spring-cloud / spring-cloud-dataflow

A microservices-based Streaming and Batch data processing in Cloud Foundry and Kubernetes
https://dataflow.spring.io
Apache License 2.0

OAuth setup for skipper server #4584

Open tommparekh opened 3 years ago

tommparekh commented 3 years ago

I am following the documentation here to set up OAuth authentication for my SCDF and Skipper servers. Both the Data Flow and Skipper servers are deployed on open source Cloud Foundry.

identity-provider-azure

Here is the text from the link that is confusing: App registration is where OAuth clients are created to get used by OAuth applications. At minimum, you need to create two clients, one for the Data Flow and Skipper servers and one for the Data Flow shell, as these two have slightly different configurations. Server applications can be considered to be trusted applications while shell is not trusted (because users can see its full configuration).

As the SCDF dashboard is a UI application, the OAuth setup will use the authorization flow. The documentation suggests using the same setup as the SCDF OAuth client to set up the Skipper server. However, the Skipper server is not accessible through a UI and appears to be more of a system-to-system communication (Data Flow server - Skipper). So should we use the same OAuth client as the Data Flow server?

For your reference, I am also seeing the error below with the current setup (Skipper OAuth setup matching the Data Flow server):

09:36:05.566: [APP/PROC/WEB.0]  at org.springframework.web.client.HttpClientErrorException.create(HttpClientErrorException.java:105)
09:36:05.566: [APP/PROC/WEB.0]  at org.springframework.web.client.DefaultResponseErrorHandler.handleError(DefaultResponseErrorHandler.java:184)
09:36:05.566: [APP/PROC/WEB.0]  at org.springframework.cloud.skipper.client.SkipperClientResponseErrorHandler.handleError(SkipperClientResponseErrorHandler.java:78)
09:36:05.566: [APP/PROC/WEB.0]  at org.springframework.web.client.ResponseErrorHandler.handleError(ResponseErrorHandler.java:63)
09:36:05.566: [APP/PROC/WEB.0]  at org.springframework.web.client.RestTemplate.handleResponse(RestTemplate.java:780)
09:36:05.566: [APP/PROC/WEB.0]  at org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:738)
09:36:05.566: [APP/PROC/WEB.0]  at org.springframework.cloud.dataflow.server.stream.SkipperStreamDeployer.environmentInfo(SkipperStreamDeployer.java:554)
09:36:05.566: [APP/PROC/WEB.0]  at org.springframework.cloud.dataflow.server.controller.AboutController.getAboutResource(AboutController.java:158)
09:36:05.566: [APP/PROC/WEB.0]  at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
09:36:05.566: [APP/PROC/WEB.0]  at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
09:36:05.566: [APP/PROC/WEB.0]  at org.springframework.web.servlet.mvc.method.annotation.ServletInvocableHandlerMethod.invokeAndHandle(ServletInvocableHandlerMethod.java:105)
09:36:05.566: [APP/PROC/WEB.0]  at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:1040)
09:36:05.566: [APP/PROC/WEB.0]  at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:943)
09:36:05.566: [APP/PROC/WEB.0]  at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:1006)
09:36:05.566: [APP/PROC/WEB.0]  at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:898)
09:36:05.566: [APP/PROC/WEB.0]  at javax.servlet.http.HttpServlet.service(HttpServlet.java:626)
09:36:05.566: [APP/PROC/WEB.0]  at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:883)
09:36:05.566: [APP/PROC/WEB.0]  at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
09:36:05.566: [APP/PROC/WEB.0]  at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53)
09:36:05.566: [APP/PROC/WEB.0]  at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
09:36:05.566: [APP/PROC/WEB.0]  at org.springframework.web.filter.ForwardedHeaderFilter.doFilterInternal(ForwardedHeaderFilter.java:149)
09:36:05.566: [APP/PROC/WEB.0]  at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
09:36:05.566: [APP/PROC/WEB.0]  at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:320)
09:36:05.566: [APP/PROC/WEB.0]  at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:126)
09:36:05.566: [APP/PROC/WEB.0]  at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
09:36:05.566: [APP/PROC/WEB.0]  at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:137)
09:36:05.566: [APP/PROC/WEB.0]  at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
09:36:05.566: [APP/PROC/WEB.0]  at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
09:36:05.566: [APP/PROC/WEB.0]  at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
09:36:05.566: [APP/PROC/WEB.0]  at org.springframework.security.web.authentication.www.BasicAuthenticationFilter.doFilterInternal(BasicAuthenticationFilter.java:155)
09:36:05.566: [APP/PROC/WEB.0]  at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
09:36:05.566: [APP/PROC/WEB.0]  at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
09:36:05.566: [APP/PROC/WEB.0]  at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
09:36:05.566: [APP/PROC/WEB.0]  at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
09:36:05.566: [APP/PROC/WEB.0]  at org.springframework.security.web.authentication.ui.DefaultLogoutPageGeneratingFilter.doFilterInternal(DefaultLogoutPageGeneratingFilter.java:52)
09:36:05.566: [APP/PROC/WEB.0]  at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
09:36:05.566: [APP/PROC/WEB.0]  at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:200)
09:36:05.566: [APP/PROC/WEB.0]  at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
09:36:05.566: [APP/PROC/WEB.0]  at org.springframework.security.oauth2.client.web.OAuth2AuthorizationRequestRedirectFilter.doFilterInternal(OAuth2AuthorizationRequestRedirectFilter.java:160)
09:36:05.566: [APP/PROC/WEB.0]  at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
09:36:05.566: [APP/PROC/WEB.0]  at org.springframework.security.web.header.HeaderWriterFilter.doHeadersAfter(HeaderWriterFilter.java:92)
09:36:05.566: [APP/PROC/WEB.0]  at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
09:36:05.566: [APP/PROC/WEB.0]  at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
09:36:05.566: [APP/PROC/WEB.0]  at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:105)
09:36:05.566: [APP/PROC/WEB.0]  at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:178)
09:36:05.566: [APP/PROC/WEB.0]  at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:271)
09:36:05.566: [APP/PROC/WEB.0]  at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
09:36:05.566: [APP/PROC/WEB.0]  at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
09:36:05.566: [APP/PROC/WEB.0]  at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
09:36:05.566: [APP/PROC/WEB.0]  at org.springframework.boot.actuate.metrics.web.servlet.WebMvcMetricsFilter.doFilterInternal(WebMvcMetricsFilter.java:93)
09:36:05.566: [APP/PROC/WEB.0]  at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
09:36:05.566: [APP/PROC/WEB.0]  at org.cloudfoundry.router.ClientCertificateMapper.doFilter(ClientCertificateMapper.java:79)
09:36:05.566: [APP/PROC/WEB.0]  at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
09:36:05.566: [APP/PROC/WEB.0]  at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)
09:36:05.566: [APP/PROC/WEB.0]  at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
09:36:05.567: [APP/PROC/WEB.0]  at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
09:36:05.567: [APP/PROC/WEB.0]  at java.lang.Thread.run(Thread.java:748)

Thanks, Mihir

tommparekh commented 3 years ago

If I remove the OAuth setup from the Skipper server (just HTTPS config), then I can log on to the Data Flow server dashboard using OAuth. However, I continue to see the application status as undeployed (while the applications are deployed successfully). I can see all the streams I created, but they show as undeployed.

Not sure if this is an issue? In the Data Flow config, I have already mapped all the roles correctly (view and others).
