FIPS support for Infinispan-grpc-kafka module

Open gtroitsk opened this issue 1 year ago • 0 comments

To test this module on FIPS-compliant machines, we must test it on OpenJDK 17 by Red Hat and using a PKCS12 keystore, please see RHEL ticket. Using another FIPS-compliant keystore is not possible. So, for example, the BCFIPS provider cannot be used because we are limited by using Docker containers and the workaround is not working. I set the configuration as the DataGrid QE team does. The problem is that the InfinispanKafkaSaslIT test fails with a Kafka exception:

08:16:26,485 INFO  [app] 08:16:26,266 [Consumer clientId=consumer-test-consumer-1, groupId=test-consumer] Error connecting to node localhost:32942 (id: -1 rack: null): java.io.IOException: Channel could not be created for socket java.nio.channels.SocketChannel[closed]
08:16:26,485 INFO  [app]        at org.apache.kafka.common.network.Selector.buildAndAttachKafkaChannel(Selector.java:348)
08:16:26,485 INFO  [app]        at org.apache.kafka.common.network.Selector.registerChannel(Selector.java:329)
08:16:26,485 INFO  [app]        at org.apache.kafka.common.network.Selector.connect(Selector.java:256)
08:16:26,485 INFO  [app]        at org.apache.kafka.clients.NetworkClient.initiateConnect(NetworkClient.java:1032)
08:16:26,485 INFO  [app]        at org.apache.kafka.clients.NetworkClient.access$600(NetworkClient.java:73)
08:16:26,485 INFO  [app]        at org.apache.kafka.clients.NetworkClient$DefaultMetadataUpdater.maybeUpdate(NetworkClient.java:1203)
08:16:26,485 INFO  [app]        at org.apache.kafka.clients.NetworkClient$DefaultMetadataUpdater.maybeUpdate(NetworkClient.java:1091)
08:16:26,485 INFO  [app]        at org.apache.kafka.clients.NetworkClient.poll(NetworkClient.java:569)
08:16:26,485 INFO  [app]        at org.apache.kafka.clients.consumer.internals.ConsumerNetworkClient.poll(ConsumerNetworkClient.java:280)
08:16:26,485 INFO  [app]        at org.apache.kafka.clients.consumer.internals.ConsumerNetworkClient.poll(ConsumerNetworkClient.java:251)
08:16:26,485 INFO  [app]        at org.apache.kafka.clients.consumer.internals.ConsumerNetworkClient.poll(ConsumerNetworkClient.java:242)
08:16:26,485 INFO  [app]        at org.apache.kafka.clients.consumer.internals.ConsumerNetworkClient.awaitMetadataUpdate(ConsumerNetworkClient.java:164)
08:16:26,485 INFO  [app]        at org.apache.kafka.clients.consumer.internals.AbstractCoordinator.ensureCoordinatorReady(AbstractCoordinator.java:277)
08:16:26,485 INFO  [app]        at org.apache.kafka.clients.consumer.internals.AbstractCoordinator.ensureCoordinatorReady(AbstractCoordinator.java:240)
08:16:26,485 INFO  [app]        at org.apache.kafka.clients.consumer.internals.ConsumerCoordinator.coordinatorUnknownAndUnreadySync(ConsumerCoordinator.java:499)
08:16:26,485 INFO  [app]        at org.apache.kafka.clients.consumer.internals.ConsumerCoordinator.poll(ConsumerCoordinator.java:531)
08:16:26,485 INFO  [app]        at org.apache.kafka.clients.consumer.KafkaConsumer.updateAssignmentMetadataIfNeeded(KafkaConsumer.java:1288)
08:16:26,485 INFO  [app]        at org.apache.kafka.clients.consumer.KafkaConsumer.poll(KafkaConsumer.java:1247)
08:16:26,485 INFO  [app]        at org.apache.kafka.clients.consumer.KafkaConsumer.poll(KafkaConsumer.java:1227)
08:16:26,485 INFO  [app]        at io.quarkus.ts.messaging.infinispan.grpc.kafka.quickstart.KafkaEndpoint.lambda$initialize$1(KafkaEndpoint.java:29)
08:16:26,485 INFO  [app]        at java.base/java.lang.Thread.run(Thread.java:833)
08:16:26,485 INFO  [app] Caused by: org.apache.kafka.common.KafkaException: org.apache.kafka.common.errors.SaslAuthenticationException: Failed to configure SaslClientAuthenticator
08:16:26,485 INFO  [app]        at org.apache.kafka.common.network.SaslChannelBuilder.buildChannel(SaslChannelBuilder.java:239)
08:16:26,486 INFO  [app]        at org.apache.kafka.common.network.Selector.buildAndAttachKafkaChannel(Selector.java:338)
08:16:26,486 INFO  [app]        ... 20 more
08:16:26,486 INFO  [app] Caused by: org.apache.kafka.common.errors.SaslAuthenticationException: Failed to configure SaslClientAuthenticator
08:16:26,486 INFO  [app] Caused by: org.apache.kafka.common.errors.SaslAuthenticationException: Failed to create SaslClient with mechanism PLAIN
08:16:26,486 INFO  [app] 08:16:26,266 [Consumer clientId=consumer-test-consumer-1, groupId=test-consumer] Bootstrap broker localhost:32942 (id: -1 rack: null) disconnected
08:16:47,918 INFO  [app] Service stopped (Quarkus JVM mode)

Reproducer:

git clone git@github.com:gtroitsk/quarkus-test-suite.git
cd quarkus-test-suite/messaging/infinispan-grpc-kafka/
git switch infinispan-pkcs12-fips
export JAVA_HOME="/qa/tools/opt/x86_64/openjdk17_last/"
PATH=/qa/tools/opt/x86_64/openjdk17_last/bin:$PATH
mvn clean verify -Dit.test=InfinispanKafkaSaslIT

gtroitsk avatar Aug 20 '23 18:08 gtroitsk
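
The last "Caused by" in the log above is a failure to create a SaslClient for the PLAIN mechanism. The following Java check is an added example, not code from the issue or from the test suite: run on the same JVM, it lists the registered security providers, shows which of them offer a SaslClientFactory for the mechanism, and calls the standard `javax.security.sasl.Sasl.createSaslClient` API directly. The class name `SaslPlainCheck`, the placeholder credentials and the `kafka`/`localhost` arguments are assumptions made for illustration.

```java
import java.security.Provider;
import java.security.Security;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.sasl.Sasl;
import javax.security.sasl.SaslClient;
import javax.security.sasl.SaslException;

// Hypothetical diagnostic class (not part of quarkus-test-suite).
public class SaslPlainCheck {
    // Names of registered providers that advertise a SaslClientFactory for the mechanism.
    static List<String> providersFor(String mechanism) {
        List<String> names = new ArrayList<>();
        for (Provider p : Security.getProviders()) {
            if (p.getService("SaslClientFactory", mechanism) != null) {
                names.add(p.getName());
            }
        }
        return names;
    }

    public static void main(String[] args) {
        String mechanism = args.length > 0 ? args[0] : "PLAIN";
        for (Provider p : Security.getProviders()) {
            System.out.println("registered provider: " + p.getName());
        }
        System.out.println("SaslClientFactory." + mechanism + " offered by: " + providersFor(mechanism));
        // Constructed placeholder credentials; nothing is sent over the network.
        CallbackHandler handler = callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) ((NameCallback) cb).setName("placeholder-user");
                else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword("placeholder-pass".toCharArray());
            }
        };
        try {
            // "kafka" and "localhost" are assumed protocol and server names for this check.
            SaslClient client = Sasl.createSaslClient(
                    new String[] {mechanism}, null, "kafka", "localhost", Map.of(), handler);
            System.out.println(client == null
                    ? "no SaslClient could be created for " + mechanism
                    : "created SaslClient for " + client.getMechanismName());
        } catch (SaslException e) {
            System.out.println("SaslException while creating client: " + e.getMessage());
        }
    }
}
```

Running it once on the FIPS-enabled host and once on a non-FIPS host with the same JDK makes any difference in the provider list and in the result of `createSaslClient` directly comparable.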