Connection closed error with image tag 3.0.2

[bhavyaravilla]

Describe the bug
I am currently using Pulsar with image tag v2.11.0. I am trying to upgrade it to use image v3.0.2 to fix the zookeeper certificate reload issue. But I am getting the below error when I deploy using the image tag v3.0.2. I have downloaded the latest pulsar helm charts from the main.

Error when trying to produce or consume messages

2024-01-12T14:08:14,177+0000 [pulsar-client-io-1-3] ERROR org.apache.pulsar.client.impl.ClientCnx - [id: 0x3f3194a1, L:/10.4.28.3:35442 - R:pre-devops-pulsar-upgrade-proxy.pulsar.svc.cluster.local/172.20.141.255:6651] Close connection because received internal-server error {"errorMsg":"org.apache.pulsar.client.api.PulsarClientException: Connection already closed","reqId":2440157358230427765, "remote":"pre-devops-pulsar-upgrade-proxy.pulsar.svc.cluster.local/172.20.141.255:6651", "local":"/10.4.28.3:35442"}

Please help with which image tag should be used here. I saw the support for version 3.0.0 is available already in the main which means image version 3.0.2 should be deployable

[bhavyaravilla]

Found this error in broker as well

2024-01-15T13:43:36,638+0000 [pulsar-io-4-1] WARN  org.apache.pulsar.broker.authorization.AuthorizationService - [/10.4.38.117:54580] Illegal combination of role [broker-admin] and originalPrincipal [admin]: cannot specify originalPrincipal when connecting without valid proxy role.
2024-01-15T13:43:36,641+0000 [pulsar-io-4-1] INFO  org.apache.pulsar.broker.service.ServerCnx - Closed connection from /10.4.38.117:54580

[lhotari]

@bhavyaravilla this is a security improvement made in apache/pulsar#19455 . @michaeljmarshall Do you have a chance to check how this could be supported in Apache Pulsar Helm chart?

[lhotari]

Attempt to fix this gap with PR #430 .

[lhotari]

workaround:
Configure proxyRoles: 'proxy-admin' under the broker.configData key as follows:

broker:
  configData:
    proxyRoles: 'proxy-admin'

Alternatively append --set broker.configData.proxyRoles=proxy-admin to the helm install/upgrade command line.

[Loahrs]

I am also currently encountering this issue with a "fresh" pulsar deployment from the helm chart. My error message contains a different role, but it's probably the same issue:

2024-01-16T10:18:00,153+0000 [pulsar-io-4-2] WARN org.apache.pulsar.broker.authorization.AuthorizationService - [/10.224.1.10:45766] Illegal combination of role [proxy-admin] and originalPrincipal [admin]: cannot specify originalPrincipal when connecting without valid proxy role.

My client tries to connect via "pulsar+ssl" and uses the "admin"-Token for authentication. The client shows following error:

2024-01-16 12:14:34.600 INFO  [23564] D:\a\pulsar-client-cpp\pulsar-client-cpp\lib\ClientConnection:190 | [<none> -> pulsar+ssl://<proxy-url>:6651] Create ClientConnection, timeout=10000
2024-01-16 12:14:34.602 INFO  [23564] D:\a\pulsar-client-cpp\pulsar-client-cpp\lib\ConnectionPool:114 | Created connection for pulsar+ssl://<proxy-url>:6651-0
2024-01-16 12:14:34.617 INFO  [31320] D:\a\pulsar-client-cpp\pulsar-client-cpp\lib\ClientConnection:404 | [192.168.178.20:61304 -> <proxy-url>:6651] Connected to broker
2024-01-16 12:14:34.682 ERROR [31320] D:\a\pulsar-client-cpp\pulsar-client-cpp\lib\ClientConnection:1572 | [192.168.178.20:61304 -> <proxy-url>:6651] Failed partition-metadata lookup req_id: 1 error: Retryable msg: org.apache.pulsar.client.api.PulsarClientException: Connection already closed
2024-01-16 12:14:34.682 INFO  [31320] D:\a\pulsar-client-cpp\pulsar-client-cpp\lib\ClientConnection:1325 | [192.168.178.20:61304 -> <proxy-url>:6651] Connection disconnected (refCnt: 2)
2024-01-16 12:14:34.682 INFO  [31320] D:\a\pulsar-client-cpp\pulsar-client-cpp\lib\ConnectionPool:129 | Remove connection for pulsar+ssl://<proxy-url>:6651-0
2024-01-16 12:14:34.682 INFO  [31320] D:\a\pulsar-client-cpp\pulsar-client-cpp\lib\RetryableOperation:114 | Reschedule get-partition-metadata-persistent://<my-tenant>/<namespace>/task-submitted for 100 ms, remaining time: 29900 ms

If I understand correctly, this will be solved by adding:

broker.configData:
    proxyRoles: 'proxy-admin'

to the .yaml file, run a helm upgrade pulsar apache/pulsar -f pulsar.yaml and probably restarting the pods?

[lhotari]

If I understand correctly, this will be solved by adding:\n\nbroker.configData:\n proxyRoles: 'proxy-admin'\nto the .yaml file, run a helm upgrade pulsar apache/pulsar -f pulsar.yaml and probably restarting the pods?

@Loahrs Exactly

[Loahrs]

If I understand correctly, this will be solved by adding:\n\nbroker.configData:\n proxyRoles: 'proxy-admin'\nto the .yaml file, run a helm upgrade pulsar apache/pulsar -f pulsar.yaml and probably restarting the pods?

@Loahrs Exactly

Thank you so much!

After setting the entry for broker.configData in my .yaml and running the helm upgrade I deleted the broker-pods (so that kubernetes recreates them with the newest settings).

Now I see a different kind of error in my proxy-logs:

2024-01-16T12:13:55,394+0000 [pulsar-proxy-io-2-4] INFO org.apache.pulsar.proxy.server.ProxyConnection - [/10.224.1.30:10697] New connection opened
2024-01-16T12:13:55,476+0000 [pulsar-proxy-io-2-4] INFO org.apache.pulsar.proxy.server.ProxyConnection - [/10.224.1.30:10697] complete connection, init proxy handler. authenticated with token role admin, hasProxyToBrokerUrl: false
2024-01-16T12:13:55,511+0000 [pulsar-proxy-io-2-3] INFO org.apache.pulsar.client.impl.ConnectionPool - [[id: 0x73eeed53, L:/10.224.1.10:60466 - R:pulsar-broker.pulsar.svc.cluster.local/10.224.1.2:6651]] Connected to server
2024-01-16T12:13:55,531+0000 [pulsar-proxy-io-2-3] WARN org.apache.pulsar.client.impl.ClientCnx - [id: 0x73eeed53, L:/10.224.1.10:60466 - R:pulsar-broker.pulsar.svc.cluster.local/10.224.1.2:6651] Received error from server: Invalid roles.
2024-01-16T12:13:55,531+0000 [pulsar-proxy-io-2-3] WARN org.apache.pulsar.client.impl.ClientCnx - [id: 0x73eeed53, L:/10.224.1.10:60466 - R:pulsar-broker.pulsar.svc.cluster.local/10.224.1.2:6651] Received unknown request id from server: -1
2024-01-16T12:13:55,531+0000 [pulsar-proxy-io-2-3] INFO org.apache.pulsar.client.impl.ClientCnx - [id: 0x73eeed53, L:/10.224.1.10:60466 ! R:pulsar-broker.pulsar.svc.cluster.local/10.224.1.2:6651] Disconnected
2024-01-16T12:13:55,531+0000 [pulsar-proxy-io-2-3] WARN org.apache.pulsar.client.impl.ConnectionPool - [[id: 0x73eeed53, L:/10.224.1.10:60466 ! R:pulsar-broker.pulsar.svc.cluster.local/10.224.1.2:6651]] Connection handshake failed: org.apache.pulsar.client.api.PulsarClientException: Connection already closed

It's showing a succesful authentication attempt (thanks to the new config-entry). But then the server responds with a Received error from server: Invalid roles.

Sorry to further bother you with that, but do you have any ideas about that? Are there other configs to add to fix this issue?

I could provide my yaml if that helps, but I mostly just followed the official instructions for the helm chart and made no other changes.

[lhotari]

After setting the entry for broker.configData in my .yaml and running the helm upgrade I deleted the broker-pods (so that kubernetes recreates them with the newest settings).

I replied to #431 (comment)
The syntax needs to be valid yaml.

[lhotari]

If I understand correctly, this will be solved by adding:

broker.configData:
    proxyRoles: 'proxy-admin'

Sorry @Loahrs , this was not the correct syntax. It's explained in #431 (comment)

[lhotari]

I updated the workaround instructions to reduce confusion, #427 (comment).