Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

"bearertokenauth" extension Always return "401 Unauthorized" via HTTP connection #24656

Closed
tangx opened this issue Jul 28, 2023 · 8 comments
Closed
Assignees
Labels
bug Something isn't working extension/bearertokenauth

Comments

@tangx
Copy link

tangx commented Jul 28, 2023

Component(s)

extension/bearertokenauth

What happened?

Description

When set bearertokenauth

it always returns "401 Unauthorized" via HTTP(S) Connection.

HOSTNAME=localhost.with-token.http SERVER_INFO=http://127.0.0.1:55681 go run .
2023/07/28 18:16:48 Waiting for connection...
2023/07/28 18:16:48 Doing really hard work (1 / 10)
2023/07/28 18:16:49 Doing really hard work (2 / 10)
2023/07/28 18:16:50 Doing really hard work (3 / 10)
2023/07/28 18:16:51 Doing really hard work (4 / 10)
2023/07/28 18:16:52 Doing really hard work (5 / 10)
2023/07/28 18:16:53 Doing really hard work (6 / 10)
2023/07/28 18:16:53 traces export: failed to send to http://127.0.0.1:55681/v1/traces: 401 Unauthorized
2023/07/28 18:16:54 Doing really hard work (7 / 10)
2023/07/28 18:16:55 Doing really hard work (8 / 10)
2023/07/28 18:16:56 Doing really hard work (9 / 10)
2023/07/28 18:16:57 Doing really hard work (10 / 10)
2023/07/28 18:16:58 Done!
2023/07/28 18:16:58 traces export: failed to send to http://127.0.0.1:55681/v1/traces: 401 Unauthorized
2023/07/28 18:16:58 traces export: failed to send to http://127.0.0.1:55681/v1/traces: 401 Unauthorized

but it works via gRPC Connection

HOSTNAME=localhost.with-token.grpc SERVER_INFO=grpc://127.0.0.1:55680 go run .
2023/07/28 18:14:55 Waiting for connection...
2023/07/28 18:14:55 Doing really hard work (1 / 10)
2023/07/28 18:14:56 Doing really hard work (2 / 10)
2023/07/28 18:14:57 Doing really hard work (3 / 10)
2023/07/28 18:14:58 Doing really hard work (4 / 10)
2023/07/28 18:14:59 Doing really hard work (5 / 10)
2023/07/28 18:15:00 Doing really hard work (6 / 10)
2023/07/28 18:15:01 Doing really hard work (7 / 10)
2023/07/28 18:15:02 Doing really hard work (8 / 10)
2023/07/28 18:15:03 Doing really hard work (9 / 10)
2023/07/28 18:15:04 Doing really hard work (10 / 10)
2023/07/28 18:15:05 Done!

Steps to Reproduce

OTel-Collector-Contrib Config

My Go file

// 创建 OTEL 的 GRPC 连接器
func grpcExpoter(ctx context.Context, SERVER_ADDR string) (*otlptrace.Exporter, error) {
	addr := strings.TrimLeft(SERVER_ADDR, "grpc://")

	conn, err := grpc.DialContext(ctx, addr,
		// Note the use of insecure transport here. TLS is recommended in production.
		grpc.WithTransportCredentials(insecure.NewCredentials()),
		grpc.WithBlock(),
		// grpc.WithTimeout(5*time.Second),
	)

	if err != nil {
		return nil, fmt.Errorf("failed to create gRPC connection to collector: %w", err)
	}

	// Set up a trace exporter
	traceExporter, err := otlptracegrpc.New(
		ctx,
		otlptracegrpc.WithGRPCConn(conn),
		otlptracegrpc.WithHeaders(
			map[string]string{
				"authorization": `Bearer vyAQ21d5NCfUIXe`,
				"Authorization": `Bearer vyAQ21d5NCfUIXe`,
			},
		),
	)
	if err != nil {
		return nil, fmt.Errorf("failed to create trace exporter: %w", err)
	}
	return traceExporter, nil
}

func httpExporter(ctx context.Context, SERVER_ADDR string) (*otlptrace.Exporter, error) {

	SERVER_ADDR = strings.TrimPrefix(SERVER_ADDR, "https://")
	SERVER_ADDR = strings.TrimPrefix(SERVER_ADDR, "http://")

	opts := []otlptracehttp.Option{
		otlptracehttp.WithTimeout(5 * time.Second),
		otlptracehttp.WithEndpoint(SERVER_ADDR),
		otlptracehttp.WithInsecure(),
		otlptracehttp.WithHeaders(
			map[string]string{
				"authorization": `Bearer vyAQ21d5NCfUIXe`,
				"Authorization": `Bearer vyAQ21d5NCfUIXe`,
			},
		),
	}

	trace, err := otlptracehttp.New(ctx, opts...)

	return trace, err
}

Expected Result

Success

Actual Result

401 Unauthorized

Collector version

v0.81.0

Environment information

Environment

OS: (e.g., "Ubuntu 20.04")
Compiler(if manually compiled): (e.g., "go 14.2")

OpenTelemetry Collector configuration

extensions:
  basicauth/server:
    htpasswd: 
      # file: .htpasswd
      inline: |
        auth_user:auth_pass_123
  bearertokenauth/withscheme:
    scheme: Bearer
    token: vyAQ21d5NCfUIXe

receivers:
  otlp:
    protocols:
      grpc:
        endpoint: "0.0.0.0:55680"
        auth:
          # authenticator: basicauth/server
          authenticator: bearertokenauth/withscheme
      http:
        endpoint: "0.0.0.0:55681"
        auth:
          # authenticator: basicauth/server
          authenticator: bearertokenauth/withscheme

exporters:
  logging/detail:
    loglevel: debug
  alibabacloud_logservice/traces:
    endpoint: "cn-beijing.log.aliyuncs.com"
    project: "my-sls-project"
    logstore: "my-sls-logstore-traces"
    access_key_id: "xxxxxx"
    access_key_secret: "yyyyyy"
  alibabacloud_logservice/metrics:
    endpoint: "cn-beijing.log.aliyuncs.com"
    project: "my-sls-project"
    logstore: "my-sls-logstore-metrics"
    access_key_id: "xxxxxx"
    access_key_secret: "yyyyyy"
  alibabacloud_logservice/logs:
    endpoint: "cn-beijing.log.aliyuncs.com"
    project: "my-sls-project"
    logstore: "my-sls-logstore-logs"
    access_key_id: "xxxxxx"
    access_key_secret: "yyyyyy"

service:
  telemetry:
    logs:
      level: "debug"
  extensions: [basicauth/server, bearertokenauth/withscheme]
  pipelines:
    traces:
      receivers: [otlp]           #接收端配置为otlp。
      exporters: [alibabacloud_logservice/traces]   #发送端配置为alibabacloud_logservice/traces。
      # for debug
      # exporters: [logging/detail,alibabacloud_logservice/traces]
    metrics:
      receivers: [otlp]
      exporters: [alibabacloud_logservice/metrics]
    logs:
      receivers: [otlp]
      exporters: [alibabacloud_logservice/logs]

Log output

HOSTNAME=localhost.with-token.http SERVER_INFO=http://127.0.0.1:55681 go run .
2023/07/28 18:16:48 Waiting for connection...
2023/07/28 18:16:48 Doing really hard work (1 / 10)
2023/07/28 18:16:49 Doing really hard work (2 / 10)
2023/07/28 18:16:50 Doing really hard work (3 / 10)
2023/07/28 18:16:51 Doing really hard work (4 / 10)
2023/07/28 18:16:52 Doing really hard work (5 / 10)
2023/07/28 18:16:53 Doing really hard work (6 / 10)
2023/07/28 18:16:53 traces export: failed to send to http://127.0.0.1:55681/v1/traces: 401 Unauthorized
2023/07/28 18:16:54 Doing really hard work (7 / 10)
2023/07/28 18:16:55 Doing really hard work (8 / 10)
2023/07/28 18:16:56 Doing really hard work (9 / 10)
2023/07/28 18:16:57 Doing really hard work (10 / 10)
2023/07/28 18:16:58 Done!
2023/07/28 18:16:58 traces export: failed to send to http://127.0.0.1:55681/v1/traces: 401 Unauthorized
2023/07/28 18:16:58 traces export: failed to send to http://127.0.0.1:55681/v1/traces: 401 Unauthorized

Additional context

No response

@tangx tangx added bug Something isn't working needs triage New item requiring triage labels Jul 28, 2023
@github-actions
Copy link
Contributor

Pinging code owners:

See Adding Labels via Comments if you do not have permissions to add labels yourself.

@jpkrohling
Copy link
Member

@pavankrish123 @frzifus, are you able to take a look?

@tangx
Copy link
Author

tangx commented Jul 31, 2023

@jpkrohling,

Don't go into the extension via HTTP

It doesn't trigger the token comparing while the Token isn't matching.

make run.localhost.http
HOSTNAME=localhost.with-token.http SERVER_INFO=http://127.0.0.1:55681 go run .
2023/07/31 11:26:13 Waiting for connection...
2023/07/31 11:26:13 Doing really hard work (1 / 10)
2023/07/31 11:26:14 Doing really hard work (2 / 10)
2023/07/31 11:26:15 Doing really hard work (3 / 10)
2023/07/31 11:26:16 Doing really hard work (4 / 10)
2023/07/31 11:26:17 Doing really hard work (5 / 10)
2023/07/31 11:26:18 Doing really hard work (6 / 10)
2023/07/31 11:26:18 traces export: failed to send to http://127.0.0.1:55681/v1/traces: 401 Unauthorized
2023/07/31 11:26:19 Doing really hard work (7 / 10)
2023/07/31 11:26:20 Doing really hard work (8 / 10)
2023/07/31 11:26:21 Doing really hard work (9 / 10)
2023/07/31 11:26:22 Doing really hard work (10 / 10)
2023/07/31 11:26:23 traces export: failed to send to http://127.0.0.1:55681/v1/traces: 401 Unauthorized
2023/07/31 11:26:23 Done!
2023/07/31 11:26:23 traces export: failed to send to http://127.0.0.1:55681/v1/traces: 401 Unauthorized

everything goes as expect via gRPC.

make run.localhost.grpc
HOSTNAME=localhost.with-token.grpc SERVER_INFO=grpc://127.0.0.1:55680 go run .

2023/07/31 11:25:58 Waiting for connection...
2023/07/31 11:25:58 Doing really hard work (1 / 10)
2023/07/31 11:25:59 Doing really hard work (2 / 10)
2023/07/31 11:26:00 Doing really hard work (3 / 10)
2023/07/31 11:26:01 Doing really hard work (4 / 10)
2023/07/31 11:26:02 Doing really hard work (5 / 10)
2023/07/31 11:26:03 Doing really hard work (6 / 10)
2023/07/31 11:26:03 traces export: rpc error: code = Unknown desc = scheme or token does not match: Bearer vyAQ21d5NCfUIXe_____
2023/07/31 11:26:04 Doing really hard work (7 / 10)
2023/07/31 11:26:05 Doing really hard work (8 / 10)
2023/07/31 11:26:06 Doing really hard work (9 / 10)
2023/07/31 11:26:07 Doing really hard work (10 / 10)
2023/07/31 11:26:08 Done!
2023/07/31 11:26:08 traces export: rpc error: code = Unknown desc = scheme or token does not match: Bearer vyAQ21d5NCfUIXe_____
2023/07/31 11:26:08 traces export: rpc error: code = Unknown desc = scheme or token does not match: Bearer vyAQ21d5NCfUIXe_____

@github-actions
Copy link
Contributor

github-actions bot commented Oct 2, 2023

This issue has been inactive for 60 days. It will be closed in 60 days if there is no activity. To ping code owners by adding a component label, see Adding Labels via Comments, or if you are unsure of which component this issue relates to, please ping @open-telemetry/collector-contrib-triagers. If this issue is still relevant, please ping the code owners or leave a comment explaining why it is still relevant. Otherwise, please close it.

Pinging code owners:

See Adding Labels via Comments if you do not have permissions to add labels yourself.

@jpkrohling
Copy link
Member

Sorry for taking so long to take a look at this, I've added this to my queue.

@pollosp
Copy link

pollosp commented Nov 27, 2023

Same problem here with HTTP receiver as @tangx

@nagashan
Copy link
Contributor

Same problem here with HTTP receiver.
image

Its because of We are always trying to get the authorization with the lower case from headers, But The headers from Http is received as Authorization even-though we sent in lower case.

image
image

@nagashan
Copy link
Contributor

#29992

bogdandrutu pushed a commit that referenced this issue Dec 21, 2023
…"401 Unauthorized" via HTTP connection #24656 (#29992)

Fix for extension Always return "401 Unauthorized" via HTTP connection
#24656

**Description:** We are always trying to get the `authorization` with
the lower case from headers, But The headers from Http is received as
`Authorization` capitalcase even-though we sent in lower case.

**Link to tracking Issue:**
<[24656](#24656)>

**Testing:** Tested in the local
<img width="1060" alt="Screenshot 2023-12-17 at 5 28 26 PM"
src="https://github.com/open-telemetry/opentelemetry-collector-contrib/assets/94837505/a7401d32-9ce2-4ac5-b4a4-94b43d1efcc8">
<img width="919" alt="Screenshot 2023-12-17 at 5 32 11 PM"
src="https://github.com/open-telemetry/opentelemetry-collector-contrib/assets/94837505/b7778fc1-1dee-487a-8458-669b8bf5ec2e">
<img width="890" alt="Screenshot 2023-12-17 at 5 34 12 PM"
src="https://github.com/open-telemetry/opentelemetry-collector-contrib/assets/94837505/369577d3-7ddf-45e9-be25-81e699e56e2a">

---------

Co-authored-by: Curtis Robert <crobert@splunk.com>
cparkins pushed a commit to AmadeusITGroup/opentelemetry-collector-contrib that referenced this issue Jan 10, 2024
…"401 Unauthorized" via HTTP connection open-telemetry#24656 (open-telemetry#29992)

Fix for extension Always return "401 Unauthorized" via HTTP connection
open-telemetry#24656

**Description:** We are always trying to get the `authorization` with
the lower case from headers, But The headers from Http is received as
`Authorization` capitalcase even-though we sent in lower case.

**Link to tracking Issue:**
<[24656](open-telemetry#24656)>

**Testing:** Tested in the local
<img width="1060" alt="Screenshot 2023-12-17 at 5 28 26 PM"
src="https://github.com/open-telemetry/opentelemetry-collector-contrib/assets/94837505/a7401d32-9ce2-4ac5-b4a4-94b43d1efcc8">
<img width="919" alt="Screenshot 2023-12-17 at 5 32 11 PM"
src="https://github.com/open-telemetry/opentelemetry-collector-contrib/assets/94837505/b7778fc1-1dee-487a-8458-669b8bf5ec2e">
<img width="890" alt="Screenshot 2023-12-17 at 5 34 12 PM"
src="https://github.com/open-telemetry/opentelemetry-collector-contrib/assets/94837505/369577d3-7ddf-45e9-be25-81e699e56e2a">

---------

Co-authored-by: Curtis Robert <crobert@splunk.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Something isn't working extension/bearertokenauth
Projects
None yet
Development

No branches or pull requests

4 participants