Posted to commits@pulsar.apache.org by "vpeddada (via GitHub)" <gi...@apache.org> on 2023/04/12 12:35:30 UTC

[GitHub] [pulsar] vpeddada opened a new issue, #20078: Provide proper exception messages for mTLS authentication

vpeddada opened a new issue, #20078:
URL: https://github.com/apache/pulsar/issues/20078

   ### Search before asking
   
   - [X] I searched in the [issues](https://github.com/apache/pulsar/issues) and found nothing similar.
   
   
   ### Version
   
   Java client (tried with 2.10.2 as well as 2.11.0) --> broker (2.11.0)
   Broker instance OS: Amazon Linux 2023
   Java app running OS: Windows 10
   
   ### Minimal reproduce step
   
   1. Configure the Pulsar instance for mTLS authentication using a keystore. Then create the Pulsar client using the following sample code.
   ```java
   PulsarClient client = PulsarClient.builder()
       .serviceUrl("pulsar+ssl://broker.example.com:6651/")
       .useKeyStoreTls(true)
       .tlsTrustStorePath("/var/private/tls/client.truststore.jks")
       .tlsTrustStorePassword("clientpw")
       .allowTlsInsecureConnection(false)
       .enableTlsHostnameVerification(false)
       .authentication(
               "org.apache.pulsar.client.impl.auth.AuthenticationKeyStoreTls",
               "keyStoreType:JKS,keyStorePath:/var/private/tls/client.keystore.jks,keyStorePassword:clientpw")
       .build();
   ```
   2. Provide incorrect keystore details, password details or an incorrect configuration (incorrect steps to create the keystore files or broker configuration).
   
   ### What did you expect to see?
   
   Proper exception messages should be returned with relevant causes of the exception.
   
   ### What did you see instead?
   
   For any type of issue with the JKS files, the password or the broker instance configuration, only a single exception will be returned.
   
   > org.apache.pulsar.client.api.PulsarClientException: java.util.concurrent.CompletionException: java.lang.NullPointerException{"previous":[{"attempt":0,"error":"java.util.concurrent.CompletionException: org.apache.pulsar.client.api.PulsarClientException: java.util.concurrent.CompletionException: java.lang.NullPointerException"},{"attempt":1,"error":"java.util.concurrent.CompletionException: org.apache.pulsar.client.api.PulsarClientException: java.util.concurrent.CompletionException: java.lang.NullPointerException"},{"attempt":2,"error":"java.util.concurrent.CompletionException: org.apache.pulsar.client.api.PulsarClientException: java.util.concurrent.CompletionException: java.lang.NullPointerException"},{"attempt":3,"error":"java.util.concurrent.CompletionException: org.apache.pulsar.client.api.PulsarClientException: java.util.concurrent.CompletionException: java.lang.NullPointerException"},{"attempt":4,"error":"java.util.concurrent.CompletionException: org.apache.pulsar.client.api.PulsarClientException: java.util.concurrent.CompletionException: java.lang.NullPointerException"},{"attempt":5,"error":"java.util.concurrent.CompletionException: org.apache.pulsar.client.api.PulsarClientException: java.util.concurrent.CompletionException: java.lang.NullPointerException"},{"attempt":6,"error":"java.util.concurrent.CompletionException: org.apache.pulsar.client.api.PulsarClientException: java.util.concurrent.CompletionException: java.lang.NullPointerException"},{"attempt":7,"error":"java.util.concurrent.CompletionException: org.apache.pulsar.client.api.PulsarClientException: java.util.concurrent.CompletionException: java.lang.NullPointerException"},{"attempt":8,"error":"java.util.concurrent.CompletionException: org.apache.pulsar.client.api.PulsarClientException: java.util.concurrent.CompletionException: java.lang.NullPointerException"}]}]..
   
   ### Anything else?
   
   _No response_
   
   ### Are you willing to submit a PR?
   
   - [ ] I'm willing to submit a PR!


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@pulsar.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org
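An added pre-flight check (not part of the issue or of Pulsar's own code) that loads the keystore and truststore from the sample config above with the JDK `KeyStore` API and reports which file or password is wrong before `PulsarClient.builder()` is ever called, instead of the bare NullPointerException the report shows. The class name `KeyStorePreflight` and the assumption that the private key must be recoverable with `keyStorePassword` (the only password the config string carries) are mine.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import java.util.Collections;

// Hypothetical helper: validates the JKS files the sample config hands to
// AuthenticationKeyStoreTls and turns JDK failures into actionable messages.
public final class KeyStorePreflight {
    // The JDK reports a wrong JKS password as an IOException ("Keystore was tampered
    // with, or password was incorrect") whose cause is UnrecoverableKeyException.
    public static KeyStore load(String type, String path, String password) throws IOException, GeneralSecurityException {
        Path file = Path.of(path);
        if (!Files.isReadable(file)) {
            throw new IOException("keystore not readable: " + file.toAbsolutePath());
        }
        KeyStore store = KeyStore.getInstance(type);
        try (InputStream in = Files.newInputStream(file)) {
            store.load(in, password.toCharArray());
        } catch (IOException e) {
            if (e.getCause() instanceof UnrecoverableKeyException) {
                throw new IOException("wrong password for " + file + " (password not logged)", e);
            }
            throw new IOException("cannot parse " + type + " store " + file + ": " + e.getMessage(), e);
        }
        return store;
    }
    // Keystore must hold a private key recoverable with keyStorePassword (assumption: store and
    // key share it); truststore must hold at least one certificate. Run before PulsarClient.builder().
    public static void checkClientMaterial(String ksType, String ksPath, String ksPassword,
                                           String tsPath, String tsPassword) throws IOException, GeneralSecurityException {
        KeyStore ks = load(ksType, ksPath, ksPassword);
        boolean hasKey = false;
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isKeyEntry(alias)) {
                ks.getKey(alias, ksPassword.toCharArray()); // UnrecoverableKeyException if key password differs
                hasKey = true;
            }
        }
        if (!hasKey) {
            throw new GeneralSecurityException("no private key entry in " + ksPath + "; mTLS needs a client key");
        }
        if (!load("JKS", tsPath, tsPassword).aliases().hasMoreElements()) {
            throw new GeneralSecurityException("no trusted certificates in " + tsPath);
        }
    }
}
```

Calling `checkClientMaterial("JKS", "/var/private/tls/client.keystore.jks", "clientpw", "/var/private/tls/client.truststore.jks", "clientpw")` with the values from the sample config fails fast with the file name and failure class, never the password itself.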


[GitHub] [pulsar] tisonkun commented on issue #20078: Provide proper exception messages for mTLS authentication

Posted by "tisonkun (via GitHub)" <gi...@apache.org>.
tisonkun commented on issue #20078:
URL: https://github.com/apache/pulsar/issues/20078#issuecomment-1505385185

   I made a patch to improve the exception here, but I don't know if throwing an exception instead of returning null and triggering an NPE changes other call points. You can investigate deeper and submit a patch with the investigation, or merge this patch in your deployment and report if it works well:
   
   ```diff
   diff --git a/pulsar-broker-common/src/main/java/org/apache/pulsar/jetty/tls/JettySslContextFactory.java b/pulsar-broker-common/src/main/java/org/apache/pulsar/jetty/tls/JettySslContextFactory.java
   index 46a8604599..163e1ed01f 100644
   --- a/pulsar-broker-common/src/main/java/org/apache/pulsar/jetty/tls/JettySslContextFactory.java
   +++ b/pulsar-broker-common/src/main/java/org/apache/pulsar/jetty/tls/JettySslContextFactory.java
   @@ -18,6 +18,8 @@
     */
    package org.apache.pulsar.jetty.tls;
    
   +import java.io.IOException;
   +import java.security.GeneralSecurityException;
    import java.util.Set;
    import javax.net.ssl.SSLContext;
    import lombok.extern.slf4j.Slf4j;
   @@ -110,7 +112,11 @@ public class JettySslContextFactory {
    
            @Override
            public SSLContext getSslContext() {
   -            return sslCtxRefresher.get();
   +            try {
   +                return sslCtxRefresher.get();
   +            } catch (GeneralSecurityException | IOException e) {
   +                return null;
   +            }
            }
        }
    }
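   Review bot: the new catch in `getSslContext()` swallows `GeneralSecurityException | IOException` and returns null, which is the same null-then-NPE path the `SslContextAutoRefreshBuilder` change below is trying to remove, and here the cause is not logged at all. Either rethrow (wrapped in an unchecked exception if the overridden signature cannot declare the checked types) or at least `log.error(..., e)` before `return null;`, so a broken keystore on the broker's Jetty side does not surface only as an NPE.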
   diff --git a/pulsar-common/src/main/java/org/apache/pulsar/common/util/SslContextAutoRefreshBuilder.java b/pulsar-common/src/main/java/org/apache/pulsar/common/util/SslContextAutoRefreshBuilder.java
   index 8c8f580046..e071c315fe 100644
   --- a/pulsar-common/src/main/java/org/apache/pulsar/common/util/SslContextAutoRefreshBuilder.java
   +++ b/pulsar-common/src/main/java/org/apache/pulsar/common/util/SslContextAutoRefreshBuilder.java
   @@ -72,18 +72,19 @@ public abstract class SslContextAutoRefreshBuilder<T> {
         *
         * @return
         */
   -    public T get() {
   +    public T get() throws GeneralSecurityException, IOException {
            T ctx = getSslContext();
            if (ctx == null) {
                try {
   -                update();
   +                ctx = update();
                    lastRefreshTime = System.currentTimeMillis();
   -                return getSslContext();
   +                return ctx;
                } catch (GeneralSecurityException | IOException e) {
                    log.error("Exception while trying to refresh ssl Context {}", e.getMessage(), e);
   +                throw e;
                }
            } else {
   -            long now = System.currentTimeMillis();
   +            final long now = System.currentTimeMillis();
                if (refreshTime <= 0 || now > (lastRefreshTime + refreshTime)) {
                    if (needUpdate()) {
                        try {
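   Review bot: `ctx = update();` relies on `update()` returning the refreshed context rather than only installing it; if it can return null, `return ctx;` hands callers the same null that produced the original NPE, so a null check that throws a descriptive exception (keystore path, never the password) would close that gap. Also, `log.error(..., e)` immediately followed by `throw e;` means every caller that logs the exception produces a duplicate entry; log here or at the call site, not both.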
   @@ -91,10 +92,11 @@ public abstract class SslContextAutoRefreshBuilder<T> {
                            lastRefreshTime = now;
                        } catch (GeneralSecurityException | IOException e) {
                            log.error("Exception while trying to refresh ssl Context {} ", e.getMessage(), e);
   +                        throw e;
                        }
                    }
                }
   +            return ctx;
            }
   -        return ctx;
        }
    }
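   Review bot: moving `return ctx;` inside the else branch and adding `throw e;` changes the periodic-refresh behaviour: before this hunk a failed `needUpdate()` refresh was logged and the still-valid existing `ctx` was returned, whereas now a transient error while re-reading the keystore (for example mid-rotation) fails the connection outright. Consider keeping the fall-back to the existing context on the refresh path and only throwing when there is no context at all, as the first branch does.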
   diff --git a/pulsar-proxy/src/main/java/org/apache/pulsar/proxy/server/DirectProxyHandler.java b/pulsar-proxy/src/main/java/org/apache/pulsar/proxy/server/DirectProxyHandler.java
   index d63b04b673..117acae147 100644
   --- a/pulsar-proxy/src/main/java/org/apache/pulsar/proxy/server/DirectProxyHandler.java
   +++ b/pulsar-proxy/src/main/java/org/apache/pulsar/proxy/server/DirectProxyHandler.java
   @@ -189,9 +189,10 @@ public class DirectProxyHandler {
    
            b.handler(new ChannelInitializer<SocketChannel>() {
                @Override
   -            protected void initChannel(SocketChannel ch) {
   -                ch.pipeline().addLast("consolidation", new FlushConsolidationHandler(1024,
   -                        true));
   +            protected void initChannel(SocketChannel ch) throws Exception {
   +                ch.pipeline().addLast(
   +                        "consolidation",
   +                        new FlushConsolidationHandler(1024, true));
                    if (tlsEnabledWithBroker) {
                        String host = targetBrokerAddress.getHostString();
                        int port = targetBrokerAddress.getPort();
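   Review bot: `throws Exception` on `initChannel` is wider than the `GeneralSecurityException | IOException` introduced upstream; Netty's `ChannelInitializer.initChannel` does declare `throws Exception`, so this compiles, but declaring the two specific types (or catching them and closing the channel with a clear message) documents which failures are expected at this point. The `addLast` reflow is cosmetic and fine.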
   ```




[GitHub] [pulsar] tisonkun commented on issue #20078: Provide proper exception messages for mTLS authentication

Posted by "tisonkun (via GitHub)" <gi...@apache.org>.
tisonkun commented on issue #20078:
URL: https://github.com/apache/pulsar/issues/20078#issuecomment-1505335717

   The server side can provide a reasonable error message:
   
   ```
   java.io.IOException: Keystore was tampered with, or password was incorrect
   	at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:813) ~[?:?]
   	at sun.security.util.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:221) ~[?:?]
   	at java.security.KeyStore.load(KeyStore.java:1473) ~[?:?]
   	at org.apache.pulsar.common.util.keystoretls.KeyStoreSSLContext.createSSLContext(KeyStoreSSLContext.java:147) ~[classes/:?]
   	at org.apache.pulsar.common.util.keystoretls.KeyStoreSSLContext.createClientKeyStoreSslContext(KeyStoreSSLContext.java:236) ~[classes/:?]
   	at org.apache.pulsar.common.util.keystoretls.NettySSLContextAutoRefreshBuilder.update(NettySSLContextAutoRefreshBuilder.java:134) ~[classes/:?]
   	at org.apache.pulsar.common.util.keystoretls.NettySSLContextAutoRefreshBuilder.update(NettySSLContextAutoRefreshBuilder.java:32) ~[classes/:?]
   	at org.apache.pulsar.common.util.SslContextAutoRefreshBuilder.get(SslContextAutoRefreshBuilder.java:79) ~[classes/:?]
   	at org.apache.pulsar.client.impl.PulsarChannelInitializer.lambda$initTls$1(PulsarChannelInitializer.java:176) ~[classes/:?]
   	at io.netty.util.concurrent.AbstractEventExecutor.runTask$$$capture(AbstractEventExecutor.java:174) ~[netty-common-4.1.89.Final.jar:4.1.89.Final]
   	at io.netty.util.concurrent.AbstractEventExecutor.runTask(AbstractEventExecutor.java) ~[netty-common-4.1.89.Final.jar:4.1.89.Final]
   	at io.netty.util.concurrent.AbstractEventExecutor.safeExecute$$$capture(AbstractEventExecutor.java:167) ~[netty-common-4.1.89.Final.jar:4.1.89.Final]
   	at io.netty.util.concurrent.AbstractEventExecutor.safeExecute(AbstractEventExecutor.java) ~[netty-common-4.1.89.Final.jar:4.1.89.Final]
   	at io.netty.util.concurrent.SingleThreadEventExecutor.runAllTasks(SingleThreadEventExecutor.java:470) ~[netty-common-4.1.89.Final.jar:4.1.89.Final]
   	at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:569) ~[netty-transport-4.1.89.Final.jar:4.1.89.Final]
   	at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:997) ~[netty-common-4.1.89.Final.jar:4.1.89.Final]
   	at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74) ~[netty-common-4.1.89.Final.jar:4.1.89.Final]
   	at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30) ~[netty-common-4.1.89.Final.jar:4.1.89.Final]
   	at java.lang.Thread.run(Thread.java:833) ~[?:?]
   Caused by: java.security.UnrecoverableKeyException: Password verification failed
   	at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:811) ~[?:?]
   	... 18 more
   ```




[GitHub] [pulsar] tisonkun commented on issue #20078: Provide proper exception messages for mTLS authentication

Posted by "tisonkun (via GitHub)" <gi...@apache.org>.
tisonkun commented on issue #20078:
URL: https://github.com/apache/pulsar/issues/20078#issuecomment-1505292118

   Thanks for reporting this issue!
   
   The exception stack can be too deep, but we cannot log the password:
   
   > Caused by: org.apache.pulsar.client.api.PulsarClientException: java.util.concurrent.CompletionException: java.lang.NullPointerException: Cannot invoke "org.apache.pulsar.common.util.keystoretls.KeyStoreSSLContext.createSSLEngine(String, int)" because the return value of "org.apache.pulsar.common.util.keystoretls.NettySSLContextAutoRefreshBuilder.get()" is null{"previous":[{"attempt":0,"error":"java.util.concurrent.CompletionException: org.apache.pulsar.client.api.PulsarClientException: java.util.concurrent.CompletionException: java.lang.NullPointerException: Cannot invoke \"org.apache.pulsar.common.util.keystoretls.KeyStoreSSLContext.createSSLEngine(String, int)\" because the return value of \"org.apache.pulsar.common.util.keystoretls.NettySSLContextAutoRefreshBuilder.get()\" is null"},{"attempt":1,"error":"java.util.concurrent.CompletionException: org.apache.pulsar.client.api.PulsarClientException: java.util.concurrent.CompletionException: java.lang.NullPointerException: Cannot invoke \"org.apache.pulsar.common.util.keystoretls.KeyStoreSSLContext.createSSLEngine(String, int)\" because the return value of \"org.apache.pulsar.common.util.keystoretls.NettySSLContextAutoRefreshBuilder.get()\" is null"},{"attempt":2,"error":"java.util.concurrent.CompletionException: org.apache.pulsar.client.api.PulsarClientException: java.util.concurrent.CompletionException: java.lang.NullPointerException: Cannot invoke \"org.apache.pulsar.common.util.keystoretls.KeyStoreSSLContext.createSSLEngine(String, int)\" because the return value of \"org.apache.pulsar.common.util.keystoretls.NettySSLContextAutoRefreshBuilder.get()\" is null"},{"attempt":3,"error":"java.util.concurrent.CompletionException: org.apache.pulsar.client.api.PulsarClientException: java.util.concurrent.CompletionException: java.lang.NullPointerException: Cannot invoke \"org.apache.pulsar.common.util.keystoretls.KeyStoreSSLContext.createSSLEngine(String, int)\" because the return value of \"org.apache.pulsar.common.util.keystoretls.NettySSLContextAutoRefreshBuilder.get()\" is null"}]}
   
   
   If you take a closer look, it writes:
   
   > \"org.apache.pulsar.common.util.keystoretls.NettySSLContextAutoRefreshBuilder.get()\"




[GitHub] [pulsar] tisonkun commented on issue #20078: Provide proper exception messages for mTLS authentication

Posted by "tisonkun (via GitHub)" <gi...@apache.org>.
tisonkun commented on issue #20078:
URL: https://github.com/apache/pulsar/issues/20078#issuecomment-1507875518

   Close as answered. The meaningful exception is included in the client logs, although not at the very end.
   
   If anyone finds that the patch above can be properly integrated into master, feel free to submit a patch to improve the experience.




[GitHub] [pulsar] tisonkun closed issue #20078: Provide proper exception messages for mTLS authentication

Posted by "tisonkun (via GitHub)" <gi...@apache.org>.
tisonkun closed issue #20078: Provide proper exception messages for mTLS authentication 
URL: https://github.com/apache/pulsar/issues/20078

