wso2 / api-manager

All issues, tasks, improvements and new features of WSO2 API Manager
Apache License 2.0

Getting an error when configuring the created API #3310

Open Ashi1993 opened 1 month ago

Ashi1993 commented 1 month ago

Description

We observe an error in the console when trying to configure the created API before publishing. We tried configuring schema validation, policies, endpoints and got the same error in the console even though the configurations saving is successful. We have added the WSO2 IS 7 as the custom key manager.

[2024-10-08 14:55:01,336] ERROR - APIProviderImpl Error while updating resource to scope attachment in Key Manager wso2IS
org.wso2.carbon.apimgt.api.APIManagementException: Failed to create role: Internal/subscriber

Steps to Reproduce

Set up IS 7 as a key manager. Create an API. Configure endpoint.

Affected Component

APIM

Version

4.4.0-Alpha

Environment Details (with versions)

No response

Relevant Log Output

[2024-10-08 14:55:01,336] ERROR - APIProviderImpl Error while updating resource to scope attachment in Key Manager wso2IS
org.wso2.carbon.apimgt.api.APIManagementException: Failed to create role: Internal/subscriber
    at org.wso2.carbon.apimgt.impl.AbstractKeyManager.handleException_aroundBody12(AbstractKeyManager.java:274) ~[org.wso2.carbon.apimgt.impl_9.30.10.jar:?]
    at org.wso2.carbon.apimgt.impl.AbstractKeyManager.handleException(AbstractKeyManager.java:1) ~[org.wso2.carbon.apimgt.impl_9.30.10.jar:?]
    at org.wso2.is7.client.WSO2IS7KeyManager.createWSO2IS7Role(WSO2IS7KeyManager.java:1058) ~[wso2is7.key.manager_2.0.3.jar:?]
    at org.wso2.is7.client.WSO2IS7KeyManager.createWSO2IS7RoleToScopeBindings(WSO2IS7KeyManager.java:968) ~[wso2is7.key.manager_2.0.3.jar:?]
    at org.wso2.is7.client.WSO2IS7KeyManager.registerWSO2IS7Scopes(WSO2IS7KeyManager.java:874) ~[wso2is7.key.manager_2.0.3.jar:?]
    at org.wso2.is7.client.WSO2IS7KeyManager.updateResourceScopes(WSO2IS7KeyManager.java:1214) ~[wso2is7.key.manager_2.0.3.jar:?]
    at org.wso2.carbon.apimgt.impl.APIProviderImpl.updateAPIResources_aroundBody84(APIProviderImpl.java:1289) ~[org.wso2.carbon.apimgt.impl_9.30.10.jar:?]
    at org.wso2.carbon.apimgt.impl.APIProviderImpl.updateAPIResources(APIProviderImpl.java:1) ~[org.wso2.carbon.apimgt.impl_9.30.10.jar:?]
    at org.wso2.carbon.apimgt.impl.APIProviderImpl.updateAPI_aroundBody82(APIProviderImpl.java:1237) ~[org.wso2.carbon.apimgt.impl_9.30.10.jar:?]
    at org.wso2.carbon.apimgt.impl.APIProviderImpl.updateAPI(APIProviderImpl.java:1) ~[org.wso2.carbon.apimgt.impl_9.30.10.jar:?]
    at org.wso2.carbon.apimgt.impl.APIProviderImpl.updateAPI_aroundBody66(APIProviderImpl.java:1095) ~[org.wso2.carbon.apimgt.impl_9.30.10.jar:?]
    at org.wso2.carbon.apimgt.impl.APIProviderImpl.updateAPI(APIProviderImpl.java:1) ~[org.wso2.carbon.apimgt.impl_9.30.10.jar:?]
    at org.wso2.carbon.apimgt.impl.UserAwareAPIProvider.updateAPI(UserAwareAPIProvider.java:1) ~[org.wso2.carbon.apimgt.impl_9.30.10.jar:?]
    at org.wso2.carbon.apimgt.rest.api.publisher.v1.common.mappings.PublisherCommonUtils.updateApi(PublisherCommonUtils.java:198) ~[org.wso2.carbon.apimgt.rest.api.publisher.v1.common_9.30.10.jar:?]
    at org.wso2.carbon.apimgt.rest.api.publisher.v1.impl.ApisApiServiceImpl.updateAPI(ApisApiServiceImpl.java:747) ~[?:?]
    at org.wso2.carbon.apimgt.rest.api.publisher.v1.ApisApi.updateAPI(ApisApi.java:1716) ~[?:?]
    at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:?]
    at jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77) ~[?:?]
    at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:?]
    at java.lang.reflect.Method.invoke(Method.java:568) ~[?:?]
    at org.apache.cxf.service.invoker.AbstractInvoker.performInvocation(AbstractInvoker.java:179) ~[?:?]
    at org.apache.cxf.service.invoker.AbstractInvoker.invoke(AbstractInvoker.java:96) ~[?:?]
    at org.apache.cxf.jaxrs.JAXRSInvoker.invoke(JAXRSInvoker.java:201) ~[?:?]
    at org.apache.cxf.jaxrs.JAXRSInvoker.invoke(JAXRSInvoker.java:104) ~[?:?]
    at org.apache.cxf.interceptor.ServiceInvokerInterceptor$1.run(ServiceInvokerInterceptor.java:59) ~[?:?]
    at org.apache.cxf.interceptor.ServiceInvokerInterceptor.handleMessage(ServiceInvokerInterceptor.java:96) ~[?:?]
    at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:307) ~[?:?]
    at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121) ~[?:?]
    at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:265) ~[?:?]
    at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:234) ~[?:?]
    at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:208) ~[?:?]
    at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:160) ~[?:?]
    at org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:225) ~[?:?]
    at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:304) ~[?:?]
    at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPut(AbstractHTTPServlet.java:234) ~[?:?]
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:558) ~[tomcat-servlet-api_9.0.94.wso2v1.jar:?]
    at org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:279) ~[?:?]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:199) ~[tomcat_9.0.94.wso2v1.jar:?]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144) ~[tomcat_9.0.94.wso2v1.jar:?]
    at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:51) ~[tomcat_9.0.94.wso2v1.jar:?]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:168) ~[tomcat_9.0.94.wso2v1.jar:?]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144) ~[tomcat_9.0.94.wso2v1.jar:?]
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:168) ~[tomcat_9.0.94.wso2v1.jar:?]
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:90) ~[tomcat_9.0.94.wso2v1.jar:?]
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:482) ~[tomcat_9.0.94.wso2v1.jar:?]
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:130) ~[tomcat_9.0.94.wso2v1.jar:?]
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:93) ~[tomcat_9.0.94.wso2v1.jar:?]
    at org.wso2.carbon.identity.context.rewrite.valve.TenantContextRewriteValve.invoke(TenantContextRewriteValve.java:119) ~[org.wso2.carbon.identity.context.rewrite.valve_1.8.41.jar:?]
    at org.wso2.carbon.identity.context.rewrite.valve.OrganizationContextRewriteValve.invoke(OrganizationContextRewriteValve.java:115) ~[org.wso2.carbon.identity.context.rewrite.valve_1.8.41.jar:?]
    at org.wso2.carbon.tomcat.ext.valves.SameSiteCookieValve.invoke(SameSiteCookieValve.java:38) ~[org.wso2.carbon.tomcat.ext_4.9.27.alpha.jar:?]
    at org.wso2.carbon.identity.authz.valve.AuthorizationValve.invoke(AuthorizationValve.java:167) ~[org.wso2.carbon.identity.authz.valve_1.8.41.jar:?]
    at org.wso2.carbon.identity.auth.valve.AuthenticationValve.invoke(AuthenticationValve.java:118) ~[org.wso2.carbon.identity.auth.valve_1.8.41.jar:?]
    at org.wso2.carbon.tomcat.ext.valves.CompositeValve.continueInvocation(CompositeValve.java:114) ~[org.wso2.carbon.tomcat.ext_4.9.27.alpha.jar:?]
    at org.wso2.carbon.tomcat.ext.valves.TomcatValveContainer.invokeValves(TomcatValveContainer.java:49) ~[org.wso2.carbon.tomcat.ext_4.9.27.alpha.jar:?]
    at org.wso2.carbon.tomcat.ext.valves.CompositeValve.invoke(CompositeValve.java:75) ~[org.wso2.carbon.tomcat.ext_4.9.27.alpha.jar:?]
    at org.wso2.carbon.tomcat.ext.valves.CarbonStuckThreadDetectionValve.invoke(CarbonStuckThreadDetectionValve.java:152) ~[org.wso2.carbon.tomcat.ext_4.9.27.alpha.jar:?]
    at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:660) ~[tomcat_9.0.94.wso2v1.jar:?]
    at org.wso2.carbon.tomcat.ext.valves.CarbonContextCreatorValve.invoke(CarbonContextCreatorValve.java:63) ~[org.wso2.carbon.tomcat.ext_4.9.27.alpha.jar:?]
    at org.wso2.carbon.tomcat.ext.valves.RequestCorrelationIdValve.invoke(RequestCorrelationIdValve.java:137) ~[org.wso2.carbon.tomcat.ext_4.9.27.alpha.jar:?]
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74) ~[tomcat_9.0.94.wso2v1.jar:?]
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:346) ~[tomcat_9.0.94.wso2v1.jar:?]
    at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:383) ~[tomcat_9.0.94.wso2v1.jar:?]
    at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:63) ~[tomcat_9.0.94.wso2v1.jar:?]
    at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:936) ~[tomcat_9.0.94.wso2v1.jar:?]
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1791) ~[tomcat_9.0.94.wso2v1.jar:?]
    at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:52) ~[tomcat_9.0.94.wso2v1.jar:?]
    at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1190) ~[tomcat_9.0.94.wso2v1.jar:?]
    at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659) ~[tomcat_9.0.94.wso2v1.jar:?]
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:63) ~[tomcat_9.0.94.wso2v1.jar:?]
    at java.lang.Thread.run(Thread.java:833) ~[?:?]
Caused by: org.wso2.carbon.apimgt.impl.kmclient.KeyManagerClientException: Received status code: 400 Reason:
    at org.wso2.carbon.apimgt.impl.kmclient.KMClientErrorDecoder.decode_aroundBody0(KMClientErrorDecoder.java:42) ~[org.wso2.carbon.apimgt.impl_9.30.10.jar:?]
    at org.wso2.carbon.apimgt.impl.kmclient.KMClientErrorDecoder.decode(KMClientErrorDecoder.java:1) ~[org.wso2.carbon.apimgt.impl_9.30.10.jar:?]
    at feign.InvocationContext.decodeError(InvocationContext.java:126) ~[io.github.openfeign.feign-core_13.2.1.jar:?]
    at feign.InvocationContext.proceed(InvocationContext.java:72) ~[io.github.openfeign.feign-core_13.2.1.jar:?]
    at feign.ResponseHandler.handleResponse(ResponseHandler.java:63) ~[io.github.openfeign.feign-core_13.2.1.jar:?]
    at feign.SynchronousMethodHandler.executeAndDecode(SynchronousMethodHandler.java:114) ~[io.github.openfeign.feign-core_13.2.1.jar:?]
    at feign.SynchronousMethodHandler.invoke(SynchronousMethodHandler.java:70) ~[io.github.openfeign.feign-core_13.2.1.jar:?]
    at feign.ReflectiveFeign$FeignInvocationHandler.invoke(ReflectiveFeign.java:99) ~[io.github.openfeign.feign-core_13.2.1.jar:?]
    at jdk.proxy39.$Proxy480.createRole(Unknown Source) ~[?:?]
    at org.wso2.is7.client.WSO2IS7KeyManager.createWSO2IS7Role(WSO2IS7KeyManager.java:1056) ~[wso2is7.key.manager_2.0.3.jar:?]
    ... 67 more

Related Issues

No response

Suggested Labels

No response

senthuran16 commented 4 weeks ago

@Ashi1993 are you attaching any roles to any resource of an API created in APIM? Could you please share those details?

Ashi1993 commented 4 weeks ago

Hi @senthuran16,

We have added below to the swagger file we are publishing.

   x-scopes-bindings:
      accounts: Internal/subscriber

Regards, Ashirwada

Ashi1993 commented 4 weeks ago

Please find the swagger file we are deploying [1]

[1] https://github.com/wso2/financial-services-accelerator/blob/main/financial-services-accelerator/accelerators/fs-apim/repository/resources/apis/Accounts/account-info-swagger.yaml

senthuran16 commented 3 weeks ago

Hi @Ashi1993,

It looks like IS7 doesn't support roles that have / in their name, therefore Internal/subscriber is not being accepted. Confirmed this via IS7 Role Creation REST API, and the UI as well. I will check with the IS team and provide an update on this.

Ashi1993 commented 3 weeks ago

Hi @senthuran16,

We are kind of blocked due to this issue. Can you please prioritize this?

Regards, Ashirwada

senthuran16 commented 3 weeks ago

Hi @Ashi1993,

Got to know from the IS team that they are treating the old Internal/ roles as normal roles in IS7. I.e., the Internal/subscriber role in APIM should be created as subscriber in IS7. The IS7 migration client also does the same [1].

Currently based on our IS7 KM connector implementation, we have tested PRIMARY/ roles, and those are saved as normal roles in IS7. I.e., PRIMARY/myrole - which is shown as myrole in APIM carbon console, will be created as myrole in IS7.

If we simply rename Internal/rolename as rolename, and create a role in IS7, how it would collide with PRIMARY/ roles (as of our current implementation) is a problem. I'm waiting for a call with @SujanSanjula96 to understand how PRIMARY/ roles are handled in migration cases; he is stuck in a customer issue a.t.m.

I will update you once we arrive at a solution, apologies for the delay.

[1] https://github.com/wso2-enterprise/identity-migration-resources/blob/master/components/org.wso2.is.migration/migration-service/src/main/java/org/wso2/carbon/is/migration/service/v700/migrator/ConsoleRoleMigrator.java#L131

senthuran16 commented 2 weeks ago

Hi all,

We had a call and decided to handle roles as follows:

I implemented this in the IS7KM connector, and tested the connector with Internal/ roles - it's working as expected. However, PRIMARY roles are giving an error, since IS7 doesn't allow creating roles that start with the name system_ externally. I'm checking this with the IS team, and we'll request a patch to handle this if required.
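
The role-name constraints raised across this thread can be checked before an API definition is deployed. The following is an added example, not code from the issue or from the IS7 key manager connector: it flattens Internal/ and PRIMARY/ role names the way the comments describe and reports names IS7 would reject, names starting with system_, and distinct APIM roles that collapse into one IS7 role (which would merge their scope entitlements). The function names, the comma-separated role format and all sample bindings except `accounts: Internal/subscriber` are assumptions.

```python
# Added illustration: not code from the WSO2 IS7 key manager connector.
from collections import defaultdict

DOMAIN_PREFIXES = ("Internal/", "PRIMARY/")  # domain prefixes named in the thread
RESERVED_PREFIX = "system_"  # thread: IS7 refuses external creation of such roles


def flatten(role):
    """Drop a leading Internal/ or PRIMARY/ domain, as the thread describes."""
    for prefix in DOMAIN_PREFIXES:
        if role.startswith(prefix):
            return role[len(prefix):]
    return role


def preflight(scope_bindings):
    """Return sorted (kind, detail) findings for an x-scopes-bindings mapping.

    Assumes each value is a comma-separated list of role names.
    """
    findings = []
    sources = defaultdict(set)  # flattened IS7 name -> APIM names that map to it
    for scope, roles in scope_bindings.items():
        for role in (r.strip() for r in roles.split(",") if r.strip()):
            name = flatten(role)
            sources[name].add(role)
            if "/" in name:
                findings.append(("rejected", f"{scope}: {role} still contains '/'"))
            if name.startswith(RESERVED_PREFIX):
                findings.append(("reserved", f"{scope}: {role} starts with {RESERVED_PREFIX}"))
    for name, originals in sources.items():
        if len(originals) > 1:
            findings.append(("collision", f"{name} <- {', '.join(sorted(originals))}"))
    return sorted(set(findings))


# Constructed sample bindings; only "accounts: Internal/subscriber" is from the issue.
SAMPLE = {
    "accounts": "Internal/subscriber",
    "payments": "PRIMARY/subscriber, TEAM/ops",
    "admin": "system_admin",
}

if __name__ == "__main__":
    for kind, detail in preflight(SAMPLE):
        print(f"{kind:9} {detail}")
```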