|
#
|
||
|
# Licensed to the Apache Software Foundation (ASF) under one
|
||
|
# or more contributor license agreements. See the NOTICE file
|
||
|
# distributed with this work for additional information
|
||
|
# regarding copyright ownership. The ASF licenses this file
|
||
|
# to you under the Apache License, Version 2.0 (the
|
||
|
# "License"); you may not use this file except in compliance
|
||
|
# with the License. You may obtain a copy of the License at
|
||
|
#
|
||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||
|
#
|
||
|
# Unless required by applicable law or agreed to in writing,
|
||
|
# software distributed under the License is distributed on an
|
||
|
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
|
||
|
# KIND, either express or implied. See the License for the
|
||
|
# specific language governing permissions and limitations
|
||
|
# under the License.
|
||
|
#
|
||
|
|
||
|
### --- Broker Discovery --- ###
|
||
|
|
||
|
# The ZooKeeper quorum connection string (as a comma-separated list)
|
||
|
zookeeperServers=
|
||
|
|
||
|
# Configuration store connection string (as a comma-separated list)
|
||
|
configurationStoreServers=
|
||
|
|
||
|
# If service discovery is disabled, this URL should point to the discovery service provider.
|
||
|
brokerServiceURL=
|
||
|
brokerServiceURLTLS=
|
||
|
|
||
|
# These settings are unnecessary if `zookeeperServers` is specified
|
||
|
brokerWebServiceURL=
|
||
|
brokerWebServiceURLTLS=
|
||
|
|
||
|
# If function workers are set up in a separate cluster, configure the following 2 settings
|
||
|
# to point to the function workers cluster
|
||
|
functionWorkerWebServiceURL=
|
||
|
functionWorkerWebServiceURLTLS=
|
||
|
|
||
|
# ZooKeeper session timeout (in milliseconds)
|
||
|
zookeeperSessionTimeoutMs=30000
|
||
|
|
||
|
### --- Server --- ###
|
||
|
|
||
|
# The port to use for server binary Protobuf requests
|
||
|
servicePort=6650
|
||
|
|
||
|
# The port to use to serve binary Protobuf TLS requests
|
||
|
servicePortTls=
|
||
|
|
||
|
# Port that the discovery service listens on
|
||
|
webServicePort=8080
|
||
|
|
||
|
# Port to use to serve HTTPS requests
|
||
|
webServicePortTls=
|
||
|
|
||
|
# Path for the file used to determine the rotation status for the proxy instance when responding
|
||
|
# to service discovery health checks
|
||
|
statusFilePath=
|
||
|
|
||
|
### --- Authorization --- ###
|
||
|
|
||
|
# Role names that are treated as "super-users," meaning that they will be able to perform all admin
|
||
|
# operations and publish/consume to/from all topics (as a comma-separated list)
|
||
|
superUserRoles=
|
||
|
|
||
|
# Whether authorization is enforced by the Pulsar proxy
|
||
|
authorizationEnabled=false
|
||
|
|
||
|
# Authorization provider as a fully qualified class name
|
||
|
authorizationProvider=org.apache.pulsar.broker.authorization.PulsarAuthorizationProvider
|
||
|
|
||
|
# Whether client authorization credentials are forwarded to the broker for re-authorization.
|
||
|
# Authentication must be enabled via authenticationEnabled=true for this to take effect.
|
||
|
forwardAuthorizationCredentials=false
|
||
|
|
||
|
### --- Authentication --- ###
|
||
|
|
||
|
# Whether authentication is enabled for the Pulsar proxy
|
||
|
authenticationEnabled=false
|
||
|
|
||
|
# Authentication provider name list (a comma-separated list of class names)
|
||
|
authenticationProviders=
|
||
|
|
||
|
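# When this parameter is not empty, unauthenticated users are assigned the role named by anonymousUserRole.
# Leave it empty unless anonymous access is intended, and do not set it to a role listed in superUserRoles.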
|
||
|
anonymousUserRole=
|
||
|
|
||
|
### --- Client Authentication --- ###
|
||
|
|
||
|
# The three brokerClient* authentication settings below are for the proxy itself and determine how it
|
||
|
# authenticates with Pulsar brokers
|
||
|
|
||
|
# The authentication plugin used by the Pulsar proxy to authenticate with Pulsar brokers
|
||
|
brokerClientAuthenticationPlugin=
|
||
|
|
||
|
# The authentication parameters used by the Pulsar proxy to authenticate with Pulsar brokers
|
||
|
brokerClientAuthenticationParameters=
|
||
|
|
||
|
# The path to trusted certificates used by the Pulsar proxy to authenticate with Pulsar brokers
|
||
|
brokerClientTrustCertsFilePath=
|
||
|
|
||
|
# Whether TLS is enabled when communicating with Pulsar brokers
|
||
|
tlsEnabledWithBroker=false
|
||
|
|
||
|
# TLS cert refresh check interval in seconds (set 0 to check on every new connection)
|
||
|
tlsCertRefreshCheckDurationSec=300
|
||
|
|
||
|
##### --- Rate Limiting --- #####
|
||
|
|
||
|
# Max concurrent inbound connections. The proxy will reject requests beyond that.
|
||
|
maxConcurrentInboundConnections=10000
|
||
|
|
||
|
# Max concurrent lookup requests. The proxy will error out requests beyond that.
|
||
|
maxConcurrentLookupRequests=50000
|
||
|
|
||
|
##### --- TLS --- #####
|
||
|
|
||
|
# Deprecated - use servicePortTls and webServicePortTls instead
|
||
|
tlsEnabledInProxy=false
|
||
|
|
||
|
# Path for the TLS certificate file
|
||
|
tlsCertificateFilePath=
|
||
|
|
||
|
# Path for the TLS private key file
|
||
|
tlsKeyFilePath=
|
||
|
|
||
|
# Path for the trusted TLS certificate file.
|
||
|
# This cert is used to verify that any certs presented by connecting clients
|
||
|
# are signed by a certificate authority. If this verification
|
||
|
# fails, then the certs are untrusted and the connections are dropped.
|
||
|
tlsTrustCertsFilePath=
|
||
|
|
||
|
# Accept untrusted TLS certificate from client.
|
||
|
# If true, a client with a cert which cannot be verified with the
|
||
|
# 'tlsTrustCertsFilePath' cert will be allowed to connect to the server,
|
||
|
# though the cert will not be used for client authentication.
|
||
|
tlsAllowInsecureConnection=false
|
||
|
|
||
|
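# Whether the hostname is validated when the proxy creates a TLS connection with brokers.
# With the default (false), the broker's certificate is not checked against the hostname the proxy
# connected to; set this to true when tlsEnabledWithBroker=true.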
|
||
|
tlsHostnameVerificationEnabled=false
|
||
|
|
||
|
# Specify the TLS protocols the broker will use to negotiate during TLS handshake
|
||
|
# (a comma-separated list of protocol names).
|
||
|
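# Examples:- [TLSv1.2, TLSv1.1, TLSv1]
# Note: TLSv1 and TLSv1.1 are deprecated (RFC 8996); list only TLSv1.2 or newer unless legacy clients require otherwise.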
|
||
|
tlsProtocols=
|
||
|
|
||
|
# Specify the TLS ciphers the broker will use to negotiate during TLS handshake
|
||
|
# (a comma-separated list of ciphers).
|
||
|
# Examples:- [TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
|
||
|
tlsCiphers=
|
||
|
|
||
|
# Whether client certificates are required for TLS. Connections are rejected if the client
|
||
|
# certificate isn't trusted.
|
||
|
tlsRequireTrustedClientCertOnConnect=false
|
||
|
|
||
|
##### --- HTTP --- #####
|
||
|
|
||
|
# HTTP redirects to non-Pulsar services (reverse proxy configuration).
|
||
|
httpReverseProxyConfigs=
|
||
|
|
||
|
# Http output buffer size. The amount of data that will be buffered for http requests
|
||
|
# before it is flushed to the channel. A larger buffer size may result in higher http throughput
|
||
|
# though it may take longer for the client to see data.
|
||
|
# If using HTTP streaming via the reverse proxy, this should be set to the minimum value, 1,
|
||
|
# so that clients see the data as soon as possible.
|
||
|
httpOutputBufferSize=32768
|
||
|
|
||
|
# Number of threads to use for HTTP requests processing. Default is
|
||
|
# 2 * Runtime.getRuntime().availableProcessors()
|
||
|
httpNumThreads=
|
||
|
|
||
|
### --- Token Authentication Provider --- ###
|
||
|
|
||
|
## Symmetric key
|
||
|
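# Configure the secret key to be used to validate auth tokens.
# Prefer the file:// form with a key file readable only by the proxy user; the data: form stores the secret in this config file.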
|
||
|
# The key can be specified like:
|
||
|
# tokenSecretKey=data:base64,xxxxxxxxx
|
||
|
# tokenSecretKey=file:///my/secret.key
|
||
|
tokenSecretKey=
|
||
|
|
||
|
## Asymmetric public/private key pair
|
||
|
# Configure the public key to be used to validate auth tokens
|
||
|
# The key can be specified like:
|
||
|
# tokenPublicKey=data:base64,xxxxxxxxx
|
||
|
# tokenPublicKey=file:///my/public.key
|
||
|
tokenPublicKey=
|
||
|
|
||
|
# The token "claim" that will be interpreted as the authentication "role" or "principal" by AuthenticationProviderToken (defaults to "sub" if blank)
|
||
|
tokenAuthClaim=
|
||
|
|
||
|
### --- Deprecated config variables --- ###
|
||
|
|
||
|
# Deprecated. Use configurationStoreServers
|
||
|
globalZookeeperServers=
|