You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@pulsar.apache.org by GitBox <gi...@apache.org> on 2020/08/25 13:03:44 UTC
[GitHub] [pulsar] frankjkelly opened a new issue #7893: Regression: Authorization Provider implementation that worked in 2.5.2 now throws 500 on Pulsar startup
frankjkelly opened a new issue #7893:
URL: https://github.com/apache/pulsar/issues/7893
**Describe the bug**
We wrote both Authentication and Authorization Providers against Pulsar 2.5.2 and they worked in Standalone mode.
After upgrading to 2.6.1 (upgrading the client jars and the conf file) we now get a 500 error on startup.
**To Reproduce**
Steps to reproduce the behavior:
1. Write an Authorization provider that implements the required methods of `org.apache.pulsar.broker.authorization.AuthorizationProvider`
2. Define that Authorization Provider for usage in the configs e.g.
```
authenticationEnabled=true
authenticationProviders=com.cogito.platform.signal.stream.pulsar.authn.broker.CogitoAuthenticationProvider
authorizationEnabled=true
authorizationProvider=com.cogito.platform.signal.stream.pulsar.authn.broker.CogitoAuthorizationProvider
```
2. If you do not override various methods e.g.` allowTenantOperationAsync() ` then when you start up standalone you see a 500 error
**Expected behavior**
Either
1) Pulsar Starts up as before (if the methods are `default` then they should just `work`)
OR
2) Pulsar detects the improperly/incomplete Authorization provider and provides logs to ameliorate
OR
3) Pulsar logs include a stack trace to help debug
**Screenshots**
Info logs
```
19:40:12.268 [pulsar-web-54-1] INFO org.apache.pulsar.broker.admin.impl.TenantsBase - [cogito] Created tenant public
19:40:12.270 [pulsar-web-54-1] INFO org.eclipse.jetty.server.RequestLog - 127.0.0.1 - - [24/Aug/2020:19:40:12 +0000] "PUT /admin/v2/tenants/public HTTP/1.1" 204 0 "-" "Pulsar-Java-v2.6.0" 14
19:40:12.286 [pulsar-web-54-5] INFO com.cogito.platform.signal.stream.pulsar.authn.broker.CogitoAuthenticationProvider - JUST FOR INTEGRATION DEBUGGING ONLY --> (eyJhbGciOiJSXXXXXXXXXXXhWouxZd2kkmSUQ)
19:40:12.301 [pulsar-web-54-5] INFO org.eclipse.jetty.server.RequestLog - 127.0.0.1 - - [24/Aug/2020:19:40:12 +0000] "GET /admin/v2/namespaces/public HTTP/1.1" 500 6748 "-" "Pulsar-Java-v2.6.0" 16
19:40:12.304 [main] INFO org.apache.pulsar.PulsarStandalone - HTTP 500 Internal Server Error
```
Debug Logs
```
16:27:48.573 [pulsar-web-54-14] DEBUG com.cogito.platform.signal.stream.pulsar.authn.broker.CogitoAuthenticationProvider - Authenticating token . . .
16:27:48.576 [pulsar-web-54-14] DEBUG com.cogito.platform.signal.stream.pulsar.authn.broker.CogitoAuthenticationProvider - Token authenticated
16:27:48.576 [pulsar-web-54-14] DEBUG org.apache.pulsar.broker.web.AuthenticationFilter - [127.0.0.1] Authenticated HTTP request with role cogito
16:27:48.576 [pulsar-web-54-14] DEBUG org.eclipse.jetty.servlet.ServletHandler - call filter org.apache.pulsar.broker.web.ResponseHandlerFilter-7aa01bd9@7aa01bd9==org.apache.pulsar.broker.web.ResponseHandlerFilter,inst=true,async=true
16:27:48.576 [pulsar-web-54-14] DEBUG org.eclipse.jetty.servlet.ServletHandler - call servlet org.glassfish.jersey.servlet.ServletContainer-640d604@f679d7ba==org.glassfish.jersey.servlet.ServletContainer,jsp=null,order=-1,inst=true,async=true
16:27:48.583 [pulsar-web-54-14] DEBUG org.eclipse.jetty.server.HttpOutput - write(array HeapByteBuffer@6c771e32[p=0,l=7120,c=8192,r=7120]={<<<\n --- An unexpected error...d.run(Thread.java:834)\n>>>\x00\x00\x00\x00\x00\x00\x00\x00\x00...\x00\x00\x00\x00\x00\x00\x00})
16:27:48.583 [pulsar-web-54-14] DEBUG org.eclipse.jetty.server.HttpOutput - write(array) s=CLOSING,api=BLOCKED,sc=false,e=null last=true agg=false flush=true async=false, len=7120 null
16:27:48.583 [pulsar-web-54-14] DEBUG org.eclipse.jetty.server.HttpChannel - sendResponse info=null content=HeapByteBuffer@79ba1771[p=0,l=7120,c=8192,r=7120]={<<<\n --- An unexpected error...d.run(Thread.java:834)\n>>>\x00\x00\x00\x00\x00\x00\x00\x00\x00...\x00\x00\x00\x00\x00\x00\x00} complete=true committing=true callback=Blocker@32faa6a7{null}
16:27:48.584 [pulsar-web-54-14] DEBUG org.eclipse.jetty.server.HttpChannel - COMMIT for /admin/v2/namespaces/public on HttpChannelOverHttp@397aa579{s=HttpChannelState@3535581a{s=HANDLING rs=BLOCKING os=COMMITTED is=IDLE awp=false se=false i=true al=0},r=6,c=false/false,a=HANDLING,uri=//localhost:8080/admin/v2/namespaces/public,age=11}
500 Internal Server Error HTTP/1.1
Date: Mon, 24 Aug 2020 20:27:48 GMT
Content-Length: 7120
Content-Type: text/plain
16:27:48.584 [pulsar-web-54-14] DEBUG org.eclipse.jetty.server.HttpConnection - generate: NEED_HEADER for org.eclipse.jetty.server.HttpConnection$SendCallback@58eeee2d[PROCESSING][i=HTTP/1.1{s=500,h=3,cl=7120},cb=org.eclipse.jetty.server.HttpChannel$SendCallback@4096f060] (null,[p=0,l=7120,c=8192,r=7120],true)@START
16:27:48.584 [pulsar-web-54-14] DEBUG org.eclipse.jetty.http.HttpGenerator - generateHeaders HTTP/1.1{s=500,h=3,cl=7120} last=true content=HeapByteBuffer@79ba1771[p=0,l=7120,c=8192,r=7120]={<<<\n --- An unexpected error...d.run(Thread.java:834)\n>>>\x00\x00\x00\x00\x00\x00\x00\x00\x00...\x00\x00\x00\x00\x00\x00\x00}
```
**Desktop (please complete the following information):**
- OS: [e.g. iOS]
**Additional context**
Once I implemented the default methods the problem went away
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [pulsar] Joshhw commented on issue #7893: Regression: Authorization Provider implementation that worked in 2.5.2 now throws 500 on Pulsar 2.6.1 startup
Posted by GitBox <gi...@apache.org>.
Joshhw commented on issue #7893:
URL: https://github.com/apache/pulsar/issues/7893#issuecomment-864599143
> @frankjkelly Thanks for the answer. @Joshhw can you help me out here? 😅
unfortunately what you're asking is a bit vague. I don't have a blog post to point you to but really it depends on the system you're using to implement the interfaces that the custom authN/Z use. If you provide a bit more context as to what you're using for auth currently I might be able to give you some direction.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [pulsar] frankjkelly commented on issue #7893: Regression: Authorization Provider implementation that worked in 2.5.2 now throws 500 on Pulsar startup
Posted by GitBox <gi...@apache.org>.
frankjkelly commented on issue #7893:
URL: https://github.com/apache/pulsar/issues/7893#issuecomment-682582539
Thanks @sijie thanks for the clarification. I guess I don't get the rationale for implementing a default method that just throws an exception rather than an abstract method which tells the developer "Hey you now have to implement these methods"?
Fair enough is there someway to improve the exception/stack trace logging in standalone. So I don't just see
```19:40:12.304 [main] INFO org.apache.pulsar.PulsarStandalone - HTTP 500 Internal Server Error```
If you point me to the right part of the code I'd be happy to throw together a PR.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [pulsar] sijie commented on issue #7893: Regression: Authorization Provider implementation that worked in 2.5.2 now throws 500 on Pulsar startup
Posted by GitBox <gi...@apache.org>.
sijie commented on issue #7893:
URL: https://github.com/apache/pulsar/issues/7893#issuecomment-680408523
@frankjkelly there is a big change in AuthorizationProvider to support finer granularity access control in 2.6.0. So if you are customizing an AuthorizationProvider, you might have to implement those methods.
Alternatively, we can try to make sure the default methods use the old methods. But it will require a fair amount of refactoring work again. Let me know what you think.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [pulsar] frankjkelly commented on issue #7893: Regression: Authorization Provider implementation that worked in 2.5.2 now throws 500 on Pulsar 2.6.1 startup
Posted by GitBox <gi...@apache.org>.
frankjkelly commented on issue #7893:
URL: https://github.com/apache/pulsar/issues/7893#issuecomment-842390269
Closing as focus seems to be on 2.6/2.7/2.8 not upgrades from 2.5
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [pulsar] frankjkelly closed issue #7893: Regression: Authorization Provider implementation that worked in 2.5.2 now throws 500 on Pulsar 2.6.1 startup
Posted by GitBox <gi...@apache.org>.
frankjkelly closed issue #7893:
URL: https://github.com/apache/pulsar/issues/7893
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [pulsar] frankjkelly closed issue #7893: Regression: Authorization Provider implementation that worked in 2.5.2 now throws 500 on Pulsar 2.6.1 startup
Posted by GitBox <gi...@apache.org>.
frankjkelly closed issue #7893:
URL: https://github.com/apache/pulsar/issues/7893
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [pulsar] frankjkelly edited a comment on issue #7893: Regression: Authorization Provider implementation that worked in 2.5.2 now throws 500 on Pulsar startup
Posted by GitBox <gi...@apache.org>.
frankjkelly edited a comment on issue #7893:
URL: https://github.com/apache/pulsar/issues/7893#issuecomment-682582539
Thanks @sijie thanks for the clarification. I guess I don't get the rationale for implementing a default method that just throws an exception rather than an abstract method which tells the developer "Hey you now have to implement these methods"?
For example https://github.com/apache/pulsar/blob/48f5a2f62c148b3df617be060fefed51f3145979/pulsar-broker-common/src/main/java/org/apache/pulsar/broker/authorization/AuthorizationProvider.java#L262-L269 or
https://github.com/apache/pulsar/blob/48f5a2f62c148b3df617be060fefed51f3145979/pulsar-broker-common/src/main/java/org/apache/pulsar/broker/authorization/AuthorizationProvider.java#L434-L440
Fair enough if there is a reason but also is there someway to improve the exception/stack trace logging in standalone. So I don't just see
```19:40:12.304 [main] INFO org.apache.pulsar.PulsarStandalone - HTTP 500 Internal Server Error```
If you point me to the right part of the code I'd be happy to throw together a PR.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [pulsar] frankjkelly commented on issue #7893: Regression: Authorization Provider implementation that worked in 2.5.2 now throws 500 on Pulsar 2.6.1 startup
Posted by GitBox <gi...@apache.org>.
frankjkelly commented on issue #7893:
URL: https://github.com/apache/pulsar/issues/7893#issuecomment-842390269
Closing as focus seems to be on 2.6/2.7/2.8 not upgrades from 2.5
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [pulsar] Joshhw edited a comment on issue #7893: Regression: Authorization Provider implementation that worked in 2.5.2 now throws 500 on Pulsar 2.6.1 startup
Posted by GitBox <gi...@apache.org>.
Joshhw edited a comment on issue #7893:
URL: https://github.com/apache/pulsar/issues/7893#issuecomment-864599143
> @frankjkelly Thanks for the answer. @Joshhw can you help me out here? 😅
unfortunately what you're asking is a bit vague. I don't have a blog post to point you to but really it depends on the system you're using to implement the interfaces that the custom authN/Z use. If you provide a bit more context as to what you're using for auth currently I might be able to give you some direction. To give you some more background I implemented using key cloak as the underlying authN/Z system. I rely solely on jwks and tokenization.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org