tchiotludo / akhq

Kafka GUI for Apache Kafka to manage topics, topics data, consumers group, schema registry, connect and more...
https://akhq.io/
Apache License 2.0

Exception from RestApiClaimProvider using the External roles and attribute mapping #984

Closed christofluethi closed 2 years ago

christofluethi commented 2 years ago

Trying to use the External roles and attribute mapping. But there is an Exception from ClaimProvider which occurs if the external rest service is configured.

Am I missing something?

Logs:

DEBUG r-thread-3 LdapAuthenticationProvider Attempting to initialize manager context
DEBUG r-thread-3 LdapAuthenticationProvider Manager context initialized successfully
DEBUG r-thread-3 LdapAuthenticationProvider Attempting to authenticate with user [my-user]
DEBUG r-thread-3 LdapAuthenticationProvider User found in context [uid=my-user,ou=***,o=***,c=***]. Attempting to bind.
DEBUG r-thread-3 LdapAuthenticationProvider Successfully bound user [uid=my-user,ou=***,o=***,c=***]. Attempting to retrieving groups.
TRACE r-thread-3 .DefaultLdapGroupProcessor The following groups were found for [uid=my-user,ou=***,o=***,c=***]: [my-group]
DEBUG r-thread-3 .DefaultLdapGroupProcessor Attempting to add any additional groups...
DEBUG r-thread-3 LdapAuthenticationProvider Group search returned [[my-group]] for user [my-user]
TRACE r-thread-3 LdapAuthenticationProvider Attempting to map [my-user] with groups [[my-group]] to an authentication response.
TRACE r-thread-3 i.m.a.c.InterceptorChain   Intercepted method [io.micronaut.context.AbstractExecutableMethodsDefinition$DispatchedExecutableMethod@583b04c6] invocation on target: org.akhq.utils.RestApiClaimProvider$Intercepted@50b7f04d
TRACE r-thread-3 i.m.a.c.InterceptorChain   Proceeded to next interceptor [io.micronaut.retry.intercept.RecoveryInterceptor@41bb4a7b] in chain for method invocation: io.micronaut.context.AbstractExecutableMethodsDefinition$DispatchedExecutableMethod@583b04c6
TRACE r-thread-3 i.m.a.c.InterceptorChain   Proceeded to next interceptor [io.micronaut.http.client.interceptor.HttpClientIntroductionAdvice@726497c5] in chain for method invocation: io.micronaut.context.AbstractExecutableMethodsDefinition$DispatchedExecutableMethod@583b04c6
TRACE r-thread-3 i.m.c.DefaultBeanContext   Looking up existing bean for key: JsonMapper
TRACE r-thread-3 i.m.c.DefaultBeanContext   No existing bean found for bean key: JsonMapper
DEBUG r-thread-3 i.m.c.DefaultBeanContext   Registering singleton bean io.micronaut.jackson.databind.JacksonDatabindMapper@5539ec1c for type [JsonMapper] using bean key JacksonDatabindMapper
DEBUG r-thread-3 i.m.c.DefaultBeanContext   Resolved existing bean [io.micronaut.jackson.databind.JacksonDatabindMapper@5539ec1c] for type [JsonMapper] and qualifier [null]
TRACE r-thread-3 redentialsHttpClientFilter Did not find any OAuth 2.0 client which should decorate the request with an access token received from client credentials request
DEBUG pGroup-1-3 .m.h.c.n.DefaultHttpClient Sending HTTP POST to http://auth-service/akhq-auth
TRACE pGroup-1-3 .m.h.c.n.DefaultHttpClient Content-Type: application/json
TRACE pGroup-1-3 .m.h.c.n.DefaultHttpClient Accept: application/json
TRACE pGroup-1-3 .m.h.c.n.DefaultHttpClient host: auth-service
TRACE pGroup-1-3 .m.h.c.n.DefaultHttpClient connection: close
TRACE pGroup-1-3 .m.h.c.n.DefaultHttpClient content-length: 76
TRACE pGroup-1-3 .m.h.c.n.DefaultHttpClient Request Body
TRACE pGroup-1-3 .m.h.c.n.DefaultHttpClient ----
TRACE pGroup-1-3 .m.h.c.n.DefaultHttpClient {"providerType":"LDAP","username":"my-user","groups":["my-group"]}
TRACE pGroup-1-3 .m.h.c.n.DefaultHttpClient ----
DEBUG pGroup-1-3 .m.h.c.n.DefaultHttpClient Received response 200 from http://auth-service/akhq-auth
TRACE pGroup-1-3 .m.h.c.n.DefaultHttpClient Connection: close
TRACE pGroup-1-3 .m.h.c.n.DefaultHttpClient Content-Type: application/json
TRACE pGroup-1-3 .m.h.c.n.DefaultHttpClient Matched-Stub-Id: 11116336-2182-4dd2-9c6c-367b878e9311
TRACE pGroup-1-3 .m.h.c.n.DefaultHttpClient Vary: Accept-Encoding, User-Agent
TRACE pGroup-1-3 .m.h.c.n.DefaultHttpClient content-length: 130
TRACE pGroup-1-3 .m.h.c.n.DefaultHttpClient Response Body
TRACE pGroup-1-3 .m.h.c.n.DefaultHttpClient ----
TRACE pGroup-1-3 .m.h.c.n.DefaultHttpClient {"roles":["topic/read"],"topics-filter-regexp":["my-prefix.*"],"connects-filter-regexp":[".*"],"consumer-groups-filter-regexp":[".*"]}
TRACE pGroup-1-3 .m.h.c.n.DefaultHttpClient ----
DEBUG r-thread-3 .ApplicationEventPublisher Publishing event: io.micronaut.security.event.LoginFailedEvent[source=io.micronaut.security.authentication.AuthenticationFailed@1cd65b08]
TRACE r-thread-3 .ApplicationEventPublisher Established event listeners [org.akhq.utils.LoginFailedEventListener@738cf4a6] for event: io.micronaut.security.event.LoginFailedEvent[source=io.micronaut.security.authentication.AuthenticationFailed@1cd65b08]
TRACE r-thread-3 .ApplicationEventPublisher Invoking event listener [org.akhq.utils.LoginFailedEventListener@738cf4a6] for event: io.micronaut.security.event.LoginFailedEvent[source=io.micronaut.security.authentication.AuthenticationFailed@1cd65b08]
WARN  r-thread-3 u.LoginFailedEventListener Login failed reason CUSTOM, username unknown, message Exception from ClaimProvider org.akhq.utils.RestApiClaimProvider$Intercepted: null

Current Configuration:

micronaut:
  security:
    enabled: true
    ldap:
      default:
        enabled: true
        context:
          server: "${LDAP_URL}"
          managerDn: "${LDAP_MANAGER_DN}"
          managerPassword: "${LDAP_MANAGER_PASSWORD}"
        search:
          enabled: true
          base: "${LDAP_SEARCH_BASE}"
        groups:
          enabled: true
          base: "${LDAP_GROUPS_BASE}"
          filter: '(member=*)'

akhq:
  security:
    default-group: no-roles
    rest:
      enabled: true
      url: http://auth-service/akhq-auth

  # ...

tchiotludo commented 2 years ago

Seems correct, or I don't spot the issue. Maybe @twobeeb?

twobeeb commented 2 years ago

Yes! @christofluethi Short version: topics-filter-regexp > topicsFilterRegexp and so on.

Long version: The kebab to camel case conversion doesn't work unless you are specifically using Micronaut Configuration API (for AKHQ yaml config files for instance). AKHQ Documentation is invalid. My mistake, I'm very sorry for the mislead, I will submit a PR tonight.

Test case: https://github.com/tchiotludo/akhq/blob/dev/src/test/java/org/akhq/modules/RestApiClaimProviderTest.java

My implementation is available here: https://github.com/michelin/ns4kafka/blob/master/api/src/main/java/com/michelin/ns4kafka/controllers/AkhqClaimProviderController.java
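
A check for the naming point made in the comment above, added here as an example (not code from AKHQ, ns4kafka or any participant in this thread): it lints a claim service's JSON body for kebab-case keys and reports the camelCase rename. The key names other than topicsFilterRegexp are derived from the comment's "and so on", and treating all four keys as required is an assumption.

```python
import json

# Assumption: the camelCase names follow the comment's
# "topics-filter-regexp > topicsFilterRegexp and so on".
EXPECTED_KEYS = ("roles", "topicsFilterRegexp",
                 "connectsFilterRegexp", "consumerGroupsFilterRegexp")

# Response body as it appears in the TRACE log of this issue.
LOGGED_BODY = ('{"roles":["topic/read"],"topics-filter-regexp":["my-prefix.*"],'
               '"connects-filter-regexp":[".*"],'
               '"consumer-groups-filter-regexp":[".*"]}')


def kebab_to_camel(key):
    head, *rest = key.split("-")
    return head + "".join(part[:1].upper() + part[1:] for part in rest)


def check_claim_response(body):
    """Return (claims keyed in camelCase, list of problems) for a JSON body."""
    try:
        data = json.loads(body)
    except json.JSONDecodeError as exc:
        return None, [f"not valid JSON: {exc.msg}"]
    if not isinstance(data, dict):
        return None, ["top-level JSON value must be an object"]
    claims, problems = {}, []
    for key, value in data.items():
        camel = kebab_to_camel(key)
        if camel not in EXPECTED_KEYS:
            problems.append(f"unexpected key {key!r}")
            continue
        if camel != key:
            problems.append(f"rename {key!r} to {camel!r}")
        if not (isinstance(value, list) and all(isinstance(v, str) for v in value)):
            problems.append(f"{key!r} must be a list of strings")
            continue
        claims[camel] = value
    # Assumption: all four keys are required; a missing filter is reported
    # rather than silently defaulted.
    problems += [f"missing key {k!r}" for k in EXPECTED_KEYS if k not in claims]
    return claims, problems


if __name__ == "__main__":
    fixed, issues = check_claim_response(LOGGED_BODY)
    print("\n".join(issues))
    print(json.dumps(fixed))
```

Run against a stubbed auth service before wiring it to AKHQ, this surfaces the key mismatch as a named rename instead of the `Exception from ClaimProvider ... null` login failure seen in the log.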

christofluethi commented 2 years ago

Thanks @twobeeb that worked. Created a PR, feel free to merge PR #985 or do your own.