
[BUG] Postgresql passwordless-enabled: true still expects password

Open jgresc opened this issue 1 year ago • 9 comments

Hi all, I tried to switch my Spring Boot application that uses a Postgresql DB from authentication with username & password to passwordless authentication with Azure Auth using a managed identity. I followed the guide here and created a small sample app with my existing Postgresql DB & managed identity to test the authentication & connection (successfully). However, applying these changes to my existing app, the connection does not work. The driver still expects a password. I noticed when I start the application that the bean 'com.azure.spring.cloud.autoconfigure.implementation.jdbc.AzureJdbcAutoConfiguration' does not get initialised at the time MethodSecurity from Spring Security (that also accesses the DB) is initialised. Is there a conceptual mistake on my side in how to set up the application, or do we have a chicken-egg problem here?

Exception or Stack Trace

"com.zaxxer.hikari.pool.HikariPool","level":"ERROR","thread":"main","mdc":{},"stackTrace":"org.postgresql.util.PSQLException: The server requested password-based authentication, but no password was provided by plugin null

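Code Snippet

Application properties:

spring:
  datasource:
    azure:
      passwordless-enabled: true
    url: jdbc:postgresql://<server>:5432/<database>?sslmode=require
    username: user-managed-identity-name

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.expression.method.MethodSecurityExpressionHandler;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;

@Configuration
@EnableMethodSecurity
public class MyCustomGlobalMethodSecurityConfiguration {
    @Bean
    static MethodSecurityExpressionHandler methodSecurityExpressionHandler(MyRepositoryAccessFilter myRepositoryAccessFilter) {
        // Rest of the method was cut off in the post; the type comes from the startup log below, the constructor argument is assumed.
        return new CustomMethodSecurityExpressionHandler(myRepositoryAccessFilter);
    }
}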

I am using Spring Boot 3.1.1 and spring-cloud-azure-starter-jdbc-postgresql 5.8.0

The connection that the HikariPool is trying to establish, originates from the methodSecurityExpressionHandler bean, that uses the AccessFilter which has a Repository as a dependency:

2024-02-05T19:00:40.604+01:00  INFO 23308 --- [           main] com.zaxxer.hikari.HikariDataSource       : HikariPool-1 - Starting...
2024-02-05T19:00:42.153+01:00 ERROR 23308 --- [           main] com.zaxxer.hikari.pool.HikariPool        : HikariPool-1 - Exception during pool initialization.

org.postgresql.util.PSQLException: The server requested password-based authentication, but no password was provided by plugin null

Removing the Repository dependency would solve the issue but is not what I intend to have:

2024-02-05T18:53:49.424+01:00  INFO 23183 --- [           main] trationDelegate$BeanPostProcessorChecker : Bean 'methodSecurityExpressionHandler' of type [com.myapp.CustomMethodSecurityExpressionHandler] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying)
2024-02-05T18:53:49.448+01:00  INFO 23183 --- [           main] trationDelegate$BeanPostProcessorChecker : Bean 'com.azure.spring.cloud.autoconfigure.implementation.jdbc.AzureJdbcAutoConfiguration' of type [com.azure.spring.cloud.autoconfigure.implementation.jdbc.AzureJdbcAutoConfiguration] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying)

jgresc, Feb 05 '24 14:02

/cc @scottaddie as fyi

joshfree, Feb 05 '24 16:02

Hi @jgresc Thank you for reporting this issue. We have received your submission and will take a look. We appreciate your input and will review this matter as soon as possible. Please feel free to provide any additional information or context that you think may be helpful. We'll keep you updated on the progress of our review.

Netyyyy, Feb 19 '24 08:02

We have the same problem, also assuming a chicken-egg problem here.

Use case is to wire spring security authentication and authorization against permissions coming from the Postgres database using managed identity to access the database.

Potential workaround:

Annotating the injected repository with @Lazy, e.g.

@Component
class MyComponent(
    @Lazy /* lazy = potential workaround for https://github.com/Azure/azure-sdk-for-java/issues/38631 */
    private val myRepo: MyRepo
)

This seems to work fine in our case, but I want to emphasize that @Lazy might not fit other use-cases.

Please consult the documentation to see if it fits your use-case: https://docs.spring.io/spring-framework/reference/core/beans/dependencies/factory-lazy-init.html

dec42, Feb 21 '24 15:02

Yes, seems like it's a chicken-egg problem.

saragluna, Feb 22 '24 12:02

Hi @jgresc could you help provide a complete project?

Netyyyy, Mar 14 '24 07:03

@Netyyyy We have been unable to upgrade from Spring Boot 3.1 to anything higher for months for similar reasons (same error message). Are you still interested in a repro? I am not sure it's the same cause, so I could create a new issue when/if I am able to create a minimal example.

This never happens on my local computer (as it's not running in the right environment), so it's a bit time consuming to create these repros as one has to deploy to K8s to see if it is working or not.

fatso83, Jun 11 '24 08:06

@fatso83 Sure and thanks for reaching out. Also wondering if you are using MI on K8s? Have you tried other services like ASA/ACA (just wondering if the issue is k8s related)?

Netyyyy, Jun 12 '24 08:06

We are running managed identities on K8s, yeah. This is typically our setup in application.yml:

spring:
  datasource:
    username: our-runtime-id-username
    azure:
      passwordless-enabled: true
      credential:
        managed-identity-enabled: true
        client-id: ${cf.runtime.clientid} # replaced by defaultWorkloadIdentityClientId in deploy/values-<env>.yml

I don't know what ASA/ACA is, but I would not be able to try that out as I do not control the setup on the ops side. Our company is going "passwordless" (managed identity) across all apps deployed to K8S, so this is just a requirement that we need to implement.

To be able to connect to the database in the cluster from my local development computer we employ a setup like this:

spring:
  datasource:
    url: jdbc:postgresql://our-qa.postgres.database.azure.com:5432/my-app?authenticationPluginClassName=com.azure.identity.extensions.jdbc.postgresql.AzurePostgresqlAuthenticationPlugin
    username: Azure-Web-Developers

    azure:
      passwordless-enabled: false
      credential:
        managed-identity-enabled: false

When using the "local"/non-managed config everything works fine. It's only when using managed identities the problems appear. Also seeing the same logging issues related to dependency resolution as above when moving from 3.1.x to 3.2 or 3.3:

Bean 'spring.sql.init-org.springframework.boot.autoconfigure.sql.init.SqlInitializationProperties' of type [org.springframework.boot.autoconfigure.sql.init.SqlInitializationProperties] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying). Is this bean getting eagerly injected into a currently created BeanPostProcessor [jobRegistryBeanPostProcessor]? Check the corresponding BeanPostProcessor declaration and its dependencies.
Bean 'dataSourceScriptDatabaseInitializer' of type [org.springframework.boot.autoconfigure.sql.init.SqlDataSourceScriptDatabaseInitializer] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying). Is this bean getting eagerly injected into a currently created BeanPostProcessor [jobRegistryBeanPostProcessor]? Check the corresponding BeanPostProcessor declaration and its dependencies.
Bean 'org.springframework.boot.autoconfigure.batch.BatchAutoConfiguration$DataSourceInitializerConfiguration' of type [org.springframework.boot.autoconfigure.batch.BatchAutoConfiguration$DataSourceInitializerConfiguration] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying). Is this bean getting eagerly injected into a currently created BeanPostProcessor [jobRegistryBeanPostProcessor]? Check the corresponding BeanPostProcessor declaration and its dependencies.
Bean 'spring.batch-org.springframework.boot.autoconfigure.batch.BatchProperties' of type [org.springframework.boot.autoconfigure.batch.BatchProperties] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying). Is this bean getting eagerly injected into a currently created BeanPostProcessor [jobRegistryBeanPostProcessor]? Check the corresponding BeanPostProcessor declaration and its dependencies.

etc, etc.

No idea what has happened between 3.1 and 3.2 that causes this, nor how to solve it/debug it.

EDIT: I'll look into this guide from Baeldung eventually and see if I can grok something.

Classes that implement the BeanPostProcessor interface are instantiated on startup, as part of the special startup phase of the ApplicationContext, before any other beans.

fatso83, Jun 12 '24 10:06

I added the @Lazy annotation everywhere where Repository was used, to no avail. Still getting [com.azure.spring.cloud.autoconfigure.implementation.jdbc.AzureJdbcAutoConfiguration] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying)

  | Jun 28, 2024 @ 17:10:55.860 | ERROR | Application run failed
  | Jun 28, 2024 @ 17:10:55.750 | WARN | Exception encountered during context initialization - cancelling refresh attempt: org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'org.springframework.boot.autoconfigure.batch.BatchAutoConfiguration$SpringBootBatchConfiguration': Unsatisfied dependency expressed through constructor parameter 2: Error creating bean with name 'transactionManager' defined in class path resource [org/springframework/boot/autoconfigure/orm/jpa/HibernateJpaConfiguration.class]: Error creating bean with name 'batchDataSourceInitializer' defined in class path resource [org/springframework/boot/autoconfigure/batch/BatchAutoConfiguration$DataSourceInitializerConfiguration.class]: Failed to instantiate [org.springframework.boot.autoconfigure.batch.BatchDataSourceScriptDatabaseInitializer]: Factory method 'batchDataSourceInitializer' threw exception with message: Failed to determine DatabaseDriver
  | Jun 28, 2024 @ 17:10:54.464 | WARN | HikariPool-1 - idleTimeout has been set but has no effect because the pool is operating as a fixed size pool.
  | Jun 28, 2024 @ 17:10:54.447 | WARN | Bean 'spring.batch-org.springframework.boot.autoconfigure.batch.BatchProperties' of type [org.springframework.boot.autoconfigure.batch.BatchProperties] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying). Is this bean getting eagerly injected into a currently created BeanPostProcessor [jobRegistryBeanPostProcessor]? Check the corresponding BeanPostProcessor declaration and its dependencies.
  | Jun 28, 2024 @ 17:10:54.439 | WARN | Bean 'org.springframework.boot.autoconfigure.batch.BatchAutoConfiguration$DataSourceInitializerConfiguration' of type [org.springframework.boot.autoconfigure.batch.BatchAutoConfiguration$DataSourceInitializerConfiguration] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying). Is this bean getting eagerly injected into a currently created BeanPostProcessor [jobRegistryBeanPostProcessor]? Check the corresponding BeanPostProcessor declaration and its dependencies.
  | Jun 28, 2024 @ 17:10:54.427 | WARN | Bean 'dataSourceScriptDatabaseInitializer' of type [org.springframework.boot.autoconfigure.sql.init.SqlDataSourceScriptDatabaseInitializer] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying). Is this bean getting eagerly injected into a currently created BeanPostProcessor [jobRegistryBeanPostProcessor]? Check the corresponding BeanPostProcessor declaration and its dependencies.
  | Jun 28, 2024 @ 17:10:54.412 | WARN | Bean 'spring.sql.init-org.springframework.boot.autoconfigure.sql.init.SqlInitializationProperties' of type [org.springframework.boot.autoconfigure.sql.init.SqlInitializationProperties] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying). Is this bean getting eagerly injected into a currently created BeanPostProcessor [jobRegistryBeanPostProcessor]? Check the corresponding BeanPostProcessor declaration and its dependencies.
  | Jun 28, 2024 @ 17:10:54.397 | WARN | Bean 'org.springframework.boot.autoconfigure.sql.init.DataSourceInitializationConfiguration' of type [org.springframework.boot.autoconfigure.sql.init.DataSourceInitializationConfiguration] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying). Is this bean getting eagerly injected into a currently created BeanPostProcessor [jobRegistryBeanPostProcessor]? Check the corresponding BeanPostProcessor declaration and its dependencies.
  | Jun 28, 2024 @ 17:10:54.374 | WARN | Bean 'platformTransactionManagerCustomizers' of type [org.springframework.boot.autoconfigure.transaction.TransactionManagerCustomizers] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying). Is this bean getting eagerly injected into a currently created BeanPostProcessor [jobRegistryBeanPostProcessor]? Check the corresponding BeanPostProcessor declaration and its dependencies.
  | Jun 28, 2024 @ 17:10:54.371 | WARN | Bean 'spring.transaction-org.springframework.boot.autoconfigure.transaction.TransactionProperties' of type [org.springframework.boot.autoconfigure.transaction.TransactionProperties] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying). Is this bean getting eagerly injected into a currently created BeanPostProcessor [jobRegistryBeanPostProcessor]? Check the corresponding BeanPostProcessor declaration and its dependencies.
  | Jun 28, 2024 @ 17:10:54.365 | WARN | Bean 'transactionExecutionListeners' of type [org.springframework.boot.autoconfigure.transaction.ExecutionListenersTransactionManagerCustomizer] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying). Is this bean getting eagerly injected into a currently created BeanPostProcessor [jobRegistryBeanPostProcessor]? Check the corresponding BeanPostProcessor declaration and its dependencies.
  | Jun 28, 2024 @ 17:10:54.361 | WARN | Bean 'org.springframework.boot.autoconfigure.transaction.TransactionManagerCustomizationAutoConfiguration' of type [org.springframework.boot.autoconfigure.transaction.TransactionManagerCustomizationAutoConfiguration] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying). Is this bean getting eagerly injected into a currently created BeanPostProcessor [jobRegistryBeanPostProcessor]? Check the corresponding BeanPostProcessor declaration and its dependencies.
  | Jun 28, 2024 @ 17:10:54.350 | WARN | Bean 'org.springframework.boot.autoconfigure.orm.jpa.HibernateJpaConfiguration' of type [org.springframework.boot.autoconfigure.orm.jpa.HibernateJpaConfiguration] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying). Is this bean getting eagerly injected into a currently created BeanPostProcessor [jobRegistryBeanPostProcessor]? Check the corresponding BeanPostProcessor declaration and its dependencies.
  | Jun 28, 2024 @ 17:10:54.343 | WARN | Bean 'hikariPoolDataSourceMetadataProvider' of type [org.springframework.boot.autoconfigure.jdbc.metadata.DataSourcePoolMetadataProvidersConfiguration$HikariPoolDataSourceMetadataProviderConfiguration$$Lambda$800/0x00007f880f5ae2e8] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying). Is this bean getting eagerly injected into a currently created BeanPostProcessor [jobRegistryBeanPostProcessor]? Check the corresponding BeanPostProcessor declaration and its dependencies.
  | Jun 28, 2024 @ 17:10:54.340 | WARN | Bean 'org.springframework.boot.autoconfigure.jdbc.metadata.DataSourcePoolMetadataProvidersConfiguration$HikariPoolDataSourceMetadataProviderConfiguration' of type [org.springframework.boot.autoconfigure.jdbc.metadata.DataSourcePoolMetadataProvidersConfiguration$HikariPoolDataSourceMetadataProviderConfiguration] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying). Is this bean getting eagerly injected into a currently created BeanPostProcessor [jobRegistryBeanPostProcessor]? Check the corresponding BeanPostProcessor declaration and its dependencies.
  | Jun 28, 2024 @ 17:10:54.334 | WARN | Bean 'spring.jpa.hibernate-org.springframework.boot.autoconfigure.orm.jpa.HibernateProperties' of type [org.springframework.boot.autoconfigure.orm.jpa.HibernateProperties] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying). Is this bean getting eagerly injected into a currently created BeanPostProcessor [jobRegistryBeanPostProcessor]? Check the corresponding BeanPostProcessor declaration and its dependencies.
  | Jun 28, 2024 @ 17:10:54.323 | WARN | Bean 'spring.jpa-org.springframework.boot.autoconfigure.orm.jpa.JpaProperties' of type [org.springframework.boot.autoconfigure.orm.jpa.JpaProperties] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying). Is this bean getting eagerly injected into a currently created BeanPostProcessor [jobRegistryBeanPostProcessor]? Check the corresponding BeanPostProcessor declaration and its dependencies.
  | Jun 28, 2024 @ 17:10:54.290 | WARN | Bean 'dataSource' of type [com.zaxxer.hikari.HikariDataSource] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying). Is this bean getting eagerly injected into a currently created BeanPostProcessor [jobRegistryBeanPostProcessor]? Check the corresponding BeanPostProcessor declaration and its dependencies.
  | Jun 28, 2024 @ 17:10:54.258 | WARN | Bean 'jdbcConnectionDetails' of type [org.springframework.boot.autoconfigure.jdbc.PropertiesJdbcConnectionDetails] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying). Is this bean getting eagerly injected into a currently created BeanPostProcessor [jobRegistryBeanPostProcessor]? Check the corresponding BeanPostProcessor declaration and its dependencies.
  | Jun 28, 2024 @ 17:10:54.252 | WARN | Bean 'org.springframework.boot.autoconfigure.jdbc.DataSourceAutoConfiguration$PooledDataSourceConfiguration' of type [org.springframework.boot.autoconfigure.jdbc.DataSourceAutoConfiguration$PooledDataSourceConfiguration] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying). Is this bean getting eagerly injected into a currently created BeanPostProcessor [jobRegistryBeanPostProcessor]? Check the corresponding BeanPostProcessor declaration and its dependencies.
  | Jun 28, 2024 @ 17:10:54.245 | WARN | Bean 'spring.datasource-org.springframework.boot.autoconfigure.jdbc.DataSourceProperties' of type [org.springframework.boot.autoconfigure.jdbc.DataSourceProperties] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying). Is this bean getting eagerly injected into a currently created BeanPostProcessor [jobRegistryBeanPostProcessor]? Check the corresponding BeanPostProcessor declaration and its dependencies.
  | Jun 28, 2024 @ 17:10:54.231 | WARN | Bean 'org.springframework.boot.autoconfigure.jdbc.DataSourceConfiguration$Hikari' of type [org.springframework.boot.autoconfigure.jdbc.DataSourceConfiguration$Hikari] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying). Is this bean getting eagerly injected into a currently created BeanPostProcessor [jobRegistryBeanPostProcessor]? Check the corresponding BeanPostProcessor declaration and its dependencies.
  | Jun 28, 2024 @ 17:10:54.197 | WARN | Bean 'springCloudAzureGlobalProperties' of type [com.azure.spring.cloud.autoconfigure.implementation.context.properties.AzureGlobalProperties] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying). Is this bean getting eagerly injected into a currently created BeanPostProcessor [azurePasswordlessKafkaPropertiesBeanPostProcessor]? Check the corresponding BeanPostProcessor declaration and its dependencies.
  | Jun 28, 2024 @ 17:10:54.131 | WARN | Bean 'springTokenCredentialProviderContextProvider' of type [com.azure.spring.cloud.autoconfigure.implementation.jdbc.SpringTokenCredentialProviderContextProvider] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying). Is this bean getting eagerly injected into a currently created BeanPostProcessor []? Check the corresponding BeanPostProcessor declaration and its dependencies.
  | Jun 28, 2024 @ 17:10:54.127 | WARN | Bean 'com.azure.spring.cloud.autoconfigure.implementation.jdbc.AzureJdbcAutoConfiguration' of type [com.azure.spring.cloud.autoconfigure.implementation.jdbc.AzureJdbcAutoConfiguration] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying). Is this bean getting eagerly injected into a currently created BeanPostProcessor []? Check the corresponding BeanPostProcessor declaration and its dependencies.

fatso83, Jun 28 '24 15:06
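
An added triage script, not part of the thread or of the Azure SDK: it parses the "not eligible for getting processed by all BeanPostProcessors" warnings quoted in the posts above and groups the early-created beans by the BeanPostProcessor each warning names, so it is visible whether the DataSource was built while post-processors were still being registered. The sample lines are constructed in the thread's log format, and the `JDBC_TYPES` watch list is an assumption drawn from the bean types seen in those logs.

```python
import re
from collections import defaultdict

# Spring's BeanPostProcessorChecker warning. The "currently created
# BeanPostProcessor [name]" hint is optional: the first log excerpts in the
# thread lack it, the later ones carry it (sometimes with an empty name).
EARLY_BEAN = re.compile(
    r"Bean '(?P<bean>[^']+)' of type \[(?P<type>[^\]]+)\] is not eligible for "
    r"getting processed by all BeanPostProcessors"
    r"(?:.*?currently created BeanPostProcessor \[(?P<trigger>[^\]]*)\])?"
)

# Assumed watch list: bean types from the thread's logs that take part in
# building the JDBC connection.
JDBC_TYPES = ("DataSourceProperties", "HikariDataSource",
              "AzureJdbcAutoConfiguration", "TokenCredentialProvider")


def triage(log_text):
    """Return (beans grouped by triggering BeanPostProcessor, JDBC-related hits)."""
    by_trigger = defaultdict(list)
    jdbc_hits = []
    for line in log_text.splitlines():
        m = EARLY_BEAN.search(line)
        if not m:
            continue
        trigger = m.group("trigger") or "<unnamed>"
        by_trigger[trigger].append(m.group("bean"))
        if any(t in m.group("type") for t in JDBC_TYPES):
            jdbc_hits.append((m.group("bean"), trigger))
    return dict(by_trigger), jdbc_hits


# Constructed sample lines in the thread's log format (not copied output).
MSG = ("Bean '{0}' of type [{1}] is not eligible for getting processed by all "
       "BeanPostProcessors (for example: not eligible for auto-proxying).{2}")
HINT = (" Is this bean getting eagerly injected into a currently created "
        "BeanPostProcessor [{0}]? Check the corresponding BeanPostProcessor "
        "declaration and its dependencies.")
AZ_JDBC = "com.azure.spring.cloud.autoconfigure.implementation.jdbc.AzureJdbcAutoConfiguration"
BOOT = "org.springframework.boot.autoconfigure."
ROWS = [
    (AZ_JDBC, AZ_JDBC, ""),
    ("spring.datasource-" + BOOT + "jdbc.DataSourceProperties",
     BOOT + "jdbc.DataSourceProperties", "jobRegistryBeanPostProcessor"),
    ("dataSource", "com.zaxxer.hikari.HikariDataSource", "jobRegistryBeanPostProcessor"),
    ("spring.batch-" + BOOT + "batch.BatchProperties",
     BOOT + "batch.BatchProperties", "jobRegistryBeanPostProcessor"),
    ("methodSecurityExpressionHandler",
     "com.myapp.CustomMethodSecurityExpressionHandler", None),
]
SAMPLE_LOG = "\n".join(
    ["HikariPool-1 - Starting..."]
    + ["| WARN | " + MSG.format(b, t, "" if trig is None else HINT.format(trig))
       for b, t, trig in ROWS]
)

if __name__ == "__main__":
    groups, hits = triage(SAMPLE_LOG)
    for trigger, beans in groups.items():
        print(f"{trigger}: {len(beans)} bean(s) created early")
    for bean, trigger in hits:
        print(f"JDBC-related bean '{bean}' created early via {trigger}")
```

The trigger reported next to `dataSource` is the BeanPostProcessor whose declaration and dependencies Spring's own warning text says to check.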