Jennifer88huang commented on a change in pull request #5069: [doc] Improve
Pulsar Security Kerberos
URL: https://github.com/apache/pulsar/pull/5069#discussion_r319384353
##########
File path: site2/docs/security-kerberos.md
##########
@@ -187,46 +183,46 @@ The following is an example of creating a Java client:
.build();
```
-> The first two lines in the example above are hard coded, alternatively, you
can set additional JVM parameters for JAAS and krb5 configuration file when
running the application like below:
+> The first two lines in the example above are hard coded, alternatively, you
can set additional JVM parameters for JAAS and krb5 configuration file when you
are running the application like below:
```
java -cp -Djava.security.auth.login.config=/etc/pulsar/pulsar_jaas.conf
-Djava.security.krb5.conf=/etc/pulsar/krb5.conf $APP-jar-with-dependencies.jar
$CLASSNAME
```
-Make sure that the keytabs configured in the `pulsar_jaas.conf` file and kdc
server in the `krb5.conf` file are reachable by the operating system user who
is starting pulsar client.
+You must ensure that the operating system user who is starting pulsar client
can reach the keytabs configured in the `pulsar_jaas.conf` file and kdc server
in the `krb5.conf` file.
#### Configure CLI tools
If you are using a command-line tool (such as `bin/pulsar-client`,
`bin/pulsar-perf` and `bin/pulsar-admin`), you need to preform the following
steps:
-Step 1. Config your `client.conf`.
+Step 1. Enter the command below to config your `client.conf`.
```shell
authPlugin=org.apache.pulsar.client.impl.auth.AuthenticationSasl
authParams={"saslJaasClientSectionName":"PulsarClient", "serverType":"broker"}
```
-Step 2. Set JVM parameters for JAAS configuration file and krb5 configuration
file with additional options.
+Step 2. Enter the command below to set JVM parameters for JAAS configuration
file and krb5 configuration file with additional options.
```shell
-Djava.security.auth.login.config=/etc/pulsar/pulsar_jaas.conf
-Djava.security.krb5.conf=/etc/pulsar/krb5.conf
```
You can add this at the end of `PULSAR_EXTRA_OPTS` in the file
[`pulsar_tools_env.sh`](https://github.com/apache/pulsar/blob/master/conf/pulsar_tools_env.sh),
or add this line `OPTS="$OPTS
-Djava.security.auth.login.config=/etc/pulsar/pulsar_jaas.conf
-Djava.security.krb5.conf=/etc/pulsar/krb5.conf "` directly to the CLI tool
script.
-The meaning of configurations is the same as that in Java client section.
+The meaning of configurations is the same as the meaning of configurations in
Java client section.
## Kerberos configuration for working with Pulsar Proxy
With the above configuration, client and broker can do authentication using
Kerberos.
-If a client wants to connect to Pulsar Proxy, it is a little different. Client
(as a SASL client in Kerberos) will be authenticated by Pulsar Proxy (as a SASL
Server in Kerberos) first; and then Pulsar Proxy will be authenticated by
Pulsar broker.
+A client that connects to Pulsar Proxy is a little different. Pulsar Proxy (as
a SASL Server in Kerberos) authenticates Client (as a SASL client in Kerberos)
first; and then Pulsar broker authenticates Pulsar Proxy.
-Now comparing with the above configuration between client and broker, we will
show how to configure Pulsar Proxy.
+Now in comparision with the above configuration between client and broker, we
show you how to configure Pulsar Proxy as follows.
### Create principal for Pulsar Proxy in Kerberos
-Comparing with the above configuration, you need to add new principal for
Pulsar Proxy. If you already have principals for client and broker, only add
proxy principal here.
+In comparision with the above configuration, you need to add new principals
for Pulsar Proxy. If you already have principals for client and broker, only
add the proxy principal here.
Review comment:
re-write this sentence.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
With regards,
Apache Git Services
