JWT authentication

To enable JWT Authentication, set authentication to true:

global:
    auth:
        enabled: true

Since the only supported authentication mechanism by the operator is JWT, it’s not required to specify JWT related options. If you want to use a different authentication mechanism, disable authentication and manually configure the authentication options in the config section.

When setting up authentication, the operator will automatically generate the secret containing a private and public key. If you wish to use your own key pairs, disable the secret generation by setting initialize to false:

global:
    auth:
        enabled: true
        token:
            initialize: false

The operator expects secrets with the same name to be already present in the namespace.

Secrets must be named token-private-key and token-public-key.

 
apiVersion: v1
kind: Secret
metadata:
  name: token-private-key
type: Opaque
data:
  my-private.key: <base64 encoded private key>
apiVersion: v1
kind: Secret
metadata:
  name: token-public-key
type: Opaque
data:
  my-public.key: <base64 encoded private key>

Symmetric secret keys are not supported.

The operator also generates tokens for super user roles. By default, the super users are superuser, admin, websocket and proxy. If you wish to use another set of super users, specify them in the superUserRoles option, along with the proxyRoles:

global:
    auth:
        enabled: true
        token:
            superUserRoles:
                - superuser
                - admin
                - websocket
                - proxy
                - my-custom-user
                - my-custom-proxy-user
            proxyRoles:
                - proxy
                - my-custom-proxy-user

To generate a token for a given subject, login to the bastion pod (the bastion pod already mounts the super user token):

PULSAR_TOKEN=$(kubectl exec deployment/pulsar-bastion -- bin/pulsar tokens create --private-key token-private-key/my-private.key --subject myuser)
echo $PULSAR_TOKEN
kubectl exec deployment/pulsar-bastion -- bin/pulsar-shell -e 'admin namespaces grant-permission --role myuser --actions produce,consume public/default'
kubectl exec deployment/pulsar-bastion -- bin/pulsar-shell -e "client --auth-params \"token:$PULSAR_TOKEN\" produce -m hello public/default/topic"

Was this helpful?

Edit this page

Give Feedback

How can we improve the documentation?

© Copyright IBM Corporation 2025 | Privacy policy | Terms of use Manage Privacy Choices

Apache, Apache Cassandra, Cassandra, Apache Tomcat, Tomcat, Apache Lucene, Apache Solr, Apache Hadoop, Hadoop, Apache Pulsar, Pulsar, Apache Spark, Spark, Apache TinkerPop, TinkerPop, Apache Kafka and Kafka are either registered trademarks or trademarks of the Apache Software Foundation or its subsidiaries in Canada, the United States and/or other countries. Kubernetes is the registered trademark of the Linux Foundation.

General Inquiries: Contact IBM