Loahrs opened a new issue, #433:
URL: https://github.com/apache/pulsar-helm-chart/issues/433
Since I can't reopen Issue #431, I am creating a new one as a follow-up. Somehow
there was no "reopen" button. See the referenced Issue for more details.
I'm not able to connect my client to the pulsar cluster via a proxy using
authentication and authorization after deploying it from the helm chart.
```
import pulsar

client = pulsar.Client(
    "pulsar+ssl://<proxy-address>:6651",
    authentication=pulsar.AuthenticationToken("<token of admin superuser>"),
    tls_allow_insecure_connection=True,  # for testing purposes
    tls_validate_hostname=False,
)
```
The error seems to persist even after correcting the "workaround" to be
valid YAML, as suggested in #431.
I tried recreating all pods and even restarting my Kubernetes cluster.
When applying the workaround (#430) the authentication seems to work
correctly. I got the following error message BEFORE applying the workaround:
```
2024-01-16T10:18:00,153+0000 [pulsar-io-4-2] WARN org.apache.pulsar.broker.authorization.AuthorizationService - [/10.224.1.10:45766] Illegal combination of role [proxy-admin] and originalPrincipal [admin]: cannot specify originalPrincipal when connecting without valid proxy role.
```
AFTER applying the workaround I get another error message. It logs a
successful authentication, but then throws "Invalid Roles". Might this be an
issue with the authorization?
```
2024-01-16T12:13:55,394+0000 [pulsar-proxy-io-2-4] INFO org.apache.pulsar.proxy.server.ProxyConnection - [/10.224.1.30:10697] New connection opened
# Authentication is successful:
2024-01-16T12:13:55,476+0000 [pulsar-proxy-io-2-4] INFO org.apache.pulsar.proxy.server.ProxyConnection - [/10.224.1.30:10697] complete connection, init proxy handler. authenticated with token role admin, hasProxyToBrokerUrl: false
2024-01-16T12:13:55,511+0000 [pulsar-proxy-io-2-3] INFO org.apache.pulsar.client.impl.ConnectionPool - [[id: 0x73eeed53, L:/10.224.1.10:60466 - R:pulsar-broker.pulsar.svc.cluster.local/10.224.1.2:6651]] Connected to server
# Something went wrong, possibly during authorization?
2024-01-16T12:13:55,531+0000 [pulsar-proxy-io-2-3] WARN org.apache.pulsar.client.impl.ClientCnx - [id: 0x73eeed53, L:/10.224.1.10:60466 - R:pulsar-broker.pulsar.svc.cluster.local/10.224.1.2:6651] Received error from server: Invalid roles.
2024-01-16T12:13:55,531+0000 [pulsar-proxy-io-2-3] WARN org.apache.pulsar.client.impl.ClientCnx - [id: 0x73eeed53, L:/10.224.1.10:60466 - R:pulsar-broker.pulsar.svc.cluster.local/10.224.1.2:6651] Received unknown request id from server: -1
2024-01-16T12:13:55,531+0000 [pulsar-proxy-io-2-3] INFO org.apache.pulsar.client.impl.ClientCnx - [id: 0x73eeed53, L:/10.224.1.10:60466 ! R:pulsar-broker.pulsar.svc.cluster.local/10.224.1.2:6651] Disconnected
2024-01-16T12:13:55,531+0000 [pulsar-proxy-io-2-3] WARN org.apache.pulsar.client.impl.ConnectionPool - [[id: 0x73eeed53, L:/10.224.1.10:60466 ! R:pulsar-broker.pulsar.svc.cluster.local/10.224.1.2:6651]] Connection handshake failed: org.apache.pulsar.client.api.PulsarClientException: Connection already closed
```
My current .yaml:
```
namespace: "pulsar"
namespaceCreate: false
clusterName: "cluster-a"
initialize: false
components:
  pulsar_manager: true
#workaround, see https://github.com/apache/pulsar-helm-chart/issues/427
broker:
  configData:
    proxyRoles: 'proxy-admin'
tls:
  enabled: true
  proxy:
    enabled: true
  broker:
    enabled: true
  zookeeper:
    enabled: true
# issue selfsigning certs
certs:
  internal_issuer:
    enabled: true
    type: selfsigning
pulsar_manager:
  configData:
    ENV_SPRING_CONFIGURATION_FILE: "/pulsar-manager/pulsar-manager/application.properties"
    SPRING_CONFIGURATION_FILE: "/pulsar-manager/pulsar-manager/application.properties"
    PULSAR_MANAGER_OPTS: " -Dlog4j2.formatMsgNoLookups=true"
  replicaCount: 1
  resources:
    requests:
      memory: 650Mi
auth:
  authentication:
    enabled: true
    provider: "jwt"
    jwt:
      # Enable JWT authentication
      # If the token is generated by a secret key, set the usingSecretKey as true.
      # If the token is generated by a private key, set the usingSecretKey as false.
      usingSecretKey: true
  authorization:
    enabled: true
  superUsers:
    # broker to broker communication
    broker: "broker-admin"
    # proxy to broker communication
    proxy: "proxy-admin"
    # pulsar-admin client to broker/proxy communication
    client: "admin"
```
**When disabling authorization (and having authentication enabled) I am able
to make a successful connection from my client.**
Am I missing some additional configuration?
Thank you for your help so far!
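
Added example (not part of the issue and not code from the chart or from Pulsar): a small triage helper that ties the broker's "Illegal combination" warning quoted above to the `proxyRoles` setting in the values file. The values are modelled as plain dicts constructed from the YAML in this issue, `proxyRoles` is assumed to be a comma-separated string, and the function names are hypothetical. It covers only the first warning, not the later "Invalid roles" error.

```python
import re

# Constructed from the values file in this issue: before and after the workaround.
VALUES_BEFORE = {"auth": {"superUsers": {
    "broker": "broker-admin", "proxy": "proxy-admin", "client": "admin"}}}
VALUES_AFTER = {**VALUES_BEFORE,
                "broker": {"configData": {"proxyRoles": "proxy-admin"}}}

# The broker warning quoted in this issue, joined onto one line.
BROKER_WARNING = (
    "2024-01-16T10:18:00,153+0000 [pulsar-io-4-2] WARN "
    "org.apache.pulsar.broker.authorization.AuthorizationService - "
    "[/10.224.1.10:45766] Illegal combination of role [proxy-admin] and "
    "originalPrincipal [admin]: cannot specify originalPrincipal when "
    "connecting without valid proxy role.")

ILLEGAL = re.compile(r"Illegal combination of role \[(?P<role>[^\]]*)\] "
                     r"and originalPrincipal \[(?P<original>[^\]]*)\]")


def proxy_roles(values):
    """Roles listed in broker.configData.proxyRoles (assumed comma-separated)."""
    raw = values.get("broker", {}).get("configData", {}).get("proxyRoles", "")
    return {r.strip() for r in raw.split(",") if r.strip()}


def missing_proxy_roles(values):
    """Role the proxy connects with, if the broker is not told it is a proxy role."""
    proxy_role = values.get("auth", {}).get("superUsers", {}).get("proxy")
    return sorted({proxy_role} - proxy_roles(values)) if proxy_role else []


def explain_rejection(line, values):
    """Map an 'Illegal combination' warning to the config gap behind it."""
    m = ILLEGAL.search(line)
    if m is None:
        return None  # not the warning this helper understands
    role, original = m["role"], m["original"]
    if role not in proxy_roles(values):
        return (f"role '{role}' forwarded originalPrincipal '{original}' "
                f"but is not in broker proxyRoles")
    return f"role '{role}' is in proxyRoles; the rejection has another cause"


if __name__ == "__main__":
    print(missing_proxy_roles(VALUES_BEFORE))
    print(explain_rejection(BROKER_WARNING, VALUES_BEFORE))
```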