indigo-iam / iam

INDIGO Identity and Access Management Service
https://indigo-iam.github.io/

iam service in continuous restart #654

Closed bl000m closed 9 months ago

bl000m commented 9 months ago

Good morning, after running docker-compose up the iam service goes into a continuous restart loop, and I cannot find any errors in the logs:

\  \|\   __  \|\   _ \  _   \    
\ \  \ \  \|\  \ \  \\\__\ \  \   
 \ \  \ \   __  \ \  \\|__| \  \  
  \ \  \ \  \ \  \ \  \    \ \  \ 
   \ \__\ \__\ \__\ \__\    \ \__\
    \|__|\|__|\|__|\|__|     \|__|

IAM version: 1.8.2 
IAM git commit id: 7a027c4

Spring boot version: 2.6.14

2023-10-02 13:17:30.639  INFO 7 --- [           main] it.infn.mw.iam.IamLoginService           : Starting IamLoginService v1.8.2 using Java 17.0.7 on 65cb8e47a352 with PID 7 (/indigo-iam/WEB-INF/classes started by root in /indigo-iam)
2023-10-02 13:17:30.642  INFO 7 --- [           main] it.infn.mw.iam.IamLoginService           : The following 6 profiles are active: "prod", "mysql", "flyway-repair", "oidc", "saml", "registration"
 ___  ________  _____ ______      
|\  \|\   __  \|\   _ \  _   \    
\ \  \ \  \|\  \ \  \\\__\ \  \   
 \ \  \ \   __  \ \  \\|__| \  \  
  \ \  \ \  \ \  \ \  \    \ \  \ 
   \ \__\ \__\ \__\ \__\    \ \__\
    \|__|\|__|\|__|\|__|     \|__|

IAM version: 1.8.2 
IAM git commit id: 7a027c4

Spring boot version: 2.6.14

2023-10-02 13:18:49.621  INFO 7 --- [           main] it.infn.mw.iam.IamLoginService           : Starting IamLoginService v1.8.2 using Java 17.0.7 on 65cb8e47a352 with PID 7 (/indigo-iam/WEB-INF/classes started by root in /indigo-iam)
2023-10-02 13:18:49.625  INFO 7 --- [           main] it.infn.mw.iam.IamLoginService           : The following 6 profiles are active: "prod", "mysql", "flyway-repair", "oidc", "saml", "registration"

Below is the configuration of the service in the docker-compose file.

iam-login-service:
    image: indigoiam/iam-login-service:v1.8.2
    container_name: iam-login-service
    ports:
      - 8080:8080
    env_file:
      - env
    volumes:
      - ./mariadb_data:/var/lib/mysql
      - ./keystore.jks:/keystore.jks:ro
    restart: unless-stopped
    depends_on:
      - mariadb
      - jwtk_generator
    networks:
      - iam

What could the problem be due to? Thanks for your help

rmiccoli commented 9 months ago

Hi,

could you send/paste the .env file?

bl000m commented 9 months ago

Hi, sure, and thanks!

# _______MARIADB_______

MYSQL_ROOT_PASSWORD=***
MYSQL_DATABASE=iam_db_rock8
MARIADB_ROOT_HOST=%

# _______INDIGO IAM_______

# _______VAR TO BE MANUALLY SET_______

# The host where the MariaDB/MySQL daemon is running
# => curl ifconfig.me/ip
# => or floating IP if on openstack
IAM_DB_HOST=134.158.231.31

# The IAM service will list for requests on this host
# => IAM_HOST=$(host $IAM_DB_HOST | awk '{print $NF}' | sed 's/\.$//')

IAM_HOST=ccmapa.in2p3.fr

# The path to the JSON keystore that holds the keys IAM will use to sign and
# verify token signatures
IAM_KEY_STORE_LOCATION=file:///keystore.jwks

# not clear
# Sets the directory that contains the local resources that should be exposed
IAM_LOCAL_RESOURCES_LOCATION=file:///indigo-iam/local-resources

# _______OTHERS_______

IAM_JAVA_OPTS=-Dspring.profiles.active=prod,oidc,saml,registration

# The IAM service webapp will bind on this port
IAM_PORT=8080

# The IAM web application base URL
IAM_BASE_URL=https://${IAM_HOST}/iam

# The OpenID Connect issuer configured for this IAM instance.
# This must be equal to IAM_BASE_URL
IAM_ISSUER=https://${IAM_HOST}/iam

# HTTP caching header setting public key lifetime (in seconds).
# The recommended lifetime according to the WLCG profile* is 6 hours
IAM_JWK_CACHE_LIFETIME=21600

# IAM will look for trust anchors in this directory. These trust anchors are
# needed for TLS operations where the IAM acts as a client (i.e., to
# authenticate to remote SAML Identity providers)
IAM_X509_TRUST_ANCHORS_DIR=/etc/pki/tls/certs/

# How frequently (in seconds) should trust anchors be refreshed
IAM_X509_TRUST_ANCHORS_REFRESH=14400

# Use forwarded headers from reverse proxy. Set this to native when deploying the
# service behind a reverse proxy
IAM_FORWARD_HEADERS_STRATEGY=none

## Tomcat embedded container settings

# Enables the tomcat access log
IAM_TOMCAT_ACCESS_LOG_ENABLED=false

# Directory where the tomcat access log will be written (when enabled)
IAM_TOMCAT_ACCESS_LOG_DIRECTORY=/tmp

## Actuator endpoint settings

# Sets the username of the user allowed to have privileged access to actuator
# endpoints
IAM_ACTUATOR_USER_USERNAME=user

# Sets the password of the user allowed to have privileged access to actuator
# endpoints
IAM_ACTUATOR_USER_PASSWORD=***

## Local resources configuration

# Enables the serving of resources from the local file system
IAM_LOCAL_RESOURCES_ENABLE=false

# The name of the organization managed by this IAM instance
IAM_ORGANISATION_NAME=indigo-DR8

# String displayed into the brower top bar when accessing the IAM dashboard
IAM_TOPBAR_TITLE="INDIGO IAM for ${IAM_ORGANISATION_NAME}"

## Token content settings

# Include authentication claims in issued access tokens
IAM_ACCESS_TOKEN_INCLUDE_AUTHN_INFO=false

# Includes the scope in issued access tokens
IAM_ACCESS_TOKEN_INCLUDE_SCOPE=false

# Includes the nbf claim in issued access tokens
IAM_ACCESS_TOKEN_INCLUDE_NBF=false

# The database port
IAM_DB_PORT=3306

# The database name
IAM_DB_NAME=${MYSQL_DATABASE}

# The database username
IAM_DB_USERNAME=root

# The database password
IAM_DB_PASSWORD=${MYSQL_ROOT_PASSWORD}

## Database connection pool options

# Maximum number of active connections to the database
IAM_DB_MAX_ACTIVE=50

# Maximum number of idle connections in the pool
IAM_DB_MAX_IDLE=5

# Initial size of the database connection pool
IAM_DB_INITIAL_SIZE=8

# Should idle connections in the pool be tested?
IAM_DB_TEST_WHILE_IDLE=true

# Should connections in the pool be tested when borrowed?
IAM_DB_TEST_ON_BORROW=true

# Which SQL query should be used to test connections?
IAM_DB_VALIDATION_QUERY=SELECT 1

# Time between database connection pool eviction runs (in msec)
IAM_DB_TIME_BETWEEN_EVICTION_RUNS_MILLIS=5000

# The minimum amount of time a connection may be idle in the pool
# before it is considered for eviction (in msec)
IAM_DB_MIN_EVICTABLE_IDLE_TIME_MILLIS=60000

# Public identifier for client application
IAM_CLIENT_ID=client

# Client application's own password
IAM_CLIENT_SECRET=***

# Default scopes allowed to the client application (optional)
IAM_CLIENT_SCOPES=openid profile email

# The Google OAuth client id
# IAM_GOOGLE_CLIENT_ID=898301167301-af02j7jnnt36pbmfg5vlkh7sons4abht.apps.googleusercontent.com

# The OAuth client secret
# IAM_GOOGLE_CLIENT_SECRET=***

# not used so far
###SAML THINGS

# The SAML entity ID for this IAM instance
IAM_SAML_ENTITY_ID=

# Text shown in the SAML login button on the IAM login page
IAM_SAML_LOGIN_BUTTON_TEXT=Sign in with SAML

## SAML keystore settings

# The keystore holding certificates and keys used for SAML crypto
IAM_SAML_KEYSTORE=

# The SAML keystore password
IAM_SAML_KEYSTORE_PASSWORD=

# The identifier of the key that should be used to sign requests/assertions
IAM_SAML_KEY_ID=

# The password of the SAML key that will be used to sign requests/assertions
IAM_SAML_KEY_PASSWORD=

## Metadata settings

# a URL pointing to the SAML federation or IdP metadata
IAM_SAML_IDP_METADATA=

# Metadata refresh period (in seconds)
IAM_SAML_METADATA_LOOKUP_SERVICE_REFRESH_PERIOD_SEC=600

# Should signature validity checks be enforced on metadata?
IAM_SAML_METADATA_REQUIRE_VALID_SIGNATURE=false

# Trust only IdPs that have SIRTFI compliance
IAM_SAML_METADATA_REQUIRE_SIRTFI=false

# Comma-separated IDP entity ID whitelist. When empty
# all IdPs included in the metadata are whitelisted
IAM_SAML_IDP_ENTITY_ID_WHITELIST=

## Assertion validity settings

# Maxixum allowed assertion time (in seconds)
IAM_SAML_MAX_ASSERTION_TIME=3000

# Maximum authentication age (in seconds)
IAM_SAML_MAX_AUTHENTICATION_AGE=86400

## Other settings

# List of attribute aliases that are looked up in assertion to identify the
# user authenticated with SAML
IAM_SAML_ID_RESOLVERS=eduPersonUniqueId,eduPersonTargetedId,eduPersonPrincipalName

## SMTP mail server settings

# SMTP server hostname
IAM_MAIL_HOST=localhost

# SMTP server port
IAM_MAIL_PORT=25

# SMTP server username
IAM_MAIL_USERNAME=

# SMTP server password
IAM_MAIL_PASSWORD=

## IAM notification settings

# Should the notification server be disabled?
# When set to true, notifications are not sent to the mail server (but
# printed to the logs)
IAM_NOTIFICATION_DISABLE=false

# The email address used as the sender in IAM email notifications
IAM_NOTIFICATION_FROM=indigo@localhost

# The email address used as the recipient in IAM email notifications
IAM_NOTIFICATION_ADMIN_ADDRESS=indigo-alerts@localhost

# Notification policy for account requests. The default value is notify-address
# meaning that notifications just arrive to the email address
# specified above. Set to notify-admins if you want to notify
# all IAM admins or to notify-address-and-admins to combine the two behaviors
IAM_NOTIFICATION_ADMIN_NOTIFICATION_POLICY=notify-address

# Notification policy for group requests. Default value notifies both
# admins and group managers. Set to notify-gms if you want to notify only group managers
IAM_NOTIFICATION_GROUP_MANAGER_NOTIFICATION_POLICY=notify-gms-and-admins

# Time interval, in milliseconds, between two consecutive runs of IAM notification
# dispatch task
IAM_NOTIFICATION_TASK_DELAY=30000

# Retention of delivered messages, in days
IAM_NOTIFICATION_CLEANUP_AGE=30

bl000m commented 9 months ago

Hi, if you need more context to identify the problem, don't hesitate to ask me. I'm writing from the IN2P3 computing centre in Lyon, where an installation on a VM was successful, but I cannot replicate it in an isolated docker network in order to automate the creation of the IAM instance and test it against an app. It seems that the behaviour is different, or that some change to the settings is needed compared to the docs.

I have ruled out the problem coming from keystore.jwks, but I'm sending it to you for confirmation. If I inspect the contents of the newly created container from the console (in the short time before it stops and restarts), check whether the keystore.jwks file exists at the location we want, and cat its contents with docker exec iam-login-service cat /keystore.jwks, I get confirmation that keystore.jwks has been correctly mounted in the container at the path specified in the env => IAM_KEY_STORE_LOCATION=file:///keystore.jwks. Here is the content:

{
  "keys": [
    {
      "p": "46vmsWN4yF-Gb8HAYK07aPzKl5TbmWtkL4c62ercy6nDfJG_hOTxFB9vBiI3OLJUKi11EqHMkHn6vFtd1HK8eQ",
      "kty": "RSA",
      "q": "5PRrpFMIj526y22My-MFOWJwto19AM2NyXQiqsB24j_Ez-LG5xD1nq9vozZws1kX--XmXyXrh6I4HoqRysTVPw",
      "d": "Uv-j4oI4dXYN3UWIGmA7NjS0RN6-QWwQiHPUCajMI5seKi5WbpFqhtfpJUpeLQvxzUtySP4WXqOipOthhE_U7H4zeKF31QBbV77sEboRzeQOQB8jXi0YVb3y8i07byzmzGHEzQvJiOF08nUHDbz_94bRPjHyaVVnlMDbHOnjd6E",
      "e": "AQAB",
      "kid": "rsa1",
      "qi": "np_tHiz9FV2HR-Iz4Mjifwlec4avDbG8mmKszK6A0Qcxht47p-DbE3XDFTLKbG_dgXFDvwvS4Oz0gkK-aWJjjw",
      "dp": "MAqE-md4BCgMESb8Nio3wBaflU7G69-6W0EYzQT_JEalRnLmy98Xc9ySK-QqbN9MXT4MVysnJFFo9Df_W6X-WQ",
      "dq": "UbsbDe8COFpjCymRQFtLSx_kApbhj77RJaAKnA_WoI-JD3jx7hx0we_4lzfg5XUhha-dHEwqFyIGjIiE4PCA-w",
      "n": "y555CNsOqK9JHJvoxRssZIFustjzVTcLVQEsf513PEUXVmLJjuGEdWVUl0qleTTxz1STUF3UnXymDzLotdwYRjKm8R1jdquJfkcCJxLMxzxQg44a9evWCaBJ0BgcAfCNVlG3zjQ2V_WyGc63HP0F2abIVQQeRArbJpy484WxDsc"
    }
  ]
}

What else can I check to understand where the problem originates? I hope you can help. Thanks

bl000m commented 9 months ago

@rmiccoli sorry to press, but I'm blocked; could you just give me some feedback to point me in one direction or the other? At the moment the Indigo IAM instance only works on a VM and we are not able to replicate it. In parallel, a portal is being developed that will have to connect to the test Indigo IAM instance for authentication. So one thing blocks the other...

bl000m commented 9 months ago

I solved it. You have to be careful not to pass the following environment variables to the indigo-iam service if they are not initialised, because perhaps no check is in place, and some variables, if initialised to NULL or set without being used, short-circuit the software:

# The SAML entity ID for this IAM instance
IAM_SAML_ENTITY_ID=

# Text shown in the SAML login button on the IAM login page
IAM_SAML_LOGIN_BUTTON_TEXT=Sign in with SAML

## SAML keystore settings

# The keystore holding certificates and keys used for SAML crypto
IAM_SAML_KEYSTORE=

# The SAML keystore password
IAM_SAML_KEYSTORE_PASSWORD=

# The identifier of the key that should be used to sign requests/assertions
IAM_SAML_KEY_ID=

# The password of the SAML key that will be used to sign requests/assertions
IAM_SAML_KEY_PASSWORD=

## Metadata settings

# a URL pointing to the SAML federation or IdP metadata
IAM_SAML_IDP_METADATA=

# Metadata refresh period (in seconds)
IAM_SAML_METADATA_LOOKUP_SERVICE_REFRESH_PERIOD_SEC=600

# Should signature validity checks be enforced on metadata?
IAM_SAML_METADATA_REQUIRE_VALID_SIGNATURE=false

# Trust only IdPs that have SIRTFI compliance
IAM_SAML_METADATA_REQUIRE_SIRTFI=false

# Comma-separated IDP entity ID whitelist. When empty
# all IdPs included in the metadata are whitelisted
IAM_SAML_IDP_ENTITY_ID_WHITELIST=

## Assertion validity settings

# Maxixum allowed assertion time (in seconds)
IAM_SAML_MAX_ASSERTION_TIME=3000

# Maximum authentication age (in seconds)
IAM_SAML_MAX_AUTHENTICATION_AGE=86400

## Other settings

# List of attribute aliases that are looked up in assertion to identify the
# user authenticated with SAML
IAM_SAML_ID_RESOLVERS=eduPersonUniqueId,eduPersonTargetedId,eduPersonPrincipalName

## SMTP mail server settings

# SMTP server hostname
IAM_MAIL_HOST=localhost

# SMTP server port
IAM_MAIL_PORT=25

# SMTP server username
IAM_MAIL_USERNAME=

# SMTP server password
IAM_MAIL_PASSWORD=

## IAM notification settings

# Should the notification server be disabled?
# When set to true, notifications are not sent to the mail server (but
# printed to the logs)
IAM_NOTIFICATION_DISABLE=false

# The email address used as the sender in IAM email notifications
IAM_NOTIFICATION_FROM=indigo@localhost

# The email address used as the recipient in IAM email notifications
IAM_NOTIFICATION_ADMIN_ADDRESS=indigo-alerts@localhost

# Notification policy for account requests. The default value is notify-address
# meaning that notifications just arrive to the email address
# specified above. Set to notify-admins if you want to notify
# all IAM admins or to notify-address-and-admins to combine the two behaviors
IAM_NOTIFICATION_ADMIN_NOTIFICATION_POLICY=notify-address

# Notification policy for group requests. Default value notifies both
# admins and group managers. Set to notify-gms if you want to notify only group managers
IAM_NOTIFICATION_GROUP_MANAGER_NOTIFICATION_POLICY=notify-gms-and-admins

# Time interval, in milliseconds, between two consecutive runs of IAM notification
# dispatch task
IAM_NOTIFICATION_TASK_DELAY=30000

# Retention of delivered messages, in days
IAM_NOTIFICATION_CLEANUP_AGE=30
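
The resolution above comes down to `KEY=` lines in the env file, which reach the container as variables set to an empty string rather than unset. The following pre-flight check is an added example, not code from this issue or from the indigo-iam project: it lists empty assignments in a docker-compose env file (optionally only those with a given prefix such as IAM_SAML_) and writes a copy with them commented out; the sample env fragment inside it is constructed for the example.

```sh
#!/bin/sh
# Added example, not from the issue or the indigo-iam project: a pre-flight check
# for the env file passed to iam-login-service via docker-compose "env_file".
# It lists variables assigned an empty value (the KEY= lines the thread found to
# crash-loop the service) and can write a copy with those lines commented out.

# Print the names of variables set to an empty value in env file $1.
# Optional $2 restricts the check to names starting with that prefix (e.g. IAM_SAML_).
# Env-file syntax assumed: KEY=VALUE lines, '#' comments, blank lines, no quoting.
empty_vars() {
  grep -E "^${2:-}[A-Za-z_][A-Za-z0-9_]*=[[:space:]]*\$" "$1" | cut -d= -f1
}

# Count the empty assignments found by empty_vars (prints 0 when the file is clean).
count_empty_vars() {
  empty_vars "$1" "${2:-}" | wc -l | tr -d ' '
}

# Copy env file $1 to $2 with every empty assignment commented out, so that the
# variable is genuinely unset inside the container instead of being set to "".
strip_empty_vars() {
  sed -E 's/^([A-Za-z_][A-Za-z0-9_]*=[[:space:]]*)$/# disabled (empty value): \1/' "$1" > "$2"
}

# Constructed sample env fragment modelled on the one in this issue (not the real file).
SAMPLE_ENV="$(mktemp)"
CLEAN_ENV="$(mktemp)"
cat > "$SAMPLE_ENV" <<'EOF'
IAM_HOST=ccmapa.in2p3.fr
IAM_KEY_STORE_LOCATION=file:///keystore.jwks
# The SAML entity ID for this IAM instance
IAM_SAML_ENTITY_ID=
IAM_SAML_LOGIN_BUTTON_TEXT=Sign in with SAML
IAM_SAML_KEYSTORE=
IAM_MAIL_USERNAME=
IAM_MAIL_PORT=25
EOF

echo "Empty IAM_SAML_* variables:"
empty_vars "$SAMPLE_ENV" IAM_SAML_
strip_empty_vars "$SAMPLE_ENV" "$CLEAN_ENV"
echo "Empty variables remaining after cleanup: $(count_empty_vars "$CLEAN_ENV")"
```

Run it against the real env file before docker-compose up; a non-zero count for the IAM_SAML_ prefix with the saml profile active is exactly the situation this thread describes.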

rmiccoli commented 9 months ago

@bl000m Thanks a lot for sharing the solution :)