I have an issue that after pushing the applications, both scdf server and skipper, fails to start due to authentication error. This is related to the internal scdf user (deployer user) which stop/start that tasks/apps.
The user that set in the yml file is a space developer and org manager.
Is was created with cf command - ( cf create-user ).
Trying to login manually with this user succeed only with
"cf auth [user] [pwd] --origin uaa"
However trying to login with
"cf login -u [user] -p [pwd] fails.
How can I set scdf to authenticated it's deployment internal user with cf auth and not cf login as this is the authentication method seems to be applied?
Will appreciate any assistance here
When setting my organisation credentials the issue solved. This hints that skipper authentication implementation applied with "cf login -user" ... since this is how i login to cf.
However deploying skipper server with personal credentials is not allowed.
My skipper yaml configuration related to this issue are:
*JBP_CONFIG_SPRING_AUTO_RECONFIGURATION: '{enabled: false}'
SPRING_CLOUD_SKIPPER_SERVER_PLATFORM_CLOUDFOUNDRY_ACCOUNTS[default]_CONNECTION_ORG: org1 SPRING_CLOUD_SKIPPER_SERVER_PLATFORM_CLOUDFOUNDRY_ACCOUNTS[default]_CONNECTION_SKIP_SSL_VALIDATION: false
SPRING_CLOUD_SKIPPER_SERVER_PLATFORM_CLOUDFOUNDRY_ACCOUNTS[default]_CONNECTION_SPACE: space1 SPRING_CLOUD_SKIPPER_SERVER_PLATFORM_CLOUDFOUNDRY_ACCOUNTS[default]_CONNECTION_URL: <our cf api domain> SPRING_CLOUD_SKIPPER_SERVER_PLATFORM_CLOUDFOUNDRY_ACCOUNTS[default]_CONNECTION_USERNAME: admin-user
SPRING_CLOUD_SKIPPER_SERVER_PLATFORM_CLOUDFOUNDRY_ACCOUNTS[default]_CONNECTION_PASSWORD: some-password
SPRING_CLOUD_SKIPPER_SERVER_PLATFORM_CLOUDFOUNDRY_ACCOUNTS[default]_DEPLOYMENT_DOMAIN: <domain>*
The error from skipper is: (User authentication failed)
ERROR .a.CloudFoundryPlatformAutoConfiguration : Cloud Foundry platform account [default] could not be registered: unauthorized: invalid_grant ;User authentication failed. Error creating bean with name 'deployerInitializationService' defined in class path resource [org/springframework/cloud/skipper/server/config/SkipperServerPlatformConfiguration.class]: Unsatisfied dependency expressed through method 'deployerInitializationService' parameter 1; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'cloudFoundryPlatform' defined in class path resource [org/springframework/cloud/skipper/server/autoconfigure/CloudFoundryPlatformAutoConfiguration.class]: Bean instantiation via factory method failed; nested exception is org.springframework.beans.BeanInstantiationException: Failed to instantiate [org.springframework.cloud.skipper.domain.Platform]: Factory method 'cloudFoundryPlatform' threw exception; nested exception is org.springframework.cloud.skipper.SkipperException: unauthorized: {"error":"invalid_grant","error_description":"User authentication failed."}
currently the relevant code of both spring data flow server and skipper is not supported to login with no-default uaa.
an issue created to spring data flow. (https://github.com/spring-cloud/spring-cloud-deployer-cloudfoundry/issues/316)
There is support non-default UAA, since spring cloud data flow skipper 2.2.0.RC1 and data flow server 2.3.0.RC1.
Issue resolved.
Related
I registered dataflow with command : gcloud deployment-manager type-providers create dataflow --descriptor-url='https://dataflow.googleapis.com/$discovery/rest?version=v1b3'
When i run this script
- name: "my-topic-to-avro"
type: 'project_id/dataflow:dataflow.projects.locations.templates.launch'
properties:
projectId: project_id
gcsPath: "gs://test-create-123"
jobName: "my-topic-to-avro"
location: "europe-west1"
parameters:
inputTopic: "projects/project_id/topics/test"
outputDirectory: "gs://test-create-123/"
avroTempDirectory: "gs://test-create-123/"
In output i have this :
ERROR: (gcloud.beta.deployment-manager.deployments.update) Error in Operation [operation-1598980583c2a0ec69]: errors:
- code: RESOURCE_ERROR
location: /deployments/quick-deployment/resources/my-topic-to-avro
message: '{"ResourceType":"project_id/dataflow:dataflow.projects.locations.templates.launch","ResourceErrorCode":"401","ResourceErrorMessage":{"code":401,"message":"Request
is missing required authentication credential. Expected OAuth 2 access token,
login cookie or other valid authentication credential. See https://developers.google.com/identity/sign-in/web/devconsole-project.","status":"UNAUTHENTICATED","statusMessage":"Unauthorized","requestPath":"https://dataflow.googleapis.com/v1b3/projects/project_id/locations/europe-west1/templates:launch","httpMethod":"POST"}}'
I can have my token run command : gcloud auth print-access-token, but i don't know where insert my value and the schema for my yaml to insert all value to create dataflow.
Any help appreciated.
The "401 - Request is missing required authentication credential" error message that is triggered when doing a POST request to the Dataflow API is due to a missing credential. The following public reference explains in detail how to use OAuth 2.0 to access Google APIs. Please read it carefully and make sure to follow the steps as mentioned to avoid any errors.
Another place to check this is double check that the Dataflow API is enabled and try setting "GOOGLE_APPLICATION_CREDENTIALS" to point to the JSON of the service account you are using.
I found this Authentication documentation where is mentioned that you can use the Authorization header to supply an access token from the project's service account, you can also try with this method but is important t o clarify that is an example for GKE cluster.
I noticed this question was addressed in this post.
I'm creating API using Django REST framework and trying to connect my mobile app to web API. I didn't have any problems with local environment. However, after I deployed API into elastic beanstalk and tried with production url, I can never successful. API always returns 401.
I was successful in registering the user's account and token is correct and also endpoints that doesn't require authentication works as expected but I cannot authenticate the user on production environment.
Error log just say 401.
What is the cause of error possibly? Anyone who has encountered the similar issue? I have no idea how I can find the cause of this kind of error.
401 usually your authorization header is not reaching the application. It's a common problem in beanstalk you can fix this by adding this command to container_commands in config and then executing it.
container_commands:
03wsgipass:
command: 'echo "WSGIPassAuthorization On" >> ../wsgi.conf'
Hope this helps
I am extending a userstore manager ActiveDirectoryUserStoreManager for WSO2AM 2.1.0 overriding the protected String[] doGetExternalRoleListOfUser method to add roles from an external authorization service (roles are used for scope authorization).
All looks working locally, but in other environments (deployed on kubernetes) when requesting a token (code grant) I got following exception: Error occurred while accessing Java Security Manager Privilege Block
(other grant types are working with no issue)
Error occurred while issuing the access token for Client ID : ddSiloINsMx5fwp08FqqF62hcaaa, User ID null, Scope : [] and Grant Type : authorization_code More
ERROR {org.wso2.carbon.identity.oauth2.OAuth2Service} - Error occurred while issuing the access token for Client ID : ddSiloINsMx5fwp08FqqF62hcaaa, User ID null, Scope : [] and Grant Type : authorization_code
java.util.AbstractCollection.addAll(AbstractCollection.java:343)
org.wso2.carbon.apimgt.keymgt.ScopesIssuer.setScopes(ScopesIssuer.java:110)
org.wso2.carbon.apimgt.keymgt.handlers.ExtendedAuthorizationCodeGrantHandler.validateScope(ExtendedAuthorizationCodeGrantHandler.java:48)
org.wso2.carbon.identity.oauth2.token.AccessTokenIssuer.issue(AccessTokenIssuer.java:242)
...
ERROR {org.wso2.carbon.apimgt.keymgt.issuers.RoleBasedScopesIssuer} - Error when getting the tenant's UserStoreManager or when getting roles of user
org.wso2.carbon.user.core.common.AbstractUserStoreManager.callSecure(AbstractUserStoreManager.java:177)
org.wso2.carbon.user.core.common.AbstractUserStoreManager.getRoleListOfUser(AbstractUserStoreManager.java:2586)
org.wso2.carbon.apimgt.keymgt.issuers.RoleBasedScopesIssuer.getScopes(RoleBasedScopesIssuer.java:118)
org.wso2.carbon.apimgt.keymgt.ScopesIssuer.setScopes(ScopesIssuer.java:109)
...
ERROR {org.wso2.carbon.user.core.common.AbstractUserStoreManager} - Error occurred while accessing Java Security Manager Privilege Block
Checking the source code I see there are secure calls made (callSecure), which I don't see immediate reason (though I assume there must be a security reason if someone made so much effort).
The same issue pops up whe nvalidating the token (invoking an API requiring a scope)
As it is working locally, atm I am unable to provide a working testable (repeatable) case, as soon I have one I will update the question.
Using default AD userstore manager there's no issue whatsoever, just we don't have the external roles available for authorization
There was another log entry in the wso2carbon.log (though not in the console - logs available through the carbon console)
Caused by: java.lang.NullPointerException
at org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager.getLDAPRoleListOfUser(ReadOnlyLDAPUserStoreManager.java:1928)
at org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager.doGetExternalRoleListOfUser(ReadOnlyLDAPUserStoreManager.java:2041)
at com.rd.poa.auth.roleuserstore.ExtRoleUserstore.doGetExternalRoleListOfUser(ExtRoleUserstore.java:162)
at org.wso2.carbon.user.core.common.AbstractUserStoreManager.doGetRoleListOfUser(AbstractUserStoreManager.java:3730)
at org.wso2.carbon.user.core.common.AbstractUserStoreManager.getRoleListOfUser(AbstractUserStoreManager.java:2615)
seems users were members of groups outside the "GroupSearch" filter. Making the group search base containing all LDAP group seems to help (so far)
another needed action was stripping the FEDERATED realm from the username WSO2AM2.1.0-update12 scope roles for federated users
I'm trying to login Cloud Foundry endpoint.
But when I connect by Cloud Foundry CLI, I get a error message below:
C:\Users\abc>cf login -a https://xxx.predix-
uaa.run.aws-usw02-pr.ice.predix.io
API endpoint: https://xxx.predix-uaa.run.aws-us
w02-pr.ice.predix.io
Not logged in. Use 'cf login' to log in.
FAILED
Error performing request: Get /login: unsupported protocol scheme ""
Please help!
The issue is likely that you are not specifying your CF API endpoint url. Please contact your platform operator to confirm what it should be.
We'll improve the error message, but what seems to be happening is that the cf CLI tries to retrieve a json configuration from [api-endpoint]/v2/info, but not getting the response it expects.
It then builds a URL to the login endpoint from the "authorization_endpoint" that should be advertised in that json configuration. As that field is not in your response, it tries to access "/login" instead of e.g. "https://xxx.predix-uaa.run.aws-usw02-pr.ice.predix.io/login", causing the error.
CF endpoint urls generally start with "api.". In fact, I've never seen one starting differently.
When I publish an API in the WSO2 API Manager, the following error occurs:
Gateway Failures
Failed to Publish Environments
Production and Sandbox
Error while obtaining API information from gateway. Error while obtaining API information from gateway. Authentication failure
This could be due to an authentication failure. Please check whether username/password within <Environments> content element of root <APIGateway> element in api-manager.xml (<APIM_HOME>/repository/conf/api-manager.xml) is correct
I've had this issue.
When checking the logs I saw this:
URL context: /hrs/admihrsd/osb/documentWS/2.0.0 is already registered with the API: novakgo--hrs-admihrsd-osb-document-service:v2.0.0
The issue was someone was trying to publish a new API with the same context as another one. They should change the context and publish again, and the error is fixed. Context have to be unique.