From 4c7188df68e09d5de5fa3d8762a1d8f5fd4e60e3 Mon Sep 17 00:00:00 2001 From: Zixuan Liu Date: Fri, 5 Aug 2022 12:25:31 +0800 Subject: [PATCH] [improve][doc] Add more configuration methods for basic authentication Signed-off-by: Zixuan Liu --- site2/docs/security-basic-auth.md | 76 +++++++++++++++++++------------ 1 file changed, 46 insertions(+), 30 deletions(-) diff --git a/site2/docs/security-basic-auth.md b/site2/docs/security-basic-auth.md index 2585526bb478af..07b5ce1469b979 100644 --- a/site2/docs/security-basic-auth.md +++ b/site2/docs/security-basic-auth.md @@ -55,47 +55,63 @@ superuser:$apr1$GBIYZYFZ$MzLcPrvoUky16mLcK6UtX/ ## Enable basic authentication on brokers -To configure brokers to authenticate clients, complete the following steps. +To configure brokers to authenticate clients, add the following parameters to the `conf/broker.conf` file. If you use a standalone Pulsar, you need to add these parameters to the `conf/standalone.conf` file: -1. Add the following parameters to the `conf/broker.conf` file. If you use a standalone Pulsar, you need to add these parameters to the `conf/standalone.conf` file. - - ``` - # Configuration to enable Basic authentication - authenticationEnabled=true - authenticationProviders=org.apache.pulsar.broker.authentication.AuthenticationProviderBasic +``` +# Configuration to enable Basic authentication +authenticationEnabled=true +authenticationProviders=org.apache.pulsar.broker.authentication.AuthenticationProviderBasic + +basicAuthConf=file:///path/to/.htpasswd +# basicAuthConf=/path/to/.htpasswd +# When use the base64 format, you need to encode the .htpaswd content to bas64 +# basicAuthConf=data:;base64,YOUR-BASE64 +# basicAuthConf=YOUR-BASE64 + +# Authentication settings of the broker itself. Used when the broker connects to other brokers, either in same or other clusters +brokerClientAuthenticationPlugin=org.apache.pulsar.client.impl.auth.AuthenticationBasic +brokerClientAuthenticationParameters={"userId":"superuser","password":"admin"} + +# If this flag is set then the broker authenticates the original Auth data +# else it just accepts the originalPrincipal and authorizes it (if required). +authenticateOriginalAuthData=true +``` - # Authentication settings of the broker itself. Used when the broker connects to other brokers, either in same or other clusters - brokerClientAuthenticationPlugin=org.apache.pulsar.client.impl.auth.AuthenticationBasic - brokerClientAuthenticationParameters={"userId":"superuser","password":"admin"} +:::note - # If this flag is set then the broker authenticates the original Auth data - # else it just accepts the originalPrincipal and authorizes it (if required). - authenticateOriginalAuthData=true - ``` +You can also set an environment variable named `PULSAR_EXTRA_OPTS` and the value is `-Dpulsar.auth.basic.conf=/path/to/.htpasswd`. Pulsar reads this environment variable to implement HTTP basic authentication. -2. Set an environment variable named `PULSAR_EXTRA_OPTS` and the value is `-Dpulsar.auth.basic.conf=/path/to/.htpasswd`. Pulsar reads this environment variable to implement HTTP basic authentication. +::: ## Enable basic authentication on proxies -To configure proxies to authenticate clients, complete the following steps. +To configure proxies to authenticate clients, add the following parameters to the `conf/proxy.conf` file: -1. Add the following parameters to the `conf/proxy.conf` file: - - ``` - # For clients connecting to the proxy - authenticationEnabled=true - authenticationProviders=org.apache.pulsar.broker.authentication.AuthenticationProviderBasic +``` +# For clients connecting to the proxy +authenticationEnabled=true +authenticationProviders=org.apache.pulsar.broker.authentication.AuthenticationProviderBasic + +basicAuthConf=file:///path/to/.htpasswd +# basicAuthConf=/path/to/.htpasswd +# When use the base64 format, you need to encode the .htpaswd content to bas64 +# basicAuthConf=data:;base64,YOUR-BASE64 +# basicAuthConf=YOUR-BASE64 + +# For the proxy to connect to brokers +brokerClientAuthenticationPlugin=org.apache.pulsar.client.impl.auth.AuthenticationBasic +brokerClientAuthenticationParameters={"userId":"superuser","password":"admin"} + +# Whether client authorization credentials are forwarded to the broker for re-authorization. +# Authentication must be enabled via authenticationEnabled=true for this to take effect. +forwardAuthorizationCredentials=true +``` - # For the proxy to connect to brokers - brokerClientAuthenticationPlugin=org.apache.pulsar.client.impl.auth.AuthenticationBasic - brokerClientAuthenticationParameters={"userId":"superuser","password":"admin"} +:::note - # Whether client authorization credentials are forwarded to the broker for re-authorization. - # Authentication must be enabled via authenticationEnabled=true for this to take effect. - forwardAuthorizationCredentials=true - ``` +You can also set an environment variable named `PULSAR_EXTRA_OPTS` and the value is `-Dpulsar.auth.basic.conf=/path/to/.htpasswd`. Pulsar reads this environment variable to implement HTTP basic authentication. -2. Set an environment variable named `PULSAR_EXTRA_OPTS` and the value is `-Dpulsar.auth.basic.conf=/path/to/.htpasswd`. Pulsar reads this environment variable to implement HTTP basic authentication. +::: ## Configure basic authentication in CLI tools