Appendix D. Security, Authentication, and Authorization in Pulsar

In this book, all of the code snippets share two qualities:

  • There is no encryption.

  • There is no authentication or authorization.

While operating a real cluster requires sound authentication and authorization practices, enabling these features was not strictly necessary for the teaching purposes of this book. I thought it would be appropriate to include some details about security in Pulsar in an appendix, where I could introduce some new topics in an environment that was isolated from the rest of our learning. In this appendix you’ll learn about:

  • Encryption in transit

  • Encryption at rest

  • Authentication

  • Authorization

Encryption in Transit

Encryption in transit ensures that data traveling over the network is encrypted, so that anyone who intercepts it on the way cannot read it (see Figure D-1). Pulsar enables it by encrypting each message on the producer before it is sent over the wire, using a key reader that supplies the key material. In Pulsar you can do that with the following:

// Plain (non-TLS) client connection; message payloads are encrypted by the producer itself.
PulsarClient pulsarClient = PulsarClient.builder()
        .serviceUrl("pulsar://localhost:6650")
        .build();

// "myappkey" names the key the producer asks the key reader for; RawFileKeyReader is
// an application-supplied implementation of Pulsar's CryptoKeyReader interface, not a
// class shipped with the Pulsar client library.
Producer<byte[]> producer = pulsarClient.newProducer()
        .topic("persistent://my-tenant/my-ns/my-topic")
        .addEncryptionKey("myappkey")
        .cryptoKeyReader(new RawFileKeyReader("test_ecdsa_pubkey.pem",
                "test_ecdsa_privkey.pem"))
        .create();

The key reader supplies a public/private key pair; the producer encrypts with the public key, and a consumer holding the matching private key decrypts.
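The snippet above relies on a RawFileKeyReader class it never shows. The following is an added example (not code from the book or from the Pulsar project) of how such a reader implements Pulsar's CryptoKeyReader interface, together with the consumer side that decrypts with the private key. The key file paths, topic and subscription names are placeholders I chose for illustration.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.Map;

import org.apache.pulsar.client.api.Consumer;
import org.apache.pulsar.client.api.ConsumerCryptoFailureAction;
import org.apache.pulsar.client.api.CryptoKeyReader;
import org.apache.pulsar.client.api.EncryptionKeyInfo;
import org.apache.pulsar.client.api.PulsarClient;
import org.apache.pulsar.client.api.PulsarClientException;

// Loads PEM-encoded keys from disk. Producers only ever call getPublicKey();
// consumers only ever call getPrivateKey(), so a consumer host needs only the
// private key file and a producer host needs only the public one.
public class RawFileKeyReader implements CryptoKeyReader {
    private final String publicKeyFile;
    private final String privateKeyFile;

    public RawFileKeyReader(String publicKeyFile, String privateKeyFile) {
        this.publicKeyFile = publicKeyFile;
        this.privateKeyFile = privateKeyFile;
    }

    @Override
    public EncryptionKeyInfo getPublicKey(String keyName, Map<String, String> metadata) {
        return readKey(publicKeyFile); // keyName ("myappkey") could select among several files
    }

    @Override
    public EncryptionKeyInfo getPrivateKey(String keyName, Map<String, String> metadata) {
        return readKey(privateKeyFile);
    }

    private static EncryptionKeyInfo readKey(String path) {
        try {
            return new EncryptionKeyInfo(Files.readAllBytes(Paths.get(path)), null);
        } catch (IOException e) {
            throw new IllegalStateException("cannot read key file " + path, e);
        }
    }

    // Consumer side (assumed placeholders): FAIL is Pulsar's default crypto failure
    // action and keeps an undecryptable message from being delivered as garbage.
    public static void main(String[] args) throws PulsarClientException {
        PulsarClient client = PulsarClient.builder().serviceUrl("pulsar://localhost:6650").build();
        Consumer<byte[]> consumer = client.newConsumer()
                .topic("persistent://my-tenant/my-ns/my-topic")
                .subscriptionName("my-subscription")
                .cryptoKeyReader(new RawFileKeyReader("test_ecdsa_pubkey.pem", "test_ecdsa_privkey.pem"))
                .cryptoFailureAction(ConsumerCryptoFailureAction.FAIL)
                .subscribe();
        System.out.println(new String(consumer.receive().getData()));
        client.close();
    }
}
```

The private key file should be readable only by the consumer's service account; the broker never sees it, which is what keeps the payload opaque to anyone who captures it between producer and consumer.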

Figure D-1. Encryption in transit in the Pulsar topology uses public/private ...
