HistoryGift opened a new issue #11257:
URL: https://github.com/apache/pulsar/issues/11257


   **Describe the bug**
   A clear and concise description of what the bug is.
   
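   The broker cluster and the proxy are configured with Kerberos. The client can access the broker directly using the client/xxx keytab without any problem, but access through the proxy does not return the correct result. The client can also access the broker directly using the proxy's keytab without any problem.
   
   The environment is as follows: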
   Broker  10.2.177.39
   Proxy   10.2.177.48
   
   1.1) Broker_jaas.conf
   PulsarBroker {  
      keyTab="/opt/brokers/conf/broker_10.2.177.39.keytab"
      principal="broker/[email protected]";
   };
   
   PulsarClient { 
      keyTab="/opt/brokers/conf/client_10.2.177.39.keytab"
      principal="client/[email protected]";
   };
   1.2) Broker.conf
   clusterName=pulsar-cluster
   proxyRoles=proxy
   authenticateOriginalAuthData=true
   authenticationEnabled=true
   authenticationProviders=org.apache.pulsar.broker.authentication.AuthenticationProviderSasl
   authorizationEnabled=true
   authorizationProvider=org.apache.pulsar.broker.authorization.PulsarAuthorizationProvider
   authorizationAllowWildcardsMatching=true
   superUserRoles=proxy,client
   brokerClientAuthenticationPlugin=org.apache.pulsar.client.impl.auth.AuthenticationSasl
   brokerClientAuthenticationParameters={"saslJaasClientSectionName":"PulsarClient", "serverType":"broker"}
   saslJaasClientAllowedIds=.*[a-zA-Z].*
   saslJaasBrokerSectionName=PulsarBroker
   
   1.3) proxy_jaas.conf
   PulsarProxy {
      keyTab="/opt/proxys/conf/proxy_10.2.177.48.keytab"
      principal="proxy/[email protected]";
   };
   
   PulsarClient {
      keyTab="/opt/proxys/conf/client_10.2.177.48.keytab"
      principal="client/[email protected]";
   };
   1.4) proxy.conf
   brokerServiceURL=pulsar://10.2.177.39:6650/
   brokerWebServiceURL=http://10.2.177.39:8080/
   superUserRoles=client,proxy
   authorizationEnabled=true
   authorizationProvider=org.apache.pulsar.broker.authorization.PulsarAuthorizationProvider
   authenticationEnabled=true
   authenticationProviders=org.apache.pulsar.broker.authentication.AuthenticationProviderSasl
   anonymousUserRole=
   saslJaasClientAllowedIds=.*client.*
   saslJaasBrokerSectionName=PulsarProxy
   brokerClientAuthenticationPlugin=org.apache.pulsar.client.impl.auth.AuthenticationSasl
   brokerClientAuthenticationParameters={"saslJaasClientSectionName":"PulsarProxy", "serverType":"broker"}
   clusterName=pulsar-cluster
   
   1.5) client.conf
   webServiceUrl=http://10.2.177.48:8080/
   brokerServiceUrl=pulsar://10.2.177.48:6650/
   authPlugin=org.apache.pulsar.client.impl.auth.AuthenticationSasl
   authParams={"saslJaasClientSectionName":"PulsarClient", "serverType":"proxy"}
   
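   Command run on the client:
   bin/pulsar-admin clusters list  returns HTTP 401 Unauthorized
   The broker log reports the error: WARN  org.apache.pulsar.broker.web.AuthenticationFilter - [10.2.177.48] Failed to authenticate HTTP request: Invalid signature
   
   Changing superUserRoles=proxy/[email protected],client/[email protected] in the broker also produces the same error. I would like to know what configuration I am missing, or what I have configured incorrectly.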

