[GitHub] [pulsar] Apurva007 opened a new pull request, #21077: [fix][proxy] Fix Proxy 502 gateway error when it is configured with Keystore TLS and admin API is called

via GitHub Mon, 28 Aug 2023 01:18:38 -0700


Apurva007 opened a new pull request, #21077:
URL: https://github.com/apache/pulsar/pull/21077


   <!--
   ### Contribution Checklist
     
     - PR title format should be *[type][component] summary*. For details, see 
*[Guideline - Pulsar PR Naming 
Convention](https://pulsar.apache.org/contribute/develop-semantic-title/)*. 
   
     - Fill out the template below to describe the changes contributed by the 
pull request. That will give reviewers the context they need to do the review.
     
     - Each pull request should address only one issue, not mix up code from 
multiple issues.
     
     - Each commit in the pull request has a meaningful commit message
   
     - Once all items of the checklist are addressed, remove the above text and 
this checklist, leaving only the filled out template below.
   -->
   
   Fixes #21076
   
   ### Motivation
   
   Pulsar Cluster has TLS enabled. Pulsar proxy is used to connect to it using 
keystore TLS. Producer and Consumer API works properly. But when the admin API 
is used, it returns 502 gateway error.
   
   Eg. bin/pulsar-admin --admin-url https://localhost:8443 tenants list
   HTTP 502 Bad Gateway
   
   Reason: HTTP 502 Bad Gateway
   
   Found the following exception on debugging further with the JVM arguments on 
Proxy: -Dorg.eclipse.jetty.util.log.class=org.eclipse.jetty.util.log.StdErrLog 
-Dorg.eclipse.jetty.LEVEL=ALL
   
   javax.net.ssl.SSLHandshakeException: PKIX path building failed: 
sun.security.provider.certpath.SunCertPathBuilderException: unable to find 
valid certification path to requested target
        at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
        at 
java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:371)
        at 
java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:314)
        at 
java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:309)
        at 
java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1357)
        at 
java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.onConsumeCertificate(CertificateMessage.java:1232)
        at 
java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.consume(CertificateMessage.java:1175)
        at 
java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:396)
        at 
java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:480)
        at 
java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1277)
        at 
java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1264)
        at 
java.base/java.security.AccessController.doPrivileged(AccessController.java:712)
        at 
java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:1209)
        at 
org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint.fill(SslConnection.java:654)
        at 
org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint.flush(SslConnection.java:1061)
        at org.eclipse.jetty.io.WriteFlusher.flush(WriteFlusher.java:422)
        at 
org.eclipse.jetty.io.WriteFlusher.completeWrite(WriteFlusher.java:378)
        at 
org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint.lambda$fill$1(SslConnection.java:835)
        at 
java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
        at 
java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
        at 
io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
        at java.base/java.lang.Thread.run(Thread.java:833)
   Caused by: 
   sun.security.validator.ValidatorException: PKIX path building failed: 
sun.security.provider.certpath.SunCertPathBuilderException: unable to find 
valid certification path to requested target
        at 
java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:439)
        at 
java.base/sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:306)
        at 
java.base/sun.security.validator.Validator.validate(Validator.java:264)
        at 
java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:285)
        at 
java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:144)
        at 
java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1335)
        at 
java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.onConsumeCertificate(CertificateMessage.java:1232)
        at 
java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.consume(CertificateMessage.java:1175)
        at 
java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:396)
        at 
java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:480)
        at 
java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1277)
        at 
java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1264)
        at 
java.base/java.security.AccessController.doPrivileged(AccessController.java:712)
        at 
java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:1209)
        at 
org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint.fill(SslConnection.java:654)
        at 
org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint.flush(SslConnection.java:1061)
        at org.eclipse.jetty.io.WriteFlusher.flush(WriteFlusher.java:422)
        at 
org.eclipse.jetty.io.WriteFlusher.completeWrite(WriteFlusher.java:378)
        at 
org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint.lambda$fill$1(SslConnection.java:835)
        at 
java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
        at 
java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
        at 
io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
        at java.base/java.lang.Thread.run(Thread.java:833)
   Caused by: 
   sun.security.provider.certpath.SunCertPathBuilderException: unable to find 
valid certification path to requested target
        at 
java.base/sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
        at 
java.base/sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
        at 
java.base/java.security.cert.CertPathBuilder.build(CertPathBuilder.java:297)
        at 
java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:434)
        at 
java.base/sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:306)
        at 
java.base/sun.security.validator.Validator.validate(Validator.java:264)
        at 
java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:285)
        at 
java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:144)
        at 
java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1335)
        at 
java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.onConsumeCertificate(CertificateMessage.java:1232)
        at 
java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.consume(CertificateMessage.java:1175)
        at 
java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:396)
        at 
java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:480)
        at 
java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1277)
        at 
java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1264)
        at 
java.base/java.security.AccessController.doPrivileged(AccessController.java:712)
        at 
java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:1209)
        at 
org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint.fill(SslConnection.java:654)
        at 
org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint.flush(SslConnection.java:1061)
        at org.eclipse.jetty.io.WriteFlusher.flush(WriteFlusher.java:422)
        at 
org.eclipse.jetty.io.WriteFlusher.completeWrite(WriteFlusher.java:378)
        at 
org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint.lambda$fill$1(SslConnection.java:835)
        at 
java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
        at 
java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
        at 
io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
        at java.base/java.lang.Thread.run(Thread.java:833)
   
   
   ### Modifications
   
   The Proxy http client has been modified to load the broker client configured 
keystore and truststore when broker client keystore tls is enabled. This will 
make sure that the correct method is used to generate the SSL Context.
   
   ### Verifying this change
   
   - [ ] Make sure that the change passes the CI checks.
   
   This change added tests and can be verified as follows:
   
   Added a new test called "AdminProxyHandlerKeystoreTLSTest" which verifies 
that the admin api can run even with a keystore configured proxy.
   
   
   ### Does this pull request potentially affect one of the following parts:
   
   <!-- DO NOT REMOVE THIS SECTION. CHECK THE PROPER BOX ONLY. -->
   
   *If the box was checked, please highlight the changes*
   
   - [ ] Dependencies (add or upgrade a dependency)
   - [ ] The public API
   - [ ] The schema
   - [ ] The default values of configurations
   - [ ] The threading model
   - [ ] The binary protocol
   - [ ] The REST endpoints
   - [ ] The admin CLI options
   - [ ] The metrics
   - [ ] Anything that affects deployment
   
   ### Documentation
   
   <!-- DO NOT REMOVE THIS SECTION. CHECK THE PROPER BOX ONLY. -->
   
   - [ ] `doc` <!-- Your PR contains doc changes. -->
   - [ ] `doc-required` <!-- Your PR changes impact docs and you will update 
later -->
   - [x] `doc-not-needed` <!-- Your PR changes do not impact docs -->
   - [ ] `doc-complete` <!-- Docs have been already added -->
   
   ### Matching PR in forked repository
   
   PR in forked repository: <!-- ENTER URL HERE -->
   
   <!--
   After opening this PR, the build in apache/pulsar will fail and instructions 
will
   be provided for opening a PR in the PR author's forked repository.
   
   apache/pulsar pull requests should be first tested in your own fork since 
the 
   apache/pulsar CI based on GitHub Actions has constrained resources and quota.
   GitHub Actions provides separate quota for pull requests that are executed 
in 
   a forked repository.
   
   The tests will be run in the forked repository until all PR review comments 
have
   been handled, the tests pass and the PR is approved by a reviewer.
   -->
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

[GitHub] [pulsar] Apurva007 opened a new pull request, #21077: [fix][proxy] Fix Proxy 502 gateway error when it is configured with Keystore TLS and admin API is called

Reply via email to