rakutentech / kafka-firehose-nozzle

Forward logs from the Cloud Foundry Firehose to Apache Kafka
MIT License

Failed to construct nozzle consumer: Failed To Fetch Token #26

Open webbbret opened 5 years ago

webbbret commented 5 years ago

Kafka Version: 2.1.0
CF Version: 6.41.0+dd4c76cdd.2018-11-28
Go Version: go1.10.3 linux/amd64
OS: RHEL 7

I have confirmed that the username and password in the toml file will authenticate against the UAA endpoint; however, I am getting the following errors:

[ERROR] Failed to construct nozzle consumer: failed to fetch token: Received a status code 401 Unauthorized

Followed by:

2019-01-02T17:26:53.628-08:00 [APP/PROC/WEB/2] [OUT] Exit status 2
2019-01-02T17:26:53.631-08:00 [CELL/SSHD/2] [OUT] Exit status 0

Note that I have Username and Password in the .toml file and do not have UAA_PASSWORD in the manifest. I have tried adding it to the manifest, but got the same results. Is there something I am not configuring correctly? Many thanks in advance for your help.

giner commented 5 years ago

The nozzle client has to be given the doppler.firehose authority, e.g.

uaa:
  clients:
...
    kafka-nozzle:
      authorities: oauth.login,doppler.firehose
      authorized-grant-types: client_credentials
      override: true
      secret: SUPERSECRET
...

webbbret commented 5 years ago

After creating a new Admin User (kafka-nozzle) with uaac client, and assigning the oauth.login, uaa.admin and doppler.firehose roles, I was finally able to get a token using the following command:

uaac token owner get cf kafka-nozzle -s "" -p MyPasswordHere

If I paste the token into my .toml file, I can get the nozzle to work, however, when I put the user and password into the .toml file without the token, I am unable to get a token and get the following error:

[ERROR] Failed to construct nozzle consumer: failed to fetch token: Received a status code 401 Unauthorized

Obviously, pasting the token will not be a permanent solution, as it will expire. So finding out how to get the token using the supplied credentials is critical. If you can provide any insight, it would be greatly appreciated. Cheers!

webbbret commented 5 years ago

Turns out that a user was not needed at all. Instead, a client is required. After reading the source, I determined that the code wants a client_id and secret, which a user does not have... only a client. After I created a client using the following:

uaac client create kafka-nozzle --authorized_grant_types client_credentials --authorities oauth.login,doppler.firehose --secret SomeSecretPwd

and set the username and password accordingly in the .toml file, all was well with the world! Cheers...hope this helps someone.
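
Added example, not part of the thread and not code from kafka-firehose-nozzle: a Go sketch of the client_credentials token request the resolution above relies on, plus a diagnostic check that a returned token is unexpired and carries doppler.firehose. It assumes the UAA token is a JWT with `scope` and `exp` claims; the UAA host is a placeholder, and `tokenRequest` and `checkToken` are hypothetical helper names.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net/http"
	"strings"
	"time"
)

// tokenRequest: client id and secret go in HTTP Basic auth; no user credentials are sent.
func tokenRequest(uaaURL, clientID, secret string) (*http.Request, error) {
	body := strings.NewReader("grant_type=client_credentials")
	req, err := http.NewRequest("POST", strings.TrimRight(uaaURL, "/")+"/oauth/token", body)
	if err == nil {
		req.SetBasicAuth(clientID, secret)
		req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	}
	return req, err
}

// checkToken reads the JWT payload WITHOUT verifying the signature (diagnosis only).
func checkToken(jwt string, now time.Time) error {
	var c struct {
		Scope []string `json:"scope"` // assumed claim: granted scopes/authorities
		Exp   int64    `json:"exp"`   // assumed claim: expiry, Unix seconds
	}
	parts := strings.Split(jwt, ".")
	if len(parts) != 3 {
		return fmt.Errorf("not a three-part JWT")
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err == nil {
		err = json.Unmarshal(raw, &c)
	}
	switch {
	case err != nil:
		return fmt.Errorf("unreadable payload: %w", err)
	case !now.Before(time.Unix(c.Exp, 0)):
		return fmt.Errorf("token expired") // why a pasted token is only a stopgap
	case !strings.Contains(" "+strings.Join(c.Scope, " ")+" ", " doppler.firehose "):
		return fmt.Errorf("token lacks doppler.firehose")
	}
	return nil
}

func main() {
	fmt.Println(checkToken("not-a-token", time.Now())) // constructed input
}
```

Because the signature is not verified, `checkToken` is only suitable for troubleshooting a 401 on your own deployment, not for making authorization decisions.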