kafka-ops / julie

A solution to help you build automation and gitops in your Apache Kafka deployments. The Kafka gitops!
MIT License

julieops overloading the ldap server via mds #568

Open vishghelani opened 1 year ago

vishghelani commented 1 year ago

Describe the bug

I've noticed that for each POST request being made to the MDS service via MDSApiClient, the MDS service is making an LDAP query for the configured mds user. Every now and again the login fails for the user, returning a 401. This results in some objects not being applied and thus a mismatch in the desired state vs actual.

Small portion of the metadata service log:

[2023-04-24 11:16:54,430] DEBUG Login succeeded for user1 (io.confluent.rbacapi.login.MdsLoginService)
[2023-04-24 11:16:54,539] DEBUG Login succeeded for user1 (io.confluent.rbacapi.login.MdsLoginService)
[2023-04-24 11:16:54,647] DEBUG Login succeeded for user1 (io.confluent.rbacapi.login.MdsLoginService)
[2023-04-24 11:16:54,751] DEBUG Login succeeded for user1 (io.confluent.rbacapi.login.MdsLoginService)
[2023-04-24 11:16:54,868] DEBUG Login succeeded for user1 (io.confluent.rbacapi.login.MdsLoginService)
[2023-04-24 11:16:54,976] DEBUG Login succeeded for user1 (io.confluent.rbacapi.login.MdsLoginService)
[2023-04-24 11:16:55,083] DEBUG Login succeeded for user1 (io.confluent.rbacapi.login.MdsLoginService)
[2023-04-24 11:16:55,172] DEBUG Login failed for user1 (io.confluent.rbacapi.login.MdsLoginService)
[2023-04-24 11:16:55,285] DEBUG Login succeeded for user1 (io.confluent.rbacapi.login.MdsLoginService)
[2023-04-24 11:16:55,397] DEBUG Login succeeded for user1 (io.confluent.rbacapi.login.MdsLoginService)
[2023-04-24 11:16:55,506] DEBUG Login succeeded for user1 (io.confluent.rbacapi.login.MdsLoginService)
[2023-04-24 11:16:55,615] DEBUG Login succeeded for user1 (io.confluent.rbacapi.login.MdsLoginService)
[2023-04-24 11:16:55,727] DEBUG Login succeeded for user1 (io.confluent.rbacapi.login.MdsLoginService)
[2023-04-24 11:16:55,818] DEBUG Login succeeded for user1 (io.confluent.rbacapi.login.MdsLoginService)
[2023-04-24 11:16:55,924] DEBUG Login succeeded for user1 (io.confluent.rbacapi.login.MdsLoginService)
[2023-04-24 11:16:56,036] DEBUG Login succeeded for user1 (io.confluent.rbacapi.login.MdsLoginService)
[2023-04-24 11:16:56,148] DEBUG Login succeeded for user1 (io.confluent.rbacapi.login.MdsLoginService)

To Reproduce

Steps to reproduce the behavior:

  1. Enable debugging on metadata service logs (In /etc/kafka/log4j.properties):

     Set to DEBUG to see user login (MdsLoginService):
     log4j.logger.io.confluent.rbacapi=DEBUG, metadataServiceAppender
     log4j.additivity.io.confluent.rbacapi=false

  2. Carry out a Julie plan/apply

  3. Observe multiple logins carried out by mds service back to ldap

Expected behavior

Unfortunately I'm not a Java dev so I may be misinterpreting the code, but it looks like Julie is sending the basic auth (username and password) as the authorization token for each POST request (in the MDSApiClient) rather than the bearer token obtained via the authenticate() method.

Runtime (please complete the following information):
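One way to quantify the behaviour reported above from the metadata service log, as an added example that is not part of the original issue or of Julie's code: it parses MdsLoginService DEBUG lines and reports, per user, the login count, the failures, and the peak number of logins inside a sliding one-second window. The sample log, the user names, the function names and the burst threshold are constructed assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample in the format of the MDS log excerpt in the issue (not real data).
SAMPLE_LOG = """\
[2023-04-24 10:00:00,000] DEBUG Login succeeded for svc-julie (io.confluent.rbacapi.login.MdsLoginService)
[2023-04-24 10:00:00,110] DEBUG Login succeeded for svc-julie (io.confluent.rbacapi.login.MdsLoginService)
[2023-04-24 10:00:00,220] DEBUG Login succeeded for svc-julie (io.confluent.rbacapi.login.MdsLoginService)
[2023-04-24 10:00:00,330] DEBUG Login failed for svc-julie (io.confluent.rbacapi.login.MdsLoginService)
[2023-04-24 10:00:00,440] DEBUG Login succeeded for svc-julie (io.confluent.rbacapi.login.MdsLoginService)
[2023-04-24 10:00:00,550] DEBUG Login succeeded for svc-julie (io.confluent.rbacapi.login.MdsLoginService)
[2023-04-24 10:00:01,000] INFO Unrelated constructed line (example.Other)
[2023-04-24 10:00:05,000] DEBUG Login succeeded for alice (io.confluent.rbacapi.login.MdsLoginService)
"""

LINE_RE = re.compile(
    r"^\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3})\] \w+ "
    r"Login (?P<result>succeeded|failed) for (?P<user>\S+) "
    r"\(io\.confluent\.rbacapi\.login\.MdsLoginService\)"
)

def parse_logins(text):
    """Yield (timestamp, user, succeeded) for each MdsLoginService login line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S,%f")
            yield ts, m["user"], m["result"] == "succeeded"

def summarize(text, window=timedelta(seconds=1), burst_threshold=5):
    """Per user: logins, failures and peak logins inside any sliding window."""
    events, failures = defaultdict(list), Counter()
    for ts, user, ok in parse_logins(text):
        events[user].append(ts)
        failures[user] += int(not ok)
    report = {}
    for user, stamps in events.items():
        stamps.sort()
        peak = start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] >= window:  # drop events older than the window
                start += 1
            peak = max(peak, end - start + 1)
        report[user] = {"logins": len(stamps), "failed": failures[user],
                        "peak_per_window": peak, "burst": peak >= burst_threshold}
    return report
```

Running `summarize()` over the log from a plan/apply before and after a client change shows whether the per-request logins, and the intermittent failures among them, have gone away.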