Troubles testing using standalone cluster and authentication/authorization #22718

srenatus · 2024-05-15T14:12:34Z

srenatus
May 15, 2024

I'm using testcontainers-go's pulsar module to start a Pulsar instance in integration tests. It's all hunky dory until I've added some environment variables to enable authentication and authorization:

			tc_pulsar.WithPulsarEnv("authenticationEnabled", "true"),
			tc_pulsar.WithPulsarEnv("authorizationEnabled", "true"),
			tc_pulsar.WithPulsarEnv("tokenSecretKey", testSecretKey),
			tc_pulsar.WithPulsarEnv("authenticationProviders", "org.apache.pulsar.broker.authentication.AuthenticationProviderToken"),
			tc_pulsar.WithPulsarEnv("superUserRoles", "admin")

The WithPulsarEnv function will prepend PULSAR_PREFIX_ to the key and set the env var for the container. It does what it's supposed to do -- I can connect to the broker afterwards with that token, but during standalone startup, it fails to create the cluster/tenant/namespace -- So I cannot use that from my tests like I could without authentication/authorization. Am I missing something? Is this the wrong method to set up authn/authz? Thanks!

More details

These are the first few lines of container logs:

[/pulsar/conf/standalone.conf] Updating config authenticationEnabled = true
[/pulsar/conf/standalone.conf] Updating config authenticationProviders = org.apache.pulsar.broker.authentication.AuthenticationProviderToken
[/pulsar/conf/standalone.conf] Updating config authorizationEnabled = true
[/pulsar/conf/standalone.conf] Updating config superUserRoles = admin
[/pulsar/conf/standalone.conf] Updating config tokenSecretKey = ********

not more -- so I could have forgotten to update something else. Have I?

The first failure-ish thing I see in the logs is this:

2024-05-16T07:51:03,103+0000 [pulsar-web-47-15] WARN  org.apache.pulsar.broker.web.AuthenticationFilter - [192.168.215.1] Failed to authenticate HTTP request: Authentication required
2024-05-16T07:51:03,143+0000 [pulsar-web-47-15] INFO  org.eclipse.jetty.server.RequestLog - 192.168.215.1 - - [16/May/2024:07:51:03 +0000] "GET /admin/v2/clusters HTTP/1.1" 401 556 "-" "Go-http-client/1.1" 64
2024-05-16T07:51:03,297+0000 [pulsar-io-18-1] INFO  org.apache.pulsar.broker.service.ServerCnx - [/192.168.215.1:50712] connected with role=admin using authMethod=token, clientVersion=Pulsar Go version unknown, clientProtocolVersion=18, proxyVersion=null
2024-05-16T07:51:03,323+0000 [pulsar-io-18-1] WARN  org.apache.pulsar.broker.web.PulsarWebResource - Namespace public/default not found
2024-05-16T07:51:03,344+0000 [pulsar-io-18-1] WARN  org.apache.pulsar.broker.service.ServerCnx - Failed to get Partitioned Metadata [/192.168.215.1:50712] persistent://public/default/cipot: Namespace not found
org.apache.pulsar.broker.web.RestException: Namespace not found
	at org.apache.pulsar.broker.web.PulsarWebResource.lambda$checkLocalOrGetPeerReplicationCluster$29(PulsarWebResource.java:932) ~[org.apache.pulsar-pulsar-broker-3.2.2.jar:3.2.2]
	at java.util.concurrent.CompletableFuture.uniAcceptNow(CompletableFuture.java:757) ~[?:?]
	at java.util.concurrent.CompletableFuture.uniAcceptStage(CompletableFuture.java:735) ~[?:?]
	at java.util.concurrent.CompletableFuture.thenAccept(CompletableFuture.java:2182) ~[?:?]
	at org.apache.pulsar.broker.web.PulsarWebResource.checkLocalOrGetPeerReplicationCluster(PulsarWebResource.java:891) ~[org.apache.pulsar-pulsar-broker-3.2.2.jar:3.2.2]
	at org.apache.pulsar.broker.admin.impl.PersistentTopicsBase.unsafeGetPartitionedTopicMetadataAsync(PersistentTopicsBase.java:4416) ~[org.apache.pulsar-pulsar-broker-3.2.2.jar:3.2.2]
	at org.apache.pulsar.broker.service.ServerCnx.lambda$handlePartitionMetadataRequest$7(ServerCnx.java:609) ~[org.apache.pulsar-pulsar-broker-3.2.2.jar:3.2.2]

Where the cipot topic suggests that it's from my test code, which tries to publish a message on that topic.

However, I suspect that this is just running too early -- I can fix that. Further down in the logs, I find this:

2024-05-16T07:51:03,983+0000 [main] ERROR org.apache.pulsar.PulsarStandalone - Failed to create namespace public/default on cluster standalone and tenant public
org.apache.pulsar.client.admin.PulsarAdminException$NotAuthorizedException: HTTP 401 {
"servlet":"org.glassfish.jersey.servlet.ServletContainer-4c3de38e",
"message":"Authentication required",
"url":"/admin/v2/clusters",
"status":"401"
}
	at org.apache.pulsar.client.admin.PulsarAdminException.wrap(PulsarAdminException.java:252) ~[org.apache.pulsar-pulsar-client-admin-api-3.2.2.jar:3.2.2]
	at org.apache.pulsar.client.admin.internal.BaseResource.sync(BaseResource.java:352) ~[org.apache.pulsar-pulsar-client-admin-original-3.2.2.jar:3.2.2]
	at org.apache.pulsar.client.admin.internal.ClustersImpl.getClusters(ClustersImpl.java:57) ~[org.apache.pulsar-pulsar-client-admin-original-3.2.2.jar:3.2.2]
	at org.apache.pulsar.PulsarStandalone.createNameSpace(PulsarStandalone.java:375) ~[org.apache.pulsar-pulsar-broker-3.2.2.jar:3.2.2]
	at org.apache.pulsar.PulsarStandalone.start(PulsarStandalone.java:354) ~[org.apache.pulsar-pulsar-broker-3.2.2.jar:3.2.2]
	at org.apache.pulsar.PulsarStandaloneStarter.main(PulsarStandaloneStarter.java:149) ~[org.apache.pulsar-pulsar-broker-3.2.2.jar:3.2.2]
	Suppressed: org.apache.pulsar.client.admin.PulsarAdminException$NotAuthorizedException: HTTP 401 {
"servlet":"org.glassfish.jersey.servlet.ServletContainer-4c3de38e",
"message":"Authentication required",
"url":"/admin/v2/clusters",
"status":"401"
}
		at org.apache.pulsar.client.admin.internal.BaseResource.getApiException(BaseResource.java:281) ~[org.apache.pulsar-pulsar-client-admin-original-3.2.2.jar:3.2.2]
		at org.apache.pulsar.client.admin.internal.BaseResource$FutureCallback.failed(BaseResource.java:373) ~[org.apache.pulsar-pulsar-client-admin-original-3.2.2.jar:3.2.2]
		at org.glassfish.jersey.client.JerseyInvocation$1.failed(JerseyInvocation.java:882) ~[org.glassfish.jersey.core-jersey-client-2.34.jar:?]
		at org.glassfish.jersey.client.JerseyInvocation$1.completed(JerseyInvocation.java:863) ~[org.glassfish.jersey.core-jersey-client-2.34.jar:?]
		at org.glassfish.jersey.client.ClientRuntime.processResponse(ClientRuntime.java:229) ~[org.glassfish.jersey.core-jersey-client-2.34.jar:?]
		at org.glassfish.jersey.client.ClientRuntime.access$200(ClientRuntime.java:62) ~[org.glassfish.jersey.core-jersey-client-2.34.jar:?]
		at org.glassfish.jersey.client.ClientRuntime$2.lambda$response$0(ClientRuntime.java:173) ~[org.glassfish.jersey.core-jersey-client-2.34.jar:?]
		at org.glassfish.jersey.internal.Errors$1.call(Errors.java:248) ~[org.glassfish.jersey.core-jersey-common-2.34.jar:?]
		at org.glassfish.jersey.internal.Errors$1.call(Errors.java:244) ~[org.glassfish.jersey.core-jersey-common-2.34.jar:?]
		at org.glassfish.jersey.internal.Errors.process(Errors.java:292) ~[org.glassfish.jersey.core-jersey-common-2.34.jar:?]
		at org.glassfish.jersey.internal.Errors.process(Errors.java:274) ~[org.glassfish.jersey.core-jersey-common-2.34.jar:?]
		at org.glassfish.jersey.internal.Errors.process(Errors.java:244) ~[org.glassfish.jersey.core-jersey-common-2.34.jar:?]
		at org.glassfish.jersey.process.internal.RequestScope.runInScope(RequestScope.java:288) ~[org.glassfish.jersey.core-jersey-common-2.34.jar:?]
		at org.glassfish.jersey.client.ClientRuntime$2.response(ClientRuntime.java:173) ~[org.glassfish.jersey.core-jersey-client-2.34.jar:?]
		at org.apache.pulsar.client.admin.internal.http.AsyncHttpConnector.lambda$apply$1(AsyncHttpConnector.java:254) ~[org.apache.pulsar-pulsar-client-admin-original-3.2.2.jar:3.2.2]
		at java.util.concurrent.CompletableFuture.uniWhenComplete(CompletableFuture.java:863) ~[?:?]
		at java.util.concurrent.CompletableFuture$UniWhenComplete.tryFire(CompletableFuture.java:841) ~[?:?]
		at java.util.concurrent.CompletableFuture.postComplete(CompletableFuture.java:510) ~[?:?]
		at java.util.concurrent.CompletableFuture.complete(CompletableFuture.java:2147) ~[?:?]
		at org.apache.pulsar.client.admin.internal.http.AsyncHttpConnector.lambda$retryOperation$4(AsyncHttpConnector.java:296) ~[org.apache.pulsar-pulsar-client-admin-original-3.2.2.jar:3.2.2]
		at java.util.concurrent.CompletableFuture.uniWhenComplete(CompletableFuture.java:863) ~[?:?]
		at java.util.concurrent.CompletableFuture$UniWhenComplete.tryFire(CompletableFuture.java:841) ~[?:?]
		at java.util.concurrent.CompletableFuture.postComplete(CompletableFuture.java:510) ~[?:?]
		at java.util.concurrent.CompletableFuture.complete(CompletableFuture.java:2147) ~[?:?]
		at org.asynchttpclient.netty.NettyResponseFuture.loadContent(NettyResponseFuture.java:222) ~[org.asynchttpclient-async-http-client-2.12.1.jar:?]
		at org.asynchttpclient.netty.NettyResponseFuture.done(NettyResponseFuture.java:257) ~[org.asynchttpclient-async-http-client-2.12.1.jar:?]
		at org.asynchttpclient.netty.handler.AsyncHttpClientHandler.finishUpdate(AsyncHttpClientHandler.java:241) ~[org.asynchttpclient-async-http-client-2.12.1.jar:?]
		at org.asynchttpclient.netty.handler.HttpHandler.handleChunk(HttpHandler.java:114) ~[org.asynchttpclient-async-http-client-2.12.1.jar:?]
		at org.asynchttpclient.netty.handler.HttpHandler.handleRead(HttpHandler.java:143) ~[org.asynchttpclient-async-http-client-2.12.1.jar:?]
		at org.asynchttpclient.netty.handler.AsyncHttpClientHandler.channelRead(AsyncHttpClientHandler.java:78) ~[org.asynchttpclient-async-http-client-2.12.1.jar:?]
		at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:444) ~[io.netty-netty-transport-4.1.105.Final.jar:4.1.105.Final]
		at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420) ~[io.netty-netty-transport-4.1.105.Final.jar:4.1.105.Final]
		at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:412) ~[io.netty-netty-transport-4.1.105.Final.jar:4.1.105.Final]
		at io.netty.handler.codec.MessageToMessageDecoder.channelRead(MessageToMessageDecoder.java:103) ~[io.netty-netty-codec-4.1.105.Final.jar:4.1.105.Final]
		at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:444) ~[io.netty-netty-transport-4.1.105.Final.jar:4.1.105.Final]
		at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420) ~[io.netty-netty-transport-4.1.105.Final.jar:4.1.105.Final]
		at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:412) ~[io.netty-netty-transport-4.1.105.Final.jar:4.1.105.Final]
		at io.netty.channel.CombinedChannelDuplexHandler$DelegatingChannelHandlerContext.fireChannelRead(CombinedChannelDuplexHandler.java:436) ~[io.netty-netty-transport-4.1.105.Final.jar:4.1.105.Final]
		at io.netty.handler.codec.ByteToMessageDecoder.fireChannelRead(ByteToMessageDecoder.java:346) ~[io.netty-netty-codec-4.1.105.Final.jar:4.1.105.Final]
		at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:318) ~[io.netty-netty-codec-4.1.105.Final.jar:4.1.105.Final]
		at io.netty.channel.CombinedChannelDuplexHandler.channelRead(CombinedChannelDuplexHandler.java:251) ~[io.netty-netty-transport-4.1.105.Final.jar:4.1.105.Final]
		at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:442) ~[io.netty-netty-transport-4.1.105.Final.jar:4.1.105.Final]
		at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420) ~[io.netty-netty-transport-4.1.105.Final.jar:4.1.105.Final]
		at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:412) ~[io.netty-netty-transport-4.1.105.Final.jar:4.1.105.Final]
		at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1410) ~[io.netty-netty-transport-4.1.105.Final.jar:4.1.105.Final]
		at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:440) ~[io.netty-netty-transport-4.1.105.Final.jar:4.1.105.Final]
		at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420) ~[io.netty-netty-transport-4.1.105.Final.jar:4.1.105.Final]
		at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:919) ~[io.netty-netty-transport-4.1.105.Final.jar:4.1.105.Final]
		at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:166) ~[io.netty-netty-transport-4.1.105.Final.jar:4.1.105.Final]
		at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:788) ~[io.netty-netty-transport-4.1.105.Final.jar:4.1.105.Final]
		at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:724) ~[io.netty-netty-transport-4.1.105.Final.jar:4.1.105.Final]
		at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:650) ~[io.netty-netty-transport-4.1.105.Final.jar:4.1.105.Final]
		at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:562) ~[io.netty-netty-transport-4.1.105.Final.jar:4.1.105.Final]
		at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:997) ~[io.netty-netty-common-4.1.105.Final.jar:4.1.105.Final]
		at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74) ~[io.netty-netty-common-4.1.105.Final.jar:4.1.105.Final]
		at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30) ~[io.netty-netty-common-4.1.105.Final.jar:4.1.105.Final]
		at java.lang.Thread.run(Thread.java:840) ~[?:?]
	Caused by: javax.ws.rs.NotAuthorizedException: HTTP 401 {
"servlet":"org.glassfish.jersey.servlet.ServletContainer-4c3de38e",
"message":"Authentication required",
"url":"/admin/v2/clusters",
"status":"401"
}
		at org.glassfish.jersey.client.JerseyInvocation.convertToException(JerseyInvocation.java:942) ~[org.glassfish.jersey.core-jersey-client-2.34.jar:?]
		at org.glassfish.jersey.client.JerseyInvocation.access$700(JerseyInvocation.java:82) ~[org.glassfish.jersey.core-jersey-client-2.34.jar:?]
		... 54 more
Caused by: javax.ws.rs.NotAuthorizedException: HTTP 401 {
"servlet":"org.glassfish.jersey.servlet.ServletContainer-4c3de38e",
"message":"Authentication required",
"url":"/admin/v2/clusters",
"status":"401"
}
	at org.glassfish.jersey.client.JerseyInvocation.convertToException(JerseyInvocation.java:942) ~[org.glassfish.jersey.core-jersey-client-2.34.jar:?]
	at org.glassfish.jersey.client.JerseyInvocation.access$700(JerseyInvocation.java:82) ~[org.glassfish.jersey.core-jersey-client-2.34.jar:?]
	at org.glassfish.jersey.client.JerseyInvocation$1.completed(JerseyInvocation.java:863) ~[org.glassfish.jersey.core-jersey-client-2.34.jar:?]
	at org.glassfish.jersey.client.ClientRuntime.processResponse(ClientRuntime.java:229) ~[org.glassfish.jersey.core-jersey-client-2.34.jar:?]
	at org.glassfish.jersey.client.ClientRuntime.access$200(ClientRuntime.java:62) ~[org.glassfish.jersey.core-jersey-client-2.34.jar:?]
	at org.glassfish.jersey.client.ClientRuntime$2.lambda$response$0(ClientRuntime.java:173) ~[org.glassfish.jersey.core-jersey-client-2.34.jar:?]
	at org.glassfish.jersey.internal.Errors$1.call(Errors.java:248) ~[org.glassfish.jersey.core-jersey-common-2.34.jar:?]
	at org.glassfish.jersey.internal.Errors$1.call(Errors.java:244) ~[org.glassfish.jersey.core-jersey-common-2.34.jar:?]
	at org.glassfish.jersey.internal.Errors.process(Errors.java:292) ~[org.glassfish.jersey.core-jersey-common-2.34.jar:?]
	at org.glassfish.jersey.internal.Errors.process(Errors.java:274) ~[org.glassfish.jersey.core-jersey-common-2.34.jar:?]
	at org.glassfish.jersey.internal.Errors.process(Errors.java:244) ~[org.glassfish.jersey.core-jersey-common-2.34.jar:?]
	at org.glassfish.jersey.process.internal.RequestScope.runInScope(RequestScope.java:288) ~[org.glassfish.jersey.core-jersey-common-2.34.jar:?]
	at org.glassfish.jersey.client.ClientRuntime$2.response(ClientRuntime.java:173) ~[org.glassfish.jersey.core-jersey-client-2.34.jar:?]
	at org.apache.pulsar.client.admin.internal.http.AsyncHttpConnector.lambda$apply$1(AsyncHttpConnector.java:254) ~[org.apache.pulsar-pulsar-client-admin-original-3.2.2.jar:3.2.2]
	at java.util.concurrent.CompletableFuture.uniWhenComplete(CompletableFuture.java:863) ~[?:?]
	at java.util.concurrent.CompletableFuture$UniWhenComplete.tryFire(CompletableFuture.java:841) ~[?:?]
	at java.util.concurrent.CompletableFuture.postComplete(CompletableFuture.java:510) ~[?:?]
	at java.util.concurrent.CompletableFuture.complete(CompletableFuture.java:2147) ~[?:?]
	at org.apache.pulsar.client.admin.internal.http.AsyncHttpConnector.lambda$retryOperation$4(AsyncHttpConnector.java:296) ~[org.apache.pulsar-pulsar-client-admin-original-3.2.2.jar:3.2.2]
	at java.util.concurrent.CompletableFuture.uniWhenComplete(CompletableFuture.java:863) ~[?:?]
	at java.util.concurrent.CompletableFuture$UniWhenComplete.tryFire(CompletableFuture.java:841) ~[?:?]
	at java.util.concurrent.CompletableFuture.postComplete(CompletableFuture.java:510) ~[?:?]
	at java.util.concurrent.CompletableFuture.complete(CompletableFuture.java:2147) ~[?:?]
	at org.asynchttpclient.netty.NettyResponseFuture.loadContent(NettyResponseFuture.java:222) ~[org.asynchttpclient-async-http-client-2.12.1.jar:?]
	at org.asynchttpclient.netty.NettyResponseFuture.done(NettyResponseFuture.java:257) ~[org.asynchttpclient-async-http-client-2.12.1.jar:?]
	at org.asynchttpclient.netty.handler.AsyncHttpClientHandler.finishUpdate(AsyncHttpClientHandler.java:241) ~[org.asynchttpclient-async-http-client-2.12.1.jar:?]
	at org.asynchttpclient.netty.handler.HttpHandler.handleChunk(HttpHandler.java:114) ~[org.asynchttpclient-async-http-client-2.12.1.jar:?]
	at org.asynchttpclient.netty.handler.HttpHandler.handleRead(HttpHandler.java:143) ~[org.asynchttpclient-async-http-client-2.12.1.jar:?]
	at org.asynchttpclient.netty.handler.AsyncHttpClientHandler.channelRead(AsyncHttpClientHandler.java:78) ~[org.asynchttpclient-async-http-client-2.12.1.jar:?]
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:444) ~[io.netty-netty-transport-4.1.105.Final.jar:4.1.105.Final]
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420) ~[io.netty-netty-transport-4.1.105.Final.jar:4.1.105.Final]
	at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:412) ~[io.netty-netty-transport-4.1.105.Final.jar:4.1.105.Final]
	at io.netty.handler.codec.MessageToMessageDecoder.channelRead(MessageToMessageDecoder.java:103) ~[io.netty-netty-codec-4.1.105.Final.jar:4.1.105.Final]
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:444) ~[io.netty-netty-transport-4.1.105.Final.jar:4.1.105.Final]
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420) ~[io.netty-netty-transport-4.1.105.Final.jar:4.1.105.Final]
	at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:412) ~[io.netty-netty-transport-4.1.105.Final.jar:4.1.105.Final]
	at io.netty.channel.CombinedChannelDuplexHandler$DelegatingChannelHandlerContext.fireChannelRead(CombinedChannelDuplexHandler.java:436) ~[io.netty-netty-transport-4.1.105.Final.jar:4.1.105.Final]
	at io.netty.handler.codec.ByteToMessageDecoder.fireChannelRead(ByteToMessageDecoder.java:346) ~[io.netty-netty-codec-4.1.105.Final.jar:4.1.105.Final]
	at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:318) ~[io.netty-netty-codec-4.1.105.Final.jar:4.1.105.Final]
	at io.netty.channel.CombinedChannelDuplexHandler.channelRead(CombinedChannelDuplexHandler.java:251) ~[io.netty-netty-transport-4.1.105.Final.jar:4.1.105.Final]
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:442) ~[io.netty-netty-transport-4.1.105.Final.jar:4.1.105.Final]
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420) ~[io.netty-netty-transport-4.1.105.Final.jar:4.1.105.Final]
	at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:412) ~[io.netty-netty-transport-4.1.105.Final.jar:4.1.105.Final]
	at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1410) ~[io.netty-netty-transport-4.1.105.Final.jar:4.1.105.Final]
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:440) ~[io.netty-netty-transport-4.1.105.Final.jar:4.1.105.Final]
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420) ~[io.netty-netty-transport-4.1.105.Final.jar:4.1.105.Final]
	at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:919) ~[io.netty-netty-transport-4.1.105.Final.jar:4.1.105.Final]
	at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:166) ~[io.netty-netty-transport-4.1.105.Final.jar:4.1.105.Final]
	at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:788) ~[io.netty-netty-transport-4.1.105.Final.jar:4.1.105.Final]
	at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:724) ~[io.netty-netty-transport-4.1.105.Final.jar:4.1.105.Final]
	at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:650) ~[io.netty-netty-transport-4.1.105.Final.jar:4.1.105.Final]
	at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:562) ~[io.netty-netty-transport-4.1.105.Final.jar:4.1.105.Final]
	at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:997) ~[io.netty-netty-common-4.1.105.Final.jar:4.1.105.Final]
	at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74) ~[io.netty-netty-common-4.1.105.Final.jar:4.1.105.Final]
	at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30) ~[io.netty-netty-common-4.1.105.Final.jar:4.1.105.Final]
	at java.lang.Thread.run(Thread.java:840) ~[?:?

In my reading, this means the StandaloneStarter can't create the tenant/namespace because it itself is lacking authentication. How can I configure the StandaloneStarter to use the token for authn?

srenatus · 2024-05-16T08:32:03Z

srenatus
May 16, 2024
Author

I had indeed forgotten this section of the docs. Adding these env vars,

tc_pulsar.WithPulsarEnv("brokerClientAuthenticationPlugin", "org.apache.pulsar.client.impl.auth.AuthenticationToken"),
tc_pulsar.WithPulsarEnv("brokerClientAuthenticationParameters", fmt.Sprintf(`{"token": "%s"}`, testToken))

the standalone service comes up flawlessly.

The testcontainers-go waitstrategy had also to be updated -- it worked fine with this:

	tc, err := tc_pulsar.RunContainer(ctx,
		append(cs,
			tc_pulsar.WithPulsarEnv("authenticationEnabled", "true"),
			tc_pulsar.WithPulsarEnv("authorizationEnabled", "true"),
			tc_pulsar.WithPulsarEnv("tokenSecretKey", testSecretKey),
			tc_pulsar.WithPulsarEnv("authenticationProviders", "org.apache.pulsar.broker.authentication.AuthenticationProviderToken"),
			tc_pulsar.WithPulsarEnv("brokerClientAuthenticationPlugin", "org.apache.pulsar.client.impl.auth.AuthenticationToken"),
			tc_pulsar.WithPulsarEnv("brokerClientAuthenticationParameters", fmt.Sprintf(`{"token": "%s"}`, testToken)),
			tc_pulsar.WithPulsarEnv("superUserRoles", "admin"),
			testcontainers.WithImage("docker.io/apachepulsar/pulsar:3.2.2"),
			testcontainers.WithWaitStrategy(
				wait.ForHTTP("/admin/v2/clusters").
					WithHeaders(map[string]string{
						"Authorization": "Bearer " + testToken,
					}).
					WithPort("8080/tcp").
					WithStatusCodeMatcher(func(status int) bool { return status == 200 }).
					WithResponseMatcher(func(r io.Reader) bool {
						respBytes, _ := io.ReadAll(r)
						resp := string(respBytes)
						return resp == `["standalone"]`
					}),
			),
		)...)
	if err != nil {
		t.Fatalf("could not start pulsar: %s", err)
	}

testSecretKey and testToken were generated like this:

$ bin/pulsar tokens create-secret-key -o secret.key
$ bin/pulsar tokens create -sk file:///pulsar/secret.key -s admin
eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhZG1pbiJ9.DanjiED-2Aw_K96f__VNoHTtr7CW0ENYaX3zT3CHtWc
$ bin/pulsar tokens validate -sk file:///pulsar/secret.key eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhZG1pbiJ9.DanjiED-2Aw_K96f__VNoHTtr7CW0ENYaX3zT3CHtWc
{sub=admin}
$ base64 < secret.key
EpaPAaTyeQBXW3Gvv3fCzR4OW/G7iserFq7U5G3H0rg=
$ bin/pulsar tokens validate -sk "data:;base64,EpaPAaTyeQBXW3Gvv3fCzR4OW/G7iserFq7U5G3H0rg=" eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhZG1pbiJ9.DanjiED-2Aw_K96f__VNoHTtr7CW0ENYaX3zT3CHtWc
{sub=admin

in a running apache/pulsar container.

Thanks to @alpreu for helping be get unblocked 🙌

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Troubles testing using standalone cluster and authentication/authorization #22718

{{title}}

{{editor}}'s edit

{{editor}}'s edit

Replies: 1 comment

{{title}}

Select a reply

Troubles testing using standalone cluster and authentication/authorization #22718

srenatus May 15, 2024

More details

Replies: 1 comment

srenatus May 16, 2024 Author

srenatus
May 15, 2024

srenatus
May 16, 2024
Author