Deploying UAA in cloud.gov does not work as intended
Shetty, Viraj S [CTR]
Thanks Sree. I appreciate your input and will look into these links further.
Sree Tummidi
Hi Viraj,
Using the UAA bosh release is the best way to achieve the needed enterprise-grade operational features around High Availability, Disaster Recovery, Backup and Restore, Logging, Monitoring, etc. If UAA is planned to be used for securing applications, vendors like Pivotal and others in the OSS community have built a service layer using the open service broker interface. You can find more details here
Thanks,
Sree Tummidi
Sr. Manager, Product Management
Pivotal Cloud Foundry
Shetty, Viraj S [CTR]
Thanks Jesse. Right now I am learning UAA, but the eventual goal is to get it up and running at an enterprise level supporting many applications. As you suggest, we would need a robust way of administering this with backups and stuff. Is bosh-deploy the best way to do this? And is it supported on Windows? Currently we manage all Cloud Foundry apps using the cf client or aws cli on Windows. Wondering if the same is possible for bosh-deploy.
Jesse T. Alford
I'd like to suggest that if you're trying to provide a service to apps on Cloud Foundry with UAA, you might want to bosh-deploy UAA. Deploying it to Cloud Foundry is possible, but (and folks from the UAA team, feel free to correct me if I'm wrong here) not nearly as thoroughly tested/integrated/documented.
Shetty, Viraj S [CTR]
I figured out what the problem was. The clients attribute that I inserted in the uaa.yml was in the wrong place. It should have been directly beneath the oauth attribute. I had to also uncomment the section on JWT tokens. Once these were done, I was able to use the secret that I created for the admin user and now UAAC is working fine.
Thanks!
Viraj
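A pre-deploy check for the placement problem resolved in the message above, as an added example that is not part of the thread or of the UAA project. The uaa.yml fragments and secret values are constructed, the function names are hypothetical, and the `jwt.token.signing-key` layout is an assumption about what the commented JWT section contains.

```python
import re

# Constructed fragment: "clients" at the top level, JWT section still commented.
MISPLACED = """\
oauth:
  user:
    authorities:
      - openid
clients:
  admin:
    secret: example-secret
    authorized-grant-types: client_credentials
#jwt:
#  token:
#    signing-key: example-signing-key
"""

# Constructed fragment: "clients" directly beneath "oauth", JWT section active.
FIXED = """\
oauth:
  clients:
    admin:
      secret: example-secret
      authorized-grant-types: client_credentials
jwt:
  token:
    signing-key: example-signing-key
"""

KEY_LINE = re.compile(r"^( *)([A-Za-z0-9_.-]+):(\s|$)")

def key_paths(text):
    """Dotted paths of mapping keys in block-style YAML.

    Simplified on purpose: nesting is inferred from indentation only;
    comment lines, list items and blank lines are skipped."""
    paths, stack = set(), []          # stack holds (indent, key) pairs
    for line in text.splitlines():
        m = KEY_LINE.match(line)
        if not m:
            continue
        indent, key = len(m.group(1)), m.group(2)
        while stack and stack[-1][0] >= indent:
            stack.pop()               # leave deeper or sibling mappings
        stack.append((indent, key))
        paths.add(".".join(k for _, k in stack))
    return paths

def check_uaa_yml(text):
    """Return a list of findings; an empty list means the checks passed."""
    paths, findings = key_paths(text), []
    if "oauth.clients.admin.secret" not in paths:
        findings.append("admin client with a secret is not defined under oauth.clients")
    if "clients" in paths:
        findings.append("top-level 'clients' key found; it belongs beneath 'oauth'")
    if "jwt" not in paths:
        findings.append("no active 'jwt' section (missing or still commented out)")
    return findings
```

Running `check_uaa_yml` on the file before `cf push` surfaces the misplaced block locally instead of as a "Bad credentials" response from the deployed instance.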
Shetty, Viraj S [CTR]
Adding more to the above...
I was able to go to my deployed UAA login Cloud Foundry welcome screen, was able to create/register a user and also was able to log in using the user. However, using UAAC has been a problem because I have not been able to operate as an 'admin' user. The default admin user password does not work and so I am not able to do any administration. Any help is appreciated.
Viraj
Shetty, Viraj S [CTR]
I am trying to deploy UAA to cloud.gov (based on Cloud Foundry). The intention is to use that as the identity management for all applications deployed in cloud.gov. I followed the steps laid out in
https://docs.cloudfoundry.org/concepts/architecture/uaa.html#cf

I was able to get the code, build it and deploy locally. Both of the commands below work fine:

    uaac target http://localhost:8080/uaa
    uaac token client get admin -s adminsecret

Then, I followed the steps to deploy in cloud.gov. I created a manifest file as below:

    applications:
    - name: fdic-uaa
      memory: 1024M
      disk_quota: 512M
      instances: 1
      buildpacks:
      - java_buildpack
      routes:
      - route: fdic-uaa-d.app.cloud.gov
      env:
        SPRING_PROFILES_ACTIVE: default
        UAA_URL: https://fdic-uaa-d.app.cloud.gov
        LOGIN_URL: https://fdic-uaa-d.app.cloud.gov

I followed the steps laid out in "Deploy UAA to Cloud Foundry". After a few updates to the uaa.yml file (uncommented SAML Key Configuration and added the "encryption" field), I was able to deploy to Cloud Foundry without errors. Now when I enter the following command it's okay (though it gives some error: Unknown key: Max-Age = 86400)

    uaac target fdic-uaa-d.app.cloud.gov

But on retrieving the token, I get the error "Bad Credentials"

    uaac token client get admin -s adminsecret
    error response:
    {
      "error": "unauthorized",
      "error_description": "Bad credentials"
    }
    attempt to get token failed
The logs gave the following error:
2018-12-14T16:12:41.55-0500 [APP/PROC/WEB/0] OUT [2018-12-14 21:12:41.557] cloudfoundry-identity-server - ???? [http-nio-8080-exec-3] .... DEBUG --
- ClientDetailsAuthenticationProvider: User 'admin' not found
2018-12-14T16:12:41.55-0500 [APP/PROC/WEB/0] OUT [2018-12-14 21:12:41.557] cloudfoundry-identity-server - ???? [http-nio-8080-exec-3] .... INFO --
- Audit: PrincipalAuthenticationFailure ('null'): principal=admin, origin=[167.176.6.240], identityZoneId=[uaa]
2018-12-14T16:12:41.55-0500 [APP/PROC/WEB/0] OUT [2018-12-14 21:12:41.557] cloudfoundry-identity-server - ???? [http-nio-8080-exec-3] .... INFO --
- Audit: ClientAuthenticationFailure ('Bad credentials'): principal=admin, origin=[remoteAddress=167.176.6.240, clientId=admin], identityZoneId=[uaa]
2018-12-14T16:12:41.55-0500 [APP/PROC/WEB/0] OUT [2018-12-14 21:12:41.558] cloudfoundry-identity-server - ???? [http-nio-8080-exec-3] .... DEBUG --
- ClientBasicAuthenticationFilter: Authentication request for failed: org.springframework.security.authentication.BadCredentialsException: Bad credentials
I also tried to add a clients section in the uaa.yml file and still get an error.

    clients:
      admin:
        secret: <some secret>
        authorized-grant-types: client_credentials
        scope: uaa.none
        authorities: uaa.admin,clients.admin,clients.read,clients.write,clients.secret

Any assistance will be helpful. Is there reliable documentation on how to deploy UAA into Cloud Foundry? I am not sure if I need to set some other attributes in the uaa.yml