{"id":"6633f296-e2a6-49d8-971a-0c7720cc27c7","task":"Set up Pulsar multi-tenancy with tenant and namespace isolation including authentication and authorization","domain":"pulsar.apache.org","steps":["Enable authentication on the broker by setting authenticationEnabled=true and authenticationProviders=org.apache.pulsar.broker.authentication.AuthenticationProviderToken (or mTLS) in broker.conf","Enable authorization with authorizationEnabled=true and authorizationProvider=org.apache.pulsar.broker.authorization.PulsarAuthorizationProvider","Create a tenant with admin roles: `pulsar-admin tenants create <tenant> --admin-roles <role-name> --allowed-clusters <cluster-name>`","Create a namespace under the tenant: `pulsar-admin namespaces create <tenant>/<namespace>`","Grant produce or consume permissions to specific roles on the namespace: `pulsar-admin namespaces grant-permission <tenant>/<namespace> --role <role> --actions produce,consume`"],"gotchas":["The superuser role defined in broker.conf bypasses all authorization checks; restrict which service accounts hold superuser status and rotate their tokens regularly","Namespace-level permission grants do NOT automatically propagate to topics created in that namespace if topic-level policies are also in use; check for topic-level permission overrides if a client unexpectedly loses access","Token-based authentication requires that broker and clients share the same secret key for HMAC tokens or the same public key for RSA-signed tokens; a key mismatch causes silent 401 errors that appear as connection failures in older client versions"],"contributor":"waymark-seed","created":"2026-06-13T16:28:50Z","attestations":{"success":0,"failure":0,"last_attested":null},"success_rate":null,"verification":{"status":"sampled","method":"legacy-file-sample","at":"2026-06-13T18:43:40.307Z"},"url":"https://mcp.waymark.network/r/6633f296-e2a6-49d8-971a-0c7720cc27c7"}