I want to configure Openshift authentication through Request Header. I have tried modifying the master-config.yaml file as mentioned at Request Header but it's giving certificate errors so I need help on how to bypass error or how to get the certificates supported by Openshift. I updated only following stanza.
identityProviders:
- challenge: true
login: true
mappingMethod: claim
name: my_request_header_provider
provider:
apiVersion: v1
kind: RequestHeaderIdentityProvider
challengeURL: https://host:port/api/user/oauth/authorize?${query}
loginURL: https://host:port/api/user/oauth/authorize?${query}
headers:
- x-auth-token
I have used following command to restart the openshift
openshift start master --config=/etc/origin/master/reqheadauthconfig/master-config.yaml
Getting following errors
Warning: oauthConfig.identityProvider[0].provider.clientCA: Invalid value: "": if no clientCA is set, no request verification is done, and any request directly against the OAuth server can impersonate any identity from this provider, master start will continue.
Invalid MasterConfig /etc/origin/master/reqheadauthconfig/master-config.yaml
etcdClientInfo.urls: Required value
kubeletClientInfo.port: Required value
kubernetesMasterConfig.proxyClientInfo.certFile: Invalid value: "/etc/origin/master/reqheadauthconfig/master.proxy-client.crt": could not read file: stat /etc/origin/master/reqheadauthconfig/master.proxy-client.crt: no such file or directory
kubernetesMasterConfig.proxyClientInfo.keyFile: Invalid value: "/etc/origin/master/reqheadauthconfig/master.proxy-client.key": could not read file: stat /etc/origin/master/reqheadauthconfig/master.proxy-client.key: no such file or directory
masterClients.openShiftLoopbackKubeConfig: Invalid value: "/etc/origin/master/reqheadauthconfig/openshift-master.kubeconfig": could not read file: stat /etc/origin/master/reqheadauthconfig/openshift-master.kubeconfig: no such file or directory
oauthConfig.masterCA: Invalid value: "/etc/origin/master/reqheadauthconfig/ca.crt": could not read file: stat /etc/origin/master/reqheadauthconfig/ca.crt: no such file or directory
serviceAccountConfig.privateKeyFile: Invalid value: "/etc/origin/master/reqheadauthconfig/serviceaccounts.private.key": could not read file: stat /etc/origin/master/reqheadauthconfig/serviceaccounts.private.key: no such file or directory
serviceAccountConfig.publicKeyFiles[0]: Invalid value: "/etc/origin/master/reqheadauthconfig/serviceaccounts.public.key": could not read file: stat /etc/origin/master/reqheadauthconfig/serviceaccounts.public.key: no such file or directory
serviceAccountConfig.masterCA: Invalid value: "/etc/origin/master/reqheadauthconfig/ca-bundle.crt": could not read file: stat /etc/origin/master/reqheadauthconfig/ca-bundle.crt: no such file or directory
servingInfo.certFile: Invalid value: "/etc/origin/master/reqheadauthconfig/master.server.crt": could not read file: stat /etc/origin/master/reqheadauthconfig/master.server.crt: no such file or directory
servingInfo.keyFile: Invalid value: "/etc/origin/master/reqheadauthconfig/master.server.key": could not read file: stat /etc/origin/master/reqheadauthconfig/master.server.key: no such file or directory
servingInfo.clientCA: Invalid value: "/etc/origin/master/reqheadauthconfig/ca.crt": could not read file: stat /etc/origin/master/reqheadauthconfig/ca.crt: no such file or directory
controllerConfig.serviceServingCert.signer.certFile: Invalid value: "/etc/origin/master/reqheadauthconfig/service-signer.crt": could not read file: stat /etc/origin/master/reqheadauthconfig/service-signer.crt: no such file or directory
controllerConfig.serviceServingCert.signer.keyFile: Invalid value: "/etc/origin/master/reqheadauthconfig/service-signer.key": could not read file: stat /etc/origin/master/reqheadauthconfig/service-signer.key: no such file or directory
aggregatorConfig.proxyClientInfo.certFile: Invalid value: "/etc/origin/master/reqheadauthconfig/aggregator-front-proxy.crt": could not read file: stat /etc/origin/master/reqheadauthconfig/aggregator-front-proxy.crt: no such file or directory
aggregatorConfig.proxyClientInfo.keyFile: Invalid value: "/etc/origin/master/reqheadauthconfig/aggregator-front-proxy.key": could not read file: stat /etc/origin/master/reqheadauthconfig/aggregator-front-proxy.key: no such file or directory
2 things I have to share with you here.
for the provider.clientCA error: ClientCA is required for RequestHeader identity provider since OpenShift api need it to verify clients which pass request with "x-auth-token" http header.
For all the files with "no such file or directory" error: I think you just make a copy for /etc/origin/master/master-config.yaml, but all files is in relative path format, so the error comes here.
Related
Kubernetes View not working, only show path to cert for active context and message in the toolbar that indicate unknown cluster
I tried set path to config file, but without successful
LOGS:
2020-01-07 12:07:53,303 [15549238] WARN - lij.kubernetes.model.ModelData - Unable to read OpenAPI specification from C:\Users\ondra\.kube\config\admin.conf
com.google.gson.JsonSyntaxException: java.lang.IllegalStateException: Expected BEGIN_OBJECT but was STRING at line 1 column 1 path $
at com.google.gson.internal.bind.ReflectiveTypeAdapterFactory$Adapter.read(ReflectiveTypeAdapterFactory.java:226)
at com.google.gson.Gson.fromJson(Gson.java:927)
at com.google.gson.Gson.fromJson(Gson.java:865)
But that config file is originaly generated from Kubernetes
I found problem. Kubernetes admin.conf file have relative paths to certs (e.g. ..\certs...) I changed to absolute path and it showed informations, but apears unauthorized
I implemented a REST api in django with django-rest-framework,on localhost working fine with successful results.
When pushing this up to an existing AWS elastic beanstalk instance, I received:
{
"detail": "Authentication credentials were not provided."
}
For solution I followed this question : Authorization Credentials Stripped
But when I push mycode on aws EB I am getting this error :
Pipeline failed with error "Service:AmazonRDS, is not authorized to perform: rds:DescribeDBEngineVersions"
I tried lots of solutions but every time I am getting this error.
Note: I am using python3.6
I got the answer of my problem.
I set the RDS policy and create new custom_wsgi.config file on .ebextensions directory and write command :
files:
"/etc/httpd/conf.d/wsgihacks.conf":
mode: "000644"
owner: root
group: root
content: |
WSGIPassAuthorization On
I've created a new Phoenix web application on OSX and I'm trying to get SSL working on localhost. To do that, I read and performed the steps of this article. So now I have a server.key, server.crt and server.csr files. The files are not binary and are in readable form. I placed those files in the priv folder as the Phoenix docs suggested.
My config file looks like this:
config :{{name}}, {{name}}.Endpoint,
http: [port: 4000],
debug_errors: true,
code_reloader: true,
cache_static_lookup: false,
check_origin: false,
watchers: [node: ["node_modules/brunch/bin/brunch", "watch", "--stdin"]],
https: [port: 4043,
otp_app: :{{name}},
keyfile: System.get_env("server.key"),
certfile: System.get_env("server.crt"),
# OPTIONAL Key for intermediate certificates
# cacertfile: System.get_env("INTERMEDIATE_CERTFILE_PATH")
]
When I run mix phoenix.server I'm getting the following error:
** (Mix) Could not start application {{name}}: {{name}}.start(:normal, []) returned an error: shutdown: failed to start child: {{name}}.Endpoint
** (EXIT) shutdown: failed to start child: Phoenix.Endpoint.Server
** (EXIT) shutdown: failed to start child: {:ranch_listener_sup, {{name}}.Endpoint.HTTPS}
** (EXIT) shutdown: failed to start child: :ranch_acceptors_sup
** (EXIT) an exception was raised:
** (MatchError) no match of right hand side value: {:error, {:options, {:certfile, nil}}}
(ranch) src/ranch_acceptors_sup.erl:30: :ranch_acceptors_sup.init/1
(stdlib) supervisor.erl:243: :supervisor.init/1
(stdlib) gen_server.erl:306: :gen_server.init_it/6
(stdlib) proc_lib.erl:237: :proc_lib.init_p_do_apply/3
What am I doing wrong? I'm a Phoenix newbie and the project I'm working on requires SSL on localhost to prevent cross-domain issues.
It seems phoenix is not able to find your certificates.
To overcome this problem, you can either provide an absolute path or can take advantage of otp_app to use a relative path where phoenix can search for the certificates. If you provide otp_app, phoenix will look in your application root for certificates.
If you want to provide an absolute path you can do something like that:
keyfile: Path.expand("../../../some/path/to/ssl/cer.key", __DIR__),
certfile: Path.expand("../../../some/path/to/ssl/cer.crt", __DIR__)
If you want to take advantage of otp_app, create two env variable say KEY_HOME and CERT_HOME. Go to console and fire these two commands. You should add them to your bashrc file later.
export KEY_HOME=priv/ssl/server.key
export CERT_HOME=priv/ssl/server.crt
you must include priv directory here
Now your config looks like this
https: [port: 443,
otp_app: :hello_phoenix,
keyfile: System.get_env("KEY_HOME"),
certfile: System.get_env("CERT_HOME")
]
Don't forget to copy your files in priv/ssl.
I am trying to run Google oAuth Service Account by specifying keyfilelocation as below:
$client_id = 'xccsssds-ib5c5qmr7n34aifss95ue7qouplh7v3r.apps.googleusercontent.com'; //Client ID
$service_account_name = 'sdfdsfsxxxxxxxxxsdfdsf-ib5c5qmr7n34aifss95ue7qouplh7v3r#developer.gserviceaccount.com'; //Email Address
$key_file_location = 'My Cloud Project-e2a5b459dfd9.p12'; //key.p12
But my server is throwing error like:
file_get_contents(My Cloud Project-e2a5b459dfd9.p12): failed to open stream: No such file or directory in XXXXXXXXXX
Uncaught exception 'Google_Auth_Exception' with message 'Unable to parse the p12 file. Is this a .p12 file? Is the password correct? OpenSSL error: '
Path of the p12 file correct and gave file permissions correctly but it was throwing this error.
The error:(occurring in the prod env)
request.CRITICAL: PDOException: SQLSTATE[28000] [1045] Access denied for user 'root'#'localhost' (using password: YES) (uncaught exception) at /srv/inta/current/vendor/doctrine-dbal/lib/Doctrine/DBAL/Driver/PDOConnection.php line 36 [] []
What I've tried so far
The weird thing is that I actually have access using the root user, and the provided password. Logging in as root via the console works great.
I'm using the following parameters.yml file located in app/config/
parameters:
database_driver: pdo_mysql
database_host: localhost
database_port: ~
database_name: int_apartments
database_user: root
database_password: pw goes here
mailer_transport: smtp
mailer_host: localhost
mailer_user: ~
mailer_password: ~
locale: en
secret: ThisTokenIsNotSoSecretChangeIt
As you can see, it is quite standard with only the name of the db, user and password changed.
In my config.yml located in app/config (the relevant portions)
imports:
- { resource: security.yml }
- { resource: parameters.yml }
...
doctrine:
dbal:
driver: %database_driver%
host: %database_host%
port: %database_port%
dbname: %database_name%
user: %database_user%
password: %database_password%
charset: UTF8
dbname: int_apartments
orm:
auto_generate_proxy_classes: %kernel.debug%
auto_mapping: true
mappings:
StofDoctrineExtensionsBundle: false
Now, I wanted to start at "step 1" and verify that the parameters.yml file is actually being imported, so I changed the host to "localhos" or the user to "tom" or whatever and the error message located in app/logs/prod.log stays exact as is - the location doesn't change and the user doesn't change.
So I checked my config_prod.yml located in app/config
imports:
- { resource: config.yml }
#doctrine:
# metadata_cache_driver: apc
# result_cache_driver: apc
# query_cache_driver: apc
monolog:
handlers:
main:
type: fingers_crossed
action_level: error
handler: nested
nested:
type: stream
path: %kernel.logs_dir%/%kernel.environment%.log
level: debug
...and everything seems standard!
Summary of what's going on
So here is the quick version.
Authentication error exists for root#localhost
Verified my authentication creditials by logging in as that user via the console
Want to check if the parameters.yml file is being loaded
Changed some values - none affected the error message
(small)Edit:
What I actually want to do is to connect to the DB as a completely different user with a different password. Even when I enter different credentials into my parameters.yml file, doctrine still spits out the "root#localhost" error.
Ideas?
Silly mistake, seems due to a bad user/group/owner configuration on the server.
the app/cache directory is owned by "root", but when I run
app/console cache:clear --env=prod --no-debug
I am running as another user (not root). So there were issues in clearing the cache and doctrine seems to have been using a very old configuration located in the cache files.
Lessons learned:
Always try running as root (as a last resort)
Use a properly configured web server to avoid ownership issues
I solved my problem by renaming the prod folder i uploaded to prod_old because the system could not delete the folder for some reason.