Authentication using Athenz

    A decentralized Athenz system contains an (ZMS) server and an authoriZation Token System (ZTS) server.

    To begin, you need to set up Athenz service access control. You need to create domains for the provider (which provides some resources to other services with some authentication/authorization policies) and the tenant (which is provisioned to access some resources in a provider). In this case, the provider corresponds to the Pulsar service itself and the tenant corresponds to each application using Pulsar (typically, a in Pulsar).

    On the tenant side, you need to do the following things:

    1. Create a domain, such as
    2. Create a service, such as some_app, on the domain with the public key

    Note that you need to specify the private key generated in step 2 when the Pulsar client connects to the (see client configuration examples for Java and ).

    On the provider side, you need to do the following things:

    1. Create a domain, such as pulsar
    2. Create a role
    3. Add the tenant service to members of the role

    Note that you can specify any action and resource in step 2, since Pulsar does not use them. In other words, Pulsar uses the Athenz role token only for authentication, not for authorization.

    For more specific steps involving UI, refer to Example Service Access Control Setup.

    A full listing of parameters is available in the conf/broker.conf file; you can also find the default values for those parameters in .

    For more information on Pulsar client authentication using Athenz, see the following language-specific docs:

    like pulsar-admin, , and pulsar-client use the conf/client.conf config file in a Pulsar installation.

    You need to add the following authentication parameters to the config file to use Athenz with CLI tools of Pulsar:

        # URL for the broker
        serviceUrl=https://broker.example.com:8443/
        # Set Athenz auth plugin and its parameters
        authParams={"tenantDomain":"shopping","tenantService":"some_app","providerDomain":"pulsar","privateKey":"file:///path/to/private.pem","keyId":"v1"}
        # Enable TLS
        useTls=true
        tlsAllowInsecureConnection=false
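As an added check that is not part of the Pulsar docs or project, the following Python parses a client.conf in the form shown above and flags settings that would weaken the Athenz setup: a non-TLS service URL, TLS disabled, insecure connections allowed, or an authParams JSON missing one of the keys the plugin needs. Both sample configurations inside it are constructed for this example.

```python
import json

# Keys the Athenz plugin reads from authParams (taken from this page's client.conf example)
REQUIRED_AUTH_PARAMS = ("tenantDomain", "tenantService", "providerDomain", "privateKey", "keyId")

# Constructed sample: the entries this page shows for a correct Athenz client setup
GOOD_CONF = """
# URL for the broker
serviceUrl=https://broker.example.com:8443/
authParams={"tenantDomain":"shopping","tenantService":"some_app","providerDomain":"pulsar","privateKey":"file:///path/to/private.pem","keyId":"v1"}
useTls=true
tlsAllowInsecureConnection=false
"""

# Constructed sample with the mistakes the check below is meant to catch
WEAK_CONF = """
serviceUrl=http://broker.example.com:8080/
authParams={"tenantDomain":"shopping","tenantService":"some_app","providerDomain":"pulsar","privateKey":"/path/to/private.pem"}
useTls=false
tlsAllowInsecureConnection=true
"""


def parse_client_conf(text):
    """Parse key=value lines of a Pulsar client.conf; comments and blank lines are skipped."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def check_athenz_client_conf(text):
    """Return a list of findings; an empty list means the configuration passes every check."""
    conf = parse_client_conf(text)
    findings = []
    if not conf.get("serviceUrl", "").startswith(("https://", "pulsar+ssl://")):
        findings.append("serviceUrl must use https:// or pulsar+ssl://; the role token is a bearer credential")
    if conf.get("useTls") != "true":
        findings.append("useTls must be true")
    if conf.get("tlsAllowInsecureConnection", "false") != "false":
        findings.append("tlsAllowInsecureConnection must be false so the broker certificate is verified")
    try:
        params = json.loads(conf.get("authParams", ""))
    except json.JSONDecodeError:
        findings.append("authParams is not valid JSON")
        return findings
    for key in REQUIRED_AUTH_PARAMS:
        if not params.get(key):
            findings.append(f"authParams is missing {key}")
    if not params.get("privateKey", "").startswith("file://"):
        findings.append("privateKey is not a file:// URI (the form this page shows)")
    return findings
```

Run `check_athenz_client_conf` over your own conf/client.conf before handing it to pulsar-admin or pulsar-client; the good sample returns no findings and the weak one returns five.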