Describe the bug
When the Discovery Service is registering zOSMF while the Gateway is starting, there is a timing issue with authentication. The Gateway waits one minute before polling to see whether zOSMF is registered; during that minute a user can send a login request to the Gateway. This login request executes assuming zOSMF doesn't support JWTs, because the zOSMF authenticate endpoint doesn't return 401 (as it is not yet registered). Thus the Gateway attempts to use the jwtKeyAlias to create a JWT. At this point the JWT secret hasn't been loaded, because the Gateway is waiting for zOSMF to be registered with the Discovery Service before checking whether the JWT secret should be loaded. So the login request uses a null JWT key argument, throwing an error.
This is a timing problem: zOSMF can be registered with the Discovery Service while the Gateway does not yet know this and hasn't loaded the JWT key secret. A login request comes in and is routed to zOSMF because it is registered, but the JWT key secret is null as it hasn't been loaded.
Steps to Reproduce
This behaviour is easiest to see running locally with breakpoints, so put a breakpoint in JwtSecurityInitializer where waitUntilZosmfIsUp is called (currently line 96).
1. Start the discovery service, the gateway (debug mode), and mock zOSMF with AuthenticateApar applied.
2. Wait until the gateway breakpoint is hit, then allow it to pass.
3. Send a login request to the gateway. This may return Service Unavailable as zOSMF has not yet registered with the discovery service. Keep sending login requests.
4. Observe a response to the login request with IllegalArgumentException: Key argument cannot be null.
5. Wait some time (~1 minute) and send another login request. Once the gateway has polled zOSMF, the login request succeeds.
Expected behavior
Options:
1. Return Service Unavailable while the GW is waiting on zOSMF, even if zOSMF is registered with the discovery service, and only let requests through to zOSMF once the gateway has finished checking whether zOSMF supports JWT.
2. Don't let the GW finish starting until it has finished checking zOSMF.
3. If the user sets APIML_SECURITY_ZOSMF_JWT_AUTOCONFIGURATION_MODE=LTPA, load the JWT secret immediately. However, if the mode is set to AUTO there will still be a timing issue.
4. Adjust GW polling so that it uses a registered discovery client and checks on every registration event, rather than checking every minute.
5. (Bad option) Rely on documentation and logs to tell users to simply wait.
Another possible solution would be reducing the polling interval from one minute. Though this only addresses the symptom, not the cause, and would still leave the door open for future timing issues.
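The following is an added illustration of options 1, 3 and 4 in a simplified model; it is not Zowe api-layer code, and the class and method names (JwtInitializer, loginWithoutGate, loginWithGate, onZosmfRegistered, signToken) are hypothetical stand-ins. It assumes Java 17 or later. The ungated login signs with whatever secret is present and reproduces the null-key failure from the report; the gated login refuses with 503 until the initializer has decided whether the gateway key is needed, the LTPA mode loads the key eagerly, and the secret is (re)checked from a registration event instead of a one-minute poll.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.concurrent.CountDownLatch;
import java.util.concurrent.atomic.AtomicReference;

// Simplified, hypothetical model of the gateway's JWT initialisation and login path.
// Added for illustration only; none of this is the Zowe api-layer's own code.
public class JwtReadinessDemo {

    enum Mode { AUTO, LTPA }

    // Stand-in for JwtSecurityInitializer: owns the gateway JWT secret and a readiness
    // latch that the login path must consult before signing anything.
    static class JwtInitializer {
        private final AtomicReference<byte[]> jwtSecret = new AtomicReference<>();
        private final CountDownLatch ready = new CountDownLatch(1);
        private final Mode mode;

        JwtInitializer(Mode mode) {
            this.mode = mode;
            // LTPA mode: zOSMF will never issue JWTs, so the gateway key is needed
            // regardless of registration; load it immediately (option 3).
            if (mode == Mode.LTPA) {
                loadSecret();
                ready.countDown();
            }
        }

        // Invoked by a discovery registration listener (option 4) rather than a
        // one-minute poll. zosmfSupportsJwt would come from probing the zOSMF
        // authenticate endpoint once zOSMF is actually reachable through discovery.
        void onZosmfRegistered(boolean zosmfSupportsJwt) {
            if (mode == Mode.AUTO && !zosmfSupportsJwt) {
                loadSecret();
            }
            ready.countDown();
        }

        private void loadSecret() {
            // Constructed stand-in for reading the jwtKeyAlias entry from the keystore.
            jwtSecret.set("constructed-demo-secret".getBytes(StandardCharsets.UTF_8));
        }

        boolean isReady() { return ready.getCount() == 0; }

        byte[] secret() { return jwtSecret.get(); }
    }

    // Minimal stand-in for an HTTP response.
    record Response(int status, String body) {}

    // Buggy shape: routes to zOSMF as soon as discovery knows about it and, believing
    // zOSMF cannot issue JWTs, signs with a secret that may not be loaded yet.
    static Response loginWithoutGate(JwtInitializer init, boolean zosmfRegistered) {
        if (!zosmfRegistered) {
            return new Response(503, "Service Unavailable");
        }
        return new Response(200, signToken(init.secret())); // throws while secret is null
    }

    // Hardened shape (option 1): refuse with 503 until the initializer has finished
    // deciding whether the gateway key is needed, even if zOSMF is already registered.
    static Response loginWithGate(JwtInitializer init, boolean zosmfRegistered) {
        if (!zosmfRegistered || !init.isReady()) {
            return new Response(503, "Service Unavailable: authentication not initialised");
        }
        byte[] key = init.secret();
        if (key == null) {
            // AUTO mode with a JWT-capable zOSMF: no gateway key is needed, pass zOSMF's token through.
            return new Response(200, "zosmf-issued-token(constructed)");
        }
        return new Response(200, signToken(key));
    }

    // Stand-in for the JWT library's signing call, which rejects a null key the same way.
    static String signToken(byte[] key) {
        if (key == null) {
            throw new IllegalArgumentException("Key argument cannot be null");
        }
        return "gateway-jwt." + Base64.getEncoder().encodeToString(key);
    }

    public static void main(String[] args) {
        JwtInitializer init = new JwtInitializer(Mode.AUTO);
        boolean zosmfRegistered = true; // discovery already knows zOSMF; the gateway does not yet

        try {
            loginWithoutGate(init, zosmfRegistered);
        } catch (IllegalArgumentException e) {
            System.out.println("without gate: " + e.getMessage());
        }
        System.out.println("with gate:    " + loginWithGate(init, zosmfRegistered));

        // Registration event arrives and the probe reports that zOSMF does not support JWTs.
        init.onZosmfRegistered(false);
        System.out.println("after event:  " + loginWithGate(init, zosmfRegistered));
    }
}
```

Run it with `java JwtReadinessDemo.java`: the first call reproduces the Key argument cannot be null failure, the gated call returns 503 for the same state, and once the registration event has driven the initializer to completion the gated call returns a signed token. The readiness check is deliberately separate from the discovery registration check, because the report shows the two can be true at different times.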