You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@pulsar.apache.org by GitBox <gi...@apache.org> on 2019/01/23 22:50:50 UTC
[GitHub] rsamo opened a new issue #3414: pulsar-admin - HTTP 401
Authentication required / 500 Internal Server Error
rsamo opened a new issue #3414: pulsar-admin - HTTP 401 Authentication required / 500 Internal Server Error
URL: https://github.com/apache/pulsar/issues/3414
**Describe the bug**
When issuing some commands via the pulsar-admin CLI or REST API, you will receive a HTTP 401 Authentication required or 500 Internal Server Error.
**To Reproduce**
Our cluster has TLS enabled and certs issued for use by the pulsar-admin CLI. The certs and settings are picked up by the $PULSAR_HOME/conf/client.conf file.
Example $PULSAR_HOME/conf/client.conf
```sh
# Configuration for pulsar-client and pulsar-admin CLI tools
# URL for Pulsar REST API (for admin operations)
# For TLS:
webServiceUrl=https://mypulsar.cluster.com:8443/
# URL for Pulsar Binary Protocol (for produce and consume operations)
# For TLS:
brokerServiceUrl=pulsar+ssl://mypulsar.cluster.com:6651/
# Authentication plugin to authenticate with servers
# e.g. for TLS
useTLS=true
authPlugin=org.apache.pulsar.client.impl.auth.AuthenticationTls
# Parameters passed to authentication plugin.
# A comma separated list of key:value pairs.
# Keys depend on the configured authPlugin.
# e.g. for TLS
authParams=tlsCertFile:/opt/pulsar/certificates/admin.cert.pem,tlsKeyFile:/opt/pulsar/certificates/admin.key-pk8.pem
# Allow TLS connections to servers whose certificate cannot be
# be verified to have been signed by a trusted certificate
# authority.
tlsAllowInsecureConnection=false
# Whether server hostname must match the common name of the certificate
# the server is using.
tlsEnableHostnameVerification=false
# Path for the trusted TLS certificate file.
# This cert is used to verify that any cert presented by a server
# is signed by a certificate authority. If this verification
# fails, then the cert is untrusted and the connection is dropped.
tlsTrustCertsFilePath=/opt/pulsar/certificates/ca.cert.pem
```
You can create tenants, namespaces, and perform most admin functions with no problem but when it comes to partitioned topics, that seems to be where the trouble kicks in.
If you execute an admin command that deals with partitioned topics like deletes or unsubscribes, etc., for example:
```sh
$PULSAR_HOME/bin/pulsar-admin topics delete-partitioned-topic persistent://my-tenant/my-namespace/my-topic
```
You receive:
```sh
Failed to perform http delete request: javax.ws.rs.InternalServerErrorException: HTTP 500 Internal Server Error
HTTP 500 Internal Server Error
Reason: HTTP 500 Internal Server Error`
```
And the logs for the broker show:
```sh
`17:29:34.932 [jersey-client-async-executor-1] ERROR org.apache.pulsar.broker.admin.impl.PersistentTopicsBase - [null] Failed to delete partition persistent://my-tenant/my-namespace/my-topic-partition-18
org.apache.pulsar.client.admin.PulsarAdminException$NotAuthorizedException: HTTP 401 Authentication required
at org.apache.pulsar.client.admin.internal.BaseResource.getApiException(BaseResource.java:170) ~[org.apache.pulsar-pulsar-client-admin-original-2.2.0.jar:2.2.0]
at org.apache.pulsar.client.admin.internal.BaseResource$3.failed(BaseResource.java:142) [org.apache.pulsar-pulsar-client-admin-original-2.2.0.jar:2.2.0]
at org.glassfish.jersey.client.JerseyInvocation$7.failed(JerseyInvocation.java:965) [org.glassfish.jersey.core-jersey-client-2.25.jar:?]
at org.glassfish.jersey.client.JerseyInvocation$7.completed(JerseyInvocation.java:952) [org.glassfish.jersey.core-jersey-client-2.25.jar:?]
at org.glassfish.jersey.client.ClientRuntime.processResponse(ClientRuntime.java:196) [org.glassfish.jersey.core-jersey-client-2.25.jar:?]
at org.glassfish.jersey.client.ClientRuntime.access$300(ClientRuntime.java:74) [org.glassfish.jersey.core-jersey-client-2.25.jar:?]
at org.glassfish.jersey.client.ClientRuntime$2$1$1.run(ClientRuntime.java:166) [org.glassfish.jersey.core-jersey-client-2.25.jar:?]
at org.glassfish.jersey.internal.Errors$1.call(Errors.java:271) [org.glassfish.jersey.core-jersey-common-2.25.jar:?]
at org.glassfish.jersey.internal.Errors$1.call(Errors.java:267) [org.glassfish.jersey.core-jersey-common-2.25.jar:?]
at org.glassfish.jersey.internal.Errors.process(Errors.java:315) [org.glassfish.jersey.core-jersey-common-2.25.jar:?]
at org.glassfish.jersey.internal.Errors.process(Errors.java:297) [org.glassfish.jersey.core-jersey-common-2.25.jar:?]
at org.glassfish.jersey.internal.Errors.process(Errors.java:267) [org.glassfish.jersey.core-jersey-common-2.25.jar:?]
at org.glassfish.jersey.process.internal.RequestScope.runInScope(RequestScope.java:340) [org.glassfish.jersey.core-jersey-common-2.25.jar:?]
at org.glassfish.jersey.client.ClientRuntime$2$1.response(ClientRuntime.java:164) [org.glassfish.jersey.core-jersey-client-2.25.jar:?]
at org.glassfish.jersey.client.internal.HttpUrlConnector$3.run(HttpUrlConnector.java:297) [org.glassfish.jersey.core-jersey-client-2.25.jar:?]
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) [?:1.8.0_192]
at java.util.concurrent.FutureTask.run(FutureTask.java:266) [?:1.8.0_192]
at jersey.repackaged.com.google.common.util.concurrent.MoreExecutors$DirectExecutorService.execute(MoreExecutors.java:299) [org.glassfish.jersey.bundles.repackaged-jersey-guava-2.25.jar:?]
at java.util.concurrent.AbstractExecutorService.submit(AbstractExecutorService.java:112) [?:1.8.0_192]
at jersey.repackaged.com.google.common.util.concurrent.AbstractListeningExecutorService.submit(AbstractListeningExecutorService.java:50) [org.glassfish.jersey.bundles.repackaged-jersey-guava-2.25.jar:?]
at jersey.repackaged.com.google.common.util.concurrent.AbstractListeningExecutorService.submit(AbstractListeningExecutorService.java:37) [org.glassfish.jersey.bundles.repackaged-jersey-guava-2.25.jar:?]
at org.glassfish.jersey.client.internal.HttpUrlConnector.apply(HttpUrlConnector.java:293) [org.glassfish.jersey.core-jersey-client-2.25.jar:?]
at org.glassfish.jersey.client.ClientRuntime$2.run(ClientRuntime.java:180) [org.glassfish.jersey.core-jersey-client-2.25.jar:?]
at org.glassfish.jersey.internal.Errors$1.call(Errors.java:271) [org.glassfish.jersey.core-jersey-common-2.25.jar:?]
at org.glassfish.jersey.internal.Errors$1.call(Errors.java:267) [org.glassfish.jersey.core-jersey-common-2.25.jar:?]
at org.glassfish.jersey.internal.Errors.process(Errors.java:315) [org.glassfish.jersey.core-jersey-common-2.25.jar:?]
at org.glassfish.jersey.internal.Errors.process(Errors.java:297) [org.glassfish.jersey.core-jersey-common-2.25.jar:?]
at org.glassfish.jersey.internal.Errors.process(Errors.java:267) [org.glassfish.jersey.core-jersey-common-2.25.jar:?]
at org.glassfish.jersey.process.internal.RequestScope.runInScope(RequestScope.java:340) [org.glassfish.jersey.core-jersey-common-2.25.jar:?]
at org.glassfish.jersey.client.ClientRuntime$3.run(ClientRuntime.java:208) [org.glassfish.jersey.core-jersey-client-2.25.jar:?]
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) [?:1.8.0_192]
at java.util.concurrent.FutureTask.run(FutureTask.java:266) [?:1.8.0_192]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [?:1.8.0_192]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [?:1.8.0_192]
at java.lang.Thread.run(Thread.java:748) [?:1.8.0_192]
Caused by: javax.ws.rs.NotAuthorizedException: HTTP 401 Authentication required
at org.glassfish.jersey.client.JerseyInvocation.convertToException(JerseyInvocation.java:1014) ~[org.glassfish.jersey.core-jersey-client-2.25.jar:?]
at org.glassfish.jersey.client.JerseyInvocation.access$900(JerseyInvocation.java:92) ~[org.glassfish.jersey.core-jersey-client-2.25.jar:?]
... 32 more
```
If you attempt to execute:
```sh
$PULSAR_HOME/bin/pulsar-admin topics partitioned-stats my-tenant/my-namespace/my-topic
```
you get:
```sh
HTTP 401 Authentication required
Reason: HTTP 401 Authentication required
```
and the logs show:
```sh
17:42:58.463 [pulsar-web-28-8] WARN org.apache.pulsar.broker.web.AuthenticationFilter - [10.126.64.36] Failed to authenticate HTTP request: Authentication required
```
If I try to delete the partitions one at a time, the commands seem to succeed but the metadata still shows the partitions exist. I can also issue unsubscribes for each partition one at a time but not bulk.
**Expected behavior**
Deletes, unsubscribes, etc. of anything dealing with partitioned topics should work as the pulsar-admin CLI help menu instructs.
**Additional context**
TLS Authentication and Authorization Enabled cluster wide
Certs provided to the admin CLI via the client.conf file
brokers and proxys all have working certs
Any help you guys might provide would be appreciated. Thanks!
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
With regards,
Apache Git Services