Loahrs opened a new issue, #431:
URL: https://github.com/apache/pulsar-helm-chart/issues/431
**Describe the bug**
I created a fresh deployment via the pulsar-helm-chart using the official
instructions. I configured my chart to use authentication and authorization. I
also enabled TLS. My Python client connects to a proxy like this:
```
import pulsar

client = pulsar.Client(
    "pulsar+ssl://<proxy-address>:6651",
    authentication=pulsar.AuthenticationToken("<token of admin superuser>"),
    tls_allow_insecure_connection=True,  # for testing purpose
    tls_validate_hostname=False,
)
```
The client log outputs the following:
```
2024-01-16 12:14:34.600 INFO [23564] D:\a\pulsar-client-cpp\pulsar-client-cpp\lib\ClientConnection:190 | [<none> -> pulsar+ssl://<proxy-url>:6651] Create ClientConnection, timeout=10000
2024-01-16 12:14:34.602 INFO [23564] D:\a\pulsar-client-cpp\pulsar-client-cpp\lib\ConnectionPool:114 | Created connection for pulsar+ssl://<proxy-url>:6651-0
2024-01-16 12:14:34.617 INFO [31320] D:\a\pulsar-client-cpp\pulsar-client-cpp\lib\ClientConnection:404 | [192.168.178.20:61304 -> <proxy-url>:6651] Connected to broker
2024-01-16 12:14:34.682 ERROR [31320] D:\a\pulsar-client-cpp\pulsar-client-cpp\lib\ClientConnection:1572 | [192.168.178.20:61304 -> <proxy-url>:6651] Failed partition-metadata lookup req_id: 1 error: Retryable msg: org.apache.pulsar.client.api.PulsarClientException: Connection already closed
2024-01-16 12:14:34.682 INFO [31320] D:\a\pulsar-client-cpp\pulsar-client-cpp\lib\ClientConnection:1325 | [192.168.178.20:61304 -> <proxy-url>:6651] Connection disconnected (refCnt: 2)
2024-01-16 12:14:34.682 INFO [31320] D:\a\pulsar-client-cpp\pulsar-client-cpp\lib\ConnectionPool:129 | Remove connection for pulsar+ssl://<proxy-url>:6651-0
2024-01-16 12:14:34.682 INFO [31320] D:\a\pulsar-client-cpp\pulsar-client-cpp\lib\RetryableOperation:114 | Reschedule get-partition-metadata-persistent://<my-tenant>/<namespace>/task-submitted for 100 ms, remaining time: 29900 ms
```
I connected to my pulsar proxy pods and checked their log. It shows the
following:
```
apache.pulsar.proxy.server.ProxyConnection - [/10.224.1.30:10697] New connection opened
2024-01-16T12:13:55,476+0000 [pulsar-proxy-io-2-4] INFO org.apache.pulsar.proxy.server.ProxyConnection - [/10.224.1.30:10697] complete connection, init proxy handler. authenticated with token role admin, hasProxyToBrokerUrl: false
2024-01-16T12:13:55,511+0000 [pulsar-proxy-io-2-3] INFO org.apache.pulsar.client.impl.ConnectionPool - [[id: 0x73eeed53, L:/10.224.1.10:60466 - R:pulsar-broker.pulsar.svc.cluster.local/10.224.1.2:6651]] Connected to server
2024-01-16T12:13:55,531+0000 [pulsar-proxy-io-2-3] WARN org.apache.pulsar.client.impl.ClientCnx - [id: 0x73eeed53, L:/10.224.1.10:60466 - R:pulsar-broker.pulsar.svc.cluster.local/10.224.1.2:6651] Received error from server: Invalid roles.
2024-01-16T12:13:55,531+0000 [pulsar-proxy-io-2-3] WARN org.apache.pulsar.client.impl.ClientCnx - [id: 0x73eeed53, L:/10.224.1.10:60466 - R:pulsar-broker.pulsar.svc.cluster.local/10.224.1.2:6651] Received unknown request id from server: -1
2024-01-16T12:13:55,531+0000 [pulsar-proxy-io-2-3] INFO org.apache.pulsar.client.impl.ClientCnx - [id: 0x73eeed53, L:/10.224.1.10:60466 ! R:pulsar-broker.pulsar.svc.cluster.local/10.224.1.2:6651] Disconnected
2024-01-16T12:13:55,531+0000 [pulsar-proxy-io-2-3] WARN org.apache.pulsar.client.impl.ConnectionPool - [[id: 0x73eeed53, L:/10.224.1.10:60466 ! R:pulsar-broker.pulsar.svc.cluster.local/10.224.1.2:6651]] Connection handshake failed: org.apache.pulsar.client.api.PulsarClientException: Connection already closed
```
The authentication as admin appears to be successful, but then an error
"Invalid Roles" is thrown.
**What kind of configuration am I missing?** I just followed the
instructions here: https://pulsar.apache.org/docs/3.1.x/helm-deploy/
**To Reproduce**
Steps to reproduce the behavior:
I used the following .yaml:
```
namespace: "pulsar"
namespaceCreate: false
clusterName: "cluster-a"
#this was set to true when first deploying the chart. For upgrades I set it to false.
initialize: false
#workaround, see https://github.com/apache/pulsar-helm-chart/issues/427
broker.configData:
  proxyRoles: 'proxy-admin'
tls:
  enabled: true
  proxy:
    enabled: true
  broker:
    enabled: true
  zookeeper:
    enabled: true
# issue selfsigning certs
certs:
  internal_issuer:
    enabled: true
    type: selfsigning
components:
  pulsar_manager: true
pulsar_manager:
  configData:
    ENV_SPRING_CONFIGURATION_FILE: "/pulsar-manager/pulsar-manager/application.properties"
    SPRING_CONFIGURATION_FILE: "/pulsar-manager/pulsar-manager/application.properties"
    PULSAR_MANAGER_OPTS: " -Dlog4j2.formatMsgNoLookups=true"
auth:
  authentication:
    enabled: true
    provider: "jwt"
    jwt:
      # Enable JWT authentication
      # If the token is generated by a secret key, set the usingSecretKey as true.
      # If the token is generated by a private key, set the usingSecretKey as false.
      usingSecretKey: true
  authorization:
    enabled: true
  superUsers:
    # broker to broker communication
    broker: "broker-admin"
    # proxy to broker communication
    proxy: "proxy-admin"
    # pulsar-admin client to broker/proxy communication
    client: "admin"
```
**Expected behavior**
I expect to be able to connect a client to the cluster when using the
admin-token. When following the official documentation, I expect the cluster to
be configured properly.