Setting up UAA with a persisted DB
614 views
Skip to first unread message
Asankha Perera
May 13, 2013, 7:44:16 AM5/13/13
to vcap...@cloudfoundry.org
Hello All
I am trying to use the UAA as an OAuth2 auth server for a project, and have been having some issues getting it to work standalone (i.e. master branch) against MySQL or Postgres. First the YamlConfigurationValidator kept giving errors (like some properties were not valid) when I copied the default-uaa.yml as my default uaa.yml. However, commenting it from the env.xml let me avoid those errors on startup, and it now starts without error.
However, I am not able to define new user accounts (similar to the default marissa account) through the uaa.yml file, although it works if I specify it on the scim-endpoints.xml. I am new to Yaml, but reading the documentation I assumed that editing it was the recommended way to configure a UAA instance. Can someone share a uaa.yml file which will allow me to define new user accounts etc, that will work against the master branch code. As a side question, should I be looking at the master branch or the develop branch?
thanks!
asankha
I am trying to use the UAA as an OAuth2 auth server for a project, and have been having some issues getting it to work standalone (i.e. master branch) against MySQL or Postgres. First the YamlConfigurationValidator kept giving errors (like some properties were not valid) when I copied the default-uaa.yml as my default uaa.yml. However, commenting it from the env.xml let me avoid those errors on startup, and it now starts without error.
However, I am not able to define new user accounts (similar to the default marissa account) through the uaa.yml file, although it works if I specify it on the scim-endpoints.xml. I am new to Yaml, but reading the documentation I assumed that editing it was the recommended way to configure a UAA instance. Can someone share a uaa.yml file which will allow me to define new user accounts etc, that will work against the master branch code. As a side question, should I be looking at the master branch or the develop branch?
thanks!
asankha
Dave Syer
May 13, 2013, 10:32:36 AM5/13/13
to vcap...@cloudfoundry.org
On 13/05/13 12:44, Asankha Perera wrote:
> I am trying to use the UAA as an OAuth2 auth server for a project, and
> have been having some issues getting it to work standalone (i.e. master
> branch) against MySQL or Postgres.
You need to set the active Spring profile (and include "mysql" or
> I am trying to use the UAA as an OAuth2 auth server for a project, and
> have been having some issues getting it to work standalone (i.e. master
> branch) against MySQL or Postgres.
"postgresql" or "oracle"). You can do that with system properties
(-Dspring.profiles.active=mysql, see Spring User Guide) or using
spring_profiles property in uaa.yml.
uaa/src/test/resources/test/profiles/mysql/uaa.yml has an example.
> First the YamlConfigurationValidator
> kept giving errors (like some properties were not valid) when I copied
> the default-uaa.yml as my default uaa.yml.
just a documentation artifact - but if it has errors they could be
fixed. If I recall correctly it has pretty flakey data in it, more as a
guide than as a recommendation (like self commenting code).
> However, commenting it from
> the env.xml let me avoid those errors on startup, and it now starts
> without error.
stopping you from starting up, and the error messages should have clear
(at least as far as we control them).
> I assumed that editing it was the recommended way to
> configure a UAA instance.
production it is better to use the SCIM endpoints directly (e.g. with
uaac command line tool, or another custom client).
> Can someone share a uaa.yml file which will
> allow me to define new user accounts etc,
> As a side question, should I be looking at the
> master branch or the develop branch?
for stability. Develop is better for testing new features.
D.
Asankha Perera
May 13, 2013, 2:43:00 PM5/13/13
to vcap...@cloudfoundry.org
Hi Dave
Thanks for your reply!
That explains the issue, as I was under the impression that the "default"-uaa.yml was supposed to work by default
Here is one error I get:
Can't construct a java object for tag:yaml.org,2002:org.cloudfoundry.identity.uaa.UaaConfiguration; exception=Cannot create property=login for JavaBean=org.cloudfoundry.identity.uaa.UaaConfiguration@63425e17; Unable to find property 'login' on class: org.cloudfoundry.identity.uaa.UaaConfiguration
Caused when the uaa.yml contains:
login:
addnew: false # true in default profile
I think what it complains about is the lack of a property on the UaaConfiguration bean, not on the actual configuration [model] ? Looking at the source I assumed it was only validating a subset of the properties, so it shouldn't really throw an error about what it doesn't know
Cool.. I will do that
regards
asankha
Thanks for your reply!
> First the YamlConfigurationValidator kept giving errors..
That's interesting. The default-uaa.yml isn't tested that way - it's
just a documentation artifact - but if it has errors they could be
fixed. If I recall correctly it has pretty flakey data in it, more as a
guide than as a recommendation (like self commenting code).
That explains the issue, as I was under the impression that the "default"-uaa.yml was supposed to work by default
I wouldn't trust that - the errors would be genuine if they were
stopping you from starting up, and the error messages should have clear
(at least as far as we control them).
Here is one error I get:
Can't construct a java object for tag:yaml.org,2002:org.cloudfoundry.identity.uaa.UaaConfiguration; exception=Cannot create property=login for JavaBean=org.cloudfoundry.identity.uaa.UaaConfiguration@63425e17; Unable to find property 'login' on class: org.cloudfoundry.identity.uaa.UaaConfiguration
Caused when the uaa.yml contains:
login:
addnew: false # true in default profile
I think what it complains about is the lack of a property on the UaaConfiguration bean, not on the actual configuration [model] ? Looking at the source I assumed it was only validating a subset of the properties, so it shouldn't really throw an error about what it doesn't know
> I assumed that editing it was the recommended way to
> configure a UAA instance.
Not really, but it's certainly a possibility to get started quickly. In
production it is better to use the SCIM endpoints directly (e.g. with
uaac command line tool, or another custom client).
Cool.. I will do that
regards
asankha
Dave Syer
May 14, 2013, 3:28:02 AM5/14/13
to vcap...@cloudfoundry.org
On 13/05/13 19:43, Asankha Perera wrote:
> I think what it complains about is the lack of a property on the
> UaaConfiguration bean, not on the actual configuration [model] ? Looking
> at the source I assumed it was only validating a subset of the
> properties, so it shouldn't really throw an error about what it doesn't know
That's not the intention. But clearly UaConfiguration is incomplete if
> I think what it complains about is the lack of a property on the
> UaaConfiguration bean, not on the actual configuration [model] ? Looking
> at the source I assumed it was only validating a subset of the
> properties, so it shouldn't really throw an error about what it doesn't know
it can't bind to some valid properties (like this one). We can fix that.
--
Dave Syer
ds...@gopivital.com
Andrei Palskoi
Jun 11, 2013, 12:02:29 PM6/11/13
to vcap...@cloudfoundry.org
I was also trying to start UAA with Postgres profile and I am getting validation errors from the parser for uaa.yml:
---
[2013-06-11 11:57:28.171] uaa/uaa - ???? [main] .... ERROR --- YamlConfigurationValidator: Failed to load YAML validation bean. Your YAML file may be invalid.
Can't construct a java object for tag:yaml.org,2002:org.cloudfoundry.identity.uaa.UaaConfiguration; exception=Cannot create property=scim for JavaBean=org.cloudfoundry.identity.uaa.UaaConfiguration@c18c80; Cannot create property=groups for JavaBean=org.cloudfoundry.identity.uaa.UaaConfiguration$Scim@2eff6313; Unable to find property 'groups' on class: org.cloudfoundry.identity.uaa.UaaConfiguration$Scim
in 'string', line 1, column 1:
oauth:
^
at org.yaml.snakeyaml.constructor.Constructor$ConstructYamlObject.construct(Constructor.java:333)
at org.yaml.snakeyaml.constructor.BaseConstructor.constructObject(BaseConstructor.java:182)
at org.yaml.snakeyaml.constructor.BaseConstructor.constructDocument(BaseConstructor.java:141)
at org.yaml.snakeyaml.constructor.BaseConstructor.getSingleData(BaseConstructor.java:127)
at org.yaml.snakeyaml.Yaml.loadFromReader(Yaml.java:481)
I am running the latest UAA 1.4.2 and its clear that the UaaConfiguration class is missing some of the scim properties set in the example. Here is my uaa.yml:
oauth:
clients:
login:
id: login
secret: loginsecret
scope: uaa.none
authorized-grant-types: client_credentials
authorities: oauth.login
scim:
group_membership:
- acme.dev|marissa
users:
- admin|password|scim.write,scim.read,openid,cloud_controller.admin
- marissa|koala|<email>|Marissa|Bloggs|uaa.user
userids_enabled: true
spring_profiles: test,postgresql
cloud_controller:
database:
driverClassName: org.postgresql.Driver
url: jdbc:postgresql:uaa
username: root
password: root
Andrei Palskoi
Dave Syer
Jun 15, 2013, 2:16:36 PM6/15/13
to vcap...@cloudfoundry.org
On 11/06/13 17:02, Andrei Palskoi wrote:
> I am running the latest UAA 1.4.2 and its clear that the
> UaaConfiguration class is missing some of the scim properties set in the
> example.
Yes, but it's only a log file - it won't stop the server starting. At
> I am running the latest UAA 1.4.2 and its clear that the
> UaaConfiguration class is missing some of the scim properties set in the
> example.
some point we might stop the server starting on validation errors, but
that isn't enforced now.
If you want to send a pull request for any properties that actually do
something and are missing in UaaConfiguration, please feel free.
--
Dave Syer
ds...@gopivital.com
Andrei Palskoi
Jun 15, 2013, 5:09:57 PM6/15/13
to vcap...@cloudfoundry.org
Dave,
Thanks! We are still trying to get up to speed with it and figure out all configuration settings, so it's a bit too early for us to try modifying the code...
One more comment I've heard from our DBA after looking at the UAA DDL was that it looks a lot like "it was designed by application developers" and has some problems like column names that are reserved keywords in some popular RDBMS, lack of the table schema qualifier and so on. I'll try to find out more and see if the company allows me to post findings to the mailing list.
I've sent you an email few days ago asking if you or your team would be willing to have a consulting agreement with FICO to help us get the most out of UAA but I understand that you guys are now very busy with CF 2 launch.
Thanks,
Andrei
James Bayer
Jun 15, 2013, 7:04:06 PM6/15/13
to vcap...@cloudfoundry.org
Andrei, which DBs do you want to use? We've tested with Postgres and MySQL. There was contributor initiated work to get things to work with Oracle. Is the DB you want to use on that list?
--
Thank you,
James Bayer
Andrei Palskoi
Jun 16, 2013, 9:10:59 AM6/16/13
to vcap...@cloudfoundry.org
We'll use Postgres. It works fine but it creates tables in the default schema which is not ideal. We are going to set up a special user ID just for UAA and bind it to a different schema by default - this way the tables won't pollute global namespace and there is no need to change application code.
Reply all
Reply to author
Forward
0 new messages