我正在尝试使用内存中的uaa服务将scdf2链接为默认..
尝试登录,使用admin重定向到uaa登录以询问用户, 而下一页是“去哪里”
我正在使用以下命令运行scdf:
SECURITY_OAUTH2_CLIENT_CLIENT_ID: dataflow
SECURITY_OAUTH2_CLIENT_CLIENT_SECRET: dataflow
SECURITY_OAUTH2_CLIENT_SCOPE: openid
SPRING_CLOUD_DATAFLOW_SECURITY_AUTHORIZATION_MAP_OAUTH_SCOPES: true
SECURITY_OAUTH2_CLIENT_ACCESS_TOKEN_URI: http://uaa-service:8080/uaa/oauth/token
SECURITY_OAUTH2_CLIENT_USER_AUTHORIZATION_URI: http://uaa-service:8080/uaa/oauth/authorize
SECURITY_OAUTH2_RESOURCE_USER_INFO_URI: http://uaa-service:8080/uaa/userinfo
SECURITY_OAUTH2_RESOURCE_TOKEN_INFO_URI: http://uaa-service:8080/uaa/check_token
uaa服务正在运行:
issuer:
uri: http://uaa-service:8080/uaa
login:
url: http://uaa-service:8080/uaa
entityBaseURL: http://uaa-service:8080/uaa
entityID: cloudfoundry-saml-login
saml:
nameID: 'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified'
assertionConsumerIndex: 0
signMetaData: true
signRequest: true
socket:
connectionManagerTimeout: 10000
soTimeout: 10000
authorize:
url: http://uaa-service:8080/uaa/oauth/authorize
uaa:
# The hostname of the UAA that this login server will connect to
url: http://uaa-service:8080/uaa
token:
url: http://uaa-service:8080/uaa/oauth/token
approvals:
url: http://uaa-service:8080/uaa/approvals
login:
url: http://uaa-service:8080/uaa/authenticate
scdf2中的configmap是
management:
endpoints:
web:
base-path: /management
security:
roles: MANAGE
spring:
cloud:
dataflow:
security:
authorization:
map-oauth-scopes: true
role-mappings:
ROLE_CREATE: dataflow.create
ROLE_DEPLOY: dataflow.deploy
ROLE_DESTROY: dataflow.destoy
ROLE_MANAGE: dataflow.manage
ROLE_MODIFY: dataflow.modify
ROLE_SCHEDULE: dataflow.schedule
ROLE_VIEW: dataflow.view
enabled: true
rules:
# About
- GET /about => hasRole('ROLE_VIEW')
# Audit
- GET /audit-records => hasRole('ROLE_VIEW')
- GET /audit-records/** => hasRole('ROLE_VIEW')
# Boot Endpoints
- GET /management/** => hasRole('ROLE_MANAGE')
# Apps
- GET /apps => hasRole('ROLE_VIEW')
- GET /apps/** => hasRole('ROLE_VIEW')
- DELETE /apps/** => hasRole('ROLE_DESTROY')
- POST /apps => hasRole('ROLE_CREATE')
- POST /apps/** => hasRole('ROLE_CREATE')
- PUT /apps/** => hasRole('ROLE_MODIFY')
# Completions
- GET /completions/** => hasRole('ROLE_VIEW')
# Job Executions & Batch Job Execution Steps && Job Step Execution Progress
- GET /jobs/executions => hasRole('ROLE_VIEW')
- PUT /jobs/executions/** => hasRole('ROLE_MODIFY')
- GET /jobs/executions/** => hasRole('ROLE_VIEW')
# Batch Job Instances
- GET /jobs/instances => hasRole('ROLE_VIEW')
- GET /jobs/instances/* => hasRole('ROLE_VIEW')
# Running Applications
- GET /runtime/streams => hasRole('ROLE_VIEW')
- GET /runtime/apps => hasRole('ROLE_VIEW')
- GET /runtime/apps/** => hasRole('ROLE_VIEW')
# Stream Definitions
- GET /streams/definitions => hasRole('ROLE_VIEW')
- GET /streams/definitions/* => hasRole('ROLE_VIEW')
- GET /streams/definitions/*/related => hasRole('ROLE_VIEW')
- POST /streams/definitions => hasRole('ROLE_CREATE')
- DELETE /streams/definitions/* => hasRole('ROLE_DESTROY')
- DELETE /streams/definitions => hasRole('ROLE_DESTROY')
# Stream Deployments
- DELETE /streams/deployments/* => hasRole('ROLE_DEPLOY')
- DELETE /streams/deployments => hasRole('ROLE_DEPLOY')
- POST /streams/deployments/** => hasRole('ROLE_MODIFY')
- GET /streams/deployments/** => hasRole('ROLE_VIEW')
# Stream Validations
- GET /streams/validation/ => hasRole('ROLE_VIEW')
- GET /streams/validation/* => hasRole('ROLE_VIEW')
# Task Definitions
- POST /tasks/definitions => hasRole('ROLE_CREATE')
- DELETE /tasks/definitions/* => hasRole('ROLE_DESTROY')
- GET /tasks/definitions => hasRole('ROLE_VIEW')
- GET /tasks/definitions/* => hasRole('ROLE_VIEW')
# Task Executions
- GET /tasks/executions => hasRole('ROLE_VIEW')
- GET /tasks/executions/* => hasRole('ROLE_VIEW')
- POST /tasks/executions => hasRole('ROLE_DEPLOY')
- DELETE /tasks/executions/* => hasRole('ROLE_DESTROY')
# Task Schedules
- GET /tasks/schedules => hasRole('ROLE_VIEW')
- GET /tasks/schedules/* => hasRole('ROLE_VIEW')
- GET /tasks/schedules/instances => hasRole('ROLE_VIEW')
- GET /tasks/schedules/instances/* => hasRole('ROLE_VIEW')
- POST /tasks/schedules => hasRole('ROLE_SCHEDULE')
- DELETE /tasks/schedules/* => hasRole('ROLE_SCHEDULE')
# Task Validations
- GET /tasks/validation/ => hasRole('ROLE_VIEW')
- GET /tasks/validation/* => hasRole('ROLE_VIEW')
# Tools
- POST /tools/** => hasRole('ROLE_VIEW')
applicationProperties:
stream:
management:
metrics:
export:
prometheus:
enabled: true
endpoints:
web:
exposure:
include: 'prometheus,info,health'
spring:
cloud:
streamapp:
security:
enabled: false
grafana-info:
url: 'http://localhost:3000'
task:
platform:
kubernetes:
accounts:
default:
## AQUI PONER IVARIABLES DE JOAQUINITO PARA LAS TASK
limits:
memory: 1024Mi
cpu: 500m
datasource:
url: 'jdbc:mysql://mariadb-scdf2:3306/mysql?useMysqlMetadata=true'
driverClassName: org.mariadb.jdbc.Driver
username: root
password: ${database-password}
testOnBorrow: true
validationQuery: "SELECT 1"
uaac客户端映射操作系统
# Create the two UAA users referenced in this post. The passwords given here
# are the ones submitted later in the curl password-grant call.
uaac user add admin -p password --emails admin@mk.com
uaac user add user -p password --emails user@mk.com
# Create the three scope groups. Note that the SCDF role-mappings above also
# reference dataflow.deploy, dataflow.destoy, dataflow.modify and
# dataflow.schedule, for which no group is created here.
uaac group add "dataflow.view"
uaac group add "dataflow.create"
uaac group add "dataflow.manage"
# Put both users into all three groups, so admin and user end up with the
# same dataflow.* memberships.
uaac member add dataflow.view admin
uaac member add dataflow.create admin
uaac member add dataflow.manage admin
uaac member add dataflow.view user
uaac member add dataflow.create user
uaac member add dataflow.manage user
# Register the OAuth client "dataflow"; its id/secret match the
# SECURITY_OAUTH2_CLIENT_CLIENT_ID / _SECRET values above. The uaac transcript
# further down registers the same client with
# --redirect_uri http://scdf2-data-flow-server:80 instead of the localhost URL
# used here — presumably only one of the two is what the running UAA holds;
# verify against the UAA's client listing.
# The grant types listed are the ones the curl calls in this post exercise:
# the password grant returns a token carrying the user's dataflow.* scopes,
# while the client_credentials grant returns a token whose scope is only
# "uaa.resource" (the client's --authorities), so a token obtained that way
# presumably does not carry the dataflow.* scopes the role-mappings expect.
# No comment lines may be placed between the continued lines below, because a
# comment would terminate the backslash continuation.
uaac client add dataflow \
--name dataflow \
--scope cloud_controller.read,cloud_controller.write,openid,password.write,scim.userids,dataflow.view,dataflow.create,dataflow.manage \
--authorized_grant_types password,authorization_code,client_credentials,refresh_token \
--authorities uaa.resource \
--redirect_uri http://localhost:9999/login \
--autoapprove openid \
--secret dataflow
使用“管理员”用户登录总是将网页重定向到“哪里?”
正在执行:
root@788716dfe684:/# curl -v -d"username=admin&password=password&client_id=dataflow&grant_type=password" -u "dataflow:dataflow" http://uaa-service:8080/oauth/token
* TCP_NODELAY set
* Expire in 200 ms for 4 (transfer 0x5636f45fadd0)
* Connected to uaa-service (10.39.0.1) port 8080 (#0)
* Server auth using Basic with user 'dataflow'
> POST /oauth/token HTTP/1.1
> Host: uaa-service:8080
> Authorization: Basic ZGF0YWZsb3c6ZGF0YWZsb3c=
> User-Agent: curl/7.64.0
> Accept: */*
> Content-Length: 71
> Content-Type: application/x-www-form-urlencoded
>
* upload completely sent off: 71 out of 71 bytes
< HTTP/1.1 200
< Cache-Control: no-cache, no-store, max-age=0, must-revalidate
< Pragma: no-cache
< Expires: 0
< X-XSS-Protection: 1; mode=block
< X-Frame-Options: DENY
< X-Content-Type-Options: nosniff
< Cache-Control: no-store
< Pragma: no-cache
< Content-Type: application/json;charset=UTF-8
< Transfer-Encoding: chunked
< Date: Mon, 05 Aug 2019 11:35:35 GMT
<
{"access_token":"eyJhbGciOiJSUzI1NiIsImtpZCI6ImtleS1pZC0xIiwidHlwIjoiSldUIn0.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.ppsdR39jwhmDwR1zUmQ4Bs-qRbocRoBdK9WUL02LY-FZNGpYF4PGenyjvs5oYYaMtIODDQxVjGnsWZ3Xs3zbByYPoISkQtGQwMCrgWj9pL* Connection #0 to host uaa-service left intact
7HYPPOI8WzvZYrXARZHJDCPuJxSQ8BJ0bODPeufIzjaFx6fhdp_qV13JNnnx_eUYp_KREVnH6jNC14YcWlbyrTE2ghQm6X6KTF_jo4Bgulj4PuTlnFOTkadZ-9H_5iQ3uYc6aJheDSH-ht10kB9kpfAE6w3VVcF3QfPtmIK1fsc9gJjOkRUx78QKmyfpfjGv9heJaDZ9msTkAO8Zk7yr5snuChdBXrzU4WtQpMJ3FY0A","token_type":"bearer","expires_in":3599,"scope":"dataflow.view scim.userids openid cloud_controller.read password.write dataflow.manage cloud_controller.write dataflow.create","jti":"e2d0ac7ee10646499ed381254f379dda"}root@788716dfe684:/```
The UAA logs are:
INFO --- Audit: TokenIssuedEvent (["dataflow.view","scim.userids","openid","cloud_controller.read","password.write","dataflow.manage","cloud_controller.write","dataflow.create"]): principal=83e1ebd8-e1a2-4cfb-b98a-9e3bd3468136, origin=[client=dataflow, user=admin], identityZoneId=[uaa]
So it seems that a valid token is returned.
help, please
More detailed info about uaac:
=========================================================================================================================================
root@bf98436ccc82:/# echo "10.42.0.1 uaa-service" >> /etc/hosts
root@bf98436ccc82:/# uaac target http://uaa-service:8080
Unknown key: Max-Age = 86400
Target: http://uaa-service:8080
=========================================================================================================================================
root@bf98436ccc82:/# uaac token client get uaa_admin -s uaa_secret
Unknown key: Max-Age = 86400
Successfully fetched token via client credentials grant.
Target: http://uaa-service:8080
Context: uaa_admin, from client uaa_admin
root@bf98436ccc82:/# uaac token decode
Note: no key given to validate token signature
jti: 8067e0122b20433ab817f684e7335d30
sub: uaa_admin
authorities: clients.read password.write clients.secret clients.write uaa.admin scim.write scim.read
scope: clients.read password.write clients.secret clients.write uaa.admin scim.write scim.read
client_id: uaa_admin
cid: uaa_admin
azp: uaa_admin
grant_type: client_credentials
rev_sig: 7216b9b8
iat: 1565017183
exp: 1565060383
iss: http://uaa-service:8080/oauth/token
zid: uaa
aud: scim uaa_admin password clients uaa
=========================================================================================================================================
root@bf98436ccc82:/# uaac user add admin -p password --emails admin@mk.com
user account successfully added
root@bf98436ccc82:/# uaac user add user -p password --emails user@mk.com
user account successfully added
=========================================================================================================================================
root@bf98436ccc82:/# uaac group add "dataflow.view"
id: 9796f596-e540-4f3b-a32c-90b1bac5d0cc
meta
version: 0
created: 2019-08-05T15:00:01.014Z
lastmodified: 2019-08-05T15:00:01.014Z
members:
schemas: urn:scim:schemas:core:1.0
displayname: dataflow.view
zoneid: uaa
root@bf98436ccc82:/# uaac group add "dataflow.create"
id: c798e762-bcae-4d1f-8eef-2f7083df2d45
meta
version: 0
created: 2019-08-05T15:00:01.495Z
lastmodified: 2019-08-05T15:00:01.495Z
members:
schemas: urn:scim:schemas:core:1.0
displayname: dataflow.create
zoneid: uaa
root@bf98436ccc82:/# uaac group add "dataflow.manage"
id: 47aeba32-db27-456c-aa12-d5492127fe1f
meta
version: 0
created: 2019-08-05T15:00:01.986Z
lastmodified: 2019-08-05T15:00:01.986Z
members:
schemas: urn:scim:schemas:core:1.0
displayname: dataflow.manage
zoneid: uaa
=========================================================================================================================================
root@bf98436ccc82:/# uaac member add dataflow.view admin
success
root@bf98436ccc82:/# uaac member add dataflow.create admin
success
root@bf98436ccc82:/# uaac member add dataflow.manage admin
success
=========================================================================================================================================
root@bf98436ccc82:/# uaac member add dataflow.view user
success
root@bf98436ccc82:/# uaac member add dataflow.create user
success
root@bf98436ccc82:/# uaac member add dataflow.manage user
success
=========================================================================================================================================
root@bf98436ccc82:/# curl -v -d"username=admin&password=password&client_id=dataflow&grant_type=client_credentials" -u "dataflow:dataflow" http://uaa-service:8080/oauth/token
* Expire in 0 ms for 1 (transfer 0x5585749b2dd0)
* Expire in 0 ms for 1 (transfer 0x5585749b2dd0)
* Expire in 0 ms for 1 (transfer 0x5585749b2dd0)
* Trying 10.42.0.1...
* TCP_NODELAY set
* Expire in 200 ms for 4 (transfer 0x5585749b2dd0)
* Connected to uaa-service (10.42.0.1) port 8080 (#0)
* Server auth using Basic with user 'dataflow'
> POST /oauth/token HTTP/1.1
> Host: uaa-service:8080
> Authorization: Basic ZGF0YWZsb3c6ZGF0YWZsb3c=
> User-Agent: curl/7.64.0
> Accept: */*
> Content-Length: 81
> Content-Type: application/x-www-form-urlencoded
>
* upload completely sent off: 81 out of 81 bytes
< HTTP/1.1 401
< Cache-Control: no-cache, no-store, max-age=0, must-revalidate
< Pragma: no-cache
< Expires: 0
< X-XSS-Protection: 1; mode=block
< X-Frame-Options: DENY
< X-Content-Type-Options: nosniff
< Cache-Control: no-store
< Pragma: no-cache
* Authentication problem. Ignoring this.
< WWW-Authenticate: Basic realm="UAA/client", error="unauthorized", error_description="Bad credentials"
< Content-Type: application/json;charset=UTF-8
< Transfer-Encoding: chunked
< Date: Mon, 05 Aug 2019 15:01:07 GMT
<
* Connection #0 to host uaa-service left intact
{"error":"unauthorized","error_description":"Bad credentials"}root@bf98436ccc82:/# curl -v -d"username=admin&password=password&client_id=dataflow&grant_type=client_credentials" -u "dataflow:dataflow" http:* Expire in 0 ms for 6 (transfer 0x56045ead8dd0)
* Trying 10.42.0.1...
* TCP_NODELAY set
* Expire in 200 ms for 4 (transfer 0x56045ead8dd0)
* Connected to uaa-service (10.42.0.1) port 8080 (#0)
* Server auth using Basic with user 'dataflow'
> POST /oauth/token HTTP/1.1
> Host: uaa-service:8080
> Authorization: Basic ZGF0YWZsb3c6ZGF0YWZsb3c=
> User-Agent: curl/7.64.0
> Accept: */*
> Content-Length: 81
> Content-Type: application/x-www-form-urlencoded
>
* upload completely sent off: 81 out of 81 bytes
< HTTP/1.1 401
< Cache-Control: no-cache, no-store, max-age=0, must-revalidate
< Pragma: no-cache
< Expires: 0
< X-XSS-Protection: 1; mode=block
< X-Frame-Options: DENY
< X-Content-Type-Options: nosniff
< Cache-Control: no-store
< Pragma: no-cache
* Authentication problem. Ignoring this.
< WWW-Authenticate: Basic realm="UAA/client", error="unauthorized", error_description="Bad credentials"
< Content-Type: application/json;charset=UTF-8
< Transfer-Encoding: chunked
< Date: Mon, 05 Aug 2019 15:01:16 GMT
<
* Connection #0 to host uaa-service left intact
{"error":"unauthorized","error_description":"Bad credentials"}
=========================================================================================================================================
root@bf98436ccc82:/# uaac client add dataflow \
> --name dataflow \
> --scope cloud_controller.read,cloud_controller.write,openid,password.write,scim.userids,dataflow.view,dataflow.create,dataflow.manage \
> --authorized_grant_types password,authorization_code,client_credentials,refresh_token \
> --authorities uaa.resource \
> --redirect_uri http://scdf2-data-flow-server:80 \
> --autoapprove openid \
> --secret dataflow
scope: cloud_controller.read password.write scim.userids dataflow.view dataflow.manage cloud_controller.write openid dataflow.create
client_id: dataflow
resource_ids: none
authorized_grant_types: refresh_token password client_credentials authorization_code
redirect_uri: http://scdf2-data-flow-server:80
autoapprove: openid
authorities: uaa.resource
name: dataflow
required_user_groups:
lastmodified: 1565017338175
id: dataflow
=========================================================================================================================================
root@bf98436ccc82:/# curl -v -d"username=admin&password=password&client_id=dataflow&grant_type=client_credentials" -u "dataflow:dataflow" http://uaa-service:8080/oauth/token
* Expire in 0 ms for 6 (transfer 0x5632e4386dd0)
* Trying 10.42.0.1...
* TCP_NODELAY set
* Expire in 200 ms for 4 (transfer 0x5632e4386dd0)
* Connected to uaa-service (10.42.0.1) port 8080 (#0)
* Server auth using Basic with user 'dataflow'
> POST /oauth/token HTTP/1.1
> Host: uaa-service:8080
> Authorization: Basic ZGF0YWZsb3c6ZGF0YWZsb3c=
> User-Agent: curl/7.64.0
> Accept: */*
> Content-Length: 81
> Content-Type: application/x-www-form-urlencoded
>
* upload completely sent off: 81 out of 81 bytes
< HTTP/1.1 200
< Cache-Control: no-cache, no-store, max-age=0, must-revalidate
< Pragma: no-cache
< Expires: 0
< X-XSS-Protection: 1; mode=block
< X-Frame-Options: DENY
< X-Content-Type-Options: nosniff
< Cache-Control: no-store
< Pragma: no-cache
< Content-Type: application/json;charset=UTF-8
< Transfer-Encoding: chunked
< Date: Mon, 05 Aug 2019 15:02:21 GMT
<
* Connection #0 to host uaa-service left intact
{"access_token":"eyJhbGciOiJIUzI1NiIsImtpZCI6ImxlZ2FjeS10b2tlbi1rZXkiLCJ0eXAiOiJKV1QifQ.eyJqdGkiOiJlNmU3YzNiOWVkMmM0ZmI5ODQ5OWE3MmQ2N2EzMjMyYSIsInN1YiI6ImRhdGFmbG93IiwiYXV0aG9yaXRpZXMiOlsidWFhLnJlc291cmNlIl0sInNjb3BlIjpbInVhYS5yZXNvdXJjZSJdLCJjbGllbnRfaWQiOiJkYXRhZmxvdyIsImNpZCI6ImRhdGFmbG93IiwiYXpwIjoiZGF0YWZsb3ciLCJncmFudF90eXBlIjoiY2xpZW50X2NyZWRlbnRpYWxzIiwicmV2X3NpZyI6IjFkMmUwMjVjIiwiaWF0IjoxNTY1MDE3MzQxLCJleHAiOjE1NjUwNjA1NDEsImlzcyI6Imh0dHA6Ly91YWEtc2VydmljZTo4MDgwL29hdXRoL3Rva2VuIiwiemlkIjoidWFhIiwiYXVkIjpbImRhdGFmbG93IiwidWFhIl19.G2f8bIMbUWJOz8kcZYtU37yYhTtMOEJlsrvJFINnUjo","token_type":"bearer","expires_in":43199,"scope":"uaa.resource","jti":"e6e7c3b9ed2c4fb98499a72d67a3232a"}root@bf98436ccc82:/#