Thanks Per-Ivar. Could you create an issue in GitHub because it is easier to track it there and there is more visibility on it there? Would you be able to create a test case that reproduces this? It would save a lot of time.
On Thu, 24 Apr 2025 at 11:37, Per-Ivar Bakke <[email protected]> wrote:
>
> Hi
>
> We have tried to enable Basic Authentication for the Pekko Management
> endpoints following the instructions provided in Enabling Basic
> Authentication. So far, we have only tested this by sending requests (using
> curl) towards the /alive, /ready and /bootstrap/seed-nodes endpoints.
>
> For all requests, the basic authenticator (myUserPassAuthenticator) is
> invoked:
>
> 1. When correct user credentials are provided, the expected '200 OK'
>    response is returned.
> 2. When incorrect credentials are provided, the expected '401 Unauthorized'
>    response is returned.
> 3. However, if no credentials are provided (i.e. no Authorization header in
>    the request), we still receive a '200 OK' response. Debugging the Basic
>    Authenticator function, we can see that the function returns the expected
>    Optional.empty() also in this case (i.e. the same as in 2 above).
>
> The above indicates to us that the Authentication is done first and that the
> issue is that said management endpoints allow anonymous access.
>
> However, we cannot find any documentation on how to disallow anonymous access
> for the above management endpoints. The only reference we can find is the
> documentation for authenticateBasicAsync. But that does not explain how we
> (as Pekko users) may protect existing management endpoints created by
> management extensions (health-check, bootstrap and cluster-management). Any
> additional advice (Java code example preferred) regarding how to solve this?
>
> If we find a solution to the above, how can we configure the internal HTTP
> client used in the bootstrap management extension (or any other internal
> clients used by Pekko, like for Discovery maybe) to use the appropriate
> credentials?
>
> Finally, we also intend to enable TLS following the instructions provided in
> Enabling TLS/SSL (HTTPS) for Cluster HTTP Management. The certificate will
> most likely be issued by an untrusted CA. Hence, in addition to providing the
> credentials mentioned above, we suspect we will also need to set up a trust
> store for all internal Pekko clients (bootstrap, etc.). Is this described
> anywhere or at all possible?
>
>
> Best regards,
> Per-Ivar Bakke
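For readers arriving at this thread, the following is an added Java example (not code from the original mails or from the Pekko project itself) of the server-side configuration the question refers to: starting Pekko Management with the documented basic-auth hook and an HTTPS connection context in one call. The authenticator checks both the user name and the password, returns an empty result for a missing Authorization header, and never echoes the supplied credentials. It does not address the anonymous-access behaviour reported above, nor the credentials or trust store of the internal bootstrap client, which remain open in this thread. The class name SecuredManagement, the MGMT_* environment variables and the PKCS12 keystore path are assumptions for illustration.

```java
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.util.Optional;
import java.util.concurrent.CompletableFuture;
import java.util.concurrent.CompletionStage;
import java.util.function.Function;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import org.apache.pekko.actor.ActorSystem;
import org.apache.pekko.http.javadsl.ConnectionContext;
import org.apache.pekko.http.javadsl.HttpsConnectionContext;
import org.apache.pekko.http.javadsl.server.directives.SecurityDirectives.ProvidedCredentials;
import org.apache.pekko.management.javadsl.PekkoManagement;

public class SecuredManagement {

  // Assumed deployment convention: credentials and keystore come from the environment.
  // The defaults exist only so the example runs; do not ship them.
  private static final String USER = System.getenv().getOrDefault("MGMT_USER", "ops");
  private static final String PASSWORD = System.getenv().getOrDefault("MGMT_PASSWORD", "change-me");

  /** Constant-time comparison so the user-name check does not leak length or prefix timing. */
  static boolean constantTimeEquals(String a, String b) {
    return MessageDigest.isEqual(
        a.getBytes(StandardCharsets.UTF_8), b.getBytes(StandardCharsets.UTF_8));
  }

  /**
   * Authenticator in the shape ManagementRouteProviderSettings.withAuth expects.
   * creds is empty when the request carried no Authorization header; we return
   * Optional.empty() in that case as well as on a bad user name or password, and
   * Optional.of(identifier) only when both match.
   */
  static final Function<Optional<ProvidedCredentials>, CompletionStage<Optional<String>>>
      authenticator =
          creds -> {
            boolean ok =
                creds
                    .filter(c -> constantTimeEquals(c.identifier(), USER) && c.verify(PASSWORD))
                    .isPresent();
            return CompletableFuture.completedFuture(ok ? Optional.of(USER) : Optional.empty());
          };

  /** Builds a server-side HTTPS context from a PKCS12 keystore holding the management cert. */
  static HttpsConnectionContext httpsContext(String keystorePath, char[] keystorePassword)
      throws Exception {
    KeyStore keyStore = KeyStore.getInstance("PKCS12");
    try (InputStream in = Files.newInputStream(Paths.get(keystorePath))) {
      keyStore.load(in, keystorePassword);
    }
    KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
    kmf.init(keyStore, keystorePassword);
    SSLContext sslContext = SSLContext.getInstance("TLS");
    sslContext.init(kmf.getKeyManagers(), null, null);
    return ConnectionContext.httpsServer(sslContext);
  }

  public static void main(String[] args) throws Exception {
    ActorSystem system = ActorSystem.create("management-demo");
    HttpsConnectionContext https =
        httpsContext(
            System.getenv().getOrDefault("MGMT_KEYSTORE", "management.p12"),
            System.getenv().getOrDefault("MGMT_KEYSTORE_PASSWORD", "").toCharArray());

    // Both settings are applied to every route the management extensions register
    // (health checks, bootstrap, cluster HTTP management), not to a hand-written route.
    PekkoManagement.get(system)
        .start(settings -> settings.withAuth(authenticator).withHttpsConnectionContext(https))
        .thenAccept(uri -> system.log().info("Pekko Management bound at {}", uri));
  }
}
```

Once the node is up, the three cases from the question are the check worth keeping in a smoke test: curl -u ops:... https://host:port/ready should return 200, a wrong password 401, and a request with no Authorization header at all should also return 401 with a WWW-Authenticate challenge. If the last case still answers 200, that is exactly the reproduction the reply above asks for in the GitHub issue.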
