opentdf / platform

Persistent data centric security that extends owner control wherever data travels
BSD 3-Clause Clear License

Encrypt Failure: Unable to retrieve public key from KAS #704

Closed cakeholeDC closed 6 months ago

cakeholeDC commented 7 months ago

As of APR 29 2024 otdfctl encrypt fails with the following error message:

otdfctl encrypt plaintext.txt -o encrypted
{"time":"2024-04-29T11:05:12.640013-07:00","level":"DEBUG","msg":"LoadConfig: file and key not provided, using default file","config file":""}
{"time":"2024-04-29T11:05:12.936563-07:00","level":"DEBUG","msg":"getting new access token"}
{"time":"2024-04-29T11:05:12.936615-07:00","level":"DEBUG","msg":"Building DPoP Proof"}
 ERROR    Failed to encrypt: unable to retrieve public key from KAS at [http://localhost:8080]: error making request to KAS: rpc error: code = Unavailable desc = connection error: desc = "transport: Error while dialing: dial tcp [::1]:8080: connect: connection refused

Path to recreate: Spin up local opentdf/platform following the instructions on the main branch (0e59213e127e8b6a0b071a04f3ce380907fe494e):

  1. Kas Keys
  2. Postgres & Keycloak
  3. Bootstrap Keycloak
  4. Start the platform
otdfctl auth client-credentials --client-id opentdf --client-secret secret

echo "Hello World!" > plaintext.txt

otdfctl encrypt plaintext.txt -o encrypted 

The otdfctl encrypt function worked as expected with a previous iteration of the opentdf platform. And if we roll back to a commit from last week and re-deploy the platform, the encrypt function begins to work again as expected.

# opentdf/platform repo
git checkout f9e9d7288c1f63fdc1ffb0916fdb9ae4c390cee8

Follow README steps to run platform locally. ‼️ Note, the process is different on this commit

  1. docker-compose up
  2. OpenTDF Config
  3. Provision Keycloak
  4. Kas Keys
  5. Start the Platform
elizabethhealy commented 7 months ago

If you are using the docker run command from the "Running the Platform Locally" section of the readme, you may need to add a flag to publish the container port to the host ex:

docker run --network opentdf_platform -p "127.0.0.1:8080:8080" \
      -v "$(pwd)/kas-keys/:/keys/" \
      -v "$(pwd)/opentdf.yaml:/home/nonroot/.opentdf/opentdf.yaml" \
      -it registry.opentdf.io/platform:nightly start
b-long commented 7 months ago

👍 Building on top of the (linked ☝️ ) PR from @elizabethhealy , I proposed https://github.com/opentdf/platform/pull/713

strantalis commented 7 months ago

@cakeholeDC Is this resolved?

Rajan251 commented 7 months ago

If you are using the docker run command from the "Running the Platform Locally" section of the readme, you may need to add a flag to publish the container port to the host ex:

docker run --network opentdf_platform -p "127.0.0.1:8080:8080" \
      -v "$(pwd)/kas-keys/:/keys/" \
      -v "$(pwd)/opentdf.yaml:/home/nonroot/.opentdf/opentdf.yaml" \
      -it registry.opentdf.io/platform:nightly start

When I run this command in my terminal, I get this error message:

docker run --network opentdf_platform -p "127.0.0.1:8080:8080" \
      -v "$(pwd)/kas-keys/:/keys/" \
      -v "$(pwd)/opentdf.yaml:/home/nonroot/.opentdf/opentdf.yaml" \
      -it registry.opentdf.io/platform:nightly start
2024/05/07 10:13:23 INFO starting opentdf services
2024/05/07 10:13:23 INFO loading configuration
2024/05/07 10:13:23 INFO starting logger
time=2024-05-07T10:13:23.137Z level=DEBUG msg="config loaded" config="&{DB:{Host:opentdfdb Port:5432 Database:opentdf User:postgres Password:changeme RunMigrations:true SSLMode:prefer Schema:opentdf VerifyConnection:true MigrationsFS:<nil>} OPA:{Path:./opentdf-opa.yaml Embedded:true Logger:<nil>} Server:{Auth:{Enabled:true PublicRoutes:[] AuthNConfig:{EnforceDPoP:false Issuer:http://keycloak:8888/auth/realms/opentdf Audience:http://localhost:8080 OIDCConfiguration:{Issuer: AuthorizationEndpoint: TokenEndpoint: JwksURI: ResponseTypesSupported:[] SubjectTypesSupported:[] IDTokenSigningAlgValuesSupported:[] RequireRequestURIRegistration:false} Policy:{Default: RoleClaim: RoleMap:map[] Csv: Model:} CacheRefresh:15m}} GRPC:{ReflectionEnabled:true} CryptoProvider:{Type:standard HSMConfig:{Enabled:false ModulePath: PIN: SlotID:0 SlotLabel: Keys:map[]} StandardConfig:{RSAKeys:map[123:{PrivateKeyPath:/keys/kas-private.pem PublicKeyPath:/keys/kas-cert.pem} 456:{PrivateKeyPath:/keys/kas-private.pem PublicKeyPath:/keys/kas-cert.pem}] ECKeys:map[123:{PrivateKeyPath:/keys/kas-ec-private.pem PublicKeyPath:/keys/kas-ec-cert.pem}]}} TLS:{Enabled:false Cert: Key:} WellKnownConfigRegister:<nil> Port:8080 Host:} Logger:{Level:debug Output:stdout Type:text} Services:map[authorization:{Enabled:true Remote:{Endpoint:} ExtraProps:map[client:tdf-entity-resolution legacy:true realm:opentdf secret:secret url:http://localhost:8888]} health:{Enabled:true Remote:{Endpoint:} ExtraProps:map[]} kas:{Enabled:true Remote:{Endpoint:} ExtraProps:map[]} policy:{Enabled:true Remote:{Endpoint:} ExtraProps:map[]} wellknown:{Enabled:true Remote:{Endpoint:} ExtraProps:map[]}]}"
time=2024-05-07T10:13:23.138Z level=INFO msg="starting opa engine"
time=2024-05-07T10:13:23.138Z level=DEBUG msg="plugging in plugins"
time=2024-05-07T10:13:23.146Z level=INFO msg="Starting bundle loader." plugin=bundle name=test
time=2024-05-07T10:13:23.146Z level=INFO msg="Starting decision logger." plugin=decision_logs
time=2024-05-07T10:13:23.147Z level=DEBUG msg="Download starting."
time=2024-05-07T10:13:23.156Z level=DEBUG msg="Download in progress."
time=2024-05-07T10:13:23.156Z level=DEBUG msg="Bundle activation in progress (). Opening storage transaction." name=test plugin=bundle
time=2024-05-07T10:13:23.157Z level=DEBUG msg="Opened storage transaction (3)." plugin=bundle name=test
time=2024-05-07T10:13:23.160Z level=DEBUG msg="Closing storage transaction (3)." name=test plugin=bundle
time=2024-05-07T10:13:23.160Z level=INFO msg="Bundle loaded and activated successfully." name=test plugin=bundle
time=2024-05-07T10:13:23.160Z level=INFO msg="init opentdf server"
time=2024-05-07T10:13:23.160Z level=WARN msg="config Auth.EnforceDPoP is false. DPoP will not be enforced."
time=2024-05-07T10:13:23.161Z level=DEBUG msg="discovering openid configuration" issuer=http://keycloak:8888/auth/realms/opentdf
time=2024-05-07T10:13:23.162Z level=ERROR msg="issue creating opentdf server" error="failed to create authentication interceptor: Get \"http://keycloak:8888/auth/realms/opentdf/.well-known/openid-configuration\": dial tcp 172.20.0.2:8888: connect: connection refused"
time=2024-05-07T10:13:23.162Z level=INFO msg="Stopping bundle loader." name=test plugin=bundle
time=2024-05-07T10:13:23.162Z level=DEBUG msg="Waiting 1m20.884188994s before next download/retry."
time=2024-05-07T10:13:23.162Z level=INFO msg="Stopping decision logger." plugin=decision_logs
Error: issue creating opentdf server: failed to create authentication interceptor: Get "http://keycloak:8888/auth/realms/opentdf/.well-known/openid-configuration": dial tcp 172.20.0.2:8888: connect: connection refused
time=2024-05-07T10:13:23.163Z level=ERROR msg="issue starting opentdf" error="issue creating opentdf server: failed to create authentication interceptor: Get \"http://keycloak:8888/auth/realms/opentdf/.well-known/openid-configuration\": dial tcp 172.20.0.2:8888: connect: connection refused"
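The two "connection refused" failures in this thread point at different layers: otdfctl on the host cannot dial `[::1]:8080`, which the `-p "127.0.0.1:8080:8080"` flag above fixes by publishing the container port, while the platform container in the second report cannot dial keycloak at `172.20.0.2:8888`, an address on the docker network, so the missing piece there is the Keycloak container itself rather than a port mapping. The Python triage helper below is an added example, not code from opentdf/platform or from anyone in this thread; it extracts the `dial tcp <addr>:<port>` target that Go's net package prints and classifies it by address type. The category names and the sample messages (trimmed from the logs quoted above) are my own.

```python
import ipaddress
import re

# Constructed samples, trimmed from the two errors quoted in this issue.
CLIENT_SIDE = ('Failed to encrypt: unable to retrieve public key from KAS at '
               '[http://localhost:8080]: error making request to KAS: rpc error: '
               'code = Unavailable desc = connection error: desc = "transport: Error '
               'while dialing: dial tcp [::1]:8080: connect: connection refused')
SERVER_SIDE = ('issue creating opentdf server: failed to create authentication '
               'interceptor: Get "http://keycloak:8888/auth/realms/opentdf/'
               '.well-known/openid-configuration": dial tcp 172.20.0.2:8888: '
               'connect: connection refused')

# Go's net package brackets IPv6 literals ([::1]:8080) but not IPv4 ones
# (172.20.0.2:8888); both forms are captured here.
DIAL_RE = re.compile(r'dial tcp (?:\[([^\]]+)\]|([0-9.]+)):(\d+)')

# Hypothetical category names chosen for this example.
EXPLANATIONS = {
    'loopback-port-not-published':
        'the client dialed a loopback address on the host; if the service runs in '
        'a container, publish its port (docker run -p host:port:port)',
    'dependency-unreachable-on-docker-network':
        'a container dialed a private (docker network) address and was refused; '
        'the dependency container is not running or not listening on that port',
    'remote-unreachable':
        'a non-local address refused the connection; check the endpoint URL, '
        'firewalling and whether the remote service is up',
    'unknown':
        'no "dial tcp" target found in the message',
}


def dial_target(message):
    """Return (host, port) of the refused dial, or None if not present."""
    m = DIAL_RE.search(message)
    if not m:
        return None
    host = m.group(1) or m.group(2)
    return host, int(m.group(3))


def diagnose(message):
    """Classify a connection-refused message by the address that was dialed."""
    target = dial_target(message)
    if target is None:
        return 'unknown', None
    host, port = target
    addr = ipaddress.ip_address(host)
    if addr.is_loopback:
        return 'loopback-port-not-published', (host, port)
    if addr.is_private:
        return 'dependency-unreachable-on-docker-network', (host, port)
    return 'remote-unreachable', (host, port)


def explain(message):
    """Human-readable one-liner for an operator reading the log."""
    category, target = diagnose(message)
    where = f' ({target[0]}:{target[1]})' if target else ''
    return f'{category}{where}: {EXPLANATIONS[category]}'


if __name__ == '__main__':
    for sample in (CLIENT_SIDE, SERVER_SIDE):
        print(explain(sample))
```

The loopback check is evaluated before the private-range check because `::1` and `127.0.0.0/8` are also "private" to `ipaddress`; ordering them the other way would misfile the otdfctl error as a docker-network problem.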
cakeholeDC commented 6 months ago

fix(documentation): Add flag to run command in instructions for "Running the Platform Locally" #709

@strantalis Yes, this was resolved with PR https://github.com/opentdf/platform/pull/709 - the solution is the same as what @Rajan251 pointed to.

I will close this issue.