Posted to commits@pulsar.apache.org by GitBox <gi...@apache.org> on 2021/05/28 07:33:41 UTC
[GitHub] [pulsar] marksilcox opened a new issue #10733: Pulsar 2.6.3 JWT enabled - /admin/v2/non-persistent/public/default 401 error
marksilcox opened a new issue #10733:
URL: https://github.com/apache/pulsar/issues/10733
Having further trouble with enabling JWT on v2.6.3. I've configured the broker and proxy as per the docs. I can connect and send messages from a Java client. However, connecting through pulsar-manager fails when viewing topics or namespaces. The logs for pulsar-manager show an HTTP 500 when getting topics. If I try via the REST API it works for `persistent` but fails with a 401 for `non-persistent`.
proxy.conf auth settings:
```
superUserRoles=admin,pulsar
authorizationEnabled=false
authorizationProvider=org.apache.pulsar.broker.authorization.PulsarAuthorizationProvider
forwardAuthorizationCredentials=true
authenticationEnabled=true
authenticationProviders=org.apache.pulsar.broker.authentication.AuthenticationProviderToken
anonymousUserRole=
brokerClientAuthenticationPlugin=org.apache.pulsar.client.impl.auth.AuthenticationToken
brokerClientAuthenticationParameters=token:{{ jwt_admin_token }}
```
broker.conf auth settings:
```
authenticationEnabled=true
authenticationProviders=org.apache.pulsar.broker.authentication.AuthenticationProviderToken
authorizationEnabled=false
authorizationProvider=org.apache.pulsar.broker.authorization.PulsarAuthorizationProvider
superUserRoles=admin,pulsar
anonymousUserRole=
tokenSecretKey=data:;base64,{{ jwt_secret_key }}
brokerClientAuthenticationPlugin=org.apache.pulsar.client.impl.auth.AuthenticationToken
brokerClientAuthenticationParameters=token:{{ jwt_admin_token }}
```
The cluster was set up using Ansible; all other settings are default. The namespaces are default and there are currently no topics.
response from `/admin/v2/non-persistent/public/default`
```
--- An unexpected error occurred in the server ---
Message: HTTP 401 Unauthorized
Stacktrace:
org.apache.pulsar.client.admin.PulsarAdminException$NotAuthorizedException: HTTP 401 Unauthorized
at org.apache.pulsar.client.admin.internal.BaseResource.getApiException(BaseResource.java:217)
at org.apache.pulsar.client.admin.internal.TopicsImpl$5.failed(TopicsImpl.java:230)
....
```
response from `/admin/v2/persistent/public/default`
```
[]
```
Both using the same token auth header.
I get the same `HTTP 500 Internal Server Error` running `pulsar-admin topics list public/default` on one of the brokers.
Any help to get this sorted will be gratefully received as I have been going round in circles for a day now!
(Also posted in Slack - https://apache-pulsar.slack.com/archives/C5Z4T36F7/p1622122850190000)
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [pulsar] lhotari commented on issue #10733: Pulsar 2.6.3 JWT enabled - /admin/v2/non-persistent/public/default 401 error
Posted by GitBox <gi...@apache.org>.
lhotari commented on issue #10733:
URL: https://github.com/apache/pulsar/issues/10733#issuecomment-850254300
Pulsar JWT token auth in 2.6.3 contains a security vulnerability, [CVE-2021-22160](https://lists.apache.org/thread.html/r347650d15a3e9c5f58b83e918b6ad6dedc2a63d3eb63da8e6a7be87e%40%3Cdev.pulsar.apache.org%3E). Please upgrade to Pulsar 2.7.2. The release process for 2.6.4 is in progress.
Regarding the configuration, it seems that the syntax for `brokerClientAuthenticationParameters` might not be correct. Please try by specifying the token without the "token:" prefix.
```
brokerClientAuthenticationParameters=<TOKEN STRING>
```
```
brokerClientAuthenticationParameters=file:///some/path/brokerclient_token.jwt
```
[GitHub] [pulsar] marksilcox commented on issue #10733: Pulsar 2.6.3 JWT enabled - /admin/v2/non-persistent/public/default 401 error
Posted by GitBox <gi...@apache.org>.
marksilcox commented on issue #10733:
URL: https://github.com/apache/pulsar/issues/10733#issuecomment-850400409
Removing the "token:" prefix or using file did not work.
I enabled debug logging and it appears that not all the requests that are called as part of `bin/pulsar-admin topics list public/default` include the `Authorization` header. I do see the header in the logs when I call `bin/pulsar-admin namespaces list public`
[GitHub] [pulsar] marksilcox closed issue #10733: Pulsar 2.6.3 JWT enabled - /admin/v2/non-persistent/public/default 401 error
Posted by GitBox <gi...@apache.org>.
marksilcox closed issue #10733:
URL: https://github.com/apache/pulsar/issues/10733
[GitHub] [pulsar] lhotari edited a comment on issue #10733: Pulsar 2.6.3 JWT enabled - /admin/v2/non-persistent/public/default 401 error
Posted by GitBox <gi...@apache.org>.
lhotari edited a comment on issue #10733:
URL: https://github.com/apache/pulsar/issues/10733#issuecomment-850254300
Pulsar JWT token auth in 2.6.3 contains a security vulnerability, [CVE-2021-22160](https://lists.apache.org/thread.html/r347650d15a3e9c5f58b83e918b6ad6dedc2a63d3eb63da8e6a7be87e%40%3Cdev.pulsar.apache.org%3E). Please upgrade to Pulsar 2.7.2. The release process for 2.6.4 is in progress.
Regarding the configuration, it seems that the syntax for `brokerClientAuthenticationParameters` might not be correct. Please try by specifying the token without the "token:" prefix.
```
brokerClientAuthenticationParameters=<TOKEN STRING>
```
or using a file URL:
```
brokerClientAuthenticationParameters=file:///some/path/brokerclient_token.jwt
```
[GitHub] [pulsar] marksilcox commented on issue #10733: Pulsar 2.6.3 JWT enabled - /admin/v2/non-persistent/public/default 401 error
Posted by GitBox <gi...@apache.org>.
marksilcox commented on issue #10733:
URL: https://github.com/apache/pulsar/issues/10733#issuecomment-850436909
Solved it - there was a second `brokerClientAuthenticationPlugin` in the `broker.conf` under the bookie auth section, renamed to `bookkeeperClientAuthenticationPlugin` and everything is fine! No idea how it got changed in our Ansible template file.
Thanks for your help.
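Added example, not part of the original thread and not Pulsar's own code: a check for the failure that turned out to be the cause here, a key set twice in `broker.conf`. It assumes simple `key=value` lines and that the last occurrence wins when the file is loaded (as with Java properties files); the sample config and the placeholder class name are constructed.

```python
from collections import defaultdict

# Constructed sample modelled on the thread: the key meant to be
# bookkeeperClientAuthenticationPlugin was templated under the wrong name.
SAMPLE_BROKER_CONF = """\
# broker auth
authenticationEnabled=true
brokerClientAuthenticationPlugin=org.apache.pulsar.client.impl.auth.AuthenticationToken
brokerClientAuthenticationParameters=file:///some/path/brokerclient_token.jwt

# bookie auth (placeholder class name, constructed for this example)
brokerClientAuthenticationPlugin=org.example.PlaceholderBookieAuthPlugin
anonymousUserRole=
"""


def parse_conf(text):
    """Yield (line_number, key, value) for each key=value line."""
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue  # blank line or comment
        key, sep, value = line.partition("=")
        if sep:
            yield lineno, key.strip(), value.strip()


def find_duplicate_keys(text):
    """Return {key: [(line_number, value), ...]} for keys set more than once."""
    seen = defaultdict(list)
    for lineno, key, value in parse_conf(text):
        seen[key].append((lineno, value))
    return {k: v for k, v in seen.items() if len(v) > 1}


def effective_value(text, key):
    """Value that survives when the last occurrence wins (assumed loader behaviour)."""
    values = [v for _, k, v in parse_conf(text) if k == key]
    return values[-1] if values else None


if __name__ == "__main__":
    for key, hits in find_duplicate_keys(SAMPLE_BROKER_CONF).items():
        print(f"duplicate key {key}:")
        for lineno, value in hits:
            print(f"  line {lineno}: {value}")
        print(f"  effective: {effective_value(SAMPLE_BROKER_CONF, key)}")
```

Run against the rendered config (the output of the Ansible template, not the template itself) so that keys introduced by templating are caught before the broker starts.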