momo-jun commented on code in PR #18343: URL: https://github.com/apache/pulsar/pull/18343#discussion_r1022758893
########## site2/docs/security-athenz.md: ########## 
@@ -36,42 +36,17 @@ Note that you can specify any action and resource in step 2 since they are not u For more specific steps involving the Athenz UI, refer to [Example Service Access Control Setup](https://github.com/AthenZ/athenz/blob/master/docs/example_service_athenz_setup.md#server-provider-domain). -## Enable Athenz authentication on brokers +## Enable Athenz authentication on brokers/proxies -:::note - -When you are using Athenz as an authentication provider, it's highly recommended to use [TLS encryption](security-tls-transport.md) as it can protect role tokens from being intercepted and reused. For more details involving TLS encryption, see [Architecture - Data Model](https://github.com/AthenZ/athenz/blob/master/docs/data_model). - -::: - -In the `conf/broker.conf` configuration file in your Pulsar installation, you need to provide the class name of the Athenz authentication provider as well as a comma-separated list of provider domain names. - -```properties -# Add the Athenz auth provider -authenticationEnabled=true -authorizationEnabled=true -authenticationProviders=org.apache.pulsar.broker.authentication.AuthenticationProviderAthenz -athenzDomainNames=pulsar - -# Authentication settings of the broker itself. Used when the broker connects to other brokers, either in same or other clusters -brokerClientAuthenticationPlugin=org.apache.pulsar.client.impl.auth.AuthenticationAthenz -brokerClientAuthenticationParameters={"tenantDomain":"shopping","tenantService":"some_app","providerDomain":"pulsar","privateKey":"file:///path/to/private.pem","keyId":"v1"} -``` - -> A full listing of parameters is available in the `conf/broker.conf` file, you can also find the default -> values for those parameters in [Broker Configuration](reference-configuration.md#broker). - -## Enable Athenz authentication on proxies - -Configure the required parameters in the `conf/proxy.conf` file in your Pulsar installation. 
+To configure brokers/proxies to authenticate clients using Authenz, add the following parameters to the `conf/broker.conf` and the `conf/proxy.conf` file. If you use a standalone Pulsar, you need to add these parameters to the `conf/standalone.conf` file, you need to provide the class name of the Athenz authentication provider as well as a comma-separated list of provider domain names. If you use a standalone Pulsar, you need to add these parameters to the `conf/standalone.conf` file.

Review Comment:
```suggestion
To configure brokers/proxies to authenticate clients using Authenz, add the following parameters to the `conf/broker.conf` and the `conf/proxy.conf` files and provide the class name of the Athenz authentication provider as well as a comma-separated list of provider domain names. If you use a standalone Pulsar, you need to add these parameters to the `conf/standalone.conf` file.
```
There is a duplicate sentence in the original text.
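Review bot: The `:::note` block removed from under the old "Enable Athenz authentication on brokers" heading is the only text in the lines shown that recommends TLS encryption to keep role tokens from being intercepted and reused, and nothing in the added lines replaces it. Please carry that note over under the new "Enable Athenz authentication on brokers/proxies" heading, or confirm it is kept further down in the merged section. Separately, the added paragraph spells the provider "Authenz" where the rest of the file uses "Athenz", and "the `conf/broker.conf` and the `conf/proxy.conf` file" should read "files".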
