Closed strohbert closed 3 years ago
Hey @strohbert! Nice reading that you have been giving Kalix a go.
Are you using the docker-compose.yml file to run the example? It automatically sets up all the authorization and orchestration rules necessary for the Echo Consumer to lookup and access the Echo Provider. The setting up is performed using the Cloud Configurator, which is a custom-made system meant to make it easier to configure local clouds. It is only meant to exist until an official solution for making such convenient configurations becomes available. It requires a configuration file to work. An example can be seen here.
The reason I believe missing authorization and orchestration rules to be the issue is that you get a ServiceNotFoundException
, which is typical when proper rules are not configured. I hope this helps!
Hi @emanuelpalm! I'm working together with @strohbert trying to get this example to work and understand it. Thanks for your support! We were trying to simply start the two systems (echo provider and consumer) by running the respective jars and then got the error. From your post I understand that this is not going to work, since the cloud configurator system is supposed to do all the hard work setting up the AH rules such that provider and consumer are able to find each other. However, I'm still having trouble to understand that configurator system.
@awoSYS @strohbert I assume you tried the cloud-standalone
example project first? Did that work out for you?
The difference between the standalone and cloud examples is that the former consists solely of the two systems (i.e. Java applications) provided in the example. The latter provides three systems (echo provider, echo consumer and configurator), and assumes that you have three more running (a Service Registry system, an Authorization system and an Orchestrator system). The reason for the increased complexity of the second example is that the extra systems allows for the echo consumer and provider to dynamically find each other and exchange messages, without prior knowledge about each other IP addresses or other details.
All systems part of the same local cloud (a cluster of systems all managed by the same operator) must have X.509 certificates issued by the same cloud certificate holder. All certificates must conform to the Eclipse Arrowhead certificate profile (which is not yet published/formalized, but a brief description of its current implementation can be read here).
If dynamic service discovery is desired (as in the echo-cloud example), all systems in the local cloud must know the IP address of the Service Registry system, and the port (and other details) through which its Service Discovery service can be reached. The service registry, authorization and orchestrator systems must, of course, all be running. In addition to knowing the IP address of the Service Registry system, there must be authorization rules and orchestration rules setup in the Authorization and Orchestrator systems. This is what the configurator system in the example does. It registers the rules necessary for dynamic service resolution between the echo consumer and provider.
The documentation situation currently leaves quite a lot to be desired. The official one is here. I have written quite some documentation for the Kalix library here. Important sections to read are [1] and [2].
Just tell me if you have any more questions. I'll try to answer as soon as time permits.
Thanks @emanuelpalm for that much information!
I understand that the standalone example is only supposed to show how the setup would look like with producer and consumer being wired via hardcoded addresses. I ran it and it worked:
The cloud example also seems to work now:
(Our earlier problems were most likely caused Linux-Windows character encoding incompatibility --> Checking out the repo on Windows made the commands in docker-compose.yml unreadable for the Linux containers).
However, I've got a couple of questions left:
https://localhost:8443
) just never stops loading, no error screen or so. Do you have any idea, what might be wrong?2021-06-21 13:30:50 INFO Created service entry echo_provider/kalix-example-provider-service
2021-06-21 13:30:51 INFO Created service entry echo_consumer/kalix-example-consumer-dummy
2021-06-21 13:30:54 INFO Created authorization rule CfConsumptionRule{consumer='echo_consumer', services=[kalix-example-provider-service], providers=[echo_provider]}
2021-06-21 13:30:56 INFO Created orchestration rules [CfConsumptionRule{consumer='echo_consumer', services=[kalix-example-provider-service], providers=[echo_provider]}]
Thanks for your support!
Nice that you are making progress!
sysop.p12
certificates from the browser, add them again and make sure that the arrowhead.eu
certificate is trusted to identify websites. If that doesn't work, it may help if you also the add the truststore.p12
to the browser.echo-standalone
example. The other way is called token authorization and requires service consumers to include a token with every request that has been issued by an Authorization system. This is the method used in the echo-cloud
example. The second method requires that the Authorization system knows what systems are allowed to consume what services. The configurator in the echo-cloud
example creates such authorization rules.echo-cloud
example.echo_provider
and echo_consumer
systems are designed to immediately try to contact each other (and not retry if they fail), all of their authorization and orchestration rules must exist before they start. For this reason, the configurator registers them before they get the chance to themselves. Kalix will likely be made to handle this more gracefully in the future.Any more questions? Did I miss anything?
Thanks @emanuelpalm, your explanations already helped me a lot understanding what's going on! If you're not yet exhausted of my asking though, I'd be happy about even more input from you!
I didn't manage to open the swagger UIs, neither using Chromium, nor Firefox. I'll skip that for now.
About the configurator system:
se.arkalix.util.config
) not part of the Kalix library? Even though in a productive scenario there is the opportunity to manually configure such rules via any sort of UI, isn't it always a good idea to automate this, as you've done it in this example?About security and authorization:
secure
approaches, each system has to have a certificate, that is derived from the local cloud certificate, right?AccessPolicy.token()
or AccessPolicy.cloud()
is being used (apart from specifying this once in the provider code). The actual authorization mechanisms performed when a consumer knoks at the provider's door, are completely transparent to the developer.arrowhead.eu
). Does that mean, all systems trust each other system that has an identity derived from arrowhead.eu
, regardless of the company and cloud certificates further down the trust chain?Sorry for the amount of text! Feel free to ignore what you don't fancy to answer ;) And thanks for your support again!
secure
mode) is used. Yes.I hope this helped!
Thanks @emanuelpalm, I understand ArKalix and the AHFW much better now!!
@awoSYS No problem! If you believe your questions to be answered at this point. Please close this issue. Thank you!
@strohbert imho you can close this issue.
We posted this issue in the slack (https://arrowhead-dev.slack.com/archives/CBBMWTZNZ/p1621001024046300) but did not get any response. Therefore I opened an issue here directly in the repo.
We are trying to start up the kalix echo-cloud example (https://github.com/arrowhead-f/arrowhead-kalix-examples/tree/master/echo-cloud). We can successfully run the provider, but the cloud (?!) fails on finding and providing the service (see exception below). We are running version 4.2.0 of arrowhead (https://github.com/arrowhead-f/core-java-spring) and we did not alter the kalix example in any way. The registration of both, the provider and the consumer seems to work just fine as the entries in the database suggest. We are using certificates based on the testcloud2.aitia.arrowhead.eu and the provider starts flawlessly but the consumer fails on sending the request (line 83 of EchoConsumer.java
.flatMap(consumer -> consumer.send(new HttpConsumerRequest()
). We are also unsure about the lineINFO: HTTP/JSON cloud plugin resolved orchestration service at /127.0.0.1:8441
- as we expect something likelocalhost:8441
as endpoint.Any suggestions or hint, what might be the problem?