc/pulsar/krb5.conf");
Map<String, String> authParams = Maps.newHashMap();
authParams.put("saslJaasClientSectionName", "PulsarClient");
authParams.put("serverType", "broker");
Authentication saslAuth = AuthenticationFactory
        .create(org.apache.pulsar.client.impl.auth.AuthenticationSasl.class.getName(), authParams);
PulsarClient client = PulsarClient.builder()
        .serviceUrl("pulsar://my-broker.com:6650")
        .authentication(saslAuth)
        .build();

The first two lines in the example above are hard coded, alternatively, you can set additional JVM parameters for JAAS and krb5 configuration file when you run the application like below:

java -cp -Djava.security.auth.login.config=/etc/pulsar/pulsar_jaas.conf -Djava.security.krb5.conf=/etc/pulsar/krb5.conf $APP-jar-with-dependencies.jar $CLASSNAME

You must ensure that the operating system user who starts pulsar client can reach the keytabs configured in the pulsar_jaas.conf file and kdc server in the krb5.conf file.

Configure CLI tools

If you use a command-line tool (such as bin/pulsar-client, bin/pulsar-perf and bin/pulsar-admin), you need to preform the following steps:

Step 1. Enter the command below to configure your client.conf.

authPlugin=org.apache.pulsar.client.impl.auth.AuthenticationSasl
authParams={"saslJaasClientSectionName":"PulsarClient", "serverType":"broker"}

Step 2. Enter the command below to set JVM parameters for JAAS configuration file and krb5 configuration file with additional options.

   -Djava.security.auth.login.config=/etc/pulsar/pulsar_jaas.conf -Djava.security.krb5.conf=/etc/pulsar/krb5.conf

You can add this at the end of PULSAR_EXTRA_OPTS in the file pulsar_tools_env.sh, or add this line OPTS="$OPTS -Djava.security.auth.login.config=/etc/pulsar/pulsar_jaas.conf -Djava.security.krb5.conf=/etc/pulsar/krb5.conf " directly to the CLI tool script.

The meaning of configurations is the same as the meaning of configurations in Java client section.

Kerberos configuration for working with Pulsar Proxy

With the above configuration, client and broker can do authentication using Kerberos.

A client that connects to Pulsar Proxy is a little different. Pulsar Proxy (as a SASL Server in Kerberos) authenticates Client (as a SASL client in Kerberos) first; and then Pulsar broker authenticates Pulsar Proxy.

Now in comparision with the above configuration between client and broker, we show you how to configure Pulsar Proxy as follows.

Create principal for Pulsar Proxy in Kerberos

You need to add new principals for Pulsar Proxy comparing with the above configuration. If you already have principals for client and broker, you only need to add the proxy principal here.

### add Principals for Pulsar Proxy
sudo /usr/sbin/kadmin.local -q 'addprinc -randkey proxy/{hostname}@{REALM}'
sudo /usr/sbin/kadmin.local -q "ktadd -k /etc/security/keytabs/{proxy-keytabname}.keytab proxy/{hostname}@{REALM}"
### add Principals for broker
sudo /usr/sbin/kadmin.local -q 'addprinc -randkey broker/{hostname}@{REALM}'
sudo /usr/sbin/kadmin.local -q "ktadd -k /etc/security/keytabs/{broker-keytabname}.keytab broker/{hostname}@{REALM}"
### add Principals for client
sudo /usr/sbin/kadmin.local -q 'addprinc -randkey client/{hostname}@{REALM}'
sudo /usr/sbin/kadmin.local -q "ktadd -k /etc/security/keytabs/{client-keytabname}.keytab client/{hostname}@{REALM}"

Add a section in JAAS configuration file for Pulsar Proxy

In comparision with the above configuration, add a new section for Pulsar Proxy in JAAS configuration file.

Here is an example named pulsar_jaas.conf:

 PulsarBroker {
   com.sun.security.auth.module.Krb5LoginModule required
   useKeyTab=true
   storeKey=true
   useTicketCache=false
   keyTab="/etc/security/keytabs/pulsarbroker.keytab"
   principal="broker/localhost@EXAMPLE.COM";
};
 PulsarProxy {
   com.sun.security.auth.module.Krb5LoginModule required
   useKeyTab=true
   storeKey=true
   useTicketCache=false
   keyTab="/etc/security/keytabs/pulsarproxy.keytab"
   principal="proxy/localhost@EXAMPLE.COM";
};
 PulsarClient {
   com.sun.security.auth.module.Krb5LoginModule required
   useKeyTab=true
   storeKey=true
   useTicketCache=false
   keyTab="/etc/security/keytabs/pulsarclient.keytab"
   principal="client/localhost@EXAMPLE.COM";
};

Proxy client configuration

Pulsar client configuration is similar with client and broker configuration, except that you need to set serverType to proxy instead of broker, for the reason that you need to do the Kerberos authentication between client and proxy.

System.setProperty("java.security.auth.login.config", "/etc/pulsar/pulsar_jaas.conf");
System.setProperty("java.security.krb5.conf", "/etc/pulsar/krb5.conf");
Map<String, String> authParams = Maps.newHashMap();
authParams.put("saslJaasClientSectionName", "PulsarClient");
authParams.put("serverType", "proxy");        // ** here is the different **
Authentication saslAuth = AuthenticationFactory
        .create(org.apache.pulsar.client.impl.auth.AuthenticationSasl.class.getName(), authParams);
PulsarClient client = PulsarClient.builder()
        .serviceUrl("pulsar://my-broker.com:6650")
        .authentication(saslAuth)
        .build();

The first two lines in the example above are hard coded, alternatively, you can set additional JVM parameters for JAAS and krb5 configuration file when you run the application like below:

java -cp -Djava.security.auth.login.config=/etc/pulsar/pulsar_jaas.conf -Djava.security.krb5.conf=/etc/pulsar/krb5.conf $APP-jar-with-dependencies.jar $CLASSNAME

Kerberos configuration for Pulsar proxy service

In the proxy.conf file, set Kerberos related configuration. Here is an example:

## related to authenticate client.
authenticationEnabled=true
authenticationProviders=org.apache.pulsar.broker.authentication.AuthenticationProviderSasl
saslJaasClientAllowedIds=.*client.*
saslJaasBrokerSectionName=PulsarProxy
## related to be authenticated by broker
brokerClientAuthenticationPlugin=org.apache.pulsar.client.impl.auth.AuthenticationSasl
brokerClientAuthenticationParameters={"saslJaasClientSectionName":"PulsarProxy", "serverType":"broker"}
forwardAuthorizationCredentials=true

The first part relates to authenticating between client and Pulsar Proxy. In this phase, client works as SASL client, while Pulsar Proxy works as SASL server.

The second part relates to authenticating between Pulsar Proxy and Pulsar Broker. In this phase, Pulsar Proxy works as SASL client, while Pulsar Broker works as SASL server.

Broker side configuration.

The broker side configuration file is the same with the above broker.conf, you do not need special configuration for Pulsar Proxy.

authenticationEnabled=true
authenticationProviders=org.apache.pulsar.broker.authentication.AuthenticationProviderSasl
saslJaasClientAllowedIds=.*client.*
saslJaasBrokerSectionName=PulsarBroker

Regarding authorization and role token

For Kerberos authentication, we usually use the authenticated principal as the role token for Pulsar authorization. For more information of authorization in Pulsar, see security authorization.

If you enable ‘authorizationEnabled’, you need to set superUserRoles in broker.conf that corresponds to the name registered in kdc.

例如:

superUserRoles=client/{clientIp}@EXAMPLE.COM

Regarding authentication between ZooKeeper and Broker

Pulsar Broker acts as a Kerberos client when you authenticate with Zookeeper. According to ZooKeeper document, you need these settings in conf/zookeeper.conf:

authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
requireClientAuthScheme=sasl

Enter the following commands to add a section of Client configurations in the file pulsar_jaas.conf, which Pulsar Broker uses:

 Client {
   com.sun.security.auth.module.Krb5LoginModule required
   useKeyTab=true
   storeKey=true
   useTicketCache=false
   keyTab="/etc/security/keytabs/pulsarbroker.keytab"
   principal="broker/localhost@EXAMPLE.COM";
};

In this setting, the principal of Pulsar Broker and keyTab file indicates the role of Broker when you authenticate with ZooKeeper.

Regarding authentication between BookKeeper and Broker

Pulsar Broker acts as a Kerberos client when you authenticate with Bookie. According to BookKeeper document, you need to add bookkeeperClientAuthenticationPlugin parameter in broker.conf:

bookkeeperClientAuthenticationPlugin=org.apache.bookkeeper.sasl.SASLClientProviderFactory

In this setting, SASLClientProviderFactory creates a BookKeeper SASL client in a Broker, and the Broker uses the created SASL client to authenticate with a Bookie node.

Enter the following commands to add a section of BookKeeper configurations in the pulsar_jaas.conf that Pulsar Broker uses:

 BookKeeper {
   com.sun.security.auth.module.Krb5LoginModule required
   useKeyTab=true
   storeKey=true
   useTicketCache=false
   keyTab="/etc/security/keytabs/pulsarbroker.keytab"
   principal="broker/localhost@EXAMPLE.COM";
};

In this setting, the principal of Pulsar Broker and keyTab file indicates the role of Broker when you authenticate with Bookie.