This is an automated email from the ASF dual-hosted git repository.
urfree pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/pulsar-site.git
The following commit(s) were added to refs/heads/main by this push:
new 7f0757db367 Docs sync done from apache/pulsar(#9da5980)
7f0757db367 is described below
commit 7f0757db367b51717769d25c530719d547f792db
Author: Pulsar Site Updater <[email protected]>
AuthorDate: Wed Nov 16 06:01:42 2022 +0000
Docs sync done from apache/pulsar(#9da5980)
---
site2/website-next/docs/about.md | 4 +-
site2/website-next/docs/developers-landing.md | 10 +--
site2/website-next/docs/how-to-landing.md | 17 +++++
.../docs/install-deploy-upgrade-landing.md | 23 ++++++
site2/website-next/docs/reference-cli-tools.md | 2 +-
site2/website-next/docs/security-athenz.md | 38 +---------
site2/website-next/docs/security-basic-auth.md | 40 +---------
site2/website-next/docs/security-jwt.md | 42 +----------
site2/website-next/docs/security-kerberos.md | 2 +-
site2/website-next/docs/security-oauth2.md | 19 +++--
site2/website-next/docs/security-overview.md | 18 +++--
.../docs/security-tls-authentication.md | 87 ++++------------------
site2/website-next/docs/tutorials-namespace.md | 44 +++++++++++
.../website-next/docs/tutorials-produce-consume.md | 77 +++++++++++++++++++
site2/website-next/docs/tutorials-tenant.md | 54 ++++++++++++++
site2/website-next/docs/tutorials-topic.md | 39 ++++++++++
site2/website-next/sidebars.json | 4 +
17 files changed, 314 insertions(+), 206 deletions(-)
diff --git a/site2/website-next/docs/about.md b/site2/website-next/docs/about.md
index 6a1dd538372..25b093fdc0f 100644
--- a/site2/website-next/docs/about.md
+++ b/site2/website-next/docs/about.md
@@ -27,9 +27,9 @@ Select one of the content blocks below to begin your Pulsar
journey. If you ...
<BlockLinks>
<BlockLink title="About Pulsar" url="/docs/next/concepts-overview/" />
<BlockLink title="Get Started" url="/docs/next/getting-started-home/" />
- <BlockLink title="Install, Deploy, Upgrade" url="/docs/next/deploy-aws/" />
+ <BlockLink title="Install, Deploy, Upgrade"
url="/docs/next/install-deploy-upgrade-landing/" />
<BlockLink title="Pulsar for Developers"
url="/docs/next/developers-landing/" />
- <BlockLink title="How To" url="/docs/next/functions-develop/" />
+ <BlockLink title="How To" url="/docs/next/how-to-landing/" />
<BlockLink title="Reference" url="/docs/next/reference-terminology/" />
</BlockLinks>
diff --git a/site2/website-next/docs/developers-landing.md
b/site2/website-next/docs/developers-landing.md
index df03e4fe318..f5c8ccee181 100644
--- a/site2/website-next/docs/developers-landing.md
+++ b/site2/website-next/docs/developers-landing.md
@@ -1,12 +1,12 @@
---
id: developers-landing
title: Pulsar for Developers
-sidebar_label: "get started"
+sidebar_label: "Pulsar for Developers"
---
Developing applications for Pulsar can be a fun and rewarding experience. With
Pulsar, you can quickly create, deploy, and manage your services using a
powerful CLI tool and a comprehensive set of libraries. The topics below will
get you started!
-- [Simulation tools](develop-tools.md)
-- [Developing binary protocol](developing-binary-protocol.md)
-- [Modular load manager](develop-load-manager.md)
-- [Pulsar plugin development](develop-plugin.md)
+- [Develop simulation tools](develop-tools.md)
+- [Develop binary protocol](developing-binary-protocol.md)
+- [Develop load manager](develop-load-manager.md)
+- [Develop Pulsar plugin](develop-plugin.md)
diff --git a/site2/website-next/docs/how-to-landing.md
b/site2/website-next/docs/how-to-landing.md
new file mode 100644
index 00000000000..90c47b64b6b
--- /dev/null
+++ b/site2/website-next/docs/how-to-landing.md
@@ -0,0 +1,17 @@
+---
+Id: how-to-landing
+title: How-to
+sidebar_label: “”
+---
+
+
+Learning new software can be an overwhelming task, but relax – most aspects of
Pulsar can be easily configured in just a few steps. These tutorials will show
you how to quickly create topics, tenants, and namespaces, produce and consume
messages, and more!
+
+- [How to create a topic](tutorials-topic.md)
+- [How to create a tenant](tutorials-tenant.md)
+- [How to create a namespace](tutorials-namespace.md)
+- [How to produce and consume messages](tutorials-produce-consume.md)
+
+
+
+
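Review bot: The front matter of the new how-to-landing.md uses `Id:` with a capital I and an empty `sidebar_label: “”` written with typographic quotes, while the developers-landing.md front matter touched earlier in this commit uses lowercase `id:` and straight quotes. YAML keys are case-sensitive, so change the key to `id: how-to-landing`, give the label a straight-quoted value or drop the line, and trim the four blank `+` lines at the end of the file.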
diff --git a/site2/website-next/docs/install-deploy-upgrade-landing.md
b/site2/website-next/docs/install-deploy-upgrade-landing.md
new file mode 100644
index 00000000000..5751dca2eb5
--- /dev/null
+++ b/site2/website-next/docs/install-deploy-upgrade-landing.md
@@ -0,0 +1,23 @@
+---
+Id: install-deploy-upgrade-landing
+title: Install, Deploy and Upgrade Pulsar
+sidebar_label: “Tutorials”
+---
+
+
+Any developer can install, deploy, and upgrade Apache Pulsar in a few simple
steps and start building scalable, real-time applications quickly. The
resources below will kickstart your deployment!
+
+- [Set up a standalone Pulsar locally](getting-started-standalone.md)
+
+- [Deploy a Pulsar cluster on AWS using Terraform and Ansible](deploy-aws.md)
+
+- [Deploy a Pulsar cluster using Helm](helm-deploy.md)
+
+- [Upgrade Pulsar Helm release](helm-upgrade.md)
+
+
+
+
+
+
+
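Review bot: `sidebar_label: “Tutorials”` in the front matter does not match the page title `Install, Deploy and Upgrade Pulsar`, and it is written with typographic quotes under a capitalized `Id:` key. Suggest `id: install-deploy-upgrade-landing` with a straight-quoted label that names this page, and remove the seven blank lines after the last list item.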
diff --git a/site2/website-next/docs/reference-cli-tools.md
b/site2/website-next/docs/reference-cli-tools.md
index 7d28866076e..3c592b19563 100644
--- a/site2/website-next/docs/reference-cli-tools.md
+++ b/site2/website-next/docs/reference-cli-tools.md
@@ -14,7 +14,7 @@ Pulsar offers several command-line tools that you can use for
managing Pulsar in
* `pulsar-shell`
* `bookkeeper`
-::: tip
+:::tip
For the latest and complete information about command-line tools, including
commands, flags, descriptions, and more information, see [Pulsar
Reference](https://pulsar.apache.org/reference).
diff --git a/site2/website-next/docs/security-athenz.md
b/site2/website-next/docs/security-athenz.md
index 3bccffd70b7..5d10173dd09 100644
--- a/site2/website-next/docs/security-athenz.md
+++ b/site2/website-next/docs/security-athenz.md
@@ -36,42 +36,17 @@ Note that you can specify any action and resource in step 2
since they are not u
For more specific steps involving the Athenz UI, refer to [Example Service
Access Control
Setup](https://github.com/AthenZ/athenz/blob/master/docs/example_service_athenz_setup.md#server-provider-domain).
-## Enable Athenz authentication on brokers
+## Enable Athenz authentication on brokers/proxies
-:::note
-
-When you are using Athenz as an authentication provider, it's highly
recommended to use [TLS encryption](security-tls-transport.md) as it can
protect role tokens from being intercepted and reused. For more details
involving TLS encryption, see [Architecture - Data
Model](https://github.com/AthenZ/athenz/blob/master/docs/data_model).
-
-:::
-
-In the `conf/broker.conf` configuration file in your Pulsar installation, you
need to provide the class name of the Athenz authentication provider as well as
a comma-separated list of provider domain names.
-
-```properties
-# Add the Athenz auth provider
-authenticationEnabled=true
-authorizationEnabled=true
-authenticationProviders=org.apache.pulsar.broker.authentication.AuthenticationProviderAthenz
-athenzDomainNames=pulsar
-
-# Authentication settings of the broker itself. Used when the broker connects
to other brokers, either in same or other clusters
-brokerClientAuthenticationPlugin=org.apache.pulsar.client.impl.auth.AuthenticationAthenz
-brokerClientAuthenticationParameters={"tenantDomain":"shopping","tenantService":"some_app","providerDomain":"pulsar","privateKey":"file:///path/to/private.pem","keyId":"v1"}
-```
-
-> A full listing of parameters is available in the `conf/broker.conf` file,
you can also find the default
-> values for those parameters in [Broker
Configuration](reference-configuration.md#broker).
-
-## Enable Athenz authentication on proxies
-
-Configure the required parameters in the `conf/proxy.conf` file in your Pulsar
installation.
+To configure brokers/proxies to authenticate clients using Authenz, add the
following parameters to the `conf/broker.conf` and the `conf/proxy.conf` files
and provide the class name of the Athenz authentication provider as well as a
comma-separated list of provider domain names. If you use a standalone Pulsar,
you need to add these parameters to the `conf/standalone.conf` file.
```properties
# Add the Athenz auth provider
authenticationEnabled=true
-authorizationEnabled=true
authenticationProviders=org.apache.pulsar.broker.authentication.AuthenticationProviderAthenz
athenzDomainNames=pulsar
+# Authentication settings of the broker itself. Used when the broker connects
to other brokers, or when the proxy connects to brokers, either in same or
other clusters
brokerClientAuthenticationPlugin=org.apache.pulsar.client.impl.auth.AuthenticationAthenz
brokerClientAuthenticationParameters={"tenantDomain":"shopping","tenantService":"some_app","providerDomain":"pulsar","privateKey":"file:///path/to/private.pem","keyId":"v1"}
```
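Review bot: The removed `:::note` recommending TLS encryption so that role tokens cannot be intercepted and reused has no replacement in the merged "brokers/proxies" section, so that guidance disappears from the page. Keep a short form of it above the properties block. In the added paragraph, `Authenz` should read `Athenz`, and `authorizationEnabled=true` is dropped from the sample without the text saying where authorization is configured now.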
@@ -205,14 +180,9 @@ You need to add the following authentication parameters to
the `conf/client.conf
```properties
# URL for the broker
-serviceUrl=https://broker.example.com:8443/
+serviceUrl=http://broker.example.com:8080
# Set Athenz auth plugin and its parameters
authPlugin=org.apache.pulsar.client.impl.auth.AuthenticationAthenz
authParams={"tenantDomain":"shopping","tenantService":"some_app","providerDomain":"pulsar","privateKey":"file:///path/to/private.pem","keyId":"v1"}
-
-# Enable TLS
-useTls=true
-tlsAllowInsecureConnection=false
-tlsTrustCertsFilePath=/path/to/cacert.pem
```
\ No newline at end of file
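Review bot: The client sample now sets `serviceUrl=http://broker.example.com:8080` and deletes `useTls=true`, `tlsAllowInsecureConnection=false` and `tlsTrustCertsFilePath`, so a reader who copies it presents the Athenz credentials from `authParams` over an unencrypted connection. Either keep the `https://` URL with the three TLS lines, or add a sentence pointing to security-tls-transport.md and stating that the plain-HTTP URL is for local testing only.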
diff --git a/site2/website-next/docs/security-basic-auth.md
b/site2/website-next/docs/security-basic-auth.md
index 608a1281bef..b6aad41114f 100644
--- a/site2/website-next/docs/security-basic-auth.md
+++ b/site2/website-next/docs/security-basic-auth.md
@@ -55,9 +55,9 @@ cat path/to/.htpasswd
superuser:$apr1$GBIYZYFZ$MzLcPrvoUky16mLcK6UtX/
```
-## Enable basic authentication on brokers
+## Enable basic authentication on brokers/proxies
-To configure brokers to authenticate clients, add the following parameters to
the `conf/broker.conf` file. If you use a standalone Pulsar, you need to add
these parameters to the `conf/standalone.conf` file:
+To configure brokers/proxies to authenticate clients using basic, add the
following parameters to the `conf/broker.conf` and the `conf/proxy.conf` file.
If you use a standalone Pulsar, you need to add these parameters to the
`conf/standalone.conf` file:
```conf
# Configuration to enable Basic authentication
@@ -70,43 +70,9 @@ basicAuthConf=file:///path/to/.htpasswd
# basicAuthConf=data:;base64,YOUR-BASE64
# basicAuthConf=YOUR-BASE64
-# Authentication settings of the broker itself. Used when the broker connects
to other brokers, either in same or other clusters
+# Authentication settings of the broker itself. Used when the broker connects
to other brokers, or when the proxy connects to brokers, either in same or
other clusters
brokerClientAuthenticationPlugin=org.apache.pulsar.client.impl.auth.AuthenticationBasic
brokerClientAuthenticationParameters={"userId":"superuser","password":"admin"}
-
-# If this flag is set then the broker authenticates the original Auth data
-# else it just accepts the originalPrincipal and authorizes it (if required).
-authenticateOriginalAuthData=true
-```
-
-:::note
-
-You can also set an environment variable named `PULSAR_EXTRA_OPTS` and the
value is `-Dpulsar.auth.basic.conf=/path/to/.htpasswd`. Pulsar reads this
environment variable to implement HTTP basic authentication.
-
-:::
-
-## Enable basic authentication on proxies
-
-To configure proxies to authenticate clients, add the following parameters to
the `conf/proxy.conf` file:
-
-```conf
-# For clients connecting to the proxy
-authenticationEnabled=true
-authenticationProviders=org.apache.pulsar.broker.authentication.AuthenticationProviderBasic
-
-basicAuthConf=file:///path/to/.htpasswd
-# basicAuthConf=/path/to/.htpasswd
-# When use the base64 format, you need to encode the .htpaswd content to bas64
-# basicAuthConf=data:;base64,YOUR-BASE64
-# basicAuthConf=YOUR-BASE64
-
-# For the proxy to connect to brokers
-brokerClientAuthenticationPlugin=org.apache.pulsar.client.impl.auth.AuthenticationBasic
-brokerClientAuthenticationParameters={"userId":"superuser","password":"admin"}
-
-# Whether client authorization credentials are forwarded to the broker for
re-authorization.
-# Authentication must be enabled via authenticationEnabled=true for this to
take effect.
-forwardAuthorizationCredentials=true
```
:::note
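Review bot: Merging the broker and proxy sections drops both `authenticateOriginalAuthData=true` (broker) and `forwardAuthorizationCredentials=true` (proxy), and the deleted comment was what explained that without the former the broker just accepts the `originalPrincipal`. Link to the proxy section of security-overview.md, which this commit updates with both settings, or keep the two lines with a comment saying which file each belongs in. The `PULSAR_EXTRA_OPTS` note is also removed without a replacement; say whether `-Dpulsar.auth.basic.conf` is still supported.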
diff --git a/site2/website-next/docs/security-jwt.md
b/site2/website-next/docs/security-jwt.md
index 88d0ac408d9..2ca2737db8d 100644
--- a/site2/website-next/docs/security-jwt.md
+++ b/site2/website-next/docs/security-jwt.md
@@ -91,27 +91,22 @@ The token itself does not have any permission associated.
You need to [enable au
:::
-## Enable JWT authentication on brokers
+## Enable JWT authentication on brokers/proxies
-To configure brokers to authenticate clients using JWT, add the following
parameters to the `conf/broker.conf` or `conf/standalone.conf` file.
+To configure brokers/proxies to authenticate clients using JWT, add the
following parameters to the `conf/broker.conf` and the `conf/proxy.conf` file.
If you use a standalone Pulsar, you need to add these parameters to the
`conf/standalone.conf` file:
```properties
# Configuration to enable authentication
authenticationEnabled=true
authenticationProviders=org.apache.pulsar.broker.authentication.AuthenticationProviderToken
-# Authentication settings of the broker itself. Used when the broker connects
to other brokers, either in same or other clusters
+# Authentication settings of the broker itself. Used when the broker connects
to other brokers, or when the proxy connects to brokers, either in same or
other clusters
brokerClientAuthenticationPlugin=org.apache.pulsar.client.impl.auth.AuthenticationToken
brokerClientAuthenticationParameters={"token":"eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ0ZXN0LXVzZXIifQ.9OHgE9ZUDeBTZs7nSMEFIuGNEX18FLR3qvy8mqxSxXw"}
# Either configure the token string or specify to read it from a file. The
following three available formats are all valid:
# brokerClientAuthenticationParameters={"token":"your-token-string"}
# brokerClientAuthenticationParameters=token:your-token-string
# brokerClientAuthenticationParameters=file:///path/to/token
-brokerClientTrustCertsFilePath=/path/my-ca/certs/ca.cert.pem
-
-# If this flag is set then the broker authenticates the original Auth data
-# else it just accepts the originalPrincipal and authorizes it (if required).
-authenticateOriginalAuthData=true
# If using secret key (Note: key files must be DER-encoded)
tokenSecretKey=file:///path/to/secret.key
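Review bot: `brokerClientTrustCertsFilePath` and `authenticateOriginalAuthData=true` are deleted from the end of the `brokerClient*` group, and the new intro does not say where a reader should set them now that one block serves both `conf/broker.conf` and `conf/proxy.conf`. Add a pointer to the page that covers them, or keep them with a comment naming the file each applies to. The intro sentence also ends with "the `conf/proxy.conf` file" where two files are listed.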
@@ -122,37 +117,6 @@ tokenSecretKey=file:///path/to/secret.key
# tokenPublicKey=file:///path/to/public.key
```
-:::note
-
-Equivalent to `brokerClientAuthenticationParameters`, you need to configure
`authParams` in the `conf/client.conf` file.
-
-:::
-
-## Enable JWT authentication on proxies
-
-To configure proxies to authenticate clients using JWT, add the following
parameters to the `conf/proxy.conf` file.
-
-```properties
-# For clients connecting to the proxy
-authenticationEnabled=true
-authenticationProviders=org.apache.pulsar.broker.authentication.AuthenticationProviderToken
-tokenSecretKey=file:///path/to/secret.key
-
-# For the proxy to connect to brokers
-brokerClientAuthenticationPlugin=org.apache.pulsar.client.impl.auth.AuthenticationToken
-brokerClientAuthenticationParameters={"token":"eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ0ZXN0LXVzZXIifQ.9OHgE9ZUDeBTZs7nSMEFIuGNEX18FLR3qvy8mqxSxXw"}
-# Either configure the token string or specify to read it from a file. The
following three available formats are all valid:
-# brokerClientAuthenticationParameters={"token":"your-token-string"}
-# brokerClientAuthenticationParameters=token:your-token-string
-# brokerClientAuthenticationParameters=file:///path/to/token
-```
-
-:::note
-
-The proxy uses its own token when connecting to brokers. You need to configure
the role token for this key pair in the `proxyRoles` of the brokers. For more
details, see [authorization](security-authorization.md).
-
-:::
-
## Configure JWT authentication in CLI Tools
[Command-line tools](reference-cli-tools.md) like
[`pulsar-admin`](/tools/pulsar-admin/),
[`pulsar-perf`](reference-cli-tools.md), and
[`pulsar-client`](reference-cli-tools.md) use the `conf/client.conf` config
file in a Pulsar installation.
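Review bot: The deleted proxy note stated that the proxy connects to brokers with its own token and that its role must be configured in the brokers' `proxyRoles`; after this hunk the section shows one `brokerClientAuthenticationParameters` token for both files and never mentions `proxyRoles`. Keep one sentence with the link to security-authorization.md under the merged heading. The removed note about configuring `authParams` in `conf/client.conf` should move to the CLI section that follows if it is still accurate.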
diff --git a/site2/website-next/docs/security-kerberos.md
b/site2/website-next/docs/security-kerberos.md
index 9d7b7ddf1aa..150173bebae 100644
--- a/site2/website-next/docs/security-kerberos.md
+++ b/site2/website-next/docs/security-kerberos.md
@@ -56,7 +56,7 @@
authenticationProviders=org.apache.pulsar.broker.authentication.AuthenticationPr
saslJaasClientAllowedIds=.*client.* ## regex for principals that are allowed
to connect to brokers
saslJaasServerSectionName=PulsarBroker ## corresponds to the section in the
JAAS configuration file for brokers
-## Authentication settings of the broker itself. Used when the broker connects
to other brokers
+# Authentication settings of the broker itself. Used when the broker connects
to other brokers, or when the proxy connects to brokers, either in same or
other clusters
brokerClientAuthenticationPlugin=org.apache.pulsar.client.impl.auth.AuthenticationSasl
brokerClientAuthenticationParameters={"saslJaasClientSectionName":"PulsarClient",
"serverType":"broker"}
```
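Review bot: The replacement comment uses a single `#` while the two context lines above it in the same block still use `##` for comments, so the block now mixes both styles. Pick one for the whole block. The comment also now covers "when the proxy connects to brokers", but the next lines keep `"serverType":"broker"` with no word on whether the same parameters go into `conf/proxy.conf` unchanged; a short clarification would help.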
diff --git a/site2/website-next/docs/security-oauth2.md
b/site2/website-next/docs/security-oauth2.md
index abedc3bba57..bd994e26419 100644
--- a/site2/website-next/docs/security-oauth2.md
+++ b/site2/website-next/docs/security-oauth2.md
@@ -15,18 +15,25 @@ After communicating with the OAuth 2.0 server, the Pulsar
client gets an access
## Enable OAuth2 authentication on brokers/proxies
-To configure brokers to authenticate clients using OAuth2, add the following
parameters to the `conf/broker.conf` and `conf/proxy.conf` file.
+To configure brokers/proxies to authenticate clients using OAuth2, add the
following parameters to the `conf/broker.conf` and the `conf/proxy.conf` file.
If you use a standalone Pulsar, you need to add these parameters to the
`conf/standalone.conf` file:
```properties
# Configuration to enable authentication
authenticationEnabled=true
authenticationProviders=org.apache.pulsar.broker.authentication.AuthenticationProviderToken
-tokenPublicKey=/path/to/publicKey
-# Authentication settings of the broker itself. Used when the broker connects
to other brokers,
-# either in same or other clusters
+
+# Authentication settings of the broker itself. Used when the broker connects
to other brokers, or when the proxy connects to brokers, either in same or
other clusters
brokerClientAuthenticationPlugin=org.apache.pulsar.client.impl.auth.oauth2.AuthenticationOAuth2
-brokerClientAuthenticationParameters={"privateKey":"/path/to/privateKey",\
-
"audience":"https://dev-kt-aa9ne.us.auth0.com/api/v2/","issuerUrl":"https://dev-kt-aa9ne.us.auth0.com"}
+brokerClientAuthenticationParameters={"privateKey":"file:///path/to/privateKey","audience":"https://dev-kt-aa9ne.us.auth0.com/api/v2/","issuerUrl":"https://dev-kt-aa9ne.us.auth0.com"}
+#
brokerClientAuthenticationParameters={"privateKey":"data:application/json;base64,privateKey-body-to-base64","audience":"https://dev-kt-aa9ne.us.auth0.com/api/v2/","issuerUrl":"https://dev-kt-aa9ne.us.auth0.com"}
+
+# If using secret key (Note: key files must be DER-encoded)
+tokenSecretKey=file:///path/to/secret.key
+# The key can also be passed inline:
+# tokenSecretKey=data:;base64,FLFyW0oLJ2Fi22KKCm21J18mbAdztfSHN/lAT5ucEKU=
+
+# If using public/private (Note: key files must be DER-encoded)
+# tokenPublicKey=file:///path/to/public.key
```
## Configure OAuth2 authentication in Pulsar clients
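Review bot: The sample switches the active verification setting from `tokenPublicKey=/path/to/publicKey` to `tokenSecretKey=file:///path/to/secret.key` and leaves `tokenPublicKey` commented out, with no explanation in the text. State which key type matches tokens from the `issuerUrl` in the sample, since a shared secret also lets whoever holds it sign tokens. The inline `tokenSecretKey=data:;base64,...` line carries a realistic-looking key; use a placeholder such as `YOUR-BASE64` as the basic-auth page does, and consider replacing the `dev-kt-aa9ne.us.auth0.com` tenant in `audience` and `issuerUrl` with an example hostname.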
diff --git a/site2/website-next/docs/security-overview.md
b/site2/website-next/docs/security-overview.md
index 917b7ac7af2..a5b88c21a38 100644
--- a/site2/website-next/docs/security-overview.md
+++ b/site2/website-next/docs/security-overview.md
@@ -28,7 +28,7 @@ Encryption ensures that if an attacker gets access to your
data, the attacker ca
Authentication is the process of verifying the identity of clients. In Pulsar,
the authentication provider is responsible for properly identifying clients and
associating them with role tokens. Note that if you only enable authentication,
an authenticated role token can access all resources in the cluster.
-**How it works in Pulsar**
+### How it works in Pulsar
Pulsar provides a pluggable authentication framework, and Pulsar
brokers/proxies use this mechanism to authenticate clients.
@@ -38,13 +38,17 @@ The way how each client passes its authentication data to
brokers varies dependi
- If a client supports authentication refreshing and the credential is
expired, brokers send the `CommandAuthChallenge` command to exchange the
authentication data with the client. If the next check finds that the previous
authentication exchange has not been returned, brokers disconnect the client.
- If a client does not support authentication refreshing and the credential
is expired, brokers disconnect the client.
-:::note
+### Authentication data limitations on the proxies
-When you use proxies between clients and brokers, brokers only authenticate
proxies (known as **self-authentication**) by default. To forward the
authentication data from clients to brokers for client authentication (known as
**original authentication**), you need to:
-1. Set `forwardAuthorizationCredentials` to `true` in the `conf/proxy.conf`
file.
-2. Set `authenticateOriginalAuthData` to `true` in the `conf/broker.conf`
file, which ensures that brokers recheck the client authentication.
+When you use proxies between clients and brokers, there are two authentication
data:
+* authentication data from proxies that brokers default to authenticate -
known as **self-authentication**.
+* authentication data from clients that proxies forward to brokers for
authenticating - known as **original authentication**.
-:::
+**Important:** If your authentication data contains an expiration time, or
your authorization provider depends on the authentication data, you must:
+
+1. Ensure your authentication data of proxies has no expiration time since
brokers don't support refreshing this authentication data.
+2. Set `forwardAuthorizationCredentials` to `true` in the `conf/proxy.conf`
file.
+3. Set `authenticateOriginalAuthData` to `true` in the `conf/broker.conf`
file, which ensures that brokers recheck the client authentication.
**What's next?**
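Review bot: Step 1 of the new list tells readers to give the proxy authentication data with no expiration time, but says nothing about how that long-lived credential should be stored, scoped or rotated. Add a sentence on that. The new "Important" condition also makes steps 2 and 3 read as optional, while the removed note presented `forwardAuthorizationCredentials` and `authenticateOriginalAuthData` as what enables original authentication at all; say what brokers do when the condition does not hold. "There are two authentication data" needs rewording, for example "two kinds of authentication data".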
@@ -59,7 +63,7 @@ When you use proxies between clients and brokers, brokers
only authenticate prox
:::note
-Starting from 2.11.0, [TLS authentication](security-tls-authentication.md)
includes [TLS encryption](security-tls-transport.md) by default. If you
configure TLS authentication first, then TLS encryption automatically applies;
if you configure TLS encryption first, you can select any one of the above
authentication providers.
+Starting from 2.11.0, you can configure [Mutual
TLS](security-tls-transport.md) with any one of the above authentication
providers.
:::
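Review bot: The link text `Mutual TLS` in the added sentence targets `security-tls-transport.md`, whereas the removed sentence linked TLS authentication to `security-tls-authentication.md` and kept the transport page for TLS encryption. Point the link at the page that documents client-certificate authentication, or rename the link text to match its target. The statement that TLS authentication includes TLS encryption by default is also dropped; confirm that is intended.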
diff --git a/site2/website-next/docs/security-tls-authentication.md
b/site2/website-next/docs/security-tls-authentication.md
index 7b86ca8e906..f37d5db1fb3 100644
--- a/site2/website-next/docs/security-tls-authentication.md
+++ b/site2/website-next/docs/security-tls-authentication.md
@@ -13,91 +13,28 @@ import TabItem from '@theme/TabItem';
TLS authentication is an extension of [TLS transport
encryption](security-tls-transport.md). Not only servers have keys and certs
that the client uses to verify the identity of servers, clients also have keys
and certs that the server uses to verify the identity of clients. You must have
TLS transport encryption configured on your cluster before you can use TLS
authentication. This guide assumes you already have TLS transport encryption
configured.
-## Create client certificates
+## Enable TLS authentication on brokers/proxies
-Client certificates are generated using the certificate authority. Server
certificates are also generated with the same certificate authority.
-
-The biggest difference between client certs and server certs is that the
**common name** for the client certificate is the **role token** that the
client is authenticated as.
-
-To use client certificates, you need to set
`tlsRequireTrustedClientCertOnConnect=true` at the broker side. For details,
refer to [TLS broker
configuration](security-tls-transport.md#configure-brokers).
-
-First, you need to enter the following command to generate the key :
-
-```bash
-openssl genrsa -out admin.key.pem 2048
-```
-
-Similar to the broker, the client expects the key to be in [PKCS
8](https://en.wikipedia.org/wiki/PKCS_8) format, so you need to convert it by
entering the following command:
-
-```bash
-openssl pkcs8 -topk8 -inform PEM -outform PEM \
- -in admin.key.pem -out admin.key-pk8.pem -nocrypt
-```
-
-Next, enter the command below to generate the certificate request. When you
are asked for a **common name**, enter the **role token** that you want this
key pair to authenticate a client as.
-
-```bash
-openssl req -config openssl.cnf \
- -key admin.key.pem -new -sha256 -out admin.csr.pem
-```
-
-:::note
-
-If `openssl.cnf` is not specified, read [Certificate
authority](security-tls-transport.md#create-a-certificate-authority) to get
`openssl.cnf`.
-
-:::
-
-Then, enter the command below to sign with a request with the certificate
authority. Note that the client certs use the **usr_cert** extension, which
allows the cert to be used for client authentication.
-
-```bash
-openssl ca -config openssl.cnf -extensions usr_cert \
- -days 1000 -notext -md sha256 \
- -in admin.csr.pem -out admin.cert.pem
-```
-
-You can get a cert, `admin.cert.pem`, and a key, `admin.key-pk8.pem` from this
command. With `ca.cert.pem`, clients can use this cert and this key to
authenticate themselves to brokers and proxies as the role token ``admin``.
-
-:::note
-
-If the "unable to load CA private key" error occurs and the reason for this
error is "No such file or directory: /etc/pki/CA/private/cakey.pem" in this
step. Try the command below to generate `cakey.pem`.
-
-```bash
-cd /etc/pki/tls/misc/CA
-./CA -newca
-```
-
-:::
-
-## Enable TLS authentication on brokers
-
-To configure brokers to authenticate clients, add the following parameters to
`broker.conf`, alongside [the configuration to enable TLS
transport](security-tls-transport.md#configure-brokers):
+To configure brokers/proxies to authenticate clients using Mutual TLS, add the
following parameters to the `conf/broker.conf` and the `conf/proxy.conf` file.
If you use a standalone Pulsar, you need to add these parameters to the
`conf/standalone.conf` file:
```properties
# Configuration to enable authentication
authenticationEnabled=true
authenticationProviders=org.apache.pulsar.broker.authentication.AuthenticationProviderTls
-tlsRequireTrustedClientCertOnConnect=true
brokerClientAuthenticationPlugin=org.apache.pulsar.client.impl.auth.AuthenticationTls
-brokerClientAuthenticationParameters={"tlsCertFile":"/path/my-ca/admin.cert.pem","tlsKeyFile":"/path/my-ca/admin.key-pk8.pem"}
-brokerClientTrustCertsFilePath=/path/my-ca/certs/ca.cert.pem
-```
-
-## Enable TLS authentication on proxies
-
-To configure proxies to authenticate clients, add the following parameters to
`proxy.conf`, alongside [the configuration to enable TLS
transport](security-tls-transport.md#configure-proxies):
+brokerClientAuthenticationParameters={"tlsCertFile":"/path/to/admin.cert.pem","tlsKeyFile":"/path/to/admin.key-pk8.pem"}
+brokerClientTrustCertsFilePath=/path/to/ca.cert.pem
-The proxy should have its own client key pair for connecting to brokers. You
need to configure the role token for this key pair in the `proxyRoles` of the
brokers. See the [authorization guide](security-authorization.md) for more
details.
+tlsCertificateFilePath=/path/to/broker.cert.pem
+tlsKeyFilePath=/path/to/broker.key-pk8.pem
+tlsTrustCertsFilePath=/path/to/ca.cert.pem
-```properties
-# For clients connecting to the proxy
-authenticationEnabled=true
-authenticationProviders=org.apache.pulsar.broker.authentication.AuthenticationProviderTls
tlsRequireTrustedClientCertOnConnect=true
+tlsAllowInsecureConnection=false
-# For the proxy to connect to brokers
-brokerClientAuthenticationPlugin=org.apache.pulsar.client.impl.auth.AuthenticationTls
-brokerClientAuthenticationParameters=tlsCertFile:/path/to/proxy.cert.pem,tlsKeyFile:/path/to/proxy.key-pk8.pem
+# Tls cert refresh duration in seconds (set 0 to check on every new connection)
+tlsCertRefreshCheckDurationSec=300
```
## Configure TLS authentication in Pulsar clients
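Review bot: The merged block is described as going into both `conf/broker.conf` and `conf/proxy.conf`, yet `brokerClientAuthenticationParameters` names `admin.cert.pem` and `admin.key-pk8.pem`, while the removed proxy section used `proxy.cert.pem` and said the proxy should have its own client key pair with its role listed in `proxyRoles`. Keep that sentence and show the proxy values, otherwise readers will deploy the admin key pair on proxies. The same applies to `tlsCertificateFilePath=/path/to/broker.cert.pem`, which is broker-specific. The deleted "Create client certificates" section explained that the certificate common name is the role token; link to wherever that content lives now.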
@@ -223,7 +160,6 @@
authenticationProviders=org.apache.pulsar.broker.authentication.AuthenticationPr
# Enable KeyStore type
tlsEnabledWithKeyStore=true
-tlsRequireTrustedClientCertOnConnect=true
# key store
tlsKeyStoreType=JKS
@@ -244,6 +180,9 @@ brokerClientTlsTrustStorePassword=clientpw
# internal auth config
brokerClientAuthenticationPlugin=org.apache.pulsar.client.impl.auth.AuthenticationKeyStoreTls
brokerClientAuthenticationParameters={"keyStoreType":"JKS","keyStorePath":"/var/private/tls/client.keystore.jks","keyStorePassword":"clientpw"}
+
+tlsRequireTrustedClientCertOnConnect=true
+tlsAllowInsecureConnection=false
```
### Configure clients
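Review bot: `tlsRequireTrustedClientCertOnConnect=true` and `tlsAllowInsecureConnection=false` are appended after the `# internal auth config` group, so they read as part of the broker's own client settings rather than as requirements on incoming connections. Give them their own comment line, or place them next to `tlsEnabledWithKeyStore=true`, where the previous hunk removed the first of the two.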
diff --git a/site2/website-next/docs/tutorials-namespace.md
b/site2/website-next/docs/tutorials-namespace.md
new file mode 100644
index 00000000000..6caa4e784fb
--- /dev/null
+++ b/site2/website-next/docs/tutorials-namespace.md
@@ -0,0 +1,44 @@
+---
+Id: tutorials-namespace
+title: How to create a namespace
+sidebar_label: “Tutorials”
+---
+
+
+Pulsar namespaces are logical groupings of topics.
+
+Namespaces can be managed via:
+
+- The namespaces command of the pulsar-admin tool
+- The /admin/v2/namespaces endpoint of the admin {@inject: rest:REST:/} API
+- The namespaces method of the PulsarAdmin object in the Java API
+
+In this tutorial, we create a namespace called pulsar in the tenant apache.
Then we list namespaces of tenant apache to see if the namespace is created
successfully.
+
+Create the namespace.
+
+```bash
+bin/pulsar-admin namespaces create apache/pulsar
+```
+
+Verify the namespace.
+
+```bash
+bin/pulsar-admin namespaces list apache
+```
+
+You should see similar output to show the namespace apache/pulsar has been
successfully created.
+
+#### Related Topics
+
+- [Set up a tenant](tutorials-tenant.md)
+- [Create a topic](tutorials-topic.md)
+- [Produce and consume messages](tutorials-produce-consume.md)
+- [Manage clusters](admin-api-clusters.md)
+
+
+
+
+
+
+
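Review bot: "You should see similar output" after the verify step refers to output the page never shows; add the expected listing with `apache/pulsar` in a fenced block. In the bullet list, `{@inject: rest:REST:/}` sits mid-sentence and the names `namespaces`, `pulsar-admin`, `/admin/v2/namespaces` and `PulsarAdmin` lack backticks. The front matter has the same capitalized `Id:` and typographic quotes as the other new files, and the file ends with seven blank lines.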
diff --git a/site2/website-next/docs/tutorials-produce-consume.md
b/site2/website-next/docs/tutorials-produce-consume.md
new file mode 100644
index 00000000000..dd333f5c73d
--- /dev/null
+++ b/site2/website-next/docs/tutorials-produce-consume.md
@@ -0,0 +1,77 @@
+---
+Id: tutorials-produce-consume
+title: Produce and consume messages
+sidebar_label: “Tutorials”
+---
+
+In this tutorial, we will:
+- Configure the Pulsar client
+- Create a subscription
+- Create a producer
+- Send test messages
+- Verify the results
+
+## Prerequisites
+
+- [Create tenant](tutorials-tenant.md)
+- [Create namespace](tutorials-namespace.md)
+- [Create topic](tutorials-topic.md)
+
+## Produce and consume messages
+
+1. In the `${PULSAR_HOME}/conf/client.conf` file, replace `webServiceUrl` and
`brokerServiceUrl` with your service URL.
+
+2. Create a subscription to consume messages from `apache/pulsar/test-topic`.
+
+ ```bash
+ bin/pulsar-client consume -s sub apache/pulsar/test-topic -n 0
+ ```
+
+3. In a new terminal, create a producer and send 10 messages to test-topic.
+
+ ```bash
+ bin/pulsar-client produce apache/pulsar/test-topic -m "---------hello
apache pulsar-------" -n 10
+ ```
+
+4. Verify the results.
+
+ ```
+ ----- got message -----
+ ---------hello apache pulsar-------
+ ----- got message -----
+ ---------hello apache pulsar-------
+ ----- got message -----
+ ---------hello apache pulsar-------
+ ----- got message -----
+ ---------hello apache pulsar-------
+ ----- got message -----
+ ---------hello apache pulsar-------
+ ----- got message -----
+ ---------hello apache pulsar-------
+ ----- got message -----
+ ---------hello apache pulsar-------
+ ----- got message -----
+ ---------hello apache pulsar-------
+ ----- got message -----
+ ---------hello apache pulsar-------
+ ----- got message -----
+ ---------hello apache pulsar-------
+
+ Output from the producer side shows the messages have been produced
successfully:
+ 18:15:15.489 [main] INFO org.apache.pulsar.client.cli.PulsarClientTool -
10 messages successfully produced.
+ ```
+
+#### Related Topics
+- [Set up a tenant](tutorials-tenant.md)
+- [Create a topic](tutorials-topic.md)
+- [Create a namespace](tutorials-namespace.md)
+- [Manage clusters](admin-api-clusters.md)
+
+
+
+
+
+
+
+
+
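Review bot: In step 4 the single unlabelled fence mixes three things: the consumer output, the prose sentence "Output from the producer side shows the messages have been produced successfully:", and a producer log line. Close the fence after the last "got message" pair, move the sentence out as normal text, and put the `PulsarClientTool` log line in its own fence, so readers do not expect the consumer terminal to print it. In the front matter, `Id:` should be lowercase `id:`, and `sidebar_label: “Tutorials”` uses typographic quotes that become part of the label; use straight quotes or none. Step 1 covers only `webServiceUrl` and `brokerServiceUrl`; on a cluster with authentication enabled the `authPlugin` and `authParams` entries in `client.conf` are needed as well, and a pointer to the security docs touched in this same commit would help.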
diff --git a/site2/website-next/docs/tutorials-tenant.md
b/site2/website-next/docs/tutorials-tenant.md
new file mode 100644
index 00000000000..92192797d89
--- /dev/null
+++ b/site2/website-next/docs/tutorials-tenant.md
@@ -0,0 +1,54 @@
+---
+Id: tutorials-tenant
+title: How to set up a tenant
+sidebar_label: “Tutorials”
+---
+
+
+Pulsar is a powerful messaging system you can use to process and route high
volumes of data. Each tenant provides a distinct unit of isolation with its own
set of roles, permissions, configuration settings, and bookmarks.
+
+In this tutorial, you will create a new tenant, named “apache” in your Pulsar
cluster, hosted in K8s helm.
+
+To create a tenant:
+
+1. Enter the toolset container.
+
+ ```bash
+ kubectl exec -it -n pulsar pulsar-mini-toolset-0 -- /bin/bash
+ ```
+
+2. In the toolset container, create a tenant named apache.
+
+ ```bash
+ bin/pulsar-admin tenants create apache
+ ```
+
+3. List the tenants to see if the tenant is created successfully.
+
+ ```bash
+ bin/pulsar-admin tenants list
+ ```
+
+ You should see a similar output as below.
+
+ ```
+ The tenant apache has been successfully created.
+ "apache"
+ "public"
+ "pulsar"
+ ```
+
+#### Related Topics
+
+- [How to create a namespace](tutorials-namespace.md)
+- [How to create a topic](tutorials-topic.md)
+- [Run a standalone cluster in Kubernetes](getting-started-helm.md)
+
+
+
+
+
+
+
+
+
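Review bot: The introduction says each tenant has "its own set of roles, permissions, configuration settings", but step 2 runs `bin/pulsar-admin tenants create apache` with no admin roles and no allowed clusters, so the tutorial never shows the isolation it describes. Consider showing the `--admin-roles` and `--allowed-clusters` options in step 2, or state that the defaults are used and link to the tenant admin docs. In step 3, "The tenant apache has been successfully created." sits inside the sample output fence although `tenants list` prints only the tenant names; move it out as prose. The word "bookmarks" in the first paragraph looks like a slip and should be checked, and the front matter has the same `Id:` and typographic-quote problems as the other tutorials-*.md files.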
diff --git a/site2/website-next/docs/tutorials-topic.md
b/site2/website-next/docs/tutorials-topic.md
new file mode 100644
index 00000000000..e0ebc8fbfea
--- /dev/null
+++ b/site2/website-next/docs/tutorials-topic.md
@@ -0,0 +1,39 @@
+---
+Id: tutorials-topic
+title: How to create a topic
+sidebar_label: “Tutorials”
+---
+
+
+Apache Pulsar is a distributed messaging system that supports high performance
and low latency. Topics are the primary way to structure data in Apache Pulsar.
A Pulsar topic is a unit of storage that organizes messages into a stream. Each
message in a topic has an offset, which uniquely identifies the message within
the topic.
+
+## Prerequisites
+[Publish to partitioned
topics](admin-api-topics.md#publish-to-partitioned-topics)
+
+## Create a topic
+
+1. Create `test-topic` with 4 partitions in the namespace `apache/pulsar`.
+
+ ```bash
+ bin/pulsar-admin topics create-partitioned-topic apache/pulsar/test-topic
-p 4
+ ```
+
+2. List all the partitioned topics in the namespace `apache/pulsar`.
+
+ ```bash
+ bin/pulsar-admin topics list-partitioned-topics apache/pulsar
+ ```
+
+#### Related Topics
+
+- [How to set up a tenant](tutorials-tenant.md)
+- [How to create a namespace](tutorials-namespace.md)
+- [How to produce and consume messages](tutorial-produce-consume.md)
+
+
+
+
+
+
+
+
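Review bot: The last Related Topics link points to `tutorial-produce-consume.md`, but the file added in this commit is `tutorials-produce-consume.md`, so the link will not resolve; add the missing "s". The Prerequisites section links to "Publish to partitioned topics" rather than to the tenant and namespace tutorials, although step 1 needs the `apache/pulsar` namespace to exist already; link tutorials-tenant.md and tutorials-namespace.md there. The sentence "Each message in a topic has an offset" should be checked against Pulsar's own terminology, which identifies messages by message ID. The front matter has the same `Id:` and typographic-quote problems as the other tutorials-*.md files.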
diff --git a/site2/website-next/sidebars.json b/site2/website-next/sidebars.json
index 4e0573602bd..44890c019e4 100644
--- a/site2/website-next/sidebars.json
+++ b/site2/website-next/sidebars.json
@@ -210,6 +210,10 @@
{
"type": "category",
"label": "Deployment",
+ "link": {
+ "type": "doc",
+ "id": "install-deploy-upgrade-landing"
+ },
"items": [
"deploy-aws",
{
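Review bot: None of the four new tutorials-*.md pages is registered in sidebars.json: the only added lines are the `"link"` object on the "Deployment" category, which matches the `4 +` in the diffstat, yet each tutorial sets a `sidebar_label`. Either add the tutorials under a category here or confirm they are meant to be reachable only from how-to-landing.md. Also verify that `"id": "install-deploy-upgrade-landing"` matches the id the new landing doc actually resolves to, since the tutorial files in this commit spell the front-matter key `Id:`.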