Re: Spring OAuth not retrieving scopes from UAA
Madhura Bhave
I suspect that the client did not get updated with the uaa.admin scope. Can you check the database to see if the client has that scope? It would be in the oauth_client_details table. If it hasn't been updated, you can add override: true in the client configuration in uaa.yml and restart the UAA.
On Jun 28, 2016, at 8:34 PM, Bryan Perino <Bryan.Perino(a)gmail.com> wrote: |
|
Re: How to listen to space deletion events?
Piotr Przybylski <piotrp@...>
Hi Nicholas,
what happens to applications if the recursive flag is not passed? Will delete fail if there are apps in the space? Or will delete succeed? In the latter case, what is the state of these applications?

Piotr
Piotr Przybylski | IBM Bluemix

From: Nicholas Calugar <ncalugar(a)pivotal.io>
To: "Discussions about Cloud Foundry projects and the system overall." <cf-dev(a)lists.cloudfoundry.org>
Date: 06/28/2016 06:07 PM
Subject: [cf-dev] Re: Re: Re: Re: Re: Re: How to listen to space deletion events?

Hi Piotr,
Yes, that is correct, deleting recursively will delete service instances and apps.
Thanks,
Nick

On Tue, Jun 28, 2016 at 2:45 PM, Piotr Przybylski <piotrp(a)us.ibm.com> wrote:
Hi Nicholas,
is that behavior influenced by the 'recursive' flag on the Space DELETE request? Also, does the CC stop and delete applications in the deleted space? How is that influenced by the 'recursive' flag?
Thank you,
Piotr
Piotr Przybylski, IBM Bluemix

From: Nicholas Calugar <ncalugar(a)pivotal.io>
To: "Discussions about Cloud Foundry projects and the system overall." <cf-dev(a)lists.cloudfoundry.org>
Date: 06/28/2016 11:51 AM
Subject: [cf-dev] Re: Re: Re: Re: How to listen to space deletion events?

Hi Padma,
Apologies for the delay. In the case of a space with a service instance, if the space is deleted, the Cloud Controller sends a deprovision request to the service broker. The broker is responsible for properly handling the deprovision, what other cleanup do you have in mind?
-Nick

On Sun, Jun 19, 2016 at 4:42 PM, Padmashree B <padmashree.b(a)sap.com> wrote:
Hi,
Any suggestion on this?
Thanks,
Padma

--
Nicholas Calugar
Product Manager - Cloud Foundry API
Pivotal Software, Inc.

--
Nicholas Calugar
Product Manager - Cloud Foundry API
Pivotal Software, Inc.
|
Concerns on the "unique_id" in the service metadata
Ponraj E
Hi Colleagues,
I have some concerns on the unique_id in the service metadata.

1. In the api docs http://apidocs.cloudfoundry.org/237/services/retrieve_a_particular_service.html it says unique_id - A "guid" that identifies the service with the broker. And if one visits the catalog-metadata link here: http://docs.cloudfoundry.org/services/catalog-metadata.html - see Example Cloud Controller Response Body - here the unique_id values seem to take string containing characters and numbers (not only guid). So there is a little bit of confusion as to what the unique_id value type is. The documentation of the apidocs can be updated for better clarity.

2. Secondly, in the space summary retrieval: http://apidocs.cloudfoundry.org/237/spaces/get_space_summary.html, the unique_id is not part of the service details metadata that's been returned. Any particular reason why?

Thanks for the help.
Regards,
Ponraj
|
Re: How should I debug a blobstore error?
Eyal Shalev
Hello amit,
Regarding your above post, I have followed those instructions exactly in my cluster besides the fact that I called my SYSTEM_DOMAIN "sysdomain" to make it more easily searchable in logs later (I have had to read a lot of log files to debug errors. "sys" is not a good string to grep for as it turns up too many times...)

My stub configuration is as such:

    properties:
      domain: 10.60.18.186.xip.io
      system_domain: sysdomain.10.60.18.186.xip.io
      system_domain_organization: sysdomainorg.10.60.18.186.xip.io
      app_domains:
      - appsdomain.10.60.18.186.xip.io

However, the problem looks like a problem in the instructions. When I follow your new instructions I immediately get a 404 which I did not get beforehand:

    ubuntu(a)cf-installer:~/cloudfoundry-stubs$ cf api api.sysdomain.api.10.60.18.186.xip.io --skip-ssl-validation
    Setting api endpoint to api.sysdomain.api.10.60.18.186.xip.io...
    FAILED
    Server error, status code: 404, error code: 0, message:

What's more, I have read the instructions on using the API which are linked from in your documentation ( http://docs.cloudfoundry.org/cf-cli/getting-started.html and https://github.com/cloudfoundry/cli ). They do not give explicit instructions about which node is the api node, but when I look at the example, it says nothing about accessing it through the system domain.

Also when I used "cf api api.10.60.18.186.xip.io" on the global domain (as in the doc example) I did not get a 404. Please copy-paste above, to see that there is no 404 on the original cli command. So it does not seem plausible that the problem is as you describe it.
|
Re: Spring OAuth not retrieving scopes from UAA
Bryan Perino
I must be doing something wrong. I added some scopes that belong to the user to the client definition, but they won't show up on the authorization page.
http://i.imgur.com/iSSpsNz.png

Here is the updated YML:
https://gist.github.com/bryantp/2bfc4538f36f28ba285fda84c59b89f8#file-uaa-yml-L11

Line 62 has the user with the scopes uaa.user and uaa.admin, so uaa.admin should show up in the authorization page, right?
|
Re: How to listen to space deletion events?
Nicholas Calugar
Hi Piotr,
Yes, that is correct, deleting recursively will delete service instances and apps.
Thanks,
Nick

On Tue, Jun 28, 2016 at 2:45 PM, Piotr Przybylski <piotrp(a)us.ibm.com> wrote:
Hi Nicholas,

--
Nicholas Calugar
Product Manager - Cloud Foundry API
Pivotal Software, Inc.
|
Re: Emitting service instance logs to dopplr
Dr Nic Williams <drnicwilliams@...>
Mike, sorry didn't mean to infer the broker is a cf app. Your example is what I'm asking about. I haven't played with dropsonde clients yet; will investigate. Thanks!
_____________________________
From: Mike Youngstrom <youngm(a)gmail.com>
Sent: Wednesday, June 29, 2016 7:33 AM
Subject: [cf-dev] Re: Re: Emitting service instance logs to dopplr
To: Discussions about Cloud Foundry projects and the system overall. <cf-dev(a)lists.cloudfoundry.org>

I'm not sure I understand your question. We have several brokers that write to loggregator. We just use the app guid passed in when binding and log messages using a dropsonde client library for the platform we are using. This wouldn't work if your broker is also a CF app. Is that your case?
Mike

On Tue, Jun 28, 2016 at 3:10 PM, Dr Nic Williams <drnicwilliams(a)gmail.com> wrote:
If not via dopplr, can you please share "state of the art" for how are your service brokers exposing backend logs to end users?
Nic

On Tue, Jun 28, 2016 at 9:41 AM +1000, "Dr Nic Williams" <drnicwilliams(a)gmail.com> wrote:
Has anyone implemented (and has some sample code/OSS project) for a service broker implementation to emit logs/events back into dopplr for each service binding's app?
Nic
|
Re: How to listen to space deletion events?
Piotr Przybylski <piotrp@...>
Hi Nicholas,
is that behavior influenced by the 'recursive' flag on the Space DELETE request? Also, does the CC stop and delete applications in the deleted space? How is that influenced by the 'recursive' flag?
Thank you,
Piotr
Piotr Przybylski, IBM Bluemix

From: Nicholas Calugar <ncalugar(a)pivotal.io>
To: "Discussions about Cloud Foundry projects and the system overall." <cf-dev(a)lists.cloudfoundry.org>
Date: 06/28/2016 11:51 AM
Subject: [cf-dev] Re: Re: Re: Re: How to listen to space deletion events?

Hi Padma,
Apologies for the delay. In the case of a space with a service instance, if the space is deleted, the Cloud Controller sends a deprovision request to the service broker. The broker is responsible for properly handling the deprovision, what other cleanup do you have in mind?
-Nick

On Sun, Jun 19, 2016 at 4:42 PM, Padmashree B <padmashree.b(a)sap.com> wrote:
Hi,
Any suggestion on this?
Thanks,
Padma

--
Nicholas Calugar
Product Manager - Cloud Foundry API
Pivotal Software, Inc.
|
Re: Emitting service instance logs to dopplr
Mike Youngstrom <youngm@...>
I'm not sure I understand your question. We have several brokers that write to loggregator. We just use the app guid passed in when binding and log messages using a dropsonde client library for the platform we are using. This wouldn't work if your broker is also a CF app. Is that your case?
Mike

On Tue, Jun 28, 2016 at 3:10 PM, Dr Nic Williams <drnicwilliams(a)gmail.com> wrote:
If not via dopplr, can you please share "state of the art" for how are
|
Re: Emitting service instance logs to dopplr
Dr Nic Williams <drnicwilliams@...>
If not via dopplr, can you please share "state of the art" for how are your service brokers exposing backend logs to end users?
Nic

On Tue, Jun 28, 2016 at 9:41 AM +1000, "Dr Nic Williams" <drnicwilliams(a)gmail.com> wrote:
Has anyone implemented (and has some sample code/OSS project) for a service broker implementation to emit logs/events back into dopplr for each service binding's app? Nic |
|
Re: How should I debug a blobstore error?
Amit Kumar Gupta
Hi Eyal,
Some background info on routes, domains, the system domain, and apps domains.

Cloud Foundry deployments include a component called the gorouter. It essentially holds a routing table (actually a trie) in memory that maps routes to IPs and ports. So "foo.mysystemdomain.com" might map to some collection of IPs and ports, and "bar.myappsdomain.com" can map to other IPs and ports. All publicly routable things in cloud foundry typically have a route registered on their behalf with the gorouter. This includes system components, like cloud controller, as well as all (routable) apps pushed to the CF platform by developers.

The gorouter doesn't have a notion of domain ownership, but a platform operator might want to make sure that an app developer doesn't try to claim the same route as the Cloud Controller. And since CF is designed for multitenancy, one organization might have their own custom app domain, and may want to make sure other organizations can't use the same app domain for their application routes.

A typical pattern to deal with this is to have all system components (CC, UAA, etc.) that need to register routes do so using routes that use a special "system domain" that will not be accessible to user applications. "domains" are owned by "organizations" in the cloud controller view of the world, so typically a "dummy" system organization is created to own the system domain, and this prevents it from being used by any other orgs that users create. In practice, this "dummy" org is not a dummy, and is actually used for applications, e.g. if your Cloud Foundry installation has a custom user portal, e.g. https://console.run.pivotal.io.

Separate from system components, users' applications also need routes. By default, they will be given a route of the form ${app_name}.${default_shared_app_domain}.

While it's technically possible to use the same domain for the apps domain and system domain, it's not recommended, because then random users could push an app called "api" for example, and the gorouter would balance traffic intended for the CC between the CC and this random app.

If you search http://docs.cloudfoundry.org/deploying/aws/cf-stub.html for "system_domain" you can see editing instructions that recommend how to set system domain and apps domains. In your case, I would recommend:

    system_domain: sys.10.60.18.186.xip.io
    app_domains:
    - apps.10.60.18.186.xip.io

If you update your stub thusly, you then need to regenerate your manifest and redeploy to make sure this has all been updated across the board. The fact that your output shows "login.sysdomain.10.60.18.186.xip.io" and "api.10.60.18.186.xip.io" suggests there's something inconsistent about how the system domain is being used throughout your manifest. If you follow the above recommendations, you would use

    cf api api.sys.api.10.60.18.186.xip.io --skip-ssl-validation

Best,
Amit
<http://docs.cloudfoundry.org/deploying/aws/cf-stub.html>

On Tue, Jun 28, 2016 at 1:31 PM, Eyal Shalev <eshalev(a)cisco.com> wrote:
For lack of guidance I went ahead and changed all three occurrences. |
|
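An added example, not part of any message in this thread: a Python check of the point made above about keeping system routes on a system domain, run over the endpoint hosts from the /v2/info response posted in the thread. The trimmed sample JSON is constructed from that output; the function names and the rule that an app name is a single DNS label are assumptions.

```python
import json
from urllib.parse import urlsplit

# Constructed sample: /v2/info trimmed to the endpoint fields shown in the thread.
SAMPLE_INFO = json.dumps({
    "authorization_endpoint": "http://login.sysdomain.10.60.18.186.xip.io",
    "token_endpoint": "https://uaa.10.60.18.186.xip.io",
    "app_ssh_endpoint": "ssh.sysdomain.10.60.18.186.xip.io:2222",
    "logging_endpoint": "wss://loggregator.sysdomain.10.60.18.186.xip.io:4443",
    "doppler_logging_endpoint": "wss://doppler.sysdomain.10.60.18.186.xip.io:4443",
})

def host_of(value):
    """Lowercase host of a URL or of a bare host:port string."""
    if "://" not in value:
        value = "//" + value
    return (urlsplit(value).hostname or "").lower()

def system_hosts(info_json, api_host):
    """Map each advertised endpoint field (plus the API itself) to its host."""
    hosts = {"api": api_host.lower()}
    for key, value in json.loads(info_json).items():
        if key.endswith("_endpoint") and isinstance(value, str) and value:
            hosts[key] = host_of(value)
    return hosts

def outside_system_domain(hosts, system_domain):
    """Endpoints whose host is not a subdomain of the system domain."""
    suffix = "." + system_domain.lower()
    return sorted((k, h) for k, h in hosts.items() if not h.endswith(suffix))

def claimable_by_apps(hosts, app_domains):
    """System hosts that match the default app route <app_name>.<app_domain>.

    Assumption: an app name is a single DNS label, so only hosts exactly one
    label below an app domain are reported.
    """
    found = set()
    for host in hosts.values():
        for domain in app_domains:
            suffix = "." + domain.lower()
            name = host[:-len(suffix)] if host.endswith(suffix) else ""
            if name and "." not in name:
                found.add((name, host))
    return sorted(found)

if __name__ == "__main__":
    hosts = system_hosts(SAMPLE_INFO, "api.10.60.18.186.xip.io")
    print(outside_system_domain(hosts, "sysdomain.10.60.18.186.xip.io"))
    print(claimable_by_apps(hosts, ["10.60.18.186.xip.io"]))
```

Run against a deployment's own /v2/info body and stub values, an empty result from both functions means every advertised system endpoint sits under the system domain and none of them matches a default app route.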
Re: How should I debug a blobstore error?
Eyal Shalev
For lack of guidance I went ahead and changed all three occurrences.
I still get a 404. But it seems to happen later on:

    cf api api.10.60.18.186.xip.io --skip-ssl-validation
    Setting api endpoint to api.10.60.18.186.xip.io...
    OK

    API endpoint: https://api.10.60.18.186.xip.io (API version: 2.56.0)
    Not logged in. Use 'cf login' to log in.

    cf login -v --skip-ssl-validation
    API endpoint: https://api.10.60.18.186.xip.io

    REQUEST: [2016-06-28T20:28:17Z]
    GET /v2/info HTTP/1.1
    Host: api.10.60.18.186.xip.io
    Accept: application/json
    Content-Type: application/json
    User-Agent: go-cli 6.19.0+b29b4e0 / linux

    RESPONSE: [2016-06-28T20:28:17Z]
    HTTP/1.1 200 OK
    Content-Length: 580
    Content-Type: application/json;charset=utf-8
    Date: Tue, 28 Jun 2016 20:28:23 GMT
    Server: nginx
    X-Content-Type-Options: nosniff
    X-Vcap-Request-Id: 1444e97c-1562-46d4-6820-fe06d920e947
    X-Vcap-Request-Id: 1444e97c-1562-46d4-6820-fe06d920e947::b7301932-6078-4334-82ff-46fa76d0032c

    {"name":"","build":"","support":"http://support.cloudfoundry.com","version":0,"description":"","authorization_endpoint":"http://login.sysdomain.10.60.18.186.xip.io","token_endpoint":"https://uaa.10.60.18.186.xip.io","min_cli_version":null,"min_recommended_cli_version":null,"api_version":"2.56.0","app_ssh_endpoint":"ssh.sysdomain.10.60.18.186.xip.io:2222","app_ssh_host_key_fingerprint":null,"app_ssh_oauth_client":"ssh-proxy","logging_endpoint":"wss://loggregator.sysdomain.10.60.18.186.xip.io:4443","doppler_logging_endpoint":"wss://doppler.sysdomain.10.60.18.186.xip.io:4443"}

    REQUEST: [2016-06-28T20:28:17Z]
    GET /login HTTP/1.1
    Host: login.sysdomain.10.60.18.186.xip.io
    Accept: application/json
    Content-Type: application/json
    User-Agent: go-cli 6.19.0+b29b4e0 / linux

    RESPONSE: [2016-06-28T20:28:17Z]
    HTTP/1.1 404 Not Found
    Content-Length: 124
    Cache-Control: no-store
    Content-Language: en-US
    Content-Type: application/json;charset=UTF-8
    Date: Tue, 28 Jun 2016 20:28:24 GMT
    Server: Apache-Coyote/1.1
    X-Vcap-Request-Id: a43cdd2a-1c0f-4f8d-7439-8174c88c7fde

    {"passwd":"https://console.10.60.18.186.xip.io/password_resets/new","signup":"https://console.10.60.18.186.xip.io/register"}

    API endpoint: https://api.10.60.18.186.xip.io (API version: 2.56.0)
    Not logged in. Use 'cf login' to log in.
    FAILED
    Server error, status code: 404, error code: , message:
|
Re: How to listen to space deletion events?
Nicholas Calugar
Hi Padma,
Apologies for the delay. In the case of a space with a service instance, if the space is deleted, the Cloud Controller sends a deprovision request to the service broker. The broker is responsible for properly handling the deprovision, what other cleanup do you have in mind?
-Nick

On Sun, Jun 19, 2016 at 4:42 PM, Padmashree B <padmashree.b(a)sap.com> wrote:
Hi,

--
Nicholas Calugar
Product Manager - Cloud Foundry API
Pivotal Software, Inc.
|
Re: UAA Multi-Tenant Hierarchical Groups
Sree Tummidi
Hello Brian,
UAA supports hierarchical groups in any given Identity Zone (aka UAA Tenant). The Groups in a given UAA Identity Zone are unique.

Please refer to the documentation here: http://docs.cloudfoundry.org/api/uaa/#add-member
The Type in your case will be 'GROUP'

Thanks,
Sree Tummidi
Sr. Product Manager
Identity - Pivotal Cloud Foundry

On Tue, Jun 28, 2016 at 9:16 AM, Bryan Perino <Bryan.Perino(a)gmail.com> wrote:
Hello All,
|
Re: Spring OAuth not retrieving scopes from UAA
Madhura Bhave
Ok, so the oauth-client that is registered with the UAA for this application (app) only has the openid scope. If you want this client to be able to request other scopes on behalf of the user you would need to add them to the list of scopes on this client in the uaa.yml. This is where you would add them:
https://gist.github.com/bryantp/2bfc4538f36f28ba285fda84c59b89f8#file-uaa-yml-L17

On Tue, Jun 28, 2016 at 9:13 AM, Bryan Perino <Bryan.Perino(a)gmail.com> wrote:
It's a custom client that I wrote (Just a Spring Application). Here is the
|
UAA Multi-Tenant Hierarchical Groups
Bryan Perino
Hello All,
Does UAA support Multi-Tenant Hierarchical groups? By this I mean can I have a GroupParent -> GroupChild relationship? The documentation mentioned that the groupName is unique per UAA as well, so I would have to have some sort of prefix for a tenant. Each tenant would want to model their groups based on their organization's internal structure. So, I could have coke.GroupParent -> coke.groupChild, or something like that. Is there out of the box support for this in UAA? Thank you for any guidance. |
|
Re: Spring OAuth not retrieving scopes from UAA
Bryan Perino
It's a custom client that I wrote (Just a Spring Application). Here is the YAML file that configures the client:
https://gist.github.com/bryantp/82111bbcbc0db8be701b389fd0f490e9 |
|
Buildpack creators and maintainers wanted!
Danny Rosen
The CF Buildpacks team will be conducting user research in July and would like to speak to community members who have experience:

- Creating new buildpacks
- Maintaining buildpacks bits
- Managing buildpacks within a CF environment

If you're interested in providing your opinion and are open to a 30 minute conversation please fill out this short form <https://goo.gl/YCzALr>.

Thanks!
-Cloud Foundry Buildpacks team
|
Re: How should I debug a blobstore error?
Eyal Shalev
PS with regards to above comment the login.10.60.18.186.xip.io literal appears not only under the route_registrar, but also here (should it be changed as well?):

    login:
      authorities: oauth.login,scim.write,clients.read,notifications.write,critical_notifications.write,emails.write,scim.userids,password.write
      authorized-grant-types: authorization_code,client_credentials,refresh_token
      autoapprove: true
      override: true
      redirect-uri: https://login.10.60.18.186.xip.io
|
Re: Retrieve __VCAP__ID from instance_ID
Vinod A
I did CF push and the push is successful, but the app is not starting and in the logs I see the errors that I pasted.

API endpoint: https://api.ng.bluemix.net (API version: 2.44.0)
User: vinod_app(a)in.ibm.com

Not sure if it's supported or not. Can I verify using a quick test?

Thanks,
Vinod
|