[bug]: pulsarctl 3.1 branch can't work with client credentials error #1266

Closed
ericsyh opened this issue Nov 26, 2023 · 9 comments · Fixed by apache/pulsar-client-go#1244
@ericsyh
Member

ericsyh commented Nov 26, 2023

Background

I tested and found that the pulsarctl 3.1 branch release doesn't work now; it gets an error like

pulsarctl topics list public/default
[✖]  client error: could not get client credentials: open : no such file or directory

But the pulsarctl 3.0 branch works well and won't get this client credentials error.

How to reproduce

I upgraded pulsarctl on my local Mac laptop; the version is

Release Version: 3.1.0.2
Git Commit Hash: cb9b6f620364a7cea19325ae2c82523d08265520
Git Branch: HEAD
UTC Build Time: 2023-08-30 09:48:42
Go Version: go version go1.18.10 linux/amd64

Then running any kind of regular command will get the client credential error

pulsarctl tenants list
[✖]  client error: could not get client credentials: open : no such file or directory

@ericsyh
Member Author

ericsyh commented Nov 26, 2023

@tuteng @zymap @mattisonchao Could you help check this issue?

@ciiiii
Member

ciiiii commented Dec 4, 2023

encountered same error

@peica

peica commented Dec 23, 2023

Changing to Release Version: v2.10.5.11-5ce22c works.

@balticore

Same here, when using latest version and client_credentials it fails with error:

client error: authentication failed using client credentials: could not exchange client credentials: AADSTS90014: The required field 'scope' is missing from the credential. Ensure that you have all the necessary parameters for the login request.

However, when downgrading to v2.10.5.11-5ce22c it works without issues.

Note that using service account admin credentials works fine with both versions, but we need to use client_credentials to scope operations to particular namespaces and topics.

@zymap
Member

zymap commented Feb 20, 2024

@balticore According to the error, do you have the scope in the client credential file?

@Nikolajls

As I'm working with @balticore, I'll add more details since we've encountered this again with multiple people after updating to 3.1+

This is with latest 3.3.0.5

qa_clients.json:

{
    "type": "client_credentials",
    "client_id": "My random guid",
    "client_secret": "VERYSECRETGOESHERE",
    "issuer_url": "https://login.microsoftonline.com/TenantId/v2.0",
    "scope": "api://PulsarIdentityGuid/.default"
}

pulsarctl context set "sn-qa-clients" `
	--admin-service-url "https://adminserviceurl" `
	--issuer-endpoint "https://login.microsoftonline.com/TENANTID/v2.0" `
	--audience "api://PulsarIdentityGuid" `
	--scope "api://PulsarIdentityGuid/.default" `
	--key-file "file://qa_clients.json"

Oauth2 activate and a last-message id

@balticore

As @Nikolajls mentioned, yes, scope is part of the parameters and the exact same command works with version v2.10.5.11-5ce22c

@RobertIndie
Member

@Nikolajls From my understanding, the issue that apache/pulsar-client-go#1244 fixes is not the same as this one, right? They are not the same errors.

@Nikolajls

@RobertIndie

The fix I proposed in that PR would make at least @balticore's comment work (and we have multiple colleagues getting the same issue).

You're correct that the initial error from @ericsyh I've not seen, but when I debugged through Pulsarctl code all the way through pulsar admin, pulsar auth and the code I modified in the PR, I saw that it would fix the "required field scope is missing" issue that it seems multiple people are experiencing.

The call chain sort of is:

adminClient, err := admin.New(&config)

https://github.com/apache/pulsar-client-go/blob/df6a15c8548271f521d9615871899bd8d8678ed1/pulsaradmin/pkg/admin/admin.go#L68

https://github.com/apache/pulsar-client-go/blob/0ac542cb90ab5e4c4319c760c1a25a3d39182f54/pulsaradmin/pkg/admin/auth/provider.go#L75

https://github.com/apache/pulsar-client-go/blob/0ac542cb90ab5e4c4319c760c1a25a3d39182f54/pulsaradmin/pkg/admin/auth/oauth2.go#L76

https://github.com/apache/pulsar-client-go/blob/0ac542cb90ab5e4c4319c760c1a25a3d39182f54/pulsaradmin/pkg/admin/auth/oauth2.go#L84C22-L84C53

My change would then make it so the scope is read from the actual oauth2 config key file.
https://github.com/apache/pulsar-client-go/pull/1244/files#diff-4b3210cc326df5fdf66b95b8b7a6d4721ab73fbf43b4aa05d324b046d9fa321eR70

It could also be modified to work by changing so:
NewAuthenticationOAuth2WithDefaultFlow has a possibility of parsing in the scope from the config that is used by the context, but currently it only supports the issuer and the keyfile.
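
The scope handling discussed in this thread, as an added Go example that is not code from pulsarctl or pulsar-client-go: it parses a key file with the fields shown above and builds the client_credentials token request form, falling back to the key file's `scope` when the context supplies none. `KeyFile`, `BuildTokenForm` and the sample values are assumptions made for illustration; a form built without any scope is the request shape behind the "required field 'scope' is missing" error quoted earlier.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
)

// KeyFile mirrors the fields of the qa_clients.json shown in the thread.
type KeyFile struct {
	Type         string `json:"type"`
	ClientID     string `json:"client_id"`
	ClientSecret string `json:"client_secret"`
	Scope        string `json:"scope"`
}

// BuildTokenForm is a hypothetical helper, not a pulsar-client-go function.
// ctxScope is the scope from the CLI context; if empty, the key file's is used.
func BuildTokenForm(keyJSON []byte, audience, ctxScope string) (url.Values, error) {
	var kf KeyFile
	if err := json.Unmarshal(keyJSON, &kf); err != nil {
		return nil, fmt.Errorf("parse key file: %w", err)
	}
	if kf.Type != "client_credentials" {
		return nil, fmt.Errorf("unsupported key file type %q", kf.Type)
	}
	form := url.Values{"grant_type": {"client_credentials"},
		"client_id": {kf.ClientID}, "client_secret": {kf.ClientSecret}}
	if audience != "" {
		form.Set("audience", audience)
	}
	scope := ctxScope
	if scope == "" {
		scope = kf.Scope // fallback: keep the key file's scope in the request
	}
	if scope != "" {
		form.Set("scope", scope)
	}
	return form, nil
}

// Constructed sample key file, same shape as the one posted above.
const sampleKeyFile = `{"type":"client_credentials","client_id":"example-id",
"client_secret":"example-secret","scope":"api://PulsarIdentityGuid/.default"}`

func main() {
	form, err := BuildTokenForm([]byte(sampleKeyFile), "", "")
	fmt.Println(form.Get("scope"), err) // prints the scope only, never the secret
}
```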
