Install Pulsar Admin Console on Server/VM

Pulsar Admin Console is a web-based UI that administrates topics, namespaces, sources, sinks and various aspects of Apache Pulsar™ features.

The Admin Console is a VueJS application that runs in a browser. It also includes a web server that serves up the files for the Admin Console as well as providing configuration and authentication services.

This document covers:

Install Pulsar Admin Console

  1. Ensure Node version 14.18 or higher is installed. You can find the most recent Node release here, or use wget:

    wget https://nodejs.org/dist/v14.18.3/node-v14.18.3-linux-x64.tar.xz /
    tar -xf node-v14.18.3-linux-x64.tar.xz
  2. Download and install the Pulsar Admin console tarball to the VM. You can find the most recent Pulsar Admin Console release here.

    1. The tarball is also available with wget:

      wget https://github.com/datastax/pulsar-admin-console/releases/download/2.0.4/pulsar-admin-console-2.0.0.tar.gz
  3. Extract the tarball:

    tar xfvz pulsar-admin-console-2.0.4.tar.gz
  4. This will create a /pulsar-admin-console-<version> directory that contains all necessary dependencies for the Admin Console (except node).

  5. Change directory to the server subdirectory and run npm start to start the Admin Console. This will start the server listening at localhost:6454.

    cd pulsar-admin-console-2.0.4/server
    npm start
  6. Open the Admin Console at http://localhost:6454.

Port 6454 is specified in pulsar-admin-console/config/default.json. To change the default Admin Console configuration, see Configuration below.

Configuration

The default.json configuration file contains a set of general configs for the Admin Console, plus a server-specific set under server_config. The Admin Console server proxies all requests from the Admin Console to the Pulsar broker (or Pulsar proxy).

You can modify the configuration for the Admin Console in pulsar-admin-console/config/default.json, or place additional configuration files (for example, local.json) in the /config subdirectory to override parameters.

You need to configure pulsar_url to point to one of your brokers or a proxy/loadbalancer in front of the brokers (can be Pulsar proxy). The Admin Console server must be able to directly reach each broker by the IP/hostname that is returned by the Pulsar CLI command pulsar-admin brokers list <clustername>.

The cluster name can be retrieved with the CLI command pulsar-admin clusters list.

In a geo-replication configuration, use the cluster name for the local cluster. Set this cluster name in the cluster_name setting of the configuration file.

Configuration reference

These values can be modified in the JSON configuration file.

Setting Default Description

api_version

2.8.3

Version of the Pulsar client API to recommend under Samples.

auth_mode

none

Authentication mode. One of none, user, k8s, or openidconnect. See Auth modes for details.

ca_certificate

String of CA certificate to display in the console under Credentials.

clients_disabled

false

Disable test clients. Test clients depend on WebSocket proxy, so if this is not running in Pulsar cluster you may want to disable them.

cluster_name

standalone

Name of Pulsar cluster connecting to. The cluster name can be retrieved with the CLI command pulsar-admin clusters list.

functions_disabled

false

If functions are not enabled in the cluster, disable the function sections (Functions, Sinks, Sources).

grafana_url

If render_monitoring_tab is enabled, URL for Grafana.

host_overrides.http

http://localhost:8964

URL to display in console to connect to Pulsar Beam HTTP proxy.

host_overrides.pulsar

http://localhost:6650

URL to display in console to connect to Pulsar.

host_overrides.ws

//localhost:8080

URL to display in console to connect to WebSocket proxy.

notice_text

Custom notice to appear at top of console.

oauth_client_id

This is the client ID that the console will use when authenticating with authentication provider.

polling_interval

10000

How often the console polls Pulsar for updated values. In milliseconds.

render_monitoring_tab

false

Enable tab that includes links to Grafana dashboards.

server_config.admin_token

When using user or k8s auth mode, a Pulsar token is used to connect to the Pulsar cluster. This specifies the token as a string. For full access, a superuser token is recommended. The token_path setting will override this value if present.

server_config.log_level

info

Log level for the console server.

server_config.port

6454

The listen port for the console server.

server_config.pulsar_url

http://localhost:8080

URL for connecting to the Pulsar cluster. Should point to either a broker or Pulsar proxy. The console server must be able to reach this URL.

server_config.ssl.ca_path

Path to the CA certificate. To enable HTTPS, ca_path, cert_path, and key_path must all be set.

server_config.ssl.cert_path

Path to the server certificate. To enable HTTPS, ca_path, cert_path, and key_path must all be set.

server_config.ssl.hostname_validation

Verify hostname matches the TLS certificate.

server_config.ssl.key_path

Path to the TLS key. To enable HTTPS, ca_path, cert_path, and key_path must all be set.

server_config.ssl.verify_certs

false

Verify TLS certificate is trusted.

server_config.kubernetes.k8s_namespace

pulsar

When using k8s auth_mode, Kubernetes namespace that contains the username/password secrets.

server_config.kubernetes.service_host

When using k8s auth_mode, specify a custom Kubernetes host name.

server_config.kubernetes.service_port

When using k8s auth_mode, specify a custom Kubernetes port.

server_config.token_path

When using user or k8s auth mode, a Pulsar token is used to connect to the Pulsar cluster. This specifies the path to a file that contains the token to use. For full access, a superuser token is recommended. Alternatively, use admin_token.

server_config.token_secret

Secret used when signing access token for logging into the console. If not specified, a default secret is used.

server_config.user_auth.username

When using user auth_mode, the login user name.

server_config.user_auth.password

When using user auth_mode, the login password.

server_config.websocket_url

https://websocket.example.com:8500

URL for WebSocket proxy. Used by Test Clients to connect to Pulsar. The console server must be able to reach this URL.

tenant

public

The default Pulsar tenant to view when starting the console.

Auth modes

The auth_mode setting has four available configurations.

"auth_mode": "none"

No login screen is presented. Authentication must be disabled in Pulsar because the Admin Console will not attempt to authenticate.

"auth_mode": "user"

The Admin Console is protected by a login screen. Credentials are configured using the username and password settings in the /config/default.json file.
Once authenticated with these credentials, the token for connecting to Pulsar is retrieved from the server (configured using token_path or admin_token) and used to authenticate with the Pulsar cluster.

"auth_mode": "k8"

The Admin Console is protected by a login screen. The credentials are retrieved from a Kubernetes secret.

The Admin Console server must have access to a Kubernetes API, either using a kubeconfig file in the environment, or by having local access (for example, by running as a pod in a Kubernetes cluster).

The namespace for the secret is set using k8s_namespace in the /config/default.json file.
The secret name must have a prefix of dashboard-user- followed by the username.
For example, the admin user would have a secret name of dashboard-user-admin.
The password must be stored in the secret with a key of password and a value of the password itself.

Multiple secrets with the prefix can be configured to set up multiple users for the Admin Console. A password can be reset by patching the corresponding Kubernetes secret.

Once the user is authenticated using one of the Kubernetes secrets, the token for connecting to Pulsar is retrieved from the server (configured using token_path or admin_token) and used to authenticate with the Pulsar cluster.

"auth_mode": "openidconnect"

In this auth mode, the dashboard will use your login credentials to retrieve a JWT from an authentication provider.

In the DataStax Pulsar Helm Chart, this is implemented by integrating the Pulsar Admin Console with Keycloak. Upon successful retrieval of the JWT, the Admin Console will use the retrieved JWT as the bearer token when making calls to Pulsar.

In addition to configuring the auth_mode, you must also configure the oauth_client_id (see Configuration Reference). This is the client id that the Console will use when authenticating with Keycloak. Note that in Keycloak, it is important that this client exists and that it has the sub claim properly mapped to your desired Pulsar subject. Otherwise, the JWT won’t work as desired.

Connecting to an OpenID Connect Auth/Identity Provider

When opening the Admin Console, the first page is the login page. When using the openidconnect auth mode, the auth call needs to go to the Provider’s server.
In the current design, nginx must be configured to route the call to the provider. The DataStax Pulsar Helm Chart does this automatically.

Next

To install the Admin Console in a cloud environment, see the Admin Console Tutorial.