Extend Authentication and Authorization in Pulsar

You can use a custom authentication mechanism by providing the implementation in the form of two plugins.

• Client authentication plugin

For the client library, you need to implement . By entering the command below, you can pass this class when you create a Pulsar client.

You can implement 2 interfaces on the client side:

• Authentication

You can find the following examples for different client authentication plugins:

• Mutual TLS
• Kerberos
• Basic auth

On the proxy/broker side, you need to configure the corresponding plugin to validate the credentials that the client sends. The proxy and broker can support multiple authentication providers at the same time.

In , you can choose to specify a list of valid providers:

You can find the following examples for different broker authentication plugins:

• Athenz
• JSON Web Token (JWT)

Authorization

Authorization is the operation that checks whether a particular “role” or “principal” has permission to perform a certain operation.

By default, you can use the embedded authorization provider provided by Pulsar. You can also configure a different authorization provider through a plugin. Note that although the Authentication plugin is designed for use in both the proxy and broker, the Authorization plugin is designed only for use on the broker.

For the implementation of the interface, refer to .