Exception from RestApiClaimProvider using the External roles and attribute mapping #984

Closed
christofluethi opened this issue Jan 18, 2022 · 3 comments

@christofluethi
Contributor

Trying to use the External roles and attribute mapping. But there is an Exception from ClaimProvider which occurs if the external REST service is configured.

Am I missing something?

Logs:

DEBUG r-thread-3 LdapAuthenticationProvider Attempting to initialize manager context
DEBUG r-thread-3 LdapAuthenticationProvider Manager context initialized successfully
DEBUG r-thread-3 LdapAuthenticationProvider Attempting to authenticate with user [my-user]
DEBUG r-thread-3 LdapAuthenticationProvider User found in context [uid=my-user,ou=***,o=***,c=***]. Attempting to bind.
DEBUG r-thread-3 LdapAuthenticationProvider Successfully bound user [uid=my-user,ou=***,o=***,c=***]. Attempting to retrieving groups.
TRACE r-thread-3 .DefaultLdapGroupProcessor The following groups were found for [uid=my-user,ou=***,o=***,c=***]: [my-group]
DEBUG r-thread-3 .DefaultLdapGroupProcessor Attempting to add any additional groups...
DEBUG r-thread-3 LdapAuthenticationProvider Group search returned [[my-group]] for user [my-user]
TRACE r-thread-3 LdapAuthenticationProvider Attempting to map [my-user] with groups [[my-group]] to an authentication response.
TRACE r-thread-3 i.m.a.c.InterceptorChain   Intercepted method [io.micronaut.context.AbstractExecutableMethodsDefinition$DispatchedExecutableMethod@583b04c6] invocation on target: org.akhq.utils.RestApiClaimProvider$Intercepted@50b7f04d
TRACE r-thread-3 i.m.a.c.InterceptorChain   Proceeded to next interceptor [io.micronaut.retry.intercept.RecoveryInterceptor@41bb4a7b] in chain for method invocation: io.micronaut.context.AbstractExecutableMethodsDefinition$DispatchedExecutableMethod@583b04c6
TRACE r-thread-3 i.m.a.c.InterceptorChain   Proceeded to next interceptor [io.micronaut.http.client.interceptor.HttpClientIntroductionAdvice@726497c5] in chain for method invocation: io.micronaut.context.AbstractExecutableMethodsDefinition$DispatchedExecutableMethod@583b04c6
TRACE r-thread-3 i.m.c.DefaultBeanContext   Looking up existing bean for key: JsonMapper
TRACE r-thread-3 i.m.c.DefaultBeanContext   No existing bean found for bean key: JsonMapper
DEBUG r-thread-3 i.m.c.DefaultBeanContext   Registering singleton bean io.micronaut.jackson.databind.JacksonDatabindMapper@5539ec1c for type [JsonMapper] using bean key JacksonDatabindMapper
DEBUG r-thread-3 i.m.c.DefaultBeanContext   Resolved existing bean [io.micronaut.jackson.databind.JacksonDatabindMapper@5539ec1c] for type [JsonMapper] and qualifier [null]
TRACE r-thread-3 redentialsHttpClientFilter Did not find any OAuth 2.0 client which should decorate the request with an access token received from client credentials request
DEBUG pGroup-1-3 .m.h.c.n.DefaultHttpClient Sending HTTP POST to http://auth-service/akhq-auth
TRACE pGroup-1-3 .m.h.c.n.DefaultHttpClient Content-Type: application/json
TRACE pGroup-1-3 .m.h.c.n.DefaultHttpClient Accept: application/json
TRACE pGroup-1-3 .m.h.c.n.DefaultHttpClient host: auth-service
TRACE pGroup-1-3 .m.h.c.n.DefaultHttpClient connection: close
TRACE pGroup-1-3 .m.h.c.n.DefaultHttpClient content-length: 76
TRACE pGroup-1-3 .m.h.c.n.DefaultHttpClient Request Body
TRACE pGroup-1-3 .m.h.c.n.DefaultHttpClient ----
TRACE pGroup-1-3 .m.h.c.n.DefaultHttpClient {"providerType":"LDAP","username":"my-user","groups":["my-group"]}
TRACE pGroup-1-3 .m.h.c.n.DefaultHttpClient ----
DEBUG pGroup-1-3 .m.h.c.n.DefaultHttpClient Received response 200 from http://auth-service/akhq-auth
TRACE pGroup-1-3 .m.h.c.n.DefaultHttpClient Connection: close
TRACE pGroup-1-3 .m.h.c.n.DefaultHttpClient Content-Type: application/json
TRACE pGroup-1-3 .m.h.c.n.DefaultHttpClient Matched-Stub-Id: 11116336-2182-4dd2-9c6c-367b878e9311
TRACE pGroup-1-3 .m.h.c.n.DefaultHttpClient Vary: Accept-Encoding, User-Agent
TRACE pGroup-1-3 .m.h.c.n.DefaultHttpClient content-length: 130
TRACE pGroup-1-3 .m.h.c.n.DefaultHttpClient Response Body
TRACE pGroup-1-3 .m.h.c.n.DefaultHttpClient ----
TRACE pGroup-1-3 .m.h.c.n.DefaultHttpClient {"roles":["topic/read"],"topics-filter-regexp":["my-prefix.*"],"connects-filter-regexp":[".*"],"consumer-groups-filter-regexp":[".*"]}
TRACE pGroup-1-3 .m.h.c.n.DefaultHttpClient ----
DEBUG r-thread-3 .ApplicationEventPublisher Publishing event: io.micronaut.security.event.LoginFailedEvent[source=io.micronaut.security.authentication.AuthenticationFailed@1cd65b08]
TRACE r-thread-3 .ApplicationEventPublisher Established event listeners [org.akhq.utils.LoginFailedEventListener@738cf4a6] for event: io.micronaut.security.event.LoginFailedEvent[source=io.micronaut.security.authentication.AuthenticationFailed@1cd65b08]
TRACE r-thread-3 .ApplicationEventPublisher Invoking event listener [org.akhq.utils.LoginFailedEventListener@738cf4a6] for event: io.micronaut.security.event.LoginFailedEvent[source=io.micronaut.security.authentication.AuthenticationFailed@1cd65b08]
WARN  r-thread-3 u.LoginFailedEventListener Login failed reason CUSTOM, username unknown, message Exception from ClaimProvider org.akhq.utils.RestApiClaimProvider$Intercepted: null

Current Configuration:

micronaut:
  security:
    enabled: true
    ldap:
      default:
        enabled: true
        context:
          server: "${LDAP_URL}"
          managerDn: "${LDAP_MANAGER_DN}"
          managerPassword: "${LDAP_MANAGER_PASSWORD}"
        search:
          enabled: true
          base: "${LDAP_SEARCH_BASE}"
        groups:
          enabled: true
          base: "${LDAP_GROUPS_BASE}"
          filter: '(member=*)'

akhq:
  security:
    default-group: no-roles
    rest:
      enabled: true
      url: http://auth-service/akhq-auth

  # ...

@tchiotludo
Owner

Seems correct, or I don't spot the issue.
Maybe @twobeeb ?

@twobeeb
Contributor

twobeeb commented Jan 18, 2022

Yes! @christofluethi

Short version
topics-filter-regexp > topicsFilterRegexp and so on.

Long version
The kebab to camel case conversion doesn't work unless you are specifically using the Micronaut Configuration API (for AKHQ YAML config files, for instance).
The AKHQ documentation is invalid. My mistake, I'm very sorry for misleading you; I will submit a PR tonight.
Test case: https://github.com/tchiotludo/akhq/blob/dev/src/test/java/org/akhq/modules/RestApiClaimProviderTest.java
My implementation is available here: https://github.com/michelin/ns4kafka/blob/master/api/src/main/java/com/michelin/ns4kafka/controllers/AkhqClaimProviderController.java
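
Added example, not part of the thread and not AKHQ or ns4kafka code: a contract check an external auth-service could run in its own tests to catch the key-naming mismatch described above before it surfaces as a failed login. The function names are hypothetical, and the expected key set beyond `roles` and `topicsFilterRegexp` is an assumption derived by applying the same rename to the keys in the logged response.

```python
import json
import re

# Constructed from the thread: the body the log shows the auth-service
# returning, and the same body with the rename the comment describes.
LOGGED_BODY = ('{"roles":["topic/read"],"topics-filter-regexp":["my-prefix.*"],'
               '"connects-filter-regexp":[".*"],"consumer-groups-filter-regexp":[".*"]}')
FIXED_BODY = ('{"roles":["topic/read"],"topicsFilterRegexp":["my-prefix.*"],'
              '"connectsFilterRegexp":[".*"],"consumerGroupsFilterRegexp":[".*"]}')

# "roles" and "topicsFilterRegexp" are named in the thread; the other two are
# an assumption, obtained by applying the same rename to the logged keys.
EXPECTED_KEYS = {"roles", "topicsFilterRegexp", "connectsFilterRegexp",
                 "consumerGroupsFilterRegexp"}


def kebab_to_camel(key):
    """topics-filter-regexp -> topicsFilterRegexp"""
    return re.sub(r"-([a-z0-9])", lambda m: m.group(1).upper(), key)


def check_claim_response(body):
    """Return (normalized, problems) for a claim-provider response body."""
    try:
        data = json.loads(body)
    except json.JSONDecodeError as exc:
        return {}, [f"not valid JSON: {exc.msg}"]
    if not isinstance(data, dict):
        return {}, ["top-level value must be a JSON object"]
    normalized, problems = {}, []
    for key, value in data.items():
        camel = kebab_to_camel(key)
        if camel != key:
            problems.append(f"kebab-case key '{key}' should be '{camel}'")
        if camel not in EXPECTED_KEYS:
            problems.append(f"unexpected key '{key}'")
        elif not (isinstance(value, list)
                  and all(isinstance(v, str) for v in value)):
            problems.append(f"'{key}' must be a list of strings")
        else:
            normalized[camel] = value
    return normalized, problems


if __name__ == "__main__":
    for name, body in (("logged", LOGGED_BODY), ("fixed", FIXED_BODY)):
        _, problems = check_claim_response(body)
        print(name, "OK" if not problems else problems)
```

Run against the logged body it reports the three kebab-case keys; the renamed body passes with no problems.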

@christofluethi
Contributor Author

Thanks @twobeeb that worked. Created a PR, feel free to merge PR #985 or do your own.
