Anonymitaet commented on a change in pull request #4771: Improve kerberos
documents
URL: https://github.com/apache/pulsar/pull/4771#discussion_r308229040
##########
File path: site2/website/versioned_docs/version-2.4.0/security-kerberos.md
##########
@@ -97,37 +101,56 @@ In the `pulsar_jaas.conf` file above
and the location of the keytab where the principal is stored. It allows
the broker to use the keytab specified in this section.
2. `PulsarClient` is a section name in the JASS file used by each client. This
section tells the client which principal to use inside Kerberos
and the location of the keytab where the principal is stored. It allows
the client to use the keytab specified in this section.
+ In the following example, this `PulsarClient` section will also be reused
in both the Pulsar internal admin configuration and in cli command of
`bin/pulsar-client`, `bin/pulsar-perf` and `bin/pulsar-admin`. You can also add
different section for different use case.
+
+You can have 2 separate JAAS configuration files:
+* the file for broker will have sections of both `PulsarBroker` and
`PulsarClient`;
+* the file for client only have `PulsarClient` section.
-It is also a choice to have 2 separate JAAS configuration files: the file for
broker will only have `PulsarBroker` section; while the one for client only
have `PulsarClient` section.
### Kerberos configuration for Brokers
-1. In the `broker.conf` file, set Kerberos related configuration.
+#### Configure `broker.conf` file
+
+ In the `broker.conf` file, set Kerberos related configurations.
- Set `authenticationEnabled` to `true`;
- Set `authenticationProviders` to choose `AuthenticationProviderSasl`;
- - Set `saslJaasClientAllowedIds` regex for principal that is allowed to
connect to broker.
- - Set `saslJaasBrokerSectionName` that corresponding to the section in JAAS
configuration file for broker.
+ - Set `saslJaasClientAllowedIds` regex for principal that is allowed to
connect to broker;
+ - Set `saslJaasBrokerSectionName` that corresponding to the section in JAAS
configuration file for broker;
+ To make Pulsar internal admin client work properly, you need to set the
configuration in the `broker.conf` file as below:
+ - Set `brokerClientAuthenticationPlugin` to client plugin
`AuthenticationSasl`;
+ - Set `brokerClientAuthenticationParameters` to value in Json string
`{"saslJaasClientSectionName":"PulsarClient", "serverType":"broker"}`, in which
`PulsarClient` is the section name in above `pulsar_jaas.conf` file, and
`"serverType":"broker"` indicate that internal admin client will connect to a
Pulsar Broker;
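Review bot: The `saslJaasClientAllowedIds` bullet under "Configure `broker.conf` file" says only "regex for principal that is allowed to connect to broker" and does not say what string the regex is compared against or show a sample value, so the reader has to guess at the one setting in this list that decides who may connect. Suggest adding a short example value and a sentence on whether the pattern must match the whole principal name. Smaller wording points in the same hunk: the unchanged context line still reads "JASS file" (should be "JAAS"), "the file for client only have `PulsarClient` section" should read "only has the `PulsarClient` section", "that corresponding to" should be "that corresponds to", and "indicate that" should be "indicates that". It would also help to say next to the new "sections of both `PulsarBroker` and `PulsarClient`" bullet that the broker file needs `PulsarClient` because the internal admin client uses it, which the `brokerClientAuthenticationParameters` bullet only explains further down.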
Review comment:
```suggestion
- Set `brokerClientAuthenticationParameters` to value in JSON string
`{"saslJaasClientSectionName":"PulsarClient", "serverType":"broker"}`, in which
`PulsarClient` is the section name in above `pulsar_jaas.conf` file, and
`"serverType":"broker"` indicate that internal admin client will connect to a
Pulsar Broker;
```
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
[email protected]
With regards,
Apache Git Services