Authentication and Authorization (0)

Pulsar authentication: overview

Pulsar supports TLS, Athenz, Kerberos and JSON Web Token authentication, and also lets you plug in a custom authentication scheme.

Pulsar carries its traffic over Netty as length-prefixed binary frames (a TLV-style layout; the command type itself travels inside the protobuf BaseCommand). On the broker the frames are handled by org.apache.pulsar.broker.service.ServerCnx, on the client by org.apache.pulsar.client.impl.ClientCnx. Both ultimately extend PulsarDecoder, which switches on the command type and dispatches each command to its handler; authentication happens in the CONNECT handler, and AUTH_CHALLENGE / AUTH_RESPONSE are used afterwards when the broker re-checks credentials.

The command types PulsarDecoder switches on (the case labels of its switch over BaseCommand.Type) are:

case PARTITIONED_METADATA
case PARTITIONED_METADATA_RESPONSE
case LOOKUP
case LOOKUP_RESPONSE
case ACK
case ACK_RESPONSE
case CLOSE_CONSUMER
case CLOSE_PRODUCER
case CONNECT
case CONNECTED
case ERROR
case FLOW
case MESSAGE
case PRODUCER
case SEND
case SEND_ERROR
case SEND_RECEIPT
case SUBSCRIBE
case SUCCESS
case PRODUCER_SUCCESS
case UNSUBSCRIBE
case SEEK
case PING
case PONG
case REDELIVER_UNACKNOWLEDGED_MESSAGES
case CONSUMER_STATS
case CONSUMER_STATS_RESPONSE
case REACHED_END_OF_TOPIC
case GET_LAST_MESSAGE_ID
case GET_LAST_MESSAGE_ID_RESPONSE
case ACTIVE_CONSUMER_CHANGE
case GET_TOPICS_OF_NAMESPACE
case GET_TOPICS_OF_NAMESPACE_RESPONSE
case GET_SCHEMA
case GET_SCHEMA_RESPONSE
case GET_OR_CREATE_SCHEMA
case GET_OR_CREATE_SCHEMA_RESPONSE
case AUTH_CHALLENGE
case AUTH_RESPONSE
case NEW_TXN
case NEW_TXN_RESPONSE
case ADD_PARTITION_TO_TXN
case ADD_PARTITION_TO_TXN_RESPONSE
case ADD_SUBSCRIPTION_TO_TXN
case ADD_SUBSCRIPTION_TO_TXN_RESPONSE
case END_TXN
case END_TXN_RESPONSE
case END_TXN_ON_PARTITION
case END_TXN_ON_PARTITION_RESPONSE
case END_TXN_ON_SUBSCRIPTION
case END_TXN_ON_SUBSCRIPTION_RESPONSE

Implementing Pulsar authentication

Pulsar authentication is simple to wire up; the two steps below are all it takes.

  1. Implement the two interfaces org.apache.pulsar.client.api.Authentication and org.apache.pulsar.broker.authentication.AuthenticationProvider. The first is used on the client side (it produces the credential sent in CONNECT), the second on the broker side (it validates that credential and returns the role name).
  2. Edit conf/broker.conf to enable authentication.
# Enable authentication
authenticationEnabled=true
# Authentication provider name list, which is comma separated list of class names
authenticationProviders=auth.server.VVAuthenticationProvider
# Interval of time for checking for expired authentication credentials
authenticationRefreshCheckSeconds=60
# Role names that are treated as "super-user", meaning they will be able to do all admin
# operations and publish/consume from all topics
superUserRoles=vv-role,cc-role
# Authentication settings of the broker itself. Used when the broker connects to other brokers,
# either in same or other clusters
brokerClientTlsEnabled=false
brokerClientAuthenticationPlugin=auth.client2.client.VVAuthentication
brokerClientAuthenticationParameters=
brokerClientTrustCertsFilePath=

Note that authentication applies not only between client and broker but also between brokers: that is what brokerClientAuthenticationPlugin and brokerClientAuthenticationParameters configure, because a broker acts as a client when it talks to other brokers in the same or another cluster. Your implementation therefore has to tell the roles apart, so that a broker-to-broker connection is not treated as an ordinary client or vice versa; otherwise data handling goes wrong.
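The two steps above, as an added example that is not the post's own code: a shared-secret HMAC credential that plugs into both SPIs. The class names follow the post's broker.conf (auth.client2.client.VVAuthentication and auth.server.VVAuthenticationProvider); the token layout, the VVToken helper, the "vv-hmac" method name and the broker.conf property vvSharedSecret are this example's own assumptions, and it is written against the Pulsar 2.x API. The role returned by the broker side is what separates the broker's own connections from ordinary clients, which is the point of the note above. Three source files are shown back to back.

```java
// Added example, not from the post. File boundaries are marked; class names come from the post's
// broker.conf, everything else (token format, vvSharedSecret property, "vv-hmac") is assumed here.
// ---- auth/common/VVToken.java ----
package auth.common;

import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.naming.AuthenticationException;

/** Token layout (this example's own): role:issuedAtMillis:base64url(HMAC-SHA256(secret, "role:issuedAtMillis")). */
public final class VVToken {
    public static final String METHOD = "vv-hmac";

    private static byte[] hmac(String secret, String payload) {
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(secret.getBytes(StandardCharsets.UTF_8), "HmacSHA256"));
            return mac.doFinal(payload.getBytes(StandardCharsets.UTF_8));
        } catch (GeneralSecurityException e) { throw new IllegalStateException(e); }
    }

    public static String mint(String role, String secret, long nowMillis) {
        if (role.contains(":")) throw new IllegalArgumentException("role must not contain ':'");
        String payload = role + ":" + nowMillis;
        return payload + ":" + Base64.getUrlEncoder().withoutPadding().encodeToString(hmac(secret, payload));
    }

    /** Returns the role on success. Constant-time tag compare; the freshness window bounds replay. */
    public static String verify(String token, String secret, long nowMillis, long maxAgeMillis)
            throws AuthenticationException {
        String[] p = token.split(":", 3);
        if (p.length != 3 || p[0].isEmpty()) throw new AuthenticationException("malformed token");
        long issuedAt;
        try { issuedAt = Long.parseLong(p[1]); }
        catch (NumberFormatException e) { throw new AuthenticationException("malformed timestamp"); }
        if (Math.abs(nowMillis - issuedAt) > maxAgeMillis) throw new AuthenticationException("token expired");
        byte[] given;
        try { given = Base64.getUrlDecoder().decode(p[2]); }
        catch (IllegalArgumentException e) { throw new AuthenticationException("malformed tag"); }
        if (!MessageDigest.isEqual(hmac(secret, p[0] + ":" + p[1]), given))
            throw new AuthenticationException("bad signature");
        return p[0];
    }
}

// ---- auth/client2/client/VVAuthentication.java ----
package auth.client2.client;

import java.util.Map;
import auth.common.VVToken;
import org.apache.pulsar.client.api.Authentication;
import org.apache.pulsar.client.api.AuthenticationDataProvider;

/** Client side: configured with authParams role=... and secret=... */
public class VVAuthentication implements Authentication {
    private String role;
    private String secret;

    @Override public String getAuthMethodName() { return VVToken.METHOD; }

    @Override public void configure(Map<String, String> authParams) {
        role = authParams.get("role");
        secret = authParams.get("secret");
        if (role == null || secret == null) throw new IllegalArgumentException("role and secret are required");
    }

    @Override public AuthenticationDataProvider getAuthData() {
        return new AuthenticationDataProvider() {
            @Override public boolean hasDataFromCommand() { return true; }
            // Minted on every call: the first CONNECT and each later AUTH_RESPONSE (the broker re-challenges
            // on the authenticationRefreshCheckSeconds cadence) get a fresh token instead of a replayed one.
            @Override public String getCommandData() { return VVToken.mint(role, secret, System.currentTimeMillis()); }
        };
    }

    @Override public void start() {}
    @Override public void close() {}
}

// ---- auth/server/VVAuthenticationProvider.java ----
package auth.server;

import java.io.IOException;
import javax.naming.AuthenticationException;
import auth.common.VVToken;
import org.apache.pulsar.broker.ServiceConfiguration;
import org.apache.pulsar.broker.authentication.AuthenticationDataSource;
import org.apache.pulsar.broker.authentication.AuthenticationProvider;

/** Broker side: the shared secret comes from the broker.conf property vvSharedSecret (this example's own key). */
public class VVAuthenticationProvider implements AuthenticationProvider {
    private static final long MAX_AGE_MILLIS = 90_000L;   // a little above authenticationRefreshCheckSeconds=60
    private String secret;

    @Override public void initialize(ServiceConfiguration config) throws IOException {
        secret = config.getProperties().getProperty("vvSharedSecret");
        if (secret == null || secret.length() < 32) throw new IOException("vvSharedSecret missing or shorter than 32 chars");
    }

    @Override public String getAuthMethodName() { return VVToken.METHOD; }

    @Override public String authenticate(AuthenticationDataSource authData) throws AuthenticationException {
        if (!authData.hasDataFromCommand()) throw new AuthenticationException("no credential in CONNECT");
        // The returned string is the role that superUserRoles and the AuthorizationProvider operate on. A broker
        // dialing its peers with role=broker-role is told apart from ordinary clients by this value alone.
        return VVToken.verify(authData.getCommandData(), secret, System.currentTimeMillis(), MAX_AGE_MILLIS);
    }

    @Override public void close() {}
}
```

With the broker.conf shown above, the broker's own connections would use brokerClientAuthenticationParameters carrying the same two keys for a broker-role that is also listed in superUserRoles (for a custom plugin that does not implement EncodedAuthenticationParameterSupport, AuthenticationFactory hands the plugin the key:value,key:value form of that string). An application client passes the plugin with PulsarClient.builder().authentication(AuthenticationFactory.create("auth.client2.client.VVAuthentication", Map.of("role", "vv-role", "secret", "..."))). This example only covers the binary protocol path; admin REST calls would additionally need hasDataForHttp() / getHttpHeaders() on the client and hasDataFromHttp() / getHttpHeader() on the broker.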

Pulsar authorization: overview

Authentication and authorization in Pulsar are separate. Authentication verifies that a client is who it claims to be; authorization then decides what each client may do, down to tenant, namespace and topic operations. Although the two are separate, authorization is role-based and the role is produced by authentication (the string the AuthenticationProvider returns), so authorization can only be enabled once authentication is enabled.

Implementing Pulsar authorization

  1. Implement the org.apache.pulsar.broker.authorization.AuthorizationProvider interface.
  2. Edit conf/broker.conf to enable authorization.
# Enforce authorization
authorizationEnabled=true
# Authorization provider fully qualified class-name
authorizationProvider=auth.server.VVPulsarAuthorizationProvider

# Allow wildcard matching in authorization
# (wildcard matching only applicable if wildcard-char:
# * presents at first or last position eg: *.pulsar.service, pulsar.service.*)
authorizationAllowWildcardsMatching=false

# Role names that are treated as "super-user", meaning they will be able to do all admin
# operations and publish/consume from all topics
superUserRoles=vv-role,cc-role
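The authorization step, as an added example that is not the post's own code: an AuthorizationProvider that derives permissions from the role string the authentication step returned, and defers to Pulsar's stock grant store for any role of another shape. It extends org.apache.pulsar.broker.authorization.PulsarAuthorizationProvider (the default provider) instead of implementing the whole interface, so only the three data-path checks are overridden. The class name follows the post's broker.conf; the role naming convention "<tenant>-producer" / "<tenant>-consumer" / "<tenant>-rw" is this example's assumption, and it is written against the Pulsar 2.x API.

```java
// Added example, not from the post: tenant-scoped role policy layered over the default provider.
// The "<tenant>-producer|consumer|rw" role scheme is assumed here, not part of Pulsar.
package auth.server;

import java.util.concurrent.CompletableFuture;
import java.util.function.Supplier;
import org.apache.pulsar.broker.authentication.AuthenticationDataSource;
import org.apache.pulsar.broker.authorization.PulsarAuthorizationProvider;
import org.apache.pulsar.common.naming.TopicName;

public class VVPulsarAuthorizationProvider extends PulsarAuthorizationProvider {

    enum Op { PRODUCE, CONSUME, LOOKUP }

    /**
     * Pure policy, kept free of broker state so it can be unit-tested: returns TRUE/FALSE when the role
     * encodes a tenant-scoped grant, or null when the role has another shape (e.g. the post's vv-role or
     * a broker-role) and the stock grant store should decide. superUserRoles is applied by
     * AuthorizationService before the provider is consulted, so super-user roles never reach this method.
     */
    static Boolean tenantPolicy(TopicName topic, String role, Op op) {
        if (role == null) return Boolean.FALSE;                 // no authenticated role: deny
        int dash = role.lastIndexOf('-');
        if (dash <= 0) return null;                             // not our naming scheme
        String tenant = role.substring(0, dash);
        String kind = role.substring(dash + 1);
        boolean known = kind.equals("producer") || kind.equals("consumer") || kind.equals("rw");
        if (!known) return null;
        if (!tenant.equals(topic.getTenant())) return Boolean.FALSE;   // cross-tenant: deny outright
        switch (op) {
            case PRODUCE: return kind.equals("producer") || kind.equals("rw");
            case CONSUME: return kind.equals("consumer") || kind.equals("rw");
            default:      return Boolean.TRUE;                  // LOOKUP: any same-tenant role
        }
    }

    private CompletableFuture<Boolean> decide(TopicName topic, String role, Op op,
                                              Supplier<CompletableFuture<Boolean>> fallback) {
        Boolean verdict = tenantPolicy(topic, role, op);
        return verdict != null ? CompletableFuture.completedFuture(verdict) : fallback.get();
    }

    @Override
    public CompletableFuture<Boolean> canProduceAsync(TopicName topicName, String role,
                                                      AuthenticationDataSource authenticationData) {
        return decide(topicName, role, Op.PRODUCE,
                () -> super.canProduceAsync(topicName, role, authenticationData));
    }

    @Override
    public CompletableFuture<Boolean> canConsumeAsync(TopicName topicName, String role,
                                                      AuthenticationDataSource authenticationData,
                                                      String subscription) {
        return decide(topicName, role, Op.CONSUME,
                () -> super.canConsumeAsync(topicName, role, authenticationData, subscription));
    }

    @Override
    public CompletableFuture<Boolean> canLookupAsync(TopicName topicName, String role,
                                                     AuthenticationDataSource authenticationData) {
        return decide(topicName, role, Op.LOOKUP,
                () -> super.canLookupAsync(topicName, role, authenticationData));
    }
}
```

With this provider, a client authenticated as acme-producer can produce to persistent://acme/ns/orders, cannot consume from it, and is refused anything under another tenant before the grant store is even asked; the post's vv-role and cc-role are super-users and bypass the provider entirely, and any other role falls through to the permissions granted with pulsar-admin exactly as with the default provider.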
Author: iMine
Link: https://imine141.github.io/2021/07/28/pulsar/pulsar%E8%AE%A4%E8%AF%81%E5%92%8C%E6%8E%88%E6%9D%83(0)/
Copyright Notice: All articles in this blog are licensed under CC BY-NC-SA 4.0 unless stating additionally.