apache / pulsar-client-node

Apache Pulsar NodeJS Client
https://pulsar.apache.org/
Apache License 2.0

Authenticating using a Token #99

Open sammoh94 opened 4 years ago

sammoh94 commented 4 years ago

Hi,

I am trying to use a token to create a producer but keep getting the following message:

```
INFO  ClientConnection:330 | [ -> ] Connected to broker
ERROR ClientConnection:388 | [ -> ] Handshake failed: certificate verify failed
INFO  ClientConnection:1349 | [ -> ] Connection closed
ERROR ClientImpl:182 | Error Checking/Getting Partition Metadata while creating producer on persistent://[topic] -- 5
```

When I try to connect locally using a token, it seems to work; however, when I am running it in production, I am seeing the above messages. Therefore, not sure how to replicate it locally.

Is there a way to use the token or do I have to use the certification / private key approach when initializing the client: `return new pulsar.Client({ ..., auth: { certificatePath: '', privateKeyPath: '' } })`?

sijie commented 4 years ago

How do you create the producer? Can you show us the code sample?

sammoh94 commented 4 years ago

Producer or client? I create the producer as follows:

```ts
this.producer = await client.createProducer({
  topic: generateTopicName(config.pulsar.tenant, config.pulsar.namespace),
  producerName: 'my_topic_name',
  sendTimeoutMs: 30000,
});
```

The client is created as follows:

```ts
  const toAny = (pulsar as unknown) as any;
  const auth = new toAny.AuthenticationToken({ token: config.pulsar.token });

  return new pulsar.Client({
    ...PULSAR_DEFAULT_OPTS,
    serviceUrl: `pulsar+ssl://${config.pulsar.hostname}:${config.pulsar.port}`,
    authentication: auth,
  });
}
```

In the default ops, I am just setting the operation timeout seconds field:

```ts
export const PULSAR_DEFAULT_OPTS = {
  operationTimeoutSeconds: 30,
};
```

sammoh94 commented 4 years ago

@sijie following up on this. Do you have any thoughts/ suggestions? Thanks!

sijie commented 4 years ago

@sammoh94 it looks like the token doesn't have permissions to access the topic. Have you verified that you are using the right token?

Sraleik commented 3 years ago

Any news on this? I have the exact same problem :(

Matt-Esch commented 2 years ago

Can confirm this is an issue, occurs when upgrading to pulsar > 2.6.0

izumo27 commented 2 years ago

@Matt-Esch What kind of environment did you use? Can you tell us the details of the issue?

Matt-Esch commented 2 years ago

I am attempting an upgrade to node 16 which means fast-forwarding the version of pulsar-client-node we are using from 1.2.0 to 1.4.1, which comes with the minimum pulsar version requirement of 2.8.0. We find that upgrading to pulsar-client-node@v1.4.1 with pulsar 2.8.0 causes this handshake fail issue. We also find that remaining on pulsar-client-node@v1.2.0 and upgrading past pulsar >= 2.7.0 also causes the same issue, so this is likely to be a change in the underlying pulsar client or some missing/additional configuration.

This is replicable in our CI environment running on ubuntu with docker.

We run a local pulsar node from an available pulsar image apachepulsar/pulsar. We were using 2.5.0 but upgraded to 2.8.1 just to double-check this wasn't a version incompatibility (not unreasonable to think the 2.8.1 client would not work entirely with a 2.5.0 broker).

We generate a self-signed cert using cfssl v1.6.1, and we're using RSA 2048.

We use a Makefile to generate a key secret and admin/user keys:

```makefile
PULSAR_DOCKER_IMAGE = "apachepulsar/pulsar:2.8.1"

PULSAR = docker run --rm -v "$(CURDIR)/conf:/pulsar/conf" -v "$(CURDIR)/auth:/pulsar/auth" $(PULSAR_DOCKER_IMAGE) bin/pulsar

tokens:
	$(PULSAR) tokens create-secret-key > auth/tokens/secret.key
	$(PULSAR) tokens create --secret-key file:///pulsar/auth/tokens/secret.key --subject admin > auth/tokens/admin-token
	$(PULSAR) tokens create --secret-key file:///pulsar/auth/tokens/secret.key --subject user > auth/tokens/user-token
```

Client config:

```
authParams=file:///pulsar/auth/admin-token
authPlugin=org.apache.pulsar.client.impl.auth.AuthenticationToken
brokerServiceUrl=pulsar://localhost:6650/
tlsAllowInsecureConnection=false
tlsEnableHostnameVerification=false
tlsTrustCertsFilePath=/pulsar/auth/pulsar-ca/certs/ca.cert.pem
webServiceUrl=http://localhost:8000/
```

(we have a hostname mismatch due to localhost aliases being used i.e. if foo.bar.baz -> localhost)

Our standalone pulsar configuration (generated broker settings with comments stripped):

```
zookeeperServers=
configurationStoreServers=
brokerServicePort=6650
webServicePort=8000
bindAddress=0.0.0.0
advertisedAddress=
numIOThreads=
numHttpServerThreads=
clusterName=standalone
failureDomainsEnabled=false
zooKeeperSessionTimeoutMillis=30000
zooKeeperOperationTimeoutSeconds=30
brokerShutdownTimeoutMs=60000
backlogQuotaCheckEnabled=true
backlogQuotaCheckIntervalInSeconds=60
backlogQuotaDefaultLimitGB=10
ttlDurationDefaultInSeconds=0
brokerDeleteInactiveTopicsEnabled=true
brokerDeleteInactiveTopicsFrequencySeconds=60
messageExpiryCheckIntervalInMinutes=5
activeConsumerFailoverDelayTimeMillis=1000
subscriptionExpirationTimeMinutes=0
subscriptionRedeliveryTrackerEnabled=true
subscriptionExpiryCheckIntervalInMinutes=5
brokerDeduplicationEnabled=false
brokerDeduplicationMaxNumberOfProducers=10000
brokerDeduplicationEntriesInterval=1000
brokerDeduplicationProducerInactivityTimeoutMinutes=360
defaultNumberOfNamespaceBundles=4
clientLibraryVersionCheckEnabled=false
statusFilePath=/usr/local/apache/htdocs
maxUnackedMessagesPerConsumer=50000
maxUnackedMessagesPerSubscription=200000
maxUnackedMessagesPerBroker=0
maxUnackedMessagesPerSubscriptionOnBrokerBlocked=0.16
topicPublisherThrottlingTickTimeMillis=2
brokerPublisherThrottlingTickTimeMillis=50
brokerPublisherThrottlingMaxMessageRate=0
brokerPublisherThrottlingMaxByteRate=0
dispatchThrottlingRatePerTopicInMsg=0
dispatchThrottlingRatePerTopicInByte=0
dispatchThrottlingRateRelativeToPublishRate=false
dispatchThrottlingOnNonBacklogConsumerEnabled=true
maxConcurrentLookupRequest=50000
maxConcurrentTopicLoadRequest=5000
maxConcurrentNonPersistentMessagePerConnection=1000
numWorkerThreadsForNonPersistentTopic=8
enablePersistentTopics=true
enableNonPersistentTopics=true
maxProducersPerTopic=0
maxConsumersPerTopic=0
maxConsumersPerSubscription=0
proxyRoles=
authenticateOriginalAuthData=false
authenticationEnabled=true
authenticationProviders=org.apache.pulsar.broker.authentication.AuthenticationProviderToken,org.apache.pulsar.broker.authentication.AuthenticationProviderTls
tokenSecretKey=file:///pulsar/auth/tokens/secret.key
authorizationEnabled=true
authorizationProvider=org.apache.pulsar.broker.authorization.PulsarAuthorizationProvider
authorizationAllowWildcardsMatching=false
superUserRoles=admin
brokerClientAuthenticationPlugin=org.apache.pulsar.client.impl.auth.AuthenticationToken
brokerClientAuthenticationParameters=file:///pulsar/auth/tokens/admin-token
athenzDomainNames=
anonymousUserRole=anonymous
tokenAuthClaim=
bookkeeperClientAuthenticationPlugin=
bookkeeperClientAuthenticationParametersName=
bookkeeperClientAuthenticationParameters=
bookkeeperClientTimeoutInSeconds=30
bookkeeperClientSpeculativeReadTimeoutInMillis=0
bookkeeperClientHealthCheckEnabled=true
bookkeeperClientHealthCheckIntervalSeconds=60
bookkeeperClientHealthCheckErrorThresholdPerInterval=5
bookkeeperClientHealthCheckQuarantineTimeInSeconds=1800
bookkeeperClientRackawarePolicyEnabled=true
bookkeeperClientRegionawarePolicyEnabled=false
bookkeeperClientReorderReadSequenceEnabled=false
bookkeeperClientIsolationGroups=
bookkeeperClientSecondaryIsolationGroups=
bookkeeperClientMinAvailableBookiesInIsolationGroups=
bookkeeperTLSProviderFactoryClass=org.apache.bookkeeper.tls.TLSContextFactory
bookkeeperTLSClientAuthentication=false
bookkeeperTLSKeyFileType=PEM
bookkeeperTLSTrustCertTypes=PEM
bookkeeperTLSKeyStorePasswordPath=
bookkeeperTLSTrustStorePasswordPath=
bookkeeperTLSKeyFilePath=
bookkeeperTLSCertificateFilePath=
bookkeeperTLSTrustCertsFilePath=
bookkeeperDiskWeightBasedPlacementEnabled=false
managedLedgerDefaultEnsembleSize=1
managedLedgerDefaultWriteQuorum=1
managedLedgerDefaultAckQuorum=1
managedLedgerDigestType=CRC32C
managedLedgerNumWorkerThreads=4
managedLedgerNumSchedulerThreads=4
managedLedgerCacheSizeMB=
managedLedgerCacheCopyEntries=false
managedLedgerCacheEvictionWatermark=0.9
managedLedgerCacheEvictionFrequency=100.0
managedLedgerCacheEvictionTimeThresholdMillis=1000
managedLedgerCursorBackloggedThreshold=1000
managedLedgerDefaultMarkDeleteRateLimit=0.1
managedLedgerMaxEntriesPerLedger=50000
managedLedgerMinLedgerRolloverTimeMinutes=10
managedLedgerMaxLedgerRolloverTimeMinutes=240
managedLedgerCursorMaxEntriesPerLedger=50000
managedLedgerCursorRolloverTimeInSeconds=14400
managedLedgerMaxUnackedRangesToPersist=10000
managedLedgerMaxUnackedRangesToPersistInZooKeeper=1000
autoSkipNonRecoverableData=false
managedLedgerMetadataOperationsTimeoutSeconds=60
managedLedgerReadEntryTimeoutSeconds=0
managedLedgerAddEntryTimeoutSeconds=0
managedLedgerUnackedRangesOpenCacheSetEnabled=true
loadManagerClassName=org.apache.pulsar.broker.loadbalance.NoopLoadManager
loadBalancerEnabled=false
loadBalancerReportUpdateThresholdPercentage=10
loadBalancerReportUpdateMaxIntervalMinutes=15
loadBalancerHostUsageCheckIntervalMinutes=1
loadBalancerSheddingIntervalMinutes=1
loadBalancerSheddingGracePeriodMinutes=30
loadBalancerBrokerMaxTopics=50000
loadBalancerResourceQuotaUpdateIntervalMinutes=15
loadBalancerAutoBundleSplitEnabled=true
loadBalancerAutoUnloadSplitBundlesEnabled=true
loadBalancerNamespaceBundleMaxTopics=1000
loadBalancerNamespaceBundleMaxSessions=1000
loadBalancerNamespaceBundleMaxMsgRate=30000
loadBalancerNamespaceBundleMaxBandwidthMbytes=100
loadBalancerNamespaceMaximumBundles=128
replicationMetricsEnabled=true
replicationConnectionsPerBroker=16
replicationProducerQueueSize=1000
defaultRetentionTimeInMinutes=0
defaultRetentionSizeInMB=0
keepAliveIntervalSeconds=30
webSocketServiceEnabled=true
webSocketNumIoThreads=8
webSocketConnectionsPerBroker=8
webSocketSessionIdleTimeoutMillis=300000
exposeTopicLevelMetricsInPrometheus=true
exposePublisherStats=true
globalZookeeperServers=
brokerServicePurgeInactiveFrequencyInSeconds=60
ledgerStorageClass=org.apache.bookkeeper.bookie.storage.ldb.DbLedgerStorage
dbStorage_writeCacheMaxSizeMb=
dbStorage_readAheadCacheMaxSizeMb=
dbStorage_readAheadCacheBatchSize=1000
flushInterval=60000
dbStorage_rocksDB_blockCacheSize=
dbStorage_rocksDB_writeBufferSizeMB=4
dbStorage_rocksDB_sstSizeInMB=4
dbStorage_rocksDB_blockSize=4096
dbStorage_rocksDB_bloomFilterBitsPerKey=10
dbStorage_rocksDB_numLevels=-1
dbStorage_rocksDB_numFilesInLevel0=4
dbStorage_rocksDB_maxSizeInLevel1MB=256
journalMaxGroupWaitMSec=1
journalSyncData=false
diskUsageThreshold=0.99
diskUsageWarnThreshold=0.99
allowLoopback=true
gcWaitTime=300000
allowAutoTopicCreation=true
allowAutoTopicCreationType=non-partitioned
defaultNumPartitions=1
transactionMetadataStoreProviderClassName=org.apache.pulsar.transaction.coordinator.impl.InMemTransactionMetadataStore
tlsCertificateFilePath=/pulsar/auth/pulsar-ca/broker.cert.pem
tlsKeyFilePath=/pulsar/auth/pulsar-ca/broker.key-pk8.pem
```

Sraleik commented 2 years ago

It is now working for me with this setup:

node version: 16.13.0
pulsar-client-node: 1.5.0
apache-pulsar-client(library C++): 2.9.1

with apache-pulsar-client: 2.8.0 it was not working

Matt-Esch commented 2 years ago

Trying with v2.9.1 as per @Sraleik's suggestion:

```
[2021-12-24T13:39:43.164Z] 2021-12-24 13:39:42.898 INFO  [139633915127552] ClientImpl:491 | Closing Pulsar client with 0 producers and 0 consumers
[2021-12-24T13:39:43.164Z] 2021-12-24 13:39:42.898 INFO  [139633681757952] ClientConnection:181 | [<none> -> pulsar+ssl://localhost:6651] Create ClientConnection, timeout=10000
[2021-12-24T13:39:43.164Z] 2021-12-24 13:39:42.898 INFO  [139633681757952] ConnectionPool:96 | Created connection for pulsar+ssl://localhost:6651
[2021-12-24T13:39:43.164Z] 2021-12-24 13:39:42.898 INFO  [139633915127552] ClientConnection:1535 | [<none> -> pulsar+ssl://localhost:6651] Connection closed
[2021-12-24T13:39:43.164Z] Segmentation fault (core dumped)
[2021-12-24T13:39:43.164Z] Exited with code: 139.
[2021-12-24T13:39:43.164Z] Error executing child process: Error: Process exited with code 139.
```

Matt-Esch commented 2 years ago

Segfault issue tracked here: https://github.com/apache/pulsar-client-node/issues/191
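
The handshake error quoted in this thread is raised while the TLS session is being set up, before the client sends its token, so the trust settings and the token contents can be checked separately. The following is an added example (not code from the thread or from pulsar-client-node) that does both before a client is constructed; the helper names are hypothetical, the sample token is constructed, and it assumes a broker certificate issued by a private CA as in the self-signed setup described above.

```javascript
// Added example. describeToken, buildClientOptions and sampleToken are hypothetical helpers;
// the tls* keys are pulsar-client-node client options.

// Decode (not verify) the JWT payload; the broker checks the signature.
function describeToken(rawToken) {
  const token = rawToken.trim(); // `tokens create ... > file` leaves a trailing newline
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('token is not a three-part JWT');
  const claims = JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
  const expires = claims.exp ? new Date(claims.exp * 1000) : null;
  return { token, subject: claims.sub, expires };
}

// Assumption: the broker certificate chains to a private CA, so a CA path is mandatory.
function buildClientOptions({ serviceUrl, rawToken, caPath, validateHostname = true }) {
  const { token, subject, expires } = describeToken(rawToken);
  if (expires && expires < new Date()) throw new Error(`token for "${subject}" has expired`);
  const opts = { serviceUrl, operationTimeoutSeconds: 30 };
  const warnings = [];
  if (serviceUrl.startsWith('pulsar+ssl://')) {
    if (!caPath) throw new Error('pulsar+ssl:// needs tlsTrustCertsFilePath for a private CA');
    opts.tlsTrustCertsFilePath = caPath;
    opts.tlsValidateHostname = validateHostname;
    opts.tlsAllowInsecureConnection = false; // never trade verification for a working handshake
    if (!validateHostname) warnings.push('hostname verification is off');
  } else if (serviceUrl.startsWith('pulsar://')) {
    warnings.push('token is sent unencrypted over pulsar://');
  } else {
    throw new Error(`this example only handles pulsar:// and pulsar+ssl://, got ${serviceUrl}`);
  }
  return { opts, token, subject, warnings };
}

// Constructed sample token (placeholder signature, not a usable credential).
function sampleToken(sub) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  return `${enc({ alg: 'HS256', typ: 'JWT' })}.${enc({ sub })}.constructed-signature\n`;
}

const result = buildClientOptions({
  serviceUrl: 'pulsar+ssl://localhost:6651',
  rawToken: sampleToken('admin'),
  caPath: '/pulsar/auth/pulsar-ca/certs/ca.cert.pem',
  validateHostname: false, // the thread's setup uses localhost aliases
});
console.log(result.subject, result.opts, result.warnings);
// With pulsar-client installed:
//   new Pulsar.Client({ ...result.opts,
//     authentication: new Pulsar.AuthenticationToken({ token: result.token }) });
```

The decoded subject is the role the broker will authorize, so it is the value to compare against topic permissions once the TLS handshake itself succeeds.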