Closed Ranganath9979 closed 3 years ago
Hi, above is my config yml file. I'm trying to set up LDAP config and getting an error, can you please help?
Missing JWT configuration: https://github.com/tchiotludo/akhq#jwt, or use the new dev image that provides a default one.
Hi, I thought to set basic auth with my ID but am still unable to. Is my config right? What am I missing here?
Still missing the JWT token, like that:

```yaml
micronaut:
  security:
    enabled: true
    token:
      jwt:
        signatures:
          secret:
            generator:
              secret: <Your secret here>
```
Ok, I'm not sure about JWT. Do we need to generate tokens?
You need to create a secret (or use the default one on the dev image) in order to encode the session cookie (stored as a JWT token). Without that, the login can't work.
I'm trying to set up LDAP config. The UI is coming up but I'm unable to login with my ID. Could you please advise?
Can you enable debug with that:

```shell
curl -i -X POST -H "Content-Type: application/json" \
  -d '{ "configuredLevel": "TRACE" }' \
  http://localhost:8080/loggers/io.micronaut.configuration.security
```
Also remove secret from your post please 😅
I deleted it, thanks. When I run the above I'm getting 200 OK but am still unable to login:

```
HTTP/1.1 200 OK
Date: Tue, 24 Nov 2020 06:27:38 GMT
connection: keep-alive
transfer-encoding: chunked
```
It will only enable a verbose log for LDAP. Now look at the log of akhq to have some insight.

```
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at java.base/sun.security.provider.certpath.SunCertPathBuilder.build(Unknown Source)
	at java.base/sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown Source)
	at java.base/java.security.cert.CertPathBuilder.build(Unknown Source)
	... 186 common frames omitted
```
You are using ldaps? If yes, you need to add the certificate like here: https://github.com/tchiotludo/akhq/issues/226#issuecomment-589811445

```shell
java -Djavax.net.ssl.keyStore=MyKeystoreFile \
     -Djavax.net.ssl.keyStorePassword=mysecret \
```
Hi, I need to add the above in a script?
I mean in the application.yml file, right?
No, in the launch script, depending on whether you are using docker or jar, but please provide more information if you want help...
I was trying to set up LDAP config. The UI is coming up but I'm unable to login with my ID, and in the logs I'm getting this error:

```
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at java.base/sun.security.provider.certpath.SunCertPathBuilder.build(Unknown Source)
	at java.base/sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown Source)
	at java.base/java.security.cert.CertPathBuilder.build(Unknown Source)
	... 186 common frames omitted
```

You referred me to the above link where I need to add the certificate; could you help with this?
Currently I'm using docker, but I need to update the cookbook script later. I think I need to use the jar file? That is later though; thinking to finish with this first.
So if you are using docker, you need to use the `JAVA_OPTS` env var with value `-Djavax.net.ssl.keyStore=MyKeystoreFile -Djavax.net.ssl.keyStorePassword=mySecret` and mount the SSL keystore in your docker image, changing `MyKeystoreFile` and `mySecret` with your values.
Hi, after adding JAVA_OPTS `-Djavax.net.ssl.keyStore=MyKeystoreFile -Djavax.net.ssl.keyStorePassword=mySecret` it is not starting. What went wrong now? It was running before; after adding these options docker is not turning on. Could you please help?
You should replace the My...
Also please provide a true report, "this is not working" is not a report :sob:
Please provide :
Hi

```
2020-12-08 15:59:53,239 DEBUG pGroup-1-5 LdapAuthenticationProvider Starting authentication with configuration [default]
2020-12-08 15:59:53,239 DEBUG pGroup-1-5 LdapAuthenticationProvider Attempting to initialize manager context
2020-12-08 15:59:53,243 DEBUG pGroup-1-5 LdapAuthenticationProvider Manager context initialized successfully
2020-12-08 15:59:53,243 DEBUG pGroup-1-5 LdapAuthenticationProvider Attempting to authenticate with user [a1509893]
2020-12-08 15:59:53,248 DEBUG pGroup-1-5 LdapAuthenticationProvider User found in context [CN=Chandrashekarappa\, Ranganatha 1509893,OU=Default,OU=Users,OU=Best Buy,OU=Users and Groups,DC=na,DC=bestbuy,DC=com]. Attempting to bind.
2020-12-08 15:59:53,604 DEBUG pGroup-1-5 LdapAuthenticationProvider Successfully bound user [CN=Chandrashekarappa\, Ranganatha 1509893,OU=Default,OU=Users,OU=Best Buy,OU=Users and Groups,DC=na,DC=bestbuy,DC=com]. Attempting to retrieving groups.
2020-12-08 15:59:53,970 DEBUG pGroup-1-5 .DefaultLdapGroupProcessor No groups found!
2020-12-08 15:59:53,971 DEBUG pGroup-1-5 .DefaultLdapGroupProcessor Attempting to add any additional groups...
2020-12-08 15:59:53,971 DEBUG pGroup-1-5 LdapAuthenticationProvider Group search returned [[]] for user [a1509893]
2020-12-08 15:59:53,971 TRACE pGroup-1-5 LdapAuthenticationProvider Attempting to map [a1509893] with groups [[]] to an authentication response.
2020-12-08 15:59:53,971 DEBUG pGroup-1-5 LdapAuthenticationProvider Response successfully created for [a1509893]. Response is authenticated: [true]
2020-12-08 15:59:53,973 INFO pGroup-1-5 org.akhq.log.access [Date: 2020-12-08T15:59:53.23656Z] [Duration: 736 ms] [Url: POST /login] [Status: 303] [Ip: 0] [User: 172.23.32.202]
```

I'm getting this error. What changes do I have to make?
Do you want to see my .yml file?
It seems to be your groups.base that doesn't match any group for your users. I don't have a lot of experience with LDAP, and all the configuration that you can provide is here: https://micronaut-projects.github.io/micronaut-security/latest/guide/#ldap
Maybe you could find other people that have successfully used your LDAP, since it's always the same config for all tools.
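The log above is the symptom to watch for: the bind succeeds, the group search returns `[[]]`, and the response is still `authenticated: [true]`, so the user ends up with whatever `akhq.security.default-group` grants. The following added example (not part of the thread or of AKHQ) scans Micronaut LDAP debug output in that format and lists logins that succeeded with an empty group search; the sample lines are constructed with placeholder users and DNs.

```python
"""Scan Micronaut LDAP debug output (the format shown above) for logins that succeeded
although the group search came back empty. Added example, not AKHQ's code; the sample
lines use constructed placeholder users and DNs."""
import re

# "<date> <time> LEVEL thread logger message"
LOG_LINE = re.compile(r"^(?P<ts>\S+ \S+) (?P<level>[A-Z]+) (?P<thread>\S+) (?P<logger>\S+) (?P<msg>.*)$")
GROUP_SEARCH = re.compile(r"Group search returned \[\[(?P<groups>[^\]]*)\]\] for user \[(?P<user>[^\]]+)\]")
AUTH_RESULT = re.compile(
    r"Response successfully created for \[(?P<user>[^\]]+)\]\. Response is authenticated: \[(?P<ok>true|false)\]"
)


def find_groupless_logins(lines):
    """Return (user, timestamp) for every authenticated user whose LDAP group search was empty."""
    has_groups = {}  # user -> whether the last group search for that user found anything
    findings = []
    for raw in lines:
        m = LOG_LINE.match(raw)
        if not m:
            continue
        msg = m.group("msg")
        search = GROUP_SEARCH.search(msg)
        if search:
            has_groups[search.group("user")] = bool(search.group("groups").strip())
            continue
        result = AUTH_RESULT.search(msg)
        # A user with no recorded group search is treated as groupless, not silently skipped
        if result and result.group("ok") == "true" and not has_groups.get(result.group("user"), False):
            findings.append((result.group("user"), m.group("ts")))
    return findings


# Constructed sample: one user with no groups, one resolved to a group
SAMPLE_LOG = [
    "2020-12-08 15:59:53,248 DEBUG pGroup-1-5 LdapAuthenticationProvider User found in context [CN=Example User,OU=Users,DC=example,DC=internal]. Attempting to bind.",
    "2020-12-08 15:59:53,970 DEBUG pGroup-1-5 .DefaultLdapGroupProcessor No groups found!",
    "2020-12-08 15:59:53,971 DEBUG pGroup-1-5 LdapAuthenticationProvider Group search returned [[]] for user [u12345]",
    "2020-12-08 15:59:53,971 DEBUG pGroup-1-5 LdapAuthenticationProvider Response successfully created for [u12345]. Response is authenticated: [true]",
    "2020-12-08 16:02:11,104 DEBUG pGroup-1-6 LdapAuthenticationProvider Group search returned [[CN=KAFKA-ADMINS,OU=Groups,DC=example,DC=internal]] for user [u67890]",
    "2020-12-08 16:02:11,105 DEBUG pGroup-1-6 LdapAuthenticationProvider Response successfully created for [u67890]. Response is authenticated: [true]",
]

if __name__ == "__main__":
    for user, ts in find_groupless_logins(SAMPLE_LOG):
        print(f"{ts}: {user} authenticated with no LDAP groups (falls back to default-group)")
```

Run against a real AKHQ log after enabling TRACE on `io.micronaut.configuration.security` as shown earlier; a non-empty result means either the `groups.base`/`filter` does not match the directory layout, or the user really belongs to no mapped group and is relying on `default-group`.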
Hi, my issue with LDAP is resolved... Now, even without login, others in the group are able to open the UI and can make changes and even delete topics. What changes do I have to make?
The UI should respond only through login; what do I have to do?
🎉 https://github.com/tchiotludo/akhq#security :

```yaml
akhq:
  security:
    default-group: no-roles
```
It worked, thanks for now...
We are setting up with a test cluster; it may need SSL there. Is it ok to check if anything is required?
sorry didn't understand
Hi, I'm trying to disable the option of creating/deleting topics from the AKHQ UI. Could someone please help with it?
I fixed it, thank you.
I was trying to set up standalone. What is the startup script that can be used to start with application.yml when we are using LDAP config? Is it the same `java -Dmicronaut.config.files=/path/to/application.yml -jar akhq.jar`?
```shell
sudo docker run -d \
  --env "JAVA_OPTS=-Djavax.net.ssl.trustStore=/app/truststore.jks -Djavax.net.ssl.trustStorePassword=xxxxxxx" \
  -p 8080:8080 \
  -v /tmp/application.yml:/app/application.yml \
  -v /tmp/trust.jks:/app/truststore.jks \
  456de460c95
```

This is what I'm using to start from docker; I need help with standalone.
```shell
java -Djavax.net.ssl.trustStore=/app/truststore.jks \
     -Djavax.net.ssl.trustStorePassword=xxxxxxx \
     -Dmicronaut.config.files=/path/to/application.yml \
     -jar akhq.jar
```

must do the trick.
🎉 https://github.com/tchiotludo/akhq#security :

```yaml
akhq:
  security:
    default-group: no-roles
```
Hi, my issue was fixed and I was able to login earlier; all of a sudden I'm not able to login. What shall I check? Below is my yml file:

```yaml
akhq:
  security:
    default-group: no-roles # Default groups for all the user even unlogged user
    # Groups definition
    groups:
      admin: # Group name
        roles: # roles for the group
          - topic/read
          - node/read
          - topic/data/read
          - group/read
          - group/offsets/update
          - registry/read
          - registry/version/delete
```
@Ranganath9979: use the dev image; we changed the format of the configuration in the last release and it was a wrong idea. So we reverted on the dev one.
Will try, thanks.
```yaml
micronaut:
  security:
    enabled: true
    # Ldap authentication configuration
    ldap:
      default:
        enabled: true
        context:
          server: 'lXXXXXXXXXXXXXXXXXXXXXX'
          managerDn: 'cn=BBY-S-KAFKAHQ-DEV,OU=System,OU=Best Buy,OU=Users and Groups,DC=na,DC=bestbuy,DC=com'
          managerPassword: 'XXXXXXXXXXXXXXX'
        search:
          enabled: true
          base: "OU=Best Buy,OU=Users and Groups,DC=na,DC=bestbuy,DC=com"
          filter: "sAMAccountName={0}"
        groups:
          enabled: true
          subtree: true
          base: "OU=Groups,OU=Best Buy,OU=Users and Groups,DC=na,DC=bestbuy,DC=com"
          filter: "member={0}"
akhq:
  security:
    default-group: no-roles # Default groups for all the user even unlogged user
    # Groups definition
    groups:
      admin: # Group name
        roles: # roles for the group
          - topic/read
          - node/read
          - topic/data/
          - group/read
          - group/offsets/update
          - registry/read
          - registry/version/
    ldap:
      group:
        BBY-U-ENT-KAFKA:
          groups:
            - admin
  server:
    access-log: # Access log configuration (optional)
      enabled: true # true by default
      name: org.akhq.log.access # Logger name
      format: "[Date: {}] [Duration: {} ms] [Url: {} {}] [Status: {}] [Ip: {}] [User: {}]" # Logger format
  # default kafka properties for each clients, available for admin / producer / consumer (optional)
  clients-defaults:
    consumer:
      properties:
        isolation.level: read_committed
  # list of kafka cluster available for akhq
  connections:
    my-cluster-plain-text: # url friendly name for the cluster (letter, number, _, -, ... dot are not allowed here)
      properties: # standard kafka properties (optional)
        bootstrap.servers: "XXXXXXXXXXXXX:9092"
      schema-registry:
        url: "XXXXXXXXXXXX:8081"
  pagination:
    page-size: 25 # number of elements per page (default : 25)
    threads: 16 # Number of parallel threads to resolve page
  # Topic list display options (optional)
  topic:
    retention: 172800000 # default retention period when creating topic
    partition: 3 # default number of partition when creating topic
    replication: 3 # default number of replicas when creating topic
    default-view: ALL # default list view (ALL, HIDE_INTERNAL, HIDE_INTERNAL_STREAM, HIDE_STREAM)
    internal-regexps: # list of regexp to be considered as internal (internal topic can't be deleted or updated)
      - "^_.*$"
      - "^.*_schemas$"
      - "^.*connect-config$"
      - "^.*connect-offsets$1"
      - "^.*connect-status$"
    stream-regexps: # list of regexp to be considered as internal stream topic
      - "^.*-changelog$"
      - "^.*-repartition$"
      - "^.*-rekey$"
    skip-consumer-groups: false # Skip loading consumer group information when showing topics
  # Topic display data options (optional)
  topic-data:
    sort: # default sort order (OLDEST, NEWEST) (default: OLDEST)
    size: 50 # max record per page (default: 50)
    poll-timeout: 1000 # The time, in milliseconds, spent waiting in poll if data is not available in the buffer.
  # Auth & Roles (optional)
  # Ldap Groups configuration (when using ldap)
```

Hey, this is my old application.yml I was using; it was working fine. Now I'm unable to login. As per your instructions I used the latest dev image, still no luck. Could you please help me with the right indentations?
I've released a new version yesterday, no need for the dev image now.
You mean I can directly use the application.yml file and configure it?
Just make a try with the latest version to be sure of the version that you are using.
Still unable to login. Getting the below error for the above .yml file:

```
java.lang.NullPointerException
	at io.micronaut.web.router.resource.ReactStaticResourceResolver.resolve(ReactStaticResourceResolver.java:34)
	at io.micronaut.http.server.netty.RoutingInBoundHandler.matchFile(RoutingInBoundHandler.java:630)
	at io.micronaut.http.server.netty.RoutingInBoundHandler.channelRead0(RoutingInBoundHandler.java:557)
	at io.micronaut.http.server.netty.RoutingInBoundHandler.channelRead0(RoutingInBoundHandler.java:140)
	at io.netty.channel.SimpleChannelInboundHandler.channelRead(SimpleChannelInboundHandler.java:99)
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379)
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365)
	at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:357)
	at io.netty.channel.SimpleChannelInboundHandler.channelRead(SimpleChannelInboundHandler.java:102)
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379)
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365)
	at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:357)
	at io.netty.handler.codec.MessageToMessageDecoder.channelRead(MessageToMessageDecoder.java:102)
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379)
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365)
	at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:357)
	at io.micronaut.http.netty.stream.HttpStreamsHandler.channelRead(HttpStreamsHandler.java:196)
	at io.micronaut.http.netty.stream.HttpStreamsServerHandler.channelRead(HttpStreamsServerHandler.java:121)
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379)
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365)
	at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:357)
	at io.netty.handler.codec.MessageToMessageDecoder.channelRead(MessageToMessageDecoder.java:102)
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379)
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365)
	at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:357)
	at io.netty.handler.codec.MessageToMessageDecoder.channelRead(MessageToMessageDecoder.java:102)
	at io.netty.handler.codec.MessageToMessageCodec.channelRead(MessageToMessageCodec.java:111)
```

Hi

```
2021-02-18 21:29:09,363 ERROR pGroup-1-2 .s.n.RoutingInBoundHandler Unexpected error occurred: Couldn't find any clusters on your configuration file, please ensure that the configuration file is loaded correctly
```

I'm getting the above error when I'm starting. I tried with the 0.17 version as well, no luck. Could you please help? I'm posting my yml file as well:
```yaml
micronaut:
  security:
    enabled: true
    # Ldap authentication configuration
    ldap:
      default:
        enabled: true
        context:
          server: 'ldaps://adldap.na.bestbuy.com:636'
          managerDn: 'cn=BBY-S-KAFKAHQ-DEV,OU=System,OU=Best Buy,OU=Users and Groups,DC=na,DC=bestbuy,DC=com'
          managerPassword: ''
        search:
          enabled: true
          base: "OU=Best Buy,OU=Users and Groups,DC=na,DC=bestbuy,DC=com"
          filter: "sAMAccountName={0}"
        groups:
          enabled: true
          subtree: true
          base: "OU=Groups,OU=Best Buy,OU=Users and Groups,DC=na,DC=bestbuy,DC=com"
          filter: "member={0}"
server:
  context-path: "/akhq" # if behind a reverse proxy, path to akhq without trailing slash (optional). Example: akhq is
                        # behind a reverse proxy with url http://my-server/akhq, set base-path: "/akhq".
                        # Not needed if you're behind a reverse proxy with subdomain http://akhq.my-server/
  access-log: # Access log configuration (optional)
    enabled: true # true by default
    name: org.akhq.log.access # Logger name
    format: "[Date: {}] [Duration: {} ms] [Url: {} {}] [Status: {}] [Ip: {}] [User: {}]" # Logger format
# default kafka properties for each clients, available for admin / producer / consumer (optional)
clients-defaults:
  consumer:
    properties:
      isolation.level: read_committed
# list of kafka cluster available for akhq
connections:
  my-cluster-plain-text: # url friendly name for the cluster (letter, number, _, -, ... dot are not allowed here)
    properties: # standard kafka properties (optional)
      bootstrap.servers: "dtl01s8jmq01c.na.bestbuy.com:9092"
    schema-registry:
      url: "http://dtl01s8jmq01c.na.bestbuy.com:8081"
pagination:
  page-size: 25 # number of elements per page (default : 25)
  threads: 16 # Number of parallel threads to resolve page
# Topic list display options (optional)
topic:
  retention: 172800000 # default retention period when creating topic
  partition: 3 # default number of partition when creating topic
  replication: 3 # default number of replicas when creating topic
  default-view: ALL # default list view (ALL, HIDE_INTERNAL, HIDE_INTERNAL_STREAM, HIDE_STREAM)
  internal-regexps: # list of regexp to be considered as internal (internal topic can't be deleted or updated)
    - "^_.*$"
    - "^.*_schemas$"
    - "^.*connect-config$"
    - "^.*connect-offsets$1"
    - "^.*connect-status$"
  stream-regexps: # list of regexp to be considered as internal stream topic
    - "^.*-changelog$"
    - "^.*-repartition$"
    - "^.*-rekey$"
  skip-consumer-groups: false # Skip loading consumer group information when showing topics
# Topic display data options (optional)
topic-data:
  sort: # default sort order (OLDEST, NEWEST) (default: OLDEST)
  size: 50 # max record per page (default: 50)
  poll-timeout: 1000 # The time, in milliseconds, spent waiting in poll if data is not available in the buffer.
# Auth & Roles (optional)
akhq:
  security:
    default-group: no-roles # Default groups for all the user even unlogged user
    # Groups definition
    groups:
      admin: # Group name
        roles: # roles for the group
          - topic/read
          - node/read
          - topic/data/read
          - group/read
          - group/offsets/update
          - registry/read
          - registry/version/delete
    ldap:
      group:
        BBY-U-ENT-KAFKA:
          groups:
            - admin
```

Debugging the LDAP connection can be done with
and also please format the yaml with triple `
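The three faults this thread works through are all visible in the YAML itself: a missing JWT generator secret (login cannot work), AKHQ sections such as `connections:` sitting at top level instead of under `akhq:` (which produces "Couldn't find any clusters"), and a `default-group` other than `no-roles` (unauthenticated users get that group's roles). The following added lint script, which is not AKHQ's own code, checks a config for all three; it carries a small hand-written YAML subset parser so it needs only the standard library, and the two sample configs are constructed to mirror the broken and corrected layouts above. Note the parser's `server:` check reflects the thread's layout; whether `server` is an AKHQ-level or Micronaut-level key depends on the AKHQ version, so treat that entry as an assumption.

```python
"""Lint an AKHQ application.yml for the three faults in this thread. Added example, not
AKHQ's code; the YAML parser is a small subset (nested mappings, scalar lists, '#' comments)."""

def _scalar(text):
    text = text.strip()
    if len(text) >= 2 and text[0] == text[-1] and text[0] in "\"'":
        return text[1:-1]  # quoted string
    return text == "true" if text in ("true", "false") else text

def _block(lines, i, indent):
    # Parse the run of lines at `indent` from index i; lists must be indented under their key.
    if lines[i][1].startswith("- "):
        items = []
        while i < len(lines) and lines[i][0] == indent and lines[i][1].startswith("- "):
            items.append(_scalar(lines[i][1][2:]))
            i += 1
        return items, i
    mapping = {}
    while i < len(lines) and lines[i][0] == indent:
        key, _, rest = lines[i][1].partition(":")
        i += 1
        if rest.strip():
            mapping[key.strip()] = _scalar(rest)
        elif i < len(lines) and lines[i][0] > indent:
            mapping[key.strip()], i = _block(lines, i, lines[i][0])
        else:
            mapping[key.strip()] = None  # 'key:' with nothing below it
        if i < len(lines) and lines[i][0] > indent:
            raise ValueError("inconsistent indentation before: " + lines[i][1])
    return mapping, i

def parse_yaml_subset(text):
    lines = []
    for raw in text.splitlines():
        code = raw.split(" #")[0].rstrip()  # drop trailing comments
        if code.strip() and not code.lstrip().startswith("#"):
            lines.append((len(code) - len(code.lstrip(" ")), code.strip()))
    return _block(lines, 0, lines[0][0])[0] if lines else {}

def _dig(node, *path):
    for key in path:
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node

def check_akhq_config(text):
    """Return 'tag: explanation' findings; an empty list means every check passed."""
    cfg, findings = parse_yaml_subset(text), []
    if _dig(cfg, "micronaut", "security", "enabled") is True:
        secret = _dig(cfg, "micronaut", "security", "token", "jwt", "signatures", "secret", "generator", "secret")
        # HS256 needs a key of at least 256 bits; an unreplaced '<placeholder>' counts as missing
        if not isinstance(secret, str) or secret.startswith("<") or len(secret) < 32:
            findings.append("jwt-secret: security is enabled without a usable JWT generator secret, so the session cookie cannot be signed and login fails")
    for key in ("connections", "server", "clients-defaults", "pagination", "topic", "topic-data"):
        if key in cfg:  # these sections belong under 'akhq:' (assumption for 'server', see lead-in)
            findings.append(f"indentation: '{key}' is at top level instead of under 'akhq:' and is ignored")
    if not _dig(cfg, "akhq", "connections"):
        findings.append("no-clusters: akhq.connections is empty, AKHQ reports 'Couldn't find any clusters on your configuration file'")
    if _dig(cfg, "akhq", "security", "default-group") != "no-roles":
        findings.append("default-group: akhq.security.default-group is not 'no-roles', so unauthenticated users inherit that group's roles")
    return findings

# Constructed input: the layout that yields "Couldn't find any clusters" (connections outside akhq:)
BROKEN_CONFIG = """
micronaut:
  security:
    enabled: true
connections:
  my-cluster:
    properties:
      bootstrap.servers: "kafka.example.internal:9092"
akhq:
  security:
    default-group: admin  # everyone, logged in or not, gets admin roles
"""

# Constructed input: same content with the AKHQ sections nested under akhq: and a secret set
FIXED_CONFIG = """
micronaut:
  security:
    enabled: true
    token:
      jwt:
        signatures:
          secret:
            generator:
              secret: constructed-example-secret-of-at-least-32-bytes
akhq:
  connections:
    my-cluster:
      properties:
        bootstrap.servers: "kafka.example.internal:9092"
  security:
    default-group: no-roles  # anonymous users get no rights
"""
```

Running `check_akhq_config` on `BROKEN_CONFIG` yields four findings (`jwt-secret`, `indentation`, `no-clusters`, `default-group`) and on `FIXED_CONFIG` none; feeding it a file whose indentation is inconsistent raises `ValueError` naming the offending line, which is the check the maintainer's closing request for properly formatted YAML is really after.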