nodece commented on code in PR #15734: URL: https://github.com/apache/pulsar/pull/15734#discussion_r880111289
########## site2/docs/security-basic-auth.md: ########## @@ -0,0 +1,127 @@ +--- +id: security-basic-auth +title: Authentication using HTTP basic +sidebar_label: "Authentication using HTTP basic" +--- + +````mdx-code-block +import Tabs from '@theme/Tabs'; +import TabItem from '@theme/TabItem'; +```` + +[Basic authentication](https://en.wikipedia.org/wiki/Basic_access_authentication) is a simple authentication scheme built into the HTTP protocol, which uses base64-encoded username and password pairs as credentials. + +## Prerequisites + +Install [`htpasswd`](https://httpd.apache.org/docs/2.4/programs/htpasswd.html) in your environment to create a password file for storing username-password pairs. + +* For Ubuntu/Debian, run the following command to install `htpasswd`. + + ``` + apt install apache2-utils + ``` + +* For CentOS/RHEL, run the following command to install `htpasswd`. + + ``` + yum install httpd-tools + ``` + +## Create your authentication file + +:::note +Currently, you can use MD5 (recommended) and CRYPT encryption to authenticate your password. +::: + +Create a password file named `.htpasswd` with a user account `superuser/admin`: +* Use MD5 encryption (recommended): + + ``` + htpasswd -cmb .htpasswd superuser admin + ``` + +* Use CRYPT encryption: + + ``` + htpasswd -cdb .htpasswd superuser admin + ``` + +You can preview the content of your password file by running the following command: + +``` +cat .htpasswd +superuser:$apr1$GBIYZYFZ$MzLcPrvoUky16mLcK6UtX/ +``` + +## Enable basic authentication on brokers + +To configure brokers to authenticate clients, complete the following steps. + +1. Add the following parameters to the `conf/broker.conf` file. If you use a standalone Pulsar, you need to add these parameters to the `conf/standalone.conf` file. + + ``` + # Configuration to enable Basic authentication + authenticationEnabled=true + authenticationProviders=org.apache.pulsar.broker.authentication.AuthenticationProviderBasic + + # Authentication settings of the broker itself. Used when the broker connects to other brokers, either in same or other clusters + brokerClientAuthenticationPlugin=org.apache.pulsar.client.impl.auth.AuthenticationBasic + brokerClientAuthenticationParameters={"userId":"superuser","password":"admin"} + + # If this flag is set then the broker authenticates the original Auth data + # else it just accepts the originalPrincipal and authorizes it (if required). + authenticateOriginalAuthData=true + ``` + +2. Set an environment variable named `pulsar.auth.basic.conf` and the value is `.htpasswd`. Pulsar reads this environment variable to implement HTTP basic authentication. + +## Enable basic authentication on proxies + +To configure proxies to authenticate clients, complete the following steps. + +1. Add the following parameters to the `conf/proxy.conf` file: + + ``` + # For clients connecting to the proxy + authenticationEnabled=true + authenticationProviders=org.apache.pulsar.broker.authentication.AuthenticationProviderBasic + + # For the proxy to connect to brokers + brokerClientAuthenticationPlugin=org.apache.pulsar.client.impl.auth.AuthenticationBasic + brokerClientAuthenticationParameters={"userId":"superuser","password":"admin"} + + # Whether client authorization credentials are forwarded to the broker for re-authorization. + # Authentication must be enabled via authenticationEnabled=true for this to take effect. + forwardAuthorizationCredentials=true + ``` + +2. Set an environment variable named `pulsar.auth.basic.conf` and the value is `.htpasswd`. Pulsar reads this environment variable to implement HTTP basic authentication. + +## Configure basic authentication through CLI tools Review Comment: through -> in? -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: commits-unsubscr...@pulsar.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org
