Authentication using HTTP basic
Basic authentication is a simple authentication scheme built into the HTTP protocol, which uses base64-encoded username and password pairs as credentials.
Prerequisites
Install htpasswd
in your environment to create a password file for storing username-password pairs.
For Ubuntu/Debian, run the following command to install
htpasswd
.apt install apache2-utils
For CentOS/RHEL, run the following command to install
htpasswd
.yum install httpd-tools
Create your authentication file
Currently, you can use MD5 (recommended) and CRYPT encryption to authenticate your password.
To create a password file named .htpasswd
with a user account superuser/admin
, you can use the following methods.
Use MD5 encryption (recommended):
htpasswd -cmb /path/to/.htpasswd superuser admin
Use CRYPT encryption:
htpasswd -cdb /path/to/.htpasswd superuser admin
You can preview the content of your password file by running the following command:
cat path/to/.htpasswd
superuser:$apr1$GBIYZYFZ$MzLcPrvoUky16mLcK6UtX/
Enable basic authentication on brokers/proxies
To configure brokers/proxies to authenticate clients using basic, add the following parameters to the conf/broker.conf
and the conf/proxy.conf
file. If you use a standalone Pulsar, you need to add these parameters to the conf/standalone.conf
file:
# Configuration to enable Basic authentication
authenticationEnabled=true
authenticationProviders=org.apache.pulsar.broker.authentication.AuthenticationProviderBasic
basicAuthConf=file:///path/to/.htpasswd
# basicAuthConf=/path/to/.htpasswd
# When use the base64 format, you need to encode the .htpaswd content to bas64
# basicAuthConf=data:;base64,YOUR-BASE64
# basicAuthConf=YOUR-BASE64
# Authentication settings of the broker itself. Used when the broker connects to other brokers, or when the proxy connects to brokers, either in same or other clusters
brokerClientAuthenticationPlugin=org.apache.pulsar.client.impl.auth.AuthenticationBasic
brokerClientAuthenticationParameters={"userId":"superuser","password":"admin"}
You can also set an environment variable named PULSAR_EXTRA_OPTS
and the value is -Dpulsar.auth.basic.conf=/path/to/.htpasswd
. Pulsar reads this environment variable to implement HTTP basic authentication.
Configure basic authentication in CLI tools
Command-line tools, such as Pulsar-admin, Pulsar-perf and Pulsar-client, use the conf/client.conf
file in your Pulsar installation. To configure basic authentication in Pulsar CLI tools, you need to add the following parameters to the conf/client.conf
file.
authPlugin=org.apache.pulsar.client.impl.auth.AuthenticationBasic
authParams={"userId":"superuser","password":"admin"}
Configure basic authentication in Pulsar clients
To configure basic authentication when using Pulsar clients, you can follow the example below.
- Java
- Python
- C++
- Go
AuthenticationBasic auth = new AuthenticationBasic();
auth.configure("{\"userId\":\"superuser\",\"password\":\"admin\"}");
PulsarClient client = PulsarClient.builder()
.serviceUrl("pulsar://broker.example.com:6650")
.authentication(auth)
.build();
#include <pulsar/Client.h>
int main() {
pulsar::ClientConfiguration config;
AuthenticationPtr auth = pulsar::AuthBasic::create("admin", "123456")
config.setAuth(auth);
pulsar::Client client("pulsar://broker.example.com:6650/", config);
return 0;
}
if __name__ == "__main__":
client = Client("pulsar://broker.example.com:6650", authentication=AuthenticationBasic("admin", "123456"))
provider, err := pulsar.NewAuthenticationBasic("admin", "123456")
if err != nil {
log.Fatal(err)
}
client, err := pulsar.NewClient(pulsar.ClientOptions{
URL: "pulsar://broker.example.com:6650",
Authentication: provider,
})