I am trying to use oauth2 in the kube-prom-stack for the authentication of metrics federated from an https node.
Below is my configuration:

```yaml
additionalScrapeConfigs:
  - job_name: 'test-federation'
    scrape_interval: 20s
    scrape_timeout: 20s
    scheme: https
    oauth2:
      client_id: 'auth-server'
      client_secret: 'XXXXXXXXXXX'
      token_url: 'http://XXX.XXX.XX.XX:80/auth/token '
      endpoint_params:
        grant_type: 'client_credentials'
    metrics_path: /federate
    honor_labels: true
    tls_config:
      insecure_skip_verify: true
    metric_relabel_configs:
      - source_labels: [id]
        regex: '^static-agent$'
        action: drop
    params:
      match[]:
        - '{job="xyz"}'
    static_configs:
      - targets: ['XXX.XX.XX.XX:9090']
```

But when I checked my Prometheus targets I see the error below:

```
oauth2: cannot fetch token: 400 Bad Request Response: {"code":"400","description":"Invalid credentials"}
```

Please help.
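A small review check for the oauth2 block of a scrape job like the one above, written as an added example (not part of the question or of Prometheus): it flags the trailing space inside the quoted token_url, the plaintext http token endpoint, and the disabled certificate verification. The job dict is constructed from the posted config; the lint function and its finding texts are this example's own.

```python
from urllib.parse import urlsplit

# Constructed from the scrape job in the question (same values, secret redacted).
SCRAPE_JOB = {
    "job_name": "test-federation",
    "scheme": "https",
    "oauth2": {
        "client_id": "auth-server",
        "client_secret": "XXXXXXXXXXX",
        "token_url": "http://XXX.XXX.XX.XX:80/auth/token ",
        "endpoint_params": {"grant_type": "client_credentials"},
    },
    "metrics_path": "/federate",
    "tls_config": {"insecure_skip_verify": True},
    "static_configs": [{"targets": ["XXX.XX.XX.XX:9090"]}],
}


def lint_oauth2_job(job):
    """Return a list of review findings for one scrape job that uses oauth2."""
    findings = []
    oauth = job.get("oauth2")
    if not oauth:
        return findings

    token_url = oauth.get("token_url", "")
    if token_url != token_url.strip():
        # Whitespace inside the YAML quotes is part of the configured value,
        # so it is not the URL the token endpoint actually serves.
        findings.append("token_url has surrounding whitespace: %r" % token_url)

    if urlsplit(token_url.strip()).scheme != "https":
        # client_id and client_secret travel in the token request itself.
        findings.append("token_url is not https; client credentials are sent in cleartext")

    if job.get("tls_config", {}).get("insecure_skip_verify"):
        findings.append("insecure_skip_verify is true; the target certificate is not verified")

    return findings
```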
```yaml
oauth2:
  client_id: 'auth-server'
  client_secret: 'XXXXXXXXXXX'
  token_url: 'http://XXX.XXX.XX.XX:80/auth/token '
  endpoint_params:
    grant_type: 'client_credentials'
```

I tried the above for OAuth2 authentication, but I see the error below in the Prometheus targets while scraping metrics from the other node.

```
oauth2: cannot fetch token: 400 Bad Request Response: {"code":"400","description":"Invalid credentials"}
```
I've followed instructions on other posts to add a custom policy, namely:

- Add a custom .magick/policy.xml file
- Add the MAGICK_CONFIGURE_PATH = /app/.magick/:/etc/ImageMagick-6/ env var.

I'm still getting the old policy injecting itself above the new one.

```
~ $ convert -list policy
Path: /app/.magick/policy.xml
  Policy: Resource
    name: disk
    value: 1GiB
  Policy: Resource
    name: map
    value: 512MiB
  Policy: Resource
    name: memory
    value: 256MiB
  Policy: Resource
    name: area
    value: 128MB
  Policy: Resource
    name: height
    value: 16KP
  Policy: Resource
    name: width
    value: 16KP
Path: /app/vendor/imagemagick/policy.xml
  Policy: Coder
    rights: None
    pattern: EPHEMERAL
  Policy: Coder
    rights: None
    pattern: HTTPS
  Policy: Coder
    rights: None
    pattern: MVG
  Policy: Coder
    rights: None
    pattern: MSL
Path: /app/.magick/policy.xml
  Policy: Delegate
    rights: Read Write
    pattern: URL
  Policy: Delegate
    rights: Read Write
    pattern: HTTPS
  Policy: Delegate
    rights: Read Write
    pattern: HTTP
  Policy: Path
    rights: None
```

Any help appreciated.
I deployed an Envoy as a sidecar to manage OAuth2. Everything works fine for all the resources and the client is redirected to the OIDC provider in order to authenticate.
Here is a part of my conf (managed in a Helm chart):

```yaml
- name: envoy.filters.network.http_connection_manager
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
    access_log:
      - name: envoy.access_loggers.file
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.access_loggers.file.v3.FileAccessLog
          path: /dev/stdout
    codec_type: auto
    stat_prefix: ingress_http
    route_config:
      name: local_route
      virtual_hosts:
        - name: my-service
          domains:
            - "*"
          routes:
            - match:
                prefix: "/"
              route:
                cluster: my-service
    http_filters:
      - name: envoy.filters.http.oauth2
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.http.oauth2.v3.OAuth2
          config:
            token_endpoint:
              cluster: {{ .Values.back.envoy.oidc.name }}
              uri: https://{{ .Values.back.envoy.oidc.address }}/oidc/token
              timeout: 5s
            authorization_endpoint: https://{{ .Values.back.envoy.oidc.address }}/oidc/authorize
            redirect_uri: "%REQ(x-forwarded-proto)%://%REQ(:authority)%/oidc/callback"
            redirect_path_matcher:
              path:
                exact: /oidc/callback
            signout_path:
              path:
                exact: /oidc/signout
            credentials:
              client_id: {{ required "back.envoy.oidc.client_id is required" .Values.back.envoy.oidc.client_id }}
              token_secret:
                name: token
                sds_config:
                  resource_api_version: V3
                  path: "/etc/envoy/token-secret.yaml"
              hmac_secret:
                name: hmac
                sds_config:
                  resource_api_version: V3
                  path: "/etc/envoy/hmac-secret.yaml"
            forward_bearer_token: true
            # (Optional): defaults to 'user' scope if not provided
            auth_scopes:
              - user
              - openid
              - email
              - homelan_devices_read
              - homelan_topology_read
              - homelan_devices_write
            # (Optional): set resource parameter for Authorization request
            #resources:
            #- oauth2-resource
            #- http://example.com
      - name: envoy.filters.http.router
        typed_config: {}
```

Now I'd like some of the exposed resources not to require authentication.
I see in the OAuth filter doc: "Leave this empty to disable OAuth2 for a specific route, using per filter config." (see https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/http/oauth2/v3/oauth.proto#envoy-v3-api-msg-extensions-filters-http-oauth2-v3-oauth2config)
This phrase makes me think that it may be possible.
I tried to manage it by changing my conf through virtual_hosts this way:

```yaml
virtual_hosts:
  - name: no-oauth
    domains: ["*"]
    typed_per_filter_config:
      envoy.filters.http.oauth2:
        "@type": type.googleapis.com/envoy.extensions.filters.http.oauth2.v3.OAuth2
    routes:
      - match:
          prefix: "/api/v1/myResource1"
        route:
          cluster: my-service
  - name: my-service
    domains: ["*"]
    routes:
      - match:
          prefix: "/api/v1/myResource2"
        route:
          cluster: my-service
```

I get the error:

```
[critical][main] [source/server/server.cc:117] error initializing configuration '/etc/envoy/envoy.yaml': The filter envoy.filters.http.oauth2 doesn't support virtual host-specific configurations
```

Any idea? Did someone implement the Envoy OAuth2 filter with disabled routes?
After looking at my Envoy logs, I realized that the path is known as the header ":path".
The pass_through_matcher matches on that header.
So only adding:

```yaml
pass_through_matcher:
  - name: ":path"
    prefix_match: "/healthz"
  - name: ":path"
    prefix_match: "/api/v1/myResource1"
```

to my conf, without the Lua filter (see my previous answer), works.
For information, I found a workaround:
I added a Lua filter before my OAuth2 one:

```yaml
- name: envoy.filters.http.lua
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua
    inline_code: |
      function envoy_on_request(request_handle)
        request_handle:headers():add("X-Path", request_handle:headers():get(":path"))
      end
```

in order to copy the path into a header.
Then I can use this element of the OAuth2 conf:

> pass_through_matcher
> (repeated config.route.v3.HeaderMatcher) Any request that matches any of the provided matchers will be passed through without OAuth validation.

So I add this to my OAuth2 filter:

```yaml
pass_through_matcher:
  - name: "X-path"
    prefix_match: "/healthz"
  - name: "X-path"
    prefix_match: "/api/v1/myResource1"
```

Then my /api/v1/myResource1 requests (and healthz too) don't need authentication (they are excluded from OAuth2) while my /api/v1/myResource2 requests do.
I still have the unanswered question:
What does the OAuth filter doc mean with: "Leave this empty to disable OAuth2 for a specific route, using per filter config."
I have declared a mapping named StageMap in my sam.yaml file:

```yaml
AWSTemplateFormatVersion: 2010-09-09
Transform: AWS::Serverless-2016-10-31
Parameters:
  ProjectName:
    Type: String
  SubProjectName:
    Type: String
  Stage:
    Type: String
    AllowedValues:
      - dev
      - test
      - preprod
      - prod
...
Mappings:
  StageMap:
    dev:
      AuthorizerArn: !Sub arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:auth-bk-main-dev-AuthorizerFunction-1RR2YJ5STBUB6/invocations
    test:
      AuthorizerArn: !Sub arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:auth-bk-main-test-AuthorizerFunction-UQ1EQ2SP5W6G/invocations
    preprod:
      AuthorizerArn: !Sub arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:auth-bk-main-preprod-AuthorizerFunction-UQ1W6EQ2SP5G/invocations
    prod:
      AuthorizerArn: !Sub arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:auth-bk-main-prod-AuthorizerFunction-5STBUB61RR2YJ/invocations
```

I would like to use this mapping in my swagger.yaml. I have tried the following:

```yaml
...
x-amazon-apigateway-authorizer:
  type: request
  authorizerUri:
    Fn::FindInMap:
      - 'StageMap'
      - Ref: 'Stage'
      - 'AuthorizerArn'
```

I also tried this solution but I got the error Every Mappings attribute must be a String or a List.
Can you please let me know how to access one of the values in the mapping in the swagger.yaml? Thanks!
I found the following in the AWS SAM docs:

> You cannot include parameters, pseudo parameters, or intrinsic functions in the Mappings section.

So I changed:

```yaml
AuthorizerArn: !Sub arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:auth-bk-main-dev-AuthorizerFunction-1RR2YJ5STBUB6/invocations
```

for:

```yaml
AuthorizerFunctionName: auth-bk-main-dev-AuthorizerFunction-1RR2YJ5STBUB6
```

And in the swagger.yaml I used the following:

```yaml
x-amazon-apigateway-authorizer:
  type: request
  authorizerUri:
    Fn::Sub:
      - arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:${AuthorizerFunctionName}/invocations
      - AuthorizerFunctionName:
          Fn::FindInMap:
            - 'StageMap'
            - Ref: 'Stage'
            - 'AuthorizerFunctionName'
```
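To see why the Mappings section has to hold plain strings while the Fn::Sub/Fn::FindInMap/Ref chain in the swagger.yaml above does resolve, here is a tiny evaluator of those three intrinsics, written as an added example (not AWS or SAM code). The mapping and authorizerUri are copied from the answer; the Region and AccountId values are made up for the example.

```python
import re

# Constructed from the answer's template; pseudo-parameter values are made up.
PSEUDO = {"AWS::Region": "eu-west-1", "AWS::AccountId": "123456789012"}
PARAMETERS = {"Stage": "dev"}
MAPPINGS = {
    "StageMap": {
        "dev": {"AuthorizerFunctionName": "auth-bk-main-dev-AuthorizerFunction-1RR2YJ5STBUB6"},
        "test": {"AuthorizerFunctionName": "auth-bk-main-test-AuthorizerFunction-UQ1EQ2SP5W6G"},
    }
}
AUTHORIZER_URI = {
    "Fn::Sub": [
        "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/"
        "arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:${AuthorizerFunctionName}/invocations",
        {"AuthorizerFunctionName": {"Fn::FindInMap": ["StageMap", {"Ref": "Stage"}, "AuthorizerFunctionName"]}},
    ]
}


def check_mappings_literal(mappings):
    """Mappings attributes may only be strings or lists: a Ref/Fn::* leaf is rejected."""
    for map_name, top in mappings.items():
        for key, attrs in top.items():
            for attr, value in attrs.items():
                if not isinstance(value, (str, list)):
                    raise ValueError("Every Mappings attribute must be a String or a List: "
                                     "%s/%s/%s" % (map_name, key, attr))


def resolve(node, params, mappings, pseudo):
    """Evaluate Ref, Fn::FindInMap and Fn::Sub bottom-up over a parsed template node."""
    if isinstance(node, list):
        return [resolve(n, params, mappings, pseudo) for n in node]
    if not isinstance(node, dict):
        return node
    if "Ref" in node:
        name = node["Ref"]
        return pseudo[name] if name in pseudo else params[name]
    if "Fn::FindInMap" in node:
        map_name, top, second = resolve(node["Fn::FindInMap"], params, mappings, pseudo)
        return mappings[map_name][top][second]
    if "Fn::Sub" in node:
        arg = node["Fn::Sub"]
        template, local = (arg, {}) if isinstance(arg, str) else arg
        scope = {**pseudo, **params, **resolve(local, params, mappings, pseudo)}
        return re.sub(r"\$\{([^}]+)\}", lambda m: scope[m.group(1)], template)
    return {k: resolve(v, params, mappings, pseudo) for k, v in node.items()}
```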
How do you configure the Spring Security Rest Plugin for Grails 3.x (currently I'm using Grails 3.1.0 RC2)?
The plugin page says to "Add compile :spring-security-rest:${version} to your BuildConfig.groovy," but BuildConfig.groovy has been removed from Grails 3.x.
Edit: the docs on the plugin page have been updated.

So I got this working. First off, the documentation located [here][1] is much more up to date. You need to add the following to build.gradle:

build.gradle

```groovy
dependencies {
    //Other dependencies
    compile "org.grails.plugins:spring-security-rest:2.0.0.M2"
}
```

Next, you need to run the Spring Security quickstart:

```
grails s2-quickstart com.yourapp Person Role
```

Finally, you need to configure the filter chain by adding the following to your application.groovy:

application.groovy

```groovy
grails.plugin.springsecurity.filterChain.chainMap = [
    //Stateless chain
    [
        pattern: '/api/**',
        filters: 'JOINED_FILTERS,-anonymousAuthenticationFilter,-exceptionTranslationFilter,-authenticationProcessingFilter,-securityContextPersistenceFilter,-rememberMeAuthenticationFilter'
    ],
    //Traditional chain
    [
        pattern: '/**',
        filters: 'JOINED_FILTERS,-restTokenValidationFilter,-restExceptionTranslationFilter'
    ]
]
```

Alternatives:
I decided to move the configuration to application.yml, so I'm not using two different configuration syntaxes.

Alternative config #1:
using application.yml with standard default settings

```yaml
grails:
  # other config values
  plugin.springsecurity:
    userLookup.userDomainClassName: 'com.company.product.Person'
    userLookup.authorityJoinClassName: 'com.company.product.PersonRole'
    authority.className: 'com.company.product.Role'
    controllerAnnotations.staticRules:
      - {pattern: '/', access: ['permitAll']}
      - {pattern: '/error', access: ['permitAll']}
      - {pattern: '/index', access: ['permitAll']}
      - {pattern: '/index.gsp', access: ['permitAll']}
      - {pattern: '/shutdown', access: ['permitAll']}
      - {pattern: '/assets/**', access: ['permitAll']}
      - {pattern: '/**/js/**', access: ['permitAll']}
      - {pattern: '/**/css/**', access: ['permitAll']}
      - {pattern: '/**/images/**', access: ['permitAll']}
      - {pattern: '/**/favicon.ico', access: ['permitAll']}
    filterChain.chainMap:
      - {pattern: '/assets/**', filters: 'none'}
      - {pattern: '/**/js/**', filters: 'none'}
      - {pattern: '/**/css/**', filters: 'none'}
      - {pattern: '/**/images/**', filters: 'none'}
      - {pattern: '/**/favicon.ico', filters: 'none'}
      #Stateless chain
      - {pattern: '/api/**', filters: 'JOINED_FILTERS,-anonymousAuthenticationFilter,-exceptionTranslationFilter,-authenticationProcessingFilter,-securityContextPersistenceFilter,-rememberMeAuthenticationFilter'}
      #Traditional chain
      - {pattern: '/**', filters: 'JOINED_FILTERS,-restTokenValidationFilter,-restExceptionTranslationFilter'}
```

I also (this is totally optional):

- removed all of the generated config that pertains to serving GSPs since my app is just an API
- configured the plugin to persist the authorization token using GORM
- replaced the default bearer tokens config with the X-Auth-Token config

so I ended up with this:

Alternative config #2:
using application.yml, API only (no GSPs), with GORM token storage and X-Auth-Tokens instead of Bearer Tokens

```yaml
grails:
  # other config values
  plugin.springsecurity:
    userLookup.userDomainClassName: 'com.company.product.Person'
    userLookup.authorityJoinClassName: 'com.company.product.PersonRole'
    authority.className: 'com.company.product.Role'
    filterChain.chainMap:
      #Stateless chain
      - {pattern: '/**', filters: 'JOINED_FILTERS,-anonymousAuthenticationFilter,-exceptionTranslationFilter,-authenticationProcessingFilter,-securityContextPersistenceFilter,-rememberMeAuthenticationFilter'}
    rest.token:
      storage.gorm.tokenDomainClassName: 'com.company.product.AuthenticationToken'
      validation:
        useBearerToken: false
        headerName: 'X-Auth-Token'
```