Align configuration with Kafka Operator #36
Conversation
…g change) Previous attribute defaulted to `false`, the new one defaults to `true`. Signed-off-by: Marko Strukelj <marko.strukelj@gmail.com>
…n.type` (Breaking change) Previous attribute defaulted to `false`, the new one defaults to `true`. Signed-off-by: Marko Strukelj <marko.strukelj@gmail.com>
|
I know this is still 0.x stuff, but I don't think it's necessary to make breaking changes. I think it would be better to deprecate |
…log a warning if used. Signed-off-by: Marko Strukelj <marko.strukelj@gmail.com>
|
@tombentley I made the change as you suggested. Old config options are still in place, working as they used to, but marked as deprecated, and a warning is logged if they are used. |
examples/consumer/src/main/java/io/strimzi/examples/consumer/ExampleConsumer.java
Show resolved
Hide resolved
examples/consumer/src/main/java/io/strimzi/examples/consumer/ExampleConsumer.java
Show resolved
Hide resolved
examples/producer/src/main/java/io/strimzi/examples/producer/ExampleProducer.java
Show resolved
Hide resolved
...-client/src/main/java/io/strimzi/kafka/oauth/client/JaasClientOauthLoginCallbackHandler.java
Outdated
Show resolved
Hide resolved
...ver/src/main/java/io/strimzi/kafka/oauth/server/JaasServerOauthValidatorCallbackHandler.java
Outdated
Show resolved
Hide resolved
…o util class Signed-off-by: Marko Strukelj <marko.strukelj@gmail.com>
| throw new RuntimeException("Custom username claim (OAUTH_USERNAME_CLAIM) not available, when tokens are configured as opaque (OAUTH_TOKENS_NOT_JWT)"); | ||
| isJwt = isAccessTokenJwt(config, log, null); | ||
| if (!isJwt && usernameClaim != null) { | ||
| throw new RuntimeException("Custom username claim (OAUTH_USERNAME_CLAIM) not available, when tokens are configured as opaque (OAUTH_ACCESS_TOKEN_IS_JWT=false)"); |
There was a problem hiding this comment.
Should we have a more specific exception type for this?
There was a problem hiding this comment.
We don't handle this exception anywhere. Any exception thrown here is caught by Kafka Broker and results in broker shutting down.
I don't think there is some Kafka runtime exception that should be used here? If that were the case we should replace with it all occurrences of RuntimeException inside configure() method.
There was a problem hiding this comment.
I'm just thinking that if your Kafka broker shuts down in these circumstances it's slightly nicer to see OauthConfigurationException in the logs than RuntimeException.
There was a problem hiding this comment.
That's very subjective. I personally don't see that as added value. But since it would require changing all RuntimeException throw statements in configure(), if we really want that, I prefer we make a new PR just for that and keep this one focused on configuration alignment. Maybe create a JIRA for the other one if you think we really should introduce a new exception.
| if (legacy != null) { | ||
| log.warn("OAUTH_TOKENS_NOT_JWT is deprecated. Use OAUTH_ACCESS_TOKEN_IS_JWT (with reverse meaning) instead."); | ||
| if (config.getValue(Config.OAUTH_ACCESS_TOKEN_IS_JWT) != null) { | ||
| throw new RuntimeException((errorPrefix != null ? errorPrefix : "") + "Can't use both OAUTH_ACCESS_TOKEN_IS_JWT and OAUTH_TOKENS_NOT_JWT"); |
There was a problem hiding this comment.
More specific exception type, maybe? Wdyt?
There was a problem hiding this comment.
Same answer as above.
| if (legacy != null) { | ||
| System.out.println("[WARN] OAUTH_TOKENS_NOT_JWT is deprecated. Use OAUTH_ACCESS_TOKEN_IS_JWT (with reverse meaning) instead."); | ||
| } | ||
| return legacy != null ? !Config.isTrue(legacy) : |
There was a problem hiding this comment.
Is it really correct that the legacy option is prefered over the new one? Shouldn't it be the other way around? Or does it have some other reason?
There was a problem hiding this comment.
This is just the ExampleConsumer CLI client - not something anyone will use for more than learning, how to use it on the client. Validation performed by it is more for the user experience than for validation.
Actual validation happens later in the workflow. If both old and new options are present, then the exception is thrown, because it's treated as a misconfiguration.
It happens in OAuth client library that actually handles this config under the hood and throws an exception.
So, if both options are present then the exception will be thrown, just a little later in the code flow.
| if (legacy != null) { | ||
| System.out.println("[WARN] OAUTH_TOKENS_NOT_JWT is deprecated. Use OAUTH_ACCESS_TOKEN_IS_JWT (with reverse meaning) instead."); | ||
| } | ||
| return legacy != null ? !Config.isTrue(legacy) : |
There was a problem hiding this comment.
Same as above. Is it really correct that the legacy option is prefered over the new one? Shouldn't it be the other way around? Or does it have some other reason?
| } | ||
| } | ||
|
|
||
| return legacy != null ? !Config.isTrue(legacy) : |
There was a problem hiding this comment.
Same as above ... Is it really correct that the legacy option is prefered over the new one? Shouldn't it be the other way around? Or does it have some other reason?
There was a problem hiding this comment.
This code won't be reached if both are present. See previous lines
| throw new RuntimeException("OAuth validator configuration error: can't use both OAUTH_CHECK_ACCESS_TOKEN_TYPE and OAUTH_VALIDATION_SKIP_TYPE_CHECK"); | ||
| } | ||
| } | ||
| return legacy != null ? !Config.isTrue(legacy) : |
There was a problem hiding this comment.
Same as above ... Is it really correct that the legacy option is prefered over the new one? Shouldn't it be the other way around? Or does it have some other reason?
There was a problem hiding this comment.
Same answer - this code won't be reached if both are present.
| @@ -128,7 +131,7 @@ public boolean getValueAsBoolean(String key, boolean fallback) { | |||
| } | |||
| } | |||
|
|
|||
| private boolean isTrue(String result) { | |||
| public static boolean isTrue(String result) { | |||
There was a problem hiding this comment.
of course this was already here but why we are supporting all these possible values and not just "true/false"?
There was a problem hiding this comment.
The only reason would be usability / user experience. Some people may in some situation prefer 'y' over 'true', or '0' over 'false'. It will be a string in input in any case, and needs to be converted to boolean somehow. This code here makes it both versatile, and specific - as we can always point to the algorithm with a url.
@ppatierno Do you see some negatives of this choice?
There was a problem hiding this comment.
in general, I don't like to give too much freedom to users :-)
Anyway I can live with it.
There was a problem hiding this comment.
Nice PR. I left some comments, but mostly LGTM. Do we need some CHANGELOG.md or RELEASE_NOTES.md to add the deprecations there so that we remember to mention them in the release?
It would be nice to mention these deprecations yes. Funny we don't have CHANGELOG.md yet or RELEASE_NOTES.md. We had no place to put the mention of the new features until now :)
We also have to be careful in strimzi-kafka-operator to not pull in the next release without an accompanying strimzi-kafka-operator PR that rewires to these new properties, so that users won't see deprecation messages in the log. I have the code ready, just didn't open the PR yet.
Yeah, so I think the point of my comment was should add it here in this PR? Or should we merge it without it. :-)
I think we can do the release soon if you want - up to you. |
|
Ok, I can add CHANGELOG.md, and put in it the changes for the previous releases as well. I'm not in a hurry with the release I think - 0.17.0 train has left for this one so I don't see any hurry. |
This PR introduces changes with regards to configuration:
oauth.tokens.not.jwtis now calledoauth.access.token.is.jwtand has a reverse meaningoauth.validation.skip.type.checkis now calledoauth.check.access.token.typeand has a reverse meaningHaving a reverse meaning for both these configuration parameters means that the default value is
truewhereas before it wasfalse, and when setting them explicitly you usually want to set them tofalserather thantrueas it was the case before.The old configuration parameter names still work with the old semantics, but have been marked @Deprecated and will be removed in future versions. A Warning is logged if the old parameter names are used.