Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

When activating the identity-auth profile, the health and readiness probes fail with status code 401 #18568

Closed
romansmirnov opened this issue May 16, 2024 · 0 comments · Fixed by #18569
Closed

When activating the identity-auth profile, the health and readiness probes fail with status code 401 #18568

romansmirnov opened this issue May 16, 2024 · 0 comments · Fixed by #18569
Assignees
@romansmirnov
Labels
component/zeebe Related to the Zeebe component/team kind/bug Categorizes an issue or PR as a bug version:8.6.0-alpha2 Marks an issue as being completely or in parts released in 8.6.0-alpha2

Comments

@romansmirnov
Copy link
Member

romansmirnov commented May 16, 2024
edited

Describe the bug

With version 8.6.0-alpha1, the readiness probe may fail with a 401. In a nutshell, the security fail chain defined for the REST API is applied when processing the readiness probe request:

https://github.com/camunda/zeebe/blob/c3110d98798853f0b471a7a6bcc22a66f70e4d71/dist/src/main/java/io/camunda/zeebe/shared/security/SecurityConfiguration.java#L42-L63

Instead, it should apply the Management security filter chain that permits all incoming requests on the management port:

https://github.com/camunda/zeebe/blob/c3110d98798853f0b471a7a6bcc22a66f70e4d71/dist/src/main/java/io/camunda/zeebe/shared/security/SecurityConfiguration.java#L84-L96

However, there might be situations where the readiness probe request does not fail with a 401, and the expected Management security filter chain is applied. Why? It depends on the order in which the beans are loaded, initiated, and registered. Sometimes, they are applied in the "right" order so that the expected security filter chain is applied on the readiness probe request.

To Reproduce

  1. Download the camunda-zeebe-8.6.0-alpha1 distribution
  2. Activate the profiles identity-auth by adding it to the config/application.yaml
spring:
  profiles:
    active: identity-auth
  1. Start the standalone gateway by executing bin/gateway.sh
  2. Execute the readiness probe http://localhost:9600/actuator/health/readiness

Expected behavior

The readiness probe succeeds with the status code 200.

Log/Stacktrace

When the beans are loaded, initiated, and registered in the "right" order, the following is logged:

Overriding bean definition for bean 'springSecurityFilterChain' with a different definition: replacing [Root bean: class [null]; scope=;
abstract=false; lazyInit=null; autowireMode=3; dependencyCheck=0; autowireCandidate=true; primary=false;
factoryBeanName=org.springframework.boot.actuate.autoconfigure.web.servlet.ServletManagementChildContextConfiguration$ServletManagementContextSecurityConfiguration;
factoryMethodName=springSecurityFilterChain; initMethodNames=null; destroyMethodNames=[(inferred)]; defined in class path resource
[org/springframework/boot/actuate/autoconfigure/web/servlet/ServletManagementChildContextConfiguration$ServletManagementContextSecurityConfiguration.class]]
with [Root bean: class [null]; scope=; abstract=false; lazyInit=null; autowireMode=3; dependencyCheck=0; autowireCandidate=true;
primary=false; factoryBeanName=org.springframework.security.config.annotation.web.configuration.WebSecurityConfiguration;
factoryMethodName=springSecurityFilterChain; initMethodNames=null; destroyMethodNames=[(inferred)]; defined in class path
resource [org/springframework/security/config/annotation/web/configuration/WebSecurityConfiguration.class]]

Meaning, the ServletManagementChildContextConfiguration$ServletManagementContextSecurityConfiguration.class loads the springSecurityFilterChain from the application context and registers it in its management context. Afterward, the management security filter chain is initiated and registered with the WebSecurityConfiguration, which defines a bean called springSecurityFilterChain and overrides it in the management context's registry. That way, the "correct" springSecurityFilterChain is applied when executing the readiness probe request.

If the override happens in the other order, the wrong springSecurityFilterChain is applied.

Hints

Environment:

  • Zeebe Version: 8.6.0-alpha1
  • Configuration: Activate the profiles identity-auth
@romansmirnov romansmirnov added kind/bug Categorizes an issue or PR as a bug component/zeebe Related to the Zeebe component/team labels May 16, 2024
@romansmirnov romansmirnov self-assigned this May 16, 2024
@romansmirnov romansmirnov mentioned this issue May 16, 2024
Merged
github-merge-queue bot pushed a commit that referenced this issue May 16, 2024
@romansmirnov
fix: configure management security filter chain (#18569)
8a2e0fc 
## Description

This PR ensures that all actuator endpoints are accessible and do not
return the status code 401. The same applies to the `BrokerHealthRoutes`
(`ready`, `startup`, and `health`). Therefore, it defines a security
filter chain `managementSecurity` only applied when one of the defined
`requestMatchers` matches. If none of the `requestMatchers` match, then
the default `restGatewaySecurity` security filter chain is applied,
requiring proper authentication.

## Related issues

closes #18568
@romansmirnov romansmirnov mentioned this issue May 23, 2024
Closed
6 tasks
@mihail-ca mihail-ca mentioned this issue May 23, 2024
Merged
github-merge-queue bot pushed a commit that referenced this issue May 27, 2024
@ralfpuchert
fix: POST backups endpoint fails with 403 (#18766)
d0c38ef 
fix: POST backups endpoint fails with 403

Added `SecurityFilterChain` for actuator endpoints, that disables CSRF
protection
Related issue: #18568
Spring documentation:
https://docs.spring.io/spring-boot/reference/actuator/endpoints.html#actuator.endpoints.security

Closes #18588
@korthout korthout added the version:8.6.0-alpha2 Marks an issue as being completely or in parts released in 8.6.0-alpha2 label Jun 4, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@romansmirnov romansmirnov

Labels
component/zeebe Related to the Zeebe component/team kind/bug Categorizes an issue or PR as a bug version:8.6.0-alpha2 Marks an issue as being completely or in parts released in 8.6.0-alpha2
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

fix: configure management security filter chain camunda/camunda
2 participants
@romansmirnov @korthout