Security is a critical concern for any modern messaging platform, especially when dealing with sensitive data or multi-tenant environments. Apache Pulsar provides a comprehensive security framework that includes authentication, authorization, and encryption, ensuring secure communication and controlled access across producers, consumers, and administrators.

This guide covers the core concepts and configuration steps needed to secure a Pulsar cluster, highlighting best practices for production deployments.

Pulsar Security Overview

Apache Pulsar’s security architecture includes:

  • Authentication: Verifies the identity of clients and users
  • Authorization: Grants or denies access to resources based on roles
  • Encryption: Protects data in transit (TLS) and at rest (optional)

These features are modular and can be configured based on your organization’s needs.

1. Authentication in Pulsar

Authentication ensures that only verified users and services can connect to the cluster.

Supported mechanisms:

  • TLS Authentication
  • JWT Tokens
  • OAuth 2.0
  • Kerberos (via SASL)
TLS Authentication Example

Generate certificates for broker and client, then configure:

Broker Configuration (broker.conf):

authenticationEnabled=true
authenticationProviders=org.apache.pulsar.broker.authentication.AuthenticationProviderTls
tlsEnabled=true
tlsCertificateFilePath=/path/to/broker-cert.pem
tlsKeyFilePath=/path/to/broker-key.pem

Client Configuration:

bin/pulsar-client consume persistent://my-tenant/my-ns/my-topic \
--auth-plugin org.apache.pulsar.client.impl.auth.AuthenticationTls \
--auth-params "tlsCertFile:/path/client-cert.pem,tlsKeyFile:/path/client-key.pem"
JWT Token Authentication

Generate token using Pulsar’s tool:

bin/pulsar tokens create --secret-key file:///path/to/secret.key

Set auth plugin and secret key in both broker and client.

2. Authorization and Role-Based Access Control (RBAC)

After authentication, authorization determines what a client is allowed to do.

Enable in broker.conf:

authorizationEnabled=true
authorizationProvider=org.apache.pulsar.broker.authorization.PulsarAuthorizationProvider

Use the Pulsar admin CLI to grant permissions:

bin/pulsar-admin namespaces grant-permission \
--actions produce,consume \
--role my-app-role \
my-tenant/my-namespace

You can also restrict topic-level access and define policies for produce, consume, functions, and administration.

3. Transport Layer Security (TLS)

Use TLS encryption to secure data in transit between:

  • Brokers ↔ Clients
  • Brokers ↔ Bookies
  • Brokers ↔ Other Brokers

Enable TLS on broker side:

tlsEnabled=true
tlsCertificateFilePath=/etc/pulsar/certs/broker.pem
tlsKeyFilePath=/etc/pulsar/certs/broker.key
tlsTrustCertsFilePath=/etc/pulsar/certs/ca.pem

Client config example:

ClientBuilder client = PulsarClient.builder()
.serviceUrl("pulsar+ssl://broker:6651")
.enableTls(true)
.tlsTrustCertsFilePath("/etc/pulsar/certs/ca.pem")
.build();

4. Securing BookKeeper (Storage Layer)

Apache Pulsar uses Apache BookKeeper to persist messages. Secure communication with bookies by:

  • Enabling TLS between brokers and bookies
  • Using Zookeeper ACLs to restrict access

bookkeeper.conf:

tlsProvider=OpenSSL
tlsCertificatePath=/path/to/bookie-cert.pem
tlsKeyPath=/path/to/bookie-key.pem
tlsTrustCertsPath=/path/to/ca.pem

Enable BookKeeper authentication:

authentication.enabled=true
authentication.provider.class=org.apache.bookkeeper.auth.SASLAuthenticationProvider

5. Multi-Tenant Security

Pulsar supports multi-tenancy out of the box. Secure tenants using:

  • Separate roles per tenant
  • Resource quotas (e.g., topic limits, message rate)
  • Namespace isolation policies

This ensures that one tenant cannot interfere with or access another’s data.

6. Best Practices for Securing Pulsar

  • Always use TLS encryption for internal and external communication
  • Enable authentication and authorization in all environments (not just production)
  • Rotate tokens and certificates periodically
  • Apply least privilege by assigning only required permissions to roles
  • Monitor access and audit logs for unusual behavior
  • Integrate with external identity providers using OAuth2 or LDAP
  • Use Secrets Manager (AWS/GCP/Azure) to manage private keys securely

Conclusion

Securing Apache Pulsar is essential for protecting your data streams and ensuring compliance with modern security standards. By enabling authentication, enforcing fine-grained authorization, and encrypting communications, you can deploy Pulsar with confidence in both internal and internet-facing architectures.

Whether you’re running a multi-tenant cloud platform or an internal event bus, these security best practices help keep your messaging infrastructure safe, reliable, and compliant.