Authorisation with keycloak


Malcolm Illingworth

Feb 2, 2026, 9:53:18 AM
to projectnessie
Hi,
I'm pretty new to using Project Nessie. I've got a Nessie instance deployed in kubernetes, and I'm trying to authorise the instance using a keycloak instance within the same cluster. I'm connecting via a spark client. If I switch off authorisation in nessie, everything works fine. If I switch authorisation on and pass a bad token, I see a clear authorisation error, and the keystone instance logs the bad access token. But if I pass a valid token with authorisation on, Keystone doesn't appear to be getting called, and the authorisation appears to fail more or less silently with nothing obvious in the nessie logs. Any suggestions on where to start debugging? 

On the nessie server side, I've set the following:

```
authentication:
  enabled: true
  oidcAuthServerUrl: **REDACTED**
  oidcClientId: astroflow
  oidcClientSecret:
    valueFrom:
      secretKeyRef:
        name: client-secret
        key: client_secret
authorization:
  enabled: true
  rules:
    allow_all: true
```
In the spark client, I'm setting the following properties:

```
from pyspark.sql import SparkSession

# nessie_api_url, nessie_ref, NESSIE_BEARER_TOKEN and full_path_to_warehouse are
# assigned earlier in the script (values not shown in the post).
spark = (
    SparkSession.builder
    .config("spark.jars.packages", "org.apache.iceberg:iceberg-spark-runtime-3.5_2.12:1.8.1,org.projectnessie.nessie-integrations:nessie-spark-extensions-3.5_2.12:0.103.3")
    .config("spark.sql.catalog.nessie.uri", nessie_api_url)
    .config("spark.sql.catalog.nessie.ref", nessie_ref)
    .config("spark.sql.catalog.nessie.authentication.type", "BEARER")
    .config("spark.sql.catalog.nessie.authentication.token", NESSIE_BEARER_TOKEN)
    .config("spark.sql.catalog.nessie.catalog-impl", "org.apache.iceberg.nessie.NessieCatalog")
    .config("spark.sql.catalog.nessie.warehouse", full_path_to_warehouse)
    .config("spark.sql.catalog.nessie", "org.apache.iceberg.spark.SparkCatalog")
    .getOrCreate()
)
```
I get the following error back in the Spark client:
```
org.projectnessie.client.rest.NessieNotAuthorizedException: Unauthorized (HTTP/401): got empty response body from server Additionally, the client-side error below was caught while decoding the HTTP response: org.apache.iceberg.shaded.com.fasterxml.jackson.databind.exc.MismatchedInputException: Cannot deserialize value of type `org.projectnessie.error.ImmutableNessieError` from [Unavailable value] (token `JsonToken.NOT_AVAILABLE`)
```
The only relevant error I can see in the nessie logs is the following:
```
2026-01-28 17:18:18,238 INFO  [io.qua.htt.access-log] (vert.x-eventloop-thread-46) 172.17.245.16 - - [28/Jan/2026:17:18:18 +0000] "GET /api/v1/config HTTP/1.1" 401 -
2026-01-28 17:18:18,274 INFO  [io.qua.htt.access-log] (vert.x-eventloop-thread-46) 172.17.245.16 - - [28/Jan/2026:17:18:18 +0000] "GET /api/v1/trees/tree/main?fetch=MINIMAL HTTP/1.1" 401 -
2026-01-29 15:44:33,388 WARN  [org.pro.ser.dis.CacheInvalidationSender] (vert.x-eventloop-thread-2) Failed to resolve service names: io.vertx.core.dns.DnsException: DNS query error occurred: NXDOMAIN: type 3, name error
```
Many thanks,
Malcolm
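A first check a practitioner would run on the symptom described in the post above (a token the client believes is valid, a 401 with an empty body from the server, and no corresponding request reaching the identity provider). OIDC resource-server libraries normally validate a JWT's issuer, audience and expiry locally after fetching the signing keys once, so an identity provider that logs nothing for a rejected token is consistent with one of those local checks failing, the classic case being a token minted under Keycloak's external hostname while the server was configured with the in-cluster service URL. The script below is an added example, not code from the original post or from Project Nessie: it decodes the token's claims without verifying the signature and compares them with the issuer and client id the server was configured with. The issuer URLs, the fixed clock and the tokens are constructed values; the `make_token` helper produces a dummy signature purely so the example runs offline.

```python
"""Inspect a bearer token's claims before suspecting the server.

Added example (not Nessie or Quarkus code). Decodes a JWT payload WITHOUT
verifying the signature and reports the claim mismatches that make a resource
server reject a token locally: wrong issuer, wrong audience/client, expiry.
"""
import base64
import json
import time


def b64url_decode(segment):
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_unverified(token):
    """Return (header, payload). The signature is NOT checked; inspection only."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected 3 dot-separated segments, got %d" % len(parts))
    header = json.loads(b64url_decode(parts[0]))
    payload = json.loads(b64url_decode(parts[1]))
    return header, payload


def check_token(token, expected_issuer, expected_client_id, now=None):
    """List mismatches between the token's claims and the server's OIDC settings.

    An empty list means iss/aud/exp look consistent; the signature and the
    signing key still have to be checked by the server itself.
    """
    now = time.time() if now is None else now
    findings = []
    header, claims = decode_jwt_unverified(token)

    if header.get("alg") == "none":
        findings.append("alg=none: token is unsigned and will be rejected")

    # Issuer must match the configured auth server URL exactly (scheme, host,
    # port, realm path, trailing slash). In-cluster vs external hostnames differ.
    iss = claims.get("iss")
    if iss != expected_issuer:
        findings.append("iss mismatch: token says %r, server expects %r" % (iss, expected_issuer))

    # Keycloak access tokens often carry the requesting client in `azp` while
    # `aud` is "account"; accept either place for the configured client id.
    aud = claims.get("aud", [])
    if isinstance(aud, str):
        aud = [aud]
    if expected_client_id not in aud and claims.get("azp") != expected_client_id:
        findings.append("client %r not in aud %r and not azp" % (expected_client_id, aud))

    exp = claims.get("exp")
    if exp is None:
        findings.append("no exp claim")
    elif exp <= now:
        findings.append("expired %ds ago" % int(now - exp))
    return findings


def make_token(claims, alg="RS256"):
    """Build a constructed JWT with a dummy signature, for this example only."""
    def seg(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([seg({"alg": alg, "typ": "JWT"}), seg(claims), seg({"sig": "dummy"})])


# Constructed values: the issuer the server was configured with (an in-cluster
# URL), a fixed clock, and three sample tokens.
SERVER_ISSUER = "http://keycloak.auth.svc.cluster.local:8080/realms/nessie"  # assumed
CLIENT_ID = "astroflow"
NOW = 1769620000  # fixed clock so results are reproducible

GOOD = make_token({"iss": SERVER_ISSUER, "aud": CLIENT_ID, "exp": NOW + 300, "sub": "spark"})
WRONG_ISSUER = make_token({"iss": "https://keycloak.example.com/realms/nessie",
                           "aud": CLIENT_ID, "exp": NOW + 300, "sub": "spark"})
EXPIRED = make_token({"iss": SERVER_ISSUER, "aud": ["account"], "azp": CLIENT_ID,
                      "exp": NOW - 60, "sub": "spark"})

if __name__ == "__main__":
    for name, tok in [("good", GOOD), ("wrong_issuer", WRONG_ISSUER), ("expired", EXPIRED)]:
        print(name, check_token(tok, SERVER_ISSUER, CLIENT_ID, now=NOW) or "ok")
```

To apply this to a real token, paste the value you pass to the Spark client into `check_token` together with the `oidcAuthServerUrl` and `oidcClientId` from the server configuration; a non-empty result points at the client or the identity provider configuration rather than at Nessie's authorization rules.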

Dmitri Bourlatchkov

Feb 2, 2026, 10:40:16 AM
to Malcolm Illingworth, projectnessie
Hi Malcolm,

Let's continue this discussion in Zulip: #general > authorisation with keycloak and kubernetes

Cheers,
Dmitri.



--
Dmitri Bourlatchkov
Senior Staff Software Engineer, Dremio

