ravanrijn / styx

Styx the open source Cloud Foundry console
MIT License

example kratos UAA client for BOSH manifest? #17

Closed grenzr closed 10 years ago

grenzr commented 10 years ago

Hi guys, was just wondering if you might be able to let me know an example UAA client for kratos (instead of cf client), as I am experiencing 401 errors when hitting:

15:11:12.922 [http-bio-61205-exec-7] WARN   org.springframework.web.client.RestTemplate  - GET request for "http://api.xxx.com/v2/users/fb33453e-691f-4f1f-8234-ffb49ced6983?inline-relations-depth=0" resulted in 401 (Unauthorized); invoking error handler
15:11:12.928 [http-bio-61205-exec-7] ERROR  com.github.kratos.http.HttpClient org.springframework.web.client.HttpClientErrorException: 401 Unauthorized
    at org.springframework.web.client.DefaultResponseErrorHandler.handleError(DefaultResponseErrorHandler.java:88)
    at org.springframework.web.client.RestTemplate.handleResponseError(RestTemplate.java:537)
 - Unable to retrieve result.
15:11:12.929 [http-bio-61205-exec-7] DEBUG  org.springframework.web.servlet.mvc.method.annotation.ExceptionHandlerExceptionResolver  - Resolving exception from handler [public java.lang.Object com.github.kratos.controller.RootController.index(java.lang.String)]: com.github.kratos.http.HttpClientException
15:11:12.930 [http-bio-61205-exec-7] DEBUG  org.springframework.beans.factory.support.DefaultListableBeanFactory  - Returning cached instance of singleton bean 'exceptionController'
15:11:12.930 [http-bio-61205-exec-7] DEBUG  org.springframework.web.servlet.mvc.method.annotation.ExceptionHandlerExceptionResolver  - Invoking @ExceptionHandler method: public org.springframework.http.ResponseEntity<com.github.styx.domain.ServiceError> com.github.styx.controller.ExceptionController.handleException(java.lang.Exception)
15:11:12.951 [http-bio-61205-exec-7] ERROR  com.github.styx.controller.ExceptionController com.github.kratos.http.HttpClientException: null
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:57)
 -

Here's mine currently:

    clients:
      cf:
        override: true
        authorized-grant-types: client_credentials,password,implicit,refresh_token
        authorities: uaa.none
        scope: cloud_controller.read,cloud_controller.write,openid,password.write,cloud_controller.admin,scim.read,scim.write
        access-token-validity: 7200
        refresh-token-validity: 1209600
      kratos:
        override: true
        authorized-grant-types: client_credentials,password,implicit,refresh_token
        authorities: clients.read,clients.write,clients.secret,password.write,scim.read
        scope: cloud_controller.read,cloud_controller.write,openid,password.write,cloud_controller.admin,scim.read,scim.write,openid
        access-token-validity: 7200
        refresh-token-validity: 1209600   
        secret: <%= common_password %>

I tried using the above kratos client and the default 'cf' client with no secret; both result in the above-mentioned 401 error.

The cloud controller logs show this:

{"timestamp":1380641987.5068674,"message":"Invalid bearer token: #<CF::UAA::InvalidAudience: invalid audience: [\"none\"]> [\"/var/vcap/packages/cloud_controller_ng/cloud_controller_ng/vendor/bundle/ruby/1.9.1/gems/cf-uaa-lib-1.3.
7/lib/uaa/token_coder.rb:185:in `decode'\", \"/var/vcap/packages/cloud_controller_ng/cloud_controller_ng/lib/vcap/uaa_util.rb:44:in `decode_token_with_key'\", \"/var/vcap/packages/cloud_controller_ng/cloud_controller_ng/lib/vcap/u
aa_util.rb:35:in `decode_token_with_asymmetric_key'\", \"/var/vcap/packages/cloud_controller_ng/cloud_controller_ng/lib/vcap/uaa_util.rb:17:in `decode_token'\", \"/var/vcap/packages/cloud_controller_ng/cloud_controller_ng/lib/clou
d_controller.rb:77:in `decode_token'\", \"/var/vcap/packages/cloud_controller_ng/cloud_controller_ng/lib/cloud_controller.rb:47:in `block in <class:Controller>'\", \"/var/vcap/packages/cloud_controller_ng/cloud_controller_ng/vendo
r/bundle/ruby/1.9.1/gems/sinatra-1.4.3/lib/sinatra/base.rb:1541:in `call'\", \"/var/vcap/packages/cloud_controller_ng/cloud_controller_ng/vendor/bundle/ruby/1.9.1/gems/sinatra-1.4.3/lib/sinatra/base.rb:1541:in `block in compile!'\
", \"/var/vcap/packages/cloud_controller_ng/cloud_controller_ng/vendor/bundle/ruby/1.9.1/gems/sinatra-1.4.3/lib/sinatra/base.rb:987:in `[]'\", \"/var/vcap/packages/cloud_controller_ng/cloud_controller_ng/vendor/bundle/ruby/1.9.1/g
ems/sinatra-1.4.3/lib/sinatra/base.rb:987:in `block in process_route'\", \"/var/vcap/packages/cloud_controller_ng/cloud_controller_ng/vendor/bundle/ruby/1.9.1/gems/sinatra-1.4.3/lib/sinatra/base.rb:985:in `catch'\", \"/var/vcap/pa
ckages/cloud_controller_ng/cloud_controller_ng/vendor/bundle/ruby/1.9.1/gems/sinatra-1.4.3/lib/sinatra/base.rb:985:in `process_route'\", \"/var/vcap/packages/cloud_controller_ng/cloud_controller_ng/vendor/bundle/ruby/1.9.1/gems/si
natra-1.4.3/lib/sinatra/base.rb:941:in `block in filter!'\", \"/var/vcap/packages/cloud_controller_ng/cloud_controller_ng/vendor/bundle/ruby/1.9.1/gems/sinatra-1.4.3/lib/sinatra/base.rb:941:in `each'\", \"/var/vcap/packages/cloud_
controller_ng/cloud_controller_ng/vendor/bundle/ruby/1.9.1/gems/sinatra-1.4.3/lib/sinatra/base.rb:941:in `filter!'\", \"/var/vcap/packages/cloud_controller_ng/cloud_controller_ng/vendor/bundle/ruby/1.9.1/gems/sinatra-1.4.3/lib/sin
atra/base.rb:1058:in `block in dispatch!'\", \"/var/vcap/packages/cloud_controller_ng/cloud_controller_ng/vendor/bundle/ruby/1.9.1/gems/sinatra-1.4.3/lib/sinatra/base.rb:1041:in `block in invoke'\", \"/var/vcap/packages/cloud_cont
roller_ng/cloud_controller_ng/vendor/bundle/ruby/1.9.1/gems/sinatra-1.4.3/lib/sinatra/base.rb:1041:in `catch'\", \"/var/vcap/packages/cloud_controller_ng/cloud_controller_ng/vendor/bundle/ruby/1.9.1/gems/sinatra-1.4.3/lib/sinatra/
base.rb:1041:in `invoke'\", \"/var/vcap/packages/cloud_controller_ng/cloud_controller_ng/vendor/bundle/ruby/1.9.1/gems/sinatra-1.4.3/lib/sinatra/base.rb:1056:in `dispatch!'\", \"/var/vcap/packages/cloud_controller_ng/cloud_control
ler_ng/vendor/bundle/ruby/1.9.1/gems/sinatra-1.4.3/lib/sinatra/base.rb:882:in `block in call!'\", \"/var/vcap/packages/cloud_controller_ng/cloud_controller_ng/vendor/bundle/ruby/1.9.1/gems/sinatra-1.4.3/lib/sinatra/base.rb:1041:in
 `block in invoke'\", \"/var/vcap/packages/cloud_controller_ng/cloud_controller_ng/vendor/bundle/ruby/1.9.1/gems/sinatra-1.4.3/lib/sinatra/base.rb:1041:in `catch'\", \"/var/vcap/packages/cloud_controller_ng/cloud_controller_ng/ven
dor/bundle/ruby/1.9.1/gems/sinatra-1.4.3/lib/sinatra/base.rb:1041:in `invoke'\", \"/var/vcap/packages/cloud_controller_ng/cloud_controller_ng/vendor/bundle/ruby/1.9.1/gems/sinatra-1.4.3/lib/sinatra/base.rb:882:in `call!'\", \"/var
/vcap/packages/cloud_controller_ng/cloud_controller_ng/vendor/bundle/ruby/1.9.1/gems/sinatra-1.4.3/lib/sinatra/base.rb:870:in `call'\", \"/var/vcap/packages/cloud_controller_ng/cloud_controller_ng/vendor/bundle/ruby/1.9.1/gems/rac
k-protection-1.5.0/lib/rack/protection/xss_header.rb:18:in `call'\", \"/var/vcap/packages/cloud_controller_ng/cloud_controller_ng/vendor/bundle/ruby/1.9.1/gems/rack-protection-1.5.0/lib/rack/protection/path_traversal.rb:16:in `cal
l'\", \"/var/vcap/packages/cloud_controller_ng/cloud_controller_ng/vendor/bundle/ruby/1.9.1/gems/rack-protection-1.5.0/lib/rack/protection/json_csrf.rb:18:in `call'\", \"/var/vcap/packages/cloud_controller_ng/cloud_controller_ng/v
endor/bundle/ruby/1.9.1/gems/rack-protection-1.5.0/lib/rack/protection/base.rb:49:in `call'\", \"/var/vcap/packages/cloud_controller_ng/cloud_controller_ng/vendor/bundle/ruby/1.9.1/gems/rack-protection-1.5.0/lib/rack/protection/ba
se.rb:49:in `call'\", \"/var/vcap/packages/cloud_controller_ng/cloud_controller_ng/vendor/bundle/ruby/1.9.1/gems/rack-protection-1.5.0/lib/rack/protection/frame_options.rb:31:in `call'\", \"/var/vcap/packages/cloud_controller_ng/c
loud_controller_ng/vendor/bundle/ruby/1.9.1/gems/rack-1.5.2/lib/rack/nulllogger.rb:9:in `call'\", \"/var/vcap/packages/cloud_controller_ng/cloud_controller_ng/vendor/bundle/ruby/1.9.1/gems/rack-1.5.2/lib/rack/head.rb:11:in `call'\
", \"/var/vcap/packages/cloud_controller_ng/cloud_controller_ng/vendor/bundle/ruby/1.9.1/gems/sinatra-1.4.3/lib/sinatra/base.rb:175:in `call'\", \"/var/vcap/packages/cloud_controller_ng/cloud_controller_ng/vendor/bundle/ruby/1.9.1
/gems/sinatra-1.4.3/lib/sinatra/base.rb:1949:in `call'\", \"/var/vcap/packages/cloud_controller_ng/cloud_controller_ng/vendor/bundle/ruby/1.9.1/gems/rack-1.5.2/lib/rack/builder.rb:138:in `call'\", \"/var/vcap/packages/cloud_contro
ller_ng/cloud_controller_ng/vendor/bundle/ruby/1.9.1/gems/rack-1.5.2/lib/rack/urlmap.rb:65:in `block in call'\", \"/var/vcap/packages/cloud_controller_ng/cloud_controller_ng/vendor/bundle/ruby/1.9.1/gems/rack-1.5.2/lib/rack/urlmap
.rb:50:in `each'\", \"/var/vcap/packages/cloud_controller_ng/cloud_controller_ng/vendor/bundle/ruby/1.9.1/gems/rack-1.5.2/lib/rack/urlmap.rb:50:in `call'\", \"/var/vcap/packages/cloud_controller_ng/cloud_controller_ng/vendor/bundl
e/ruby/1.9.1/gems/rack-1.5.2/lib/rack/commonlogger.rb:33:in `call'\", \"/var/vcap/packages/cloud_controller_ng/cloud_controller_ng/vendor/bundle/ruby/1.9.1/gems/sinatra-1.4.3/lib/sinatra/base.rb:212:in `call'\", \"/var/vcap/packag
es/cloud_controller_ng/cloud_controller_ng/vendor/bundle/ruby/1.9.1/gems/rack-1.5.2/lib/rack/builder.rb:138:in `call'\", \"/var/vcap/packages/cloud_controller_ng/cloud_controller_ng/vendor/bundle/ruby/1.9.1/gems/thin-1.5.1/lib/thi
n/connection.rb:81:in `block in pre_process'\", \"/var/vcap/packages/cloud_controller_ng/cloud_controller_ng/vendor/bundle/ruby/1.9.1/gems/thin-1.5.1/lib/thin/connection.rb:79:in `catch'\", \"/var/vcap/packages/cloud_controller_ng
/cloud_controller_ng/vendor/bundle/ruby/1.9.1/gems/thin-1.5.1/lib/thin/connection.rb:79:in `pre_process'\", \"/var/vcap/packages/cloud_controller_ng/cloud_controller_ng/vendor/bundle/ruby/1.9.1/gems/eventmachine-1.0.3/lib/eventmac
hine.rb:1037:in `call'\", \"/var/vcap/packages/cloud_controller_ng/cloud_controller_ng/vendor/bundle/ruby/1.9.1/gems/eventmachine-1.0.3/lib/eventmachine.rb:1037:in `block in spawn_threadpool'\"]","log_level":"warn","source":"cc.ap
i","data":{"request_guid":"1d221cf2-a1ee-4f6e-b8d7-e5a5be377d89"},"thread_id":33932400,"fiber_id":48479720,"process_id":23615,"file":"/var/vcap/packages/cloud_controller_ng/cloud_controller_ng/lib/cloud_controller.rb","lineno":83,
"method":"rescue in decode_token"}
{"timestamp":1380641987.508356,"message":"dispatch VCAP::CloudController::UsersController get /v2/users/:guid","log_level":"debug","source":"cc.api","data":{"request_guid":"1d221cf2-a1ee-4f6e-b8d7-e5a5be377d89"},"thread_id":339324
00,"fiber_id":48479720,"process_id":23615,"file":"/var/vcap/packages/cloud_controller_ng/cloud_controller_ng/lib/cloud_controller/rest_controller/routes.rb","lineno":12,"method":"block in define_route"}
{"timestamp":1380641987.5089386,"message":"parse_params: {\"inline-relations-depth\"=>\"0\"}","log_level":"debug","source":"cc.api","data":{"request_guid":"1d221cf2-a1ee-4f6e-b8d7-e5a5be377d89"},"thread_id":33932400,"fiber_id":484
79720,"process_id":23615,"file":"/var/vcap/packages/cloud_controller_ng/cloud_controller_ng/lib/cloud_controller/rest_controller/base.rb","lineno":59,"method":"parse_params"}
{"timestamp":1380641987.5094707,"message":"dispatch: read","log_level":"debug","source":"cc.api","data":{"request_guid":"1d221cf2-a1ee-4f6e-b8d7-e5a5be377d89"},"thread_id":33932400,"fiber_id":48479720,"process_id":23615,"file":"/v
ar/vcap/packages/cloud_controller_ng/cloud_controller_ng/lib/cloud_controller/rest_controller/base.rb","lineno":96,"method":"dispatch"}
{"timestamp":1380641987.5103846,"message":"Request failed with response code: 401 error code: 1000 error: Invalid Auth Token","log_level":"debug","source":"cc.api","data":{"request_guid":"1d221cf2-a1ee-4f6e-b8d7-e5a5be377d89"},"th
read_id":33932400,"fiber_id":48479720,"process_id":23615,"file":"/var/vcap/packages/cloud_controller_ng/cloud_controller_ng/lib/sinatra/vcap.rb","lineno":66,"method":"block in registered"}
ramonskie commented 10 years ago

I have the following settings, hope this helps you :)

    uaa:
        client:
          autoapprove:
            - cf
            - vmc
            - my
            - micro
            - support-signon
            - login
            - styx
         styx:
            override: true
            id: styx
            scope:  scim.write,scim.read,openid,cloud_controller.read,cloud_controller.write,password.write,cloud_controller.admin
            secret: styxsecret
            authorities: scim.write,scim.read,openid,cloud_controller.read,cloud_controller.write,password.write,uaa.admin,uaa.none,cloud_controller.admin
            authorized-grant-types: authorization_code,client_credentials,password,implicit
            access-token-validity: 1209600
            refresh-token-validity: 1209600

grenzr commented 10 years ago

That's it - working now - thanks very much :)

ramonskie commented 10 years ago

Your problem was the autoapprove option, I guess.
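
The Cloud Controller log in this thread rejects the token with `invalid audience: ["none"]`. As an added example (not code from styx, kratos or cf-uaa-lib), this Ruby script decodes a token's claims and repeats that audience comparison, so the token issued for a UAA client can be inspected when a 401 like this appears. The resource id `cloud_controller`, the helper names and the sample tokens are assumptions constructed for illustration.

```ruby
require 'base64'
require 'json'

# Decode the claims (middle segment) of a JWT WITHOUT verifying the signature.
# Diagnostic use only: never authorize a request on unverified claims.
def jwt_claims(token)
  parts = token.to_s.split('.')
  raise ArgumentError, 'not a JWT: expected 3 dot-separated segments' unless parts.length == 3
  seg = parts[1]
  seg += '=' * ((4 - seg.length % 4) % 4) # restore stripped base64url padding
  JSON.parse(Base64.urlsafe_decode64(seg))
end

# A resource server accepts a token only if its "aud" claim names that
# resource. "aud" may be a single string or an array of strings.
def audience_ok?(claims, resource_ids)
  !(Array(claims['aud']) & Array(resource_ids)).empty?
end

# Summarize the claims that decide whether the resource server accepts the token.
def diagnose(token, resource_id)
  claims = jwt_claims(token)
  {
    client_id: claims['client_id'],
    aud: Array(claims['aud']),
    scope: Array(claims['scope']),
    accepted: audience_ok?(claims, resource_id)
  }
end

# Build a constructed sample token with a dummy signature (not from a real UAA).
def sample_token(claims)
  enc = ->(obj) { Base64.urlsafe_encode64(JSON.generate(obj)).delete('=') }
  [enc.call('alg' => 'RS256'), enc.call(claims), 'dummy-signature'].join('.')
end

# Constructed inputs: one token shaped like the rejected case in the log,
# one carrying the audience the resource server expects (assumed id).
REJECTED = sample_token('client_id' => 'kratos', 'aud' => ['none'], 'scope' => [])
ACCEPTED = sample_token('client_id' => 'styx',
                        'aud' => %w[cloud_controller scim openid],
                        'scope' => %w[cloud_controller.read scim.read openid])

if __FILE__ == $PROGRAM_NAME
  [REJECTED, ACCEPTED].each { |t| puts diagnose(t, 'cloud_controller') }
end
```
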