I've tried running master-labeled docker image and the issue still persists there
I'm running a supported version of the application which is listed here
Describe the bug (actual behavior)
The problem occurs when installing kafka-ui with RBAC (keycloak). Most likely this is because the Java web client does not send keepalive packets to maintain the TCP connection, and without them the AWS load balancer, with its 350s timeout, silently closes the TCP connection. The web client in kafka-ui only learns about this when it tries to send a packet again after 350 seconds and gets Connection reset:
Similar behavior is described for Java web clients in the Reactor Netty Reference Guide, in which option(ChannelOption.SO_KEEPALIVE, true) must be set. But unfortunately this option is not present in the kafka-ui client implementation.
Steps to reproduce
Set up using the scheme kafka-ui(RBAC-oauth2) <--> AWS NLB <--> keycloak
Screenshots
No response
Logs
ERROR [reactor-http-nio-4] o.s.b.a.w.r.e.AbstractErrorWebExceptionHandler: [ххх-ххх] 500 Server Error for HTTP GET "/login/oauth2/code/keycloak?state=ххх kafka-ui org.springframework.web.reactive.function.client.WebClientRequestException: Connection reset
Additional context
No response
@kivadratik-1 can you elaborate on why kafka-ui should send keepalive packets at all in a non-keepalive session scenario? And why does it have to occur every 350s? I doubt an authentication session should last this long.
It's hard to say, I haven't investigated your code in detail, but judging by the behavior of the ui, I assume that when the token expires, ui tries to go get a new token (or refresh) through the same tcp session it opened during the last attempt and receives rst from nlb; as a result ui gives 500. Actually, we tried to fix this behavior and locally made a patch that helped us to overcome this problem. Will send you a PR.
I assume that when the token expires, ui tries to go get a new token (or refresh) through the same tcp session it
opened during the last attempt and receives rst from nlb, as a result ui gives 500
Yes, kafka-ui uses spring-boot-security for authentication purposes and follows the described behavior.
I created a PR to fix this issue by using properties for the Jetty HTTP client: #4392. @Haarolean, I would be glad to receive your comments to provide additional support.
@mike-kolt I believe my comments won't help much as I won't be able to do anything with your PR (see #4255) :)
But I'll be happy to discuss this if you raise the same issue/PR in the other repo, you can find the link in my profile :)
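An added example, not kafka-ui code and not the approach of PR #4392 (which the thread says uses Jetty HTTP client properties): one way to apply the SO_KEEPALIVE option named in the issue to a Spring WebClient on Reactor Netty's NIO transport (the log shows a reactor-http-nio thread), combined with pool eviction below the 350s idle timeout. The class name, pool name and the 300s/120s/30s/4 values are assumptions.

```java
import io.netty.channel.ChannelOption;
import io.netty.channel.socket.nio.NioChannelOption;
import java.time.Duration;
import jdk.net.ExtendedSocketOptions;
import org.springframework.http.client.reactive.ReactorClientHttpConnector;
import org.springframework.web.reactive.function.client.WebClient;
import reactor.netty.http.client.HttpClient;
import reactor.netty.resources.ConnectionProvider;

// Hypothetical helper; builds a WebClient whose pooled connections
// survive (or are discarded before) a 350 s load balancer idle timeout.
public final class IdleSafeWebClient {

  // Idle timeout of the load balancer in the reported setup (from the issue).
  private static final Duration LB_IDLE_TIMEOUT = Duration.ofSeconds(350);

  private IdleSafeWebClient() {
  }

  public static WebClient create() {
    // Defence 1: never reuse a pooled connection that has been idle
    // longer than the load balancer tolerates (assumed margin: 50 s).
    ConnectionProvider pool = ConnectionProvider.builder("oauth2-idp")
        .maxIdleTime(LB_IDLE_TIMEOUT.minusSeconds(50))
        .evictInBackground(Duration.ofSeconds(30))
        .build();

    // Defence 2: TCP keepalive probes, started well before the timeout.
    // SO_KEEPALIVE alone uses the OS default idle time (7200 s on Linux),
    // which is far above 350 s, so the idle time is set explicitly.
    // ExtendedSocketOptions needs Java 11+ and the NIO transport.
    HttpClient http = HttpClient.create(pool)
        .option(ChannelOption.SO_KEEPALIVE, true)
        .option(NioChannelOption.of(ExtendedSocketOptions.TCP_KEEPIDLE), 120)
        .option(NioChannelOption.of(ExtendedSocketOptions.TCP_KEEPINTERVAL), 30)
        .option(NioChannelOption.of(ExtendedSocketOptions.TCP_KEEPCOUNT), 4);

    return WebClient.builder()
        .clientConnector(new ReactorClientHttpConnector(http))
        .build();
  }
}
```

With the native epoll transport the NioChannelOption lines have no effect; the equivalent options there are EpollChannelOption.TCP_KEEPIDLE, TCP_KEEPINTVL and TCP_KEEPCNT.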