Configure OAuth principal.builder.class also for controllers #9682

Merged
merged 2 commits into from Feb 14, 2024

im-konge
Member

Type of change

  • Fixup

Description

Currently, when we are using OAuth authentication with Keycloak authorization, it works fine for ZK mode and KRaft mode with Kafka nodes that have mixed roles (controller and broker). But if we switch to KRaft mode with separate roles set for the nodes (so separate NodePool for controllers and for brokers), the controller Pods are not starting because of this exception:

2024-02-13 15:15:50,159 ERROR Encountered fatal fault: caught exception (org.apache.kafka.server.fault.ProcessTerminatingFaultHandler) [main]
io.strimzi.kafka.oauth.common.ConfigException: This authorizer requires io.strimzi.kafka.oauth.server.OAuthKafkaPrincipalBuilder as 'principal.builder.class'
        at io.strimzi.kafka.oauth.server.authorizer.Configuration.<init>(Configuration.java:113)
        at io.strimzi.kafka.oauth.server.authorizer.KeycloakAuthorizer.configure(KeycloakAuthorizer.java:73)
        at kafka.server.ControllerServer.$anonfun$startup$11(ControllerServer.scala:157)
        at kafka.server.ControllerServer.$anonfun$startup$11$adapted(ControllerServer.scala:157)
        at scala.Option.foreach(Option.scala:437)
        at kafka.server.ControllerServer.startup(ControllerServer.scala:157)
        at kafka.server.KafkaRaftServer.$anonfun$startup$1(KafkaRaftServer.scala:95)
        at kafka.server.KafkaRaftServer.$anonfun$startup$1$adapted(KafkaRaftServer.scala:95)
        at scala.Option.foreach(Option.scala:437)
        at kafka.server.KafkaRaftServer.startup(KafkaRaftServer.scala:95)
        at kafka.Kafka$.main(Kafka.scala:113)
        at kafka.Kafka.main(Kafka.scala)

That's happening because we are not setting the principal.builder.class for controller nodes.

This PR moves the configureOAuthPrincipalBuilderIfNeeded method outside of the if block that contains operations for non-controller nodes.

Checklist

  • Make sure all tests pass

Signed-off-by: Lukas Kral <lukywill16@gmail.com>
Signed-off-by: Lukas Kral <lukywill16@gmail.com>
@im-konge im-konge self-assigned this Feb 13, 2024
@im-konge im-konge added this to the 0.40.0 milestone Feb 13, 2024
@scholzj
Member

scholzj commented Feb 13, 2024

/azp run kraft-regression

Azure Pipelines successfully started running 1 pipeline(s).

@scholzj scholzj merged commit 891624a into strimzi:main Feb 14, 2024
21 checks passed
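
The condition behind the exception in the description can be checked on a rendered node configuration before a Pod starts. The following is an added example, not code from this PR or from Strimzi: it assumes the node configuration is plain `key=value` properties text, that the authorizer is selected through Kafka's `authorizer.class.name`, and that an exact class-name match is what the authorizer expects; the sample configs are constructed.

```python
KEYCLOAK_AUTHORIZER = "io.strimzi.kafka.oauth.server.authorizer.KeycloakAuthorizer"
OAUTH_PRINCIPAL_BUILDER = "io.strimzi.kafka.oauth.server.OAuthKafkaPrincipalBuilder"


def parse_properties(text):
    """Parse simple key=value properties text ('#' and '!' start comments)."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def check_node_config(text):
    """Return findings for one node config; an empty list means no problem found."""
    props = parse_properties(text)
    if props.get("authorizer.class.name") != KEYCLOAK_AUTHORIZER:
        return []  # the Keycloak authorizer is not in use on this node
    builder = props.get("principal.builder.class")
    if builder == OAUTH_PRINCIPAL_BUILDER:
        return []
    roles = props.get("process.roles", "unset")
    return [f"process.roles={roles}: KeycloakAuthorizer is configured but "
            f"principal.builder.class is {builder or 'missing'}"]


# Constructed sample configs (not taken from a real cluster).
CONTROLLER_BEFORE_FIX = """\
process.roles=controller
node.id=0
authorizer.class.name=io.strimzi.kafka.oauth.server.authorizer.KeycloakAuthorizer
"""
CONTROLLER_AFTER_FIX = (CONTROLLER_BEFORE_FIX
                        + "principal.builder.class=" + OAUTH_PRINCIPAL_BUILDER + "\n")
BROKER_NO_KEYCLOAK = """\
process.roles=broker
node.id=1
"""

if __name__ == "__main__":
    for name, cfg in (("controller before fix", CONTROLLER_BEFORE_FIX),
                      ("controller after fix", CONTROLLER_AFTER_FIX),
                      ("broker without Keycloak", BROKER_NO_KEYCLOAK)):
        print(name, "->", check_node_config(cfg) or "ok")
```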