Problem of integration krakend with keycloak - authentication

I have keycloak bitnami chart and krakend deployed in in k8s. Also I have a test api, and I want being authenticated before access it. I'm able to get valid jwt token from keycloak, but when I'm trying to access my api through krakend, it returns 401 error
Any help is really appreciated.
Software versions:
keycloak: 16.1.1
crakend: 2.0.4
{
"$schema": "https://www.krakend.io/schema/v3.json",
"version": 3,
"timeout": "3000ms",
"cache_ttl": "300s",
"output_encoding": "json",
"port": 8080,
"endpoints": [
{
"endpoint": "/mock/parents/{id}",
"method": "GET",
"input_headers": [
"Authorization"
],
"extra_config": {
"auth/validator": {
"alg": "RS256",
"jwk-url": "http://keycloak-headless:8080/auth/realms/master/protocol/openid-connect/certs",
"disable_jwk_security": true,
"roles_key_is_nested": true,
"roles_key": "realm_access.roles",
"roles": ["test-app-parent"],
"operation_debug": true
}
},
"output_encoding": "json",
"concurrent_calls": 1,
"backend": [
{
"url_pattern": "/parents/{id}",
"encoding": "json",
"sd": "static",
"extra_config": {},
"host": [
"http://testapp-service:8400"
],
"disable_host_sanitize": false,
"blacklist": [
"super_secret_field"
]
},
{
"url_pattern": "/siblings/{id}",
"encoding": "json",
"sd": "static",
"extra_config": {},
"host": [
"http://testapp-service:8400"
],
"blacklist": [
"sibling_id"
],
"group": "extra_info",
"disable_host_sanitize": false
},
{
"url_pattern": "/parents/{id}/children",
"encoding": "json",
"sd": "static",
"extra_config": {},
"host": [
"http://testapp-service:8400"
],
"disable_host_sanitize": false,
"mapping": {
"content": "cars"
},
"whitelist": [
"content"
]
}
]
},
{
"endpoint": "/mock/bogus-new-api/{path}",
"method": "GET",
"extra_config": {
"auth/validator": {
"alg": "RS256",
"jwk-url": "http://keycloak-headless:8080/auth/realms/master/protocol/openid-connect/certs",
"disable_jwk_security": true
},
"github.com/devopsfaith/krakend/proxy": {
"static": {
"data": {
"new_field_a": 123,
"new_field_b": [
"arr1",
"arr2"
],
"new_field_c": {
"obj": "obj1"
}
},
"strategy": "always"
}
}
},
"output_encoding": "json",
"concurrent_calls": 1,
"backend": [
{
"url_pattern": "/not-finished-yet",
"encoding": "json",
"sd": "static",
"extra_config": {},
"host": [
"nothing-here"
],
"disable_host_sanitize": false
}
]
}
]
}


Oh my God this made me go insane.
In one of the last version updates they changed jwk-url to jwk_url.
https://github.com/krakendio/krakend-ce/issues/495#issuecomment-1138397005
After I fixed that it worked for me.


It worked for me after I changed
"jwk_url": "http://KEYCLOAK-SERVICE-NAME:8080/auth/realms/master/protocol/openid-connect/certs" to "jwk_url": "http://host.docker.internal:8080/auth/realms/master/protocol/openid-connect/certs"

Related

GKE - Automatic replacement of Instance Group Template

Current Situation: We're having a Kubernetes Cluster in Google (GKE). There is an instance group that refers an instance template defining the VMs.
Problem: Some days ago we had a spontaneous outage. I could find out that our instance group referred a new instance template, that was missing some access rights leading to that outage. Changing the instance template back to the original one solved the issue.
What I'm still wondering: We did neither change the template for the instance group nor did we create the instance template that was used.
I'm the only person managing the cluster, so I'm pretty sure that this happened automatically. How could this happen?
Searching for a reason:
I was researching on that topic but I could not find any related issues. I discovered three logs that might be interesting, but I cannot find a reason for that.
gke-<MY_PROJECT>-default-pool-4f1a9017 is the new instance template created.
All three logs are direct subsequent logs:
Log1 - ERROR - beta.compute.instanceGroupManagers.insert:
{
"protoPayload": {
"#type": "type.googleapis.com/google.cloud.audit.AuditLog",
"status": {
"code": 6,
"message": "The resource 'projects/<MY_PROJECT>/zones/<MY_ZONE>/instanceGroupManagers/gke-<MY_PROJECT>-default-pool-19b04905-grp' already exists"
},
"authenticationInfo": {
"principalEmail": "service-<ID>#container-engine-robot.iam.gserviceaccount.com"
},
"requestMetadata": {
"callerIp": "<IP_V6>",
"callerSuppliedUserAgent": "google-api-go-client/0.5 GoogleContainerEngine/v1",
"requestAttributes": {
"time": "<TIMESTAMP>",
"auth": {}
},
"destinationAttributes": {}
},
"serviceName": "compute.googleapis.com",
"methodName": "beta.compute.instanceGroupManagers.insert",
"authorizationInfo": [
{
"permission": "compute.instanceGroupManagers.create",
"granted": true,
"resourceAttributes": {
"service": "compute",
"name": "projects/<MY_PROJECT>/zones/<MY_ZONE>/instanceGroupManagers/gke-<MY_PROJECT>-default-pool-19b04905-grp",
"type": "compute.instanceGroupManagers"
}
},
{
"permission": "compute.instances.create",
"granted": true,
"resourceAttributes": {
"service": "compute",
"name": "projects/<MY_PROJECT>/zones/<MY_ZONE>/instances/gke-<MY_PROJECT>-default-pool-4f1a9017-0000",
"type": "compute.instances"
}
},
{
"permission": "compute.disks.create",
"granted": true,
"resourceAttributes": {
"service": "compute",
"name": "projects/<MY_PROJECT>/zones/<MY_ZONE>/disks/gke-<MY_PROJECT>-default-pool-4f1a9017-0000",
"type": "compute.disks"
}
},
{
"permission": "compute.disks.setLabels",
"granted": true,
"resourceAttributes": {
"service": "compute",
"name": "projects/<MY_PROJECT>/zones/<MY_ZONE>/disks/gke-<MY_PROJECT>-default-pool-4f1a9017-0000",
"type": "compute.disks"
}
},
{
"permission": "compute.subnetworks.use",
"granted": true,
"resourceAttributes": {
"service": "compute",
"name": "projects/<MY_PROJECT>/regions/<MY_REGION>/subnetworks/default",
"type": "compute.subnetworks"
}
},
{
"permission": "compute.subnetworks.useExternalIp",
"granted": true,
"resourceAttributes": {
"service": "compute",
"name": "projects/<MY_PROJECT>/regions/<MY_REGION>/subnetworks/default",
"type": "compute.subnetworks"
}
},
{
"permission": "compute.instances.setMetadata",
"granted": true,
"resourceAttributes": {
"service": "compute",
"name": "projects/<MY_PROJECT>/zones/<MY_ZONE>/instances/gke-<MY_PROJECT>-default-pool-4f1a9017-0000",
"type": "compute.instances"
}
},
{
"permission": "compute.instances.setTags",
"granted": true,
"resourceAttributes": {
"service": "compute",
"name": "projects/<MY_PROJECT>/zones/<MY_ZONE>/instances/gke-<MY_PROJECT>-default-pool-4f1a9017-0000",
"type": "compute.instances"
}
},
{
"permission": "compute.instances.setLabels",
"granted": true,
"resourceAttributes": {
"service": "compute",
"name": "projects/<MY_PROJECT>/zones/<MY_ZONE>/instances/gke-<MY_PROJECT>-default-pool-4f1a9017-0000",
"type": "compute.instances"
}
}
],
"resourceName": "projects/<MY_PROJECT>/zones/<MY_ZONE>/instanceGroupManagers/gke-<MY_PROJECT>-default-pool-19b04905-grp",
"request": {
"name": "gke-<MY_PROJECT>-default-pool-19b04905-grp",
"instanceTemplate": "https://www.googleapis.com/compute/v1/projects/<MY_PROJECT>/global/instanceTemplates/<INSTANCE_TEMPLATE_ID>",
"#type": "type.googleapis.com/compute.instanceGroupManagers.insert",
"targetSize": "0",
"baseInstanceName": "gke-<MY_PROJECT>-default-pool-4f1a9017"
},
"response": {
"#type": "type.googleapis.com/error",
"error": {
"message": "The resource 'projects/<MY_PROJECT>/zones/<MY_ZONE>/instanceGroupManagers/gke-<MY_PROJECT>-default-pool-19b04905-grp' already exists",
"errors": [
{
"reason": "alreadyExists",
"domain": "global",
"message": "The resource 'projects/<MY_PROJECT>/zones/<MY_ZONE>/instanceGroupManagers/gke-<MY_PROJECT>-default-pool-19b04905-grp' already exists"
}
],
"code": 409
}
},
"resourceLocation": {
"currentLocations": [
"<MY_ZONE>"
]
}
},
"insertId": "<INSERT_ID>",
"resource": {
"type": "gce_instance_group_manager",
"labels": {
"instance_group_manager_name": "gke-<MY_PROJECT>-default-pool-19b04905-grp",
"project_id": "<MY_PROJECT>",
"location": "<MY_ZONE>",
"instance_group_manager_id": "<INSTANCE_GROUP_MANAGER_ID>"
}
},
"timestamp": "<TIMESTAMP>",
"severity": "ERROR",
"logName": "projects/<MY_PROJECT>/logs/cloudaudit.googleapis.com%2Factivity",
"receiveTimestamp": "<TIMESTAMP>"
}
Log2 - NOTICE - v1.compute.instanceGroupManagers.setInstanceTemplate
{
"protoPayload": {
"#type": "type.googleapis.com/google.cloud.audit.AuditLog",
"authenticationInfo": {
"principalEmail": "service-<ID>#container-engine-robot.iam.gserviceaccount.com"
},
"requestMetadata": {
"callerIp": "<IP_V6>",
"callerSuppliedUserAgent": "google-api-go-client/0.5 GoogleContainerEngine/v1",
"requestAttributes": {
"time": "<TIMESTAMP>",
"auth": {}
},
"destinationAttributes": {}
},
"serviceName": "compute.googleapis.com",
"methodName": "v1.compute.instanceGroupManagers.setInstanceTemplate",
"authorizationInfo": [
{
"permission": "compute.instanceGroupManagers.update",
"granted": true,
"resourceAttributes": {
"service": "compute",
"name": "projects/<MY_PROJECT>/zones/<MY_ZONE>/instanceGroupManagers/gke-<MY_PROJECT>-default-pool-19b04905-grp",
"type": "compute.instanceGroupManagers"
}
},
{
"permission": "compute.instances.create",
"granted": true,
"resourceAttributes": {
"service": "compute",
"name": "projects/<MY_PROJECT>/zones/<MY_ZONE>/instances/gke-<MY_PROJECT>-default-pool-19b04905-0000",
"type": "compute.instances"
}
},
{
"permission": "compute.disks.create",
"granted": true,
"resourceAttributes": {
"service": "compute",
"name": "projects/<MY_PROJECT>/zones/<MY_ZONE>/disks/gke-<MY_PROJECT>-default-pool-19b04905-0000",
"type": "compute.disks"
}
},
{
"permission": "compute.disks.setLabels",
"granted": true,
"resourceAttributes": {
"service": "compute",
"name": "projects/<MY_PROJECT>/zones/<MY_ZONE>/disks/gke-<MY_PROJECT>-default-pool-19b04905-0000",
"type": "compute.disks"
}
},
{
"permission": "compute.subnetworks.use",
"granted": true,
"resourceAttributes": {
"service": "compute",
"name": "projects/<MY_PROJECT>/regions/<MY_REGION>/subnetworks/default",
"type": "compute.subnetworks"
}
},
{
"permission": "compute.subnetworks.useExternalIp",
"granted": true,
"resourceAttributes": {
"service": "compute",
"name": "projects/<MY_PROJECT>/regions/<MY_REGION>/subnetworks/default",
"type": "compute.subnetworks"
}
},
{
"permission": "compute.instances.setMetadata",
"granted": true,
"resourceAttributes": {
"service": "compute",
"name": "projects/<MY_PROJECT>/zones/<MY_ZONE>/instances/gke-<MY_PROJECT>-default-pool-19b04905-0000",
"type": "compute.instances"
}
},
{
"permission": "compute.instances.setTags",
"granted": true,
"resourceAttributes": {
"service": "compute",
"name": "projects/<MY_PROJECT>/zones/<MY_ZONE>/instances/gke-<MY_PROJECT>-default-pool-19b04905-0000",
"type": "compute.instances"
}
},
{
"permission": "compute.instances.setLabels",
"granted": true,
"resourceAttributes": {
"service": "compute",
"name": "projects/<MY_PROJECT>/zones/<MY_ZONE>/instances/gke-<MY_PROJECT>-default-pool-19b04905-0000",
"type": "compute.instances"
}
}
],
"resourceName": "projects/<MY_PROJECT>/zones/<MY_ZONE>/instanceGroupManagers/gke-<MY_PROJECT>-default-pool-19b04905-grp",
"request": {
"instanceTemplate": "https://www.googleapis.com/compute/v1/projects/<MY_PROJECT>/global/instanceTemplates/<INSTANCE_TEMPLATE_ID>",
"#type": "type.googleapis.com/compute.instanceGroupManagers.setInstanceTemplate"
},
"response": {
"targetId": "8142394286096021440",
"#type": "type.googleapis.com/operation",
"id": "<OPERATION_ID2>",
"insertTime": "<TIMESTAMP>",
"operationType": "compute.instanceGroupManagers.setInstanceTemplate",
"targetLink": "https://www.googleapis.com/compute/v1/projects/<MY_PROJECT>/zones/<MY_ZONE>/instanceGroupManagers/gke-<MY_PROJECT>-default-pool-19b04905-grp",
"zone": "https://www.googleapis.com/compute/v1/projects/<MY_PROJECT>/zones/<MY_ZONE>",
"name": "<OPERATION_ID>",
"progress": "0",
"selfLink": "https://www.googleapis.com/compute/v1/projects/<MY_PROJECT>/zones/<MY_ZONE>/operations/<OPERATION_ID>",
"status": "RUNNING",
"user": "service-<ID>#container-engine-robot.iam.gserviceaccount.com",
"selfLinkWithId": "https://www.googleapis.com/compute/v1/projects/<MY_PROJECT>/zones/<MY_ZONE>/operations/<OPERATION_ID2>",
"startTime": "<TIMESTAMP>"
},
"resourceLocation": {
"currentLocations": [
"<MY_ZONE>"
]
}
},
"insertId": "<INSERT_ID>",
"resource": {
"type": "gce_instance_group_manager",
"labels": {
"instance_group_manager_name": "gke-<MY_PROJECT>-default-pool-19b04905-grp",
"location": "<MY_ZONE>",
"project_id": "<MY_PROJECT>",
"instance_group_manager_id": "<INSTANCE_GROUP_MANAGER_ID>"
}
},
"timestamp": "<TIMESTAMP>",
"severity": "NOTICE",
"logName": "projects/<MY_PROJECT>/logs/cloudaudit.googleapis.com%2Factivity",
"operation": {
"id": "<OPERATION_ID>",
"producer": "compute.googleapis.com",
"first": true
},
"receiveTimestamp": "<TIMESTAMP>"
}
Log3 - NOTICE - v1.compute.instanceGroupManagers.setInstanceTemplate
{
"protoPayload": {
"#type": "type.googleapis.com/google.cloud.audit.AuditLog",
"authenticationInfo": {
"principalEmail": "service-<ID>#container-engine-robot.iam.gserviceaccount.com"
},
"requestMetadata": {
"callerIp": "<IP_V6>",
"callerSuppliedUserAgent": "google-api-go-client/0.5 GoogleContainerEngine/v1"
},
"serviceName": "compute.googleapis.com",
"methodName": "v1.compute.instanceGroupManagers.setInstanceTemplate",
"resourceName": "projects/<MY_PROJECT>/zones/<MY_ZONE>/instanceGroupManagers/gke-<MY_PROJECT>-default-pool-19b04905-grp",
"request": {
"#type": "type.googleapis.com/compute.instanceGroupManagers.setInstanceTemplate"
}
},
"insertId": "<INSERT_ID>",
"resource": {
"type": "gce_instance_group_manager",
"labels": {
"project_id": "<MY_PROJECT>",
"instance_group_manager_name": "gke-<MY_PROJECT>-default-pool-19b04905-grp",
"instance_group_manager_id": "<INSTANCE_GROUP_MANAGER_ID>",
"location": "<MY_ZONE>"
}
},
"timestamp": "<TIMESTAMP>",
"severity": "NOTICE",
"logName": "projects/<MY_PROJECT>/logs/cloudaudit.googleapis.com%2Factivity",
"operation": {
"id": "<OPERATION_ID>",
"producer": "compute.googleapis.com",
"last": true
},
"receiveTimestamp": "<TIMESTAMP>"
}

Create Delivery Plan styling rules using Azure Devops REST Apis

I am trying to create Delivery plan in the Azure Devops project using Azure Devops REST Apis. I have used following method to create the same.
https://learn.microsoft.com/en-us/rest/api/azure/devops/work/plans/create?view=azure-devops-rest-6.0
POST https://dev.azure.com/{organization}/{project}/_apis/work/plans?api-version=6.0
and I am sending following data in the request body properties
{
"properties": {
"teamBacklogMappings": [
{
"teamId": "09d57738-697f-4433-abdd-b80a2bc6337b",
"categoryReferenceName": "Microsoft.RequirementCategory"
},
{
"teamId": "5df45eec-4108-474a-8d93-bc09c0b9037e",
"categoryReferenceName": "Microsoft.RequirementCategory"
},
{
"teamId": "e8ed402b-68e7-4140-96f2-07790a08788b",
"categoryReferenceName": "Microsoft.RequirementCategory"
},
{
"teamId": "14425694-efa5-454e-811c-e9e03d79198f",
"categoryReferenceName": "Microsoft.RequirementCategory"
},
{
"teamId": "b02690e9-1f48-421a-a918-3b23cc9a1b73",
"categoryReferenceName": "Microsoft.RequirementCategory"
}
],
"cardSettings": {
"fields": {
"showId": true,
"showAssignedTo": true,
"assignedToDisplayFormat": "avatarOnly",
"showState": true,
"showTags": true,
"showParent": false,
"showEmptyFields": true,
"showChildRollup": true,
"additionalFields": null,
"coreFields": [
{
"referenceName": "System.AssignedTo",
"displayName": "Assigned To",
"fieldType": "string",
"isIdentity": true
},
{
"referenceName": "System.Id",
"displayName": "ID",
"fieldType": "integer",
"isIdentity": false
},
{
"referenceName": "System.State",
"displayName": "State",
"fieldType": "string",
"isIdentity": false
},
{
"referenceName": "System.Tags",
"displayName": "Tags",
"fieldType": "plainText",
"isIdentity": false
}
]
}
},
"markers": [],
"styleSettings": [
{
"name": "BLOCKER",
"isEnabled": "True",
"filter": "[System.Tags] CONTAINS 'BLOCKER'",
"clauses": [
{
"fieldName": "System.Tags",
"logicalOperator": "AND",
"operator": "CONTAINS",
"value": "BLOCKER"
}
],
"settings": {
"background-color": "#E60017",
"title-color": "#000000"
}
},
{
"name": "New",
"isEnabled": "True",
"filter": "[System.State] = 'New'",
"clauses": [
{
"fieldName": "System.State",
"logicalOperator": "AND",
"operator": "=",
"value": "New"
}
],
"settings": {
"background-color": "#AAAAAA",
"title-color": "#000000"
}
},
{
"name": "Dev Completed",
"isEnabled": "True",
"filter": "[System.State] = 'Development Completed'",
"clauses": [
{
"fieldName": "System.State",
"logicalOperator": "AND",
"operator": "=",
"value": "Development Completed"
}
],
"settings": {
"background-color": "#D7E587",
"title-color": "#000000"
}
},
{
"name": "Deployed to QA",
"isEnabled": "True",
"filter": "[System.State] = 'Deployed to QA (SIT)'",
"clauses": [
{
"fieldName": "System.State",
"logicalOperator": "AND",
"operator": "=",
"value": "Deployed to QA (SIT)"
}
],
"settings": {
"background-color": "#C3D84C",
"title-color": "#000000"
}
},
{
"name": "Deployed to UAT",
"isEnabled": "True",
"filter": "[System.State] = 'Deployed to UAT'",
"clauses": [
{
"fieldName": "System.State",
"logicalOperator": "AND",
"operator": "=",
"value": "Deployed to UAT"
}
],
"settings": {
"background-color": "#60AF49",
"title-color": "#000000"
}
},
{
"name": "Deployed to PROD",
"isEnabled": "True",
"filter": "[System.State] = 'Completed'",
"clauses": [
{
"fieldName": "System.State",
"logicalOperator": "AND",
"operator": "=",
"value": "Completed"
}
],
"settings": {
"background-color": "#00643A",
"title-color": "#000000"
}
}
],
"tagStyleSettings": []
}
}
However Styling rules are not getting created in the project.

Got this done by using Update for the Delivery plan immediately after creating the same. Update it with same properties though you will have to add revision property to the request body.
https://learn.microsoft.com/en-us/rest/api/azure/devops/work/plans/update?view=azure-devops-rest-6.0
https://dev.azure.com/{organization}/{project}/_apis/work/plans/{id}?api-version=6.0

Create Delivery Plan doesn't accept style settings, from the UI you can notice this:
Just get the plan id and the response from the Create API and then use them in the Update API, this is the only way.

Function App with VNet Integration Failing Deployment When Setting WEBSITE_CONTENTAZUREFILECONNECTIONSTRING to Storage Behind Firewall

The following ARM template deploys: Virtual Network, Network Security Group, Storage Account, App Service Plan, Function App
When the settings for WEBSITE_CONTENTAZUREFILECONNECTIONSTRING and WEBSITE_CONTENTSHARE are omitted (commented out) the deployment succeeds but the function app configuration shows a warning.
When enabling the two settings, the deployment fails with a 403 Forbidden message.
New-AzResourceGroupDeployment : 17:04:05 - The deployment '20201209-170356' failed with error(s). Showing 1 out of 1 error(s).
Status Message: There was a conflict. The remote server returned an error: (403) Forbidden. (Code: BadRequest)
- There was a conflict. The remote server returned an error: (403) Forbidden. (Code:)
- (Code:BadRequest)
- (Code:)
CorrelationId: ec11767b-9f8f-4722-acca-e751e5c1bbe8
I have tried numerous settings on the NSG, adding service tags, allowing IPs associated with the function app. I have also tried allowing IPRules on the storage account firewall. The only setting that worked was to entirely disable the storage account firewall with 'Allow access from all networks', which is not an acceptable setting for the network.
The ARM template to demonstrate the error:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
},
"variables": {
"vnetName": "vnet1a",
"addressPrefixVnet": "10.17.0.0/20",
"addressPrefixSubnet": "10.17.4.0/24",
"nsgName_sb_functionapp": "[concat(variables('vnetName'), '-sb-functionapp-nsg')]",
"storageAccountName": "[concat(uniquestring(resourceGroup().id), 'sa1a')]",
"appServicePlanName": "[concat(uniquestring(resourceGroup().id), 'asp1a')]",
"functionAppName": "[concat(uniquestring(resourceGroup().id), 'asp1a')]"
},
"resources": [
{
"type": "Microsoft.Network/networkSecurityGroups",
"apiVersion": "2019-11-01",
"name": "[variables('nsgName_sb_functionapp')]",
"location": "[resourceGroup().location]",
"tags": {
"Purpose": "Function App"
},
"properties": {
"securityRules": []
}
},
{
"type": "Microsoft.Network/virtualNetworks",
"apiVersion": "2019-11-01",
"name": "[variables('vnetName')]",
"location": "[resourceGroup().location]",
"dependsOn": [
"[resourceId('Microsoft.Network/networkSecurityGroups', variables('nsgName_sb_functionapp'))]"
],
"tags": {
"Purpose": "Debug Function App and Storage Account Connectivity"
},
"properties": {
"addressSpace": {
"addressPrefixes": [
"[variables('addressPrefixVnet')]"
]
},
"subnets": [
{
"name": "sb-functionapp",
"properties": {
"addressPrefix": "[variables('addressPrefixSubnet')]",
"networkSecurityGroup": {
"id": "[resourceId('Microsoft.Network/networkSecurityGroups', variables('nsgName_sb_functionapp'))]"
},
"serviceEndpoints": [
{
"service": "Microsoft.Storage",
"locations": [
"*"
]
}
],
"delegations": [
{
"name": "delegation",
"properties": {
"serviceName": "Microsoft.Web/serverFarms"
}
}
],
"privateEndpointNetworkPolicies": "Enabled",
"privateLinkServiceNetworkPolicies": "Enabled"
}
}
],
"enableDdosProtection": false,
"enableVmProtection": false
}
},
{
"type": "Microsoft.Storage/storageAccounts",
"apiVersion": "2019-04-01",
"name": "[variables('storageAccountName')]",
"location": "[resourceGroup().location]",
"tags": {
"Purpose": "Debug Function App and Storage Account Connectivity"
},
"kind": "StorageV2",
"sku": {
"name": "Standard_GRS",
"tier": "Standard"
},
"properties": {
"networkAcls": {
"defaultAction": "Deny",
"bypass": "AzureServices",
"supportsHttpsTrafficOnly": true,
"ipRules": [],
"encryption": {
"keySource": "Microsoft.Storage",
"services": {
"file": {
"enabled": true
},
"blob": {
"enabled": true
}
}
},
"accessTier": "Hot",
"virtualNetworkRules": [
{
"id": "[concat(resourceId('Microsoft.Network/virtualNetworks', variables('vnetName')), '/subnets/sb-functionapp')]",
"ignoreMissingVNetServiceEndpoint": false
}
]
}
}
},
{
"type": "Microsoft.Web/serverfarms",
"apiVersion": "2018-02-01",
"name": "[variables('appServicePlanName')]",
"location": "[resourceGroup().location]",
"tags": {
"Purpose": "Debug Function App and Storage Account Connectivity"
},
"sku": {
"name": "EP1",
"tier": "ElasticPremium",
"size": "EP1",
"family": "EP",
"capacity": 1
},
"kind": "elastic",
"properties": {
"perSiteScaling": false,
"maximumElasticWorkerCount": 20,
"isSpot": false,
"reserved": false,
"isXenon": false,
"hyperV": false,
"targetWorkerCount": 0,
"targetWorkerSizeId": 0
}
},
{
"type": "Microsoft.Web/sites",
"apiVersion": "2018-11-01",
"name": "[variables('functionAppName')]",
"location": "[resourceGroup().location]",
"dependsOn": [
"[resourceId('Microsoft.Web/serverfarms', variables('appServicePlanName'))]"
],
"tags": {
"Purpose": "Debug Function App and Storage Account Connectivity"
},
"kind": "functionapp",
"properties": {
"enabled": true,
"hostNameSslStates": [
{
"name": "[concat(variables('functionAppName'), '.azurewebsites.net')]",
"sslState": "Disabled",
"hostType": "Standard"
},
{
"name": "[concat(variables('functionAppName'), '.scm.azurewebsites.net')]",
"sslState": "Disabled",
"hostType": "Repository"
}
],
"serverFarmId": "[resourceId('Microsoft.Web/serverfarms', variables('appServicePlanName'))]",
"reserved": false,
"isXenon": false,
"hyperV": false,
"scmSiteAlsoStopped": false,
"clientAffinityEnabled": true,
"clientCertEnabled": false,
"hostNamesDisabled": false,
"containerSize": 1536,
"dailyMemoryTimeQuota": 0,
"httpsOnly": true,
"redundancyMode": "None",
"siteConfig": {
"appSettings": [
{
"name": "FUNCTIONS_EXTENSION_VERSION",
"value": "~1"
},
{
"name": "WEBSITE_CONTENTAZUREFILECONNECTIONSTRING",
"value": "[concat('DefaultEndpointsProtocol=https;AccountName=', variables('storageAccountName'), ';AccountKey=', listKeys(resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName')), '2019-04-01').keys[0].value)]"
},
{
"name": "WEBSITE_CONTENTSHARE",
"value": "[variables('functionAppName')]"
},
{
"name": "WEBSITE_DNS_SERVER",
"value": "168.63.129.16"
},
{
"name": "WEBSITE_VNET_ROUTE_ALL",
"value": "1"
}
]
}
},
"resources": [
{
"type": "networkConfig",
"apiVersion": "2018-11-01",
"name": "virtualNetwork",
"location": "[resourceGroup().location]",
"dependsOn": [
"[resourceId('Microsoft.Web/sites', variables('functionAppName'))]"
],
"properties": {
"subnetResourceId": "[concat(resourceId('Microsoft.Network/virtualNetworks', variables('vnetName')), '/subnets/sb-functionapp')]",
"swiftSupported": true
}
}
]
},
{
"type": "Microsoft.Web/sites/config",
"apiVersion": "2018-11-01",
"name": "[concat(variables('functionAppName'), '/web')]",
"location": "[resourceGroup().location]",
"dependsOn": [
"[resourceId('Microsoft.Web/sites', variables('functionAppName'))]"
],
"tags": {
"Purpose": "Debug Function App and Storage Account Connectivity"
},
"properties": {
"numberOfWorkers": 1,
"defaultDocuments": [
"Default.htm",
"Default.html",
"Default.asp",
"index.htm",
"index.html",
"iisstart.htm",
"default.aspx",
"index.php"
],
"netFrameworkVersion": "v4.0",
"phpVersion": "5.6",
"requestTracingEnabled": false,
"remoteDebuggingEnabled": false,
"remoteDebuggingVersion": "VS2019",
"httpLoggingEnabled": false,
"logsDirectorySizeLimit": 35,
"detailedErrorLoggingEnabled": false,
"publishingUsername": "[concat('$', variables('functionAppName'))]",
"scmType": "VSTSRM",
"use32BitWorkerProcess": true,
"webSocketsEnabled": false,
"alwaysOn": false,
"managedPipelineMode": "Integrated",
"virtualApplications": [
{
"virtualPath": "/",
"physicalPath": "site\\wwwroot",
"preloadEnabled": true
}
],
"loadBalancing": "LeastRequests",
"experiments": {
"rampUpRules": [
]
},
"autoHealEnabled": false,
"cors": {
"allowedOrigins": [],
"supportCredentials": false
},
"localMySqlEnabled": false,
"ipSecurityRestrictions": [],
"scmIpSecurityRestrictions": [
{
"ipAddress": "Any",
"action": "Allow",
"priority": 1,
"name": "Allow all",
"description": "Allow all access"
}
],
"scmIpSecurityRestrictionsUseMain": false,
"http20Enabled": false,
"minTlsVersion": "1.2",
"ftpsState": "AllAllowed",
"reservedInstanceCount": 1
}
}
]
}
Command to deploy to existing resource group:
New-AzResourceGroupDeployment -Name (Get-Date).ToString('yyyyMMdd-HHmmss') -ResourceGroupName 'Test-FunctionApp-Storage-VNet' -TemplateFile .\DebugFunctionApp.json -Verbose
I have seen the question/answer at Function App Deployment Failed - The remote server returned an error: (403) Forbidden but it doesn't solve the problem I see.

The solution is to add another setting named WEBSITE_CONTENTOVERVNET and to set the value to "1".
The updated appSettings section looks like:
"siteConfig": {
"appSettings": [
{
"name": "FUNCTIONS_EXTENSION_VERSION",
"value": "~1"
},
{
"name": "WEBSITE_CONTENTAZUREFILECONNECTIONSTRING",
"value": "[concat('DefaultEndpointsProtocol=https;AccountName=', variables('storageAccountName'), ';AccountKey=', listKeys(resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName')), '2019-04-01').keys[0].value)]"
},
{
"name": "WEBSITE_CONTENTOVERVNET",
"value": "1"
},
{
"name": "WEBSITE_CONTENTSHARE",
"value": "[variables('functionAppName')]"
},
{
"name": "WEBSITE_DNS_SERVER",
"value": "168.63.129.16"
},
{
"name": "WEBSITE_VNET_ROUTE_ALL",
"value": "1"
}
]
}
The setting is document at https://learn.microsoft.com/en-us/azure/azure-functions/functions-app-settings#website_contentovervnet
For Premium plans only. A value of 1 enables your function app to scale when you have your storage account restricted to a virtual network. You should enable this setting when restricting your storage account to a virtual network.

LoopbackJS - Tokens for user invites

I'm using loopback as the API server for my application. I'm building a social like network, where it's required to invite users via email. In order to associate the invitee with the inviter, I want the inviter to create a 'request token' associated with his userId, which then is sent via email in a format like this: domain.com/register?token=XXXXXX
The built-in Access Token model seems perfect for this purpose as a base model used so the idea is to create a new model "RequestToken" inheriting from the AccessToken model, however, the new model is then used for authentication purposes as well, which I don't want.
Following are my config files. It's worth mentioning that the below seen "Customer" model is extending Loopbacks "User" Model.
/server/model-config.json:
"_meta": {
"sources": [
"loopback/common/models",
"loopback/server/models",
"../common/models",
"./models"
],
"mixins": [
"loopback/common/mixins",
"loopback/server/mixins",
"../node_modules/loopback-ds-timestamp-mixin",
"../common/mixins",
"./mixins"
]
},
"User": {
"dataSource": "db",
"public": false
},
"AccessToken": {
"dataSource": "db",
"public": false,
"relations": {
"user": {
"type": "belongsTo",
"model": "Customer",
"foreignKey": "userId"
}
}
},
"ACL": {
"dataSource": "db",
"public": false
},
"RoleMapping": {
"dataSource": "db",
"public": false,
"options": {
"strictObjectIDCoercion": true
}
},
"Role": {
"dataSource": "db",
"public": false
},
"Email": {
"dataSource": "mail",
"public": false
},
"Customer": {
"dataSource": "db",
"public": true
},
"Friend": {
"dataSource": "db",
"public": true
},
"Memory": {
"dataSource": "db",
"public": true
},
"RequestToken": {
"dataSource": "db",
"public": true
}
}
Under "Customer" I've also tried to include:
"relations": {
"accessTokens": {
"type": "hasMany",
"model": "AccessToken",
"foreignKey": "userId",
"options": {
"disableInclude": true
}
}
}
common/customer.json
{
"name": "Customer",
"base": "User",
"idInjection": true,
"options": {
"validateUpsert": true
},
"mixins": {
"TimeStamp": true
},
"properties": {
"firstName": {
"type": "string",
"required": true
},
"lastName": {
"type": "string",
"required": true
},
"dob": {
"type": "date"
},
"country": {
"type": "string"
}
},
"validations": [],
"relations": {
"accessTokens": {
"type": "hasMany",
"model": "AccessToken",
"foreignKey": "userId",
"options": {
"disableInclude": true
}
},
"requestTokens": {
"type": "hasMany",
"model": "RequestToken",
"foreignKey": "userId",
"options": {
"disableInclude": true
}
}
},
"acls": [
{
"accessType": "EXECUTE",
"principalType": "ROLE",
"principalId": "$owner",
"permission": "ALLOW"
},
{
"accessType": "*",
"principalType": "ROLE",
"principalId": "$everyone",
"permission": "DENY"
}
],
"methods": {}
}
common/request-token.json
{
"name": "RequestToken",
"base": "AccessToken",
"idInjection": true,
"options": {
"validateUpsert": true
},
"properties": {},
"validations": [],
"relations": {
"user": {
"type": "belongsTo",
"model": "Customer",
"foreignKey": "ownerId"
}
},
"acls": [],
"methods": {}
}
Summary:
How can I create a new "RequestToken" model, extending Loopbacks "AccessToken" model, but keep using the built-in AccessToken model for authentication etc.? Is it possible at all? As soon as I take the line '"base": "AccessToken"' out of the request-token.json file, all authentication method work again.
Thanks a lot in advance!

It seems I found a solution for this. Within server.js I needed to tell the app to use the AccessToken model.
server.js
...
app.use(loopback.token({
model: app.models.accessToken,
}));
...
I've added it just after
const app = loopback();
The docs refer to it to use it for authentication via cookies in the LB2 docs.
https://loopback.io/doc/en/lb2/Making-authenticated-requests.html
I'm using Loopback3. Within the LB3 docs, they do not mention this way anymore, so if there is another solution, happy to change the accepted answer.
Cheers

RabbitMQ configuration script

I've a rabbit configuration file and it contains a JSON. As far as I know by using that I can configure the RabbitMQ but I couldn't figure out where I have to put that file or how to run it.
{
"rabbit_version": "3.5.6",
"users": [{
"name": "guest",
"password_hash": "GAd/n+dflOQhAEnqkF6y2V0TMrU=",
"tags": "administrator"
}
],
"vhosts": [{
"name": "/"
}
],
"permissions": [{
"user": "guest",
"vhost": "/",
"configure": ".*",
"write": ".*",
"read": ".*"
}
],
"parameters": [],
"policies": [],
"queues": [{
"name": "stream.service.postpaid",
"vhost": "/",
"durable": true,
"auto_delete": false,
"arguments": {}
}, {
"name": "stream.smart.dl.postpaid",
"vhost": "/",
"durable": true,
"auto_delete": false,
"arguments": {}
}, {
"name": "stream.smart.postpaid",
"vhost": "/",
"durable": true,
"auto_delete": false,
"arguments": {
"x-max-length": 100000,
"x-dead-letter-exchange": "decoder.dl.sn",
"x-message-ttl": 60000
}
}
],
"exchanges": [{
"name": "decoder.sn",
"vhost": "/",
"type": "topic",
"durable": true,
"auto_delete": false,
"internal": false,
"arguments": {}
}, {
"name": "decoder.dl.sn",
"vhost": "/",
"type": "topic",
"durable": true,
"auto_delete": false,
"internal": false,
"arguments": {}
}
],
"bindings": [{
"source": "decoder.dl.sn",
"vhost": "/",
"destination": "stream.smart.dl.postpaid",
"destination_type": "queue",
"routing_key": "SMART.POSTPAID",
"arguments": {}
}, {
"source": "decoder.sn",
"vhost": "/",
"destination": "stream.service.postpaid",
"destination_type": "queue",
"routing_key": "SERVICE.POSTPAID",
"arguments": {}
}, {
"source": "decoder.sn",
"vhost": "/",
"destination": "stream.smart.postpaid",
"destination_type": "queue",
"routing_key": "SMART.POSTPAID",
"arguments": {}
}
]
}

Just find it out.
we can use web interface to import file or following command by using shell
rabbitmqadmin -q import rabbit.config