cloudfoundry / routing-release

This is the BOSH release for cloud foundry routers
Apache License 2.0

Unable to deploy/configure TCP routers due to UAA issue #105

Closed nsharmacovs closed 6 years ago

nsharmacovs commented 6 years ago

I followed https://docs.cloudfoundry.org/adminguide/enabling-tcp-routing.html#pre-deploy to configure / install TCP routers.

Version of UAA is 17. Version of routing release is 0.170.0 (https://github.com/cloudfoundry/routing-release).

I have installed the TCP_router component and the routing-api component. When we try to start the routing-api component, we are getting errors from UAA.



```
[2018-04-23 16:21:26.979] uaa - 20460 [http-nio-8080-exec-10] .... DEBUG --- SecurityContextPersistenceFilter: SecurityContextHolder now cleared, as request processing completed
[2018-04-23 16:18:49.648] uaa - 20460 [http-nio-8080-exec-11] .... DEBUG --- AntPathRequestMatcher: Checking match of request : '/.well-known/openid-configuration'; against '/saml/SingleLogout/**'
[2018-04-23 16:18:49.648] uaa - 20460 [http-nio-8080-exec-11] .... DEBUG --- AntPathRequestMatcher: Checking match of request : '/.well-known/openid-configuration'; against '/saml/discovery/**'
[2018-04-23 16:18:49.648] uaa - 20460 [http-nio-8080-exec-11] .... DEBUG --- FilterChainProxy: /.well-known/openid-configuration has no matching filters
[2018-04-23 16:18:49.648] uaa - 20460 [http-nio-8080-exec-11] .... DEBUG --- FilterChainProxy: /.well-known/openid-configuration at position 15 of 25 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
[2018-04-23 16:18:49.648] uaa - 20460 [http-nio-8080-exec-11] .... DEBUG --- FilterChainProxy: /.well-known/openid-configuration at position 16 of 25 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
[2018-04-23 16:18:49.648] uaa - 20460 [http-nio-8080-exec-11] .... DEBUG --- FilterChainProxy: /.well-known/openid-configuration at position 17 of 25 in additional filter chain; firing Filter: 'SessionManagementFilter'
[2018-04-23 16:18:49.648] uaa - 20460 [http-nio-8080-exec-11] .... DEBUG --- FilterChainProxy: /.well-known/openid-configuration at position 18 of 25 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
[2018-04-23 16:18:49.648] uaa - 20460 [http-nio-8080-exec-11] .... DEBUG --- FilterChainProxy: /.well-known/openid-configuration at position 19 of 25 in additional filter chain; firing Filter: 'OAuth2ClientContextFilter'
[2018-04-23 16:18:49.648] uaa - 20460 [http-nio-8080-exec-11] .... DEBUG --- FixHttpsSchemeRequest: Request X-Forwarded-Proto https
[2018-04-23 16:18:49.649] uaa - 20460 [http-nio-8080-exec-11] .... DEBUG --- FilterChainProxy: /.well-known/openid-configuration at position 20 of 25 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
[2018-04-23 16:18:49.649] uaa - 20460 [http-nio-8080-exec-11] .... DEBUG --- FilterSecurityInterceptor: Secure object: FilterInvocation: URL: /.well-known/openid-configuration; Attributes: [IS_AUTHENTICATED_FULLY]
[2018-04-23 16:18:49.649] uaa - 20460 [http-nio-8080-exec-11] .... DEBUG --- ExceptionTranslationFilter: Authentication exception occurred; redirecting to authentication entry point
org.springframework.security.authentication.AuthenticationCredentialsNotFoundException: An Authentication object was not found in the SecurityContext
        at org.springframework.security.access.intercept.AbstractSecurityInterceptor.credentialsNotFound(AbstractSecurityInterceptor.java:379)
        at org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:223)
        at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:124)
        at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:91)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
        at org.springframework.security.oauth2.client.filter.OAuth2ClientContextFilter.doFilter(OAuth2ClientContextFilter.java:60)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
        at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:115)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
        at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:137)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
        at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:169)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
        at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:63)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
        at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:208)
        at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:185)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
        at org.cloudfoundry.identity.uaa.provider.saml.idp.IdpMetadataGeneratorFilter.doFilter(IdpMetadataGeneratorFilter.java:86)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
        at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:200)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
        at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:121)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
        at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:66)
        at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
        at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:56)
        at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
        at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:105)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
        at org.cloudfoundry.identity.uaa.security.web.HttpsHeaderFilter.doFilter(HttpsHeaderFilter.java:37)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
        at org.springframework.security.saml.metadata.MetadataGeneratorFilter.doFilter(MetadataGeneratorFilter.java:87)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
        at org.cloudfoundry.identity.uaa.security.web.SecurityFilterChainPostProcessor$UaaLoggingFilter.doFilter(SecurityFilterChainPostProcessor.java:253)
        at org.cloudfoundry.identity.uaa.security.web.SecurityFilterChainPostProcessor$HttpsEnforcementFilter.doFilter(SecurityFilterChainPostProcessor.java:196)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
        at org.cloudfoundry.identity.uaa.oauth.DisableIdTokenResponseTypeFilter.doFilterInternal(DisableIdTokenResponseTypeFilter.java:87)
        at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
        at org.cloudfoundry.identity.uaa.zone.IdentityZoneResolvingFilter.doFilterInternal(IdentityZoneResolvingFilter.java:67)
        at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
        at org.cloudfoundry.identity.uaa.security.web.CorsFilter.doFilterInternal(CorsFilter.java:222)
        at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
        at org.cloudfoundry.identity.uaa.authentication.UTF8ConversionFilter.doFilter(UTF8ConversionFilter.java:56)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
        at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:214)
        at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:177)
        at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
        at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:262)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:212)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:106)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:141)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
        at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:616)
        at org.apache.catalina.valves.RemoteIpValve.invoke(RemoteIpValve.java:676)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:528)
        at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1099)
        at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:670)
        at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1520)
        at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1476)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
        at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
        at java.lang.Thread.run(Thread.java:745)
[2018-04-23 16:18:49.649] uaa - 20460 [http-nio-8080-exec-11] .... DEBUG --- FixHttpsSchemeRequest: Request X-Forwarded-Proto https
[2018-04-23 16:18:49.649] uaa - 20460 [http-nio-8080-exec-11] .... DEBUG --- FixHttpsSchemeRequest: Request X-Forwarded-Proto https
[2018-04-23 16:18:49.649] uaa - 20460 [http-nio-8080-exec-11] .... DEBUG --- FixHttpsSchemeRequest: Request X-Forwarded-Proto https
[2018-04-23 16:18:49.649] uaa - 20460 [http-nio-8080-exec-11] .... DEBUG --- HttpSessionRequestCache: DefaultSavedRequest added to Session: DefaultSavedRequest[https://uaa.x.x/.well-known/openid-configuration]
```

Errors in the routing-api servers are:

```
[2018-04-23 16:26:00+0000] {"timestamp":"1524500760.852908373","source":"routing-api","message":"routing-api.failed-debug-server","log_level":2,"data":{"debug_address":"127.0.0.1:17002","error":"listen tcp 127.0.0.1:17002: bind: address already in use"}}
[2018-04-23 16:26:00+0000] {"timestamp":"1524500760.852982998","source":"routing-api","message":"routing-api.database","log_level":1,"data":{"host":"ccdb-rnd.c3z1rkbvtqhv.us-east-1.rds.amazonaws.com","port":3306}}
[2018-04-23 16:26:00+0000] {"timestamp":"1524500760.864001036","source":"routing-api","message":"routing-api.api-server.uaa-client.started-fetching-openId-metadata","log_level":1,"data":{"endpoint":"https://uaa.covisintrnd.com:443/.well-known/openid-configuration","session":"1.2"}}
[2018-04-23 16:26:00+0000] {"timestamp":"1524500760.920266151","source":"routing-api","message":"routing-api.api-server.uaa-client.finished-fetching-openId-metatdata","log_level":1,"data":{"session":"1.2","status-code":302}}
[2018-04-23 16:26:00+0000] {"timestamp":"1524500760.920295238","source":"routing-api","message":"routing-api.api-server.Failed to get issuer configuration from UAA","log_level":2,"data":{"error":"status code: 302, body: ","session":"1"}}
```

Below are the configurations which were created as part of the deployment:

Client IDs

```
uaac client get routing_api_client
  scope: uaa.none
  client_id: routing_api_client
  resource_ids: none
  authorized_grant_types: refresh_token authorization_code
  autoapprove:
  authorities: routing.router_groups.read routing.routes.write routing.routes.read
  name: routing_api_client
  lastmodified: 1524254006000
uaac client get tcp_emitter
  scope: uaa.none
  client_id: tcp_emitter
  resource_ids: none
  authorized_grant_types: refresh_token client_credentials
  autoapprove:
  authorities: routing.routes.write routing.routes.read
  name: tcp_emitter
  lastmodified: 1524158241000
uaac client get gorouter
  scope: cloud_controller_service_permissions.read openid
  client_id: gorouter
  resource_ids: none
  authorized_grant_types: refresh_token client_credentials
  autoapprove:
  authorities: clients.read route.admin clients.write routing.routes.read route.advertise clients.admin
  lastmodified: 1524251821000
uaac client get tcp_router
  scope: uaa.none
  client_id: tcp_router
  resource_ids: none
  authorized_grant_types: refresh_token client_credentials
  autoapprove:
  authorities: routing.routes.read
  name: tcp_router
  lastmodified: 1524158284000
```

tcp_router.yml

```
oauth:
  token_endpoint: uaa.x.x
  client_name: "tcp_router"
  client_secret: XXXXX
  port: 443
  skip_ssl_validation: false

  ca_certs: "/var/vcap/jobs/tcp_router/config/certs/uaa/ca.crt"

routing_api:
  uri: http://routing-api.service.cf.internal
  port: 3000
  auth_disabled: false

haproxy_pid_file: "/var/vcap/sys/run/tcp_router/haproxy.pid"
isolation_segments: []
```

routing-api.yml

```
log_guid: "routing_api"
max_ttl: 120s
system_domain: x.x
metron_config:
  address: "localhost"
  port: 3457
metrics_reporting_interval: 30s
statsd_endpoint: localhost:8125
oauth:
  token_endpoint: uaa.x.x
  port: 443
  skip_ssl_validation: false

  ca_certs: "/var/vcap/jobs/routing-api/config/certs/uaa/ca.crt"

debug_address: 127.0.0.1:17002
statsd_client_flush_interval: 300ms
router_groups:
- name: default-tcp
  reservable_ports: 1024-1123
  type: tcp

uuid: 538f8c5a-90f1-4ee8-8e13-723bd916bdaa
admin_port: 15897

consul_cluster:
  servers: http://127.0.0.1:8500
  lock_ttl: 10s
  retry_interval: 5s

sqldb:
  host: x.x.x.x
  port: 3306
  type: mysql
  schema: routingapi
  username: xxxx
  password: xxxxxx

locket:
  locket_address:
  locket_ca_cert_file: "/var/vcap/jobs/routing-api/config/certs/locket/ca.crt"
  locket_client_cert_file: "/var/vcap/jobs/routing-api/config/certs/locket/client.crt"
  locket_client_key_file: "/var/vcap/jobs/routing-api/config/certs/locket/client.key"

skip_consul_lock: false
```

cf-gitbot commented 6 years ago

We have created an issue in Pivotal Tracker to manage this:

https://www.pivotaltracker.com/story/show/157006785

The labels on this github issue will be updated when the story is started.

jhamon commented 6 years ago

Hi @nsharmacovs. For security reasons related to how the router does verification of oauth tokens the routing-release has a dependency on the UAA's /.well-known/openid-configuration endpoint. This endpoint is not present in UAA v17.

Please upgrade your UAA release. I believe UAA v17 was the last UAA release before this endpoint was added, since it looks like the feature went into the code about one week after v17 was cut in Sept 2016.
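A pre-deploy check for the dependency described above, added here as an example and not part of this thread or of routing-release: it fetches UAA's `/.well-known/openid-configuration` without following redirects, so the 302 that routing-api logged in this issue (an unknown path falling through UAA's default secured filter chain to the login page) is reported as "endpoint missing" rather than silently followed. The `discovery` struct, function names and the `uaa.example.test` host are assumptions; the JSON keys are the standard OIDC discovery field names.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"log"
	"net/http"
	"os"
)
// discovery: the OIDC discovery fields routing-api needs (struct is ours; keys are standard OIDC).
type discovery struct {
	Issuer  string `json:"issuer"`
	JwksURI string `json:"jwks_uri"`
}

// checkDiscovery classifies a response to /.well-known/openid-configuration. The 302 in the issue
// is the tell: a UAA without that endpoint sends the path down its default secured chain to login.
func checkDiscovery(status int, body []byte) (d discovery, err error) {
	if status >= 300 && status < 400 {
		return d, fmt.Errorf("redirected (%d): discovery endpoint missing, UAA older than v18?", status)
	}
	if status != http.StatusOK {
		return d, fmt.Errorf("unexpected status %d from discovery endpoint", status)
	}
	if err = json.Unmarshal(body, &d); err != nil || d.Issuer == "" || d.JwksURI == "" {
		return d, fmt.Errorf("discovery document unusable (err=%v, issuer=%q, jwks_uri=%q)", err, d.Issuer, d.JwksURI)
	}
	return d, nil
}

// fetchDiscovery issues the GET routing-api does, but never follows redirects, so a 302 is reported.
func fetchDiscovery(uaaURL string) (discovery, error) {
	noFollow := func(*http.Request, []*http.Request) error { return http.ErrUseLastResponse }
	resp, err := (&http.Client{CheckRedirect: noFollow}).Get(uaaURL + "/.well-known/openid-configuration")
	if err != nil {
		return discovery{}, err
	}
	defer resp.Body.Close()
	body, _ := io.ReadAll(resp.Body) // a read error just leaves a non-JSON body for checkDiscovery
	return checkDiscovery(resp.StatusCode, body)
}

func main() { // usage: go run . https://uaa.example.test   (placeholder UAA URL)
	d, err := fetchDiscovery(os.Args[1])
	if err != nil {
		log.Fatalln("UAA not ready for routing-release:", err) // exits with status 1
	}
	fmt.Printf("issuer=%s jwks_uri=%s\n", d.Issuer, d.JwksURI)
}
```

Run it against the UAA that routing-api will be pointed at (the `oauth.token_endpoint` host from routing-api.yml) before deploying the TCP routing jobs; a non-zero exit means routing-api would fail to start the same way it did here.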

aaronshurley commented 6 years ago

@nsharmacovs did the above suggestion resolve your issue? If so, we'll close this out.

Thanks!

nsharmacovs commented 6 years ago

Please close the issue. I am good. Thanks a lot.