Posted to dev@pulsar.apache.org by Apache Pulsar Slack <ap...@gmail.com> on 2019/10/12 09:11:02 UTC

Slack digest for #dev - 2019-10-12

2019-10-11 13:02:59 UTC - Chris Bartholomew: @Chris Bartholomew has joined the channel
----
2019-10-11 13:39:52 UTC - Kendall Magesh-Davis: I still can’t get authentication/authorization to work when deploying from the helm chart.

I used JWT.io to create an HS256 token with the following payload and secret:
```{
  "sub": "1234567890",
  "name": "John Doe",
  "iat": 1516239022
}```
Verify signature:
```HMACSHA256(
  base64UrlEncode(header) + "." +
  base64UrlEncode(payload),
  
525bdd873956add83f116d613f2ee50b773dabf0d2ee936a1f7135aadc48b292

) secret base64 encoded```

That generated the following token:
```eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.H76MPntO8M3f-YEN4S4xAJUUv8hVTclyDP1TtW5YuZo```

Then configured the broker config in the helm chart as follows:
```authenticationEnabled: "true"
    authorizationEnabled: "true"
    authenticationProviders: "org.apache.pulsar.broker.authentication.AuthenticationProviderToken"
    tokenSecretKey: "data:base64,525bdd873956add83f116d613f2ee50b773dabf0d2ee936a1f7135aadc48b292"
    superUserRoles: "admin"
    authPlugin: "org.apache.pulsar.client.impl.auth.AuthenticationToken"
    brokerClientAuthenticationPlugin: "org.apache.pulsar.client.impl.auth.AuthenticationToken"
    brokerClientAuthenticationParameters: "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.H76MPntO8M3f-YEN4S4xAJUUv8hVTclyDP1TtW5YuZo"
    ```

When deploying the helm chart, the brokers enter a `CrashLoopBackOff` state due to the following error:
` Exception while at creating producer to topic <persistent://public/functions/assignments>`
because
```13:37:28.938 [pulsar-io-24-2] WARN  org.apache.pulsar.broker.service.ServerCnx - [/10.50.0.98:36752] Unable to authenticate
javax.naming.AuthenticationException: Failed to authentication token: JWT signature does not match locally computed signature. JWT validity cannot be asserted and should not be trusted.```
----
2019-10-11 13:40:51 UTC - Kendall Magesh-Davis: What am I missing here? I feel like I’m close
----
2019-10-11 14:29:24 UTC - chris: i think the authentication parameters take a key:value string. does setting `brokerClientAuthenticationParameters:` to `token:<your-jwt-token>` work?
----
2019-10-11 14:33:20 UTC - Kendall Magesh-Davis: same error
----
2019-10-11 14:33:36 UTC - Kendall Magesh-Davis: ```brokerClientAuthenticationParameters:
----
token:eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.H76MPntO8M3f-YEN4S4xAJUUv8hVTclyDP1TtW5YuZo```
----
2019-10-11 14:40:08 UTC - chris: have you tried creating jwt tokens with the pulsar cli?
----
2019-10-11 14:40:09 UTC - chris: <https://pulsar.apache.org/docs/en/security-token-admin/#secret-vs-public-private-keys>
----
2019-10-11 14:46:20 UTC - Kendall Magesh-Davis: I haven’t - but should they be any different? I probably wouldn’t use pulsar to create its own token when deploying with helm
----
2019-10-11 14:46:27 UTC - Kendall Magesh-Davis: chicken and egg scenario
----
2019-10-11 14:53:55 UTC - chris: you can download the pulsar binaries locally and run the commands before you deploy to helm. In theory they should be the same. There are also some commands to verify that the token was generated correctly `pulsar tokens show|validate`
----
2019-10-11 14:55:56 UTC - Kendall Magesh-Davis: You’re right, that would work
----
2019-10-11 14:56:09 UTC - Kendall Magesh-Davis: I’ll try that
----
2019-10-11 17:31:48 UTC - Addison Higham: okay, this is confirmed to fix the proxy issue:
<https://github.com/apache/pulsar/pull/5361>
----
2019-10-11 17:31:53 UTC - Addison Higham: @Matteo Merli ^^
----
2019-10-11 17:37:35 UTC - Matteo Merli: Change LGTM, added a comment on the test
----
2019-10-11 18:39:54 UTC - Addison Higham: I couldn't find a GH issue... any plans on when redelivery count and DLQ will be added to c++ client?
----
2019-10-11 20:04:48 UTC - Ali Ahmed: Can someone help me test out my azure ci based pull request check. I have enabled it on my fork here
<https://github.com/aahmed-se/incubator-pulsar/pull/6>. Need someone to fork my forked repo and submit a pr to it on master so I can check whether the azure job gets picked up correctly. If this works out I will get in touch with apache infra to replace jenkins.
----
2019-10-11 20:43:47 UTC - Kendall Magesh-Davis: this is… frustrating.
`bin/pulsar tokens create-secret-key --output  /opt/my-secret.key --base64`
```bin/pulsar tokens create -sk /opt/my-secret.key -s admin
Exception in thread "main" io.jsonwebtoken.io.DecodingException: Illegal base64 character: '-'
	at io.jsonwebtoken.io.Base64.ctoi(Base64.java:206)
	at io.jsonwebtoken.io.Base64.decodeFast(Base64.java:255)
	at io.jsonwebtoken.io.Base64Decoder.decode(Base64Decoder.java:21)
	at io.jsonwebtoken.io.Base64Decoder.decode(Base64Decoder.java:8)
	at io.jsonwebtoken.io.ExceptionPropagatingDecoder.decode(ExceptionPropagatingDecoder.java:21)
	at org.apache.pulsar.broker.authentication.utils.AuthTokenUtils.readKeyFromUrl(AuthTokenUtils.java:115)
	at org.apache.pulsar.utils.auth.tokens.TokensCliUtils$CommandCreateToken.run(TokensCliUtils.java:149)
	at org.apache.pulsar.utils.auth.tokens.TokensCliUtils.main(TokensCliUtils.java:319)```
----
2019-10-11 20:55:19 UTC - Kendall Magesh-Davis: worth noting - that token has no `-` character. `0YslEKx21RPnijgxbUylXjVmTTgjClJieRy3zqqjjKM=`
----
2019-10-11 21:34:54 UTC - Ali Ahmed: <https://issues.apache.org/jira/browse/INFRA-17030?jql=text%20~%20%22azure%20pipelines%22>
----