The Wayback Machine - https://web.archive.org/web/20221013154429/https://github.com/apache/kafka/pull/12651

KAFKA-14212: Enhanced HttpAccessTokenRetriever to retrieve error mess… #12651

Merged
merged 2 commits into from Sep 20, 2022

Conversation

smjn
Contributor

@smjn smjn commented Sep 16, 2022

https://issues.apache.org/jira/browse/KAFKA-14212

  • Currently, the HttpAccessTokenRetriever client-side class does not retrieve the error response from the token e/p. As a result, seemingly trivial config issues could take a lot of time to diagnose and fix. For example, the client could be sending an invalid client secret, id or scope.
  • This PR aims to remedy the situation by retrieving the error response, if present, and logging it as well as appending it to any exceptions thrown.
  • New unit tests have also been added.

Sample Output

The o/p is generated using bin/kafka-console-producer

Invalid clientId

.
.
[2022-09-16 14:51:45,769] WARN handleOutput - error response code: 401, response body: null, error response body: {"errorCode":"invalid_client","errorSummary":"Invalid value for 'client_id' parameter.","errorLink":"invalid_client","errorId":"oaecGwvnlkhTce-YfueXeZVkQ","errorCauses":[]} (org.apache.kafka.common.security.oauthbearer.secured.HttpAccessTokenRetriever)
org.apache.kafka.common.KafkaException: Failed to construct kafka producer
	at org.apache.kafka.clients.producer.KafkaProducer.<init>(KafkaProducer.java:462)
	at org.apache.kafka.clients.producer.KafkaProducer.<init>(KafkaProducer.java:290)
	at org.apache.kafka.clients.producer.KafkaProducer.<init>(KafkaProducer.java:317)
	at org.apache.kafka.clients.producer.KafkaProducer.<init>(KafkaProducer.java:302)
	at kafka.tools.ConsoleProducer$.main(ConsoleProducer.scala:44)
	at kafka.tools.ConsoleProducer.main(ConsoleProducer.scala)
Caused by: org.apache.kafka.common.KafkaException: javax.security.auth.login.LoginException: org.apache.kafka.common.KafkaException: org.apache.kafka.common.security.oauthbearer.secured.UnretryableException: java.io.IOException: The response code 401 and error response {"invalid_client" - "Invalid value for 'client_id' parameter."} was encountered reading the token endpoint response; will not attempt further retries
.
.

Invalid client_secret

.
.
[2022-09-16 14:53:02,990] WARN handleOutput - error response code: 401, response body: null, error response body: {"error":"invalid_client","error_description":"The client secret supplied for a confidential client is invalid."} (org.apache.kafka.common.security.oauthbearer.secured.HttpAccessTokenRetriever)
org.apache.kafka.common.KafkaException: Failed to construct kafka producer
	at org.apache.kafka.clients.producer.KafkaProducer.<init>(KafkaProducer.java:462)
	at org.apache.kafka.clients.producer.KafkaProducer.<init>(KafkaProducer.java:290)
	at org.apache.kafka.clients.producer.KafkaProducer.<init>(KafkaProducer.java:317)
	at org.apache.kafka.clients.producer.KafkaProducer.<init>(KafkaProducer.java:302)
	at kafka.tools.ConsoleProducer$.main(ConsoleProducer.scala:44)
	at kafka.tools.ConsoleProducer.main(ConsoleProducer.scala)
Caused by: org.apache.kafka.common.KafkaException: javax.security.auth.login.LoginException: org.apache.kafka.common.KafkaException: org.apache.kafka.common.security.oauthbearer.secured.UnretryableException: java.io.IOException: The response code 401 and error response {"invalid_client" - "The client secret supplied for a confidential client is invalid."} was encountered reading the token endpoint response; will not attempt further retries
.
.

Invalid scope

.
.
[2022-09-16 14:54:05,536] WARN handleOutput - error response code: 400, response body: null, error response body: {"error":"invalid_scope","error_description":"One or more scopes are not configured for the authorization server resource."} (org.apache.kafka.common.security.oauthbearer.secured.HttpAccessTokenRetriever)
org.apache.kafka.common.KafkaException: Failed to construct kafka producer
	at org.apache.kafka.clients.producer.KafkaProducer.<init>(KafkaProducer.java:462)
	at org.apache.kafka.clients.producer.KafkaProducer.<init>(KafkaProducer.java:290)
	at org.apache.kafka.clients.producer.KafkaProducer.<init>(KafkaProducer.java:317)
	at org.apache.kafka.clients.producer.KafkaProducer.<init>(KafkaProducer.java:302)
	at kafka.tools.ConsoleProducer$.main(ConsoleProducer.scala:44)
	at kafka.tools.ConsoleProducer.main(ConsoleProducer.scala)
Caused by: org.apache.kafka.common.KafkaException: javax.security.auth.login.LoginException: org.apache.kafka.common.KafkaException: org.apache.kafka.common.security.oauthbearer.secured.UnretryableException: java.io.IOException: The response code 400 and error response {"invalid_scope" - "One or more scopes are not configured for the authorization server resource."} was encountered reading the token endpoint response; will not attempt further retries
.
.

Missing scope

.
.
[2022-09-16 14:54:47,630] WARN handleOutput - error response code: 400, response body: null, error response body: {"error":"invalid_scope","error_description":"The authorization server resource does not have any configured default scopes, 'scope' must be provided."} (org.apache.kafka.common.security.oauthbearer.secured.HttpAccessTokenRetriever)
org.apache.kafka.common.KafkaException: Failed to construct kafka producer
	at org.apache.kafka.clients.producer.KafkaProducer.<init>(KafkaProducer.java:462)
	at org.apache.kafka.clients.producer.KafkaProducer.<init>(KafkaProducer.java:290)
	at org.apache.kafka.clients.producer.KafkaProducer.<init>(KafkaProducer.java:317)
	at org.apache.kafka.clients.producer.KafkaProducer.<init>(KafkaProducer.java:302)
	at kafka.tools.ConsoleProducer$.main(ConsoleProducer.scala:44)
	at kafka.tools.ConsoleProducer.main(ConsoleProducer.scala)
Caused by: org.apache.kafka.common.KafkaException: javax.security.auth.login.LoginException: org.apache.kafka.common.KafkaException: org.apache.kafka.common.security.oauthbearer.secured.UnretryableException: java.io.IOException: The response code 400 and error response {"invalid_scope" - "The authorization server resource does not have any configured default scopes, 'scope' must be provided."} was encountered reading the token endpoint response; will not attempt further retries
	at org.apache.kafka.common.security.oauthbearer.secured.HttpAccessTokenRetriever.retrieve(HttpAccessTokenRetriever.java:180)
.
.
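
The error-body handling this PR describes, as an added Python example that is not the PR's Java code or anything from Kafka: it accepts both key pairs seen in the sample output and, as an assumption beyond what the PR states, strips control characters and caps field length before remote-supplied text reaches a log line. `summarize_token_error`, `MAX_FIELD_LEN`, the fallback message wording and the sample bodies are hypothetical names and constructed inputs.

```python
import json
import re

MAX_FIELD_LEN = 200  # assumption: cap on remote text copied into a log line
_CONTROL = re.compile(r"[\x00-\x1f\x7f]")

# Key pairs seen in the sample output: the RFC 6749 section 5.2 names and the
# errorCode/errorSummary variant returned in the invalid clientId case.
_KEY_PAIRS = (("error", "error_description"), ("errorCode", "errorSummary"))

# Constructed sample bodies (the first two abridged from the sample output).
SAMPLE_ERRORCODE_BODY = json.dumps({"errorCode": "invalid_client",
    "errorSummary": "Invalid value for 'client_id' parameter."})
SAMPLE_RFC_BODY = json.dumps({"error": "invalid_scope",
    "error_description": "'scope' must be provided."})
# A body whose description carries a newline followed by a fake log entry.
SAMPLE_FORGED_BODY = (r'{"error":"invalid_client","error_description":'
                      r'"bad secret\n[2022-09-16 14:55:00,000] INFO login ok"}')


def _clean(value):
    """Make a remote-supplied value safe to place on a single log line."""
    text = _CONTROL.sub(" ", str(value))
    return text if len(text) <= MAX_FIELD_LEN else text[:MAX_FIELD_LEN] + "..."


def summarize_token_error(status, body):
    """Return a one-line summary of a token endpoint error response."""
    code = description = None
    try:
        doc = json.loads(body) if body else None
    except ValueError:  # body is not JSON, e.g. an HTML page from a proxy
        doc = None
    if isinstance(doc, dict):
        for code_key, desc_key in _KEY_PAIRS:
            if code_key in doc:
                code, description = doc.get(code_key), doc.get(desc_key)
                break
    tail = "was encountered reading the token endpoint response"
    if code is None:
        return f"The response code {status} {tail}"
    detail = f'"{_clean(code)}"'
    if description is not None:
        detail += f' - "{_clean(description)}"'
    return f"The response code {status} and error response {{{detail}}} {tail}"
```
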

Contributor

@omkreddy omkreddy left a comment

LGTM, Thanks for the PR

@omkreddy omkreddy merged commit f8e0a6d into apache:trunk Sep 20, 2022
1 of 9 checks passed
@kirktrue
Contributor

kirktrue commented Sep 20, 2022

Nice work, @smjn! Thanks!

3 participants