Posted to commits@pulsar.apache.org by GitBox <gi...@apache.org> on 2021/04/14 03:07:42 UTC

[GitHub] [pulsar] dragonls opened a new issue #10221: Failed to create consumer while using proxy and `Prefix` Subscription Authentication Mode

dragonls opened a new issue #10221:
URL: https://github.com/apache/pulsar/issues/10221


   **Describe the bug**
   I am using a Pulsar cluster on k8s, deployed by `pulsar-helm-chart`, having the `proxy` component and using JWT for authentication.
   If one namespace changes the subscription authentication mode from `None` to `Prefix`, the consumer cannot subscribe to the topic even when having the valid role prefix.
   
   **To Reproduce**
   Steps to reproduce the behavior:
   1. Using pulsar cluster on k8s, having `proxy` component and using JWT for authentication
   2. Set the subscription authentication mode of one namespace from `None` to `Prefix`, e.g. namespace `test/auth`
   3. Add a subscription `roleA-test` of topic `persistent://test/auth/topic`
   4. Use role `roleA` to consume the topic `persistent://test/auth/topic`
   
   **Expected behavior**
   The consumer should subscribe and consume the topic normally.
   
   **Screenshots**
   The consumer gets the error `org.apache.pulsar.client.api.PulsarClientException$AuthorizationException: Failed to subscribe ...`
   ![image](https://user-images.githubusercontent.com/2565118/114648477-7782d580-9d11-11eb-9c34-0994a915763d.png)
   
   **Desktop (please complete the following information):**
    - OS: Linux
   
   **Additional context**
   The broker log:
   ```
   20:31:48.269 [pulsar-io-25-4] INFO  org.apache.pulsar.broker.service.ServerCnx - New connection from /9.165.129.25:52986
   20:31:48.281 [pulsar-io-25-4] INFO  org.apache.pulsar.broker.service.ServerCnx - [/9.165.129.25:52986] org.apache.pulsar.broker.PulsarServerException: Failed to create consumer - The subscription name needs to be prefixed by the authentication role, like proxy-admin-xxxx for topic: persistent://test/auth/p1-partition-0 with role roleA
   ```
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



[GitHub] [pulsar] dragonls edited a comment on issue #10221: Failed to create consumer while using proxy and `Prefix` Subscription Authentication Mode

Posted by GitBox <gi...@apache.org>.
dragonls edited a comment on issue #10221:
URL: https://github.com/apache/pulsar/issues/10221#issuecomment-819207592


   Digging into the code, the broker will check the operation in [org.apache.pulsar.broker.service.ServerCnx#isTopicOperationAllowed](https://github.com/apache/pulsar/blob/master/pulsar-broker/src/main/java/org/apache/pulsar/broker/service/ServerCnx.java#L305).
   
   In this case:
   `service.isAuthorizationEnabled()` is `true`, `originalPrincipal` is `roleA`, `authRole` is `proxy-admin`.
   `isProxyAuthorizedFuture` will be `true`, `isAuthorizedFuture` will throw the `PulsarServerException` (it is actually thrown in [org.apache.pulsar.broker.authorization.PulsarAuthorizationProvider#canConsumeAsync](https://github.com/apache/pulsar/blob/master/pulsar-broker-common/src/main/java/org/apache/pulsar/broker/authorization/PulsarAuthorizationProvider.java#L135); passing `proxy-admin` as the role will throw the exception), which results in the failure of the consumer.
   
   One simple solution is to use `permissionFuture.complete(false)` instead of `permissionFuture.completeExceptionally(ex)`, not throwing the exception in [org.apache.pulsar.broker.authorization.PulsarAuthorizationProvider#canConsumeAsync](https://github.com/apache/pulsar/blob/master/pulsar-broker-common/src/main/java/org/apache/pulsar/broker/authorization/PulsarAuthorizationProvider.java#L135).
   But this solution may change the error message for those consumers using an invalid role to subscribe, e.g., `roleB` subscribing to `persistent://test/auth/topic` with subscription `roleA-test`.
   
   Better solutions are welcome.




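An added illustration, not Pulsar's code and not part of the original thread, of the difference between `permissionFuture.completeExceptionally(ex)` and `permissionFuture.complete(false)` discussed in the comment above. It is a simplified model: `prefixCheck`, `authorize` and `subscribe` are hypothetical names, and it assumes the proxy's own role is privileged and that this privilege is OR-combined with the prefix-check result.

```java
import java.util.concurrent.CompletableFuture;
import java.util.concurrent.CompletionException;

public class PrefixModeProxyDemo {
    // Stand-in for the Prefix-mode check (assumed rule): subscription must start with "<role>-".
    static CompletableFuture<Boolean> prefixCheck(String role, String sub, boolean throwOnMismatch) {
        CompletableFuture<Boolean> permissionFuture = new CompletableFuture<>();
        if (sub.startsWith(role + "-")) {
            permissionFuture.complete(true);
        } else if (throwOnMismatch) {
            permissionFuture.completeExceptionally(
                new IllegalStateException("subscription must be prefixed by role " + role));
        } else {
            permissionFuture.complete(false);
        }
        return permissionFuture;
    }

    // Assumption of this model: a privileged role is OR-ed with the prefix result.
    // An exceptional prefix result still propagates through thenCombine.
    static CompletableFuture<Boolean> authorize(String role, boolean privileged, String sub, boolean throwOnMismatch) {
        return CompletableFuture.completedFuture(privileged)
            .thenCombine(prefixCheck(role, sub, throwOnMismatch), (p, ok) -> p || ok);
    }

    // Both the original principal (if any) and the connection's own role must pass.
    static String subscribe(String originalPrincipal, String authRole, boolean authRolePrivileged,
                            String sub, boolean throwOnMismatch) {
        CompletableFuture<Boolean> isProxyAuthorizedFuture = originalPrincipal == null
            ? CompletableFuture.completedFuture(true)
            : authorize(originalPrincipal, false, sub, throwOnMismatch);
        CompletableFuture<Boolean> isAuthorizedFuture =
            authorize(authRole, authRolePrivileged, sub, throwOnMismatch);
        try {
            boolean ok = isProxyAuthorizedFuture.thenCombine(isAuthorizedFuture, (a, b) -> a && b).join();
            return ok ? "allowed" : "denied (plain false, no reason attached)";
        } catch (CompletionException e) {
            return "failed: " + e.getCause().getMessage();
        }
    }

    public static void main(String[] args) {
        // Case 1: roleA behind proxy-admin. Case 2: roleB connecting directly with the wrong prefix.
        for (boolean throwOnMismatch : new boolean[] {true, false}) {
            System.out.println("throwOnMismatch=" + throwOnMismatch);
            System.out.println("  roleA via proxy: " + subscribe("roleA", "proxy-admin", true, "roleA-test", throwOnMismatch));
            System.out.println("  roleB direct:    " + subscribe(null, "roleB", false, "roleA-test", throwOnMismatch));
        }
    }
}
```

In this model the exceptional completion fails the `roleA` subscription through the proxy even though `roleA-test` carries the right prefix, while completing with `false` lets it through and turns the `roleB` rejection into a bare denial without the prefix message.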

[GitHub] [pulsar] dragonls edited a comment on issue #10221: Failed to create consumer while using proxy and `Prefix` Subscription Authentication Mode

Posted by GitBox <gi...@apache.org>.
dragonls edited a comment on issue #10221:
URL: https://github.com/apache/pulsar/issues/10221#issuecomment-819207592


   Digging into the code, the broker will check the operation in [org.apache.pulsar.broker.service.ServerCnx#isTopicOperationAllowed](https://github.com/apache/pulsar/blob/master/pulsar-broker/src/main/java/org/apache/pulsar/broker/service/ServerCnx.java#L305).
   
   In this case:
   `service.isAuthorizationEnabled()` is `true`, `originalPrincipal` is `roleA`, `authRole` is `proxy-admin`.
   `isProxyAuthorizedFuture` will be `true`, `isAuthorizedFuture` will throw the `PulsarServerException` (it is actually thrown in [org.apache.pulsar.broker.authorization.PulsarAuthorizationProvider#canConsumeAsync](https://github.com/apache/pulsar/blob/master/pulsar-broker-common/src/main/java/org/apache/pulsar/broker/authorization/PulsarAuthorizationProvider.java#L135); passing `proxy-admin` as the role will throw the exception), which results in the failure of the consumer.
   
   One simple solution is to use `permissionFuture.complete(false)` instead of `permissionFuture.completeExceptionally(ex)`, not throwing the exception in [org.apache.pulsar.broker.authorization.PulsarAuthorizationProvider#canConsumeAsync](https://github.com/apache/pulsar/blob/master/pulsar-broker-common/src/main/java/org/apache/pulsar/broker/authorization/PulsarAuthorizationProvider.java#L135).
   
   But I don't think it is a good solution; it may change the error message for those consumers using an invalid role to subscribe, e.g., `roleB` subscribing to `persistent://test/auth/topic` with subscription `roleA-test`.





[GitHub] [pulsar] dragonls edited a comment on issue #10221: Failed to create consumer while using proxy and `Prefix` Subscription Authentication Mode

Posted by GitBox <gi...@apache.org>.
dragonls edited a comment on issue #10221:
URL: https://github.com/apache/pulsar/issues/10221#issuecomment-819207592


   Digging into the code, the broker will check the operation in [org.apache.pulsar.broker.service.ServerCnx#isTopicOperationAllowed](https://github.com/apache/pulsar/blob/master/pulsar-broker/src/main/java/org/apache/pulsar/broker/service/ServerCnx.java#L305).
   
   In this case:
   `service.isAuthorizationEnabled()` is `true`, `originalPrincipal` is `roleA`, `authRole` is `proxy-admin`.
   `isProxyAuthorizedFuture` will be `true`, `isAuthorizedFuture` will throw the `PulsarServerException` (it is actually thrown in [org.apache.pulsar.broker.authorization.PulsarAuthorizationProvider#canConsumeAsync](https://github.com/apache/pulsar/blob/master/pulsar-broker-common/src/main/java/org/apache/pulsar/broker/authorization/PulsarAuthorizationProvider.java#L135); passing `proxy-admin` as the role will throw the exception), which results in the failure of the consumer.





[GitHub] [pulsar] dragonls commented on issue #10221: Failed to create consumer while using proxy and `Prefix` Subscription Authentication Mode

Posted by GitBox <gi...@apache.org>.
dragonls commented on issue #10221:
URL: https://github.com/apache/pulsar/issues/10221#issuecomment-819207592


   Digging into the code, the broker will check the operation in [org.apache.pulsar.broker.service.ServerCnx#isTopicOperationAllowed](https://github.com/apache/pulsar/blob/master/pulsar-broker/src/main/java/org/apache/pulsar/broker/service/ServerCnx.java#L305).
   
   In this case:
   `service.isAuthorizationEnabled()` is `true`, `originalPrincipal` is `roleA`, `authRole` is `proxy-admin`.
   `isProxyAuthorizedFuture` will be `true`, `isAuthorizedFuture` will throw the `PulsarServerException` (it is actually thrown in [org.apache.pulsar.broker.authorization.PulsarAuthorizationProvider#canConsumeAsync](https://github.com/apache/pulsar/blob/master/pulsar-broker-common/src/main/java/org/apache/pulsar/broker/authorization/PulsarAuthorizationProvider.java#L135); passing `proxy-admin` as the role will throw the exception), which results in the failure of the consumer.
   
   One simple solution is to use `permissionFuture.complete(false)` instead of `permissionFuture.completeExceptionally(ex)`, not throwing the exception in [org.apache.pulsar.broker.authorization.PulsarAuthorizationProvider#canConsumeAsync](https://github.com/apache/pulsar/blob/master/pulsar-broker-common/src/main/java/org/apache/pulsar/broker/authorization/PulsarAuthorizationProvider.java#L135).
   
   





[GitHub] [pulsar] codelipenghui closed issue #10221: Failed to create consumer while using proxy and `Prefix` Subscription Authentication Mode

Posted by GitBox <gi...@apache.org>.
codelipenghui closed issue #10221:
URL: https://github.com/apache/pulsar/issues/10221


   

