Extending Authentication and Authorization in Pulsar

    Pulsar supports mutual TLS and Athenz authentication plugins, and these can be used as described in Security.

    It is possible to use a custom authentication mechanism by providing the implementation in the form of two plugins: one for the client library, and the other for the Pulsar broker to validate the credentials.

    For the client library, you will need to implement . This class can then be passed when creating a Pulsar client:

    • Authentication ->

    Examples for client authentication providers can be found at:

    Broker authentication plugin

    On the broker side, we need the corresponding plugin to validate the credentials passed by the client. The broker can support multiple authentication providers at the same time.

    In it's possible to specify a list of valid providers:

    Examples of broker authentication plugins:

    • Athenz —

    Authorization

    Authorization is the operation that checks whether a particular "role" or "principal" is allowed to perform a certain operation.

    By default, Pulsar provides an embedded authorization, though it's possible to configure a different one through a plugin.