Pulsar supports mutual TLS and Athenz authentication plugins. For how to use these authentication plugins, you can refer to the description in .
You can choose to use a custom authentication mechanism by providing the implementation in the form of two plugins. One plugin is for the Client library and the other plugin is for the Pulsar Broker to validate the credentials.
For the client library, you need to implement org.apache.pulsar.client.api.Authentication (http://pulsar.apache.org/api/client/2.6.0-SNAPSHOT/org/apache/pulsar/client/api/Authentication.html). By entering the command below you can pass this class when you create a Pulsar client:
This in turn needs to provide the client credentials in the form of org.apache.pulsar.client.api.AuthenticationDataProvider. This makes it possible to return different kinds of authentication token for different types of connection, or to pass a certificate chain to use for TLS.
You can find examples for client authentication providers at:
Broker authentication plugin
On the broker side, you need the corresponding plugin to validate the credentials that the client passes. The broker can support multiple authentication providers at the same time.
To implement org.apache.pulsar.broker.authentication.AuthenticationProvider on one single interface:
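One way to implement this interface, as an added example that is not Pulsar's own code: a provider that checks a shared secret sent over the binary protocol and returns a fixed role. The class name, package, the method name "shared-secret" and the two broker.conf keys are assumptions made for this example, and the connection is assumed to be protected by TLS.

```java
package com.example.pulsar; // hypothetical package name

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import javax.naming.AuthenticationException;
import org.apache.pulsar.broker.ServiceConfiguration;
import org.apache.pulsar.broker.authentication.AuthenticationDataSource;
import org.apache.pulsar.broker.authentication.AuthenticationProvider;

// Added example, not Pulsar's own code: accepts one shared secret and maps it to one role.
public class SharedSecretAuthenticationProvider implements AuthenticationProvider {
    // Hypothetical broker.conf keys invented for this example.
    private static final String SECRET_KEY = "sharedSecretAuthSecret";
    private static final String ROLE_KEY = "sharedSecretAuthRole";

    private byte[] expectedSecret;
    private String role;

    @Override
    public void initialize(ServiceConfiguration config) throws IOException {
        String secret = config.getProperties().getProperty(SECRET_KEY);
        role = config.getProperties().getProperty(ROLE_KEY);
        // Fail closed: a broker with no secret or role configured must not start.
        if (secret == null || secret.isEmpty() || role == null || role.isEmpty()) {
            throw new IOException(SECRET_KEY + " and " + ROLE_KEY + " must both be set");
        }
        expectedSecret = secret.getBytes(StandardCharsets.UTF_8);
    }

    @Override
    public String getAuthMethodName() {
        return "shared-secret"; // must equal the client plugin's getAuthMethodName()
    }

    @Override
    public String authenticate(AuthenticationDataSource authData) throws AuthenticationException {
        // Only credentials from the binary protocol are accepted; anything else is rejected.
        String presented = authData.hasDataFromCommand() ? authData.getCommandData() : null;
        byte[] candidate = presented == null ? new byte[0] : presented.getBytes(StandardCharsets.UTF_8);
        // MessageDigest.isEqual avoids the early-exit timing leak of String.equals.
        if (!MessageDigest.isEqual(expectedSecret, candidate)) {
            throw new AuthenticationException("shared-secret authentication failed");
        }
        return role; // the role (principal) that authorization is later checked against
    }

    @Override
    public void close() throws IOException {
        // Nothing to release.
    }
}
```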
The following is the example for Broker authentication plugins:
Authorization
Authorization is the operation that checks whether a particular “role” or “principal” has a permission to perform a certain operation.
To provide a custom provider, you need to implement the interface, put this class in the Pulsar broker classpath and configure the class in conf/broker.conf: