Posted to commits@pulsar.apache.org by GitBox <gi...@apache.org> on 2019/12/16 06:20:31 UTC
[GitHub] [pulsar] zymap edited a comment on issue #5841: Biscuit customs
authentication and authorization providers usages.
URL: https://github.com/apache/pulsar/issues/5841#issuecomment-565921583
Hi @KannarFr, I have reproduced your problem on my laptop.
And I got the same error as you. At the same time, the server was throwing an exception:
```
13:59:27.132 [pulsar-io-35-1] INFO com.clevercloud.biscuitpulsar.AuthenticationProviderBiscuit - Biscuit to parse: Ck0IABIFdG9waWMSB3Byb2R1Y2UaOQo3CAQSBAgAEAASBAgAEAcSCggDKgZwdWJsaWMSCwgDKgdkZWZhdWx0EggIAyoEdGVzdBIECAAQCBogEOKv5aNjujWb9Ry9wgKtXWbAdsDvyK0PeJplco-DQgUiRAogSI-HOSHn-Z16ptBB8Xbe8szZGi-05FObmBx1qJecYXMSIEAdgMiKTsxqGpeLgeJDghISDxu25CipbP6v1bxoohgM
13:59:27.195 [pulsar-io-35-1] INFO com.clevercloud.biscuitpulsar.AuthenticationProviderBiscuit - Deserialized biscuit
13:59:27.198 [pulsar-io-35-1] WARN org.apache.pulsar.broker.service.ServerCnx - [/127.0.0.1:51685] Unable to authenticate
javax.naming.AuthenticationException: This biscuit was not generated with the expected root key
at com.clevercloud.biscuitpulsar.AuthenticationProviderBiscuit.parseBiscuit(AuthenticationProviderBiscuit.java:104) ~[biscuit-pulsar-1.0-SNAPSHOT.jar:?]
at com.clevercloud.biscuitpulsar.AuthenticationProviderBiscuit.authenticate(AuthenticationProviderBiscuit.java:61) ~[biscuit-pulsar-1.0-SNAPSHOT.jar:?]
at org.apache.pulsar.broker.authentication.OneStageAuthenticationState.<init>(OneStageAuthenticationState.java:46) ~[org.apache.pulsar-pulsar-broker-common-2.4.1.jar:2.4.1]
at org.apache.pulsar.broker.authentication.AuthenticationProvider.newAuthState(AuthenticationProvider.java:76) ~[org.apache.pulsar-pulsar-broker-common-2.4.1.jar:2.4.1]
at org.apache.pulsar.broker.service.ServerCnx.handleConnect(ServerCnx.java:549) [org.apache.pulsar-pulsar-broker-2.4.1.jar:2.4.1]
at org.apache.pulsar.common.protocol.PulsarDecoder.channelRead(PulsarDecoder.java:143) [org.apache.pulsar-pulsar-common-2.4.1.jar:2.4.1]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) [io.netty-netty-all-4.1.32.Final.jar:4.1.32.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) [io.netty-netty-all-4.1.32.Final.jar:4.1.32.Final]
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340) [io.netty-netty-all-4.1.32.Final.jar:4.1.32.Final]
at io.netty.handler.codec.ByteToMessageDecoder.fireChannelRead(ByteToMessageDecoder.java:323) [io.netty-netty-all-4.1.32.Final.jar:4.1.32.Final]
at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:297) [io.netty-netty-all-4.1.32.Final.jar:4.1.32.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) [io.netty-netty-all-4.1.32.Final.jar:4.1.32.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) [io.netty-netty-all-4.1.32.Final.jar:4.1.32.Final]
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340) [io.netty-netty-all-4.1.32.Final.jar:4.1.32.Final]
at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1434) [io.netty-netty-all-4.1.32.Final.jar:4.1.32.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) [io.netty-netty-all-4.1.32.Final.jar:4.1.32.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) [io.netty-netty-all-4.1.32.Final.jar:4.1.32.Final]
at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:965) [io.netty-netty-all-4.1.32.Final.jar:4.1.32.Final]
at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:163) [io.netty-netty-all-4.1.32.Final.jar:4.1.32.Final]
at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:656) [io.netty-netty-all-4.1.32.Final.jar:4.1.32.Final]
at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:591) [io.netty-netty-all-4.1.32.Final.jar:4.1.32.Final]
at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:508) [io.netty-netty-all-4.1.32.Final.jar:4.1.32.Final]
at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:470) [io.netty-netty-all-4.1.32.Final.jar:4.1.32.Final]
at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:909) [io.netty-netty-all-4.1.32.Final.jar:4.1.32.Final]
at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30) [io.netty-netty-all-4.1.32.Final.jar:4.1.32.Final]
at java.lang.Thread.run(Thread.java:748) [?:1.8.0_201]
13:59:27.214 [pulsar-io-35-1] INFO org.apache.pulsar.broker.service.ServerCnx - Closed connection from /127.0.0.1:51685
```
That looks like an error when authenticating the client. Is the client key right?
Is there any association between the biscuitRootKey and the pulsar client?
```
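// Constant seed; whether this makes the key pair repeatable depends on the
// SecureRandom provider in use.
byte[] seed = {0, 0, 0, 0};
SecureRandom rng = new SecureRandom(seed);
// A root key pair is created here, in the client, each time this code runs.
KeyPair root = new KeyPair(rng);
// Log the hex-encoded compressed public key of that root.
LOGGER.info("ROOT PUBLICKEY");
LOGGER.info(hex(root.public_key().key.compress().toByteArray()));
SymbolTable symbols = Biscuit.default_symbol_table();
// Authority block holding one fact: the "produce" right on topic public/default/test.
Block authority_builder = new Block(0, symbols);
authority_builder.add_fact(fact("right", Arrays.asList(s("authority"), s("topic"), string("public"), string("default"), string("test"), s("produce"))));
// Mint the token, signed with the root key pair created above.
Biscuit b = Biscuit.make(rng, root, Biscuit.default_symbol_table(), authority_builder.build()).get();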
```
It seems we always create a new root to connect to the broker. I am not sure if this is the right process?
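The situation the comment asks about, as an added example that is not part of zymap's comment or of the biscuit-pulsar code: a verifier that trusts one configured root public key rejects a token signed by a root created at client startup and accepts one signed by the provisioned root. It assumes JDK 15+ and uses the JDK's plain Ed25519 as a stand-in for Biscuit's own signature scheme; `brokerAccepts`, `mint` and the token body are hypothetical names and constructed data.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.security.spec.X509EncodedKeySpec;
import java.util.Base64;

// Added illustration: plain Ed25519 (JDK 15+) stands in for Biscuit's signature scheme.
public class RootKeyMismatchDemo {

    // Broker side (hypothetical helper): only the configured root public key is trusted.
    static boolean brokerAccepts(String configuredRootKeyB64, byte[] token, byte[] sig)
            throws GeneralSecurityException {
        PublicKey root = KeyFactory.getInstance("Ed25519").generatePublic(
                new X509EncodedKeySpec(Base64.getDecoder().decode(configuredRootKeyB64)));
        Signature v = Signature.getInstance("Ed25519");
        v.initVerify(root);
        v.update(token);
        return v.verify(sig);
    }

    // Client side (hypothetical helper): sign the token body with the root the client holds.
    static byte[] mint(PrivateKey rootPrivate, byte[] token) throws GeneralSecurityException {
        Signature s = Signature.getInstance("Ed25519");
        s.initSign(rootPrivate);
        s.update(token);
        return s.sign();
    }

    public static void main(String[] args) throws GeneralSecurityException {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("Ed25519");

        // Root key pair created once; its public half goes into the broker configuration.
        KeyPair provisioned = gen.generateKeyPair();
        String brokerRootKey =
                Base64.getEncoder().encodeToString(provisioned.getPublic().getEncoded());

        // Constructed token body mirroring the fact in the snippet above.
        byte[] token = "right(topic, public/default/test, produce)"
                .getBytes(StandardCharsets.UTF_8);

        // Case 1: the client generates a new root on startup, as the snippet does.
        KeyPair fresh = gen.generateKeyPair();
        System.out.println("fresh root accepted:       "
                + brokerAccepts(brokerRootKey, token, mint(fresh.getPrivate(), token)));

        // Case 2: the client signs with the root whose public key the broker was given.
        System.out.println("provisioned root accepted: "
                + brokerAccepts(brokerRootKey, token, mint(provisioned.getPrivate(), token)));
    }
}
```

When triaging this class of failure, compare the public key the client logs at startup with the value the broker has in `biscuitRootKey`; if they differ, the token was minted under a different root.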