Re: [I] Followup: Error "Invalid Roles" during Handshake when connecting to broker via TLS with JWT-Auth [pulsar-helm-chart]

Wed, 17 Jan 2024 04:03:35 -0800 


lhotari commented on issue #433:
URL: 
https://github.com/apache/pulsar-helm-chart/issues/433#issuecomment-1895668980

   > When I use the "proxy-admin" superuser token created as a secret when 
setting up the cluster
   
   You shouldn't be using the proxy-admin token yourself. The proxy should be 
configured to use it. This is what the chart does by default with 
`brokerClientAuthenticationParameters: "file:///pulsar/tokens/proxy/token"`:
   
   ```
   apiVersion: v1
   kind: ConfigMap
   metadata:
     name: "release-name-pulsar-proxy"
     namespace: default
     labels:
       app: pulsar
       chart: pulsar-3.1.0
       release: release-name
       heritage: Helm
       cluster: release-name-pulsar
       component: proxy
   data:
     clusterName: release-name-pulsar
     statusFilePath: "/pulsar/status"
     # prometheus needs to access /metrics endpoint
     webServicePort: "8080"
     servicePort: "6650"
     brokerServiceURL: pulsar://release-name-pulsar-broker:6650
     brokerWebServiceURL: http://release-name-pulsar-broker:8080
   
     # Authentication Settings
     authenticationEnabled: "true"
     # disable authorization on proxy and forward authorization credentials to 
broker
     authorizationEnabled: "false"
     forwardAuthorizationCredentials: "true"
     superUserRoles: admin,broker-admin
     # token authentication configuration
     authenticationProviders: 
"org.apache.pulsar.broker.authentication.AuthenticationProviderToken"
     brokerClientAuthenticationParameters: "file:///pulsar/tokens/proxy/token"
     brokerClientAuthenticationPlugin: 
"org.apache.pulsar.client.impl.auth.AuthenticationToken"
     tokenPublicKey: "file:///pulsar/keys/token/public.key"
     PULSAR_GC: |
       -XX:+UseG1GC -XX:MaxGCPauseMillis=10 
-Dio.netty.leakDetectionLevel=disabled -Dio.netty.recycler.linkCapacity=1024 
-XX:+ParallelR
   efProcEnabled -XX:+UnlockExperimentalVMOptions -XX:+DoEscapeAnalysis 
-XX:ParallelGCThreads=4 -XX:ConcGCThreads=4 -XX:G1NewSizePercen
   t=50 -XX:+DisableExplicitGC -XX:-ResizePLAB -XX:+ExitOnOutOfMemoryError 
-XX:+PerfDisableSharedMem
     PULSAR_MEM: |
       -Xms64m -Xmx64m -XX:MaxDirectMemorySize=64m
     httpNumThreads: "8"
   ``` 
   
   and in proxy's statefulset:
   ```
           - name: proxy-token
             secret:
               secretName: "release-name-token-proxy-admin"
               items:
                 - key: TOKEN
                   path: proxy/token
   ```
   
   The token should have the role `proxy-admin`. 
   
   Use this command in a proxy pod shell to check the content and role of the 
token:
   ```
   ./bin/pulsar tokens show -f /pulsar/tokens/proxy/token
   ```
   
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to