Unable to log in to deployment


Kody Kantor

Dec 13, 2013, 5:51:21 PM
to vcap...@cloudfoundry.org
Hello all,

I'm having issues logging in to a new vSphere deployment. I'm super new to CF, so bear with me.

I can target the deployment fine with both the gcf and cf command line tools. Then, I run into a problem while trying to log in. Here's some output:
root@server:~# gcf login
Warning: Insecure http API endpoint detected: secure https API endpoints are recommended


Username> admin

Password>
Authenticating...
Server error, status code: 500, error code: , message:


If I look at the Login VM logs while trying to log in, a crazy long error message is generated. The top of the error trace is:
ERROR --- DispatcherServlet: Context initialization failed
org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'org.springframework.context.support.PropertySourcesPlaceholderConfigurer#0': Cannot resolve reference to bean 'applicationProperties' while setting bean property 'properties'; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'applicationProperties' defined in class path resource [env-context.xml]: Initialization of bean failed; nested exception is org.springframework.beans.TypeMismatchException: Failed to convert property value of type 'java.util.LinkedHashMap' to required type 'java.util.Properties' for property 'properties'; nested exception is java.lang.IllegalArgumentException: Cannot convert value of type [java.util.LinkedHashMap] to required type [java.util.Properties] for property 'properties': PropertyEditor [org.springframework.beans.propertyeditors.PropertiesEditor] returned inappropriate value of type [java.util.LinkedHashMap]

Here's the UAA portion of the deployment manifest. I don't understand any of the autoapprove section, and I couldn't find any explanation of it anywhere either.
For 'spring_profiles,' the UAA couldn't talk to the UAADB unless I specified postgresql twice... weird.
  uaa:
    port: 6767
    no_ssl: true
    catalina_opts: -Xmx768m -XX:MaxPermSize=512m
    spring_profiles: postgresql,postgresql
    client_secret: <%= common_password %>
    token_secret: <%= common_password %>
    cc:
      token_secret: <%= common_password %>
      client_secret: <%= common_password %>
    admin:
      client_secret: <%= common_password %>
    login:
      client_secret: <%= common_password %>
      addnew: true
    batch:
      username: admin
      password: <%= common_password %>
    client:
      override: true
      autoapprove:
        - cf
        - gcf
        - vmc
        - my
        - portal
        - micro
        - support-signon
        - login
    clients:
      cf: &cf
        override: true
        authorized-grant-types: implicit,password,refresh_token
        authorities: uaa.admin,cloud_controller.admin
        redirect-uri: http://ccng.cloudfoundry.local
        scope: cloud_controller.read,cloud_controller.write,openid,password.write,cloud_controller.admin,scim.read,scim.write
      admin:
        secret: <%= common_password %>
        authorized-grant-types: client_credentials
        authorities: clients.read,clients.write,clients.secret,password.write,scim.read,uaa.admin
      vmc: *cf
      gcf: *cf
    scim:
      users:
        - admin|<%= common_password %>|scim.write,scim.read,openid,cloud_controller.admin,uaa.admin,password.write

Any idea what's going on here? Do I even need a Login job? Looking at some other manifest files, it looks like some of them don't include Login jobs.

Thanks!
Kody Kantor

James Bayer

Dec 14, 2013, 12:02:02 PM
to vcap...@cloudfoundry.org
kody,

the vsphere sample manifest you're using is very old [1]. the first hint to me was that you are using "ccng" as the endpoint. all of the recent deployments use "api" for that sub-domain. 

i've attached one of our example manifest stubs for a vsphere deployment. the login server (or saml login server) is required if you want to login using a website to get a token, but i believe the uaa can do everything required if all you're using is the command line. i have no idea if this will work for you or which release it was deployed with. the stemcell version that is referenced is older too. so if you're using a newer cf-release like v151, it probably requires a newer stemcell as i believe the path to rsyslog changed.

we'll look into updating the sample vsphere deployment. another option for you in the meantime could be to download pivotal cf [3] and do a deployment with that, login to the microbosh used, and download the deployment manifest and use that as a sample deployment manifest to build one from. 


[2] example vsphere manifest stub

---
name: cf-yourenvhere
director_uuid: your_bosh_dir_guid_here
releases:
- name: cf-release
  version: latest
networks:
- name: default
  subnets:
  - range: 172.16.76.0/23
    gateway: 172.16.76.1
    dns:
    - 10.80.0.44
    static:
    - 172.16.76.19
    - 172.16.76.20
    - 172.16.76.21
    - 172.16.76.22
    - 172.16.76.23
    - 172.16.76.16
    - 172.16.76.24
    - 172.16.76.25
    - 172.16.76.26
    - 172.16.76.27
    - 172.16.76.28
    - 172.16.76.29
    - 172.16.76.31
    - 172.16.76.32
    reserved:
    - 172.16.76.2-172.16.76.15
    - 172.16.76.17-172.16.76.18
    - 172.16.76.52-172.16.77.254
    cloud_properties:
      name: VM Network
resource_pools:
- name: nats
  stemcell:
    name: bosh-stemcell
    version: 962
  network: default
  size: 1
  cloud_properties:
    ram: 1024
    disk: 2048
    cpu: 1
  env:
    bosh:
      password: !binary |-
        a bunch
        of password
        stuff here
- name: health_manager
  stemcell:
    name: bosh-stemcell
    version: 962
  network: default
  size: 1
  cloud_properties:
    ram: 1024
    disk: 2048
    cpu: 1
  env:
    bosh:
      password: !binary |-
        a bunch
        of password
        stuff here
- name: nfs_server
  stemcell:
    name: bosh-stemcell
    version: 962
  network: default
  size: 1
  cloud_properties:
    ram: 1024
    disk: 2048
    cpu: 1
  env:
    bosh:
      password: !binary |-
        a bunch
        of password
        stuff here
- name: ccdb
  stemcell:
    name: bosh-stemcell
    version: 962
  network: default
  size: 1
  cloud_properties:
    ram: 1024
    disk: 2048
    cpu: 1
  env:
    bosh:
      password: !binary |-
        a bunch
        of password
        stuff here
- name: cloud_controller
  stemcell:
    name: bosh-stemcell
    version: 962
  network: default
  size: 1
  cloud_properties:
    ram: 1024
    disk: 10240
    cpu: 1
  env:
    bosh:
      password: !binary |-
        a bunch
        of password
        stuff here
- name: router
  stemcell:
    name: bosh-stemcell
    version: 962
  network: default
  size: 1
  cloud_properties:
    ram: 1024
    disk: 2048
    cpu: 1
  env:
    bosh:
      password: !binary |-
        a bunch
        of password
        stuff here
- name: syslog
  stemcell:
    name: bosh-stemcell
    version: 962
  network: default
  size: 1
  cloud_properties:
    ram: 1024
    disk: 2048
    cpu: 1
  env:
    bosh:
      password: !binary |-
        a bunch
        of password
        stuff here
- name: collector
  stemcell:
    name: bosh-stemcell
    version: 962
  network: default
  size: 1
  cloud_properties:
    ram: 1024
    disk: 2048
    cpu: 1
  env:
    bosh:
      password: !binary |-
        a bunch
        of password
        stuff here
- name: uaadb
  stemcell:
    name: bosh-stemcell
    version: 962
  network: default
  size: 1
  cloud_properties:
    ram: 1024
    disk: 2048
    cpu: 1
  env:
    bosh:
      password: !binary |-
        a bunch
        of password
        stuff here
- name: uaa
  stemcell:
    name: bosh-stemcell
    version: 962
  network: default
  size: 1
  cloud_properties:
    ram: 1024
    disk: 2048
    cpu: 1
  env:
    bosh:
      password: !binary |-
        a bunch
        of password
        stuff here
- name: saml_login
  stemcell:
    name: bosh-stemcell
    version: 962
  network: default
  size: 1
  cloud_properties:
    ram: 1024
    disk: 2048
    cpu: 1
  env:
    bosh:
      password: !binary |-
        a bunch
        of password
        stuff here
- name: dea
  stemcell:
    name: bosh-stemcell
    version: 962
  network: default
  size: 4
  cloud_properties:
    ram: 16384
    disk: 32768
    cpu: 2
  env:
    bosh:
      password: !binary |-
        a bunch
        of password
        stuff here
- name: loggregator
  stemcell:
    name: bosh-stemcell
    version: 962
  network: default
  size: 1
  cloud_properties:
    ram: 1024
    disk: 2048
    cpu: 1
  env:
    bosh:
      password: !binary |-
        a bunch
        of password
        stuff here
- name: loggregator_router
  stemcell:
    name: bosh-stemcell
    version: 962
  network: default
  size: 1
  cloud_properties:
    ram: 1024
    disk: 2048
    cpu: 1
  env:
    bosh:
      password: !binary |-
        a bunch
        of password
        stuff here
compilation:
  workers: 5
  network: default
  cloud_properties:
    ram: 1024
    disk: 4096
    cpu: 2
update:
  canaries: 1
  canary_watch_time: 30000-300000
  update_watch_time: 5000-300000
  max_in_flight: 1
  max_errors: 2
jobs:
- name: nats
  template: nats
  instances: 1
  resource_pool: nats
  persistent_disk: 0
  networks:
  - name: default
    static_ips:
    - 172.16.76.19
  properties:
    networks:
      apps: default
    nats:
      user: nats
      password: somepassword
      address: 172.16.76.19
      port: 4222
- name: health_manager
  template: health_manager_next
  instances: 1
  resource_pool: health_manager
  persistent_disk: 0
  networks:
  - name: default
    static_ips:
    - 172.16.76.20
  properties:
    cc:
      srv_api_uri: http://api.172.16.76.16.xip.io
    networks:
      apps: default
    nats:
      user: nats
      password: somepassword
      address: 172.16.76.19
      port: 4222
    syslog_aggregator:
      address: 172.16.76.24
      port: 54321
    health_manager:
      intervals:
        giveup_crash_number: 4
- name: nfs_server
  template: debian_nfs_server
  instances: 1
  resource_pool: nfs_server
  persistent_disk: 102400
  networks:
  - name: default
    static_ips:
    - 172.16.76.21
  properties:
    nfs_server:
      address: 172.16.76.21
      network: 172.16.76.0/23
- name: ccdb
  template: postgres
  instances: 1
  resource_pool: ccdb
  persistent_disk: 2048
  networks:
  - name: default
    static_ips:
    - 172.16.76.22
  properties:
    db: ccdb
    ccdb:
      address: 172.16.76.22
      port: 2544
      db_scheme: postgres
      roles:
      - tag: admin
        name: admin
        password: somepassword
      databases:
      - tag: cc
        name: ccdb
        citext: true
- name: cloud_controller
  template: cloud_controller_ng
  instances: 1
  resource_pool: cloud_controller
  persistent_disk: 0
  networks:
  - name: default
    static_ips:
    - 172.16.76.23
  properties:
    domain: 172.16.76.16.xip.io
    system_domain: 172.16.76.16.xip.io
    system_domain_organization: system
    app_domains:
    ccng:
      external_host: api
      logging_level: debug
      uaa_resource_id: cloud_controller
      staging_upload_user: staging_upload_user
      staging_upload_password: somepassword
      bulk_api_password: somepassword
      db_encryption_key: someencryptionkey
      bootstrap_admin_email: admin
      cc_partition: default
      default_quota_definition: runaway
      stacks:
      - name: lucid64
        description: Ubuntu 10.04
    ccdb_ng:
      address: 172.16.76.22
      port: 2544
      db_scheme: postgres
      roles:
      - tag: admin
        name: admin
        password: somepassword
      databases:
      - tag: cc
        name: ccdb
        citext: true
    networks:
      apps: default
    nfs_server:
      address: 172.16.76.21
    uaa:
      jwt:
        verification_key: ! '-----BEGIN PUBLIC KEY-----

          AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

 AAAAAAAA

          -----END PUBLIC KEY-----

'
    login:
    nats:
      user: nats
      password: somepassword
      address: 172.16.76.19
      port: 4222
    syslog_aggregator:
      address: 172.16.76.24
      port: 54321
- name: router
  template: gorouter
  instances: 1
  resource_pool: router
  persistent_disk: 0
  networks:
  - name: default
    static_ips:
    - 172.16.76.16
  properties:
    router:
      endpoint_timeout: 300
      status:
        port: 8080
        user: router_status
        password: somepassword
    nats:
      user: nats
      password: somepassword
      address: 172.16.76.19
      port: 4222
    syslog_aggregator:
      address: 172.16.76.24
      port: 54321
- name: syslog
  template: syslog_aggregator
  instances: 1
  resource_pool: syslog
  persistent_disk: 8192
  networks:
  - name: default
    static_ips:
    - 172.16.76.24
  properties:
    domain: 172.16.76.16.xip.io
    nats:
      user: nats
      password: somepassword
      address: 172.16.76.19
      port: 4222
    syslog_aggregator:
      address: 172.16.76.24
      port: 54321
- name: collector
  template: collector
  instances: 1
  resource_pool: collector
  persistent_disk: 0
  networks:
  - name: default
    static_ips:
    - 172.16.76.25
  properties:
    nats:
      user: nats
      password: somepassword
      address: 172.16.76.19
      port: 4222
    syslog_aggregator:
      address: 172.16.76.24
      port: 54321
- name: uaadb
  template: postgres
  instances: 1
  resource_pool: uaadb
  persistent_disk: 8192
  networks:
  - name: default
    static_ips:
    - 172.16.76.26
  properties:
    db: uaadb
    uaadb:
      address: 172.16.76.26
      port: 2544
      db_scheme: postgresql
      roles:
      - tag: admin
        name: root
        password: somepassword
      databases:
      - tag: uaa
        name: uaa
    networks:
      services: default
- name: uaa
  template: uaa
  instances: 1
  resource_pool: uaa
  persistent_disk: 0
  networks:
  - name: default
    static_ips:
    - 172.16.76.27
  properties:
    uaa:
      catalina_opts: -Xmx768m -XX:MaxPermSize=256m
      jwt:
        signing_key: ! '-----BEGIN RSA PRIVATE KEY-----

 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

 AAAAAAAA

          -----END RSA PRIVATE KEY-----

'
        verification_key: ! '-----BEGIN PUBLIC KEY-----

 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

 AAAAAAAA

          -----END PUBLIC KEY-----

'
      cc:
        client_secret: somesecret
      admin:
        client_secret: somesecret
      clients:
        login:
          id: login
          override: true
          autoapprove: true
          authorities: oauth.login
          authorized-grant-types: authorization_code,client_credentials,refresh_token
          scope: openid
          secret: somesecret
        cf:
          id: cf
          override: true
          autoapprove: true
          authorities: uaa.none
          authorized-grant-types: implicit,password,refresh_token
          scope: cloud_controller.read,cloud_controller.write,openid,password.write,cloud_controller.admin,scim.read,scim.write
        system_passwords:
          id: system_passwords
          override: true
          autoapprove: true
          authorities: uaa.admin,scim.read,scim.write,password.write
          authorized-grant-types: client_credentials
          secret: somesecret
      scim:
        user:
          override: false
        users:
        - admin|somepassword|scim.write,scim.read,openid,cloud_controller.admin,dashboard.user,console.admin,console.support
        - system_services|somepassword|cloud_controller.admin
        - system_verification|somepassword|scim.write,scim.read,openid,cloud_controller.admin,dashboard.user,console.admin,console.support
    ccdb:
      address: 172.16.76.22
      port: 2544
      db_scheme: postgres
      roles:
      - tag: admin
        name: admin
        password: somepassword
      databases:
      - tag: cc
        name: ccdb
        citext: true
    domain: 172.16.76.16.xip.io
    db: uaadb
    uaadb:
      address: 172.16.76.26
      port: 2544
      db_scheme: postgresql
      roles:
      - tag: admin
        name: root
        password: somepassword
      databases:
      - tag: uaa
        name: uaa
    networks:
      apps: default
    nats:
      user: nats
      password: somepassword
      address: 172.16.76.19
      port: 4222
    syslog_aggregator:
      address: 172.16.76.24
      port: 54321
- name: saml_login
  template: saml_login
  instances: 1
  resource_pool: saml_login
  persistent_disk: 0
  networks:
  - name: default
    static_ips:
    - 172.16.76.28
  properties:
    domain: 172.16.76.16.xip.io
    saml_login:
      serviceProviderKey: ! '-----BEGIN RSA PRIVATE KEY-----

 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

 AAAAAAAA

        -----END RSA PRIVATE KEY-----

'
      serviceProviderCertificate: ! '-----BEGIN CERTIFICATE-----

 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

 AAAAAAAA

        -----END CERTIFICATE-----

'
      idp_entity_alias: sso-sp
      idp_metadata_url: ! ''''''
    uaa:
      clients:
        login:
          secret: somesecret
    networks:
      apps: default
    nats:
      user: nats
      password: somepassword
      address: 172.16.76.19
      port: 4222
    syslog_aggregator:
      address: 172.16.76.24
      port: 54321
- name: dea
  template:
  - dea_next
  - dea_logging_agent
  instances: 4
  resource_pool: dea
  persistent_disk: 0
  networks:
  - name: default
  properties:
    domain: 172.16.76.16.xip.io
    dea_next:
      directory_server_protocol: http
      memory_mb: 16384
      memory_overcommit_factor: 3
      disk_mb: 32768
      disk_overcommit_factor: 2
      num_instances: 10
      stacks:
      - lucid64
    loggregator:
      router: 172.16.76.32:3456
      status:
        user: someuser
        password: somepassword
        port: 5768
    nats:
      user: nats
      password: somepassword
      address: 172.16.76.19
      port: 4222
- name: loggregator
  template: loggregator
  instances: 1
  resource_pool: loggregator
  persistent_disk: 0
  networks:
  - name: default
    static_ips:
    - 172.16.76.31
  properties:
    loggregator:
      disableEmailDomainAuthorization: true
      status:
        user: someuser
        password: somepassword
        port: 5768
    cc:
      srv_api_uri: http://api.172.16.76.16.xip.io
    system_domain: 172.16.76.16.xip.io
    uaa:
      jwt:
        verification_key: ! '-----BEGIN PUBLIC KEY-----

 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

 AAAAAAAA

          -----END PUBLIC KEY-----

'
    nats:
      user: nats
      password: somepassword
      address: 172.16.76.19
      port: 4222
- name: loggregator_router
  template: loggregatorrouter
  instances: 1
  resource_pool: loggregator_router
  persistent_disk: 0
  networks:
  - name: default
    static_ips:
    - 172.16.76.32
  properties:
    loggregator:
      router: 0.0.0.0:3456
      servers:
      status:
        user: someuser
        password: somepassword
        port: 5768
    system_domain: 172.16.76.16.xip.io
    nats:
      user: nats
      password: somepassword
      address: 172.16.76.19
      port: 4222







--
Thank you,

James Bayer

James Bayer

Dec 14, 2013, 5:32:29 PM
to vcap...@cloudfoundry.org
actually, perhaps using the bosh-lite docs to generate a deployment manifest using spiff [1] and then just changing the things you need for vsphere might be the easiest.

Kody Kantor

Dec 17, 2013, 3:16:09 PM
to vcap...@cloudfoundry.org
Alrighty, so I used spiff, and targeted my director (changed the "expected_director_name"), and it generated a manifest fine.
However, after I changed the manifest, bosh can't deploy the compilation vms due to "undefined method '-'" errors. It's hard to see what is and isn't being used in the spiff-generated yaml, so I'm not comfortable ripping things out.

Really, I'm extremely close to having my original deployment up and running. I just can't get the login server to work, and I have no idea why it doesn't. As far as I know, that's the only problem.

I can definitely post my deployment manifest, if that'll help point out holes that I'm not seeing.

Thanks, James!
Kody Kantor

Filip Hanik

Dec 17, 2013, 3:26:00 PM
to vcap...@cloudfoundry.org
You don't need the login job, that is a web based UI for logging in.
I can help you troubleshoot the actual authentication, it should be against the UAA job. Another way to test it is

gem install cf-uaac (it does expect you to have ruby 1.9.3)
uaac target http://uaa.<domain-ip-usually-that-of-haproxy>/
uaac token client get admin -s <admin-secret>
uaac token decode
uaac client get admin

if you still get an error, let us see the uaa.log from the uaa job


Kody Kantor

Dec 17, 2013, 3:51:58 PM
to vcap...@cloudfoundry.org
Cool. I didn't know that tool existed. I'm still getting error messages on the UAA side, so I attached the uaa.log file. Interesting stuff is at the bottom.

I ran 'uaac target http://uaa.cloudfoundry.local'
I don't have haproxy configured. Should I? It's just a small deployment that two people are going to be messing around with.
uaa.log

Filip Hanik

Dec 17, 2013, 4:04:53 PM
to vcap...@cloudfoundry.org
Kody, take a look at your uaa.yml file in something like
/var/vcap//data/jobs/uaa/36.3-dev/config/uaa.yml

paste us the section of 
jwt:
  token:
    signing-key: |
    verification-key: |

Kody Kantor

Dec 17, 2013, 4:17:55 PM
to vcap...@cloudfoundry.org
Very nice. In the deployment manifest, I copied these values from the spiff generated manifest into the one I had been using previously.
Formatting might be messed up after pasting.

jwt:
  token:
    signing-key: |
        RSA PRIVATE KEY----- MIICXAIBAAKBgQDHFr+KICms+tuT1OXJwhCUmR2dKVy7psa8xzElSyzqx7oJyfJ1 JZyOzToj9T5SfTIq396agbHJWVfYphNahvZ/7uMXqHxf+ZH9BL1gk9Y6kCnbM5R6 0gfwjyW1/dQPjOzn9N394zd2FJoFHwdq9Qs0wBugspULZVNRxq7veq/fzwIDAQAB AoGBAJ8dRTQFhIllbHx4GLbpTQsWXJ6w4hZvskJKCLM/o8R4n+0W45pQ1xEiYKdA Z/DRcnjltylRImBD8XuLL8iYOQSZXNMb1h3g5/UGbUXLmCgQLOUUlnYt34QOQm+0 KvUqfMSFBbKMsYBAoQmNdTHBaz3dZa8ON9hh/f5TT8u0OWNRAkEA5opzsIXv+52J duc1VGyX3SwlxiE2dStW8wZqGiuLH142n6MKnkLU4ctNLiclw6BZePXFZYIK+AkE xQ+k16je5QJBAN0TIKMPWIbbHVr5rkdUqOyezlFFWYOwnMmw/BKa1d3zp54VP/P8 +5aQ2d4sMoKEOfdWH7UqMe3FszfYFvSu5KMCQFMYeFaaEEP7Jn8rGzfQ5HQd44ek lQJqmq6CE2BXbY/i34FuvPcKU70HEEygY6Y9d8J3o6zQ0K9SYNu+pcXt4lkCQA3h jJQQe5uEGJTExqed7jllQ0khFJzLMx0K6tj0NeeIzAaGCQz13oo2sCdeGRHO4aDh HH6Qlq/6UOV5wP8+GAcCQFgRCcB+hrje8hfEEefHcFpyKH+5g1Eu1k0mLrxK2zd+ 4SlotYRHgPCEubokb2S1zfZDWIXW3HmggnGgM949TlY= -----END RSA PRIVATE KEY-----'
    verification-key: |
        PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDHFr+KICms+tuT1OXJwhCUmR2d KVy7psa8xzElSyzqx7oJyfJ1JZyOzToj9T5SfTIq396agbHJWVfYphNahvZ/7uMX qHxf+ZH9BL1gk9Y6kCnbM5R60gfwjyW1/dQPjOzn9N394zd2FJoFHwdq9Qs0wBug spULZVNRxq7veq/fzwIDAQAB -----END PUBLIC KEY-----'

Filip Hanik

Dec 17, 2013, 4:35:38 PM
to vcap...@cloudfoundry.org
hi Kody, yes, those are messed up. You are missing characters, the "-----BEGIN " string, for both keys; you have added extra characters to the end, the apostrophe ',
it should look like this


Kody Kantor

Dec 17, 2013, 4:57:05 PM
to vcap...@cloudfoundry.org
Yep, I notice that now. I had an extra character in the manifest.

So now all of the uaac commands work, but without a login server, gcf login returns a 404.

This is really exciting! I'm extremely glad that the UAA seems to be working.

Filip Hanik

Dec 17, 2013, 5:02:10 PM
to vcap...@cloudfoundry.org
I'm too new to have fully dabbled in gcf, not sure why it would go against the login job (it seems unlikely), but as I said, not fully clued in on the details.

also, make sure that your admin user has the scim.write scope to be able to create other users


uaac client update admin --authorities "clients.write clients.read uaa.admin scim.read scim.write"
uaac token delete
uaac token client get admin -s <admin secret>

Kody Kantor

Dec 17, 2013, 5:35:56 PM
to vcap...@cloudfoundry.org
Those authorities are already present for the admin account.

The issue does occur with the cf command line as well:
====
root@faeblclvm1:~/deployments# cf login

CFoundry::NotFound: :

====

Do I need to do something in the manifest to route to the UAA instead of the login server (which doesn't exist)?

Filip Hanik

Dec 17, 2013, 6:00:49 PM
to vcap...@cloudfoundry.org
API is neither the login server, nor the UAA. so if it can't find your API job, you must make sure it exists. do an output of 'bosh vms'

Filip

Kody Kantor

Dec 17, 2013, 6:09:35 PM
to vcap...@cloudfoundry.org
Right, but api is the cloud controller, which is what should be targeted, correct?
If I directly target the uaa, I get an invalid API endpoint.
In the manifest, api.cloudfoundry.local is the cloud controller's srv_api_uri, and the value for 'external_host' is api.

Here's bosh vms

+-----------------------+---------+----------------+--------------+
| Job/index             | State   | Resource Pool  | IPs          |
+-----------------------+---------+----------------+--------------+
| unknown/unknown       | running | infrastructure | 192.168.1.37 |
| unknown/unknown       | running | infrastructure | 192.168.1.36 |
| ccdb_ng/0             | running | infrastructure | 192.168.1.29 |
| cloud_controller_ng/0 | running | infrastructure | 192.168.1.30 |
| collector/0           | running | infrastructure | 192.168.1.26 |
| dea_next/0            | running | deas           | 192.168.1.48 |
| debian_nfs_server/0   | running | infrastructure | 192.168.1.20 |
| health_manager_next/0 | running | infrastructure | 192.168.1.23 |
| nats/0                | running | infrastructure | 192.168.1.22 |
| router/0              | running | infrastructure | 192.168.1.21 |
| syslog_aggregator/0   | running | infrastructure | 192.168.1.25 |
| uaa/0                 | running | infrastructure | 192.168.1.28 |
| uaadb/0               | running | infrastructure | 192.168.1.27 |
+-----------------------+---------+----------------+--------------+

Filip Hanik

Dec 17, 2013, 6:12:27 PM
to vcap...@cloudfoundry.org
Below is what a bosh-lite 'bosh vms' looks like. so I would start figuring out what you may be missing, and why some of them state unknown/unknown

+------------------------------------+---------+---------------+-------------+
| Job/index                          | State   | Resource Pool | IPs         |
+------------------------------------+---------+---------------+-------------+
| api_z1/0                           | running | large_z1      | 10.244.1.10 |
| etcd_leader_z1/0                   | running | medium_z1     | 10.244.0.38 |
| ha_proxy_z1/0                      | running | router_z1     | 10.244.0.34 |
| hm9000_z1/0                        | running | medium_z1     | 10.244.1.14 |
| hm9000_z2/0                        | running | medium_z2     | 10.244.3.2  |
| loggregator_trafficcontroller_z1/0 | running | small_z1      | 10.244.0.10 |
| loggregator_z1/0                   | running | large_z1      | 10.244.0.14 |
| login_z1/0                         | running | medium_z1     | 10.244.1.6  |
| nats_z1/0                          | running | medium_z1     | 10.244.0.6  |
| postgres_z1/0                      | running | large_z1      | 10.244.0.30 |
| router_z1/0                        | running | router_z1     | 10.244.0.22 |
| runner_z1/0                        | running | runner_z1     | 10.244.0.26 |
| uaa_z1/0                           | running | large_z1      | 10.244.1.2  |
+------------------------------------+---------+---------------+-------------+

Aristoteles Neto

Dec 17, 2013, 6:31:01 PM
to vcap...@cloudfoundry.org
I've also been learning how to use Cloud Foundry recently, and from what I could gather, those 'unknown/unknown' virtual machines are simply 'excess capacity'.

i.e. the resource pool specifies 10 instances, but you only had 8 jobs that used instances from that pool.

Aristoteles Neto


Kody Kantor

Dec 18, 2013, 3:09:36 PM
to vcap...@cloudfoundry.org, ne...@orcon.net.nz
Yeppers, I just changed the size of the resource pool, and the unknown vms disappeared.

The issue was that I hadn't set
login:
  enabled: false

in the manifest. I found this by running cf -t login, and saw that it was still using login.cloudfoundry.local as the authentication endpoint.

Now the issue is that I get an 'invalid authentication token' error.

Here's the response from the cf -t login command:

Filip Hanik

Dec 18, 2013, 5:15:00 PM
to vcap...@cloudfoundry.org
try 

uaac token client get admin -s admin-secret
uaac client update admin --authorities "password.write clients.write clients.read scim.read uaa.admin clients.secret scim.write"
uaac token delete
uaac token client get admin -s admin-secret
uaac user add filip -p password --emails fha...@gopivotal.com
uaac member add cloud_controller.admin filip
cf login filip

the user filip worked fine for me

Filip

Kody Kantor

Dec 19, 2013, 12:40:46 PM
to vcap...@cloudfoundry.org
That doesn't work with my setup. It still returns an 'invalid authentication token' error.

If I ssh into the uaadb job, I can see that adding users succeeds (or fails if it's already there). And in the cloud controller, I get this error when attempting to log in.

{"timestamp":1387474615.5330763,"message":"Invalid bearer token: #<CF::UAA::InvalidSignature: Signature verification failed>

Would it be easier if I had you folks look at my manifest? I feel that I'm missing something or have something wrong, and that's the cause of the problem.

Kody Kantor

Filip Hanik

Dec 19, 2013, 12:48:45 PM
to vcap...@cloudfoundry.org
hi Kody, out of all the commands I sent you, which one fails? 

Kody Kantor

Dec 19, 2013, 12:50:15 PM
to vcap...@cloudfoundry.org
Just the last one,
cf login <username>
password> ====> after this command, it fails

Filip Hanik

Dec 19, 2013, 1:08:22 PM
to vcap...@cloudfoundry.org
This seems to go back to your original problems with keys, 
in your example, the token generates
Headers
{
        "alg": "RS256"
}

looking at the code for cf-uaa-lib

and so let's figure out what is wrong with your token, so please print the output of "cf -t login ..." again

Filip


Kody Kantor

Dec 19, 2013, 1:12:12 PM
to vcap...@cloudfoundry.org
root@faeblclvm1:~# cf -t login admin

>>>
REQUEST_HEADERS:
  Accept : application/json
  Authorization : [PRIVATE DATA HIDDEN]
  Content-Length : 0
RESPONSE: [200]
RESPONSE_HEADERS:
  content-length : 262
  content-type : application/json;charset=utf-8
  date : Thu, 19 Dec 2013 18:08:55 GMT
  server : nginx
  x-content-type-options : nosniff
  x-vcap-request-id : c03b4cfe-1a74-4cf9-89f1-f9adc2c23d57
RESPONSE_BODY:
{
  "name": "vcap",
  "build": "2222",
  "version": 2,
  "description": "Cloud Foundry sponsored by Pivotal",
  "authorization_endpoint": "http://uaa.cloudfoundry.local",
  "token_endpoint": "http://uaa.cloudfoundry.local",
  "allow_debug": true
}
<<<
Password> ********

Authenticating.  --->
headers: {"content-type"=>"application/x-www-form-urlencoded;charset=utf-8", "accept"=>"application/json;charset=utf-8", "authorization"=>"Basic Y2Y6"}
body: grant_type=password&username=admin&password=password                                                                                                                                                     <---
response: 200
headers: {"cache-control"=>"no-store", "content-type"=>"application/json;charset=UTF-8", "date"=>"Thu, 19 Dec 2013 18:08:58 GMT", "pragma"=>"no-cache", "server"=>"Apache-Coyote/1.1", "transfer-encoding"=>"chunked"}
body: {"access_token":"eyJhbGciOiJSUzI1NiJ9.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.ALa3AccNHOK8BOsPDySGbHvrjcSHM4T7RTcWWHRpPNDarrj891y9RMJmp4-nSo8H5-3qyglHU-ds9zFg86_bj35ON9mERWTG1EY7kATFfLcuq3vzY47hb56UFfK4MNek50uKOfeUzBsQD4CmIa_MsywRM9emz5-bh9o0NFSRlkM","token_type":"bearer","refresh_token":"eyJhbGciOiJSUzI1NiJ9.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.jkxgsYYbSWE-4rSwb4frDUg9u5gdrQtnia4SQRp4W7EwQQrRg6dDBY_wClHiRw46cQUet7ErWJbeE_BgtBKc4TskzIcoyrznyF4lsSEwXh5lw0l1rWicM9yIrMR5DTZaucPt2Iqji6_h0pd4PDnqTiDyddRip4sQCAom8MzRpXQ","expires_in":1209599,"scope":"cloud_controller.admin cloud_controller.read cloud_controller.write openid password.write scim.read scim.write","jti":"eef8d179-d899-490f-82d9-ca3b14e6eb00"}                                                                                            ... OK
>>>
REQUEST_HEADERS:
  Accept : application/json
  Authorization : [PRIVATE DATA HIDDEN]
  Content-Length : 0
RESPONSE: [401]
RESPONSE_HEADERS:
  content-length : 8829
  content-type : application/json;charset=utf-8
  date : Thu, 19 Dec 2013 18:08:58 GMT
  server : nginx
  x-content-type-options : nosniff
  x-vcap-request-id : 0f7f19ae-98e8-44d1-a2b6-b13a98f53870
RESPONSE_BODY:
{"code":1000,"description":"Invalid Auth Token","error_code":"CF-InvalidAuthToken","types":["InvalidAuthToken","Error"],"backtrace":["/var/vcap/packages/cloud_controller_ng/cloud_controller_ng/lib/cloud_controller/rest_controller/base.rb:142:in `check_authentication'","/var/vcap/packages/cloud_controller_ng/cloud_controller_ng/lib/cloud_controller/rest_controller/base.rb:95:in `dispatch'","/var/vcap/packages/cloud_controller_ng/cloud_controller_ng/lib/cloud_controller/rest_controller/routes.rb:16:in `block in define_route'","/var/vcap/packages/cloud_controller_ng/cloud_controller_ng/vendor/bundle/ruby/1.9.1/gems/sinatra-1.4.3/lib/sinatra/base.rb:1540:in `call'","/var/vcap/packages/cloud_controller_ng/cloud_controller_ng/vendor/bundle/ruby/1.9.1/gems/sinatra-1.4.3/lib/sinatra/base.rb:1540:in `block in compile!'","/var/vcap/packages/cloud_controller_ng/cloud_controller_ng/vendor/bundle/ruby/1.9.1/gems/sinatra-1.4.3/lib/sinatra/base.rb:950:in `[]'","/var/vcap/packages/cloud_controller_ng/cloud_controller_ng/vendor/bundle/ruby/1.9.1/gems/sinatra-1.4.3/lib/sinatra/base.rb:950:in `block (3 levels) in route!'","/var/vcap/packages/cloud_controller_ng/cloud_controller_ng/vendor/bundle/ruby/1.9.1/gems/sinatra-1.4.3/lib/sinatra/base.rb:966:in `route_eval'","/var/vcap/packages/cloud_controller_ng/cloud_controller_ng/vendor/bundle/ruby/1.9.1/gems/newrelic_rpm-3.6.9.171/lib/new_relic/agent/instrumentation/sinatra.rb:133:in `route_eval_with_newrelic'","/var/vcap/packages/cloud_controller_ng/cloud_controller_ng/vendor/bundle/ruby/1.9.1/gems/sinatra-1.4.3/lib/sinatra/base.rb:950:in `block (2 levels) in route!'","/var/vcap/packages/cloud_controller_ng/cloud_controller_ng/vendor/bundle/ruby/1.9.1/gems/sinatra-1.4.3/lib/sinatra/base.rb:987:in `block in process_route'","/var/vcap/packages/cloud_controller_ng/cloud_controller_ng/vendor/bundle/ruby/1.9.1/gems/sinatra-1.4.3/lib/sinatra/base.rb:985:in 
`catch'","/var/vcap/packages/cloud_controller_ng/cloud_controller_ng/vendor/bundle/ruby/1.9.1/gems/sinatra-1.4.3/lib/sinatra/base.rb:985:in `process_route'","/var/vcap/packages/cloud_controller_ng/cloud_controller_ng/vendor/bundle/ruby/1.9.1/gems/newrelic_rpm-3.6.9.171/lib/new_relic/agent/instrumentation/sinatra.rb:116:in `process_route_with_newrelic'","/var/vcap/packages/cloud_controller_ng/cloud_controller_ng/vendor/bundle/ruby/1.9.1/gems/sinatra-1.4.3/lib/sinatra/base.rb:948:in `block in route!'","/var/vcap/packages/cloud_controller_ng/cloud_controller_ng/vendor/bundle/ruby/1.9.1/gems/sinatra-1.4.3/lib/sinatra/base.rb:947:in `each'","/var/vcap/packages/cloud_controller_ng/cloud_controller_ng/vendor/bundle/ruby/1.9.1/gems/sinatra-1.4.3/lib/sinatra/base.rb:947:in `route!'","/var/vcap/packages/cloud_controller_ng/cloud_controller_ng/vendor/bundle/ruby/1.9.1/gems/sinatra-1.4.3/lib/sinatra/base.rb:1059:in `block in dispatch!'","/var/vcap/packages/cloud_controller_ng/cloud_controller_ng/vendor/bundle/ruby/1.9.1/gems/sinatra-1.4.3/lib/sinatra/base.rb:1041:in `block in invoke'","/var/vcap/packages/cloud_controller_ng/cloud_controller_ng/vendor/bundle/ruby/1.9.1/gems/sinatra-1.4.3/lib/sinatra/base.rb:1041:in `catch'","/var/vcap/packages/cloud_controller_ng/cloud_controller_ng/vendor/bundle/ruby/1.9.1/gems/sinatra-1.4.3/lib/sinatra/base.rb:1041:in `invoke'","/var/vcap/packages/cloud_controller_ng/cloud_controller_ng/vendor/bundle/ruby/1.9.1/gems/sinatra-1.4.3/lib/sinatra/base.rb:1056:in `dispatch!'","/var/vcap/packages/cloud_controller_ng/cloud_controller_ng/vendor/bundle/ruby/1.9.1/gems/newrelic_rpm-3.6.9.171/lib/new_relic/agent/instrumentation/sinatra.rb:151:in `dispatch_and_notice_errors_with_newrelic'","/var/vcap/packages/cloud_controller_ng/cloud_controller_ng/vendor/bundle/ruby/1.9.1/gems/newrelic_rpm-3.6.9.171/lib/new_relic/agent/instrumentation/sinatra.rb:146:in `block in 
dispatch_with_newrelic'","/var/vcap/packages/cloud_controller_ng/cloud_controller_ng/vendor/bundle/ruby/1.9.1/gems/newrelic_rpm-3.6.9.171/lib/new_relic/agent/instrumentation/controller_instrumentation.rb:339:in `perform_action_with_newrelic_trace'","/var/vcap/packages/cloud_controller_ng/cloud_controller_ng/vendor/bundle/ruby/1.9.1/gems/newrelic_rpm-3.6.9.171/lib/new_relic/agent/instrumentation/sinatra.rb:145:in `dispatch_with_newrelic'","/var/vcap/packages/cloud_controller_ng/cloud_controller_ng/vendor/bundle/ruby/1.9.1/gems/sinatra-1.4.3/lib/sinatra/base.rb:882:in `block in call!'","/var/vcap/packages/cloud_controller_ng/cloud_controller_ng/vendor/bundle/ruby/1.9.1/gems/sinatra-1.4.3/lib/sinatra/base.rb:1041:in `block in invoke'","/var/vcap/packages/cloud_controller_ng/cloud_controller_ng/vendor/bundle/ruby/1.9.1/gems/sinatra-1.4.3/lib/sinatra/base.rb:1041:in `catch'","/var/vcap/packages/cloud_controller_ng/cloud_controller_ng/vendor/bundle/ruby/1.9.1/gems/sinatra-1.4.3/lib/sinatra/base.rb:1041:in `invoke'","/var/vcap/packages/cloud_controller_ng/cloud_controller_ng/vendor/bundle/ruby/1.9.1/gems/sinatra-1.4.3/lib/sinatra/base.rb:882:in `call!'","/var/vcap/packages/cloud_controller_ng/cloud_controller_ng/vendor/bundle/ruby/1.9.1/gems/sinatra-1.4.3/lib/sinatra/base.rb:870:in `call'","/var/vcap/packages/cloud_controller_ng/cloud_controller_ng/vendor/bundle/ruby/1.9.1/gems/newrelic_rpm-3.6.9.171/lib/new_relic/rack/error_collector.rb:50:in `call'","/var/vcap/packages/cloud_controller_ng/cloud_controller_ng/vendor/bundle/ruby/1.9.1/gems/newrelic_rpm-3.6.9.171/lib/new_relic/rack/browser_monitoring.rb:23:in `call'","/var/vcap/packages/cloud_controller_ng/cloud_controller_ng/vendor/bundle/ruby/1.9.1/gems/newrelic_rpm-3.6.9.171/lib/new_relic/rack/agent_hooks.rb:28:in `call'","/var/vcap/packages/cloud_controller_ng/cloud_controller_ng/vendor/bundle/ruby/1.9.1/gems/rack-protection-1.5.0/lib/rack/protection/xss_header.rb:18:in 
`call'","/var/vcap/packages/cloud_controller_ng/cloud_controller_ng/vendor/bundle/ruby/1.9.1/gems/rack-protection-1.5.0/lib/rack/protection/path_traversal.rb:16:in `call'","/var/vcap/packages/cloud_controller_ng/cloud_controller_ng/vendor/bundle/ruby/1.9.1/gems/rack-protection-1.5.0/lib/rack/protection/json_csrf.rb:18:in `call'","/var/vcap/packages/cloud_controller_ng/cloud_controller_ng/vendor/bundle/ruby/1.9.1/gems/rack-protection-1.5.0/lib/rack/protection/base.rb:49:in `call'","/var/vcap/packages/cloud_controller_ng/cloud_controller_ng/vendor/bundle/ruby/1.9.1/gems/rack-protection-1.5.0/lib/rack/protection/base.rb:49:in `call'","/var/vcap/packages/cloud_controller_ng/cloud_controller_ng/vendor/bundle/ruby/1.9.1/gems/rack-protection-1.5.0/lib/rack/protection/frame_options.rb:31:in `call'","/var/vcap/packages/cloud_controller_ng/cloud_controller_ng/vendor/bundle/ruby/1.9.1/gems/rack-1.5.2/lib/rack/nulllogger.rb:9:in `call'","/var/vcap/packages/cloud_controller_ng/cloud_controller_ng/vendor/bundle/ruby/1.9.1/gems/rack-1.5.2/lib/rack/head.rb:11:in `call'","/var/vcap/packages/cloud_controller_ng/cloud_controller_ng/vendor/bundle/ruby/1.9.1/gems/sinatra-1.4.3/lib/sinatra/base.rb:175:in `call'","/var/vcap/packages/cloud_controller_ng/cloud_controller_ng/vendor/bundle/ruby/1.9.1/gems/sinatra-1.4.3/lib/sinatra/base.rb:1949:in `call'","/var/vcap/packages/cloud_controller_ng/cloud_controller_ng/vendor/bundle/ruby/1.9.1/gems/rack-1.5.2/lib/rack/builder.rb:138:in `call'","/var/vcap/packages/cloud_controller_ng/cloud_controller_ng/vendor/bundle/ruby/1.9.1/gems/rack-1.5.2/lib/rack/urlmap.rb:65:in `block in call'","/var/vcap/packages/cloud_controller_ng/cloud_controller_ng/vendor/bundle/ruby/1.9.1/gems/rack-1.5.2/lib/rack/urlmap.rb:50:in `each'","/var/vcap/packages/cloud_controller_ng/cloud_controller_ng/vendor/bundle/ruby/1.9.1/gems/rack-1.5.2/lib/rack/urlmap.rb:50:in 
`call'","/var/vcap/packages/cloud_controller_ng/cloud_controller_ng/vendor/bundle/ruby/1.9.1/gems/rack-1.5.2/lib/rack/commonlogger.rb:33:in `call'","/var/vcap/packages/cloud_controller_ng/cloud_controller_ng/vendor/bundle/ruby/1.9.1/gems/sinatra-1.4.3/lib/sinatra/base.rb:212:in `call'","/var/vcap/packages/cloud_controller_ng/cloud_controller_ng/vendor/bundle/ruby/1.9.1/gems/rack-1.5.2/lib/rack/builder.rb:138:in `call'","/var/vcap/packages/cloud_controller_ng/cloud_controller_ng/vendor/bundle/ruby/1.9.1/gems/thin-1.5.1/lib/thin/connection.rb:81:in `block in pre_process'","/var/vcap/packages/cloud_controller_ng/cloud_controller_ng/vendor/bundle/ruby/1.9.1/gems/thin-1.5.1/lib/thin/connection.rb:79:in `catch'","/var/vcap/packages/cloud_controller_ng/cloud_controller_ng/vendor/bundle/ruby/1.9.1/gems/thin-1.5.1/lib/thin/connection.rb:79:in `pre_process'","/var/vcap/packages/cloud_controller_ng/cloud_controller_ng/vendor/bundle/ruby/1.9.1/gems/eventmachine-1.0.3/lib/eventmachine.rb:1037:in `call'","/var/vcap/packages/cloud_controller_ng/cloud_controller_ng/vendor/bundle/ruby/1.9.1/gems/eventmachine-1.0.3/lib/eventmachine.rb:1037:in `block in spawn_threadpool'"]}
<<<

Invalid authentication token. Try logging in again with 'cf login'. If problems continue, please contact your Cloud Operator.


Alrighty.

Filip Hanik

Dec 19, 2013, 1:14:45 PM
to vcap...@cloudfoundry.org
actually, don't use the user admin, use the user you created using the commands I sent you

Kody Kantor

Dec 19, 2013, 1:16:53 PM
to vcap...@cloudfoundry.org
Sounds good: 

root@faeblclvm1:~# cf -t login kody

>>>
REQUEST_HEADERS:
  Accept : application/json
  Authorization : [PRIVATE DATA HIDDEN]
  Content-Length : 0
RESPONSE: [200]
RESPONSE_HEADERS:
  content-length : 262
  content-type : application/json;charset=utf-8
  date : Thu, 19 Dec 2013 18:15:13 GMT
  server : nginx
  x-content-type-options : nosniff
  x-vcap-request-id : fd090b6f-457b-43e7-9fe4-e845784a784d
RESPONSE_BODY:
{
  "name": "vcap",
  "build": "2222",
  "version": 2,
  "description": "Cloud Foundry sponsored by Pivotal",
  "authorization_endpoint": "http://uaa.cloudfoundry.local",
  "token_endpoint": "http://uaa.cloudfoundry.local",
  "allow_debug": true
}
<<<
Password> ********

Authenticating.  --->
headers: {"content-type"=>"application/x-www-form-urlencoded;charset=utf-8", "accept"=>"application/json;charset=utf-8", "authorization"=>"Basic Y2Y6"}
body: grant_type=password&username=kody&password=password                                                                                                                                                      <---
response: 200
headers: {"cache-control"=>"no-store", "content-type"=>"application/json;charset=UTF-8", "date"=>"Thu, 19 Dec 2013 18:15:16 GMT", "pragma"=>"no-cache", "server"=>"Apache-Coyote/1.1", "transfer-encoding"=>"chunked"}
body: {"access_token":"eyJhbGciOiJSUzI1NiJ9.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.HjDH_nD6qLwDLt0nodgnzmInCBYDsKjVb5-4ygZyoj-7lpu60ADm6LOFQYbLeXeQZ7hODI4uWyjPUrnwpgZUsHp404VJT7mT-ZBlPJdCFR6HbLJu0Asjim5OeqE4f7azeqSR38lOsV94FjtHgrW3YcMsZLO2jsGeAAxdwdeVlic","token_type":"bearer","refresh_token":"eyJhbGciOiJSUzI1NiJ9.eyJqdGkiOiJkNzBlZGEyYS01MmIwLTRlMzktOGUxYi03NmVlNTliMDY4YWIiLCJzdWIiOiI2MDgxODk3OS1mM2I1LTRiMmMtODc5YS1jNzk0MzAzN2UwMGUiLCJzY29wZSI6WyJjbG91ZF9jb250cm9sbGVyLmFkbWluIiwiY2xvdWRfY29udHJvbGxlci5yZWFkIiwiY2xvdWRfY29udHJvbGxlci53cml0ZSIsIm9wZW5pZCIsInBhc3N3b3JkLndyaXRlIl0sImlhdCI6MTM4NzQ3NjkxNiwiZXhwIjoxMzg4Njg2NTE2LCJjaWQiOiJjZiIsImlzcyI6Imh0dHBzOi8vdWFhLmNsb3VkZm91bmRyeS5sb2NhbC9vYXV0aC90b2tlbiIsImdyYW50X3R5cGUiOiJwYXNzd29yZCIsInVzZXJfbmFtZSI6ImtvZHkiLCJhdWQiOlsiY2xvdWRfY29udHJvbGxlci5hZG1pbiIsImNsb3VkX2NvbnRyb2xsZXIucmVhZCIsImNsb3VkX2NvbnRyb2xsZXIud3JpdGUiLCJvcGVuaWQiLCJwYXNzd29yZC53cml0ZSJdfQ.ST2oNeiYwv5TjO2Ru2KZjiTF8YwICJgXzdLFh4786L0_AVfhSLLW_feoYLiB49Us8ug9PUElPMWVB2saZ2QjWiTP3M28nR4DxaTRTVEL9W9W66HV-C4glt2u5pvvdh9U_zVqQuNa5tgNzmVTN2qwnu4om-jSUKQNNkS-QPO-LtU","expires_in":1209599,"scope":"cloud_controller.admin cloud_controller.read cloud_controller.write openid password.write","jti":"8354c00d-d8a4-46d4-8374-50de141ad507"}                                                                                                                                                                                                        ... OK
>>>
REQUEST_HEADERS:
  Accept : application/json
  Authorization : [PRIVATE DATA HIDDEN]
  Content-Length : 0
RESPONSE: [401]
RESPONSE_HEADERS:
  content-length : 8829
  content-type : application/json;charset=utf-8
  date : Thu, 19 Dec 2013 18:15:16 GMT
  server : nginx
  x-content-type-options : nosniff
  x-vcap-request-id : 1ca409b4-64e8-4847-ab9f-5b9f3fd2fcc7
RESPONSE_BODY:
{"code":1000,"description":"Invalid Auth Token","error_code":"CF-InvalidAuthToken","types":["InvalidAuthToken","Error"],"backtrace":["/var/vcap/packages/cloud_controller_ng/cloud_controller_ng/lib/cloud_controller/rest_controller/base.rb:142:in `check_authentication'","/var/vcap/packages/cloud_controller_ng/cloud_controller_ng/lib/cloud_controller/rest_controller/base.rb:95:in `dispatch'","/var/vcap/packages/cloud_controller_ng/cloud_controller_ng/lib/cloud_controller/rest_controller/routes.rb:16:in `block in define_route'","/var/vcap/packages/cloud_controller_ng/cloud_controller_ng/vendor/bundle/ruby/1.9.1/gems/sinatra-1.4.3/lib/sinatra/base.rb:1540:in `call'","/var/vcap/packages/cloud_controller_ng/cloud_controller_ng/vendor/bundle/ruby/1.9.1/gems/sinatra-1.4.3/lib/sinatra/base.rb:1540:in `block in compile!'","/var/vcap/packages/cloud_controller_ng/cloud_controller_ng/vendor/bundle/ruby/1.9.1/gems/sinatra-1.4.3/lib/sinatra/base.rb:950:in `[]'","/var/vcap/packages/cloud_controller_ng/cloud_controller_ng/vendor/bundle/ruby/1.9.1/gems/sinatra-1.4.3/lib/sinatra/base.rb:950:in `block (3 levels) in route!'","/var/vcap/packages/cloud_controller_ng/cloud_controller_ng/vendor/bundle/ruby/1.9.1/gems/sinatra-1.4.3/lib/sinatra/base.rb:966:in `route_eval'","/var/vcap/packages/cloud_controller_ng/cloud_controller_ng/vendor/bundle/ruby/1.9.1/gems/newrelic_rpm-3.6.9.171/lib/new_relic/agent/instrumentation/sinatra.rb:133:in `route_eval_with_newrelic'","/var/vcap/packages/cloud_controller_ng/cloud_controller_ng/vendor/bundle/ruby/1.9.1/gems/sinatra-1.4.3/lib/sinatra/base.rb:950:in `block (2 levels) in route!'","/var/vcap/packages/cloud_controller_ng/cloud_controller_ng/vendor/bundle/ruby/1.9.1/gems/sinatra-1.4.3/lib/sinatra/base.rb:987:in `block in process_route'","/var/vcap/packages/cloud_controller_ng/cloud_controller_ng/vendor/bundle/ruby/1.9.1/gems/sinatra-1.4.3/lib/sinatra/base.rb:985:in 
`catch'","/var/vcap/packages/cloud_controller_ng/cloud_controller_ng/vendor/bundle/ruby/1.9.1/gems/sinatra-1.4.3/lib/sinatra/base.rb:985:in `process_route'","/var/vcap/packages/cloud_controller_ng/cloud_controller_ng/vendor/bundle/ruby/1.9.1/gems/newrelic_rpm-3.6.9.171/lib/new_relic/agent/instrumentation/sinatra.rb:116:in `process_route_with_newrelic'","/var/vcap/packages/cloud_controller_ng/cloud_controller_ng/vendor/bundle/ruby/1.9.1/gems/sinatra-1.4.3/lib/sinatra/base.rb:948:in `block in route!'","/var/vcap/packages/cloud_controller_ng/cloud_controller_ng/vendor/bundle/ruby/1.9.1/gems/sinatra-1.4.3/lib/sinatra/base.rb:947:in `each'","/var/vcap/packages/cloud_controller_ng/cloud_controller_ng/vendor/bundle/ruby/1.9.1/gems/sinatra-1.4.3/lib/sinatra/base.rb:947:in `route!'","/var/vcap/packages/cloud_controller_ng/cloud_controller_ng/vendor/bundle/ruby/1.9.1/gems/sinatra-1.4.3/lib/sinatra/base.rb:1059:in `block in dispatch!'","/var/vcap/packages/cloud_controller_ng/cloud_controller_ng/vendor/bundle/ruby/1.9.1/gems/sinatra-1.4.3/lib/sinatra/base.rb:1041:in `block in invoke'","/var/vcap/packages/cloud_controller_ng/cloud_controller_ng/vendor/bundle/ruby/1.9.1/gems/sinatra-1.4.3/lib/sinatra/base.rb:1041:in `catch'","/var/vcap/packages/cloud_controller_ng/cloud_controller_ng/vendor/bundle/ruby/1.9.1/gems/sinatra-1.4.3/lib/sinatra/base.rb:1041:in `invoke'","/var/vcap/packages/cloud_controller_ng/cloud_controller_ng/vendor/bundle/ruby/1.9.1/gems/sinatra-1.4.3/lib/sinatra/base.rb:1056:in `dispatch!'","/var/vcap/packages/cloud_controller_ng/cloud_controller_ng/vendor/bundle/ruby/1.9.1/gems/newrelic_rpm-3.6.9.171/lib/new_relic/agent/instrumentation/sinatra.rb:151:in `dispatch_and_notice_errors_with_newrelic'","/var/vcap/packages/cloud_controller_ng/cloud_controller_ng/vendor/bundle/ruby/1.9.1/gems/newrelic_rpm-3.6.9.171/lib/new_relic/agent/instrumentation/sinatra.rb:146:in `block in 
dispatch_with_newrelic'","/var/vcap/packages/cloud_controller_ng/cloud_controller_ng/vendor/bundle/ruby/1.9.1/gems/newrelic_rpm-3.6.9.171/lib/new_relic/agent/instrumentation/controller_instrumentation.rb:339:in `perform_action_with_newrelic_trace'","/var/vcap/packages/cloud_controller_ng/cloud_controller_ng/vendor/bundle/ruby/1.9.1/gems/newrelic_rpm-3.6.9.171/lib/new_relic/agent/instrumentation/sinatra.rb:145:in `dispatch_with_newrelic'","/var/vcap/packages/cloud_controller_ng/cloud_controller_ng/vendor/bundle/ruby/1.9.1/gems/sinatra-1.4.3/lib/sinatra/base.rb:882:in `block in call!'","/var/vcap/packages/cloud_controller_ng/cloud_controller_ng/vendor/bundle/ruby/1.9.1/gems/sinatra-1.4.3/lib/sinatra/base.rb:1041:in `block in invoke'","/var/vcap/packages/cloud_controller_ng/cloud_controller_ng/vendor/bundle/ruby/1.9.1/gems/sinatra-1.4.3/lib/sinatra/base.rb:1041:in `catch'","/var/vcap/packages/cloud_controller_ng/cloud_controller_ng/vendor/bundle/ruby/1.9.1/gems/sinatra-1.4.3/lib/sinatra/base.rb:1041:in `invoke'","/var/vcap/packages/cloud_controller_ng/cloud_controller_ng/vendor/bundle/ruby/1.9.1/gems/sinatra-1.4.3/lib/sinatra/base.rb:882:in `call!'","/var/vcap/packages/cloud_controller_ng/cloud_controller_ng/vendor/bundle/ruby/1.9.1/gems/sinatra-1.4.3/lib/sinatra/base.rb:870:in `call'","/var/vcap/packages/cloud_controller_ng/cloud_controller_ng/vendor/bundle/ruby/1.9.1/gems/newrelic_rpm-3.6.9.171/lib/new_relic/rack/error_collector.rb:50:in `call'","/var/vcap/packages/cloud_controller_ng/cloud_controller_ng/vendor/bundle/ruby/1.9.1/gems/newrelic_rpm-3.6.9.171/lib/new_relic/rack/browser_monitoring.rb:23:in `call'","/var/vcap/packages/cloud_controller_ng/cloud_controller_ng/vendor/bundle/ruby/1.9.1/gems/newrelic_rpm-3.6.9.171/lib/new_relic/rack/agent_hooks.rb:28:in `call'","/var/vcap/packages/cloud_controller_ng/cloud_controller_ng/vendor/bundle/ruby/1.9.1/gems/rack-protection-1.5.0/lib/rack/protection/xss_header.rb:18:in 
`call'","/var/vcap/packages/cloud_controller_ng/cloud_controller_ng/vendor/bundle/ruby/1.9.1/gems/rack-protection-1.5.0/lib/rack/protection/path_traversal.rb:16:in `call'","/var/vcap/packages/cloud_controller_ng/cloud_controller_ng/vendor/bundle/ruby/1.9.1/gems/rack-protection-1.5.0/lib/rack/protection/json_csrf.rb:18:in `call'","/var/vcap/packages/cloud_controller_ng/cloud_controller_ng/vendor/bundle/ruby/1.9.1/gems/rack-protection-1.5.0/lib/rack/protection/base.rb:49:in `call'","/var/vcap/packages/cloud_controller_ng/cloud_controller_ng/vendor/bundle/ruby/1.9.1/gems/rack-protection-1.5.0/lib/rack/protection/base.rb:49:in `call'","/var/vcap/packages/cloud_controller_ng/cloud_controller_ng/vendor/bundle/ruby/1.9.1/gems/rack-protection-1.5.0/lib/rack/protection/frame_options.rb:31:in `call'","/var/vcap/packages/cloud_controller_ng/cloud_controller_ng/vendor/bundle/ruby/1.9.1/gems/rack-1.5.2/lib/rack/nulllogger.rb:9:in `call'","/var/vcap/packages/cloud_controller_ng/cloud_controller_ng/vendor/bundle/ruby/1.9.1/gems/rack-1.5.2/lib/rack/head.rb:11:in `call'","/var/vcap/packages/cloud_controller_ng/cloud_controller_ng/vendor/bundle/ruby/1.9.1/gems/sinatra-1.4.3/lib/sinatra/base.rb:175:in `call'","/var/vcap/packages/cloud_controller_ng/cloud_controller_ng/vendor/bundle/ruby/1.9.1/gems/sinatra-1.4.3/lib/sinatra/base.rb:1949:in `call'","/var/vcap/packages/cloud_controller_ng/cloud_controller_ng/vendor/bundle/ruby/1.9.1/gems/rack-1.5.2/lib/rack/builder.rb:138:in `call'","/var/vcap/packages/cloud_controller_ng/cloud_controller_ng/vendor/bundle/ruby/1.9.1/gems/rack-1.5.2/lib/rack/urlmap.rb:65:in `block in call'","/var/vcap/packages/cloud_controller_ng/cloud_controller_ng/vendor/bundle/ruby/1.9.1/gems/rack-1.5.2/lib/rack/urlmap.rb:50:in `each'","/var/vcap/packages/cloud_controller_ng/cloud_controller_ng/vendor/bundle/ruby/1.9.1/gems/rack-1.5.2/lib/rack/urlmap.rb:50:in 
`call'","/var/vcap/packages/cloud_controller_ng/cloud_controller_ng/vendor/bundle/ruby/1.9.1/gems/rack-1.5.2/lib/rack/commonlogger.rb:33:in `call'","/var/vcap/packages/cloud_controller_ng/cloud_controller_ng/vendor/bundle/ruby/1.9.1/gems/sinatra-1.4.3/lib/sinatra/base.rb:212:in `call'","/var/vcap/packages/cloud_controller_ng/cloud_controller_ng/vendor/bundle/ruby/1.9.1/gems/rack-1.5.2/lib/rack/builder.rb:138:in `call'","/var/vcap/packages/cloud_controller_ng/cloud_controller_ng/vendor/bundle/ruby/1.9.1/gems/thin-1.5.1/lib/thin/connection.rb:81:in `block in pre_process'","/var/vcap/packages/cloud_controller_ng/cloud_controller_ng/vendor/bundle/ruby/1.9.1/gems/thin-1.5.1/lib/thin/connection.rb:79:in `catch'","/var/vcap/packages/cloud_controller_ng/cloud_controller_ng/vendor/bundle/ruby/1.9.1/gems/thin-1.5.1/lib/thin/connection.rb:79:in `pre_process'","/var/vcap/packages/cloud_controller_ng/cloud_controller_ng/vendor/bundle/ruby/1.9.1/gems/eventmachine-1.0.3/lib/eventmachine.rb:1037:in `call'","/var/vcap/packages/cloud_controller_ng/cloud_controller_ng/vendor/bundle/ruby/1.9.1/gems/eventmachine-1.0.3/lib/eventmachine.rb:1037:in `block in spawn_threadpool'"]}
<<<

Invalid authentication token. Try logging in again with 'cf login'. If problems continue, please contact your Cloud Operator.

Filip Hanik

Dec 19, 2013, 1:51:59 PM
to vcap...@cloudfoundry.org
let's try an experiment, run the following commands

uaac token client get admin -s admin-secret
uaac client get cf
uaac client update cf --authorities "uaa.resource"
cf -t login kody


Kody Kantor

Dec 19, 2013, 2:05:39 PM
to vcap...@cloudfoundry.org

Filip Hanik

Dec 19, 2013, 2:41:41 PM
to vcap...@cloudfoundry.org
ok, I know what is going on
go to your file cloud_controller_ng.yml, find the section uaa (mine was in /var/vcap/data/jobs/cloud_controller_ng/22.1-dev/config/cloud_controller_ng.yml)

uaa:
  resource_id: cloud_controller
  
  verification_key: |
      -----BEGIN PUBLIC KEY-----
      MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDHFr+KICms+tuT1OXJwhCUmR2d
      KVy7psa8xzElSyzqx7oJyfJ1JZyOzToj9T5SfTIq396agbHJWVfYphNahvZ/7uMX
      qHxf+ZH9BL1gk9Y6kCnbM5R60gfwjyW1/dQPjOzn9N394zd2FJoFHwdq9Qs0wBug
      spULZVNRxq7veq/fzwIDAQAB
      -----END PUBLIC KEY-----


and make sure your key is properly there

Kody Kantor

Dec 19, 2013, 4:05:10 PM
to vcap...@cloudfoundry.org
It was messed up. I added extra spaces to the corresponding portion of my deploy manifest.

However, the login command still fails after I enter my password with the same error.

Kody Kantor

Filip Hanik

Dec 19, 2013, 4:07:01 PM
to vcap...@cloudfoundry.org
>However, the login command still fails after I enter my password with the same error.

so it is probably still messed up. should be the exact same snippet as in uaa.yml on the UAA job.

Filip

Filip Hanik

Dec 19, 2013, 4:15:52 PM
to vcap...@cloudfoundry.org
(btw, you did restart the cloud controller job after updating it?)

Kody Kantor

Dec 19, 2013, 4:17:52 PM
to vcap...@cloudfoundry.org
Yep, I re-deployed the whole setup, and then ran the uaac commands again.

The keys are the same:

Filip Hanik

Dec 19, 2013, 4:19:56 PM
to vcap...@cloudfoundry.org
so your logs keep spitting out?

{"timestamp":1387474615.5330763,"message":"Invalid bearer token: #<CF::UAA::InvalidSignature: Signature verification failed> 

Kody Kantor

Dec 19, 2013, 4:26:06 PM
to vcap...@cloudfoundry.org
Nope. After we created the 'kody' user, and tried logging in with it, the error has been:
{"code":1000,"description":"Invalid Auth Token","error_code":"CF-InvalidAuthToken","types":["InvalidAuthToken","Error"],"

Kody Kantor

Filip Hanik

Dec 19, 2013, 4:46:15 PM
to vcap...@cloudfoundry.org
ok, two guesses, all your machines are time synced right? so that one doesn't think the token has expired cause its clock is wrong?
and, also check other config files for the key.
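An added example, not part of the thread and not Cloud Foundry's own code: a Ruby script for the check a resource server makes on an RS256 token, reporting which of the causes raised in this thread applies (verification key that does not parse, key that does not match the signing key, or clock skew between machines). The keys, claims and all function names are constructed for illustration.

```ruby
require 'openssl'
require 'json'

def b64url_encode(bytes)
  [bytes].pack('m0').tr('+/', '-_').delete('=')
end

def b64url_decode(text)
  (text.tr('-_', '+/') + '=' * ((4 - text.length % 4) % 4)).unpack1('m0')
end

# Parse a PEM key. Returns nil when OpenSSL cannot read it (truncated body,
# stray characters, damaged armor lines). The dummy passphrase only keeps
# malformed input from ever triggering an interactive prompt.
def load_key(pem)
  OpenSSL::PKey::RSA.new(pem, 'unused')
rescue OpenSSL::OpenSSLError
  nil
end

# True when verification_pem is the public half of signing_pem.
def key_pair_matches?(signing_pem, verification_pem)
  priv = load_key(signing_pem)
  pub = load_key(verification_pem)
  return false if priv.nil? || pub.nil?

  priv.public_key.to_der == pub.public_key.to_der
end

# Issuer side, used only to build the sample token below.
# The header encodes to "eyJhbGciOiJSUzI1NiJ9", as in the tokens in the thread.
def sign_rs256(claims, private_key)
  input = [{ 'alg' => 'RS256' }, claims].map { |p| b64url_encode(JSON.generate(p)) }.join('.')
  "#{input}.#{b64url_encode(private_key.sign(OpenSSL::Digest.new('SHA256'), input))}"
end

def signature_valid?(key, signature, signed_text)
  key.verify(OpenSSL::Digest.new('SHA256'), signature, signed_text)
rescue OpenSSL::OpenSSLError
  false
end

# Resource-server side check. Returns one of :key_unparseable,
# :malformed_token, :wrong_alg, :bad_signature, :issued_in_future,
# :expired or :ok. `now` and `leeway` are in seconds.
def diagnose(token, verification_pem, now: Time.now.to_i, leeway: 30)
  key = load_key(verification_pem)
  return :key_unparseable if key.nil?

  parts = token.split('.', -1)
  return :malformed_token unless parts.length == 3

  begin
    header = JSON.parse(b64url_decode(parts[0]))
    claims = JSON.parse(b64url_decode(parts[1]))
    signature = b64url_decode(parts[2])
  rescue JSON::ParserError, ArgumentError
    return :malformed_token
  end
  return :malformed_token unless header.is_a?(Hash) && claims.is_a?(Hash)
  return :wrong_alg unless header['alg'] == 'RS256'
  return :bad_signature unless signature_valid?(key, signature, "#{parts[0]}.#{parts[1]}")

  # Claims are only interpreted after the signature has been accepted.
  # An iat in the future means the verifier's clock is behind the issuer's.
  return :issued_in_future if claims['iat'].is_a?(Integer) && claims['iat'] > now + leeway
  return :expired if claims['exp'].is_a?(Integer) && claims['exp'] <= now - leeway

  :ok
end

# --- Constructed sample data (not keys or tokens from the thread) ---
UAA_KEY = OpenSSL::PKey::RSA.new(2048)    # stands in for the issuer's signing key
OTHER_KEY = OpenSSL::PKey::RSA.new(2048)  # stands in for a stale or wrong key
ISSUED_AT = 1_700_000_000
SAMPLE_TOKEN = sign_rs256(
  { 'cid' => 'cf', 'user_name' => 'kody', 'scope' => ['cloud_controller.admin'],
    'iat' => ISSUED_AT, 'exp' => ISSUED_AT + 1_209_600 },
  UAA_KEY
)
GOOD_PEM = UAA_KEY.public_key.to_pem
# A key whose body was cut short, like a pasted "<snip>" left in a manifest.
TRUNCATED_PEM = GOOD_PEM.lines.first(2).join + "<snip>\n" + GOOD_PEM.lines.last

if $PROGRAM_NAME == __FILE__
  puts diagnose(SAMPLE_TOKEN, GOOD_PEM, now: ISSUED_AT + 60)
  puts diagnose(SAMPLE_TOKEN, OTHER_KEY.public_key.to_pem, now: ISSUED_AT + 60)
  puts diagnose(SAMPLE_TOKEN, TRUNCATED_PEM, now: ISSUED_AT + 60)
  puts diagnose(SAMPLE_TOKEN, GOOD_PEM, now: ISSUED_AT - 3600)
end
```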

Kody Kantor

Dec 30, 2013, 3:18:49 PM
to vcap...@cloudfoundry.org
The machines weren't synced correctly, so I changed the command line machine to match the rest of them. Good catch!
The uaa and ccdb have the same keys listed.

The same "Invalid Auth Token" error is still generated whenever I try to log in.

mauj

Jan 22, 2014, 12:24:54 AM
to vcap...@cloudfoundry.org
Kody, I am running into exactly the same error ("Invalid authentication token"). Were you able to get your setup going? what was the change required??

Kody Kantor

Jan 22, 2014, 1:00:58 PM
to vcap...@cloudfoundry.org, ajay...@gmail.com
I was able to get mine running, however the fix probably isn't recommended.
In my deployment manifest, I added
admin:
  override: true #this line
  refresh-token-validity: <number>
  access-token-validity: <number>
  <etc etc>
to the admin user's list of properties. I just log in as admin, because for what I'm doing with Cloud Foundry, I only need one user. If you find a better solution, I'd definitely be happy to hear what it is!

Kody Kantor

Filip Hanik

Jan 22, 2014, 1:11:44 PM
to vcap...@cloudfoundry.org
That line indicates that it will overwrite existing settings in the DB for that user. When you upgrade cloudfoundry, it can be used to overwrite old data.



mauj

Jan 23, 2014, 2:14:05 AM
to vcap...@cloudfoundry.org
Tried adding this line.. but same error - Invalid authentication token

If I enter the wrong passwd, it says auth failed. So in Invalid authentication token case, it is validating the passwd fine, but after that something seems to go wrong

Filip Hanik

Jan 23, 2014, 8:39:25 AM
to vcap...@cloudfoundry.org
send us your manifest. sync your clocks. 

mauj

Jan 23, 2014, 1:34:57 PM
to vcap...@cloudfoundry.org
Filip - the output got is below and manifest is attached. Thx

rcf@rcf-ubuntu1:~$ gcf login
Warning: Insecure http API endpoint detected: secure https API endpoints are recommended


Username> admin

Password>
Authenticating...
OK

FAILED
Error finding avilable orgs
Server error, status code: 401, error code: GATEWAY INVALID TOKEN CODE, message: Invalid Auth Token
rcf@rcf-ubuntu1:~$
cloudfoundry.yml

Filip Hanik

Jan 23, 2014, 1:53:20 PM
to vcap...@cloudfoundry.org
found the problem - see the string <snip>, that doesn't look like valid keys.

 GHKHrD8gsCEt/ <snip>
        -----END RSA PRIVATE KEY-----
      verification_key: |
        -----BEGIN PUBLIC KEY-----
        MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvd/SRZ3oOeWNp2eMhMs3
        SfejERgvr7eP4Q0N <snip>
        -----END PUBLIC KEY-----



  uaa:
    no_ssl: true
    catalina_opts: -Xmx768m -XX:MaxPermSize=256m
    jwt:
      signing_key: |
        -----BEGIN RSA PRIVATE KEY-----
        MIIEpQIBAAKCAQEAvd/SRZ3oOeWNp2eMhMs3SfejERgvr7eP4Q0Nj3tf11hfhfZ9
        Rkk3A16804GdABKSVl7oXBSqa/dO6dD+SEXiXI9qCCZNkFX23VJ7DZoZTcrxvAgJ
        xr+stT5JXmtEAQ0L5zlM8uYnuRlK2MhcIQQlDzS4p3IAJkN/Q3XwPjrEJN5g0lgn
        jERDpmeVgoczOQpJopcZJQ5fMtHpzlWNybdgUnatrLSLDOjQbxUMe3BRWPE6pgcQ
        d48PvX9X+wVypl+i92qLvuBbWRw36B+tweFISAThmX+mBKRSrlyuAt+yNkH4XOSw
        7I2Eei0XvPkVwUH1JX8DAbee0zUtrpAuXqYI9wIDAQABAoIBAQCdI4VENEEi2UX4
        i4wRwpUJVDbSSO/+Pq6GlGTqoDJbaDn2Bl77MlCjK16etKAYlUYi0P0AZ+H65Huc
        qmgnrB6Ad/hKslhy4ZIi7MYGJchXR2P0N7rPj4YBoYDa8W8gZ4m4XQW/6JZra/Ez
        o+4LLQD2qq0/duuEv0utqweemMgHsc30wiAMxYUqqpXcZ9yRZf9NRN+2WZmLz8iy
        QDkaXnKyh7DXbXXSe5map8W39AzBJWz7fb5o6Zgv8/XyO2e05nq12jey2Q/o3+x0
        L/xoY8Ce9YSOopiiCGSw5vPxBgC0uu4sEelP838Q0plj1/fVe+gdhQfYIYuM2zDF
        LTwvcMexAoGBAODA7I2z27lGEbqVucOSLMeBINb0mXLfZeMWhE71ngPiw1aDdsMK
        ccXpnBPy8kvNKYwR3K9QRuvD6QOdbRYVBfCyTsrAZlYD2pHRkQPtqZ6xencXXXT6
        GHKHrD8gsCEt/ <snip>
        -----END RSA PRIVATE KEY-----
      verification_key: |
        -----BEGIN PUBLIC KEY-----
        MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvd/SRZ3oOeWNp2eMhMs3
        SfejERgvr7eP4Q0N <snip>
        -----END PUBLIC KEY-----



ajay...@gmail.com

Jan 23, 2014, 2:12:04 PM
to vcap...@cloudfoundry.org
Oops.. should have mentioned it. I truncated the full key string while attaching the manifest. In the version being used, the entire string is there..

Filip Hanik

Jan 23, 2014, 3:02:35 PM
to vcap...@cloudfoundry.org
you can try recreating your users by setting override: true - 

    scim:
      user:
        override: false
      users:
      - admin|vcap|scim.write,scim.read,openid,cloud_controller.admin,dashboard.user,console.admin,console.support
      - system_services|vcap|cloud_controller.admin
      - system_verification|vcap|scim.write,scim.read,openid,cloud_controller.admin,dashboard.user,console.admin,console.support

ajay...@gmail.com

Jan 23, 2014, 5:42:33 PM
to vcap...@cloudfoundry.org
Set override to true and ran the commands below after re-deploying, but still the same issue. Are there any logs / debugs that can throw light on what is going on?

uaac token client get admin -s secret
uaac client update admin --authorities "password.write clients.write clients.read scim.read uaa.admin clients.secret scim.write"
uaac token delete
uaac token client get admin -s secret
uaac user add abc -p password --emails a...@abc.com
uaac member add cloud_controller.admin abc
cf login abc

Filip Hanik

Jan 23, 2014, 8:21:46 PM
to vcap...@cloudfoundry.org
do this, 

uaac token get abc

then you can get us the file ~/.uaac.yml which contains your token and we can see what it doesn't have.

you can also get the log file from the uaa job

bosh ssh uaa_z1/0 
sudo su - 
find / -name uaa.log
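
The "see what it doesn't have" check suggested above can also be run locally, so that only the decoded claims, not the bearer token itself, need to be shared. This is an added example, not part of the original thread and not code from UAA or uaac: it decodes a token's claims without verifying the signature and reports missing scopes or audience. The `scope`/`aud`/`exp` claim layout, the `cloud_controller` audience, the helper names and the sample token are assumptions constructed for illustration.

```python
import base64
import json
import time

def _b64url(segment):
    # JWT segments are unpadded base64url; restore padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_claims(token):
    """Return (header, claims) without verifying the signature (diagnosis only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url(parts[0])), json.loads(_b64url(parts[1]))

def as_list(value):
    # Claims may arrive as a list or as one space-separated string.
    return value.split() if isinstance(value, str) else list(value or [])

def audit_token(token, required_scopes, required_aud, now=None):
    """List what the token lacks relative to the caller's expectations."""
    header, claims = decode_claims(token)
    now = time.time() if now is None else now
    findings = []
    for scope in sorted(set(required_scopes) - set(as_list(claims.get("scope")))):
        findings.append("missing scope: " + scope)
    for aud in sorted(set(required_aud) - set(as_list(claims.get("aud")))):
        findings.append("missing audience: " + aud)
    exp = claims.get("exp")
    if exp is None:
        findings.append("no exp claim")
    elif exp <= now:
        findings.append("token expired")
    if str(header.get("alg", "none")).lower() == "none":
        findings.append("unsigned token (alg=none)")
    return findings

def make_constructed_token(claims, alg="RS256"):
    """Build a sample token for this demo; the signature is a dummy string."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": alg, "typ": "JWT"}), enc(claims), "constructed-signature"])

if __name__ == "__main__":
    NOW = 1390500000  # fixed clock so the demo is reproducible
    sample = make_constructed_token(  # constructed claims, not a real token
        {"user_name": "abc", "scope": ["openid", "scim.read"],
         "aud": ["openid", "scim"], "exp": NOW + 600})
    for line in audit_token(sample, {"cloud_controller.admin"}, {"cloud_controller"}, NOW):
        print(line)
```

An empty result means the token carries the expected scope and audience and is unexpired; it says nothing about whether the signature verifies against the deployed verification_key.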




ajay...@gmail.com

Jan 24, 2014, 5:17:56 PM
to vcap...@cloudfoundry.org
Thx Filip. I played around a bit more with my manifest and the changes suggested in below thread seem to fix it..

Filip Hanik

Jan 24, 2014, 10:11:41 PM
to vcap...@cloudfoundry.org
yup, a side effect of tying down security is that old client definitions need to be updated. it is always good to work off a new manifest, and override existing client definition.