Header-auth not working properly

[hyde404]

Hello,

I would like to use header-auth config as an "authorizer".
The service is deployed on k8s and uses a oauth2-proxy container as a sidecar to log users with openAM.
We are able to login through oauth2 process and we get headers we want like X-Forwarded-Groups and X-Forwarded-Email.
To make sure these headers are forwarded, I added a "middleman" container which logs headers from oauth2.

So it looks like that
oauth2-proxy <----> middleman container <-----> akhq

This is what I log from the middleman :

{
	'Host': 'akhq.smt-int01.smt.mt.mycompany.com', 
	'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.99 Safari/537.36', 
	'Accept': 'application/json, text/plain, */*', 
	'Accept-Encoding': 'gzip, deflate, br', 
	'Accept-Language': 'fr-FR,fr;q=0.9', 
	'Cookie': '_ga=GA1.2.86470029.1643888228; _gid=GA1.2.1245042040.1643888228; _oauth2_proxy=<SOME COOKIE>, 
	'Referer': 'https://akhq.test-int.smt.mt.mycompany.com/ui/int/topic', 
	'Sec-Ch-Ua': '" Not;A Brand";v="99", 
	"Google Chrome";v="97", 
	"Chromium";v="97"', 
	'Sec-Ch-Ua-Mobile': '?0', 
	'Sec-Ch-Ua-Platform': '"Windows"', 
	'Sec-Fetch-Dest': 'empty', 
	'Sec-Fetch-Mode': 'cors', 
	'Sec-Fetch-Site': 'same-origin', 
	'X-Forwarded-Email': '[email protected]', 
	'X-Forwarded-For': '10.111.136.135, 10.144.201.118', 
	'X-Forwarded-Groups': 'fed_identite@app_3625,fed_identite@imbrique,rid@rid_moa_sid,rid@@admins,rid@rid_moe_rid,fed_identite@app_5356,fed_identite@frsid', 
	'X-Forwarded-Port': '443', 
	'X-Forwarded-Proto': 'https'
}

And this is the piece of config I use in akhq

akhq:
  connections:
    ass:
      properties:
        bootstrap.servers: <BROKERS URL>
        security.protocol: SSL
    dev:
      properties:
        bootstrap.servers: <BROKERS URL>
        security.protocol: SSL
    int:
      properties:
        bootstrap.servers: <BROKERS URL>
        sasl.jaas.config: org.apache.kafka.common.security.scram.ScramLoginModule required username=<USERNAME> password=<PASSWORD>;
        sasl.mechanism: SCRAM-SHA-512
        security.protocol: SASL_SSL
    sandbox:
      properties:
        bootstrap.servers: <BROKERS URL>
        security.protocol: SSL
  security:
    default-group: test-topic-reader
    groups:
      test-admin:
        attributes:
          connects-filter-regexp:
          - .*
          consumer-groups-filter-regexp:
          - .*
          topics-filter-regexp:
          - .*
        name: test-admin
        roles:
        - topic/read
        - topic/insert
        - topic/delete
        - topic/config/update
        - node/read
        - node/config/update
        - topic/data/read
        - topic/data/insert
        - topic/data/delete
        - group/read
        - group/delete
        - group/offsets/update
        - registry/read
        - registry/insert
        - registry/update
        - registry/delete
        - registry/version/delete
        - acls/read
        - connect/read
        - connect/insert
        - connect/update
        - connect/delete
        - connect/state/update
      test-no-role:
        name: test-no-role
        roles: []
      test-topic-reader:
        attributes:
          topics-filter-regexp:
          - .*
        name: test-topic-reader
        roles:
        - topic/read
    header-auth:
      default-group: test-topic-reader
      groups:
      - groups:
        - test-admin
        name: fed_identite@app_3625
      groups-header: X-Forwarded-Groups
      groups-header-separator: ','
      ip-patterns:
      - 0.0.0.0
      user-header: X-Forwarded-Email
      users:
      - groups:
        - test-admin
        username: [email protected]

For some reason I don't get, the role applied for all user tested will be test-topic-reader.
When I try with [email protected], it is also test-topic-reader role which is applied...

I tried to activate debug trace as suggested in https://akhq.io/docs/debug.html#debugging-authentication, but I still don't see any related issue.

Could you please assist me with this ?

Thank you !

[tchiotludo]

Difficult to see the issue like that.

• If you don't know the ip-patterns remove it please
• Please enable auth and send back the log please
• Maybe also set the micronaut.server.netty.log-level configuration to TRACE and enable more log with curl -i -X POST -H "Content-Type: application/json" -d '{ "configuredLevel": "TRACE" }' http://localhost:28081/loggers/io.netty

I've the feeling it's a case issue on header

[hyde404]

Thank you @tchiotludo for your answer !

I rather decided to keep it simple and use this config instead (with default roles and removing ip-patterns too):

...
    security:
      default-group: reader
      header-auth:
        user-header: X-Forwarded-Email 
        groups-header: X-Forwarded-Groups 
        groups-header-separator: ','
        default-group: reader
        groups:
          - name: fed_identite@app_3625
            groups:
              - admin
        users:
          - username: [email protected]
            groups:
              - admin
. . .

I activated logs too, but changed nothing at all ...

curl -i -X POST -H "Content-Type: application/json" \
>        -d '{ "configuredLevel": "TRACE" }' \
>        http://<POD_IP>:28081/loggers/io.micronaut.security
HTTP/1.1 200 OK
Content-Length: 0
date: Fri, 4 Feb 2022 10:47:17 GMT
connection: keep-alive

curl -i -X POST -H "Content-Type: application/json" \
       -d '{ "configuredLevel": "TRACE" }' \
       http://<POD_IP>:28081/loggers/org.akhq.configs
HTTP/1.1 200 OK
Content-Length: 0
date: Fri, 4 Feb 2022 10:47:30 GMT
connection: keep-alive

curl -i -X POST -H "Content-Type: application/json" -d '{ "configuredLevel": "TRACE" }' http://<POD_IP>:28081/loggers/io.netty
HTTP/1.1 200 OK
Content-Length: 0
date: Fri, 4 Feb 2022 10:47:43 GMT
connection: keep-alive

and have no logs coming...

2022-02-04 10:45:42,213 INFO  main       i.m.c.e.DefaultEnvironment Established active environments: [k8s, cloud, ec2, secrets]
2022-02-04 10:45:43,102 INFO  main       i.m.runtime.Micronaut      Startup completed in 1749ms. Server Running: http://akhq-848d545c8-bbzsx:8080

However, I activated performance logs afterwards and had logs regarding performance

curl -i -X POST -H "Content-Type: application/json" \
>        -d '{ "configuredLevel": "TRACE" }' \
>        http://<POD_IP>:28081/loggers/org.akhq
HTTP/1.1 200 OK
Content-Length: 0
date: Fri, 4 Feb 2022 10:59:42 GMT
connection: keep-alive

when accessing the dashboard, I'm still getting reader role, since it is the default role.

[hyde404]

Ok, I decided to go one step further and inject directly headers x-akhq-user and x-akhq-group just to make sure it wasn't something truncated on the way.
So according to header-auth doc, I changed header-auth config a little bit.

This is the config I get :

### on /app/application.yml
akhq:
  micronaut:
    application:
      name: akhq
    server:
      netty:
        logLevel: TRACE
  server:
    access-log:
      enabled: true
      name: org.akhq.log.access


### on /app/application-secrets.yml
akhq:
  connections:
    ass01:
      properties:
        bootstrap.servers: <SOME BROKER ENDPOINTS>
        security.protocol: SSL
    dev01:
      properties:
        bootstrap.servers: <SOME BROKER ENDPOINTS>
        security.protocol: SSL
  security:
    default-group: ro-roles
    header-auth:
      default-group: ro-roles
      groups:
      - groups:
        - admin
        name: ops
      groups-header: x-akhq-group
      groups-header-separator: ','
      user-header: x-akhq-user
      users:
      - groups:
        - admin
        username: chris

users and groups are correct and, if I'm not mistaken, should let requests pass.

I tried to inject through my middleman container and the my browser directly, but I get the same result (no roles).
And for a reason, I don't have any logs about it ...

Could you please give me some insights ?

Thank you

[hyde404]

I figured it out, I had to explicitly add

  micronaut:
    security:
      enabled: true

And I noticed it when I tried to set basic auth instead.
Sorry for bothering.

Please, can you mark this discussion as resolved ?

[tchiotludo]

Glad to know 👍