Additional username/password login required even after SSO login using pac4j #15436

Open
Subhashini2610 opened this issue Nov 27, 2023 · 4 comments

@Subhashini2610

Description

Please include as much detailed information about the problem as possible.
I am trying to install Druid on a K8s cluster using the Helm chart. I need to add SSO (OpenID Connect) to the router. For this, I am using pac4j.
However, even after the SSO, I am prompted with a username/password dialog box as can be seen in the screenshot. I do not want to have two login sessions. The SSO login must be the one which identifies the user and assigns the necessary roles. Please help here!!!

Screenshot 2023-11-27 at 7 34 37 PM

Below are the configurations on the router:

2023-11-27T13:56:25+0000 startup service router
Setting druid.host=10.4.0.28 in /tmp/conf/druid/cluster/query/router/runtime.properties
Setting druid.auth.authenticator.BasicMetadataAuthenticator.skipOnFailure=false in /tmp/conf/druid/cluster/query/router/runtime.properties
Setting druid.indexer.logs.type=file in /tmp/conf/druid/cluster/query/router/runtime.properties
Setting druid.auth.authorizer.BasicMetadataAuthorizer.enableCacheNotifications=true in /tmp/conf/druid/cluster/query/router/runtime.properties
Setting druid.auth.authenticator.pac4j.type=pac4j in /tmp/conf/druid/cluster/query/router/runtime.properties
Setting druid.auth.authenticatorChain=["pac4j"] in /tmp/conf/druid/cluster/query/router/runtime.properties
Setting druid.auth.authenticator.BasicMetadataAuthenticator.initialAdminPassword=xxxxxxxxxx in /tmp/conf/druid/cluster/query/router/runtime.properties
Setting druid.auth.authorizer.BasicMetadataAuthorizer.initialAdminRole=admin in /tmp/conf/druid/cluster/query/router/runtime.properties
Setting druid.escalator.internalClientUsername=druid_system in /tmp/conf/druid/cluster/query/router/runtime.properties
Setting druid.extensions.loadList=["druid-basic-security", "druid-pac4j", "druid-multi-stage-query", "druid-stats", "druid-datasketches", "druid-kafka-indexing-service", "druid-protobuf-extensions", "druid-parquet-extensions", "druid-orc-extensions", "druid-azure-extensions", "druid-histogram", "druid-datasketches", "druid-lookups-cached-global", "postgresql-metadata-storage", "statsd-emitter"] in /tmp/conf/druid/cluster/query/router/runtime.properties
Setting druid.auth.authenticator.BasicMetadataAuthenticator.type=basic in /tmp/conf/druid/cluster/query/router/runtime.properties
Setting druid.azure.key=xxxxx in /tmp/conf/druid/cluster/query/router/runtime.properties
Setting druid.enablePlaintextPort=true in /tmp/conf/druid/cluster/query/router/runtime.properties
Setting druid.auth.pac4j.oidc.clientID=xxxxxx in /tmp/conf/druid/cluster/query/router/runtime.properties
Setting druid.escalator.authorizerName=BasicMetadataAuthorizer in /tmp/conf/druid/cluster/query/router/runtime.properties
Setting druid.auth.pac4j.cookiePassphrase=xxxxx in /tmp/conf/druid/cluster/query/router/runtime.properties
Setting druid.auth.pac4j.oidc.oidcClaim=sub in /tmp/conf/druid/cluster/query/router/runtime.properties
Setting druid.auth.pac4j.oidc.clientSecret=xxxxx in /tmp/conf/druid/cluster/query/router/runtime.properties
Setting druid.metadata.storage.type=postgresql in /tmp/conf/druid/cluster/query/router/runtime.properties
Setting druid.emitter.http.recipientBaseUrl=http://druid_exporter_url/:druid_exporter_port/druid in /tmp/conf/druid/cluster/query/router/runtime.properties
Setting druid.auth.authenticator.BasicMetadataAuthenticator.initialInternalClientPassword=xxxxxxx in /tmp/conf/druid/cluster/query/router/runtime.properties
Setting druid.azure.container=deepstorage in /tmp/conf/druid/cluster/query/router/runtime.properties
Setting druid.metadata.storage.connector.connectURI=jdbc:postgresql://dipeopensource.postgres.database.azure.com:5432/druid in /tmp/conf/druid/cluster/query/router/runtime.properties
Setting druid.auth.authenticator.BasicMetadataAuthenticator.credentialsValidator.type=metadata in /tmp/conf/druid/cluster/query/router/runtime.properties
Setting druid.auth.authorizer.allowAll.type=allowAll in /tmp/conf/druid/cluster/query/router/runtime.properties
Setting druid.storage.type=azure in /tmp/conf/druid/cluster/query/router/runtime.properties
Setting druid.auth.pac4j.oidc.discoveryURI=https://xxxxxxxx.net/v1/.well-known/openid-configuration in /tmp/conf/druid/cluster/query/router/runtime.properties
Setting druid.auth.authorizer.BasicMetadataAuthorizer.roleProvider.type=context in /tmp/conf/druid/cluster/query/router/runtime.properties
Setting druid.metadata.storage.connector.user=druid_user in /tmp/conf/druid/cluster/query/router/runtime.properties
Setting druid.escalator.internalClientPassword=xxxxxxx in /tmp/conf/druid/cluster/query/router/runtime.properties
Setting druid.auth.authenticator.pac4j.authorizerName=BasicMetadataAuthorizer in /tmp/conf/druid/cluster/query/router/runtime.properties
Setting druid.router.managementProxy.enabled=true in /tmp/conf/druid/cluster/query/router/runtime.properties
Setting druid.indexer.logs.directory=/opt/data/indexing-logs in /tmp/conf/druid/cluster/query/router/runtime.properties
Setting druid.zk.service.host=druid-zookeeper-headless:2181 in /tmp/conf/druid/cluster/query/router/runtime.properties
Setting druid.auth.authorizer.BasicMetadataAuthorizer.type=basic in /tmp/conf/druid/cluster/query/router/runtime.properties
Setting druid.escalator.type=basic in /tmp/conf/druid/cluster/query/router/runtime.properties
Setting druid.emitter=noop in /tmp/conf/druid/cluster/query/router/runtime.properties
Setting druid.auth.authenticator.BasicMetadataAuthenticator.authorizerName=allowAll in /tmp/conf/druid/cluster/query/router/runtime.properties
Setting druid.metadata.storage.connector.password=xxxxxxxxx in /tmp/conf/druid/cluster/query/router/runtime.properties
Setting druid.emitter.logging.logLevel=debug in /tmp/conf/druid/cluster/query/router/runtime.properties
Setting druid.metadata.postgres.ssl.sslMode=require in /tmp/conf/druid/cluster/query/router/runtime.properties
Setting druid.auth.authorizers=["BasicMetadataAuthorizer", "allowAll"] in /tmp/conf/druid/cluster/query/router/runtime.properties
Setting druid.azure.account=dipedevdsstorage in /tmp/conf/druid/cluster/query/router/runtime.properties
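
An added example, not part of the original post or of Druid's code: a small Python audit that parses `Setting key=value in <file>` startup lines like those above and lists authenticators that are configured but absent from `druid.auth.authenticatorChain`, or that map to an `allowAll` authorizer. The function names and finding labels are hypothetical, the sample input is constructed from the auth-related settings in the post, and the findings are configuration observations rather than a diagnosis of the double login.

```python
import json
import re

PATH = "/tmp/conf/druid/cluster/query/router/runtime.properties"
# Constructed sample: auth-related settings taken from the post, in its log format.
SAMPLE_LOG = "\n".join(f"Setting {kv} in {PATH}" for kv in [
    'druid.auth.authenticatorChain=["pac4j"]',
    'druid.auth.authenticator.pac4j.type=pac4j',
    'druid.auth.authenticator.pac4j.authorizerName=BasicMetadataAuthorizer',
    'druid.auth.authenticator.BasicMetadataAuthenticator.type=basic',
    'druid.auth.authenticator.BasicMetadataAuthenticator.authorizerName=allowAll',
    'druid.auth.authorizers=["BasicMetadataAuthorizer", "allowAll"]',
    'druid.auth.authorizer.BasicMetadataAuthorizer.type=basic',
    'druid.auth.authorizer.allowAll.type=allowAll',
])

SETTING = re.compile(r"^Setting (?P<key>[^=\s]+)=(?P<value>.*) in (?P<path>\S+)$")
AUTHN, AUTHZ = "druid.auth.authenticator.", "druid.auth.authorizer."

def parse_settings(log):
    """Return {property: value} from 'Setting k=v in <file>' lines; last write wins."""
    props = {}
    for line in log.splitlines():
        m = SETTING.match(line.strip())
        if m:
            props[m["key"]] = m["value"]
    return props

def audit_auth(props):
    """Return (authenticator, finding) pairs; finding labels are hypothetical."""
    chain = json.loads(props.get("druid.auth.authenticatorChain", "[]"))
    authorizers = json.loads(props.get("druid.auth.authorizers", "[]"))
    configured = sorted({k[len(AUTHN):].split(".")[0] for k in props if k.startswith(AUTHN)})
    findings = []
    for name in configured:
        if name not in chain:
            findings.append((name, "configured-but-not-in-chain"))
        target = props.get(f"{AUTHN}{name}.authorizerName")
        if target not in authorizers:
            findings.append((name, "authorizer-not-declared"))
        elif props.get(f"{AUTHZ}{target}.type") == "allowAll":
            findings.append((name, "maps-to-allowAll-authorizer"))
    findings += [(n, "in-chain-but-not-configured") for n in chain if n not in configured]
    return findings

if __name__ == "__main__":
    for name, finding in audit_auth(parse_settings(SAMPLE_LOG)):
        print(f"{name}: {finding}")
```
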
@itsautfullday

Hi, can you please show your Druid router properties? It could be that your basicAuthenticator is added before the pac4j authenticator in druid.auth.authenticatorChain. This would cause the pac4j auth to happen before the basic authenticator flow.

@Subhashini2610

Subhashini2610 commented Nov 29, 2023

@itsautfullday Druid router properties are already attached in the question :). The authenticator chain has only pac4j in it.

@itsautfullday

I was able to reproduce this issue when my BasicMetaDataAuth exists in config.properties. To prevent the double login I had to add druid.auth.authenticatorChain=["pac4j","MyBasicMetadataAuthenticator"]. This causes the router status to return 403 the entire time. I haven't been able to move beyond that. If you find any workaround for using basic auth and pac4j auth, kindly update here, as even I am looking for the same.

@Subhashini2610

@itsautfullday I am still facing this issue and we have learnt to live with dual login now!
