Security

Apache Pulsar's security model spans broker authentication, BookKeeper authentication, ZooKeeper hardening, and per-namespace authorization with role-based and tenant-isolated access.

Authentication

Mechanism                      Use case
TLS client certificate (x509)  Certificate-based auth; the CN/SAN maps to a Pulsar role.
JWT tokens                     Stateless tokens signed by a configured key; symmetric (HS256) and asymmetric (RS256) are supported.
OAuth 2.0 / OIDC               Token exchange via an IdP: Keycloak, Auth0, Okta, AWS Cognito.
Athenz                         Yahoo's identity service; predates OAuth in Pulsar's history.
SASL / Kerberos                For environments standardizing on Kerberos.
HTTP basic                     Development only.

Configure JWT authentication

# broker.conf
authenticationEnabled=true
authenticationProviders=org.apache.pulsar.broker.authentication.AuthenticationProviderToken
# Symmetric (HS256) secret; for asymmetric (RS256) tokens set tokenPublicKey instead.
tokenSecretKey=file:///etc/pulsar/jwt/secret.key
# Credentials the broker itself presents when it talks to other brokers.
brokerClientAuthenticationPlugin=org.apache.pulsar.client.impl.auth.AuthenticationToken
brokerClientAuthenticationParameters=file:///etc/pulsar/jwt/broker.token
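As an added illustration (not Pulsar's own code), the stdlib-only Python below mints an HS256 token of the kind the tokenSecretKey configuration verifies and re-implements the checks a broker performs before mapping the token's sub claim to a role. It assumes the broker is configured to require an audience (tokenAudienceClaim/tokenAudience); the secret, roles and clock values are constructed.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed example secret; a broker reads the real one from tokenSecretKey.
SECRET = b"example-secret-not-for-production"


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(role, audience, ttl_seconds, now=None):
    """HS256 JWT; 'sub' carries the Pulsar role (the default tokenAuthClaim)."""
    now = int(time.time()) if now is None else now
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"sub": role, "aud": audience, "iat": now, "exp": now + ttl_seconds}
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def role_from_token(token, expected_audience, now=None):
    """Checks a broker makes before mapping a token to a role: signature, alg,
    expiry, audience. Returns the role, or None if the token must be rejected."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header, body, sig = parts
    expected = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url_decode(sig), expected):
        return None  # forged or tampered
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        return None  # never trust the header's alg choice
    claims = json.loads(_b64url_decode(body))
    if claims.get("exp", 0) <= now:
        return None  # stale token; a short TTL bounds the replay window
    if claims.get("aud") != expected_audience:
        return None  # audience pinning: token minted for another cluster
    return claims.get("sub")
```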

Configure TLS (broker)

# broker.conf
tlsEnabled=true
tlsCertificateFilePath=/etc/pulsar/certs/server.crt
tlsKeyFilePath=/etc/pulsar/certs/server.key
tlsTrustCertsFilePath=/etc/pulsar/certs/ca.crt
# Reject clients that do not present a certificate signed by ca.crt (mTLS).
tlsRequireTrustedClientCertOnConnect=true

Authorization

Pulsar authorizes by role. The role is derived from the authenticated principal; the broker's AuthorizationService consults the configured AuthorizationProvider to allow or deny each operation.

Per-namespace permissions

pulsar-admin namespaces grant-permission my-tenant/ns-prod \
  --role orders-svc \
  --actions produce,consume

pulsar-admin namespaces revoke-permission my-tenant/ns-prod \
  --role orders-svc

Per-topic permissions

pulsar-admin topics grant-permission persistent://my-tenant/ns-prod/orders \
  --role downstream-svc \
  --actions consume

Tenant administrators

# broker.conf
superUserRoles=admin,break-glass

A tenant-admin role can create namespaces and grant permissions inside its own tenant.

Subscription-auth modes

The subscriptionAuthMode namespace policy takes one of two values:

  • None: any role may create or use any subscription.
  • Prefix: the subscription name must start with the role name.

Prefix mode is useful on shared topics where multiple consumers must keep their cursors isolated from one another.
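The following is an added, simplified model (not Pulsar's AuthorizationProvider) of how the grants above, superUserRoles, tenant admins and subscriptionAuthMode combine into a decision; the roles, tenant and topic names reuse the examples on this page and the state is constructed.

```python
from dataclasses import dataclass


@dataclass
class AuthzState:
    super_user_roles: set          # broker.conf superUserRoles
    tenant_admins: dict            # tenant -> {admin roles}
    namespace_perms: dict          # "tenant/ns" -> {role: {actions}}
    topic_perms: dict              # full topic name -> {role: {actions}}
    subscription_auth_mode: dict   # "tenant/ns" -> "None" | "Prefix"


def parse_topic(topic):
    """persistent://my-tenant/ns-prod/orders -> ('my-tenant', 'my-tenant/ns-prod')"""
    tenant, ns, _name = topic.split("://", 1)[1].split("/", 2)
    return tenant, f"{tenant}/{ns}"


def can_administer(state, role, namespace):
    """Admin operations (create namespace, grant permission) inside a tenant."""
    tenant = namespace.split("/", 1)[0]
    return role in state.super_user_roles or role in state.tenant_admins.get(tenant, set())


def can_act(state, role, topic, action, subscription=None):
    """produce/consume decision from namespace and topic grants plus subscriptionAuthMode."""
    if role in state.super_user_roles:
        return True
    _tenant, ns = parse_topic(topic)
    granted = set(state.namespace_perms.get(ns, {}).get(role, ()))
    granted |= set(state.topic_perms.get(topic, {}).get(role, ()))
    if action not in granted:
        return False
    if action == "consume" and state.subscription_auth_mode.get(ns, "None") == "Prefix":
        # Prefix mode: the subscription name must start with the consuming role,
        # so a consumer cannot attach to a cursor that belongs to another role.
        return subscription is not None and subscription.startswith(role)
    return True


def example_state():
    """The grants from the pulsar-admin commands above, as constructed data."""
    ns = "my-tenant/ns-prod"
    return AuthzState(
        super_user_roles={"admin", "break-glass"},
        tenant_admins={"my-tenant": {"tenant-ops"}},
        namespace_perms={ns: {"orders-svc": {"produce", "consume"}}},
        topic_perms={f"persistent://{ns}/orders": {"downstream-svc": {"consume"}}},
        subscription_auth_mode={ns: "Prefix"},
    )
```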

Encryption

In transit

  • TLS 1.2 / 1.3 on all listeners: client–broker (6651), broker–broker, broker–bookie, broker–ZK.
  • mTLS supported on every listener.
  • Cipher suites configurable (tlsCiphers, tlsProtocols).

End-to-end (E2E)

Pulsar supports per-message E2E encryption:

  • Producer encrypts message payload with a symmetric key.
  • Symmetric key is wrapped with the consumer's public RSA/ECDSA key and embedded in the message metadata.
  • Brokers and bookies see only the ciphertext.
  • Multiple consumers can each have their own key wrapper.

// Encryption keys are configured on the ProducerBuilder, not on the message builder.
// client is a PulsarClient; RawFileKeyReader is an application-supplied CryptoKeyReader
// that loads the PEM files, as in the Pulsar documentation example.
Producer<byte[]> producer = client.newProducer()
    .topic("persistent://my-tenant/ns-prod/orders")
    .addEncryptionKey("my-app-key")
    .cryptoKeyReader(new RawFileKeyReader("public-key.pem", "private-key.pem"))
    .create();
producer.newMessage().value(payload).send();

This protects against a compromised broker reading data.

At rest

Bookie ledger files are not encrypted by Pulsar itself. Use OS-level dm-crypt or cloud-managed disk encryption. For tiered storage, configure SSE-S3 or SSE-KMS on the offload bucket.

# offload to S3 with KMS
managedLedgerOffloadDriver=aws-s3
s3ManagedLedgerOffloadBucket=pulsar-cold
s3ManagedLedgerOffloadRegion=us-east-1
s3ManagedLedgerOffloadServerSideEncryption=SSE-KMS
s3ManagedLedgerOffloadServerSideEncryptionKMSKeyId=alias/pulsar-cold-cmk

Audit Logging

  • Broker logs record auth attempts and authorization denials.
  • Pulsar 4.x adds an optional structured audit log topic that records admin operations as JSON.
  • Forward it to your SIEM via a Pulsar IO sink or a Functions-based exporter.

Threat Model

Threat                               Mitigation
Broker compromise reading data       End-to-end encryption for sensitive payloads.
Bookie ledger leakage                At-rest disk encryption; restrict bookie host access.
Geo-replication credential theft     Per-cluster JWT issuer; rotate credentials; mTLS for cross-cluster connections.
Function code injection              Validate Function jars; require signed jars; isolate the Function Worker network.
ZK metadata tampering                ZK ACLs (digest/sasl); ZK on a private network only.
Cross-tenant subscription poisoning  subscriptionAuthMode=Prefix; tenant-scoped roles.
Schema poisoning                     is_allow_auto_update_schema=false; require an admin to register schemas.
Stale-token replay                   Short JWT TTLs; revocation list; refresh-token rotation.
Broker-bookie spoofing               mTLS between brokers and bookies; bookie auth via BookKeeper SASL.
MITM on ZK                           ZK SASL + TLS (3.6+); ZK on a private network.
Tiered-storage bucket misconfig      Bucket policies that block public access; CloudTrail + GuardDuty (or equivalents).
DoS via unbounded subscription       Per-namespace dispatch quota + backlog quota.

CVE History (selected)

CVE             Year  Affected                        Summary
CVE-2024-23114  2024  Apache Pulsar Functions Worker  Improper input validation could allow unauthorized access to Function metadata. Fixed in 3.0.4 / 3.1.3 / 3.2.1.
CVE-2023-37579  2023  Pulsar Functions Worker         Authorization bypass on the Function admin API.
CVE-2023-31994  2023  Pulsar Proxy                    Auth bypass via a crafted request when the proxy is in OAuth2 mode.
CVE-2023-31993  2023  Pulsar broker                   Auth header parsing issue.
CVE-2023-30474  2023  Pulsar                          TLS hostname validation could be bypassed in the client.

Subscribe to the Apache Security Advisories feed and the project's security mailing list.

Hardening Checklist

  • TLS 1.3 on every listener; mTLS for broker-broker and broker-bookie.
  • JWT or OAuth 2.0 with short token TTLs and audience pinning.
  • Tenant-scoped roles; superUserRoles minimal.
  • subscriptionAuthMode=Prefix in any shared-tenant topic.
  • Schema auto-update disabled in prod; admin-only schema registration.
  • Tiered-storage bucket: SSE-KMS with CMK; bucket-policy blocks public access.
  • ZK ACLs and TLS configured; no anonymous access.
  • BookKeeper bookie auth (SASL or TLS-cert); bookies on private network.
  • End-to-end encryption for sensitive payloads.
  • Pulsar Functions jars reviewed/signed; Worker isolated from production network.
  • Audit log topic shipped to SIEM.
  • Subscribed to Apache Pulsar Security Advisories.

Cross-references