Posted to commits@pulsar.apache.org by GitBox <gi...@apache.org> on 2022/07/15 12:38:24 UTC

[GitHub] [pulsar] acortes-okode opened a new issue, #16626: WebSocket 'token' request param authorization not working

acortes-okode opened a new issue, #16626:
URL: https://github.com/apache/pulsar/issues/16626

   As always, thanks a lot for your work!
   
   **Describe the bug**
   Using the `token` request param in a WebSocket URL gives an unauthorized response; it seems it is not working as intended in the [documentation](https://pulsar.apache.org/docs/client-libraries-websocket/#query-param-1). I am only able to authorize using the `Authorization` header on the handshake HTTP request using a [nodejs websocket client implementation](https://www.npmjs.com/package/websocket), but this is not possible when using the browser WebSocket API.
   
   I think this was the reason the `token` request param was implemented in this [commit](https://github.com/apache/pulsar/commit/f1f272ea5e1946b430636f1e6d54eba02e78969e) by using a request wrapper. But I'm trying to send a token using this param and the [AuthenticationFilter](https://github.com/apache/pulsar/blob/master/pulsar-broker-common/src/main/java/org/apache/pulsar/broker/web/AuthenticationFilter.java) is telling me that the request is unauthorized:
   
   ```log
   2022-07-15T14:11:23,010+0200 [pulsar-web-56-15] WARN  org.apache.pulsar.broker.web.AuthenticationFilter - [127.0.0.1] Failed to authenticate HTTP request: Authentication required
   2022-07-15T14:11:23,052+0200 [pulsar-web-56-15] INFO  org.eclipse.jetty.server.RequestLog - 127.0.0.1 - - [15/jul./2022:14:11:22 +0200] "GET /ws/v2/consumer/persistent/public/default/test-topic/test-sub HTTP/1.1" 401 606 "-" "-" 64
   ```
   
   For me it seems like the AuthenticationFilter is being executed before the request wrapper is applied, or is directly not using the wrapped request. I've tried to download and execute the code to test this, but it's my first time trying to use Pulsar and I still don't know how to do it.
   
   I've found an open [issue](https://github.com/apache/pulsar/issues/5598) about WebSocket token authentication, but it seems very old compared to the commit that implemented the use of the `token` request parameter, and I'm not sure why it was not closed once the implementation was made. I've opened a new one because of that but, of course, feel free to close or manage this issue in the best way.
   
   **To Reproduce**
   To reproduce this, I have set up a standalone Pulsar configuration following the steps on [https://pulsar.apache.org/ja/docs/standalone/](https://pulsar.apache.org/ja/docs/standalone/) with version `2.10.1` and modified the `standalone.conf` in order to set up JWT authentication/authorization checking:
   
   - https://pulsar.apache.org/docs/security-jwt
   - https://pulsar.apache.org/docs/security-authorization#authorize-an-authenticated-client-with-multiple-roles
   
   Following are the properties I have modified on `standalone.conf` file:
   ```
   # Enable authentication
   authenticationEnabled=true
   
   # Authentication provider name list, which is comma separated list of class names
   authenticationProviders=org.apache.pulsar.broker.authentication.AuthenticationProviderToken
   
   # Enforce authorization
   authorizationEnabled=true
   
   # Authorization provider fully qualified class-name
   authorizationProvider=org.apache.pulsar.broker.authorization.MultiRolesTokenAuthorizationProvider
   
   superUserRoles=superuser
   
   brokerClientAuthenticationPlugin=org.apache.pulsar.client.impl.auth.AuthenticationToken
   brokerClientAuthenticationParameters={"token":"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyLCJyb2xlcyI6WyJzdXBlcnVzZXIiLCJ0ZXN0Il19.fwFySHYsYES_j4ggOwShLJFsYiLBP9Ng0note_bex8Q"}
   
   tokenSecretKey=data:;base64,dGVzdHNlY3JldFRvb29Mb29vb25nVG9CZVJlbWVtYmVyZWRGb3JUaGVTYWtlT2ZTaW1wbGljaXR5VW5leHBlY3RlZFdoYXRldmVyMQ==
   
   tokenAuthClaim=roles
   ```
   
   Then, I've just opened a WebSocket connection against `ws://localhost:8080/ws/v2/consumer/persistent/public/default/test-topic/test-sub?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyLCJyb2xlcyI6WyJzdXBlcnVzZXIiXX0.t76ZTaEfMTONmznsi8DAQyJ1dtAcmlw1KVq5BisGEpw` and received the unauthorized response.
   
   As seen in a comment in the [related issue](https://github.com/apache/pulsar/issues/5598), I've then tested the WebSocket connection using a nodejs application with the [websocket](https://www.npmjs.com/package/websocket) library, which allows me to put an Authorization header on the HTTP request, and it worked fine:
   
   ```js
   #!/usr/bin/env node
   'use strict';
   console.log('Starting websocket client...');
   
   // The `websocket` npm package allows custom headers on the HTTP upgrade
   // request, which the browser WebSocket API does not.
   const WebSocketClient = require('websocket').client;
   
   const client = new WebSocketClient();
   
   client.on('connectFailed', function (error) {
       console.log('Connect Error: ' + error.toString());
   });
   
   client.on('connect', function (connection) {
       console.log('WebSocket Client Connected');
       connection.on('error', function (error) {
           console.log('Connection Error: ' + error.toString());
       });
       connection.on('close', function () {
           console.log('Connection Closed');
       });
       connection.on('message', function (message) {
           console.log('Received message:', message);
       });
   });
   
   // connect(requestUrl, requestedProtocols, origin, headers): the JWT is sent
   // as a bearer token in the Authorization header of the handshake request.
   client.connect(
       'ws://localhost:8080/ws/v2/consumer/persistent/public/default/test-topic/test-sub',
       null,
       null,
       {
           'Authorization': 'Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyLCJyb2xlcyI6WyJzdXBlcnVzZXIiXX0.t76ZTaEfMTONmznsi8DAQyJ1dtAcmlw1KVq5BisGEpw'
       }
   );
   ```
   
   As stated above, it seems like the `AuthenticationFilter` is being executed without the wrapped request and thus is not retrieving the value of the `token` request param when checking the `Authorization` header.
   
   **Expected behavior**
   WebSocket connections should be authorized correctly when passing the `token` request parameter on the connection URL, since the browser WebSocket implementation does not allow the use of custom HTTP headers (and it seems this is the common way authorization is implemented, at least until the browser WebSocket implementation evolves to support sending HTTP headers).
   
   Thanks for all your support!
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@pulsar.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


[GitHub] [pulsar] nodece commented on issue #16626: WebSocket 'token' request param authorization not working in the broker while using `webSocketServiceEnabled=true`

nodece commented on issue #16626:
URL: https://github.com/apache/pulsar/issues/16626#issuecomment-1187033028

   I submitted a #16650 for this issue, could you review this PR?




[GitHub] [pulsar] Technoboy- commented on issue #16626: WebSocket 'token' request param authorization not working

Technoboy- commented on issue #16626:
URL: https://github.com/apache/pulsar/issues/16626#issuecomment-1186526907

   `eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyLCJyb2xlcyI6WyJzdXBlcnVzZXIiXX0.t76ZTaEfMTONmznsi8DAQyJ1dtAcmlw1KVq5BisGEpw`
   The above token decodes to role `1234567890`. Do you grant this role the `consume` permission?




[GitHub] [pulsar] acortes-okode commented on issue #16626: WebSocket 'token' request param authorization not working

acortes-okode commented on issue #16626:
URL: https://github.com/apache/pulsar/issues/16626#issuecomment-1186914837

   Hi @nodece, thanks for your support!
   
   Yeah, of course, I'll do it and I'll let you know once done.




[GitHub] [pulsar] Technoboy- closed issue #16626: WebSocket 'token' request param authorization not working in the broker while using `webSocketServiceEnabled=true`

Technoboy- closed issue #16626: WebSocket 'token' request param authorization not working in the broker while using `webSocketServiceEnabled=true` 
URL: https://github.com/apache/pulsar/issues/16626




[GitHub] [pulsar] acortes-okode commented on issue #16626: WebSocket 'token' request param authorization not working

acortes-okode commented on issue #16626:
URL: https://github.com/apache/pulsar/issues/16626#issuecomment-1186951075

   Hi again @nodece,
   
   I managed to run the websocket service as a separate component by first running Pulsar in standalone mode with `webSocketServiceEnabled=false` and then starting `bin/pulsar websocket`, configuring `websocket.conf` with the same authentication/authorization parameters and with the `metadatastore` and `pulsar-cluster` parameters referencing the standalone Pulsar instance.
   
   As you pointed out, I was able to authenticate and authorize correctly with the `token` request parameter this way! So it seems the issue only occurs if the websocket service is enabled in the broker and the AuthenticationFilter gets in the way.
   
   I'm going to change the issue's title to reflect that. Or let me know what you think I should do (close, open a new one...)
   
   Thanks again!
   




[GitHub] [pulsar] nodece commented on issue #16626: WebSocket 'token' request param authorization not working

nodece commented on issue #16626:
URL: https://github.com/apache/pulsar/issues/16626#issuecomment-1186882951

   Could you launch a separate WebSocket to try it out? I checked the codebase, and I guess it is not working in the standalone Pulsar.
   
   See https://pulsar.apache.org/docs/next/client-libraries-websocket/#as-a-separate-component for launching a separate WebSocket.




[GitHub] [pulsar] acortes-okode commented on issue #16626: WebSocket 'token' request param authorization not working

acortes-okode commented on issue #16626:
URL: https://github.com/apache/pulsar/issues/16626#issuecomment-1186825568

   Hi @Technoboy- , thanks for your time!
   
   I'm not using the `sub` claim of the token as the role claim; I have configured `tokenAuthClaim=roles` in order to use the `roles` claim as the one to be checked. It has only one role, `superuser`, which is also configured in `superUserRoles`.
   
   This setup works as expected, since I can consume and produce if I set that token on the `Authorization` header of the WebSocket request using a nodejs library (or by configuring `bin/pulsar-client` to use it). But I cannot make it work using the `token` request parameter, which is the only way authorization can be set in the browser WebSocket client implementation, since it does not accept custom headers.
   
   Moreover, the error I get is the one saying `authentication required` instead of something regarding authorization, and the class giving me the error is the [AuthenticationFilter](https://github.com/apache/pulsar/blob/master/pulsar-broker-common/src/main/java/org/apache/pulsar/broker/web/AuthenticationFilter.java), which, by looking at the code, I expect to validate the JWT token (as the secret is correct) and let the authorization flow in the [AbstractWebSocketHandler](https://github.com/apache/pulsar/blob/master/pulsar-websocket/src/main/java/org/apache/pulsar/websocket/AbstractWebSocketHandler.java#L120) check for authorization.
   
   Thank you once again!

