# # Licensed to the Apache Software Foundation (ASF) under one # or more contributor license agreements. See the NOTICE file # distributed with this work for additional information # regarding copyright ownership. The ASF licenses this file # to you under the Apache License, Version 2.0 (the # "License"); you may not use this file except in compliance # with the License. You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, # software distributed under the License is distributed on an # "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY # KIND, either express or implied. See the License for the # specific language governing permissions and limitations # under the License. # ### --- Broker Discovery --- ### # The ZooKeeper quorum connection string (as a comma-separated list) zookeeperServers= # Configuration store connection string (as a comma-separated list) configurationStoreServers= # if Service Discovery is Disabled this url should point to the discovery service provider. brokerServiceURL= brokerServiceURLTLS= # These settings are unnecessary if `zookeeperServers` is specified brokerWebServiceURL= brokerWebServiceURLTLS= # If function workers are setup in a separate cluster, configure the following 2 settings # to point to the function workers cluster functionWorkerWebServiceURL= functionWorkerWebServiceURLTLS= # ZooKeeper session timeout (in milliseconds) zookeeperSessionTimeoutMs=30000 ### --- Server --- ### # The port to use for server binary Protobuf requests servicePort=6650 # The port to use to server binary Protobuf TLS requests servicePortTls= # Port that discovery service listen on webServicePort=8080 # Port to use to server HTTPS request webServicePortTls= # Path for the file used to determine the rotation status for the proxy instance when responding # to service discovery health checks statusFilePath= ### ---Authorization --- ### # Role names that are treated as "super-users," meaning that they will be able to perform all admin # operations and publish/consume to/from all topics (as a comma-separated list) superUserRoles= # Whether authorization is enforced by the Pulsar proxy authorizationEnabled=false # Authorization provider as a fully qualified class name authorizationProvider=org.apache.pulsar.broker.authorization.PulsarAuthorizationProvider # Whether client authorization credentials are forwared to the broker for re-authorization. # Authentication must be enabled via authenticationEnabled=true for this to take effect. forwardAuthorizationCredentials=false ### --- Authentication --- ### # Whether authentication is enabled for the Pulsar proxy authenticationEnabled=false # Authentication provider name list (a comma-separated list of class names) authenticationProviders= # When this parameter is not empty, unauthenticated users perform as anonymousUserRole anonymousUserRole= ### --- Client Authentication --- ### # The three brokerClient* authentication settings below are for the proxy itself and determine how it # authenticates with Pulsar brokers # The authentication plugin used by the Pulsar proxy to authenticate with Pulsar brokers brokerClientAuthenticationPlugin= # The authentication parameters used by the Pulsar proxy to authenticate with Pulsar brokers brokerClientAuthenticationParameters= # The path to trusted certificates used by the Pulsar proxy to authenticate with Pulsar brokers brokerClientTrustCertsFilePath= # Whether TLS is enabled when communicating with Pulsar brokers tlsEnabledWithBroker=false # Tls cert refresh duration in seconds (set 0 to check on every new connection) tlsCertRefreshCheckDurationSec=300 ##### --- Rate Limiting --- ##### # Max concurrent inbound connections. The proxy will reject requests beyond that. maxConcurrentInboundConnections=10000 # Max concurrent outbound connections. The proxy will error out requests beyond that. maxConcurrentLookupRequests=50000 ##### --- TLS --- ##### # Deprecated - use servicePortTls and webServicePortTls instead tlsEnabledInProxy=false # Path for the TLS certificate file tlsCertificateFilePath= # Path for the TLS private key file tlsKeyFilePath= # Path for the trusted TLS certificate file. # This cert is used to verify that any certs presented by connecting clients # are signed by a certificate authority. If this verification # fails, then the certs are untrusted and the connections are dropped. tlsTrustCertsFilePath= # Accept untrusted TLS certificate from client. # If true, a client with a cert which cannot be verified with the # 'tlsTrustCertsFilePath' cert will allowed to connect to the server, # though the cert will not be used for client authentication. tlsAllowInsecureConnection=false # Whether the hostname is validated when the proxy creates a TLS connection with brokers tlsHostnameVerificationEnabled=false # Specify the tls protocols the broker will use to negotiate during TLS handshake # (a comma-separated list of protocol names). # Examples:- [TLSv1.2, TLSv1.1, TLSv1] tlsProtocols= # Specify the tls cipher the broker will use to negotiate during TLS Handshake # (a comma-separated list of ciphers). # Examples:- [TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] tlsCiphers= # Whether client certificates are required for TLS. Connections are rejected if the client # certificate isn't trusted. tlsRequireTrustedClientCertOnConnect=false ##### --- HTTP --- ##### # Http directs to redirect to non-pulsar services. httpReverseProxyConfigs= # Http output buffer size. The amount of data that will be buffered for http requests # before it is flushed to the channel. A larger buffer size may result in higher http throughput # though it may take longer for the client to see data. # If using HTTP streaming via the reverse proxy, this should be set to the minimum value, 1, # so that clients see the data as soon as possible. httpOutputBufferSize=32768 # Number of threads to use for HTTP requests processing. Default is # 2 * Runtime.getRuntime().availableProcessors() httpNumThreads= ### --- Token Authentication Provider --- ### ## Symmetric key # Configure the secret key to be used to validate auth tokens # The key can be specified like: # tokenSecretKey=data:base64,xxxxxxxxx # tokenSecretKey=file:///my/secret.key tokenSecretKey= ## Asymmetric public/private key pair # Configure the public key to be used to validate auth tokens # The key can be specified like: # tokenPublicKey=data:base64,xxxxxxxxx # tokenPublicKey=file:///my/public.key tokenPublicKey= # The token "claim" that will be interpreted as the authentication "role" or "principal" by AuthenticationProviderToken (defaults to "sub" if blank) tokenAuthClaim= ### --- Deprecated config variables --- ### # Deprecated. Use configurationStoreServers globalZookeeperServers=