Posted to commits@pulsar.apache.org by GitBox <gi...@apache.org> on 2020/09/02 10:34:49 UTC

[GitHub] [pulsar] cuzyoucant opened a new issue #7960: AuthenticationOAuth2 as Authentication Plugin in Pulsar Proxy

cuzyoucant opened a new issue #7960:
URL: https://github.com/apache/pulsar/issues/7960


   **Describe the bug**
   When setting AuthenticationOAuth2 as brokerClientAuthenticationPlugin the proxy crashes on start-up with an uncaught Exception with message "null".
   
   Relevant config:
   brokerClientAuthenticationPlugin=org.apache.pulsar.client.impl.auth.oauth2.AuthenticationOAuth2
   brokerClientAuthenticationParameters={"grant_type": "client_credentials","issuerUrl": "https://example.com/your/auth/url/here","audience": "my_audience", "privateKey": "file:/path/to/keyfile/cc.json"}
   
   The cc.json contains client_id and client_secret as described in the documentation.
   
   **To Reproduce**
   Steps to reproduce the behavior:
   1. Set brokerClientAuthenticationPlugin and brokerClientAuthenticationParameters as described above.
   2. Start the proxy.
   
   **Expected behavior**
   The proxy should be able to get a token from our OAuth provider and authenticate itself to the broker.
   
   **Desktop (please complete the following information):**
    - OS: Pulsar is currently running in a Kubernetes cluster. We also tried with the standalone version to no avail.
   
   **Additional context**
   The broker is defined with the same config in terms of plugin and authenticationParameters and is able to get a token.
   


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



[GitHub] [pulsar] sijie commented on issue #7960: AuthenticationOAuth2 as Authentication Plugin in Pulsar Proxy

Posted by GitBox <gi...@apache.org>.
sijie commented on issue #7960:
URL: https://github.com/apache/pulsar/issues/7960#issuecomment-686269458


   @jiazhai Can you take a look?





[GitHub] [pulsar] cuzyoucant commented on issue #7960: AuthenticationOAuth2 as Authentication Plugin in Pulsar Proxy

Posted by GitBox <gi...@apache.org>.
cuzyoucant commented on issue #7960:
URL: https://github.com/apache/pulsar/issues/7960#issuecomment-687084907


   @jiazhai There are no logs regarding this server-side. My guess is that the method .getAuthData(), which returns the AuthenticationDataProvider Object, returns an empty object, since the object should be containing the token. And for the token to be present it needs to call the underlying authenticate method, which I assume AuthenticationFactory.create() doesn't do. Hope that makes some sense.
   
   Here are the relevant configs from the proxy and broker.
   
   broker:
   ```yaml
   brokerClientAuthenticationPlugin: org.apache.pulsar.client.impl.auth.oauth2.AuthenticationOAuth2
   brokerClientAuthenticationParameters: '{"grant_type": "client_credentials","issuerUrl":
       "https://abc.com/auth/realms/myrealm","audience": "my_aud", "privateKey":
       "file:/pulsar/credentials/pulsar-broker-cred.json"}'
   webServicePortTls: "8443"
   brokerServicePortTls: "6651"
   tlsCertificateFilePath: /pulsar/certs/broker/tls.crt
   tlsKeyFilePath: /pulsar/certs/broker/tls.key
   tlsTrustCertsFilePath: /pulsar/certs/ca/ca.crt
   tokenPublicAlg: RS256
   tokenPublicKey: /pulsar/keys/pulsar-pub.key
   ```
   
   proxy:
   ```yaml
   brokerServiceURLTLS: pulsar+ssl://pulsar-broker:6651
   brokerWebServiceURLTLS: https://pulsar-broker:8443
   servicePortTls: "6651"
   tlsAllowInsecureConnection: "false"
   tlsCertRefreshCheckDurationSec: "300"
   tlsCertificateFilePath: /pulsar/certs/proxy/tls.crt
   tlsEnabledInProxy: "true"
   tlsEnabledWithBroker: "true"
   tlsKeyFilePath: /pulsar/certs/proxy/tls.key
   tlsTrustCertsFilePath: /pulsar/certs/ca/ca.crt
   webServicePortTls: "443"
   tokenPublicAlg: RS256
   tokenPublicKey: /pulsar/keys/pulsar-pub.key
   ```
   
   Everything not configured here is set to default. I hope that's all!





[GitHub] [pulsar] jiazhai commented on issue #7960: AuthenticationOAuth2 as Authentication Plugin in Pulsar Proxy

Posted by GitBox <gi...@apache.org>.
jiazhai commented on issue #7960:
URL: https://github.com/apache/pulsar/issues/7960#issuecomment-686343461


   @cuzyoucant How is the TLS configured?





[GitHub] [pulsar] jiazhai commented on issue #7960: AuthenticationOAuth2 as Authentication Plugin in Pulsar Proxy

Posted by GitBox <gi...@apache.org>.
jiazhai commented on issue #7960:
URL: https://github.com/apache/pulsar/issues/7960#issuecomment-686385381


   Thanks @cuzyoucant, also, are there any suspicious logs on the server side?





[GitHub] [pulsar] jiazhai edited a comment on issue #7960: AuthenticationOAuth2 as Authentication Plugin in Pulsar Proxy

Posted by GitBox <gi...@apache.org>.
jiazhai edited a comment on issue #7960:
URL: https://github.com/apache/pulsar/issues/7960#issuecomment-686343461


   @cuzyoucant How is the TLS configured? I suspected it is enabled with "tlsEnabledWithKeyStore"?





[GitHub] [pulsar] cuzyoucant commented on issue #7960: AuthenticationOAuth2 as Authentication Plugin in Pulsar Proxy

Posted by GitBox <gi...@apache.org>.
cuzyoucant commented on issue #7960:
URL: https://github.com/apache/pulsar/issues/7960#issuecomment-686354984


   @jiazhai I can update you about the exact config tomorrow. I do not have it at hand right now.





[GitHub] [pulsar] cuzyoucant commented on issue #7960: AuthenticationOAuth2 as Authentication Plugin in Pulsar Proxy

Posted by GitBox <gi...@apache.org>.
cuzyoucant commented on issue #7960:
URL: https://github.com/apache/pulsar/issues/7960#issuecomment-688212671


   @zymap They are set. I just double checked. Sorry I missed those. I got the config file in a very weirdly formatted way and I just copy/pasted everything that I thought was related to TLS.
   
   Like I mentioned above, when I pass in a dummy token everything works as expected. As soon as the proxy gets its first request it notices that the token is invalid and gets a new one from our OAuth provider.





[GitHub] [pulsar] zymap commented on issue #7960: AuthenticationOAuth2 as Authentication Plugin in Pulsar Proxy

Posted by GitBox <gi...@apache.org>.
zymap commented on issue #7960:
URL: https://github.com/apache/pulsar/issues/7960#issuecomment-688008997


   @cuzyoucant It seems there is no `brokerClientAuthenticationPlugin` and `brokerClientAuthenticationParameters` in your proxy configuration file. I think you might need to configure them in the proxy as well.
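A configuration check for the gap pointed out in this comment, written as an added example that is not part of the Pulsar project or of this thread: it parses a proxy conf file, flags a proxy that speaks TLS to the broker and authenticates its own clients yet carries no `brokerClientAuthenticationPlugin`/`brokerClientAuthenticationParameters`, and validates the OAuth2 parameter JSON. The two sample conf texts are constructed (the values echo this thread, not a real deployment), and the set of required OAuth2 keys is taken from the parameters shown in the thread.

```python
import json
from typing import Dict, List

OAUTH2_PLUGIN = "org.apache.pulsar.client.impl.auth.oauth2.AuthenticationOAuth2"
OAUTH2_REQUIRED = ("issuerUrl", "audience", "privateKey")  # keys used in the thread's configs


def parse_conf(text: str) -> Dict[str, str]:
    """Parse a Pulsar-style key=value conf file; comments and blank lines are ignored."""
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            conf[key.strip()] = value.strip()
    return conf


def check_proxy_broker_auth(conf: Dict[str, str]) -> List[str]:
    """Return findings about how the proxy will authenticate itself to the broker."""
    def is_true(key: str) -> bool:
        return conf.get(key, "false").lower() == "true"
    findings: List[str] = []
    plugin = conf.get("brokerClientAuthenticationPlugin", "")
    params = conf.get("brokerClientAuthenticationParameters", "")
    if is_true("tlsEnabledWithBroker") and not conf.get("brokerServiceURLTLS"):
        findings.append("tlsEnabledWithBroker=true but brokerServiceURLTLS is not set")
    # A proxy that authenticates its own clients almost certainly fronts a broker that
    # requires auth too; with no broker client plugin it would connect unauthenticated.
    if is_true("authenticationEnabled") and not plugin:
        findings.append("authenticationEnabled=true but brokerClientAuthenticationPlugin is not set")
    if plugin and not params:
        findings.append("brokerClientAuthenticationPlugin is set but brokerClientAuthenticationParameters is empty")
    if plugin == OAUTH2_PLUGIN and params:
        try:
            p = json.loads(params)
        except json.JSONDecodeError as exc:
            return findings + [f"brokerClientAuthenticationParameters is not valid JSON: {exc}"]
        for key in OAUTH2_REQUIRED:
            if not p.get(key):
                findings.append(f"OAuth2 parameter '{key}' is missing")
        if not str(p.get("issuerUrl", "")).startswith("https://"):
            findings.append("issuerUrl must be https://, or the token exchange runs in the clear")
    return findings


# Constructed sample: mirrors the proxy config in this thread (TLS to the broker, no client plugin).
PROXY_CONF_WITHOUT_PLUGIN = """
brokerServiceURLTLS=pulsar+ssl://pulsar-broker:6651
tlsEnabledWithBroker=true
authenticationEnabled=true
"""

# Constructed sample: the same proxy with the OAuth2 client plugin configured.
PROXY_CONF_WITH_PLUGIN = PROXY_CONF_WITHOUT_PLUGIN + (
    "brokerClientAuthenticationPlugin=" + OAUTH2_PLUGIN + "\n"
    'brokerClientAuthenticationParameters={"issuerUrl": "https://example.com/auth",'
    ' "audience": "my_audience", "privateKey": "file:/pulsar/credentials/cc.json"}\n'
)
```

Running `check_proxy_broker_auth(parse_conf(PROXY_CONF_WITHOUT_PLUGIN))` reports the missing broker client plugin; the second sample passes clean.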





[GitHub] [pulsar] jiazhai removed a comment on issue #7960: AuthenticationOAuth2 as Authentication Plugin in Pulsar Proxy

Posted by GitBox <gi...@apache.org>.
jiazhai removed a comment on issue #7960:
URL: https://github.com/apache/pulsar/issues/7960#issuecomment-686339088


   `if (serviceConfig.isTlsEnabledWithBroker())` This means the proxy will use TLS to communicate with the broker, and it expects
   `brokerClientAuthenticationPlugin` and `brokerClientAuthenticationParameters` to be related to the TLS config, instead of the OAuth2 config.





[GitHub] [pulsar] cuzyoucant commented on issue #7960: AuthenticationOAuth2 as Authentication Plugin in Pulsar Proxy

Posted by GitBox <gi...@apache.org>.
cuzyoucant commented on issue #7960:
URL: https://github.com/apache/pulsar/issues/7960#issuecomment-685684259


   After some more debugging we found some additional information about the bug.
   
   We got it to run in the standalone after disabling TLS connections in the config. It would be quite the hassle to disable all TLS connections in the Kubernetes cluster, so I can't say if disabling TLS would get it to work in Kubernetes.
   
   After some digging in the source code I found the part where it is checked if TLS is enabled in the config and, depending on that, some other code is executed. With some extra exception handling I am pretty sure the uncaught exception is coming from there.
   
   In the file ServiceChannelInitializer.java, lines 87 to 116.
   ![image](https://user-images.githubusercontent.com/26773084/91978377-475b6900-ed24-11ea-8d82-96155af63188.png)
   
   If TLS is not enabled with the broker, this part is skipped and the proxy works. If it is enabled, this part throws an Exception with message "null" somewhere which is never caught.
   
   I hope this helps to identify the problem.
   





[GitHub] [pulsar] sijie closed issue #7960: AuthenticationOAuth2 as Authentication Plugin in Pulsar Proxy

Posted by GitBox <gi...@apache.org>.
sijie closed issue #7960:
URL: https://github.com/apache/pulsar/issues/7960


   





[GitHub] [pulsar] cuzyoucant commented on issue #7960: AuthenticationOAuth2 as Authentication Plugin in Pulsar Proxy

Posted by GitBox <gi...@apache.org>.
cuzyoucant commented on issue #7960:
URL: https://github.com/apache/pulsar/issues/7960#issuecomment-686351973


   @jiazhai The parameters for oauth2 are configured and are working, because as I pass in a dummy token the proxy starts, notices that the token is invalid and gets a new one, and then the proxy works just fine.
   
   We are currently not using the keystore, so the "tlsEnabledWithKeyStore" is not set to true in our configuration.






[GitHub] [pulsar] jiazhai commented on issue #7960: AuthenticationOAuth2 as Authentication Plugin in Pulsar Proxy

Posted by GitBox <gi...@apache.org>.
jiazhai commented on issue #7960:
URL: https://github.com/apache/pulsar/issues/7960#issuecomment-686335674


   @cuzyoucant Thanks for the report.
   >So the problem seems to be the Authentication Object from the AuthenticationFactory in line 91/92 returning an empty AuthenticationDataOAuth2 Object when getAuthData() is called on it.
   
   Is this because the parameters for oauth2 are not configured right?





[GitHub] [pulsar] cuzyoucant commented on issue #7960: AuthenticationOAuth2 as Authentication Plugin in Pulsar Proxy

Posted by GitBox <gi...@apache.org>.
cuzyoucant commented on issue #7960:
URL: https://github.com/apache/pulsar/issues/7960#issuecomment-685795777


   After even more debugging I narrowed it down further.
   
   In the same file ServiceChannelInitializer.java, lines 85 to 89, where the AuthenticationFactory builds the Authentication Object with AuthenticationOAuth2.
   ![image](https://user-images.githubusercontent.com/26773084/91998075-15093600-ed3b-11ea-88b0-419beab66c16.png)
   
   After some testing I noticed that if I provide a dummy Object from AuthenticationDataOAuth2 with an invalid token as parameter, the proxy starts up correctly. After the proxy gets its first request it checks the token, notices that it is not valid anymore and gets a new one.
   ![image](https://user-images.githubusercontent.com/26773084/92000729-2273ef80-ed3e-11ea-936d-21118382e59e.png)
   
   So the problem seems to be the Authentication Object from the AuthenticationFactory in line 91/92 returning an empty AuthenticationDataOAuth2 Object when getAuthData() is called on it.





[GitHub] [pulsar] zymap commented on issue #7960: AuthenticationOAuth2 as Authentication Plugin in Pulsar Proxy

Posted by GitBox <gi...@apache.org>.
zymap commented on issue #7960:
URL: https://github.com/apache/pulsar/issues/7960#issuecomment-689425857


   @cuzyoucant Finally, I reproduced this issue locally and fixed it in #8019. Feel free to take a look and leave comments.





[GitHub] [pulsar] jiazhai commented on issue #7960: AuthenticationOAuth2 as Authentication Plugin in Pulsar Proxy

Posted by GitBox <gi...@apache.org>.
jiazhai commented on issue #7960:
URL: https://github.com/apache/pulsar/issues/7960#issuecomment-686339088


   `if (serviceConfig.isTlsEnabledWithBroker())` This means the proxy will use TLS to communicate with the broker, and it expects
   `brokerClientAuthenticationPlugin` and `brokerClientAuthenticationParameters` to be related to the TLS config, instead of the OAuth2 config.

