This is an automated email from the ASF dual-hosted git repository.

sijie pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/incubator-pulsar.git

The following commit(s) were added to refs/heads/master by this push:
     new 9d37897  [website] remove `reference-auth.md` (#2248)
9d37897 is described below

commit 9d378978026b532386d89f7af3afc6997d3bff1c
Author: Sijie Guo <guosi...@gmail.com>
AuthorDate: Fri Jul 27 12:11:39 2018 -0700

    [website] remove `reference-auth.md` (#2248)

    ### Motivation

    This page is a duplication of `security-extending.md`

    ### Changes

    Remove the duplicated `reference-auth.md`
---
 site2/docs/reference-auth.md | 206 -------------------------------------------
 site2/website/sidebars.json  |   3 +-
 2 files changed, 1 insertion(+), 208 deletions(-)

diff --git a/site2/docs/reference-auth.md b/site2/docs/reference-auth.md
deleted file mode 100644
index cc7e8fc..0000000
--- a/site2/docs/reference-auth.md
+++ /dev/null
@@ -1,206 +0,0 @@ ---- -id: reference-auth -title: Extending Authentication and Authorization in Pulsar -sidebar_label: Authn & Authz plugins ---- - -Pulsar provides a way to use custom authentication and authorization mechanisms - -## Authentication - -Pulsar supports mutual TLS and Athenz authentication plugins, and these can be used as described -[here](security-overview.md). - -It is possible to use a custom authentication mechanism by providing the implementation in the -form of two plugins one for the Client library and the other for the Pulsar Broker to validate -the credentials. - -### Client authentication plugin - -For client library, you will need to implement `org.apache.pulsar.client.api.Authentication`. This class can then be passed -when creating a Pulsar client: - -```java -PulsarClient client = PulsarClient.builder() - .serviceUrl("pulsar://localhost:6650") - .authentication(new MyAuthentication()) - .build(); -``` - -For reference, there are 2 interfaces to implement on the client side: - * `Authentication` -> [Authentication API](http://pulsar.apache.org/api/client/org/apache/pulsar/client/api/Authentication.html) - * `AuthenticationDataProvider` -> [AuthenticationDataProvider API](http://pulsar.apache.org/api/client/org/apache/pulsar/client/api/AuthenticationDataProvider.html) - - -This in turn will need to provide the client credentials in the form of `org.apache.pulsar.client.api.AuthenticationDataProvider`. This will leave -the chance to return different kinds of authentication token for different -type of connection or by passing a certificate chain to use for TLS. 
- - -Examples for client authentication providers can be found at: - - * Mutual TLS Auth -- https://github.com/apache/incubator-pulsar/tree/master/pulsar-client/src/main/java/org/apache/pulsar/client/impl/auth - * Athenz -- https://github.com/apache/incubator-pulsar/tree/master/pulsar-client-auth-athenz/src/main/java/org/apache/pulsar/client/impl/auth - -### Broker authentication plugin - -On broker side, we need the corresponding plugin to validate the credentials -passed by the client. Broker can support multiple authentication providers -at the same time. - -In `conf/broker.conf` it's possible to specify a list of valid providers: - -```properties -# Autentication provider name list, which is comma separated list of class names -authenticationProviders= -``` - -There is one single interface to implement `org.apache.pulsar.broker.authentication.AuthenticationProvider`: - -```java -/** - * Provider of authentication mechanism - */ -public interface AuthenticationProvider extends Closeable { - - /** - * Perform initialization for the authentication provider - * - * @param config - * broker config object - * @throws IOException - * if the initialization fails - */ - void initialize(ServiceConfiguration config) throws IOException; - - /** - * @return the authentication method name supported by this provider - */ - String getAuthMethodName(); - - /** - * Validate the authentication for the given credentials with the specified authentication data - * - * @param authData - * provider specific authentication data - * @return the "role" string for the authenticated connection, if the authentication was successful - * @throws AuthenticationException - * if the credentials are not valid - */ - String authenticate(AuthenticationDataSource authData) throws AuthenticationException; - -} -``` - -Example for Broker authentication plugins: - - * Mutual TLS -- 
https://github.com/apache/incubator-pulsar/blob/master/pulsar-broker-common/src/main/java/org/apache/pulsar/broker/authentication/AuthenticationProviderTls.java - * Athenz -- https://github.com/apache/incubator-pulsar/blob/master/pulsar-broker-auth-athenz/src/main/java/org/apache/pulsar/broker/authentication/AuthenticationProviderAthenz.java - -## Authorization - -Authorization is the operation that checks whether a particular "role" or "principal" is -allowed to perform a certain operation. - -By default, Pulsar provides an embedded authorization, though it's possible to -configure a different one through a plugin. - -To provide a custom provider, one needs to implement the - `org.apache.pulsar.broker.authorization.AuthorizationProvider` interface, have this class in the - Pulsar broker classpath and configure it in `conf/broker.conf`: - - ```properties - # Authorization provider fully qualified class-name - authorizationProvider=org.apache.pulsar.broker.authorization.PulsarAuthorizationProvider - ``` - -```java -/** - * Provider of authorization mechanism - */ -public interface AuthorizationProvider extends Closeable { - - /** - * Perform initialization for the authorization provider - * - * @param config - * broker config object - * @param configCache - * pulsar zk configuration cache service - * @throws IOException - * if the initialization fails - */ - void initialize(ServiceConfiguration conf, ConfigurationCacheService configCache) throws IOException; - - /** - * Check if the specified role has permission to send messages to the specified fully qualified topic name. - * - * @param topicName - * the fully qualified topic name associated with the topic. - * @param role - * the app id used to send messages to the topic. 
- */ - CompletableFuture<Boolean> canProduceAsync(TopicName topicName, String role, - AuthenticationDataSource authenticationData); - - /** - * Check if the specified role has permission to receive messages from the specified fully qualified topic name. - * - * @param topicName - * the fully qualified topic name associated with the topic. - * @param role - * the app id used to receive messages from the topic. - * @param subscription - * the subscription name defined by the client - */ - CompletableFuture<Boolean> canConsumeAsync(TopicName topicName, String role, - AuthenticationDataSource authenticationData, String subscription); - - /** - * Check whether the specified role can perform a lookup for the specified topic. - * - * For that the caller needs to have producer or consumer permission. - * - * @param topicName - * @param role - * @return - * @throws Exception - */ - CompletableFuture<Boolean> canLookupAsync(TopicName topicName, String role, - AuthenticationDataSource authenticationData); - - /** - * - * Grant authorization-action permission on a namespace to the given client - * - * @param namespace - * @param actions - * @param role - * @param authDataJson - * additional authdata in json format - * @return CompletableFuture - * @completesWith <br/> - * IllegalArgumentException when namespace not found<br/> - * IllegalStateException when failed to grant permission - */ - CompletableFuture<Void> grantPermissionAsync(NamespaceName namespace, Set<AuthAction> actions, String role, - String authDataJson); - - /** - * Grant authorization-action permission on a topic to the given client - * - * @param topicName - * @param role - * @param authDataJson - * additional authdata in json format - * @return CompletableFuture - * @completesWith <br/> - * IllegalArgumentException when namespace not found<br/> - * IllegalStateException when failed to grant permission - */ - CompletableFuture<Void> grantPermissionAsync(TopicName topicName, Set<AuthAction> actions, String 
role, - String authDataJson); - -} - -``` diff --git a/site2/website/sidebars.json b/site2/website/sidebars.json index 660df1c..f37eb96 100644 --- a/site2/website/sidebars.json +++ b/site2/website/sidebars.json @@ -87,8 +87,7 @@ "reference-rest-api", "reference-cli-tools", "pulsar-admin", - "reference-configuration", - "reference-auth" + "reference-configuration" ] }, "docs-other": {
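Review bot: before the whole of `reference-auth.md` is dropped, confirm that `security-extending.md` really carries everything this hunk deletes, since the commit message only asserts duplication. In particular the surviving page should still document the `authenticationProviders` and `authorizationProvider` keys in `conf/broker.conf`, the `AuthenticationProvider` contract (`initialize`, `getAuthMethodName`, `authenticate` returning the role), the `AuthorizationProvider` methods `canProduceAsync`, `canConsumeAsync`, `canLookupAsync` and both `grantPermissionAsync` overloads, and the note that lookup requires producer or consumer permission. If any of that is absent there, move it across in this PR rather than losing it with the deletion; the same applies to the links to `security-overview.md` and to the TLS and Athenz provider sources.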
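Review bot: removing `"reference-auth"` from the sidebar array is right and the trailing-comma change on `"reference-configuration"` keeps the JSON valid, but the diffstat shows only these two files changed, so no other page, link or redirect was updated for the `reference-auth` doc id. Any doc or site page still linking to `reference-auth` will now 404; grep the `site2` tree for that id and either repoint those links at `security-extending` or add a redirect for the old URL in the same PR.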