AMQ Streams / ENTMQST-4409

Make Keycloak authorizer resilient to network glitches when creating a new client session


    • Type: Story
    • Resolution: Done
    • Priority: Normal
    • 2.4.0.GA
    • 2.2.0.GA
    • kafka-broker
    • None

      In the following broker log, there is an example of a network glitch between the broker and the authorization server (400 error code).

      2022-11-16 09:22:35,783 WARN Unexpected status while fetching authorization data - will retry next time: POST request to https://example.com/auth/realms/kafka-test/protocol/openid-connect/token failed with status 400: <html>
      

      The client is authenticating, creating a new session (1594811133), which ends up with `permissions: null` grants as a result of the network glitch, so the request is denied.

      2022-11-16 09:22:35,784 DEBUG Authorization grants for user OAuthKafkaPrincipal(User:4df238ee-d09f-4432-8450-3c061809d1e2, groups: null, session: 1594811133, token: eyJh**KJIg): null (io.strimzi.kafka.oauth.server.authorizer.KeycloakRBACAuthorizer) [data-plane-kafka-request-handler-7]
       permissions: null (io.strimzi.kafka.oauth.server.authorizer.KeycloakRBACAuthorizer.deny) [data-plane-kafka-request-handler-7]
      
      2022-11-16 09:22:35,784 DEBUG Authorization DENIED - user: OAuthKafkaPrincipal(User:4df238ee-d09f-4432-8450-3c061809d1e2, groups: null, session: 1594811133, token: eyJh**KJIg), cluster: kafka, operation: READ, resource: GROUP:my-group,
      

      A few milliseconds later, a new client request comes in, and this time the broker is able to get the client's grants and authorize the request.

      2022-11-16 09:22:35,913 DEBUG Authorization grants for user OAuthKafkaPrincipal(User:4df238ee-d09f-4432-8450-3c061809d1e2, groups: null, session: 1594811133, token: eyJh**KJIg): [{"scopes":["Read","Describe","DescribeConfigs","AlterConfigs"],"rsid":"8f8b560b-c6ae-46c8-b1d3-8ce26658c925","rsname":"Group:my-group"},{"scopes":["Read","Write","Describe","Alter","Create","DescribeConfigs","AlterConfigs"],"rsid":"7893e2ce-f7b8-4173-8dc6-bcd5634f722d","rsname":"Topic:my-topic"}] (io.strimzi.kafka.oauth.server.authorizer.KeycloakRBACAuthorizer) [data-plane-kafka-request-handler-7]
      
      2022-11-16 09:22:35,913 DEBUG Authorization GRANTED - cluster: kafka, user: OAuthKafkaPrincipal(User:4df238ee-d09f-4432-8450-3c061809d1e2, groups: null, session: 1594811133, token: eyJh**KJIg), operation: READ, resource: GROUP:my-group
      

      Maybe we could evaluate the possibility of adding a retry feature that you need to explicitly enable.

            Marko Strukelj
            Federico Valeri
            Lukas Kral
            Votes: 4
            Watchers: 6
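The following is an added illustration of the opt-in retry proposed in this issue; it is example code written for this page, not code from Strimzi, AMQ Streams or the KeycloakRBACAuthorizer. It assumes Java 17, stands in for the token endpoint with a constructed supplier that fails once with the same "status 400" message seen in the log above and then succeeds, and uses hypothetical names (RetryPolicy, fetchGrants, TransientFetchException, TokenRejectedException) rather than any real configuration key or class. The security-relevant points it shows are: retries stay disabled unless explicitly enabled, only transient failures are retried, a definitive rejection of the token is never retried, and when grants still cannot be obtained the decision is DENY (fail closed) rather than "no restrictions".

```java
import java.util.List;
import java.util.Optional;
import java.util.concurrent.atomic.AtomicInteger;
import java.util.function.Supplier;

/**
 * Added example (not Strimzi / AMQ Streams code): a bounded, opt-in retry around
 * the "fetch grants for a new session" step, so a transient failure at the token
 * endpoint does not immediately become "permissions: null" and a DENY.
 */
public class GrantsFetchRetryDemo {

    /** Transient failure (timeout, 5xx, or the unexpected 400 seen in the ticket). Safe to retry. */
    static class TransientFetchException extends RuntimeException {
        TransientFetchException(String msg) { super(msg); }
    }

    /** Definitive rejection of the token (e.g. 401 invalid_token). Must never be retried. */
    static class TokenRejectedException extends RuntimeException {
        TokenRejectedException(String msg) { super(msg); }
    }

    /** Retry settings. Hypothetical names, not Strimzi configuration keys. Disabled by default. */
    record RetryPolicy(boolean enabled, int maxRetries, long pauseMillis) {
        static RetryPolicy disabled() { return new RetryPolicy(false, 0, 0); }
    }

    /**
     * Fetch grants, retrying only on transient failures and only when the policy is enabled.
     * Optional.empty() means "grants unavailable"; the caller must treat that as DENY.
     */
    static Optional<List<String>> fetchGrants(Supplier<List<String>> endpoint, RetryPolicy policy) {
        int maxAttempts = policy.enabled() ? policy.maxRetries() + 1 : 1;
        for (int attempt = 1; attempt <= maxAttempts; attempt++) {
            try {
                return Optional.of(endpoint.get());
            } catch (TokenRejectedException e) {
                // Genuine authorization failure: a retry would only mask it.
                return Optional.empty();
            } catch (TransientFetchException e) {
                if (attempt == maxAttempts) {
                    return Optional.empty();      // retries exhausted: fail closed
                }
                // Bounded pause. This runs on a broker request-handler thread, so keep it short.
                try {
                    Thread.sleep(policy.pauseMillis());
                } catch (InterruptedException ie) {
                    Thread.currentThread().interrupt();
                    return Optional.empty();
                }
            }
        }
        return Optional.empty();
    }

    /** One authorization decision: no grants => DENY; otherwise require the scope to be present. */
    static boolean authorize(Optional<List<String>> grants, String requiredScope) {
        return grants.map(g -> g.contains(requiredScope)).orElse(false);
    }

    /** Constructed stand-in for the token endpoint: throws a transient 400 for the first N calls, then succeeds. */
    static Supplier<List<String>> flakyEndpoint(int failures) {
        AtomicInteger calls = new AtomicInteger();
        return () -> {
            if (calls.getAndIncrement() < failures) {
                throw new TransientFetchException(
                    "POST request to .../protocol/openid-connect/token failed with status 400");
            }
            // Flattened form of the grants from the log: resource name plus scope (constructed sample).
            return List.of("Group:my-group:Read", "Group:my-group:Describe", "Topic:my-topic:Write");
        };
    }

    public static void main(String[] args) {
        String op = "Group:my-group:Read";

        // Behaviour described in the ticket: a single attempt hits the 400, grants are null, request DENIED.
        Optional<List<String>> noRetry = fetchGrants(flakyEndpoint(1), RetryPolicy.disabled());
        System.out.println("retries disabled: " + (authorize(noRetry, op) ? "GRANTED" : "DENIED"));

        // Opt-in retry: the second attempt succeeds, so the same request is GRANTED.
        Optional<List<String>> withRetry = fetchGrants(flakyEndpoint(1), new RetryPolicy(true, 2, 50));
        System.out.println("retries enabled:  " + (authorize(withRetry, op) ? "GRANTED" : "DENIED"));

        // A rejected token is never retried, even with retries enabled: still DENIED after one call.
        Supplier<List<String>> rejecting = () -> { throw new TokenRejectedException("401 invalid_token"); };
        Optional<List<String>> rejected = fetchGrants(rejecting, new RetryPolicy(true, 2, 50));
        System.out.println("rejected token:   " + (authorize(rejected, op) ? "GRANTED" : "DENIED"));
    }
}
```

Two caveats a practitioner would want before enabling something like this in a broker: the retry loop runs on the request-handler thread that was handling the client (data-plane-kafka-request-handler-7 in the log), so the retry count and pause must stay small enough that a slow or down authorization server cannot tie up those threads; and a 400 from the token endpoint can also be a permanent condition (malformed request, misconfigured client), so the split between "transient" and "rejected" must be decided from the response, not assumed, otherwise retries only add latency before the same DENY.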