spring-cloud / spring-cloud-dataflow

A microservices-based Streaming and Batch data processing in Cloud Foundry and Kubernetes
https://dataflow.spring.io
Apache License 2.0

2.11-RC boot version list api response 403 #5457

Closed ar-bella-jeong closed 10 months ago

ar-bella-jeong commented 10 months ago

Description: I'm using springcloud/spring-cloud-dataflow-server:2.11.0-RC1 to test Dataflow in k8s 1.27. I also use Keycloak to use OAuth, but when I try to add an application, the boot app versions are not displayed, so I checked, and the /schema/versions API responds with '403'. I suppose that the Spring Security settings in Dataflow not only lack a role for the API, but the API also isn't set in permit-all-paths.

Release versions: spring-cloud-dataflow-server:2.11.0-RC1

Steps to reproduce:

onobc commented 10 months ago

Hi @ar-bella-jeong ,

A few questions for you if you don't mind.

  1. Did this work in previous version of Dataflow?
  2. How are you installing Dataflow into K8s?
  3. Which k8s runtime are you using (local Kind/Minikube/etc.. or actual runtime)?

Thanks

ar-bella-jeong commented 10 months ago

Hi @onobc

I have answered your questions below.

  1. Did this work in previous version of Dataflow? Yes. It worked well.
  2. How are you installing Dataflow into K8s? For the previous version, I used the Bitnami Helm package, but now, in the case of 2.11.0-RC1, I made k8s manifests.
  3. Which k8s runtime are you using (local Kind/Minikube/etc.. or actual runtime)? I'm using EKS.

As I said, this issue is about the permission problem of /schema/versions, which is a new API for Boot 3 compatibility. Now, I have added the API to the spring.cloud.dataflow.security.authorization.permit-all-paths property so that the boot versions are shown on the new application page. It works well.

As a result, I think we need to set the role for the API or add it to permit-all-paths.

Thanks.

corneil commented 10 months ago

/schema/versions is a new controller. The security role definition needs to be added to the default list.
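
The three states discussed in this thread (no rule for the new endpoint, the permit-all-paths workaround, and a role rule), modelled as an added example that is not part of the issue or of Data Flow's own code. It assumes the `METHOD path => expression` rule syntax, a simplified Ant-style matcher, a deny-by-default fallback consistent with the reported 403, and `ROLE_VIEW` as a hypothetical role for the endpoint; the path and rule lists are constructed samples.

```python
import re

def ant_to_regex(pattern):
    """Translate a simplified Ant-style path pattern ('**', '*') to a regex."""
    out, i = "", 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out, i = out + ".*", i + 2
        elif pattern[i] == "*":
            out, i = out + "[^/]*", i + 1
        else:
            out, i = out + re.escape(pattern[i]), i + 1
    return re.compile("^" + out + "$")

def parse_rule(line):
    """Split 'METHOD /path => expression' into method, path regex, expression."""
    left, expr = line.split("=>", 1)
    method, path = left.split()
    return method.upper(), ant_to_regex(path), expr.strip()

def decide(method, path, permit_all_paths, rules):
    """Model: permit-all paths first, then first matching rule, else deny."""
    for pattern in permit_all_paths:
        if ant_to_regex(pattern).match(path):
            return "permitAll (no authentication)"
    for rule_method, rule_path, expr in map(parse_rule, rules):
        if rule_method == method.upper() and rule_path.match(path):
            return expr
    return "denyAll (403)"  # assumed fallback, matching the 403 in the report

# Constructed sample configuration, not the server's real default lists.
PERMIT_ALL = ["/authenticate", "/security/info", "/assets/**"]
RULES = ["GET /about => hasRole('ROLE_VIEW')",
         "GET /apps => hasRole('ROLE_VIEW')",
         "POST /apps/** => hasRole('ROLE_CREATE')"]

def scenarios():
    """Evaluate GET /schema/versions under the three configurations."""
    req = ("GET", "/schema/versions")
    role_rule = "GET /schema/versions => hasRole('ROLE_VIEW')"  # hypothetical role
    return {
        "as_reported": decide(*req, PERMIT_ALL, RULES),
        "workaround": decide(*req, PERMIT_ALL + ["/schema/versions"], RULES),
        "role_rule": decide(*req, PERMIT_ALL, RULES + [role_rule]),
    }

if __name__ == "__main__":
    for name, outcome in scenarios().items():
        print(f"{name:12} -> {outcome}")
```

The workaround and the role rule both make the versions list load, but only the role rule keeps the endpoint behind authentication.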