spring kerberos missing negotiated request

I have a spring security based kerberos authentication which has been working fine, however, suddenly it started missing the negotiated request (the 2nd request from client after spring initiated the NEGOTIATE).

1st state:

somehow, instead of sending two requests from client, spring only received the first request, followed by a call to /favicon, which instead should be same endpoint if it’s working.

I have then added /favicon to the permitAll() list, which then resulted in 2nd state.

2nd state:

only single request reached to spring MVC

Lesson learnt here, it could never log too much during debuging/troubleshooting

It took me really a great mount of time to figure this out, but in short, it’s due to the HTTP header from client after KDC/TGT’s encrypted message suddenly become larger (likely KDC/TGT has sent more data) than tomact default threshold.

The changes:

The working result:

docker non-root with NFS mount

there are two steps in switch docker to non root and mount with NFS. however, there are several knowns issues with the switch as well

1. switch to non root

//in dockerfile

//add the group and user
RUN groupadd -g $GID <groupname> && useradd -lms /bin/bash -g $GID -u $UID <username>

//switch to non root
USER <username>

the group id and user is needed in order to mount the NFS or any existing directory for the existing user (the non root user). otherwise, it’s not needed if mount is not needed.

there is an issue with large group id and user id,

https://github.com/moby/moby/issues/5419

https://stackoverflow.com/questions/73351423/docker-build-hangs-when-adding-user-with-a-large-value-of-user-id-uid

the solution is to disable the logging, which otherwise would explode the lastlog and faillog in docker, which took more than 200GB in our case for a super large user id (9 digit).

2. then to mount the NFS, if its existing directory, the file/folder permissions would copied over to the container (now with same user/group id)

How to deal with high user id in a dockerfile

https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#user

https://github.com/golang/go/issues/13548

spring kafka error handling

with spring, there is a default retryTemplate bundled with kafka consumer, which would retry 3 times for all exceptions encountered.

To customize the retry policy, this could be configured in the `containerFactory`

//this is deprecated in newer version of spring in favor of error handler
factory.setRetryTemplate(....);

spring failed to configure a datasource: url attribute is not specified

encountering the said exception again lately with a introduction of a local library, the solution is to exclude the auto config:

@SpringBootAppplication(exclude={
     DataSourceAutoConfiguration.class
})

pass in null parameter from jdbctemplate

i have a query where some of the parameter is optional, something like

String PERMS = """
  select .....
  where ...
  and (:app is null or a.app=:app)
""";

this query and corresponding DAO method works fine when the parameter is not null, however would fail for both jdbctemplate or namedJdbcTemplate.

Turned out the trick is two folded:

1. from the sql side, tell the dbms and its driver what’s the type of the optional parameter

String PERMS = """
  select .....
  where ...
  and (:app::text is null or a.app=:app)
""";

2. with namedjdbcTemplate, pass in the type (0) to the jdbc driver

MapSqlParamterSource params = ..
params.addValue("app", null, Types.NULL)

netflix dgs graphql with nginx

when dgs is running behind a reverse proxy, the graphiql is not working:

Expected behavior

When dgs is accessed directly, the graphiql is working.

When dgs is accessed from reverse proxy, the graphiql should work as well.

Actual behavior

When dgs is accessed from reverse proxy, the graphiql stopped working.

Steps to reproduce

1. set up nginx as a reverse proxy, point /data to the backend dgs service (assume it’s dataprovider)
2. access graphiql from http://<nginx_server>/data/graphiql

Note: A test case would be highly appreciated, but we understand that’s not always possible

Some RCA

The issue is due to in graphiql, its trying to fetch the graphql path as absolute path:

this would assume the graphql is at the root, which won’t be true with an existence of reverse proxy.

Possible Solution

The solution is to change that path to a relative path as ./graphql.

Isuse:

https://github.com/Netflix/dgs-framework/issues/1203

The fix is to point dgs graphiql at the relative path instead of root:

PR: https://github.com/Netflix/dgs-framework/pull/1204

With MR: #1204, and bump dgs version to 5.2.1, it’s now working both w/ and w/o reverse proxy.

w/

w/o

kotlin on intellij

i was trying to run the netflix dgs framework on intellij, somehow it complained “unresolved references” even the referenced is already on the classpath (configured in gradle).

Turns out this is something with intellij. Did a invalid cache and restart, it worked.

cname vs a record

cname:

A Canonical Name or CNAME record is a type of DNS record that maps an alias name to a true or canonical domain name. CNAME records are typically used to map a subdomain such as www or mail to the domain hosting that subdomain’s content.

https://support.google.com/a/answer/112037?hl=en#zippy=%2Cset-up-cname-records-now

vs a record

An A record maps a domain name to the IP address (Version 4) of the computer hosting the domain. An A record uses a domain name to find the IP address of a computer connected to the internet

https://support.dnsimple.com/articles/a-record/

the difference, in a nutshell, being, cname normally is an alias mapping to a single server. while A record should map to a list of servers, which could be load balanced.

vim commands

to show line number

:set number

to update line feed

:set ff=unix

autojump on WSL (ubuntu)

after installing autojump, zsh is complaing a parse error

this is because somehow the line feed is messed up, maybe during git checkout of the autojump repo.

To fix it, vi the two scripts above, change to unix and reload.

:set ff=unix