Skip to content

Commit

Permalink
[DOCS] Small improvements and clarifications around AuthN / AuthZ (ap…
Browse files Browse the repository at this point in the history
…ache#7976)

* Small documentation improvements and clarifications around AuthN / AuthZ

* PR feedback and added some clarifications
  • Loading branch information
kellyfj authored Sep 8, 2020
1 parent c9ede6e commit 18a54c4
Show file tree
Hide file tree
Showing 2 changed files with 14 additions and 11 deletions.
9 changes: 5 additions & 4 deletions site2/docs/security-authorization.md
Original file line number Diff line number Diff line change
Expand Up @@ -24,17 +24,18 @@ superUserRoles=my-super-user-1,my-super-user-2
> A full list of parameters is available in the `conf/broker.conf` file.
> You can also find the default values for those parameters in [Broker Configuration](reference-configuration.md#broker).
Typically, you can not only use superuser roles for administrators and clients but also for broker-to-broker authorization. When you use [geo-replication](concepts-replication.md), every broker needs to be able to publish to all the other topics of clusters.
Typically, you use superuser roles for administrators, clients as well as broker-to-broker authorization. When you use [geo-replication](concepts-replication.md), every broker needs to be able to publish to all the other topics of clusters.

You can also enable the authorization for the proxy in the proxy configuration file (`conf/proxy.conf`). Once you enable the authorization on the proxy, the proxy does an additional authorization check before forwarding the request to a broker. The broker still checks the authorization of the request when the broker receives the forwarded request.
You can also enable the authorization for the proxy in the proxy configuration file (`conf/proxy.conf`). Once you enable the authorization on the proxy, the proxy does an additional authorization check before forwarding the request to a broker.
If you enable authorization on the broker, the broker checks the authorization of the request when the broker receives the forwarded request.

### Proxy Roles

By default, the broker treats the connection between a proxy and the broker as a normal user connection. The broker authenticates the user as the role configured in `proxy.conf`(see ["Enable TLS Authentication on Proxies"](security-tls-authentication.md#enable-tls-authentication-on-proxies)). However, when the user connects to the cluster through a proxy, the user rarely requires the authentication. The user expects to be able to interact with the cluster as the role for which they have authenticated with the proxy.

Pulsar uses *Proxy roles* to enable the authentication. Proxy roles are specified in the broker configuration file, [`conf/broker.conf`](reference-configuration.md#broker). If a client that is authenticated with a broker is one of its ```proxyRoles```, all requests from that client must also carry information about the role of the client that is authenticated with the proxy. This information is called the *original principle*. If the *original principle* misses, the client is not able to access anything.
Pulsar uses *Proxy roles* to enable the authentication. Proxy roles are specified in the broker configuration file, [`conf/broker.conf`](reference-configuration.md#broker). If a client that is authenticated with a broker is one of its ```proxyRoles```, all requests from that client must also carry information about the role of the client that is authenticated with the proxy. This information is called the *original principal*. If the *original principal* is absent, the client is not able to access anything.

You must authorize the *proxy role* and the *original principle* to access a resource. Thus that resource can be accessible via the proxy. Administrators can take two approaches to authorize the *proxy role* and the *original principle*.
You must authorize both the *proxy role* and the *original principal* to access a resource to ensure that the resource is accessible via the proxy. Administrators can take two approaches to authorize the *proxy role* and the *original principal*.

The more secure approach is to grant access to the proxy roles each time you grant access to a resource. For example, if you have a proxy role named `proxy1`, when the superuser creats a tenant, you should specify `proxy1` as one of the admin roles. When a role is granted permissions to produce or consume from a namespace, if that client wants to produce or consume through a proxy, you should also grant `proxy1` the same permissions.

Expand Down
16 changes: 9 additions & 7 deletions site2/docs/security-extending.md
Original file line number Diff line number Diff line change
Expand Up @@ -10,11 +10,11 @@ Pulsar provides a way to use custom authentication and authorization mechanisms.

Pulsar supports mutual TLS and Athenz authentication plugins. For how to use these authentication plugins, you can refer to the description in [Security](security-overview.md).

You can choose to use a custom authentication mechanism by providing the implementation in the form of two plugins. One plugin is for the Client library and the other plugin is for the Pulsar Broker to validate the credentials.
You can use a custom authentication mechanism by providing the implementation in the form of two plugins. One plugin is for the Client library and the other plugin is for the Pulsar Proxy and/or Pulsar Broker to validate the credentials.

### Client authentication plugin

For client library, you need to implement `org.apache.pulsar.client.api.Authentication`. By entering the command below you can pass this class when you create a Pulsar client:
For the client library, you need to implement `org.apache.pulsar.client.api.Authentication`. By entering the command below you can pass this class when you create a Pulsar client:

```java
PulsarClient client = PulsarClient.builder()
Expand All @@ -36,14 +36,14 @@ You can find examples for client authentication providers at:
* Mutual TLS Auth -- https://github.com/apache/pulsar/tree/master/pulsar-client/src/main/java/org/apache/pulsar/client/impl/auth
* Athenz -- https://github.com/apache/pulsar/tree/master/pulsar-client-auth-athenz/src/main/java/org/apache/pulsar/client/impl/auth

### Broker authentication plugin
### Proxy/Broker authentication plugin

On broker side, you need the corresponding plugin to validate the credentials that the client passes. Broker can support multiple authentication providers at the same time.
On the proxy/broker side, you need to configure the corresponding plugin to validate the credentials that the client sends. The Proxy and Broker can support multiple authentication providers at the same time.

In `conf/broker.conf` you can choose to specify a list of valid providers:

```properties
# Autentication provider name list, which is comma separated list of class names
# Authentication provider name list, which is comma separated list of class names
authenticationProviders=
```
To implement `org.apache.pulsar.broker.authentication.AuthenticationProvider` on one single interface:
Expand Down Expand Up @@ -90,9 +90,11 @@ The following is the example for Broker authentication plugins:

## Authorization

Authorization is the operation that checks whether a particular "role" or "principal" has a permission to perform a certain operation.
Authorization is the operation that checks whether a particular "role" or "principal" has permission to perform a certain operation.

By default, Pulsar provides an embedded authorization, though configuring a different one through a plugin is also an alternative choice.
By default, you can use the embedded authorization provider provided by Pulsar. You can also configure a different authorization provider through a plugin.
Note that although the Authentication plugin is designed for use in both the Proxy and Broker,
the Authorization plugin is designed only for use on the Broker however the Proxy does perform some simple Authorization checks of Roles if authorization is enabled.

To provide a custom provider, you need to implement the `org.apache.pulsar.broker.authorization.AuthorizationProvider` interface, put this class in the Pulsar broker classpath and configure the class in `conf/broker.conf`:

Expand Down

0 comments on commit 18a54c4

Please sign in to comment.