After changed password of user "admin", i can't login to device manager.
Welcome screen it turning and then tell me that there is an error :
[2017-10-23 10:11:41,401] [IoT-Core] ERROR {org.wso2.carbon.apimgt.impl.AMDefaultKeyManagerImpl} - Invalid OAuth Token : Invalid access token
[2017-10-23 10:11:41,401] [IoT-Core] ERROR {org.wso2.carbon.apimgt.rest.api.util.impl.WebAppAuthenticatorImpl} - Authentication failed. Please check your username/password
[2017-10-23 10:11:41,401] [IoT-Core] WARN {org.apache.cxf.phase.PhaseInterceptorChain} - Interceptor for {http://store.api.rest.apimgt.carbon.wso2.org/}SwaggerJsonApi has thrown exception, unwinding now
org.apache.cxf.interceptor.security.AuthenticationException: Unauthenticated request
It seems to have a fix (https://github.com/wso2/product-iots/issues/1033) but how can i fix it in 3.1.0?
Edit : I've changed db from H2 to mysql and now i can't change admin password in device management console.
i cant add user anymore too.
error in user management :
DataTables warning: table id=user-grid - Ajax error. For more information about this error, please see http://datatables.net/tn/7
error when i try to change admin password showed in browser:
900908Resource
forbidden Access failure for API:
/api/device-mgt/v1.0/users/1.0.0, version: 1.0.0 status: (900908) -
Resource forbidden
Backed to H2 DB for this part, still no luck. When admin password changed, device manager in not accessible for super admin.
Edit2 :
I've found a trick.
Backed to H2 for user management, i've created another user with all roles.
Then i've changed admin password to "disable" it.
It works, my new admin have all roles.
But when admin password is changed, access to store is forbidden.
this article says it fixed : https://wso2.org/jira/browse/EMM-1295
I've rechanged admin pass, no message. Maybe i made a mistake.
Thanks.
Regards,
Alex.
After searches, i found this :
https://docs.wso2.com/display/IoTS310/Changing+the+Super+Administrator+Username+and+Password
Tested and OK.
YOu have to change password on the webinterface carbon.
And follow the instruction on link above.
Related
I am using keycloak operator to install keycloak and i have configured keycloak to use external database (RDS instance). ==> (externalDatabase: true)
The keycloak instances are up and running without any issues.
When i tried to login to the keycloak UI with master realm credentials it is telling that the credentials are invalid, though the credentials are correct.
I am getting the credentials using the following command.
kubectl get secret credential-test -o go-template='{{range $k,$v := .data}}{{printf "%s: " $k}}{{if not $v}}{{$v}}{{else}}{{$v | base64decode}}{{end}}{{"\n"}}{{end}}'
The following is the log from the instance.
07:40:48,172 WARN [org.keycloak.events] (default task-1) type=LOGIN_ERROR, realmId=master, clientId=security-admin-console, userId=566f4e3e-c0f1-4304-bca2-686321d88b87, ipAddress=10.242.3.61, error=invalid_user_credentials, auth_method=openid-connect, auth_type=code, redirect_uri=https://test123.net/auth/admin/master/console/, code_id=5561bc9e-e2b9-41e3-836d-37add6e74c1c, username=admin, authSessionParentId=5561bc9e-e2b9-41e3-836d-37add6e74c1c, authSessionTabId=Oq-orhggRE4
Any advice or suggestion is highly appreciated.
I had this, or a similar issue as well when setting up the operator.
It appears that the external database that supposedly stores the admin username and password isn't updated when a new secret is generated if, say, the CRD for the Keycloak instance is deleted along with the secret. The steps I went through to fix it was to:
Delete the CRD.
Delete the database.
Recreate the database.
Recreate the CRD.
That way, the database should have no reason to accept the new credentials.
There is probably a better solution. But I could not find it in the docs so far.
I'm having a few problems getting this JIRA commandline to work:
C:\tools\atlassian-cli-7.8.0>jira.bat --debug --verbose --options
basicAuthentication --server "https://jira01.COMPANY.com" --user
FIRST.LAST#COMPANY.COM --password PASSWORD --action getServerInfo
It connects to the JIRA server, but gives this error:
org.swift.common.cli.CliClient$RemoteDisallowedException: User
'FIRST.LAST#COMPANY.COM' is not allowed to log in at this point in
time perhaps due to CAPTCHA requirements or too many failed login
requests.
This error always occurs despite the fact:
JIRA Web > Profile > Username is what I'm using to log in.
JIRA Web >
Profile > Groups is jira-software-users
The password provided to the
commandline is indeed the one that works when I login via the web.
I
have tried this both with and without --options basicAuthentication
This occurs regardless of how many times I successfully log out / log
in to the JIRA web UI.
Whenever I go to JIRA Web > Profile > Change
Password, it says: "Too many incorrect login attempts: Please log out
and log in again to access this function." (This also occurs
regardless of how many times I successfully log out / log in to the
JIRA web UI.)
A CAPTCHA is never shown on the JIRA Web UI's login.
NOTE: When we login to JIRA web ui, our company appears to defer to
federated authentication via "https://login.microsoftonline.com" into
which we provide the credentials we're providing the script, which
then takes us into JIRA.
Questions:
How to get the commandline tool / jira server to accept the same credentials the jira web ui does?
Is this a permissions issue or something involving the password federation?
Suggestions for how to get this to work?
How to get it to actually clear the "too many incorrect logins" issue?
Cheers & Thanks!
-Roberto
Full trace of command is:
URL requested:
https://jira01.COMPANY.com/rest/org.swift.jira.cli/latest/validatelicense
Request type: GET Content type: application/json options:
basicauthentication URL requested:
https://jira01.COMPANY.com/rest/auth/1/session Request type: POST
Content type: application/json Using basic authentication. Request
property X-Atlassian-Token, value: [no-check] Request property
Content-Language, value: [en-US] Request property Content-Type, value:
[application/json] json: {} Problem determination - response: 403:
null Problem determination - response url:
https://jira01.COMPANY.com/rest/auth/1/session Problem determination -
request url: https://jira01.COMPANY.com/rest/auth/1/session Problem
determination - response data:
Forbidden (403)
...
Remote error: User 'FIRST.LAST#COMPANY.COM' is not allowed to log in
at this point in time perhaps due to CAPTCHA requirements or too many
failed login requests. Go to the user interface and login to clear the
problem.
org.swift.common.cli.CliClient$RemoteDisallowedException: User
'FIRST.LAST#COMPANY.com' is not allowed to log in at this point in
time perhaps due to CAPTCHA requirements or too many failed login
requests. Go to the user interface and login to clear the problem. at
org.swift.jira.cli.helpers.AuthenticationHelper.login(AuthenticationHelper.java:196)
at
org.swift.jira.cli.helpers.AuthenticationHelper.login(AuthenticationHelper.java:157)
at
org.swift.common.cli.helpers.DefaultAuthenticationHelper.handleCookies(DefaultAuthenticationHelper.java:124)
at
org.swift.jira.cli.JiraClient.getAuthenticationHelper(JiraClient.java:185)
at
org.swift.jira.cli.JiraClient.getAuthenticationHelper(JiraClient.java:107)
at
org.swift.common.cli.helpers.DefaultRequestHelper.setConnectionProperties(DefaultRequestHelper.java:1043)
at
org.swift.common.cli.helpers.DefaultRequestHelper.setConnectionProperties(DefaultRequestHelper.java:1030)
at
org.swift.common.cli.helpers.DefaultRequestHelper.makeRequestWithUrlConnection(DefaultRequestHelper.java:724)
at
org.swift.common.cli.helpers.DefaultRequestHelper.makeUrlRequest(DefaultRequestHelper.java:690)
at
org.swift.common.cli.helpers.DefaultRequestHelper.makeRequest(DefaultRequestHelper.java:660)
at
org.swift.common.cli.helpers.DefaultRequestHelper.makeStandardRequest(DefaultRequestHelper.java:648)
at
org.swift.common.cli.helpers.AppfireRequestHelper.getServerInfo(AppfireRequestHelper.java:118)
at
org.swift.jira.cli.JiraClient.getRemoteServerInfo(JiraClient.java:2493)
at org.swift.jira.cli.JiraClient.getServerInfo(JiraClient.java:2455)
at org.swift.jira.cli.JiraClient.handleRequest(JiraClient.java:840) at
org.swift.common.cli.DefaultRemoteClient.process(DefaultRemoteClient.java:729)
at org.swift.common.cli.CliClient.doWork(CliClient.java:674) at
org.swift.common.cli.CliClient.doWork(CliClient.java:631) at
org.swift.jira.cli.JiraClient.main(JiraClient.java:166)
I managed to get this working by creating an API token and using that as the password. You can create an API token by visiting the https://id.atlassian.com/ site and selecting the API tokens on the left pane.
I hope this helps.
I am getting permission denied issue in 1.9 with REST API even though added all required Roles and Permissions.
Its working for guest users and getting the JSON result.
I can take customers via url api/rest/products?limit=1 without any authentication if i enabled Guest permission.
Same time its working with oAuth for a valid admin used.
But if i disabled guest permissions its not working for a valid admin user, showing the permission denied message.
When i check the access log, i can see like below
exception 'Mage_Api2_Exception' with message 'Access denied' in /var/www/html/app/code/core/Mage/Api2/Model/Server.php:217
Stack trace: #0 var/www/html/app/code/core/Mage/Api2/Model/Server.php(106): Mage_Api2_Model_Server->_allow(Object(Mage_Api2_Model_Request), Object(Mage_Api2_Model_Auth_User_Guest))
#1 /var/www/html/api.php(73): Mage_Api2_Model_Server->run()
is it because each API request via oAuth treats in Guest mode ?
How are you testing? Are you absolutely sure that you are indeed running an authorised request when disabling guest permission?
Maybe you can do some step-by-step debug in the class method _allow of Mage_Api2_Model_Server.
I'm trying to use wso2 APPM (vers 1.10.0) with an external ldap as authentication without real success.
I'll try to be as factual as possible to let it be testable:
I've unzip the wso2appm zip file under linux
I've setup the java_home var
I've start the wso2server.sh ==> no problem displayed in the log, at this step I must precise I'm using the default database of wso2.
Then logging to carbon gui, and adding a new userstore management setting up to a read-only external ldap.
after few seconds, the ldap users appears in the user list.
then selecting me in the list and adding the internal/store role.
opening the store url, and trying to login with the login / password of my user
Then having a message to inform me that the user has not the store profile.
If I log into carbon with my ldap user, it's working.
The same use case with the API looks fine to log into the store.
Any fix or ideas are welcome.
BR,
jfv
By the looks of it I suspect your issue is, the privileges are not set correctly for your ldap user store roles. Please make sure that you have assigned the internal/subscriber role to the relevant user in your permission tree. You can find more details about this at JIRA ticket [1]
[1] https://wso2.org/jira/browse/APPM-279
Cheers,
Pubudu
Hi and thank your for your answer,
first: I've checked this morning the solution you've proposed, and there is no change.
In a second time, I've tryied to add all privileges without more success
but if I create a new user manually, this one can login.
The following error in the log are shown when I try to login with an ldap user.
[2016-05-09 07:48:54,272] INFO - ReadOnlyLDAPUserStoreManager LDAP connection created successfully in read-only mode
[2016-05-09 07:48:54,283] INFO - UserStoreDeploymentManager Realm configuration of tenant:-1234 modified with /opt/wso2appm/repository/deployment/server/userstores/orange_com.xml
[2016-05-09 07:50:18,187] WARN - CarbonAuthenticationUtil Failed Administrator login attempt 'admin[-1234]' at [2016-05-09 07:50:18,187+0200]
[2016-05-09 07:50:18,189] WARN - AuthenticationHandler Illegal access attempt at [2016-05-09 07:50:18,0188] from IP address 10.199.210.37 while trying to authenticate access to service RemoteAuthorizationManagerService
[2016-05-09 07:50:18,189] ERROR - AUDIT_LOG Illegal access attempt at [2016-05-09 07:50:18,0188] from IP address 10.199.210.37 while trying to authenticate access to service RemoteAuthorizationManagerService
[2016-05-09 07:50:18,221] WARN - acs:jag User jaav7491 does not have permission to access the store application. Make sure the user has the store role.
the login is "jaav7491"
Thank you for your ideas,
BR,
jfv
I configure IS and AM with SAML SSO as described in official documentation.
SSO login for AM console function well, I can log in as admin using unique credendital as defined in IS.
When I try to login to publisher or store, login is redirected to IS SamlSSO page as expected, but when I insert uid/pwd, browser is redirected to publisher login page asking for user credentials. AM carbon log report this WARN and ERROR:
TID: [0] [AM] [2014-05-07 17:27:28,171] WARN {org.wso2.carbon.server.admin.module.handler.AuthenticationHandler} -
Illegal access attempt at [2014-05-07 17:27:28,0171] from IP address 192.168.50.60 :
Service is RemoteAuthorizationManagerService
{org.wso2.carbon.server.admin.module.handler.AuthenticationHandler}
TID: [0] [AM] [2014-05-07 17:27:28,172] ERROR {org.apache.axis2.engine.AxisEngine} -
Access Denied. Please login first. {org.apache.axis2.engine.AxisEngine} org.apache.axis2.AxisFault: Access Denied. Please login first.
at org.wso2.carbon.server.admin.module.handler.AuthenticationHandler.authenticate(AuthenticationHandler.java:97)
any suggestion on how to solve this?
Giovanni,
I made contact with WSO2 as I had the same problem and they directed me to https://wso2.org/jira/browse/APIMANAGER-2118
It appears that there maybe a bug in the priority of the SAMLSSOAuthentication and Basic Authentication. I followed the points in the above link and modified the APIMHOME/repository/conf/security/authenticators.xml and changed the priority for SAMLSSO from 10 to 0
I am now able to move between store/publisher and also carbon for API Manager, Identity Server also BAM.
Hope this helps
Carl.