User "system:anonymous" cannot "proxy" "services" with name "fabric8-forge" in project...


can...@intrinsic.world

Jan 14, 2016, 3:51:56 AM
to fabric8

Hi,

This is just a follow-up to my question from yesterday. I figured this might be more explicit.

I'm hitting this error while hitting: http://fabric8.apps.intrinsic.world/workspaces/default/forge/command/project-new

The console reports not being able to call the following endpoint:

https://paas.intrinsic.world:8443/api/v1/proxy/namespaces/default/services/fabric8-forge/api/forge/command/validate/project-new?secret=candide&secretNamespace=user-secrets-source-admin

When I open it in a separate browser window, I get:

{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {},
  "status": "Failure",
  "message": "User \"system:anonymous\" cannot \"proxy\" \"services\" with name \"fabric8-forge\" in project \"default\"",
  "reason": "Forbidden",
  "details": {
    "name": "fabric8-forge",
    "kind": "services"
  },
  "code": 403
}

I don't even know how to start debugging this problem. I'd love to have some pointers. What it looks like is that the user I'm authenticated with (admin) has not propagated the authentication context to the point where it calls the above URL. I struggled to get fabric8 to work on a master-node setup and had to go to great lengths to make sure that authentication worked while the fabric8 app is running on the node and authentication actually takes place on the master. I suspect that, perhaps, the session token is not available everywhere it is needed.

I feel doomed :-/ Please help.

Candide

James Rawlings

Jan 14, 2016, 4:58:30 AM
to can...@intrinsic.world, fab...@googlegroups.com
Hi Candide, this is a bit strange and I don't have an answer yet.

The system:anonymous error you mentioned is just the unauthenticated browser request when you try to access the URL directly, so it's not an issue; instead, the error you are getting can be seen in the JavaScript console...



Which is odd to say the least.  The IP address that the browser can't access is the forge pod when using the kubernetes service proxy, but as you mentioned somewhere else the openshift route, service and pod communication is working as we can access forge using its own route here http://fabric8-forge.apps.intrinsic.world/api/forge/

This is just a bit more information about the problem, figured I'd give an update as it seems more to do with the kubernetes service proxy, I'll try and recreate the issue today on a similar setup but it might be worth raising an issue so we can track it.

James.

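Added example (not part of the original thread, and not fabric8 or OpenShift code): a short Python triage of the API server's Status body, separating the unauthenticated-browser case described in the message above from a denial for a named user. The verdict names and the sent_credentials parameter are hypothetical, the second sample body is constructed, and treating a 401 as "credential rejected" assumes general Kubernetes API server behaviour.

```python
import json
import re

# Message layout copied from the Status body quoted in this thread.
DENIED = re.compile(
    r'^User "(?P<user>[^"]+)" cannot "(?P<verb>[^"]+)" "(?P<resource>[^"]+)"'
    r'(?: with name "(?P<name>[^"]+)")?(?: in project "(?P<project>[^"]+)")?$'
)

def triage_status(body, sent_credentials):
    """Return (verdict, fields) for an API server Status body.

    sent_credentials: True if the request carried an Authorization header.
    Verdict names are hypothetical labels chosen for this example.
    """
    try:
        status = json.loads(body)
    except ValueError:
        return "not-json", {}
    if not isinstance(status, dict) or status.get("kind") != "Status":
        return "not-a-status", {}
    code = status.get("code")
    match = DENIED.match(str(status.get("message", "")))
    fields = match.groupdict() if match else {}
    if code == 401:
        return "credentials-rejected", fields
    if code == 403 and fields.get("user") == "system:anonymous":
        # The server evaluated the request with no identity attached.
        if sent_credentials:
            return "credentials-not-seen-by-server", fields
        return "no-credentials-sent", fields
    if code == 403:
        return "authenticated-but-not-authorized", fields
    return "not-an-auth-failure", fields

# The Status body from the first post in this thread.
FROM_THREAD = r'''{"kind": "Status", "apiVersion": "v1", "metadata": {},
 "status": "Failure",
 "message": "User \"system:anonymous\" cannot \"proxy\" \"services\" with name \"fabric8-forge\" in project \"default\"",
 "reason": "Forbidden", "details": {"name": "fabric8-forge", "kind": "services"},
 "code": 403}'''

# Constructed sample: the same denial, but for a named user.
CONSTRUCTED = FROM_THREAD.replace("system:anonymous", "alice")

if __name__ == "__main__":
    for body, sent in ((FROM_THREAD, False), (CONSTRUCTED, True)):
        print(triage_status(body, sent))
```

A "no-credentials-sent" verdict on a URL opened in a bare browser tab says nothing about the application's own authenticated calls; check those separately with the token attached.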

can...@intrinsic.world

Jan 14, 2016, 5:20:00 AM
to fabric8, can...@intrinsic.world

can...@intrinsic.world

Jan 19, 2016, 3:15:36 AM
to fabric8, can...@intrinsic.world
Hi James,

I'm sorry to insist. This is a blocking issue for us. Maybe one just has to realise that fabric8 is not meant to run on other setups than a one machine "cluster", which is fine as well. Just let us know.

Also, I wonder if the call to 10.1.0.11 is just reported by the browser but not made by it: it's just saying that some service on the backend has trouble connecting to that IP, because it doesn't have the right credentials etc.

Unless you have to/need to recreate the cluster setup (and don't forget you have my full install log here), I'm also happy to give you the password to our machines. It's just a proof of concept so nothing confidential so far.

Take care,

Candide


On Thursday, January 14, 2016 at 10:58:30 AM UTC+1, James Rawlings wrote:

James Rawlings

Jan 19, 2016, 12:34:37 PM
to can...@intrinsic.world, fab...@googlegroups.com
Hi Candide - we've taken a look and we're not sure what the problem is, I'm afraid. We think it's something to do with the openshift installation because the api server cannot talk to the forge pod. We use a service proxy on the api server to access forge and we can see the issue by running the following curl command:

curl --insecure -H "Authorization: Bearer daErBhdMqevWAT3NnATQXFgd1RcNMR81HZb2SWN2aOs" https://paas.intrinsic.world:8443/api/v1/proxy/namespaces/default/services/fabric8-forge/

I think at the moment the best we can suggest is you follow up with the openshift team to see if they can offer an explanation or advice.

James.


Candide Kemmler

Jan 19, 2016, 2:18:03 PM
to James Rawlings, fab...@googlegroups.com
Awesome. Thanks, just posted to the OpenShift ML. Will keep you updated.

Candide