Enabling JWT authentication in Pulsar 2.9.2 (on Kubernetes)
1. Enter the currently running broker container and run the following command to generate the private key and public key, placing them in the conf folder.
bin/pulsar tokens create-key-pair --output-private-key ./conf/jwt-private.key --output-public-key ./conf/jwt-public.key
2. Use the private key to create a token for an admin user, and keep it safe.
bin/pulsar tokens create --private-key ./conf/jwt-private.key --subject admin
Use the private key to create a token for a regular user (the trailing 1y gives it a one-year validity; omit it for a token that never expires):
bin/pulsar tokens create --private-key ./conf/jwt-private.key --subject test-user --expiry-time 1y
3. Copy the private key and public key out of the container onto the host.
docker cp 90818242bcdb:/pulsar/conf/jwt-private.key /secret/jwt-private.key
docker cp 90818242bcdb:/pulsar/conf/jwt-public.key /secret/jwt-public.key
4. Create a Secret from the public key.
# Encode the jwt-public.key file as Base64 (if it has not been encoded yet)
ENCODED_KEY=$(base64 /secret/jwt-public.key | tr -d '\n')
# Create the Secret with kubectl
kubectl create secret generic pulsar-jwt-public-key-secret --from-literal=jwt-public-key="$ENCODED_KEY" -n pulsar
5. Modify the authentication settings in the configMap: add the following under data in pulsar-broker.
To the broker, the proxy is just another client: it performs the upfront checks and then forwards the request to the broker.
The role used by the proxy must be declared in proxyRoles; it can be made a super user, or it can be granted permissions separately.
Once this is configured, for data forwarded by the proxy the broker verifies both the client's token and the proxy's token.
authenticationEnabled: 'true'
authorizationEnabled: 'true'
authenticationRefreshCheckSeconds: 60
authenticationProviders: 'org.apache.pulsar.broker.authentication.AuthenticationProviderToken'
brokerClientAuthenticationPlugin: 'org.apache.pulsar.client.impl.auth.AuthenticationToken'
brokerClientAuthenticationParameters: '{"token":"eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJhZG1pbiJ9.UUlFnlvhcPHMWPNAebzWwt6R71MxKgUIKZEZA3WeJ7d74AY2O5vFit6CcF4QyMyJri8EAzLDidkrkxmRwJ0egzqmEZLYDtKtAwBSKBrucoOzsZ-gTu_escnt_Qtzpa7QGcE2KX7wpW3-2BuolBrnmaipQqoZrq54Zlse2qA9bJgObJmXAMvIAO6tmZEHqtsWCzZV1jfXjiHE8SlESeVQ8TpvoyUzD6R2Bx36LEGRACNYxs_k0E2FO0cSflWB3sCS7mOE8ksqstNLdiN54ECfIk3AlQ0ahkvRk8b4Gweq0Vv2E87NBIFVYpYKyDFiUTlVcRaCr0RQk96J6T2qVsoTfg"}'
authenticateOriginalAuthData: 'true'
superUserRoles: 'admin,proxy-role'
tokenPublicKey: '/pulsar/secret/jwt-public.key'
proxyRoles: proxy-role
6. Modify the configMap of pulsar-proxy (in a cluster that uses the proxy, authentication must also be configured on the proxy).
Note that forwardAuthorizationCredentials must be set to true; otherwise the proxy does not forward the client's token to the broker, and the broker reports javax.naming.AuthenticationException: No anonymous role, and no authentication provider configured.
Also, the token in brokerClientAuthenticationParameters must be the token of proxy-role.
authenticationEnabled: 'true'
authenticationProviders: org.apache.pulsar.broker.authentication.AuthenticationProviderToken
authenticationRefreshCheckSeconds: '60'
authorizationEnabled: 'true'
brokerClientAuthenticationParameters: >-
  {"token":"eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJwcm94eS1yb2xlIn0.Vg7e_ahDTGCoQRKKSBGTdRhND8xI0aKG05Q1KVfETD_-rWQjoRGP_0fuxmBqFmMPNpXXKGg3-q8lbVnav7sJIwEJ-7CfsYfJiOd4f1KoP6xqWYIrkYh80Ktc0k9ZeO4zpA9uIJvdrJVzEghiS-BHXmkS7jqM35GlZM4-PxZFCqHQxgt2AlLl18ZJSYNFYfpbl7ZmI2XpAHdaeRth70JPW_hD2xE4uy8vyTpPtxB0N8kKkBhsmE8HGTo5drRyQugCaGto6WApaRrnQiu5JVeGYCAk7kFLnXO7Gt8H-r6Zv_I02gLNs31Jcfw54cADNNUx3qIhMZlIakszf0cRWx3_FQ"}
brokerClientAuthenticationPlugin: org.apache.pulsar.client.impl.auth.AuthenticationToken
brokerServiceURL: 'pulsar://pulsar-broker:6650'
brokerWebServiceURL: 'http://pulsar-broker:8080'
clusterName: pulsar
configurationStoreServers: 'pulsar-zookeeper:2181'
forwardAuthorizationCredentials: 'true'
httpNumThreads: '8'
servicePort: '6650'
statusFilePath: /pulsar/status
tokenPublicKey: /pulsar/secret/jwt-public.key
webServicePort: '80'
zookeeperServers: 'pulsar-zookeeper:2181'
7. Modify the pulsar-broker StatefulSet so that the Secret is mounted at /pulsar/secret/jwt-public.key.
volumes:
  - name: pulsar-jwt-public-key
    secret:
      secretName: pulsar-jwt-public-key-secret
      items:
        - key: jwt-public-key
          path: "jwt-public-key"
containers:
  volumeMounts:
    - name: pulsar-jwt-public-key
      mountPath: "/pulsar/secret/jwt-public.key.base64"
      subPath: "jwt-public-key"
      readOnly: true
# In the container args, decode the base64 file (the mounted file holds the base64 text created in step 4)
base64 -d /pulsar/secret/jwt-public.key.base64 > /pulsar/secret/jwt-public.key;
8. Likewise, modify the pulsar-proxy StatefulSet so that the public key stored in its container is the same one.
9. To connect with pulsar-admin from pulsar-toolset, configure conf/cluster.conf.
Configure it with the super-user token:
authPlugin=org.apache.pulsar.client.impl.auth.AuthenticationToken
authParams=token:eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJhZG1pbiJ9.UUlFnlvhcPHMWPNAebzWwt6R71MxKgUIKZEZA3WeJ7d74AY2O5vFit6CcF4QyMyJri8EAzLDidkrkxmRwJ0egzqmEZLYDtKtAwBSKBrucoOzsZ-gTu_escnt_Qtzpa7QGcE2KX7wpW3-2BuolBrnmaipQqoZrq54Zlse2qA9bJgObJmXAMvIAO6tmZEHqtsWCzZV1jfXjiHE8SlESeVQ8TpvoyUzD6R2Bx36LEGRACNYxs_k0E2FO0cSflWB3sCS7mOE8ksqstNLdiN54ECfIk3AlQ0ahkvRk8b4Gweq0Vv2E87NBIFVYpYKyDFiUTlVcRaCr0RQk96J6T2qVsoTfg
10. Connecting from Java
From 3.0.0 onward, the token used for this connection must be different from the proxy-role token.
import org.apache.pulsar.client.api.AuthenticationFactory;
import org.apache.pulsar.client.api.PulsarClient;

// Token authentication against the proxy's NodePort; the token is the admin token created in step 2
PulsarClient pulsarClient = PulsarClient.builder()
        .serviceUrl("pulsar://10.0.0.27:30980")
        .authentication(AuthenticationFactory.token("eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJhZG1pbiJ9.UUlFnlvhcPHMWPNAebzWwt6R71MxKgUIKZEZA3WeJ7d74AY2O5vFit6CcF4QyMyJri8EAzLDidkrkxmRwJ0egzqmEZLYDtKtAwBSKBrucoOzsZ-gTu_escnt_Qtzpa7QGcE2KX7wpW3-2BuolBrnmaipQqoZrq54Zlse2qA9bJgObJmXAMvIAO6tmZEHqtsWCzZV1jfXjiHE8SlESeVQ8TpvoyUzD6R2Bx36LEGRACNYxs_k0E2FO0cSflWB3sCS7mOE8ksqstNLdiN54ECfIk3AlQ0ahkvRk8b4Gweq0Vv2E87NBIFVYpYKyDFiUTlVcRaCr0RQk96J6T2qVsoTfg"))
        .build();
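The following check, added here as an example and not part of the article or of Pulsar, applies the rules from steps 5, 6 and 10 to the two configmaps: the broker must have authentication, authorization and authenticateOriginalAuthData on, the proxy must forward credentials, the proxy's own token must carry a proxyRoles subject, the broker's own token a superUserRoles subject, tokens must be RS256 (to match the RSA tokenPublicKey), tokens without an expiry are flagged, and a client token must not reuse the proxy role. The sample configmaps and tokens are constructed (the signature is a placeholder; verifying it is the broker's and proxy's job), and check_auth_config / constructed_token are hypothetical helper names.

```python
import base64
import json

def decode_jwt_claims(token: str) -> dict:
    """Read alg/sub/exp from a compact JWT. The signature is NOT verified here; broker and proxy do that with tokenPublicKey."""
    def b64url(seg):  # JWT segments drop base64 padding; restore it before decoding
        return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))
    header_b64, payload_b64, _signature = token.split(".")
    header, payload = json.loads(b64url(header_b64)), json.loads(b64url(payload_b64))
    return {"alg": header.get("alg"), "sub": payload.get("sub"), "exp": payload.get("exp")}

def check_auth_config(broker: dict, proxy: dict, client_token: str = "") -> list:
    """Return findings ('error: ...' / 'warn: ...') for the two configmaps; an empty list means they agree."""
    own_token = lambda c: json.loads(c.get("brokerClientAuthenticationParameters", "{}")).get("token", "")
    roles = lambda key: {r.strip() for r in broker.get(key, "").split(",") if r.strip()}
    findings = []
    for key in ("authenticationEnabled", "authorizationEnabled", "authenticateOriginalAuthData"):
        if str(broker.get(key, "")).lower() != "true":
            findings.append(f"error: broker {key} must be 'true'")
    if str(proxy.get("forwardAuthorizationCredentials", "")).lower() != "true":
        findings.append("error: proxy forwardAuthorizationCredentials must be 'true', else the client token never reaches the broker")
    # The broker's own token must carry a super-user role; the proxy's own token must carry one of proxyRoles.
    for name, token, allowed in (("broker", own_token(broker), roles("superUserRoles")),
                                 ("proxy", own_token(proxy), roles("proxyRoles"))):
        claims = decode_jwt_claims(token)
        if claims["alg"] != "RS256":
            findings.append(f"error: {name} token alg {claims['alg']!r}, expected RS256 for an RSA tokenPublicKey")
        if claims["sub"] not in allowed:
            findings.append(f"error: {name} token subject {claims['sub']!r} not in {sorted(allowed)}")
        if claims["exp"] is None:
            findings.append(f"warn: {name} token for {claims['sub']!r} never expires")
    if client_token and decode_jwt_claims(client_token)["sub"] in roles("proxyRoles"):
        findings.append("error: client token reuses a proxyRoles subject; give clients their own role")
    return findings

def constructed_token(claims: dict, alg: str = "RS256") -> str:
    """Constructed demo token with a placeholder signature (not a real signed token)."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o, separators=(",", ":")).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': alg})}.{enc(claims)}.placeholder-signature"

# Constructed sample mirroring the article's configmaps, with the real tokens replaced by constructed ones.
BROKER_CONF = {"authenticationEnabled": "true", "authorizationEnabled": "true", "authenticateOriginalAuthData": "true",
               "superUserRoles": "admin,proxy-role", "proxyRoles": "proxy-role",
               "brokerClientAuthenticationParameters": json.dumps({"token": constructed_token({"sub": "admin"})})}
PROXY_CONF = {"forwardAuthorizationCredentials": "true",
              "brokerClientAuthenticationParameters": json.dumps({"token": constructed_token({"sub": "proxy-role"})})}
```

Run against the article's layout it reports only the two non-expiring tokens; flipping forwardAuthorizationCredentials or swapping the proxy token for the admin one turns those into errors.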
Reference article
Apache Pulsar学习笔记12: 开启基于JWT的身份认证_pulsar的role-CSDN博客