Getting an error when configuring the created API

[Ashi1993]

Description

We observe an error in the console when trying to configure the created API before publishing. We tried configuring schema validation, policies, endpoints and got the same error in the console even thought the configurations saving is successful. We have added the WSO2 IS 7 as the custom key manager.

[2024-10-08 14:55:01,336] ERROR - APIProviderImpl Error while updating resource to scope attachment in Key Manager wso2IS
org.wso2.carbon.apimgt.api.APIManagementException: Failed to create role: Internal/subscriber

Steps to Reproduce

Setup IS 7 as a key manager. Create an API. Cinfigure endpoint.

Affected Component

APIM

Version

4.4.0-Alpha

Environment Details (with versions)

No response

Relevant Log Output

[2024-10-08 14:55:01,336] ERROR - APIProviderImpl Error while updating resource to scope attachment in Key Manager wso2IS
org.wso2.carbon.apimgt.api.APIManagementException: Failed to create role: Internal/subscriber
    at org.wso2.carbon.apimgt.impl.AbstractKeyManager.handleException_aroundBody12(AbstractKeyManager.java:274) ~[org.wso2.carbon.apimgt.impl_9.30.10.jar:?]
    at org.wso2.carbon.apimgt.impl.AbstractKeyManager.handleException(AbstractKeyManager.java:1) ~[org.wso2.carbon.apimgt.impl_9.30.10.jar:?]
    at org.wso2.is7.client.WSO2IS7KeyManager.createWSO2IS7Role(WSO2IS7KeyManager.java:1058) ~[wso2is7.key.manager_2.0.3.jar:?]
    at org.wso2.is7.client.WSO2IS7KeyManager.createWSO2IS7RoleToScopeBindings(WSO2IS7KeyManager.java:968) ~[wso2is7.key.manager_2.0.3.jar:?]
    at org.wso2.is7.client.WSO2IS7KeyManager.registerWSO2IS7Scopes(WSO2IS7KeyManager.java:874) ~[wso2is7.key.manager_2.0.3.jar:?]
    at org.wso2.is7.client.WSO2IS7KeyManager.updateResourceScopes(WSO2IS7KeyManager.java:1214) ~[wso2is7.key.manager_2.0.3.jar:?]
    at org.wso2.carbon.apimgt.impl.APIProviderImpl.updateAPIResources_aroundBody84(APIProviderImpl.java:1289) ~[org.wso2.carbon.apimgt.impl_9.30.10.jar:?]
    at org.wso2.carbon.apimgt.impl.APIProviderImpl.updateAPIResources(APIProviderImpl.java:1) ~[org.wso2.carbon.apimgt.impl_9.30.10.jar:?]
    at org.wso2.carbon.apimgt.impl.APIProviderImpl.updateAPI_aroundBody82(APIProviderImpl.java:1237) ~[org.wso2.carbon.apimgt.impl_9.30.10.jar:?]
    at org.wso2.carbon.apimgt.impl.APIProviderImpl.updateAPI(APIProviderImpl.java:1) ~[org.wso2.carbon.apimgt.impl_9.30.10.jar:?]
    at org.wso2.carbon.apimgt.impl.APIProviderImpl.updateAPI_aroundBody66(APIProviderImpl.java:1095) ~[org.wso2.carbon.apimgt.impl_9.30.10.jar:?]
    at org.wso2.carbon.apimgt.impl.APIProviderImpl.updateAPI(APIProviderImpl.java:1) ~[org.wso2.carbon.apimgt.impl_9.30.10.jar:?]
    at org.wso2.carbon.apimgt.impl.UserAwareAPIProvider.updateAPI(UserAwareAPIProvider.java:1) ~[org.wso2.carbon.apimgt.impl_9.30.10.jar:?]
    at org.wso2.carbon.apimgt.rest.api.publisher.v1.common.mappings.PublisherCommonUtils.updateApi(PublisherCommonUtils.java:198) ~[org.wso2.carbon.apimgt.rest.api.publisher.v1.common_9.30.10.jar:?]
    at org.wso2.carbon.apimgt.rest.api.publisher.v1.impl.ApisApiServiceImpl.updateAPI(ApisApiServiceImpl.java:747) ~[?:?]
    at org.wso2.carbon.apimgt.rest.api.publisher.v1.ApisApi.updateAPI(ApisApi.java:1716) ~[?:?]
    at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:?]
    at jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77) ~[?:?]
    at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:?]
    at java.lang.reflect.Method.invoke(Method.java:568) ~[?:?]
    at org.apache.cxf.service.invoker.AbstractInvoker.performInvocation(AbstractInvoker.java:179) ~[?:?]
    at org.apache.cxf.service.invoker.AbstractInvoker.invoke(AbstractInvoker.java:96) ~[?:?]
    at org.apache.cxf.jaxrs.JAXRSInvoker.invoke(JAXRSInvoker.java:201) ~[?:?]
    at org.apache.cxf.jaxrs.JAXRSInvoker.invoke(JAXRSInvoker.java:104) ~[?:?]
    at org.apache.cxf.interceptor.ServiceInvokerInterceptor$1.run(ServiceInvokerInterceptor.java:59) ~[?:?]
    at org.apache.cxf.interceptor.ServiceInvokerInterceptor.handleMessage(ServiceInvokerInterceptor.java:96) ~[?:?]
    at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:307) ~[?:?]
    at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121) ~[?:?]
    at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:265) ~[?:?]
    at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:234) ~[?:?]
    at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:208) ~[?:?]
    at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:160) ~[?:?]
    at org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:225) ~[?:?]
    at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:304) ~[?:?]
    at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPut(AbstractHTTPServlet.java:234) ~[?:?]
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:558) ~[tomcat-servlet-api_9.0.94.wso2v1.jar:?]
    at org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:279) ~[?:?]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:199) ~[tomcat_9.0.94.wso2v1.jar:?]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144) ~[tomcat_9.0.94.wso2v1.jar:?]
    at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:51) ~[tomcat_9.0.94.wso2v1.jar:?]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:168) ~[tomcat_9.0.94.wso2v1.jar:?]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144) ~[tomcat_9.0.94.wso2v1.jar:?]
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:168) ~[tomcat_9.0.94.wso2v1.jar:?]
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:90) ~[tomcat_9.0.94.wso2v1.jar:?]
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:482) ~[tomcat_9.0.94.wso2v1.jar:?]
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:130) ~[tomcat_9.0.94.wso2v1.jar:?]
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:93) ~[tomcat_9.0.94.wso2v1.jar:?]
    at org.wso2.carbon.identity.context.rewrite.valve.TenantContextRewriteValve.invoke(TenantContextRewriteValve.java:119) ~[org.wso2.carbon.identity.context.rewrite.valve_1.8.41.jar:?]
    at org.wso2.carbon.identity.context.rewrite.valve.OrganizationContextRewriteValve.invoke(OrganizationContextRewriteValve.java:115) ~[org.wso2.carbon.identity.context.rewrite.valve_1.8.41.jar:?]
    at org.wso2.carbon.tomcat.ext.valves.SameSiteCookieValve.invoke(SameSiteCookieValve.java:38) ~[org.wso2.carbon.tomcat.ext_4.9.27.alpha.jar:?]
    at org.wso2.carbon.identity.authz.valve.AuthorizationValve.invoke(AuthorizationValve.java:167) ~[org.wso2.carbon.identity.authz.valve_1.8.41.jar:?]
    at org.wso2.carbon.identity.auth.valve.AuthenticationValve.invoke(AuthenticationValve.java:118) ~[org.wso2.carbon.identity.auth.valve_1.8.41.jar:?]
    at org.wso2.carbon.tomcat.ext.valves.CompositeValve.continueInvocation(CompositeValve.java:114) ~[org.wso2.carbon.tomcat.ext_4.9.27.alpha.jar:?]
    at org.wso2.carbon.tomcat.ext.valves.TomcatValveContainer.invokeValves(TomcatValveContainer.java:49) ~[org.wso2.carbon.tomcat.ext_4.9.27.alpha.jar:?]
    at org.wso2.carbon.tomcat.ext.valves.CompositeValve.invoke(CompositeValve.java:75) ~[org.wso2.carbon.tomcat.ext_4.9.27.alpha.jar:?]
    at org.wso2.carbon.tomcat.ext.valves.CarbonStuckThreadDetectionValve.invoke(CarbonStuckThreadDetectionValve.java:152) ~[org.wso2.carbon.tomcat.ext_4.9.27.alpha.jar:?]
    at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:660) ~[tomcat_9.0.94.wso2v1.jar:?]
    at org.wso2.carbon.tomcat.ext.valves.CarbonContextCreatorValve.invoke(CarbonContextCreatorValve.java:63) ~[org.wso2.carbon.tomcat.ext_4.9.27.alpha.jar:?]
    at org.wso2.carbon.tomcat.ext.valves.RequestCorrelationIdValve.invoke(RequestCorrelationIdValve.java:137) ~[org.wso2.carbon.tomcat.ext_4.9.27.alpha.jar:?]
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74) ~[tomcat_9.0.94.wso2v1.jar:?]
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:346) ~[tomcat_9.0.94.wso2v1.jar:?]
    at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:383) ~[tomcat_9.0.94.wso2v1.jar:?]
    at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:63) ~[tomcat_9.0.94.wso2v1.jar:?]
    at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:936) ~[tomcat_9.0.94.wso2v1.jar:?]
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1791) ~[tomcat_9.0.94.wso2v1.jar:?]
    at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:52) ~[tomcat_9.0.94.wso2v1.jar:?]
    at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1190) ~[tomcat_9.0.94.wso2v1.jar:?]
    at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659) ~[tomcat_9.0.94.wso2v1.jar:?]
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:63) ~[tomcat_9.0.94.wso2v1.jar:?]
    at java.lang.Thread.run(Thread.java:833) ~[?:?]
Caused by: org.wso2.carbon.apimgt.impl.kmclient.KeyManagerClientException: Received status code: 400 Reason:
    at org.wso2.carbon.apimgt.impl.kmclient.KMClientErrorDecoder.decode_aroundBody0(KMClientErrorDecoder.java:42) ~[org.wso2.carbon.apimgt.impl_9.30.10.jar:?]
    at org.wso2.carbon.apimgt.impl.kmclient.KMClientErrorDecoder.decode(KMClientErrorDecoder.java:1) ~[org.wso2.carbon.apimgt.impl_9.30.10.jar:?]
    at feign.InvocationContext.decodeError(InvocationContext.java:126) ~[io.github.openfeign.feign-core_13.2.1.jar:?]
    at feign.InvocationContext.proceed(InvocationContext.java:72) ~[io.github.openfeign.feign-core_13.2.1.jar:?]
    at feign.ResponseHandler.handleResponse(ResponseHandler.java:63) ~[io.github.openfeign.feign-core_13.2.1.jar:?]
    at feign.SynchronousMethodHandler.executeAndDecode(SynchronousMethodHandler.java:114) ~[io.github.openfeign.feign-core_13.2.1.jar:?]
    at feign.SynchronousMethodHandler.invoke(SynchronousMethodHandler.java:70) ~[io.github.openfeign.feign-core_13.2.1.jar:?]
    at feign.ReflectiveFeign$FeignInvocationHandler.invoke(ReflectiveFeign.java:99) ~[io.github.openfeign.feign-core_13.2.1.jar:?]
    at jdk.proxy39.$Proxy480.createRole(Unknown Source) ~[?:?]
    at org.wso2.is7.client.WSO2IS7KeyManager.createWSO2IS7Role(WSO2IS7KeyManager.java:1056) ~[wso2is7.key.manager_2.0.3.jar:?]
    ... 67 more

Related Issues

No response

Suggested Labels

No response

[senthuran16]

@Ashi1993 are you attaching any roles to any resource of an API created in APIM? Could you please share those details?

[Ashi1993]

Hi @senthuran16,

We have added below to the swagger file we are publishing.

   x-scopes-bindings:
      accounts: Internal/subscriber

Regards, Ashirwada

[Ashi1993]

Please find the swagger file we are deploying [1]

[1]https://github.com/wso2/financial-services-accelerator/blob/main/financial-services-accelerator/accelerators/fs-apim/repository/resources/apis/Accounts/account-info-swagger.yaml

[senthuran16]

Hi @Ashi1993 ,

It looks like IS7 doesn't support roles that have / in their name, therefore Internal/subscriber is not being accepted. Confirmed this via IS7 Role Creation REST API, and the UI as well. I will check with the IS team and provide an update on this.

[Ashi1993]

Hi @senthuran16,

We are kind of blocked due to this issue. Can you please prioritize this?

Regards, Ashirwada

[senthuran16]

Hi @Ashi1993 ,

Got to know from the IS team that, they are treating the old Internal/ roles as normal roles in IS7. I.e, Internal/subscriber role in APIM should be created as subscriber in IS7. The IS7 migration client also does the same [1]

Currently based on our IS7 KM connector implementation, we have tested PRIMARY/ roles, and those are saved as normal roles in IS7. I.e, PRIMARY/myrole - which is shown as myrole in APIM carbon console, will be created as myrole in IS7.

If we simply rename Internal/rolename as rolename, and create a role in IS7, how it would collide with PRIMARY/ roles (as of our current implementation) is a problem. I'm waiting for a call with @SujanSanjula96 to understand how PRIMARY/ roles are handled in migration cases; he is stuck in a customer issue a.t.m.

I will update you once we arrive at a solution, apologies for the delay.

[1] https://github.com/wso2-enterprise/identity-migration-resources/blob/master/components/org.wso2.is.migration/migration-service/src/main/java/org/wso2/carbon/is/migration/service/v700/migrator/ConsoleRoleMigrator.java#L131

[senthuran16]

Hi all,

We had a call and decided to handle roles as follows:

• PRIMARY roles in APIM (eg: manager):
  • Create the role system_primary_manager in IS7.
  • We won't create any user groups or assign roles to them.
  • Note: IS7 migration client would additionally do the following:
    • A primary user group called manager will be created in IS7.
    • system_primary_manager will be assigned to primary user group manager .
• Internal roles in APIM (eg: Internal/publisher):
  • Create the role publisher in IS7.
• APPLICATION roles are not supported.

I implemented this in the IS7KM connector, and tested the connector with Internal/ roles - it's working as expected. However PRIMARY roles are giving an error, since IS7 doesn't allow creating roles that start with the name system_ externally. I'm checking this with the IS team, and we'll request a patch to handle this if required.