Disable default OIDC tenant when authentication is disabled (#8000)

See https://groups.google.com/g/quarkus-dev/c/isGqZvY829g/m/BNerQvSRAQAJ This property is a runtime property and it is likely to be more correct to set it to false, when authentication is not enabled. Incidentally, this allows to get rid of the OIDC warning when Nessie starts.
projectnessie · Jan 29, 2024 · 4b0d2c8 · 4b0d2c8
1 parent bec6ee0
commit 4b0d2c8
Show file tree

Hide file tree

Showing 5 changed files with 11 additions and 5 deletions.
diff --git a/helm/nessie/templates/deployment.yaml b/helm/nessie/templates/deployment.yaml
@@ -172,8 +172,8 @@ spec:
               value: {{ .Values.authentication.oidcClientId }}
             {{- end }}
             {{- else }}
-            - name: QUARKUS_LOG_CATEGORY__IO_QUARKUS_OIDC__LEVEL
-              value: "ERROR"
+            - name: QUARKUS_OIDC_TENANT_ENABLED
+              value: "false"
             {{- end }}
 
             {{- if .Values.authorization.enabled }}

diff --git a/servers/quarkus-server/src/main/resources/application.properties b/servers/quarkus-server/src/main/resources/application.properties
@@ -170,11 +170,11 @@ quarkus.http.body.handle-file-uploads=false
 #quarkus.oidc.client-id=
 nessie.server.authentication.enabled=false
 nessie.server.authentication.anonymous-paths=/q/health/live,/q/health/live/,/q/health/ready,/q/health/ready/
-# to be overwritten by end user when enabling OpenID validation
-quarkus.oidc.auth-server-url=http://127.255.0.0:0/auth/realms/unset/
 quarkus.http.auth.basic=false
-# OIDC-enabled is a build-time property (cannot be overwritten at run-time), MUST be true
+# OIDC-enabled is a build-time property (cannot be overwritten at run-time), MUST be true.
+# However, we can overwrite the tenant-enabled property at run-time.
 quarkus.oidc.enabled=true
+quarkus.oidc.tenant-enabled=${nessie.server.authentication.enabled}
 
 ## Quarkus swagger settings
 # fixed at buildtime

diff --git a/servers/quarkus-server/src/test/java/org/projectnessie/server/TestBasicAuthentication.java b/servers/quarkus-server/src/test/java/org/projectnessie/server/TestBasicAuthentication.java
@@ -62,6 +62,8 @@ public Map<String, String> getConfigOverrides() {
       return ImmutableMap.<String, String>builder()
           .putAll(super.getConfigOverrides())
           .put("quarkus.http.auth.basic", "true")
+          // Need a dummy URL to satisfy the Quarkus OIDC extension.
+          .put("quarkus.oidc.auth-server-url", "http://127.255.0.0:0/auth/realms/unset/")
           .build();
     }
   }

diff --git a/...us-server/src/test/java/org/projectnessie/server/TestQuarkusEventsEnabledAuthEnabled.java b/...us-server/src/test/java/org/projectnessie/server/TestQuarkusEventsEnabledAuthEnabled.java
@@ -45,6 +45,8 @@ public Map<String, String> getConfigOverrides() {
           .putAll(super.getConfigOverrides())
           .put("nessie.version.store.type", IN_MEMORY.name())
           .put("quarkus.http.auth.basic", "true")
+          // Need a dummy URL to satisfy the Quarkus OIDC extension.
+          .put("quarkus.oidc.auth-server-url", "http://127.255.0.0:0/auth/realms/unset/")
           .putAll(AuthenticationEnabledProfile.AUTH_CONFIG_OVERRIDES)
           .putAll(AuthenticationEnabledProfile.SECURITY_CONFIG)
           .build();

diff --git a/.../src/testFixtures/java/org/projectnessie/server/authz/NessieAuthorizationTestProfile.java b/.../src/testFixtures/java/org/projectnessie/server/authz/NessieAuthorizationTestProfile.java
@@ -78,6 +78,8 @@ public Map<String, String> getConfigOverrides() {
         .putAll(super.getConfigOverrides())
         .putAll(AUTHZ_RULES)
         .put("nessie.server.authorization.enabled", "true")
+        // Need a dummy URL to satisfy the Quarkus OIDC extension.
+        .put("quarkus.oidc.auth-server-url", "http://127.255.0.0:0/auth/realms/unset/")
         .build();
   }
 }