Re: TLS for everything
Jon Price
Hi David,
Done – Issue 906.
I too have been involved in several conversations over the past several years about this. Back in 2015 we had a meeting with Dieu Cao (Hi Dieu!) and the former chief security officer at Pivotal, Justin Smith, about this, and I also did a talk at the 2015 CF Summit about using IPsec.
It’s exciting to see how close we are getting to securing every endpoint, only a few more thousand lines of PEM text in the deployment manifest and we are done!
-- Jon Price
From: cf-dev@... <cf-dev@...> On Behalf Of David McClure
Sent: Tuesday, September 15, 2020 4:36 PM
To: cf-dev@...
Subject: Re: [cf-dev] TLS for everything
Hi everyone,
Glad to see this conversation happening. I've been involved in several conversations about this over the years but I'm not sure what public artifacts exist about these efforts. Historically, it has been a challenge to organize so-called "cross-cutting efforts" that require the involvement of many different teams and it may be especially challenging now that much of the community has shifted its focus to developing cf-for-k8s.
That said, here's a thought: perhaps we can approach this feature request and other "cross-cutting" features for cf-for-vms with the following strategy going forward:
Jon, would you like to do the honors as the thread starter here?
From: cf-dev@... <cf-dev@...> on behalf of Miki Mokrysz via lists.cloudfoundry.org <miki.mokrysz=digital.cabinet-office.gov.uk@...>
+1 on desiring everything to be encrypted on the network.
We’re under the impression that Silk (apps.internal) traffic between cells is also unencrypted.
Re: UAA api /introspect does not seem to be working as expected
#uaa
Hi Jeremy,
Thanks for that testcase. I followed your testcase on our UAA Server except with one change; since we are set up with MFA, I used the uaac token sso to get Marissa's token. The UAA app version is 74.24.0 and the UAAC version is 4.2.0. You can see I got the access denied error that I received with Postman. I attached a snippet of the log errors. Also, I upgraded to UAA 74.24.0 by downloading source from https://github.com/cloudfoundry/uaa/archive/v74.24.0.zip and compiling it using gradle. I am wondering if I am doing something incorrect during installation. Next I will try with a brand new installation and see if that works.
----- Command entered -----
COMMAND> uaac version
UAA client 4.2.0
COMMAND> uaac info
Unknown key: Max-Age = 86400
app
version: 74.24.0
{truncated}
COMMAND> uaac token client get admin
Client secret: ************************
Successfully fetched token via client credentials grant.
Target: https://*****************
Context: admin, from client admin
COMMAND> uaac client add introspect-test --scope uaa.none --authorized_grant_types client_credentials --authorities uaa.resource
New client secret: ***************
Verify new client secret: ***************
scope: uaa.none
client_id: introspect-test
resource_ids: none
authorized_grant_types: client_credentials
autoapprove:
authorities: uaa.resource
name: introspect-test
required_user_groups:
lastmodified: 1600268652000
id: introspect-test
PS C:\Users\vshetty\source\repos\pservices-cyberark-api\bin> uaac user add marissa --given_name marissa --family_name koala --emails marisa@...
Password: *****
Verify password: *****
user account successfully added
COMMAND> uaac token sso get seswt-uaa-cli
Client secret:
Passcode (from https://********/passcode): ******
Successfully fetched token via owner passcode grant.
Target: https://***************
Context: marissa, from client seswt-uaa-cli
COMMAND> uaac context marissa
{ captured Marissa's token }
COMMAND> uaac token client get introspect-test
Client secret: ***************
{ double checked that the token has the uaa.resource scope }
Successfully fetched token via client credentials grant.
Target: https://**************
Context: introspect-test, from client introspect-test
# MARISSA-TOKEN is actual token
COMMAND> uaac curl --trace /introspect -X POST -d "token=MARISSA-TOKEN"
POST https://*****/introspect
REQUEST BODY: "token=MARISSA-TOKEN"
403 Forbidden
RESPONSE HEADERS:
Date: Wed, 16 Sep 2020 15:18:29 GMT
Content-Type: application/json
Transfer-Encoding: chunked
Connection: close
Vary: Accept-Encoding
Cache-Control: no-store
Pragma: no-cache
Strict-Transport-Security: max-age=31536000 ; includeSubDomains
X-Content-Type-Options: nosniff
X-Vcap-Request-Id: 86dbda61-e43d-43e9-650f-2150836c4ea0
X-Xss-Protection: 1; mode=block
X-Frame-Options: DENY
RESPONSE BODY:
{
"error": "access_denied",
"error_description": "Access is denied"
}
--- Log file contents ---
2020-09-16T11:55:55.44-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.448] uaa - 40 [http-nio-8080-exec-5] .... DEBUG --- JdbcTemplate: Executing prepared SQL query
2020-09-16T11:55:55.44-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.448] uaa - 40 [http-nio-8080-exec-5] .... DEBUG --- JdbcTemplate: Executing prepared SQL statement [select id,version,created,lastmodified,name,subdomain,description,config,active from identity_zone where subdomain=? and active = ?]
2020-09-16T11:55:55.44-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.449] uaa - 40 [http-nio-8080-exec-5] .... DEBUG --- DataSourceUtils: Fetching JDBC Connection from DataSource
2020-09-16T11:55:55.45-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.451] uaa - 40 [http-nio-8080-exec-5] .... TRACE --- StatementCreatorUtils: Setting SQL statement parameter value: column index 1, parameter value [], value class [java.lang.String], SQL type unknown
2020-09-16T11:55:55.45-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.451] uaa - 40 [http-nio-8080-exec-5] .... TRACE --- StatementCreatorUtils: Setting SQL statement parameter value: column index 2, parameter value [true], value class [java.lang.Boolean], SQL type unknown
2020-09-16T11:55:55.45-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.458] uaa - 40 [http-nio-8080-exec-5] .... DEBUG --- FilterChainProxy: /introspect at position 7 of 20 in additional filter chain; firing Filter: 'DisableIdTokenResponseTypeFilter'
2020-09-16T11:55:55.45-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.458] uaa - 40 [http-nio-8080-exec-5] .... DEBUG --- DisableIdTokenResponseTypeFilter: Processing id_token disable filter
2020-09-16T11:55:55.45-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.458] uaa - 40 [http-nio-8080-exec-5] .... DEBUG --- DisableIdTokenResponseTypeFilter: pre id_token disable:false pathinfo:null request_uri:/introspect response_type:null
2020-09-16T11:55:55.45-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.458] uaa - 40 [http-nio-8080-exec-5] .... DEBUG --- DisableIdTokenResponseTypeFilter: post id_token disable:false pathinfo:null request_uri:/introspect response_type:null
2020-09-16T11:55:55.45-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.458] uaa - 40 [http-nio-8080-exec-5] .... DEBUG --- FilterChainProxy: /introspect at position 8 of 20 in additional filter chain; firing Filter: 'HttpsEnforcementFilter'
2020-09-16T11:55:55.45-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.459] uaa - 40 [http-nio-8080-exec-5] .... DEBUG --- SecurityFilterChainPostProcessor$HttpsEnforcementFilter: Filter chain 'introspectSecurity' processing request POST /introspect
2020-09-16T11:55:55.45-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.459] uaa - 40 [http-nio-8080-exec-5] .... DEBUG --- FilterChainProxy: /introspect at position 9 of 20 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2020-09-16T11:55:55.45-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.459] uaa - 40 [http-nio-8080-exec-5] .... DEBUG --- FilterChainProxy: /introspect at position 10 of 20 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
2020-09-16T11:55:55.45-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.459] uaa - 40 [http-nio-8080-exec-5] .... DEBUG --- FilterChainProxy: /introspect at position 11 of 20 in additional filter chain; firing Filter: 'HeaderWriterFilter'
2020-09-16T11:55:55.45-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.459] uaa - 40 [http-nio-8080-exec-5] .... DEBUG --- FilterChainProxy: /introspect at position 12 of 20 in additional filter chain; firing Filter: 'OAuth2AuthenticationProcessingFilter'
2020-09-16T11:55:55.45-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.459] uaa - 40 [http-nio-8080-exec-5] .... DEBUG --- SESSION_LOGGER: No session found by id: Caching result for getSession(false) for this HttpServletRequest.
2020-09-16T11:55:55.46-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.462] uaa - 40 [http-nio-8080-exec-5] .... DEBUG --- JdbcTemplate: Executing prepared SQL query
2020-09-16T11:55:55.46-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.463] uaa - 40 [http-nio-8080-exec-5] .... DEBUG --- JdbcTemplate: Executing prepared SQL statement [select client_id, client_secret, resource_ids, scope, authorized_grant_types, web_server_redirect_uri, authorities, access_token_validity, refresh_token_validity, additional_information, autoapprove, lastmodified, required_user_groups from oauth_client_details where client_id = ? and identity_zone_id = ?]
2020-09-16T11:55:55.46-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.463] uaa - 40 [http-nio-8080-exec-5] .... DEBUG --- DataSourceUtils: Fetching JDBC Connection from DataSource
2020-09-16T11:55:55.46-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.464] uaa - 40 [http-nio-8080-exec-5] .... TRACE --- StatementCreatorUtils: Setting SQL statement parameter value: column index 1, parameter value [introspect-test], value class [java.lang.String], SQL type unknown
2020-09-16T11:55:55.46-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.464] uaa - 40 [http-nio-8080-exec-5] .... TRACE --- StatementCreatorUtils: Setting SQL statement parameter value: column index 2, parameter value [uaa], value class [java.lang.String], SQL type unknown
2020-09-16T11:55:55.46-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.466] uaa - 40 [http-nio-8080-exec-5] .... DEBUG --- OAuth2AuthenticationProcessingFilter: Authentication success: org.cloudfoundry.identity.uaa.oauth.UaaOauth2Authentication@37a34f31: Principal: introspect-test; Credentials: [PROTECTED]; Authenticated: true; Details: remoteAddress=************, tokenType=BearertokenValue=; Granted Authorities: password.write, scim.userids, scim.me, openid, oauth.approvals, uaa.offline_token, profile, roles, user_attributes, uaa.user
2020-09-16T11:55:55.46-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.466] uaa - 40 [http-nio-8080-exec-5] .... DEBUG --- FilterChainProxy: /introspect at position 13 of 20 in additional filter chain; firing Filter: 'IdentityZoneSwitchingFilter'
2020-09-16T11:55:55.46-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.466] uaa - 40 [http-nio-8080-exec-5] .... DEBUG --- FilterChainProxy: /introspect at position 14 of 20 in additional filter chain; firing Filter: 'DisableUserManagementSecurityFilter'
2020-09-16T11:55:55.46-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.466] uaa - 40 [http-nio-8080-exec-5] .... DEBUG --- FilterChainProxy: /introspect at position 15 of 20 in additional filter chain; firing Filter: 'DisableInternalUserManagementFilter'
2020-09-16T11:55:55.46-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.466] uaa - 40 [http-nio-8080-exec-5] .... DEBUG --- FilterChainProxy: /introspect at position 16 of 20 in additional filter chain; firing Filter: 'ClientBasicAuthenticationFilter'
2020-09-16T11:55:55.46-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.466] uaa - 40 [http-nio-8080-exec-5] .... DEBUG --- FilterChainProxy: /introspect at position 17 of 20 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
2020-09-16T11:55:55.46-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.466] uaa - 40 [http-nio-8080-exec-5] .... DEBUG --- FilterChainProxy: /introspect at position 18 of 20 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
2020-09-16T11:55:55.46-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.466] uaa - 40 [http-nio-8080-exec-5] .... DEBUG --- FilterChainProxy: /introspect at position 19 of 20 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
2020-09-16T11:55:55.46-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.467] uaa - 40 [http-nio-8080-exec-5] .... DEBUG --- FilterSecurityInterceptor: Secure object: FilterInvocation: URL: /introspect; Attributes: [#oauth2.throwOnError(hasAuthority('uaa.resource'))]
2020-09-16T11:55:55.46-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.467] uaa - 40 [http-nio-8080-exec-5] .... DEBUG --- FilterSecurityInterceptor: Previously Authenticated: org.cloudfoundry.identity.uaa.oauth.UaaOauth2Authentication@37a34f31: Principal: introspect-test; Credentials: [PROTECTED]; Authenticated: true; Details: remoteAddress=**************, tokenType=BearertokenValue=; Granted Authorities: password.write, scim.userids, scim.me, openid, oauth.approvals, uaa.offline_token, profile, roles, user_attributes, uaa.user
2020-09-16T11:55:55.50-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.499] uaa - 40 [http-nio-8080-exec-5] .... DEBUG --- AffirmativeBased: Voter: org.springframework.security.web.access.expression.WebExpressionVoter@17088b23, returned: -1
2020-09-16T11:55:55.50-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.500] uaa - 40 [http-nio-8080-exec-5] .... DEBUG --- ReloadableResourceBundleMessageSource: Loading properties [messages.properties]
2020-09-16T11:55:55.50-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.503] uaa - 40 [http-nio-8080-exec-5] .... DEBUG --- ReloadableResourceBundleMessageSource: No properties file found for [classpath:messages_en] - neither plain properties nor XML
2020-09-16T11:55:55.50-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.504] uaa - 40 [http-nio-8080-exec-5] .... DEBUG --- ReloadableResourceBundleMessageSource: No properties file found for [classpath:messages_en_US] - neither plain properties nor XML
2020-09-16T11:55:55.50-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.505] uaa - 40 [http-nio-8080-exec-5] .... TRACE --- DefaultListableBeanFactory: Returning cached instance of singleton bean 'scimUserBootstrap'
2020-09-16T11:55:55.50-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.505] uaa - 40 [http-nio-8080-exec-5] .... TRACE --- DefaultListableBeanFactory: Returning cached instance of singleton bean 'delegatingApplicationListener'
2020-09-16T11:55:55.50-0400 [APP/PROC/WEB/0] OUT [2020-09-16 15:55:55.505] uaa - 40 [http-nio-8080-exec-5] .... DEBUG --- ExceptionTranslationFilter: Access is denied (user is not anonymous); delegating to AccessDeniedHandler
2020-09-16T11:55:55.50-0400 [APP/PROC/WEB/0] OUT org.springframework.security.access.AccessDeniedException: Access is denied
2020-09-16T11:55:55.50-0400 [APP/PROC/WEB/0] OUT at org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:84) ~[spring-security-core-5.3.2.RELEASE.jar:5.3.2.RELEASE]
2020-09-16T11:55:55.50-0400 [APP/PROC/WEB/0] OUT at org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:233) ~[spring-security-core-5.3.2.RELEASE.jar:5.3.2.RELEASE]
2020-09-16T11:55:55.50-0400 [APP/PROC/WEB/0] OUT at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:123) ~[spring-security-web-5.3.2.RELEASE.jar:5.3.2.RELEASE]
2020-09-16T11:55:55.50-0400 [APP/PROC/WEB/0] OUT at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:90) ~[spring-security-web-5.3.2.RELEASE.jar:5.3.2.RELEASE]
2020-09-16T11:55:55.50-0400 [APP/PROC/WEB/0] OUT at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) ~[spring-security-web-5.3.2.RELEASE.jar:5.3.2.RELEASE]
2020-09-16T11:55:55.50-0400 [APP/PROC/WEB/0] OUT at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:118) [spring-security-web-5.3.2.RELEASE.jar:5.3.2.RELEASE]
2020-09-16T11:55:55.50-0400 [APP/PROC/WEB/0] OUT at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) [spring-security-web-5.3.2.RELEASE.jar:5.3.2.RELEASE]
2020-09-16T11:55:55.50-0400 [APP/PROC/WEB/0] OUT at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:158) [spring-security-web-5.3.2.RELEASE.jar:5.3.2.RELEASE]
2020-09-16T11:55:55.50-0400 [APP/PROC/WEB/0] OUT at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChai
Re: Topics or presentations? CAB call: Wednesday, Sept. 16th @ 8AM PT / 11AM ET / 4PM CET
GOOD NEWS EVERYONE! We have a couple of presentations for tomorrow:
TT -- Troy Topnik
Senior Product Manager,
SUSE Cloud Application Platform
troy.topnik@...
Re: TLS for everything
David McClure
Hi everyone,
Glad to see this conversation happening. I've been involved in several conversations about this over the years but I'm not sure what public artifacts exist about these efforts. Historically, it has been a challenge to organize so-called "cross-cutting efforts" that require the involvement of many different teams and it may be especially challenging now that much of the community has shifted its focus to developing cf-for-k8s.
That said, here's a thought: perhaps we can approach this feature request and other "cross-cutting" features for cf-for-vms with the following strategy going forward:
Jon, would you like to do the honors as the thread starter here?
From: cf-dev@... <cf-dev@...> on behalf of Miki Mokrysz via lists.cloudfoundry.org <miki.mokrysz=digital.cabinet-office.gov.uk@...>
Sent: Tuesday, September 15, 2020 11:41 AM
To: cf-dev@... <cf-dev@...>
Subject: Re: [cf-dev] TLS for everything
+1 on desiring everything to be encrypted on the network.
On Tuesday, 15 September 2020, Peter Burkholder via lists.cloudfoundry.org <peter.burkholder=gsa.gov@...> wrote:
Re: UAA api /introspect does not seem to be working as expected
#uaa
Jeremy Morony
Hi Viraj,
I couldn't replicate the issue you've described. While logs are always helpful, more helpful would be a small setup replicating the issue. For example, this is what I did to replicate your issue using the UAA in development:
uaac target http://localhost:8080/uaa
uaac token client get admin
uaac client add introspect-test --scope uaa.none --authorized_grant_types client_credentials --authorities uaa.resource
uaac token owner get cf marissa -p koala --scope uaa.user
uaac contexts #extract marissa's access token
uaac token client get introspect-test
uaac curl --trace /introspect -X POST -d "token=marissas-access-token"
200
RESPONSE HEADERS:
<snip>
RESPONSE BODY:
{
"active": true // other claims omitted
}
From: cf-dev@... <cf-dev@...> on behalf of Shetty, Viraj S [CTR] via lists.cloudfoundry.org <vshetty=fdic.gov@...>
Sent: Friday, September 11, 2020 12:44 PM
To: cf-dev@... <cf-dev@...>
Subject: Re: [cf-dev] UAA api /introspect does not seem to be working as expected #uaa
Jeremy,
I upgraded to the latest UAA version 74.24.0 and I still see the same issue. Is there something I can provide from logs that might help?
Thanks, Viraj
Re: TLS for everything
Miki Mokrysz <miki.mokrysz@...>
+1 on desiring everything to be encrypted on the network.
On Tuesday, 15 September 2020, Peter Burkholder via lists.cloudfoundry.org <peter.burkholder=gsa.gov@...> wrote:
Re: TLS for everything
Peter Burkholder
We may run into similar requirements for cloud.gov, so TLS everywhere would be A+.
On Tue, Sep 15, 2020 at 1:45 PM Jon Price <jon.price@...> wrote:
--
Peter Burkholder | cloud.gov compliance & security
please use cloud-gov-compliance@... for cloud.gov matters
TLS for everything
Jon Price
Hi everyone,
There has been a lot of excellent progress in securing all CF traffic with TLS and as far as I can tell there are only a few things that are still unencrypted. Is there a timeline or any plans for these last few things?
1) routing-api - still using both TLS and non-TLS in the cf-deployment. The http endpoint is what is registered in the router. Is there a reason for still enabling both?
2) metrics-discovery-registrar-windows - not using nats-tls hostname, falling back to 4222
3) route_registrar - not using nats-tls
4) gorouter - not using nats-tls
We have a requirement that all traffic on the network is encrypted and I would really love to stop running IPsec. :)
Jon Price
Intel Corp.
Topics or presentations? CAB call: Wednesday, Sept. 16th @ 8AM PT / 11AM ET / 4PM CET
As of right now, we don't have any topics for discussion or presentations scheduled for the next CAB call.
I'll keep polling project people informally on Slack, but if you have a topic you would like to discuss or a presentation of interest to the Cloud Foundry community, please respond on this thread or reach out to me directly.
Thanks,
TT
Chat room: go to slack.cloudfoundry.org and then join the #cab channel
Here are the meeting details for Wednesday:
Join from PC, Mac, Linux, iOS or Android: https://zoom.us/j/757994996
Or iPhone one-tap: US: +16468769923,,757994996# or +16699006833,,757994996#
Or Telephone: Dial (for higher quality, dial a number based on your current location): US: +1 646 876 9923 or +1 669 900 6833 or +1 408 638 0968
Meeting ID: 757 994 996
International numbers available: https://zoom.us/zoomconference?m=BbM_MZowkH08pdKycQk10at13V5cLneM
Agenda doc: https://docs.google.com/document/d/1SCOlAquyUmNM-AQnekCOXiwhLs6gveTxAcduvDcW_xI
-- Troy Topnik
Senior Product Manager,
SUSE Cloud Application Platform
troy.topnik@...
CF K8s Networking office hours this week on Wednesday
Shannon Coen
Hello CF friends,
Members of the CF K8s Networking team will be on zoom this Wednesday from 10-10:30am PDT hosting office hours for the project. We welcome questions related to routing, load balancing, and security of traffic for applications and platform APIs in all data paths: ingress, east-west, and egress. We'll also be happy to share what we're working on and where we're headed.
The zoom link can be found on the CFF community calendar at https://www.cloudfoundry.org/community-calendar/
Feel free to add topics to the agenda in advance: https://docs.google.com/document/d/196mRMMJuTMNIszBUSGA77yzjxNVDaeWz0ypOB5kYIaY/edit?usp=sharing
Hoping you all are healthy and staying safe,
Manager, Product Management
scoen@...
875 Howard Street 5th Floor, San Francisco CA 94103
Mobile: +1.415.640.0272
Re: CF Application Runtime PMC: Diego Project Lead Call for Nominations
Hi, everyone,
VMware is nominating Amin Jamali for the Diego project lead in the Application Runtime PMC.
Amin has worked at Pivotal and VMware as a core contributor to Cloud Foundry since 2015. Since December 2018, he has been an engineer on the Diego team, and prior to that has worked on many other components of the CF App Runtime, including BOSH-Windows, Garden-Windows, and Buildpacks. Amin has an engineering background and previously has helped various startups build and deliver software solutions.
Please send any other nominations directly to me or in reply to this message no later than 11:59 PM PDT on Friday, September 25, 2020.
Thanks,
Eric Malm
From: cf-dev@... <cf-dev@...> on behalf of Eric Malm via lists.cloudfoundry.org <emalm=vmware.com@...>
Sent: Friday, September 11, 2020 3:24 PM
To: cf-dev@... <cf-dev@...>
Subject: [cf-dev] CF Application Runtime PMC: Diego Project Lead Call for Nominations
Hi, everyone,
Josh Collins is stepping down from his role as the Diego project lead, as he is currently focused primarily on activities with the CF CLI team.
The Diego team now has an opening for its project lead. Project leads must be nominated by a Cloud Foundry Foundation member. Please send nominations directly to me or in reply to this message no later than 11:59 PM PDT on Friday, September 25, 2020.
Also, if you have any questions about the role or the nomination process, as described in the CFF governance documents (https://www.cloudfoundry.org/governance/cff_development_operations_policy/), please let me know.
Thanks,
Eric Malm, CF Application Runtime PMC Lead
Re: CF Application Runtime PMC: UAA Project Lead Call for Nominations
Hi, everyone,
VMware is nominating Jeremy Morony for the UAA Project Lead in the Application Runtime PMC.
Jeremy is a software engineer and manager at VMware who has been working with the UAA team since February 2019. He has 20 years of programming, facilitation, coaching, and mentoring experience at both startups and larger companies.
Please send any other nominations directly to me or in reply to this message no later than 11:59 PM PDT on Friday, September 25, 2020.
Thanks,
Eric Malm
From: cf-dev@... <cf-dev@...> on behalf of Eric Malm via lists.cloudfoundry.org <emalm=vmware.com@...>
Sent: Friday, September 11, 2020 3:22 PM
To: cf-dev@... <cf-dev@...>
Subject: [cf-dev] CF Application Runtime PMC: UAA Project Lead Call for Nominations
Hi, everyone,
Pablo Schuhmacher, the Project Lead for the UAA team within the Application Runtime PMC, is stepping down from the project, as he is now focusing on product management responsibilities inside of VMware. We thank him for his service.
The UAA team, based in San Francisco, now has an opening for its project lead. Project leads must be nominated by a Cloud Foundry Foundation member. Please send nominations directly to me or in reply to this message no later than 11:59 PM PDT on Friday, September 25, 2020.
Also, if you have any questions about the role or the nomination process, as described in the CFF governance documents (https://www.cloudfoundry.org/governance/cff_development_operations_policy/), please let me know.
Thanks,
Eric Malm, CF Application Runtime PMC Lead
CF Application Runtime PMC: Diego Project Lead Call for Nominations
Hi, everyone,
Josh Collins is stepping down from his role as the Diego project lead, as he is currently focused primarily on activities with the CF CLI team.
The Diego team now has an opening for its project lead. Project leads must be nominated by a Cloud Foundry Foundation member. Please send nominations directly to me or in reply to this message no later than 11:59 PM PDT on Friday, September 25, 2020.
Also, if you have any questions about the role or the nomination process, as described in the CFF governance documents (https://www.cloudfoundry.org/governance/cff_development_operations_policy/), please let me know.
Thanks,
Eric Malm, CF Application Runtime PMC Lead
CF Application Runtime PMC: UAA Project Lead Call for Nominations
Hi, everyone,
Pablo Schuhmacher, the Project Lead for the UAA team within the Application Runtime PMC, is stepping down from the project, as he is now focusing on product management responsibilities inside of VMware. We thank him for his service.
The UAA team, based in San Francisco, now has an opening for its project lead. Project leads must be nominated by a Cloud Foundry Foundation member. Please send nominations directly to me or in reply to this message no later than 11:59 PM PDT on Friday, September 25, 2020.
Also, if you have any questions about the role or the nomination process, as described in the CFF governance documents (https://www.cloudfoundry.org/governance/cff_development_operations_policy/), please let me know.
Thanks,
Eric Malm, CF Application Runtime PMC Lead
Re: UAA api /introspect does not seem to be working as expected
#uaa
Shetty, Viraj S [CTR]
Jeremy,
I upgraded to the latest UAA version 74.24.0 and I still see the same issue. Is there something I can provide from logs that might help?
Thanks, Viraj
Re: UAA api /introspect does not seem to be working as expected
#uaa
Shetty, Viraj S [CTR]
Hi Jeremy,
Thanks for taking the time to respond. Really appreciate it. I have double checked this many times. From Postman, I saw the request that is being sent and checked the bearer token to see the token scopes. The token contains the following (I added uaa.admin just as a test later):
"scope": [
"uaa.resource",
"uaa.admin"
],
"grant_type": "client_credentials",
The request looks all fine. Is there any configuration needed at the endpoints? I see the following configuration for /introspect from resource-endpoints.xml:
<http name="introspectSecurity" pattern="/introspect" create-session="stateless"
entry-point-ref="basicAuthenticationEntryPoint"
authentication-manager-ref="clientAuthenticationManager" use-expressions="true"
xmlns="http://www.springframework.org/schema/security">
<intercept-url pattern="/**" access="hasAuthority('uaa.resource')"/>
<anonymous enabled="false"/>
<custom-filter ref="oauthWithoutResourceAuthenticationFilter" position="PRE_AUTH_FILTER"/>
<custom-filter ref="clientAuthenticationFilter" position="BASIC_AUTH_FILTER"/>
<expression-handler ref="oauthWebExpressionHandler"/>
<access-denied-handler ref="oauthAccessDeniedHandler"/>
<csrf disabled="true"/>
</http>
As per the API docs for 74.14.0,
Thanks, Viraj
Re: UAA api /introspect does not seem to be working as expected
#uaa
Jeremy Morony
Hi Viraj,
From the details provided it looks like the call to /introspect might be using the user's token in the authorize header instead of a client token.
A successful curl request looks like:
curl -X POST http://uaa.example.com/introspect -H "Authorization: bearer client-token" -d "token=user-token"
Hope this helps. Jeremy.
From: cf-dev@... <cf-dev@...> on behalf of Shetty, Viraj S [CTR] via lists.cloudfoundry.org <vshetty=fdic.gov@...>
Sent: Thursday, September 10, 2020 2:58 PM
To: cf-dev@... <cf-dev@...>
Subject: Re: [cf-dev] UAA api /introspect does not seem to be working as expected #uaa
I increased the logging for the UAA and found this exception. The error message is "User is not anonymous". Any idea what this could mean?
09-10T17:34:55.74-0400 [APP/PROC/WEB/0] OUT [2020-09-10 21:34:55.742] uaa - 25 [http-nio-8080-exec-9] .... DEBUG --- FilterSecurityInterceptor: Secure object: FilterInvocation: URL: /introspect; Attributes: [#oauth2.throwOnError(hasAuthority('uaa.resource'))]
2020-09-10T17:34:55.74-0400 [APP/PROC/WEB/0] OUT [2020-09-10 21:34:55.743] uaa - 25 [http-nio-8080-exec-9] .... DEBUG --- FilterSecurityInterceptor: Previously Authenticated: org.cloudfoundry.identity.uaa.oauth.UaaOauth2Authentication@2e8b9cef: Principal: 7dafcb10-ca4b-4470-ae97-f632553a180d; Credentials: [PROTECTED]; Authenticated: true; Details: remoteAddress=167.176.6.240, tokenType=BearertokenValue=<TOKEN>; Granted Authorities: password.write, scim.userids, scim.me, openid, oauth.approvals, uaa.offline_token, profile, roles, user_attributes, uaa.user
2020-09-10T17:34:55.74-0400 [APP/PROC/WEB/0] OUT [2020-09-10 21:34:55.744] uaa - 25 [http-nio-8080-exec-9] .... DEBUG --- AffirmativeBased: Voter: org.springframework.security.web.access.expression.WebExpressionVoter@3ac662ba, returned: -1
2020-09-10T17:34:55.75-0400 [APP/PROC/WEB/0] OUT [2020-09-10 21:34:55.746] uaa - 25 [http-nio-8080-exec-9] .... DEBUG --- ExceptionTranslationFilter: Access is denied (user is not anonymous); delegating to AccessDeniedHandler
2020-09-10T17:34:55.75-0400 [APP/PROC/WEB/0] OUT org.springframework.security.access.AccessDeniedException: Access is denied
2020-09-10T17:34:55.75-0400 [APP/PROC/WEB/0] OUT at org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:84) ~[spring-security-core-5.2.1.RELEASE.jar:5.2.1.RELEASE]
2020-09-10T17:34:55.75-0400 [APP/PROC/WEB/0] OUT at org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:233) ~[spring-security-core-5.2.1.RELEASE.jar:5.2.1.RELEASE]
2020-09-10T17:34:55.75-0400 [APP/PROC/WEB/0] OUT at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:123) ~[spring-security-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
2020-09-10T17:34:55.75-0400 [APP/PROC/WEB/0] OUT at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:90) ~[spring-security-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
2020-09-10T17:34:55.75-0400 [APP/PROC/WEB/0] OUT at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) ~[spring-security-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
2020-09-10T17:34:55.75-0400 [APP/PROC/WEB/0] OUT at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:118) [spring-security-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
2020-09-10T17:34:55.75-0400 [APP/PROC/WEB/0] OUT at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) [spring-security-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
2020-09-10T17:34:55.75-0400 [APP/PROC/WEB/0] OUT at org.springframework.security.web.servletapi.SecurityCo
Re: UAA api /introspect does not seem to be working as expected
#uaa
I increased the logging for the UAA and found this exception. The error message is "User is not anonymous". Any idea what this could mean?
09-10T17:34:55.74-0400 [APP/PROC/WEB/0] OUT [2020-09-10 21:34:55.742] uaa - 25 [http-nio-8080-exec-9] .... DEBUG --- FilterSecurityInterceptor: Secure object: FilterInvocation: URL: /introspect; Attributes: [#oauth2.throwOnError(hasAuthority('uaa.resource'))]
2020-09-10T17:34:55.74-0400 [APP/PROC/WEB/0] OUT [2020-09-10 21:34:55.744] uaa - 25 [http-nio-8080-exec-9] .... DEBUG --- AffirmativeBased: Voter: org.springframework.security.web.access.expression.WebExpressionVoter@3ac662ba, returned: -1
2020-09-10T17:34:55.75-0400 [APP/PROC/WEB/0] OUT [2020-09-10 21:34:55.746] uaa - 25 [http-nio-8080-exec-9] .... DEBUG --- ExceptionTranslationFilter: Access is denied (user is not anonymous); delegating to AccessDeniedHandler
2020-09-10T17:34:55.75-0400 [APP/PROC/WEB/0] OUT org.springframework.security.access.AccessDeniedException: Access is denied
2020-09-10T17:34:55.75-0400 [APP/PROC/WEB/0] OUT at org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:84) ~[spring-security-core-5.2.1.RELEASE.jar:5.2.1.RELEASE]
2020-09-10T17:34:55.75-0400 [APP/PROC/WEB/0] OUT at org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:233) ~[spring-security-core-5.2.1.RELEASE.jar:5.2.1.RELEASE]
2020-09-10T17:34:55.75-0400 [APP/PROC/WEB/0] OUT at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:123) ~[spring-security-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
2020-09-10T17:34:55.75-0400 [APP/PROC/WEB/0] OUT at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:90) ~[spring-security-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
2020-09-10T17:34:55.75-0400 [APP/PROC/WEB/0] OUT at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) ~[spring-security-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
2020-09-10T17:34:55.75-0400 [APP/PROC/WEB/0] OUT at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:118) [spring-security-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
2020-09-10T17:34:55.75-0400 [APP/PROC/WEB/0] OUT at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) [spring-security-web-5.2.1.RELEASE.jar:5.2.1.RELEASE]
2020-09-10T17:34:55.75-0400 [APP/PROC/WEB/0] OUT at org.springframework.security.web.servletapi.SecurityCo
UAA api /introspect does not seem to be working as expected
#uaa
Shetty, Viraj S [CTR]
Hi All,
We are using UAA version 74.14.0. We have a UAA installation for our internal applications in a Cloud Foundry environment. We have been having a problem verifying the OAuth token (JWT token) using the /introspect token, but cannot seem to see the reason. I tried a test using Postman.
1. Created a client with authority uaa.resource. See properties below. It has the uaa.resource authority.
scope: uaa.none
resource_ids: none
authorized_grant_types: client_credentials
autoapprove:
access_token_validity: 300
authorities: uaa.resource
2. Generate a token for a user to test verification.
3. Using Postman, I tried to call the /introspect API with "Authorization: Basic ..." (this is deprecated). This call worked fine and I was able to see the token in the returned JSON.
4. Using Postman, I tried to call the /introspect API with "Authorization: Bearer {token}". This call failed with an error:
{
"error": "access_denied",
"error_description": "Access is denied"
}
I checked the bearer token and made sure that the scope has uaa.resource in there: "scope": [ "uaa.resource" ]. It looks like the /introspect call succeeds with "Authorization: Basic ..." but not "Authorization: Bearer ...". Let me know what I am missing. I followed the API docs and I don't think I am missing any other authority for the client. Any help is appreciated.
Thanks,
Viraj
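The debug log in this thread shows the rule guarding /introspect, `hasAuthority('uaa.resource')`, voting -1 against the Bearer token that was presented. The following is an added local diagnostic, not code from the thread or from UAA: it decodes a token's claims without verifying the signature and reports why UAA would answer access_denied (missing `uaa.resource` in the scope claim, or an expired token, which matters with a 300-second validity). It assumes the authorities UAA grants come from the token's `scope` claim; the sample tokens are constructed here with a dummy signature.

```python
import base64
import json
import time


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_jwt_payload(token: str) -> dict:
    """Decode the claims of a compact JWT without verifying the signature.
    Verification is UAA's job on /introspect; this is a local diagnostic only."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def introspect_bearer_problems(token: str, now: float = None,
                               required: str = "uaa.resource") -> list:
    """Reasons UAA would answer access_denied when this token is sent as the
    'Authorization: Bearer' credential for /introspect. Empty list = looks usable.
    Assumption: granted authorities are taken from the token's scope claim."""
    now = time.time() if now is None else now
    claims = decode_jwt_payload(token)
    problems = []
    scopes = claims.get("scope", [])
    if required not in scopes:
        problems.append(f"scope claim lacks '{required}' (has {scopes})")
    exp = claims.get("exp")
    if exp is not None and exp <= now:
        problems.append("token is expired (exp=%d, now=%d)" % (exp, now))
    return problems


def sample_jwt(claims: dict) -> str:
    """Build a constructed, unsigned sample token for local testing (dummy signature)."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    return f"{header}.{body}.dummy-signature"


# Constructed samples: a client_credentials token for a client with the
# uaa.resource authority, and a user token carrying only user-style scopes
# like the Bearer token seen in the debug log.
CLIENT_TOKEN = sample_jwt({"client_id": "introspect-client",
                           "scope": ["uaa.resource"], "exp": 4102444800})
USER_TOKEN = sample_jwt({"user_id": "constructed-user-guid",
                         "scope": ["openid", "uaa.user", "scim.me"], "exp": 4102444800})

if __name__ == "__main__":
    for name, tok in (("client token", CLIENT_TOKEN), ("user token", USER_TOKEN)):
        print(name, introspect_bearer_problems(tok) or "ok")
```

Run it against a real token copied from `uaac context` or the client_credentials response to see which of the two conditions the /introspect rule is failing on.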
Re: CF Application Runtime PMC: Release Integration Project Lead Call for Nominations
Hi, everyone,
VMware is nominating Paul Warren for the Release Integration project lead in the Application Runtime PMC.
Paul has worked on Cloud Foundry since 2015, serving as an engineer on UAA, the anchor on Volume Services and, most recently, as an engineer on Release Integration.
Prior to joining VMware, Paul has spent 20 years serving in various roles from Engineer to Architect to Product Manager across DellEMC, EMC, Documentum, and SSA, primarily focused on developers and developer tooling.
Please send any other nominations directly to me or in reply to this message no later than 11:59 PM PDT on Tuesday, September 22, 2020.
Thanks,
Eric Malm
From: cf-dev@... <cf-dev@...> on behalf of Eric Malm via lists.cloudfoundry.org <emalm=vmware.com@...>
Sent: Tuesday, September 8, 2020 3:47 PM
To: cf-dev@... <cf-dev@...>
Subject: [cf-dev] CF Application Runtime PMC: Release Integration Project Lead Call for Nominations
Hi, everyone,
Saikiran Yerram, the lead for the Release Integration project within the Application Runtime PMC, is stepping down. We thank him for his tremendous service in leading the cf-for-k8s and cf-deployment projects over the past year and a half.
The Release Integration team, based in San Francisco, now has an opening for its project lead. Project leads must be nominated by a Cloud Foundry Foundation member. Please send nominations directly to me or in reply to this message no later than 11:59 PM PDT on Tuesday, September 22, 2020.
Also, if you have any questions about the role or the nomination process, as described in the CFF governance documents (https://www.cloudfoundry.org/governance/cff_development_operations_policy/), please let me know.
Thanks,
Eric Malm, CF Application Runtime PMC Lead