This is an automated email from the ASF dual-hosted git repository.

mmarshall pushed a commit to branch branch-3.0
in repository https://gitbox.apache.org/repos/asf/pulsar.git


The following commit(s) were added to refs/heads/branch-3.0 by this push:
     new b839536cb05 [improve] AuthenticationProviderOpenID k8s error logs (#20135)
b839536cb05 is described below

commit b839536cb05a0e1c737d9fb87edae1e054fd301b
Author: Michael Marshall <[email protected]>
AuthorDate: Wed Apr 19 10:44:49 2023 -0500

    [improve] AuthenticationProviderOpenID k8s error logs (#20135)
    
    ### Motivation
    
    The `AuthenticationProviderOpenID` error logs from the Kubernetes client are not very helpful in certain cases because we only get the error's message and not the error's response body. See https://github.com/kubernetes-client/java/issues/2066 for details on the solution.
    
    Here is an example of a problematic error:
    
    ```
    org.apache.pulsar.broker.authentication.AuthenticationProviderList - Authentication failed for auth provider class org.apache.pulsar.broker.authentication.oidc.AuthenticationProviderOpenID:
    javax.naming.AuthenticationException: Error retrieving OpenID Provider Metadata from Kubernetes API server:
            at org.apache.pulsar.broker.authentication.oidc.OpenIDProviderMetadataCache$1.onFailure(OpenIDProviderMetadataCache.java:174) ~[org.apache.pulsar-pulsar-broker-auth-oidc-3.0.0.jar:3.0.0]
            at io.kubernetes.client.openapi.ApiClient$1.onResponse(ApiClient.java:927) ~[io.kubernetes-client-java-api-17.0.2.jar:?]
            at okhttp3.internal.connection.RealCall$AsyncCall.run(RealCall.kt:519) ~[com.squareup.okhttp3-okhttp-4.9.3.jar:?]
            at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136) ~[?:?]
            at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635) ~[?:?]
            at java.lang.Thread.run(Thread.java:833) ~[?:?]
    ```
    
    When I enable debug logging out of the API Client, I can see:
    
    ```
    INFO: {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"forbidden: User \"system:serviceaccount:michael-test:superuser\" cannot get path \"/.well-known/openid-configuration/\"","reason":"Forbidden","details":{},"code":403}
    
    Apr 19, 2023 2:50:25 AM okhttp3.internal.platform.Platform log
    INFO: <-- END HTTP (246-byte body)
    2023-04-19T02:50:25,832+0000 [pulsar-web-40-1] DEBUG
    ```
    
    (Note: the solution to this problem is to update the `system:service-account-issuer-discovery` `ClusterRole` to include endpoints with trailing slashes. I created https://github.com/kubernetes/kubernetes/issues/117455 to help solve the permission problem in kubernetes.)
    
    ### Modifications
    
    * Use both the message and the response body when converting a Kubernetes client error into a Pulsar Authentication error.
    
    ### Verifying this change
    
    This change is a trivial rework / code cleanup without any test coverage.
    
    ### Documentation
    
    - [x] `doc-not-needed`
    
    ### Matching PR in forked repository
    
    PR in forked repository: no need for a forked PR
    
    (cherry picked from commit c9c99aae0d0ca5f8ac20a326d3d76bbf8602c79c)
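The RBAC gap behind the 403 above, as an added example that is not part of this commit: instead of editing the built-in `system:service-account-issuer-discovery` role (the API server reconciles `system:` roles and would overwrite local edits), a separate ClusterRole grants `get` on the trailing-slash discovery paths and is bound to the service account named in the log. The role/binding names and the `/openid/v1/jwks/` path are assumptions; the subject comes from the 403 message.

```yaml
# Added example (not part of the commit): grant the broker's service account
# "get" on the trailing-slash discovery paths that the built-in
# system:service-account-issuer-discovery ClusterRole does not cover.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: pulsar-oidc-discovery-trailing-slash   # assumed name
rules:
  - nonResourceURLs:
      - /.well-known/openid-configuration/     # path from the 403 message
      - /openid/v1/jwks/                       # assumed: JWKS path used by JwksCache
    verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: pulsar-oidc-discovery-trailing-slash   # assumed name
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: pulsar-oidc-discovery-trailing-slash
subjects:
  # Subject taken from the 403 in the commit description:
  # system:serviceaccount:michael-test:superuser
  - kind: ServiceAccount
    name: superuser
    namespace: michael-test
```

Only the two discovery paths are granted, so the broker gains no additional API-server access beyond what the built-in role already intends.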
---
 .../java/org/apache/pulsar/broker/authentication/oidc/JwksCache.java | 5 +++--
 .../broker/authentication/oidc/OpenIDProviderMetadataCache.java      | 5 +++--
 2 files changed, 6 insertions(+), 4 deletions(-)

diff --git 
a/pulsar-broker-auth-oidc/src/main/java/org/apache/pulsar/broker/authentication/oidc/JwksCache.java
 
b/pulsar-broker-auth-oidc/src/main/java/org/apache/pulsar/broker/authentication/oidc/JwksCache.java
index 12ea7ec6b90..b5e038342c2 100644
--- 
a/pulsar-broker-auth-oidc/src/main/java/org/apache/pulsar/broker/authentication/oidc/JwksCache.java
+++ 
b/pulsar-broker-auth-oidc/src/main/java/org/apache/pulsar/broker/authentication/oidc/JwksCache.java
@@ -130,9 +130,10 @@ public class JwksCache {
                 @Override
                 public void onFailure(ApiException e, int statusCode, 
Map<String, List<String>> responseHeaders) {
                     
incrementFailureMetric(AuthenticationExceptionCode.ERROR_RETRIEVING_PUBLIC_KEY);
+                    // We want the message and responseBody here: 
https://github.com/kubernetes-client/java/issues/2066.
                     future.completeExceptionally(
-                            new AuthenticationException("Failed to retrieve 
public key from Kubernetes API server: "
-                                    + e.getMessage()));
+                            new AuthenticationException("Failed to retrieve 
public key from Kubernetes API server. "
+                                    + "Message: " + e.getMessage() + " 
Response body: " + e.getResponseBody()));
                 }
 
                 @Override
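Review bot: in the new `AuthenticationException` message, `e.getResponseBody()` can be null when the `ApiException` was raised before any HTTP response arrived (connection refused, timeout), so the log will read `Response body: null`; and when a body is present it is appended unbounded to an exception that `AuthenticationProviderList` logs on every failed attempt. Suggest a null guard and a length cap before concatenation, e.g. `String body = e.getResponseBody() == null ? "<none>" : e.getResponseBody();` followed by truncating `body` to a fixed maximum, so a large or unexpected API-server response cannot flood the broker log.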
diff --git 
a/pulsar-broker-auth-oidc/src/main/java/org/apache/pulsar/broker/authentication/oidc/OpenIDProviderMetadataCache.java
 
b/pulsar-broker-auth-oidc/src/main/java/org/apache/pulsar/broker/authentication/oidc/OpenIDProviderMetadataCache.java
index 33d11f35a34..111399adbd7 100644
--- 
a/pulsar-broker-auth-oidc/src/main/java/org/apache/pulsar/broker/authentication/oidc/OpenIDProviderMetadataCache.java
+++ 
b/pulsar-broker-auth-oidc/src/main/java/org/apache/pulsar/broker/authentication/oidc/OpenIDProviderMetadataCache.java
@@ -165,9 +165,10 @@ class OpenIDProviderMetadataCache {
                 @Override
                 public void onFailure(ApiException e, int statusCode, 
Map<String, List<String>> responseHeaders) {
                     
incrementFailureMetric(AuthenticationExceptionCode.ERROR_RETRIEVING_PROVIDER_METADATA);
+                    // We want the message and responseBody here: 
https://github.com/kubernetes-client/java/issues/2066.
                     future.completeExceptionally(new AuthenticationException(
-                            "Error retrieving OpenID Provider Metadata from 
Kubernetes API server: "
-                                    + e.getMessage()));
+                            "Error retrieving OpenID Provider Metadata from 
Kubernetes API server. Message: "
+                                    + e.getMessage() + " Response body: " + 
e.getResponseBody()));
                 }
 
                 @Override
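Review bot: the `statusCode` parameter of `onFailure` is still left out of the message, so the 403 from the motivating example is only visible inside the JSON body. Including it, e.g. `"Error retrieving OpenID Provider Metadata from Kubernetes API server. Status: " + statusCode + ". Message: " + e.getMessage() + ...`, lets operators tell an authorization failure (403) from an unreachable or misconfigured issuer at a glance without parsing the body; the same applies to the `JwksCache` hunk.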
