cloudfoundry-incubator / admin-ui

Need new main contributor - An application for viewing Cloud Foundry metrics and operations data.
Apache License 2.0

Insufficient scope for user admin #155

Closed chrisrana closed 8 years ago

chrisrana commented 8 years ago

I installed admin_ui successfully as a bosh release and then ran bosh run errand register_admin_ui. I am getting an "Insufficient scope for user admin" error; the admin log says "Login without proper group for user". Then I also manually ran the following commands S

    uaac target http://uaa.10.244.0.34.xip.io
    uaac token client get admin -s admin-secret
    uaac client update admin --authorities "`uaac client get admin | \
        awk '/:/{e=0}/authorities:/{e=1;if(e==1){$1="";print}}'` scim.write"
    uaac token client get admin -s admin-secret

    uaac group add admin_ui.admin
    uaac member add admin_ui.admin admin

    uaac client add admin_ui_client \
        --authorities clients.write,cloud_controller.admin,cloud_controller.read,cloud_controller.write,doppler.firehose,openid,scim.read,scim.write \
        --authorized_grant_types authorization_code,client_credentials,refresh_token \
        --autoapprove true \
        --scope admin_ui.admin,admin_ui.user,openid \
        -s admin_ui_secret

I am still getting the same error.

Errand Job output

Acting as user 'admin' on deployment 'cf-devtest3' on 'vms-installdev2'

Director task 24
Started unknown
Started unknown > Binding deployment. Done (00:00:00)

Started preparing deployment
Started preparing deployment > Binding releases. Done (00:00:00)
Started preparing deployment > Binding existing deployment. Done (00:00:00)
Started preparing deployment > Binding resource pools. Done (00:00:00)
Started preparing deployment > Binding stemcells. Done (00:00:00)
Started preparing deployment > Binding templates. Done (00:00:00)
Started preparing deployment > Binding properties. Done (00:00:00)
Started preparing deployment > Binding unallocated VMs. Done (00:00:00)
Started preparing deployment > Binding instance networks. Done (00:00:00)

Started preparing package compilation > Finding packages to compile. Done (00:00:00)

Started preparing dns > Binding DNS. Done (00:00:00)

Started creating bound missing vms > medium/0. Done (00:01:51)

Started binding instance vms > register_admin_ui/0. Done (00:00:00)

Started updating job register_admin_ui > register_admin_ui/0. Done (00:00:14)

Started running errand > register_admin_ui/0. Done (00:00:04)

Started fetching logs for register_admin_ui/0 > Finding and packing log files. Done (00:00:01)

Started deleting errand instances register_admin_ui > 2b0b75a2-cf36-4399-acd7-c7818c1c6aaa. Done (00:00:17)

Task 24 done

Started 2016-03-23 10:58:50 UTC
Finished 2016-03-23 11:01:22 UTC
Duration 00:02:32

[stdout]
$PATH /var/vcap/packages/uaac/bin:/var/vcap/packages/ruby/bin:/usr/sbin:/usr/bin:/sbin:/bin
Getting admin client token
Adding scim.write scope to admin client
  scope: uaa.none
  client_id: admin
  authorized_grant_types: client_credentials
  authorities: password.write clients.read clients.write scim.write scim.read uaa.admin clients.secret

Successfully fetched token via client credentials grant.
Target: http://uaa.devtest3.io
Context: admin, from client admin

Creating admin_ui_client client
  scope: admin_ui.admin openid admin_ui.user
  client_id: admin_ui_client
  authorized_grant_types: refresh_token client_credentials authorization_code
  authorities: cloud_controller.write openid scim.read cloud_controller.read cloud_controller.admin
  id: admin_ui_client
Adding group: admin_ui.admin
  id: 47dc2087-e4f8-4a31-ae92-d34aee246dbc
  schemas: urn:scim:schemas:core:1.0
  meta
    version: 0
    created: 2016-03-23T11:01:03.447Z
    lastmodified: 2016-03-23T11:01:03.448Z
  displayname: admin_ui.admin
Adding group: admin_ui.user
  id: 000d3a74-9112-48ee-a07f-3411742abc62
  schemas: urn:scim:schemas:core:1.0
  meta
    version: 0
    created: 2016-03-23T11:01:03.942Z
    lastmodified: 2016-03-23T11:01:03.942Z
  displayname: admin_ui.user
Done

[stderr] None

Errand `register_admin_ui' completed successfully (exit code 0)

rboykin commented 8 years ago

Realize the admin user's definition is "recreated" every time the UAA component is restarted.

Try a different user than admin with the uaac member add admin_ui.admin and then try to login to the admin ui with that user.
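The group membership discussed above matters because UAA only puts a scope into a user's token when the user belongs to the group of the same name and the client requests it. The following is an added example, not part of the thread and not admin-ui's own code: it decodes a token payload for troubleshooting and reports which of the two admin_ui scopes it carries. The helper names and both sample tokens are constructed for illustration.

```ruby
require 'json'

# Scope names come from the admin_ui_client definition posted in the thread.
ADMIN_SCOPE = 'admin_ui.admin'
USER_SCOPE  = 'admin_ui.user'

# Decode a JWT's payload segment WITHOUT verifying the signature.
# For troubleshooting only; never authorize on an unverified token.
def jwt_claims(token)
  segments = token.to_s.split('.')
  raise ArgumentError, 'expected header.payload.signature' unless segments.length == 3
  JSON.parse(segments[1].tr('-_', '+/').unpack1('m').force_encoding('UTF-8'))
rescue JSON::ParserError
  raise ArgumentError, 'payload is not valid JSON'
end

# UAA emits "scope" as an array; accept a space-separated string as well.
def token_scopes(token)
  scope = jwt_claims(token)['scope']
  scope.is_a?(String) ? scope.split : Array(scope)
end

# Hypothetical helper: the access level a UI gated on these scopes would grant.
# nil corresponds to the "Insufficient scope" outcome reported in the thread.
def admin_ui_access(token)
  scopes = token_scopes(token)
  return :admin if scopes.include?(ADMIN_SCOPE)
  return :user if scopes.include?(USER_SCOPE)
  nil
end

# Constructed sample data: build an unsigned token carrying the given claims.
def sample_token(claims)
  b64 = ->(obj) { [JSON.generate(obj)].pack('m0').tr('+/', '-_').delete('=') }
  [b64.call('alg' => 'none'), b64.call(claims), 'constructed-signature'].join('.')
end

# Constructed users: one outside the group, one after `uaac member add admin_ui.admin new_user`.
NO_GROUP = sample_token('user_name' => 'admin', 'client_id' => 'admin_ui_client', 'scope' => ['openid'])
IN_GROUP = sample_token('user_name' => 'new_user', 'client_id' => 'admin_ui_client',
                        'scope' => ['openid', 'admin_ui.admin'])

if __FILE__ == $PROGRAM_NAME
  { 'admin' => NO_GROUP, 'new_user' => IN_GROUP }.each do |name, tok|
    puts "#{name}: scopes=#{token_scopes(tok).inspect} access=#{admin_ui_access(tok).inspect}"
  end
end
```
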

chrisrana commented 8 years ago

You mean creating a new user using the following commands? Please confirm.

    uaac token client get admin
    uaac user add new_user -p password
    uaac member add admin_ui.admin admin
    uaac member add uaa.admin new_user
    uaac member add scim.read new_user
    uaac member add scim.write new_user

But in actual production, how do I automate this process? Does the bosh vm/adminui have uaac installed by default, or do I need to install the uaac client in the adminui vm and create the user?

rboykin commented 8 years ago

I would likely do the following:

    cf create-user new_user
    uaac member add admin_ui.admin new_user

In terms of automation that question is better asked here https://github.com/cloudfoundry-community/admin-ui-boshrelease

chrisrana commented 8 years ago

The Admin UI errand job runs the UAAC command. Where is this UAAC installed? I searched for it in the cloud controller and admin ui vm and didn't find it. I can install the uaac client, but I am curious to know how the errand job is running the uaac command.

rboykin commented 8 years ago

cf-uaac is a ruby gem. After installing ruby, you can enter "gem install cf-uaac" and then you can run uaac. Also possible with rbenv you might need to do "rbenv rehash" prior to uaac being available.

chrisrana commented 8 years ago

What about "bosh run errand register_admin_ui"? How does this get UAAC without installing it? I don't want to install uaac; I want to use the UAAC which the errand job uses.

rboykin commented 8 years ago

I suggest you ask within https://github.com/cloudfoundry-community/admin-ui-boshrelease if you are interested about "bosh run errand register_admin_ui". UAA does have an API for access which bosh can use.