Portal Register Instance error


Timo Vuorijärvi

Dec 9, 2020, 7:54:54 AM
to Maritime Connectivity Platform
Hi!

I found some service xml files from the mcsr test resources. I have changed the ids in the files to match the bootstrap user. I have successfully registered the specification and the design xml files using the portal. But I get an error when trying to register the instance.

Last warning in MIR log is:
2020-12-09 14:33:47.487  WARN 33356 --- [nio-8181-exec-9] c.f.m.mcsr.web.rest.util.InstanceUtil    : User does not have the neccessary roles to perform this operation

The bootstrap user should have ROLE_SITE_ADMIN which should have rights to do all operations.

There is a screenshot including the xml and client errors. There are some 404 errors on the client side.

Any clue whether I have some misconfiguration, or what might be the reason? What should I check?

Br,
Timo


register-instance-error-2020-12-09.png

oha...@gmail.com

Dec 9, 2020, 8:20:07 AM
to Maritime Connectivity Platform
Hi Timo,

This fails because the bootstrap user does not as such actually exist in the MIR; it is only initially registered in Keycloak to be able to authenticate to the MIR API for the initial bootstrap process (hence also the name). Because of this, the bearer token that is issued for the bootstrap user will not contain attributes such as the 'ROLES' claim which is needed by the MSR. Registration of specification and design should actually also fail if the claim is missing, but I can see in the source code that the check has actually not been implemented, which is why it works.
My recommendation would be that you either add the bootstrap user to the MIR database manually or set up a new organization as described in the MIR setup manual.

Best regards
Oliver

Timo Vuorijärvi

Dec 9, 2020, 8:36:07 AM
to Maritime Connectivity Platform
Hi Oliver,

Thanks for the quick reply. Sounds right, I'll try.


Br,
Timo

Timo Vuorijärvi

Dec 9, 2020, 9:39:16 AM
to Maritime Connectivity Platform
Hi Oliver,

Should it be enough to add urn:mrn:mcp:user:idp1:bootstrap:mcp-admin to MIR users table and link it to the bootstrap organization (using id_organization) and set permissions to MCPADMIN?


Br, Timo

oha...@gmail.com

Dec 9, 2020, 9:47:21 AM
to Maritime Connectivity Platform
Hi Timo,

Yes, I believe that should be enough. Remember to issue a new token after the registration.

Best regards
Oliver

Timo Vuorijärvi

Dec 10, 2020, 6:35:09 AM
to Maritime Connectivity Platform
Hi Oliver,

I had added the mcp-admin user to the MIR users table. So it looks like there is something else missing. I double checked the mrn and it should match the user. I checked with the debugger that the token does not have the roles attribute.

1) What information in Keycloak tells Keycloak that user X's bearer token should have a roles attribute?
2) What (and where) are the role values in Keycloak?

There are roles, but those are offline_access and uma_authorization; are those mapped to the ROLE_X_ADMIN roles? Or is the mapping done using the permissions attribute (and the mapping is in the MIR roles table)?

Br,
Timo

oha...@gmail.com

Dec 10, 2020, 7:12:26 AM
to Maritime Connectivity Platform
Hi Timo,

Keycloak does not as such know anything about the roles of users; instead it uses the custom MCP Keycloak SPI to fetch them from the MIR here. The role mappings in Keycloak are only used internally in Keycloak and are therefore not related to the roles in the MIR.
If fetching of roles worked, you will see an attribute called 'roles' in the 'Attributes' tab of the user. If it didn't work, you will most likely see the error "Getting user roles failed" in the log of Keycloak. If you don't get this error even though fetching the roles didn't work, then that most likely means that the MCP SPI has not been loaded in.

Best regards
Oliver
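
As an added illustration (not code from the MCP project or from either participant): a small Python script that first verifies a bearer token's signature and then applies the kind of check the thread describes the MSR making, rejecting a request whose token has no 'roles' claim or whose roles do not include the required one. To stay self-contained it signs constructed sample tokens with HS256 and a made-up shared secret; real MCP tokens issued by Keycloak are signed with the realm key and would be verified against the realm's public key. The claim name 'roles', the role ROLE_SITE_ADMIN and the bootstrap user MRN are taken from the thread; the tolerance for the claim arriving either as a JSON list or as a comma-separated string is my assumption, not documented MSR behaviour.

```python
import base64
import hashlib
import hmac
import json

# Constructed secret for this example only; a Keycloak realm would use an RSA
# key pair and the verifier would hold only the public key.
SECRET = b"example-shared-secret-not-for-production"

REQUIRED_ROLES = {"ROLE_SITE_ADMIN"}  # role the thread says the bootstrap user should hold


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_token(claims: dict) -> str:
    """Build an HS256-signed JWT from a claims dict (constructed sample tokens only)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = f"{_b64url(json.dumps(header).encode())}.{_b64url(json.dumps(claims).encode())}"
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def decode_token(token: str) -> dict:
    """Verify the signature and return the claims.

    The 'alg' header is pinned to HS256 so an attacker cannot downgrade to
    'none' or swap algorithms; the MAC is compared in constant time.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(payload_b64))


def check_required_roles(claims: dict, required: set) -> tuple:
    """Return (ok, reason), distinguishing 'claim absent' from 'wrong role'.

    An absent claim is the symptom in the thread: Keycloak's MCP SPI could not
    fetch roles from the MIR (or was not loaded), so nothing was put in the token.
    """
    roles = claims.get("roles")
    if roles is None:
        return False, "token has no 'roles' claim (role lookup by the Keycloak SPI failed or SPI not loaded?)"
    if isinstance(roles, str):  # assumption: a hard-coded user attribute may arrive as one string
        roles = roles.split(",")
    granted = {r.strip() for r in roles if r.strip()}
    if not granted & set(required):
        return False, f"user has roles {sorted(granted)} but needs one of {sorted(required)}"
    return True, "ok"


def diagnose(token: str, required: set = REQUIRED_ROLES) -> tuple:
    """Full path a resource server would take: verify signature, then authorise."""
    try:
        claims = decode_token(token)
    except ValueError as exc:
        return False, f"token rejected: {exc}"
    return check_required_roles(claims, required)


# Constructed sample tokens. The first mimics the bootstrap user's token from the
# thread (authenticates fine, but carries no roles); the second is what a properly
# registered MIR user with ROLE_SITE_ADMIN would get.
BOOTSTRAP_TOKEN = make_token({"sub": "urn:mrn:mcp:user:idp1:bootstrap:mcp-admin"})
ADMIN_TOKEN = make_token({"sub": "urn:mrn:mcp:user:idp1:bootstrap:mcp-admin",
                          "roles": ["ROLE_SITE_ADMIN"]})

if __name__ == "__main__":
    for name, tok in (("bootstrap", BOOTSTRAP_TOKEN), ("admin", ADMIN_TOKEN)):
        print(name, diagnose(tok))
```

The point of splitting the reason strings is operational: "no 'roles' claim" points at the identity provider (Keycloak SPI, MIR connectivity), whereas "needs one of" points at the user's permissions in the MIR, and a log line like the one in the first message does not tell you which of the two you are looking at.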

Timo Vuorijärvi

Dec 10, 2020, 10:34:00 AM
to Maritime Connectivity Platform
Hi Oliver,

Thank you for clarification and for your patience.

Yes, there are these "Getting user roles failed" errors; the roles query returns a 403 HTTP status code. The SPI has hardcoded use of certificates (https), and I don't currently have https enabled in any service. So the next step would be to enable SSL for the services (set up nginx).

Br,
Timo

oha...@gmail.com

Dec 10, 2020, 11:33:04 AM
to Maritime Connectivity Platform
Hi Timo,

No problem!

Yes, if you want it to work properly you will need to set up nginx. If you in the meantime just want to test the registration of instances in the MSR, you can always just hard code the 'roles' claim in the attributes of the user in Keycloak; this way the token will also contain this value.

Best regards
Oliver
