Re: KubeCF 2.5.0 Is Out
Dieu Cao
Congrats KubeCF team!
-Dieu
From: Krannich, Bernd via lists.cloudfoundry.org
Sent: Thursday, September 24, 2020 6:34 AM
Subject: Re: [cf-dev] KubeCF 2.5.0 Is Out

Congrats to the KubeCF team!
Cheers, Bernd
Stratos 4.1.0
Richard Cox
Hi All,
It gives me great pleasure to announce Stratos 4.1.0
Highlights include...
Full release notes are available from -
https://github.com/cloudfoundry/stratos/blob/master/CHANGELOG.md#410
We welcome your feedback, comments and bug reports. Please feel free to raise them in github (https://github.com/cloudfoundry/stratos) or reach out directly to us in slack (#stratos)
Regards,
Richard Cox
on behalf of the Stratos team
Re: KubeCF 2.5.0 Is Out
Krannich, Bernd
Congrats to the KubeCF team!
Cheers, Bernd
Re: KubeCF 2.5.0 Is Out
Chip Childers <cchilders@...>
On Thu, Sep 24, 2020 8:07 AM, Simon D Moser smoser@... wrote:
Re: KubeCF 2.5.0 Is Out
Simon D Moser
Awesome! Great job team - and we have container 2 container networking now in KubeCF, which is really great! Go CF Community!
Kind regards
Simon Moser
Senior Technical Staff Member / IBM Master Inventor
Bluemix Application Platform Lead Architect
IBM Research & Development Boeblingen

From: "Jaime Gomes" <jaime.gomes@...>
Date: 24/09/2020 10:03
Subject: [cf-dev] KubeCF 2.5.0 Is Out
KubeCF 2.5.0 Is Out
Jaime Gomes
Hey, I am proud to announce another important milestone for KubeCF - the release of v2.5.0. This release reflects the intensive work integrating Eirini and the C2C networking support. So, I am inviting everyone to check first the release notes, take it for a spin and share the experience through the Slack channel (#kubecf-dev), where the team is promptly replying to any question from the community, and on GitHub, for bugs and feature requests. Thanks to everyone for the work and participation.
Community awards nomination form - Respond by Monday!
Chip Childers <cchilders@...>
Re: Cloud Foundry Summit Europe 2020 CFP Co-Chair Voting Form
Chip Childers <cchilders@...>
On Wed, Sep 23, 2020 4:09 PM, Chip Childers cchilders@... wrote:
Re: Cloud Foundry Summit Europe 2020 CFP Co-Chair Voting Form
Chip Childers <cchilders@...>
On Wed, Sep 2, 2020 2:58 PM, Paige O'Connor poconnor@... wrote:
Cloud Foundry Summit Europe Virtual Schedule is Now Live!
Chip Childers <cchilders@...>
Re: UAA api /introspect does not seem to be working as expected
#uaa
Shetty, Viraj S [CTR]
Jeremy,
Thanks for your help! I found what the problem was. I ran a local copy of the UAA on my laptop, pointing to the cloud database, and ran your test cases; it all worked as expected! I was able to use the /introspect endpoint with the bearer token. So I started comparing the differences in the uaa.yml file (default and our yaml) and found that the problem was the setting in my uaa.yml file which excluded authorities in the tokens:

claims:
  exclude:
    - authorities

The default uaa.yml had this commented out and I just uncommented it while deploying our UAA. When I removed this setting, I am able to use /introspect with the bearer token. I could also see that the token for the client introspect-test now has the authorities set as below. Looks like the UAA code is looking at the "authorities" claim and not the "scope" claim. Is that expected?

"authorities": [
  "uaa.resource"
],
"scope": [
  "uaa.resource"
],

I am just wondering why that option (exclude authorities) is there in the first place and if removing that option affects anything else.

Thanks,
Viraj
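To make the failure mode concrete, here is an added example (not UAA's code and not from Viraj's post) that decodes two constructed client tokens and applies the hasAuthority('uaa.resource') check that the filter-chain trace in this thread shows guarding /introspect. The tokens, the make_unsigned_jwt helper and the fallback authority list are assumptions for illustration; the list is copied from the "Granted Authorities" line in Viraj's trace, and treating it as what UAA substitutes when the claim is missing is an inference from the thread, not something the thread states.

```python
"""Emulate the /introspect authorization check discussed in the thread.

Constructed example, not UAA's own code: two unsigned JWT payloads for the
introspect-test client, one carrying the `authorities` claim and one with
that claim excluded, are decoded and checked the way the trace line
`#oauth2.throwOnError(hasAuthority('uaa.resource'))` implies.
"""
import base64
import json

# Authorities listed under "Granted Authorities" in Viraj's trace when the
# claim was missing. Treating them as UAA's fallback is an inference from
# the thread, used here only to reproduce the observed 403.
FALLBACK_USER_AUTHORITIES = [
    "password.write", "scim.userids", "scim.me", "openid", "oauth.approvals",
    "uaa.offline_token", "profile", "roles", "user_attributes", "uaa.user",
]


def b64url(data: bytes) -> str:
    """Base64url without padding, as JWT segments are encoded."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(segment: str) -> bytes:
    """Restore padding before decoding a JWT segment."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_unsigned_jwt(claims: dict) -> str:
    """Constructed alg=none token for local inspection only; a real resource
    server must never accept unsigned tokens."""
    header = b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{b64url(json.dumps(claims).encode())}."


def decode_claims(token: str) -> dict:
    """Read the payload segment without verifying the signature (enough for
    inspecting a token you fetched yourself, as `uaac context` does)."""
    _header, payload, _signature = token.split(".")
    return json.loads(b64url_decode(payload))


def granted_authorities(claims: dict) -> list:
    """The caller's granted authorities: the `authorities` claim when present,
    otherwise the fallback set; the `scope` claim plays no part."""
    if "authorities" in claims:
        return list(claims["authorities"])
    return list(FALLBACK_USER_AUTHORITIES)


def introspect_allowed(token: str, required: str = "uaa.resource") -> bool:
    """hasAuthority(required) as the FilterSecurityInterceptor evaluates it."""
    return required in granted_authorities(decode_claims(token))


def explain(token: str) -> str:
    """One-line verdict for a token, mirroring what `uaac curl` would show."""
    claims = decode_claims(token)
    status = "200 active" if introspect_allowed(token) else "403 access_denied"
    why = ("authorities claim present" if "authorities" in claims
           else "authorities claim excluded; scope alone is not enough")
    return f"{claims['client_id']}: {status} ({why})"


# Constructed claims for the introspect-test client created in the thread.
BASE_CLAIMS = {"client_id": "introspect-test",
               "grant_type": "client_credentials", "scope": ["uaa.resource"]}
TOKEN_WITH_AUTHORITIES = make_unsigned_jwt({**BASE_CLAIMS, "authorities": ["uaa.resource"]})
# What the `claims: exclude: - authorities` setting from Viraj's uaa.yml produces.
TOKEN_WITHOUT_AUTHORITIES = make_unsigned_jwt(BASE_CLAIMS)

if __name__ == "__main__":
    for token in (TOKEN_WITH_AUTHORITIES, TOKEN_WITHOUT_AUTHORITIES):
        print(explain(token))
```

Paste a real token fetched with `uaac token client get introspect-test` into decode_claims to see whether your deployment's uaa.yml is stripping the authorities claim.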
Re: TLS for everything
caitlyny@...
Hi Jon,
I provided an update for #2 within the issue on GitHub.
Caitlyn
Re: TLS for everything
Jon Price
Hi David,
Done – Issue 906.
I too have been involved in several conversations over the past several years about this. Back in 2015 we had a meeting with Dieu Cao (Hi Dieu!) and the former chief security officer at Pivotal, Justin Smith, about this, and I also did a talk at the 2015 CF Summit about using IPsec.
It’s exciting to see how close we are getting to securing every endpoint, only a few more thousand lines of PEM text in the deployment manifest and we are done!
-- Jon Price
From: David McClure
Sent: Tuesday, September 15, 2020 4:36 PM
Subject: Re: [cf-dev] TLS for everything

From: Miki Mokrysz via lists.cloudfoundry.org <miki.mokrysz=digital.cabinet-office.gov.uk@...>
We’re under the impression that Silk (apps.internal) traffic between cells is also unencrypted.
Re: UAA api /introspect does not seem to be working as expected
#uaa
Shetty, Viraj S [CTR]
Hi Jeremy,
Thanks for that test case. I followed your test case on our UAA Server except with one change; since we are set up with MFA, I used the uaac token sso to get Marissa's token. The UAA app version is 74.24.0 and the UAAC version is 4.2.0. You can see I got the access denied error that I received with Postman. I attached a snippet of the log errors. Also, I upgraded to UAA 74.24.0 by downloading the source from https://github.com/cloudfoundry/uaa/archive/v74.24.0.zip and compiling it using gradle. I am wondering if I am doing something incorrect during installation. Next I will try with a brand new installation and see if that works.

----- Command entered -----
COMMAND> uaac version
UAA client 4.2.0
COMMAND> uaac info
Unknown key: Max-Age = 86400
app
version: 74.24.0
{truncated}
COMMAND> uaac token client get admin
Client secret: ************************
Successfully fetched token via client credentials grant.
Target: https://*****************
Context: admin, from client admin
COMMAND> uaac client add introspect-test --scope uaa.none --authorized_grant_types client_credentials --authorities uaa.resource
New client secret: ***************
Verify new client secret: ***************
scope: uaa.none
client_id: introspect-test
resource_ids: none
authorized_grant_types: client_credentials
autoapprove:
authorities: uaa.resource
name: introspect-test
required_user_groups:
lastmodified: 1600268652000
id: introspect-test
PS C:\Users\vshetty\source\repos\pservices-cyberark-api\bin> uaac user add marissa --given_name marissa --family_name koala
--emails marisa@...
Password: *****
Verify password: *****
user account successfully added
COMMAND> uaac token sso get seswt-uaa-cli
Client secret:
Passcode (from https://********/passcode): ******
Successfully fetched token via owner passcode grant.
Target: https://***************
Context: marissa, from client seswt-uaa-cli
COMMAND> uaac context marissa
{ captured Marissa's token }
COMMAND> uaac token client get introspect-test
Client secret: ***************
{ double checked that the token has the uaa.resource scope }
Successfully fetched token via client credentials grant.
Target: https://**************
Context: introspect-test, from client introspect-test
# MARISSA-TOKEN is actual token
COMMAND> uaac curl --trace /introspect -X POST -d "token=MARISSA-TOKEN"
POST https://*****/introspect
REQUEST BODY: "token=MARISSA-TOKEN"
403 Forbidden
RESPONSE HEADERS:
Date: Wed, 16 Sep 2020 15:18:29 GMT
Content-Type: application/json
Transfer-Encoding: chunked
Connection: close
Vary: Accept-Encoding
Cache-Control: no-store
Pragma: no-cache
Strict-Transport-Security: max-age=31536000 ; includeSubDomains
X-Content-Type-Options: nosniff
X-Vcap-Request-Id: 86dbda61-e43d-43e9-650f-2150836c4ea0
X-Xss-Protection: 1; mode=block
X-Frame-Options: DENY
RESPONSE BODY:
{
"error": "access_denied",
"error_description": "Access is denied"
}

--- Log file contents ---
2020-09-16T11:55:55.44-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.448] uaa - 40 [http-nio-8080-exec-5] .... DEBUG --- JdbcTemplate: Executing prepared SQL query
2020-09-16T11:55:55.44-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.448] uaa - 40 [http-nio-8080-exec-5] .... DEBUG --- JdbcTemplate: Executing prepared SQL statement [select id,version,created,lastmodified,name,subdomain,description,config,active from identity_zone where subdomain=? and active = ?]
2020-09-16T11:55:55.44-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.449] uaa - 40 [http-nio-8080-exec-5] .... DEBUG --- DataSourceUtils: Fetching JDBC Connection from DataSource
2020-09-16T11:55:55.45-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.451] uaa - 40 [http-nio-8080-exec-5] .... TRACE --- StatementCreatorUtils: Setting SQL statement parameter value: column index 1, parameter value [], value class [java.lang.String], SQL type unknown
2020-09-16T11:55:55.45-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.451] uaa - 40 [http-nio-8080-exec-5] .... TRACE --- StatementCreatorUtils: Setting SQL statement parameter value: column index 2, parameter value [true], value class [java.lang.Boolean], SQL type unknown
2020-09-16T11:55:55.45-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.458] uaa - 40 [http-nio-8080-exec-5] .... DEBUG --- FilterChainProxy: /introspect at position 7 of 20 in additional filter chain; firing Filter: 'DisableIdTokenResponseTypeFilter'
2020-09-16T11:55:55.45-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.458] uaa - 40 [http-nio-8080-exec-5] .... DEBUG --- DisableIdTokenResponseTypeFilter: Processing id_token disable filter
2020-09-16T11:55:55.45-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.458] uaa - 40 [http-nio-8080-exec-5] .... DEBUG --- DisableIdTokenResponseTypeFilter: pre id_token disable:false pathinfo:null request_uri:/introspect response_type:null
2020-09-16T11:55:55.45-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.458] uaa - 40 [http-nio-8080-exec-5] .... DEBUG --- DisableIdTokenResponseTypeFilter: post id_token disable:false pathinfo:null request_uri:/introspect response_type:null
2020-09-16T11:55:55.45-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.458] uaa - 40 [http-nio-8080-exec-5] .... DEBUG --- FilterChainProxy: /introspect at position 8 of 20 in additional filter chain; firing Filter: 'HttpsEnforcementFilter'
2020-09-16T11:55:55.45-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.459] uaa - 40 [http-nio-8080-exec-5] .... DEBUG --- SecurityFilterChainPostProcessor$HttpsEnforcementFilter: Filter chain 'introspectSecurity' processing request POST /introspect
2020-09-16T11:55:55.45-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.459] uaa - 40 [http-nio-8080-exec-5] .... DEBUG --- FilterChainProxy: /introspect at position 9 of 20 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2020-09-16T11:55:55.45-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.459] uaa - 40 [http-nio-8080-exec-5] .... DEBUG --- FilterChainProxy: /introspect at position 10 of 20 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
2020-09-16T11:55:55.45-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.459] uaa - 40 [http-nio-8080-exec-5] .... DEBUG --- FilterChainProxy: /introspect at position 11 of 20 in additional filter chain; firing Filter: 'HeaderWriterFilter'
2020-09-16T11:55:55.45-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.459] uaa - 40 [http-nio-8080-exec-5] .... DEBUG --- FilterChainProxy: /introspect at position 12 of 20 in additional filter chain; firing Filter: 'OAuth2AuthenticationProcessingFilter'
2020-09-16T11:55:55.45-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.459] uaa - 40 [http-nio-8080-exec-5] .... DEBUG --- SESSION_LOGGER: No session found by id: Caching result for getSession(false) for this HttpServletRequest.
2020-09-16T11:55:55.46-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.462] uaa - 40 [http-nio-8080-exec-5] .... DEBUG --- JdbcTemplate: Executing prepared SQL query
2020-09-16T11:55:55.46-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.463] uaa - 40 [http-nio-8080-exec-5] .... DEBUG --- JdbcTemplate: Executing prepared SQL statement [select client_id, client_secret, resource_ids, scope, authorized_grant_types, web_server_redirect_uri, authorities, access_token_validity, refresh_token_validity, additional_information, autoapprove, lastmodified, required_user_groups from oauth_client_details where client_id = ? and identity_zone_id = ?]
2020-09-16T11:55:55.46-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.463] uaa - 40 [http-nio-8080-exec-5] .... DEBUG --- DataSourceUtils: Fetching JDBC Connection from DataSource
2020-09-16T11:55:55.46-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.464] uaa - 40 [http-nio-8080-exec-5] .... TRACE --- StatementCreatorUtils: Setting SQL statement parameter value: column index 1, parameter value [introspect-test], value class [java.lang.String], SQL type unknown
2020-09-16T11:55:55.46-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.464] uaa - 40 [http-nio-8080-exec-5] .... TRACE --- StatementCreatorUtils: Setting SQL statement parameter value: column index 2, parameter value [uaa], value class [java.lang.String], SQL type unknown
2020-09-16T11:55:55.46-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.466] uaa - 40 [http-nio-8080-exec-5] .... DEBUG --- OAuth2AuthenticationProcessingFilter: Authentication success: org.cloudfoundry.identity.uaa.oauth.UaaOauth2Authentication@37a34f31: Principal: introspect-test; Credentials: [PROTECTED]; Authenticated: true; Details: remoteAddress=************, tokenType=BearertokenValue=; Granted Authorities: password.write, scim.userids, scim.me, openid, oauth.approvals, uaa.offline_token, profile, roles, user_attributes, uaa.user
2020-09-16T11:55:55.46-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.466] uaa - 40 [http-nio-8080-exec-5] .... DEBUG --- FilterChainProxy: /introspect at position 13 of 20 in additional filter chain; firing Filter: 'IdentityZoneSwitchingFilter'
2020-09-16T11:55:55.46-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.466] uaa - 40 [http-nio-8080-exec-5] .... DEBUG --- FilterChainProxy: /introspect at position 14 of 20 in additional filter chain; firing Filter: 'DisableUserManagementSecurityFilter'
2020-09-16T11:55:55.46-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.466] uaa - 40 [http-nio-8080-exec-5] .... DEBUG --- FilterChainProxy: /introspect at position 15 of 20 in additional filter chain; firing Filter: 'DisableInternalUserManagementFilter'
2020-09-16T11:55:55.46-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.466] uaa - 40 [http-nio-8080-exec-5] .... DEBUG --- FilterChainProxy: /introspect at position 16 of 20 in additional filter chain; firing Filter: 'ClientBasicAuthenticationFilter'
2020-09-16T11:55:55.46-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.466] uaa - 40 [http-nio-8080-exec-5] .... DEBUG --- FilterChainProxy: /introspect at position 17 of 20 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
2020-09-16T11:55:55.46-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.466] uaa - 40 [http-nio-8080-exec-5] .... DEBUG --- FilterChainProxy: /introspect at position 18 of 20 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
2020-09-16T11:55:55.46-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.466] uaa - 40 [http-nio-8080-exec-5] .... DEBUG --- FilterChainProxy: /introspect at position 19 of 20 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
2020-09-16T11:55:55.46-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.467] uaa - 40 [http-nio-8080-exec-5] .... DEBUG --- FilterSecurityInterceptor: Secure object: FilterInvocation: URL: /introspect; Attributes: [#oauth2.throwOnError(hasAuthority('uaa.resource'))]
2020-09-16T11:55:55.46-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.467] uaa - 40 [http-nio-8080-exec-5] .... DEBUG --- FilterSecurityInterceptor: Previously Authenticated: org.cloudfoundry.identity.uaa.oauth.UaaOauth2Authentication@37a34f31: Principal: introspect-test; Credentials: [PROTECTED]; Authenticated: true; Details: remoteAddress=**************, tokenType=BearertokenValue=; Granted Authorities: password.write, scim.userids, scim.me, openid, oauth.approvals, uaa.offline_token, profile, roles, user_attributes, uaa.user
2020-09-16T11:55:55.50-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.499] uaa - 40 [http-nio-8080-exec-5] .... DEBUG --- AffirmativeBased: Voter: org.springframework.security.web.access.expression.WebExpressionVoter@17088b23, returned: -1
2020-09-16T11:55:55.50-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.500] uaa - 40 [http-nio-8080-exec-5] .... DEBUG --- ReloadableResourceBundleMessageSource: Loading properties [messages.properties]
2020-09-16T11:55:55.50-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.503] uaa - 40 [http-nio-8080-exec-5] .... DEBUG --- ReloadableResourceBundleMessageSource: No properties file found for [classpath:messages_en] - neither plain properties nor XML
2020-09-16T11:55:55.50-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.504] uaa - 40 [http-nio-8080-exec-5] .... DEBUG --- ReloadableResourceBundleMessageSource: No properties file found for [classpath:messages_en_US] - neither plain properties nor XML
2020-09-16T11:55:55.50-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.505] uaa - 40 [http-nio-8080-exec-5] .... TRACE --- DefaultListableBeanFactory: Returning cached instance of singleton bean 'scimUserBootstrap'
2020-09-16T11:55:55.50-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.505] uaa - 40 [http-nio-8080-exec-5] .... TRACE --- DefaultListableBeanFactory: Returning cached instance of singleton bean 'delegatingApplicationListener'
2020-09-16T11:55:55.50-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.505] uaa - 40 [http-nio-8080-exec-5] .... DEBUG --- ExceptionTranslationFilter: Access is denied (user is not anonymous); delegating to AccessDeniedHandler
2020-09-16T11:55:55.50-0400 [APP/PROC/WEB/0] OUT org.springframework.security.access.AccessDeniedException: Access is denied
Re: Topics or presentations? CAB call: Wednesday, Sept. 16th @ 8AM PT / 11AM ET / 4PM CET
GOOD NEWS EVERYONE! We have a couple of presentations for tomorrow:
TT -- Troy Topnik
Senior Product Manager,
SUSE Cloud Application Platform
troy.topnik@...
Re: TLS for everything
David McClure
Hi everyone,
Glad to see this conversation happening. I've been involved in several conversations about this over the years but I'm not sure what public artifacts exist about these efforts. Historically, it has been a challenge to organize so-called "cross-cutting efforts" that require the involvement of many different teams and it may be especially challenging now that much of the community has shifted its focus to developing cf-for-k8s.
That said, here's a thought: perhaps we can approach this feature request and other "cross-cutting" features for cf-for-vms with the following strategy going forward:
Jon, would you like to do the honors as the thread starter here?
From: Miki Mokrysz via lists.cloudfoundry.org <miki.mokrysz=digital.cabinet-office.gov.uk@...>
Sent: Tuesday, September 15, 2020 11:41 AM
Subject: Re: [cf-dev] TLS for everything

On Tuesday, 15 September 2020, Peter Burkholder via lists.cloudfoundry.org <peter.burkholder=gsa.gov@...> wrote:
Re: UAA api /introspect does not seem to be working as expected
#uaa
Jeremy Morony
Hi Viraj,
I couldn't replicate the issue you've described. While logs are always helpful, more helpful would be a small setup replicating the issue. For example, this is what I did to replicate your issue using the UAA in development:
uaac target http://localhost:8080/uaa
uaac token client get admin
uaac client add introspect-test --scope uaa.none --authorized_grant_types client_credentials --authorities uaa.resource
uaac token owner get cf marissa -p koala --scope uaa.user
uaac contexts #extract marissa's access token
uaac token client get introspect-test
uaac curl --trace /introspect -X POST -d "token=marissas-access-token"
200
RESPONSE HEADERS:
<snip>
RESPONSE BODY:
{
"active": true // other claims omitted
}

From: cf-dev@... <cf-dev@...> on behalf of Shetty, Viraj S [CTR] via lists.cloudfoundry.org <vshetty=fdic.gov@...>
Sent: Friday, September 11, 2020 12:44 PM
Subject: Re: [cf-dev] UAA api /introspect does not seem to be working as expected #uaa

Jeremy,
I upgraded to the latest UAA version 74.24.0 and I still see the same issue. Is there something I can provide from logs that might help?
Thanks,
Viraj
Re: TLS for everything
Miki Mokrysz <miki.mokrysz@...>
+1 on desiring everything to be encrypted on the network.

On Tuesday, 15 September 2020, Peter Burkholder via lists.cloudfoundry.org <peter.burkholder=gsa.gov@...> wrote:
Re: TLS for everything
Peter Burkholder
We may run into similar requirements for cloud.gov, so TLS everywhere would be A+.

On Tue, Sep 15, 2020 at 1:45 PM Jon Price <jon.price@...> wrote:

--
Peter Burkholder | cloud.gov compliance & security
Please use cloud-gov-compliance@... for cloud.gov matters
TLS for everything
Jon Price
Hi everyone,
There has been a lot of excellent progress in securing all CF traffic with TLS and as far as I can tell there are only a few things that are still unencrypted. Is there a timeline or any plans for these last few things?

1) routing-api - still using both TLS and non-TLS in the cf-deployment. The http endpoint is what is registered in the router. Is there a reason for still enabling both?
2) metrics-discovery-registrar-windows - not using nats-tls hostname, falling back to 4222
3) route_registrar - not using nats-tls
4) gorouter - not using nats-tls

We have a requirement that all traffic on the network is encrypted and I would really love to stop running IPsec. :)

Jon Price
Intel Corp.