srmarjani opened a new issue, #3354:
URL: https://github.com/apache/polaris/issues/3354

   ### Describe the bug
   
   Hi
   When using the Helm chart with authentication.type=internal and 
bootstrapping a realm and client via polaris-admin-tool, the OAuth token 
endpoint returns an error:
   `{"error":{"message":"Last unit does not have enough valid bits","type":"IllegalArgumentException","code":400}}`
   
   This happens when calling /api/catalog/v1/oauth/tokens with 
grant_type=client_credentials.
   
   ```yaml
   replicaCount: 1
   
   image:
     repository: apache/polaris
     pullPolicy: IfNotPresent
     tag: "1.2.0-incubating"
   
   resources:
     limits:
       cpu: 500m
       memory: 2Gi
     requests:
       cpu: 500m
       memory: 2Gi
   
   advancedConfig:
     s3.endpoint: "http://s3.thr2.sotoon.ir/"
   
   extraEnv:
     - name: AWS_STORAGE_BUCKET
       value: "s3://your-bucket-name/warehouse/"
   
   logging:
     level: DEBUG
     console:
       enabled: true
       threshold: ALL
       json: false
       format: "%d{yyyy-MM-dd HH:mm:ss,SSS} %-5p [%c{3.}] [%X{requestId},%X{realmId}] [%X{traceId},%X{parentId},%X{spanId},%X{sampled}] (%t) %s%e%n"
     categories:
       org.apache.polaris: DEBUG
       org.apache.iceberg.rest: DEBUG
   
   realmContext:
     type: default
     realms:
       - POLARIS
   
   persistence:
     type: relational-jdbc
     relationalJdbc:
       secret:
         name: data-stack-secret
         username: POLARIS_DB_USER
         password: POLARIS_DB_PASSWORD
         jdbcUrl: POLARIS_JDBC_URL
   
   storage:
     secret:
       name: data-stack-secret
       awsAccessKeyId: S3_ACCESS_KEY_ID
       awsSecretAccessKey: S3_SECRET_ACCESS_KEY
   
   authentication:
     type: internal
     authenticator:
       type: default
     tokenService:
       type: default
     tokenBroker:
       type: rsa-key-pair
       maxTokenGeneration: PT1H
       secret:
         name: data-stack-secret
         rsaKeyPair:
           publicKey: POLARIS_PUBLIC_KEY
           privateKey: POLARIS_PRIVATE_KEY
         symmetricKey:
           secretKey: POLARIS_SYMMETRIC_KEY
     realmOverrides: {}
   ```
   
   Kubernetes secret data-stack-secret contains the fields referenced above (including RSA keys).
   
   ### To Reproduce
   
   1. Deploy Polaris with the Helm values above.
   
   2. Bootstrap the realm and admin client using the admin tool inside the pod:
   ```bash
   java -jar /deployments/polaris-admin-tool.jar bootstrap -r POLARIS -c "POLARIS,admin,admin"
   ```
   Output:
   ```
   Realm 'POLARIS' successfully bootstrapped.
   Bootstrap completed successfully.
   ```
   
   3. Request Token:
   ```bash
   curl -X POST \
     http://polaris.data-compute.svc.cluster.local:8181/api/catalog/v1/oauth/tokens \
     -H "Content-Type: application/x-www-form-urlencoded" \
     -d "grant_type=client_credentials" \
     -d "client_id=admin" \
     -d "client_secret=admin" \
     -d "scope=PRINCIPAL_ROLE:ALL"
   ```
   
   4. Response:
   ```json
   {"error":{"message":"Last unit does not have enough valid bits","type":"IllegalArgumentException","code":400}}
   ```
   
   
   ### Actual Behavior
   
   The server responds with HTTP 400 and the error:
   `{"error":{"message":"Last unit does not have enough valid bits","type":"IllegalArgumentException","code":400}}`
   From the error message, it appears something fails during Base64/Base32 
decoding internally.
   
   ### Expected Behavior
   
   A valid access token should be returned for the admin client, e.g. a JSON 
object containing access_token, token_type, expires_in, etc.
   
   ### Additional context
   
   Polaris image: apache/polaris:1.2.0-incubating
   Deployment: Kubernetes (Helm chart)
   Authentication: type: internal, tokenBroker.type: rsa-key-pair
   Java (inside container): whatever version is bundled with the 
1.2.0-incubating image
   Database: PostgreSQL
   Kubernetes: 
   Helm chart version:
   
   ### System information
   
   The realm bootstrap completes successfully, so DB connectivity and basic 
configuration seem OK.
   The RSA keys are provided via Kubernetes secret data-stack-secret using the 
fields:
   POLARIS_PUBLIC_KEY
   POLARIS_PRIVATE_KEY
   If there are specific expected formats (PEM vs raw, Base64, etc.) or 
additional configuration required for the RSA key pair in the Helm chart, this 
may not be clearly documented.
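
The error text in this report matches the message `java.util.Base64`'s decoder raises when the final group of its input holds a single character. As an added example (not code from the issue or from Polaris), this Python check classifies each field of a secret by how a strict Base64 decoder would treat it. The sample values are constructed placeholders, and which encoding Polaris expects for these fields is not stated on this page.

```python
import base64
import re

# Strict Base64: alphabet characters followed by at most two '=' pads.
B64 = re.compile(r"[A-Za-z0-9+/]*={0,2}")
PEM = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)

def classify(value: str) -> str:
    """Report how a strict Base64 decoder would treat one configured value."""
    m = PEM.search(value)
    # Inside PEM armor the body is line-wrapped, so whitespace is dropped there only.
    body = "".join(m.group(2).split()) if m else value
    if not body:
        return "empty"
    if not B64.fullmatch(body):
        return "illegal-character"      # includes a stray trailing newline
    if len(body.rstrip("=")) % 4 == 1:
        # A lone final character carries 6 bits, less than one byte.
        return "truncated-last-unit"
    if len(body) % 4:
        return "bad-padding"
    return f"pem:{m.group(1)}" if m else "base64"

def audit(fields: dict) -> dict:
    """Classify every field of a secret, keyed by field name."""
    return {name: classify(value) for name, value in fields.items()}

def _pem(label: str, body: str) -> str:
    """Wrap a Base64 body in PEM armor for the constructed samples."""
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

# Constructed placeholder data, not real key material.
_BODY = base64.b64encode(bytes(range(48))).decode()          # 64 characters
SAMPLE = {
    "POLARIS_PUBLIC_KEY": _pem("PUBLIC KEY", _BODY),
    "POLARIS_PRIVATE_KEY": _pem("PRIVATE KEY", _BODY[:-3]),  # damaged copy
    "POLARIS_SYMMETRIC_KEY": base64.b64encode(bytes(32)).decode() + "\n",
}

if __name__ == "__main__":
    for name, verdict in audit(SAMPLE).items():
        print(f"{name}: {verdict}")
```

Run against the decoded values of the real secret, any field reported as `truncated-last-unit` is a candidate for the failing input.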

