tchiotludo / akhq

Kafka GUI for Apache Kafka to manage topics, topics data, consumers group, schema registry, connect and more...
https://akhq.io/
Apache License 2.0

unable to login after update to latest version #485

Closed jorgheymans closed 3 years ago

jorgheymans commented 3 years ago

Hi,

After updating to the latest version and migrating our config to the new format:

[image: screenshot of the configuration]

.. we find that we're no longer able to login. I have verified LDAP connectivity is working and the correct groups are returned.

Trying to get more debugging using this:

curl -i -X POST -H "Content-Type: application/json" \
       -d '{ "configuredLevel": "TRACE" }' \
       http://localhost:8080/loggers/io.micronaut.configuration.security

doesn't work as the login page intercepts that request and returns 307.

wilkej commented 3 years ago

I don't know if this is related, but we had some problems with the connection to our OIDC provider. It returned a claim with a role named admin and this didn't work, as akhq doesn't know a role with the name admin. We configured our OIDC provider to return a role which exists in akhq, like topic/read, and it worked.

jorgheymans commented 3 years ago

Well, on 0.14.1 this still worked, is it a regression?

tchiotludo commented 3 years ago

Really busy today, but have you seen that the configuration files have changed? (just in case not)

https://github.com/tchiotludo/akhq/releases/tag/0.16.0

The commit with the change: https://github.com/tchiotludo/akhq/commit/5ab788da22529ede3c7b640f1918304511cea6f0

jorgheymans commented 3 years ago

Yes, in the screenshot you can see I'm using the new format for the security: element. There are no errors on startup, so I'm assuming the format is correct.

tchiotludo commented 3 years ago

Can you provide the full configuration files please? This seems really weird, especially the loggers endpoint that doesn't work... I need to dig into it.

jorgheymans commented 3 years ago
micronaut:
  security:
    enabled: true
    ldap:
      default:
        enabled: true
        context:
          server: 'ldap://..................'
          managerDn: '.....................'
          managerPassword: '.............'
        search:
          base: "......................."
        groups:
          enabled: true # don't need other config here as we're overriding the default LdapGroupProcessor
          base: "......................."
  jmx:
    add-to-factory: false
    register-endpoints: false
  metrics:
    enabled: false
  views:
    soy:
      enabled: false
  server:
    host: ..........................
    port: 8080
    netty:
      worker:
        threads: 30 # see https://docs.micronaut.io/latest/guide/index.html#threadPools

akhq:
  server:
    base-path: "" # if behind a reverse proxy, path to kafkahq without trailing slash (optional). Example: kafkahq is
                  # behind a reverse proxy with url http://my-server/kafkahq, set base-path: "/kafkahq".
                  # Not needed if you're behind a reverse proxy with subdomain http://kafkahq.my-server/
    access-log: # Access log configuration (optional)
      enabled: true # true by default
      name: org.akhq.log.access # Logger name
      format: "[Date: {}] [Duration: {} ms] [Url: {} {} {}] [Status: {}] [Ip: {}] [Length: {}] [Port: {}]" # Logger format

  # default kafka properties for each clients, available for admin / producer / consumer (optional)
  clients-defaults:
    consumer:
      properties:
        isolation.level: read_committed

  # list of kafka cluster available for akhq
  connections:
    kafka-nonprod:
      properties:
        bootstrap.servers: ..................
        security.protocol: SSL
        ssl.truststore.location: ..................
        ssl.truststore.password: ..................
        ssl.keystore.location: ..................
        ssl.keystore.password: ..................
        ssl.key.password: ..................
  pagination:
    page-size: 10 # number of elements per page (default : 25)
    threads: 8 # Number of parallel threads to resolve page

  # Topic list display options (optional)
  topic:
    default-view: HIDE_INTERNAL # default list view (ALL, HIDE_INTERNAL, HIDE_INTERNAL_STREAM, HIDE_STREAM)
    internal-regexps: # list of regexp to be considered as internal (internal topic can't be deleted or updated)
      - "^_.*$"
      - "^.*_schemas$"
      - "^.*connect-config$"
      - "^.*connect-offsets$"
      - "^.*connect-status$"
    stream-regexps: # list of regexp to be considered as internal stream topic
      - "^.*-changelog$"
      - "^.*-repartition$"
      - "^.*-rekey$"
    skip-consumer-groups: true # Skip loading consumer group information when showing topics

  # Topic display data options (optional)
  topic-data:
    sort: OLDEST # default sort order (OLDEST, NEWEST) (default: OLDEST)
    size: 20 # max record per page (default: 50)
    poll-timeout: 10000 # The time, in milliseconds, spent waiting in poll if data is not available in the buffer.
    parallel: 4

  # Auth & Roles (optional)
  security:
    # so that unauthenticated users don't see anything and are redirected to the login page - no-roles
    default-group: no-roles
    groups:
      - name: reuse
        attributes:
          topics-filter-regexp: ".*"
    ldap:
      default-group: reader # built-in, needed to see all screens in read-only
      groups:
        - name: "ADM_DG"
          groups:
            - reuse

tchiotludo commented 3 years ago

I tried with your configuration files, just removed some default values, and it's working:

version: "3.7"

services:
  akhq:
    image: tchiotludo/akhq:dev
    network_mode: host
    environment:
      AKHQ_CONFIGURATION: |
        micronaut:
          security:
            enabled: true
            ldap:
              default:
                enabled: true
                context:
                  server: 'ldap://ldap.forumsys.com:389'
                  managerDn: 'cn=read-only-admin,dc=example,dc=com'
                  managerPassword: 'password'
                search:
                  base: "dc=example,dc=com"
                groups:
                  enabled: true
                  base: "dc=example,dc=com"
          jmx:
            add-to-factory: false
            register-endpoints: false
          metrics:
            enabled: false
          server:
            port: 28081
            netty:
              worker:
                threads: 30 # see https://docs.micronaut.io/latest/guide/index.html#threadPools

        akhq:
          server:
          connections:
            local:
              properties:
                bootstrap.servers: "local:9092"
              schema-registry:
                url: "http://schema-registry:8085"

          topic:
            skip-consumer-groups: true # Skip loading consumer group information when showing topics

          topic-data:
            size: 20 # max record per page (default: 50)
            poll-timeout: 10000 # The time, in milliseconds, spent waiting in poll if data is not available in the buffer.
            parallel: 4

          security:
            default-group: no-roles
            ldap:
              default-group: reader
              groups:
                - name: "scientists"
                  groups:
                    - admin

To be honest I don't see the issue... Maybe try to clean up your configuration and remove all default values.

I have a doubt about this:

    groups:
      - name: reuse
        attributes:
          topics-filter-regexp: ".*"

there are no roles defined here!

jorgheymans commented 3 years ago

Thanks for having a look at this. Indeed there are no roles, but this used to work before. My reasoning is that the akhq group defines only the topic filter, and then in the mapping of the LDAP group we give the default group reader on top.

tchiotludo commented 3 years ago

I don't think it was an intended behavior :smile: To be honest, I never thought it could work like that :thinking:

If you add the reader role, does it work?

jorgheymans commented 3 years ago

Indeed, when adding topic/reader I can login again, thanks for the hint! But the user only has this role. I would like it so that all users, when logged in, have the equivalent of the built-in reader role. Is this possible?

tchiotludo commented 3 years ago

Why not just add 2 groups for these users?

      groups:
        - name: "ADM_DG"
          groups:
            - reuse
            - reader

jorgheymans commented 3 years ago

I have now this configuration:

  security:
    default-group: no-role
    groups:
      - name: reuse
        roles:
          - topic/read
        attributes:
          topics-filter-regexp: ".*"
    ldap:
      groups:
        - name: ADM_DG
          groups:
            - reader
            - reuse

but then in the topic overview, when clicking on the hour-glass button to the right, I get this exception:

URL : http://localhost:7777/ui/401/topic

[image: screenshot of the exception]

tchiotludo commented 3 years ago

Can you post the full configuration please ?

jorgheymans commented 3 years ago

It's just in my comment above.

tchiotludo commented 3 years ago

It's not the full one, just a snippet :) I want a full configuration because the error means your configuration doesn't declare any kafka cluster :)

jorgheymans commented 3 years ago

Go a bit higher up :-)

https://github.com/tchiotludo/akhq/issues/485#issuecomment-719788762

archetec commented 3 years ago

We have the same issue just using plain old basic-auth... It used to work and now we can't login. I removed all groups and I'm just using the default groups and it still will not work. With default-group set to "reader" we can access topics as readers, as before, but when we try to login, the login form very briefly appears and then we're back to the topics page, still not logged in. With default-group set to "no-role" then the login page appears and endlessly loops on itself and we can't login... ever.

Logs don't show any errors.

Here's my security config. It can't be simpler than that...

    security:
      default-group: reader # Default groups for all the user even unlogged user
      basic-auth:
        - username: emy
          password: 27df9ed9a477af0fcfe369c8ef3474a75cebf357d8b721ca40f1de6cfd4cbb06
          groups:
            - admin

As I said, it worked before with 0.15.0 and I just reformatted the security config to the new format... nothing else changed.

Any idea??

EDIT:

Found my issue... I just added this section:

  micronaut:
    security:
      enabled: true

Before 0.16.0 it was "optional" as.... it worked without it. Now it looks like it's mandatory.

tchiotludo commented 3 years ago

Just for information, are you using the docker image or the jar?

jorgheymans commented 3 years ago

We're using the jar.

tchiotludo commented 3 years ago

Can you look at #500? Maybe it's the same issue? (jwt secret?)

jorgheymans commented 3 years ago

No, we don't use jwt, only ldap login.

tchiotludo commented 3 years ago

JWT is now the default session management and is mandatory for login. We store the current user in a JWT token, but we didn't provide a default secret in the last release. I changed this behavior here: #470, and you can try with the dev image if you want!

jorgheymans commented 3 years ago

Indeed, adding the jwt configuration made it work again.

tchiotludo commented 3 years ago

Glad to know it.
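Putting the thread's findings together, here is an added example (not part of this issue or of the AKHQ project) in Python that lints an AKHQ 0.16-style configuration for the login pitfalls discussed above: `micronaut.security.enabled` missing, no JWT settings (no default secret since 0.16.0, see #470), an akhq group that only carries attributes but no roles, LDAP/basic-auth mappings that reference a group that does not exist, and a configuration with no Kafka cluster (the `/ui/401/topic` error). The configurations are constructed inline as dicts, mirroring the ones posted in the thread, so the script runs without PyYAML; with a real file you would pass the result of `yaml.safe_load()` instead. Assumptions: the built-in group names admin, reader and no-roles, and the Micronaut Security key `micronaut.security.token.jwt` for the JWT settings; the secret value is a placeholder.

```python
from typing import Any

# Groups AKHQ ships with (assumption: admin and reader are referenced in the thread, no-roles is the default).
BUILT_IN_GROUPS = {"admin", "reader", "no-roles"}


def _get(cfg: dict, path: str, default: Any = None) -> Any:
    """Follow a dotted path through nested dicts; return default if any key is missing."""
    node: Any = cfg
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return default
        node = node[key]
    return node


def lint_akhq_security(cfg: dict) -> list[str]:
    """Return one finding per login pitfall; an empty list means none were detected."""
    findings: list[str] = []

    # 1. Since 0.16.0 Micronaut security has to be switched on explicitly.
    if _get(cfg, "micronaut.security.enabled") is not True:
        findings.append("micronaut.security.enabled is not true: login form loops back to itself")

    # 2. 0.16.0 keeps the session in a JWT and ships no default secret (#470).
    #    Assumption: those settings live under micronaut.security.token.jwt (Micronaut Security key).
    if _get(cfg, "micronaut.security.token.jwt") is None:
        findings.append("micronaut.security.token.jwt is missing: no JWT secret, so no session can be issued")

    # 3. An AKHQ group must carry roles; attributes such as topics-filter-regexp grant nothing on their own.
    known_groups = set(BUILT_IN_GROUPS)
    for group in _get(cfg, "akhq.security.groups", []) or []:
        name = group.get("name")
        if not name:
            findings.append("akhq.security.groups entry without a name")
            continue
        known_groups.add(name)
        if not group.get("roles"):
            findings.append(f"group '{name}' declares no roles: users mapped only to it cannot log in")

    # 4. Every default-group must resolve to a defined or built-in group.
    for path in ("akhq.security.default-group", "akhq.security.ldap.default-group"):
        value = _get(cfg, path)
        if value is not None and value not in known_groups:
            findings.append(f"{path} references unknown group '{value}'")

    # 5. LDAP group mappings and basic-auth users may only reference groups that exist.
    for mapping in _get(cfg, "akhq.security.ldap.groups", []) or []:
        for ref in mapping.get("groups", []):
            if ref not in known_groups:
                findings.append(f"ldap mapping '{mapping.get('name')}' references unknown group '{ref}'")
    for user in _get(cfg, "akhq.security.basic-auth", []) or []:
        for ref in user.get("groups", []):
            if ref not in known_groups:
                findings.append(f"basic-auth user '{user.get('username')}' references unknown group '{ref}'")

    # 6. The /ui/401/topic error in the thread came from a configuration declaring no Kafka cluster.
    if not _get(cfg, "akhq.connections"):
        findings.append("akhq.connections declares no Kafka cluster")

    return findings


# Constructed sample: the shape of the first configuration posted in the thread, reduced to the relevant keys.
BROKEN_CONFIG = {
    "micronaut": {"security": {"ldap": {"default": {"enabled": True}}}},  # enabled and jwt both absent
    "akhq": {
        "connections": {},
        "security": {
            "default-group": "no-roles",
            "groups": [{"name": "reuse", "attributes": {"topics-filter-regexp": ".*"}}],  # no roles
            "ldap": {"default-group": "reader", "groups": [{"name": "ADM_DG", "groups": ["reuse"]}]},
        },
    },
}

# Constructed sample: the same configuration with the fixes agreed on in the thread applied.
FIXED_CONFIG = {
    "micronaut": {
        "security": {
            "enabled": True,
            "token": {"jwt": {"signatures": {"secret": {"generator": {"secret": "CHANGEME-placeholder"}}}}},
        }
    },
    "akhq": {
        "connections": {"kafka-nonprod": {"properties": {"bootstrap.servers": "broker.example:9092"}}},
        "security": {
            "default-group": "no-roles",
            "groups": [{"name": "reuse", "roles": ["topic/read"], "attributes": {"topics-filter-regexp": ".*"}}],
            "ldap": {"default-group": "reader", "groups": [{"name": "ADM_DG", "groups": ["reader", "reuse"]}]},
        },
    },
}

if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"{label}: {lint_akhq_security(cfg) or ['no findings']}")
```

The checks are deliberately conservative: they only flag conditions the thread showed to break login, so a clean result does not prove the configuration works, but each finding points at one of the concrete causes diagnosed above.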