This repository has been archived by the owner on Jan 24, 2024. It is now read-only.

[Help Request] Role cannot be empty when authentication with the PLAIN mechanism #1929

Closed
KamenRiderKuuga opened this issue Jun 28, 2023 · 3 comments

@KamenRiderKuuga

Problem

When authenticating with the PLAIN mechanism, I got the error message: Role cannot be empty

To Reproduce

The producer code:

package org.example;

import org.apache.kafka.clients.producer.KafkaProducer;
import org.apache.kafka.clients.producer.ProducerConfig;
import org.apache.kafka.clients.producer.ProducerRecord;
import org.apache.kafka.common.serialization.IntegerSerializer;
import org.apache.kafka.common.serialization.StringSerializer;

import java.util.Properties;

public class Main {
    public static void main(String[] args) {
        Properties props = new Properties();
        props.put(ProducerConfig.BOOTSTRAP_SERVERS_CONFIG, "127.0.0.1:" + 9092);
        props.put(ProducerConfig.KEY_SERIALIZER_CLASS_CONFIG, IntegerSerializer.class);
        props.put(ProducerConfig.VALUE_SERIALIZER_CLASS_CONFIG, StringSerializer.class);

        String jaasTemplate = "org.apache.kafka.common.security.plain.PlainLoginModule "
                + "required username=\"%s\" password=\"%s\";";
        String jaasCfg = String.format(jaasTemplate, "public/default", "token:" + "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJkYXRhIjpbXSwiaWF0IjoxNjg3NjMwMjY5LCJleHAiOjE4NDU0NzUxOTksImF1ZCI6IiIsImlzcyI6IiIsInN1YiI6IiJ9.bVKykCNNg4eh3FiiUf69ZkGkyMSN_OrAOJUHS9bP5fg");
        props.put("sasl.jaas.config", jaasCfg);
        props.put("security.protocol", "SASL_PLAINTEXT");
        props.put("sasl.mechanism", "PLAIN");
        var producer = new KafkaProducer<>(props);
        producer.send(new ProducerRecord<>("test", "kop-demo"));
    }
}

Configurations

I'm using a standalone broker. (streamnative/sn-pulsar:2.10.2.4)

These are all the configurations under the conf folder:
standalone.conf
client.conf
proxy.conf
broker.conf(if needed)

PS

The code with which I can produce messages:

from pulsar import Client, AuthenticationToken

# create an authentication token object with the token string
auth = AuthenticationToken('eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJkYXRhIjpbXSwiaWF0IjoxNjg3NjMwMjY5LCJleHAiOjE4NDU0NzUxOTksImF1ZCI6IiIsImlzcyI6IiIsInN1YiI6IiJ9.bVKykCNNg4eh3FiiUf69ZkGkyMSN_OrAOJUHS9bP5fg')

# create a pulsar client with the authentication token object
client = Client('pulsar://127.0.0.1:6650', authentication=auth)

producer = client.create_producer(
    topic='persistent://public/default/test',
)

producer.send('demo-msg'.encode('utf-8'))
client.close()
@BewareMyPower
Collaborator

BewareMyPower commented Jun 28, 2023

I see you set up a Pulsar proxy; KoP might not work well with the proxy.

Could you also upload the logs from the broker? It seems that we cannot get much useful info from the logs. Maybe you can try connecting to KoP directly first.

@BewareMyPower
Collaborator

I just rechecked again; it's expected that the token you used did not work.

The "sub" field is the role, which is empty.

I generated a token following the guide here and you can see the "sub" field is "test_user"

I think the issue is on the Pulsar side. It seems that Pulsar can work with an empty role when authorizationEnabled is false.
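
The check discussed in this thread, as an added example that is not part of the original issue or of the KoP/Pulsar code: it decodes a JWT payload without verifying the signature and reports whether the claim the thread identifies as the role ("sub") is present and non-empty. The sample tokens are constructed and unsigned, and all function names are hypothetical.

```python
import base64
import json

def b64url_decode(segment: str) -> bytes:
    """Decode an unpadded base64url JWT segment."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def jwt_claims(token: str) -> dict:
    """Return the payload claims WITHOUT verifying the signature (diagnostic only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    claims = json.loads(b64url_decode(parts[1]))
    if not isinstance(claims, dict):
        raise ValueError("JWT payload is not a JSON object")
    return claims

def role_problem(token: str, role_claim: str = "sub"):
    """Return None if the token carries a usable role, else a reason string."""
    try:
        claims = jwt_claims(token)
    except ValueError as exc:  # base64 and JSON decode errors are ValueError subclasses
        return f"malformed token: {exc}"
    role = claims.get(role_claim)
    if role is None:
        return f'claim "{role_claim}" is missing'
    if not isinstance(role, str) or not role.strip():
        return f'claim "{role_claim}" is empty, so there is no role to authenticate'
    return None

def make_sample_token(claims: dict) -> str:
    """Constructed, unsigned sample token for the demo (placeholder signature)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.c2lnbmF0dXJl"

# Constructed samples: one mirrors the empty "sub" case, one carries a role.
EMPTY_SUB = make_sample_token({"iat": 1687630269, "sub": ""})
WITH_SUB = make_sample_token({"iat": 1687630269, "sub": "test_user"})

if __name__ == "__main__":
    for name, tok in (("empty sub", EMPTY_SUB), ("sub=test_user", WITH_SUB)):
        print(name, "->", role_problem(tok) or "ok")
```

Running this against a self-generated token before putting it in `sasl.jaas.config` separates a missing-role problem from a connectivity or proxy problem.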

@KamenRiderKuuga
Author

KamenRiderKuuga commented Jun 28, 2023

Nice catch! Fast and accurate!

I did overlook this point; I did not carefully compare the guide and the "sub" field in the token I generated myself, and I think I can use the token in the native Pulsar client because I configured anonymousUserRole=admin in the standalone.conf file.

I think I should raise an issue about the "sub" field in the token with Pulsar, because they don't seem to describe what rules need to be followed when generating a token yourself.

A great help, thanks!
