Authentication using HTTP basic

Basic authentication is a simple authentication scheme built into the HTTP protocol, which uses base64-encoded username and password pairs as credentials.

Prerequisites

Install htpasswd in your environment to create a password file for storing username-password pairs.

  • For Ubuntu/Debian, run the following command to install htpasswd.

    1. apt install apache2-utils

  • For CentOS/RHEL, run the following command to install htpasswd.

    1. yum install httpd-tools

Create your authentication file

Authentication using HTTP basic - 图1note

Currently, you can use MD5 (recommended) and CRYPT encryption to authenticate your password.

Create a password file named .htpasswd with a user account superuser/admin:

  • Use MD5 encryption (recommended):

    1. htpasswd -cmb /path/to/.htpasswd superuser admin

  • Use CRYPT encryption:

    1. htpasswd -cdb /path/to/.htpasswd superuser admin

You can preview the content of your password file by running the following command:

  1. cat path/to/.htpasswd
  2. superuser:$apr1$GBIYZYFZ$MzLcPrvoUky16mLcK6UtX/

Enable basic authentication on brokers/proxies

To configure brokers/proxies to authenticate clients using basic, add the following parameters to the conf/broker.conf and the conf/proxy.conf file. If you use a standalone Pulsar, you need to add these parameters to the conf/standalone.conf file:

  1. # Configuration to enable Basic authentication
  2. authenticationEnabled=true
  3. authenticationProviders=org.apache.pulsar.broker.authentication.AuthenticationProviderBasic
  5. basicAuthConf=file:///path/to/.htpasswd
  6. # basicAuthConf=/path/to/.htpasswd
  7. # When use the base64 format, you need to encode the .htpaswd content to bas64
  8. # basicAuthConf=data:;base64,YOUR-BASE64
  9. # basicAuthConf=YOUR-BASE64
  11. # Authentication settings of the broker itself. Used when the broker connects to other brokers, or when the proxy connects to brokers, either in same or other clusters
  12. brokerClientAuthenticationPlugin=org.apache.pulsar.client.impl.auth.AuthenticationBasic
  13. brokerClientAuthenticationParameters={"userId":"superuser","password":"admin"}

Authentication using HTTP basic - 图2note

You can also set an environment variable named PULSAR_EXTRA_OPTS and the value is -Dpulsar.auth.basic.conf=/path/to/.htpasswd. Pulsar reads this environment variable to implement HTTP basic authentication.

Configure basic authentication in CLI tools

Command-line tools, such as Pulsar-admin, Pulsar-perf and Pulsar-client, use the conf/client.conf file in your Pulsar installation. To configure basic authentication in Pulsar CLI tools, you need to add the following parameters to the conf/client.conf file.

  1. authPlugin=org.apache.pulsar.client.impl.auth.AuthenticationBasic
  2. authParams={"userId":"superuser","password":"admin"}

Configure basic authentication in Pulsar clients

The following example shows how to configure basic authentication when using Pulsar clients.

  • Java
  • Python
  • C++
  • Go
  1. AuthenticationBasic auth = new AuthenticationBasic();
  2. auth.configure("{\"userId\":\"superuser\",\"password\":\"admin\"}");
  3. PulsarClient client = PulsarClient.builder()
  4.    .serviceUrl("pulsar://broker.example.com:6650")
  5.    .authentication(auth)
  6.    .build();
  1. #include <pulsar/Client.h>
  3. int main() {
  4.     pulsar::ClientConfiguration config;
  5.     AuthenticationPtr auth = pulsar::AuthBasic::create("admin", "123456")
  6.     config.setAuth(auth);
  7.     pulsar::Client client("pulsar://broker.example.com:6650/", config);
  9.     return 0;
  10. }
  1. if __name__ == "__main__":
  2.    client = Client("pulsar://broker.example.com:6650", authentication=AuthenticationBasic("admin", "123456"))
  1.     provider, err := pulsar.NewAuthenticationBasic("admin", "123456")
  2.     if err != nil {
  3.         log.Fatal(err)
  4.     }
  5.     client, err := pulsar.NewClient(pulsar.ClientOptions{
  6.         URL: "pulsar://broker.example.com:6650",
  7.         Authentication: provider,
  8.     })