Loading...

XML

Word

Printable

Type: Bug
Resolution: Won't Do
Priority: Critical
Fix Version/s: None
Affects Version/s: 1.11.GA
Component/s: keycloak-authorization, team/eng
Labels:
- OpenShiftTS
- regression

Blocked:
False
Ready:
False
Release Note Text:
Undefined
Steps to Reproduce:
Hide

Test scenario

Summary:

Using `quarkus-keycloak-authorization` extension, you could exclude some path to the Authz procedures, through these properties:

quarkus.keycloak.policy-enforcer.enable=true quarkus.keycloak.policy-enforcer.paths.health.path=/health/* quarkus.keycloak.policy-enforcer.paths.health.enforcement-mode=DISABLED

However when you are pointing to an openshift /k8s liveness probe, you expected that this policy applies also to auto-redirect path.

curl -vvv http://127.0.0.1:8080/health * Trying 127.0.0.1... * TCP_NODELAY set * Connected to 127.0.0.1 (127.0.0.1) port 8080 (#0) > GET /health HTTP/1.1 > Host: 127.0.0.1:8080 > User-Agent: curl/7.64.1 > Accept: */* > < HTTP/1.1 301 Moved Permanently < location: http://127.0.0.1:8080/q/health < content-length: 0 < * Connection #0 to host 127.0.0.1 left intact * Closing connection 0

Note: was working on 1.7
Show
Test scenario Summary: Using `quarkus-keycloak-authorization` extension, you could exclude some path to the Authz procedures, through these properties: quarkus.keycloak.policy-enforcer.enable= true quarkus.keycloak.policy-enforcer.paths.health.path=/health/* quarkus.keycloak.policy-enforcer.paths.health.enforcement-mode=DISABLED However when you are pointing to an openshift /k8s liveness probe, you expected that this policy applies also to auto-redirect path. curl -vvv http: //127.0.0.1:8080/health * Trying 127.0.0.1... * TCP_NODELAY set * Connected to 127.0.0.1 (127.0.0.1) port 8080 (#0) > GET /health HTTP/1.1 > Host: 127.0.0.1:8080 > User-Agent: curl/7.64.1 > Accept: */* > < HTTP/1.1 301 Moved Permanently < location: http: //127.0.0.1:8080/q/health < content-length: 0 < * Connection #0 to host 127.0.0.1 left intact * Closing connection 0 Note: was working on 1.7
[QE] How to address?:
---
Market:

SFDC Cases Links:
SFDC Cases Counter:
SFDC Cases Open:

Priority: critical -> is critical because we are breaking backward compatibility

quarkus.keycloak.policy-enforcer.paths.health.path must include "/q" path.

Quarkus Version 1.7:

quarkus.keycloak.policy-enforcer.paths.health.path=/health/*

Quarkus Version 1.11:

quarkus.keycloak.policy-enforcer.paths.health.path=/q/health/*

There should be "auto-redirect" (or allow access) for such cases.

GH ref

blocks

QUARKUS-872 Non-application endpoints and /q/* Documentation

Closed

is related to

QUARKUS-744 Testing - Non application endpoints moved to /q/

Closed

Assignee:: Pedro Igor Craveiro

Reporter:: Pablo Gonzalez Granados (Inactive)

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Created:: 2021/01/26 6:19 AM

Updated:: 2021/03/16 10:42 AM

Resolved:: 2021/03/16 10:42 AM

Details

Description

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates