Posted to commits@pulsar.apache.org by GitBox <gi...@apache.org> on 2021/09/21 11:56:46 UTC

[GitHub] [pulsar] VadimMolodyh opened a new issue #12115: "Clusters can not be empty" error on tenant creation when authentication is enabled

VadimMolodyh opened a new issue #12115:
URL: https://github.com/apache/pulsar/issues/12115


   **Describe the bug**
   I’m trying to set up authentication via JWT tokens in a standalone pulsar container, but I keep getting the “HTTP 412 Precondition Failed Clusters can not be empty” error when I try to create a tenant via the pulsar-admin command, although it works correctly with disabled authentication. According to the pulsar logs it “Successfully authorized admin1 as super-user” but then “[admin1] Failed to validate due to clusters are empty”. I do have a default “clusterName=standalone” in standalone.conf but it does not help.
   
   **To Reproduce**
   Steps to reproduce the behavior:
   1. I use apachepulsar/pulsar:2.7.2 docker container with "bin/pulsar standalone -nfw -nss" command (function worker is disabled to avoid auth issues).
   2. I followed instructions on https://pulsar.apache.org/docs/en/security-jwt documentation page to enable authentication via symmetric secret key:
   2.1. I created a symmetric secret key to /pulsar/conf/my-secret.key.
   2.2. I generated a JWT token for admin1 role.
   2.3. client.conf changes:
      authPlugin=org.apache.pulsar.client.impl.auth.AuthenticationToken 
      authParams=token:eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhZG1pbjEifQ.M5THXy95jofensE7egEqwRtUGyQ1f6HtpU_si4cH_7c
   2.4 standalone.conf changes:
      authenticationEnabled=true
      authenticationProviders=org.apache.pulsar.broker.authentication.AuthenticationProviderToken
      authorizationEnabled=true
      tokenSecretKey=file:///pulsar/conf/my-secret.key
      superUserRoles=admin1
   3. Container successfully starts.
   4. Execute "bin/pulsar-admin tenants create trade_routing_sf"
   5. Get error “Failed to validate due to clusters are empty”.
   
   **Expected behavior**
   Tenant is successfully created.
   
   **Desktop (please complete the following information):**
    - OS: apachepulsar/pulsar:2.7.2 docker container
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@pulsar.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



[GitHub] [pulsar] Shoothzj commented on issue #12115: "Clusters can not be empty" error on tenant creation when authentication is enabled

Posted by GitBox <gi...@apache.org>.
Shoothzj commented on issue #12115:
URL: https://github.com/apache/pulsar/issues/12115#issuecomment-926260691


   > @Shoothzj I switched to 2.8.1 and reproduced the same issue.
   > 
   > Here is [pulsar-auth-container.tar.gz](https://drive.google.com/file/d/1FvUILiTm0DYDrsFq_IZQUfdqV3PjiIEk/view?usp=sharing) archive with a small script (run_pulsar_container.sh) that reproduces the issue along with Dockerfile and changed config files.
   
   Did you miss configuring `brokerClientAuthenticationPlugin` and `brokerClientAuthenticationParameters` in `standalone.conf`?
   
   It should be configured like
   ```yaml
   brokerClientAuthenticationPlugin=org.apache.pulsar.client.impl.auth.AuthenticationToken
   brokerClientAuthenticationParameters={"token":"eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ0ZXN0LXVzZXIifQ.9OHgE9ZUDeBTZs7nSMEFIuGNEX18FLR3qvy8mqxSxXw"}
   ```





[GitHub] [pulsar] Shoothzj commented on issue #12115: "Clusters can not be empty" error on tenant creation when authentication is enabled

Posted by GitBox <gi...@apache.org>.
Shoothzj commented on issue #12115:
URL: https://github.com/apache/pulsar/issues/12115#issuecomment-925809832


   I followed your steps in Pulsar 2.8.1 and this problem doesn't appear. Maybe you can try a higher version?





[GitHub] [pulsar] VadimMolodyh commented on issue #12115: "Clusters can not be empty" error on tenant creation when authentication is enabled

Posted by GitBox <gi...@apache.org>.
VadimMolodyh commented on issue #12115:
URL: https://github.com/apache/pulsar/issues/12115#issuecomment-926633797


   @Shoothzj, thanks a lot! I tried these parameters but for some reason they did not work on 2.7.x but they do work on 2.8.0 and 2.8.1.
   So, this means that JWT token authentication does not work on 2.7.x (at least in standalone mode).





[GitHub] [pulsar] VadimMolodyh commented on issue #12115: "Clusters can not be empty" error on tenant creation when authentication is enabled

Posted by GitBox <gi...@apache.org>.
VadimMolodyh commented on issue #12115:
URL: https://github.com/apache/pulsar/issues/12115#issuecomment-924121419


   I found an example of a working [pulsar standalone docker container with JWT authentication enabled](https://github.com/david-streamlio/pulsar-in-action/tree/master/docker-image/src/main/docker/standalone-secure), but the problem is that it has "anonymousUserRole=admin" in standalone.conf, which effectively means - no authentication.
   
   After replacing it with "anonymousUserRole=anonymous" I got errors like "org.apache.pulsar.client.admin.PulsarAdminException$NotAuthorizedException" from the function worker. After disabling it by " -nfw -nss" I again got the "Clusters can not be empty" error.



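An added example, not part of the thread or of the Pulsar project: a small audit of a `standalone.conf` for the two conditions raised in the comments, namely missing `brokerClientAuthenticationPlugin` / `brokerClientAuthenticationParameters` and an `anonymousUserRole` that is also a super-user role. It goes one step further and assumes the broker's own client token should carry a subject listed in `superUserRoles`; the finding names, `make_token` and the sample configurations are constructed for illustration.

```python
import base64, json

def parse_properties(text):
    """Parse key=value lines (Java .properties style), skipping comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def jwt_subject(token):
    """Read the 'sub' claim without verifying the signature (audit use only)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload)).get("sub")

def extract_token(params):
    """Accept both 'token:<jwt>' and '{"token":"<jwt>"}' parameter forms."""
    if params.startswith("{"):
        return json.loads(params).get("token", "")
    return params[len("token:"):] if params.startswith("token:") else ""

def audit(text):
    conf, findings = parse_properties(text), []
    if conf.get("authenticationEnabled") != "true":
        return ["authentication-disabled"]
    supers = {r.strip() for r in conf.get("superUserRoles", "").split(",") if r.strip()}
    if conf.get("anonymousUserRole") in supers:
        findings.append("anonymous-is-superuser")  # unauthenticated callers get admin
    params = conf.get("brokerClientAuthenticationParameters", "")
    if not conf.get("brokerClientAuthenticationPlugin") or not params:
        findings.append("broker-client-auth-missing")
    else:
        token = extract_token(params)
        # Assumption: the broker's internal client must act as a super-user role.
        if token.count(".") != 2 or jwt_subject(token) not in supers:
            findings.append("broker-client-role-not-superuser")
    return findings

def make_token(sub):
    """Constructed sample token with a placeholder signature (not a real credential)."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f'{enc({"alg": "HS256"})}.{enc({"sub": sub})}.c2lnbmF0dXJl'

REPORTED = "authenticationEnabled=true\nauthorizationEnabled=true\nsuperUserRoles=admin1\n"
FIXED = (REPORTED + "brokerClientAuthenticationPlugin=org.apache.pulsar.client.impl.auth.AuthenticationToken\n"
         + 'brokerClientAuthenticationParameters={"token":"' + make_token("admin1") + '"}\n')
```

`audit(REPORTED)` flags the configuration from the issue description, and `audit(FIXED)` returns no findings once the broker client settings are present.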


[GitHub] [pulsar] VadimMolodyh closed issue #12115: "Clusters can not be empty" error on tenant creation when authentication is enabled

Posted by GitBox <gi...@apache.org>.
VadimMolodyh closed issue #12115:
URL: https://github.com/apache/pulsar/issues/12115


   





[GitHub] [pulsar] VadimMolodyh commented on issue #12115: "Clusters can not be empty" error on tenant creation when authentication is enabled

Posted by GitBox <gi...@apache.org>.
VadimMolodyh commented on issue #12115:
URL: https://github.com/apache/pulsar/issues/12115#issuecomment-925861919


   @Shoothzj I switched to 2.8.1 and reproduced the same issue.
   
   Here is [pulsar-auth-container.tar.gz](https://drive.google.com/file/d/1FvUILiTm0DYDrsFq_IZQUfdqV3PjiIEk/view?usp=sharing) archive with a small script (run_pulsar_container.sh) that reproduces the issue along with Dockerfile and changed config files.

