request help: apisix plugin authz-keycloak fail #4840

Closed
liyang1518 opened this issue Aug 17, 2021 · 5 comments · Fixed by #4845

liyang1518 commented Aug 17, 2021

Issue description

router info:

    {
      "uris": [
        "/*"
      ],
      "name": "router",
      "plugins": {
        "authz-keycloak": {
          "audience": "spring-client",
          "cache_ttl_seconds": 86400,
          "grant_type": "urn:ietf:params:oauth:grant-type:uma-ticket",
          "http_method_as_scope": false,
          "keepalive": true,
          "keepalive_pool": 5,
          "keepalive_timeout": 60000,
          "lazy_load_paths": false,
          "policy_enforcement_mode": "ENFORCING",
          "ssl_verify": true,
          "timeout": 3000,
          "token_endpoint": "http://127.0.0.1:8090/auth/realms/spring/protocol/openid-connect/token"
        }
      },
      "upstream_id": "368495760469131974",
      "status": 1
    }

upstream info
{"nodes":[{"host":"192.168.3.101","port":8081,"weight":10},{"host":"192.168.3.101","port":8082,"weight":10}],"timeout":{"connect":6,"read":6,"send":6},"type":"roundrobin","scheme":"http","pass_host":"pass","name":"gateway"}

APISIX service IP: 192.168.2.67

request:
GET http://192.168.2.67:9080/products
GET /products HTTP/1.1
Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJYRkttc0JQLUgtX2twdUNCVXFvTk1kcUlWc3RZT1FDbzVBUzR2bVdULUFVIn0.eyJleHAiOjE2MjkxOTQ3ODMsImlhdCI6MTYyOTE5NDQ4MywianRpIjoiNTE3ZTg1Y2MtZjBjNi00M2NjLTk1M2YtYTU5NzQ3N2ExYTI3IiwiaXNzIjoiaHR0cDovLzE5Mi4xNjguMi42Nzo4MDgwL2F1dGgvcmVhbG1zL3NwcmluZyIsImF1ZCI6ImFjY291bnQiLCJzdWIiOiI2NGUyYTQzYS0wODc3LTQ4ZDUtOTNhOS1iMDQ1MTU0MzA3OWIiLCJ0eXAiOiJCZWFyZXIiLCJhenAiOiJzcHJpbmctY2xpZW50Iiwic2Vzc2lvbl9zdGF0ZSI6IjU1MjU3NDhlLTkzMzgtNDAyOC1hZDYzLTdkNTUxNTI3MWFlOCIsImFjciI6IjEiLCJyZWFsbV9hY2Nlc3MiOnsicm9sZXMiOlsic3ByaW5nLXJvbGUiLCJkZWZhdWx0LXJvbGVzLXNwcmluZyIsIm9mZmxpbmVfYWNjZXNzIiwidW1hX2F1dGhvcml6YXRpb24iXX0sInJlc291cmNlX2FjY2VzcyI6eyJhY2NvdW50Ijp7InJvbGVzIjpbIm1hbmFnZS1hY2NvdW50IiwibWFuYWdlLWFjY291bnQtbGlua3MiLCJ2aWV3LXByb2ZpbGUiXX19LCJzY29wZSI6Im9wZW5pZCBwcm9maWxlIGVtYWlsIiwic2lkIjoiNTUyNTc0OGUtOTMzOC00MDI4LWFkNjMtN2Q1NTE1MjcxYWU4IiwiZW1haWxfdmVyaWZpZWQiOmZhbHNlLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJhZG1pbiJ9.GGh5JYppeTOeMVblk3br4A6f4kvn51u0kvFXLJuBknvHm9aPnlWY6JisXZaWSKcQgqTworpXZc1K5Qify7Go0B30MJpJRbuHQh3fCPbPxG1obqVYzQQNgTHeel936shG8BrdWy5D-w-eYfnQfUY-6jV5R0Yg1lAvk41sv_K2P8dltmRHxazFnh5vUeCTpRpaSbeA7SWig6dcdBaD3cHI-mhscKar16QFQNfzuPN5JWuItgl2I1btLq26y6F1xyr8Bg1jGzv1Si9YZBUn6QnsNmKcTO9q9Exk0IMxjtaVLXX2lvCKCc_i4kBsAtyjU-GH-pAAZi1RC0nhd9psP8X8ng
User-Agent: PostmanRuntime/7.26.8
Accept: */*
Cache-Control: no-cache
Postman-Token: 111b752e-0821-4a03-837a-14aff5e11209
Host: 192.168.2.67:9080
Accept-Encoding: gzip, deflate, br
Connection: keep-alive

HTTP/1.1 500 Internal Server Error
Date: Tue, 17 Aug 2021 10:01:26 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 553
Connection: close
ETag: "611b237b-229"
Server: APISIX/2.6

<title>500 Internal Server Error</title> <style> body { width: 35em; margin: 0 auto; font-family: Tahoma, Verdana, Arial, sans-serif; } </style>

An error occurred.

You can report issue to APISIX

Faithfully yours, APISIX.

Environment

  • apisix version (cmd: apisix version):
  • OS (cmd: uname -a):
  • OpenResty / Nginx version (cmd: nginx -V or openresty -V):
  • etcd version, if have (cmd: run curl http://127.0.0.1:9090/v1/server_info to get the info from server-info API):
  • apisix-dashboard version, if have:
  • luarocks version, if the issue is about installation (cmd: luarocks --version):

curl http://127.0.0.1:9000/v1/server_info

<title>Apache APISIX Dashboard</title>

tzssangglass (Member) commented Aug 18, 2021

It could be a bug.

    local permission
    if conf.lazy_load_paths then
        -- Ensure service account access token.
        local sa_access_token, err = authz_keycloak_ensure_sa_access_token(conf)
        if err then
            return 500, err
        end
        -- Resolve URI to resource(s).
        permission, err = authz_keycloak_resolve_resource(conf, ctx.var.request_uri,
                                                          sa_access_token)
        -- Check result.
        if permission == nil then
            -- No result back from resource registration endpoint.
            return 500, err
        end
    else
        -- Use statically configured permissions.
        permission = conf.permissions
    end
    -- Return 403 if permission is empty and enforcement mode is "ENFORCING".
    if #permission == 0 and conf.policy_enforcement_mode == "ENFORCING" then

conf.lazy_load_paths = false and conf.permissions = nil, so permission has no initialization and is still nil.
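
The failure discussed in this comment, reduced to a stand-alone Lua model (an added example, not APISIX source and not the change merged in #4845). The `conf` table mirrors the route in this issue; `evaluate_as_quoted`, `evaluate_guarded`, the `"continue"` return value and the `hypothetical-resource` permission are assumptions made for illustration.

```lua
-- Stand-alone model of the quoted branch; runs with plain Lua or LuaJIT.
-- Constructed config: lazy_load_paths = false and no `permissions` key,
-- exactly the combination used by the route in this issue.
local conf = {
    lazy_load_paths = false,
    policy_enforcement_mode = "ENFORCING",
}

-- Behaviour as quoted: with static permissions unset, `permission` is nil
-- and the length operator raises, which the gateway reports as a 500.
local function evaluate_as_quoted(c)
    local permission
    if c.lazy_load_paths then
        permission = {}            -- lazy resolution is not modelled here
    else
        permission = c.permissions
    end
    if #permission == 0 and c.policy_enforcement_mode == "ENFORCING" then
        return 403
    end
    return "continue"              -- Keycloak decision request not modelled
end

-- Guarded variant (an assumption, not the merged fix): a missing list is
-- treated as empty, so ENFORCING mode denies with 403 instead of crashing.
local function evaluate_guarded(c)
    local permission
    if c.lazy_load_paths then
        permission = {}
    else
        permission = c.permissions or {}
    end
    if #permission == 0 and c.policy_enforcement_mode == "ENFORCING" then
        return 403
    end
    return "continue"
end

-- pcall captures the runtime error instead of aborting the script.
local ok, err = pcall(evaluate_as_quoted, conf)
print("as quoted, permissions unset:", ok, err)
print("guarded, permissions unset:  ", evaluate_guarded(conf))

-- Once a static permission is configured, both variants reach the
-- authorization step.
conf.permissions = { "hypothetical-resource" }
print("as quoted, permissions set:  ", evaluate_as_quoted(conf))
print("guarded, permissions set:    ", evaluate_guarded(conf))
```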

liyang1518 (Author) commented Aug 18, 2021

> It could be a bug.
>
>     local permission
>     if conf.lazy_load_paths then
>         -- Ensure service account access token.
>         local sa_access_token, err = authz_keycloak_ensure_sa_access_token(conf)
>         if err then
>             return 500, err
>         end
>         -- Resolve URI to resource(s).
>         permission, err = authz_keycloak_resolve_resource(conf, ctx.var.request_uri,
>                                                           sa_access_token)
>         -- Check result.
>         if permission == nil then
>             -- No result back from resource registration endpoint.
>             return 500, err
>         end
>     else
>         -- Use statically configured permissions.
>         permission = conf.permissions
>     end
>     -- Return 403 if permission is empty and enforcement mode is "ENFORCING".
>     if #permission == 0 and conf.policy_enforcement_mode == "ENFORCING" then
>
> conf.lazy_load_paths = false, permission has no initialization, still nil.

I think so too. How can I view the debug log for authz-keycloak.lua? Such as: log.debug("Resource registration endpoint: ", resource_registration_endpoint)

tzssangglass (Member) commented

You need to configure the conf.permissions.

tzssangglass (Member) commented

> How can I view the debug log for authz-keycloak.lua? Such as: log.debug("Resource registration endpoint: ", resource_registration_endpoint)

  1. advanced-debug-mode

  2. change-the-log-level

liyang1518 (Author) commented

fix it
