Anonymitaet commented on a change in pull request #4771: Improve kerberos documents
URL: https://github.com/apache/pulsar/pull/4771#discussion_r306107937
 
 

 ##########
 File path: site2/docs/security-kerberos.md
 ##########
 @@ -96,36 +102,54 @@ In the `pulsar_jaas.conf` file above
     and the location of the keytab where the principal is stored. It allows 
the broker to use the keytab specified in this section.
 2. `PulsarClient` is a section name in the JASS file used by each client. This 
section tells the client which principal to use inside Kerberos
     and the location of the keytab where the principal is stored. It allows 
the client to use the keytab specified in this section.
+    In the following example, this `PulsarClient` section will also be used in 
the Pulsar internal admin configuration, 
+    in cli command of `bin/pulsar-client`, `bin/pulsar-perf` and 
`bin/pulsar-admin`. You can also add different section for different use case.
 
-It is also a choice to have 2 separate JAAS configuration files: the file for 
broker will only have `PulsarBroker` section; while the one for client only 
have `PulsarClient` section.
+It is also a choice to have 2 separate JAAS configuration files: the file for 
broker will have both section; while the one for client only have 
`PulsarClient` section.
 
-### Kerberos configuration for Brokers
 
-1. In the `broker.conf` file, set Kerberos related configuration.
+### 1.2. Kerberos configuration for Brokers
+
+#### 1.2.1. configure `broker.conf` file
+ 
+ In the `broker.conf` file, set Kerberos related configuration.
 
  - Set `authenticationEnabled` to `true`;
  - Set `authenticationProviders` to choose `AuthenticationProviderSasl`;
- - Set `saslJaasClientAllowedIds` regex for principal that is allowed to 
connect to broker. 
- - Set `saslJaasBrokerSectionName` that corresponding to the section in JAAS 
configuration file for broker.
+ - Set `saslJaasClientAllowedIds` regex for principal that is allowed to 
connect to broker;
+ - Set `saslJaasBrokerSectionName` that corresponding to the section in JAAS 
configuration file for broker;
  
+ In order to get Pulsar internal admin client working right, You need these 2 
configuration in `broker.conf` file. 
+ - set `brokerClientAuthenticationPlugin` to client plugin 
`AuthenticationSasl`;
+ - set `brokerClientAuthenticationParameters` to value in Json string 
`{"saslJaasClientSectionName":"PulsarClient", "serverType":"broker"}`, in which 
`PulsarClient` is the section name in above `pulsar_jaas.conf` file, and 
`"serverType":"broker"` indicate that internal admin client will connect to a 
Pulsar Broker;
 
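Review bot: The two added `brokerClientAuthentication*` bullets make the broker's internal admin client authenticate with the `PulsarClient` section, but the `saslJaasClientAllowedIds` bullet above them still only says "regex for principal that is allowed to connect to broker". It would help to state whether the principal in the `PulsarClient` section has to match that regex, and to show a sample value, since readers tend to copy the pattern and a loose one admits more principals than intended. In the JAAS paragraph, "the file for broker will have both section" should read "both sections" and say why the broker file now needs `PulsarClient` (the internal admin client). Smaller points: "You need" should be lowercase mid-sentence, the new bullets start with "set" while the existing ones use "Set", and the heading "configure `broker.conf` file" is not capitalized like the "Kerberos configuration for Brokers" heading above it.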
 Review comment:
   ```suggestion
    - Set `brokerClientAuthenticationParameters` to a value in a JSON string 
`{"saslJaasClientSectionName":"PulsarClient", "serverType":"broker"}`, where 
`PulsarClient` is the section name in the `pulsar_jaas.conf` file, and 
`"serverType":"broker"` indicates the internal admin client will connect to a 
Pulsar Broker;
   ```

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 


With regards,
Apache Git Services
