Posted to notifications@apisix.apache.org by GitBox <gi...@apache.org> on 2022/11/10 01:59:32 UTC

[GitHub] [apisix] wavemoroc001 opened a new issue, #8296: help request: How to configure apisix to allow route by role ?

wavemoroc001 opened a new issue, #8296:
URL: https://github.com/apache/apisix/issues/8296

   ### Description
   
   I integrated Keycloak with the `authz-keycloak` plugin and I want to allow each route by role.
   
   
   This is my config:
   ```json
   {
     "bearer_only": true,
     "client_id": "myclient",
     "disable": false,
     "discovery": "https://gateway-classroom.wavemoroc.app:8443/auth/realms/Apisix/.well-known/uma2-configuration",
     "permissions": [
       "student-scope"
     ]
   }
   
   ```

   and it throws this error:
   
   ```
   Accessing discovery URL (https://gateway-classroom.wavemoroc.app:8443/auth/realms/Apisix/.well-known/uma2-configuration) failed: 20: unable to get local issuer certificate
   ```
   
   Could you advise me on a solution to achieve my goal?
   
   ### Environment
   
   - APISIX version (run `apisix version`): 3.0.0
   - Operating system (run `uname -a`): 3.0.0-debian (Docker)
   - etcd version, if relevant (run `curl http://127.0.0.1:9090/v1/server_info`): 3.4.15
   - Plugin runner version, for issues related to plugin runners:  `authz-keycloak`


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscribe@apisix.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


[GitHub] [apisix] wavemoroc001 commented on issue #8296: help request: How to configure apisix to allow route by role ?

wavemoroc001 commented on issue #8296:
URL: https://github.com/apache/apisix/issues/8296#issuecomment-1309922369

   @Hazel6869 I did follow the documentation. This is my `config.yaml`:
   
   ```yaml
   apisix:
     ssl:
       ssl_trusted_certificate: "/usr/local/apisix/cert/classroom_cert.crt"
       ssl_ciphers: ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
       ssl_protocols: TLSv1.2 TLSv1.3
       # ssl_cert: /usr/local/apisix/conf/cert/classroom_cert.crt
       # ssl_cert_key: /usr/local/apisix/conf/cert/classroom_key.key
       enable: true
       listen:                       # APISIX listening port in https.
         - port: 9443
           enable_http2: true
   
     node_listen: 9080              # APISIX listening port
     enable_ipv6: false
   
     enable_control: true
     control:
       ip: "0.0.0.0"
       port: 9092
   
   deployment:
     admin:
       allow_admin:               # http://nginx.org/en/docs/http/ngx_http_access_module.html#allow
         - 0.0.0.0/0              # We need to restrict ip access rules for security. 0.0.0.0/0 is for test.
   
       admin_key:
         - name: "admin"
           key: edd1c9f034335f136f87ad84b625c8f1
           role: admin                 # admin: manage all configuration data
   
         - name: "viewer"
           key: 4054f7cf07e344346cd3f287985e76a2
           role: viewer
   
     etcd:
       host:                           # it's possible to define multiple etcd hosts addresses of the same etcd cluster.
         - "http://etcd:2379"          # multiple etcd address
       prefix: "/apisix"               # apisix configurations prefix
       timeout: 30                     # 30 seconds
   
   plugin_attr:
     prometheus:
       export_addr:
         ip: "0.0.0.0"
         port: 9091
   ```
   
   I looked in error.log. It says:
   
   ```log
   2022/11/10 08:10:53 [error] 46#46: *5016 [lua] radixtree_sni.lua:146: match_and_set(): failed to find any SSL certificate by SNI: gateway-classroom.wavemoroc.app, context: ssl_certificate_by_lua*, client: 172.68.234.221, server: 0.0.0.0:9443
   
   ```
   ![Screen Shot 2565-11-10 at 15 11 32](https://user-images.githubusercontent.com/56395197/201036445-2fa978fd-5d85-4166-8954-df15436b6afe.png)
   
   




[GitHub] [apisix] tzssangglass commented on issue #8296: help request: How to configure apisix to allow route by role ?

tzssangglass commented on issue #8296:
URL: https://github.com/apache/apisix/issues/8296#issuecomment-1313039689

   ref: https://github.com/apache/apisix/issues/8183
   
   Perhaps the Dashboard is not yet compatible with the APISIX v3.0 modification and you need to upload the certificate via the admin API.
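An added example (not from this issue or from the APISIX project) of what the comment above suggests: uploading the certificate and key for the SNI named in the error log through the Admin API rather than the Dashboard. It assumes the Admin API is reachable at `ADMIN_URL` (APISIX 3.0 defaults to port 9180) with key `ADMIN_KEY`; both, the SSL object id and the PEM paths are placeholders.

```shell
#!/bin/sh
# Added example: create or replace an APISIX SSL object through the Admin API.
# ADMIN_URL, ADMIN_KEY and the object id are placeholders, not values from the issue.
ADMIN_URL="${ADMIN_URL:-http://127.0.0.1:9180}"
ADMIN_KEY="${ADMIN_KEY:-REPLACE_WITH_ADMIN_KEY}"

# Turn a PEM file into one JSON string value: each line followed by a literal \n.
# PEM bodies are base64 plus header/footer lines, so no quote escaping is needed.
pem_to_json_string() {
  awk 'BEGIN { ORS = "" } { print $0 "\\n" }' "$1"
}

# Build the SSL object body: the SNI list plus the escaped cert and key.
build_ssl_body() {
  sni="$1"; cert_file="$2"; key_file="$3"
  printf '{"snis":["%s"],"cert":"%s","key":"%s"}' \
    "$sni" "$(pem_to_json_string "$cert_file")" "$(pem_to_json_string "$key_file")"
}

# PUT the object under /apisix/admin/ssls/<id> (the 3.0 resource name) so the
# 9443 listener can answer TLS for <sni> instead of logging
# "failed to find any SSL certificate by SNI".
upload_ssl() {
  id="$1"; sni="$2"; cert_file="$3"; key_file="$4"
  curl -sS -X PUT "$ADMIN_URL/apisix/admin/ssls/$id" \
    -H "X-API-KEY: $ADMIN_KEY" -H 'Content-Type: application/json' \
    --data-binary "$(build_ssl_body "$sni" "$cert_file" "$key_file")"
}

# Usage (paths are placeholders):
# upload_ssl 1 gateway-classroom.wavemoroc.app /path/to/cert.pem /path/to/key.pem
```

Check the result with a GET on the same `/apisix/admin/ssls/<id>` path; the returned object should list the SNI, and the SNI error should stop appearing in error.log.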




[GitHub] [apisix] Hazel6869 commented on issue #8296: help request: How to configure apisix to allow route by role ?

Hazel6869 commented on issue #8296:
URL: https://github.com/apache/apisix/issues/8296#issuecomment-1309733049

   > @Hazel6869 It still shows that error. Is it related to my certificate? I use [Cloudflare Origin Certificate](https://developers.cloudflare.com/ssl//origin-configuration/)
   
   I don't know 🤔, did you follow the documentation?




[GitHub] [apisix] wavemoroc001 commented on issue #8296: help request: How to configure apisix to allow route by role ?

wavemoroc001 commented on issue #8296:
URL: https://github.com/apache/apisix/issues/8296#issuecomment-1311459094

   @Hazel6869 I use Postman to send the request.
   
   **This is my request body**
   ```bash
   curl --location --request GET 'https://gateway-classroom.wavemoroc.app/student' \
   --header 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICIyYzZlZDk1MC0yOTZiLTRlNTgtOTdjZi04NmI2MGEwODRmNjMifQ.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bmFtZSI6IiJ9.zuwYSynNh0NPCsINcG4fGWh-anhA1Vuq6YcMT0UoauE' \
   --header 'Cookie: cf_use_ob=0'
   ```




[GitHub] [apisix] Hazel6869 commented on issue #8296: help request: How to configure apisix to allow route by role ?

Hazel6869 commented on issue #8296:
URL: https://github.com/apache/apisix/issues/8296#issuecomment-1310010014

   > config.yaml
   
   Did you reload your config.yaml?




[GitHub] [apisix] wavemoroc001 commented on issue #8296: help request: How to configure apisix to allow route by role ?

wavemoroc001 commented on issue #8296:
URL: https://github.com/apache/apisix/issues/8296#issuecomment-1311150266

   The error log says `failed to find any SSL certificate by SNI`, so I just tried to add the certificate and hoped it would be found, but the log still says the certificate was not found.
   
   **This is my route that enables the plugin `auth_keycloak`**
   
   ```json
   {
     "uri": "/student",
     "name": "student-route",
     "methods": [
       "GET"
     ],
     "plugins": {
       "authz-keycloak": {
         "bearer_only": true,
         "client_id": "myclient",
         "disable": false,
         "discovery": "https://gateway-classroom.wavemoroc.app:8443/auth/realms/Apisix/.well-known/uma2-configuration"
       }
     },
     "upstream": {
       "nodes": [
         {
           "host": "example_web1_1",
           "port": 80,
           "weight": 1
         }
       ],
       "timeout": {
         "connect": 6,
         "send": 6,
         "read": 6
       },
       "type": "roundrobin",
       "checks": {
         "active": {
           "concurrency": 10,
           "healthy": {
             "http_statuses": [
               200,
               302
             ],
             "interval": 1,
             "successes": 2
           },
           "http_path": "/",
           "timeout": 1,
           "type": "http",
           "unhealthy": {
             "http_failures": 5,
             "http_statuses": [
               429,
               404,
               500,
               501,
               502,
               503,
               504,
               505
             ],
             "interval": 1,
             "tcp_failures": 2,
             "timeouts": 3
           }
         }
       },
       "scheme": "http",
       "pass_host": "pass",
       "keepalive_pool": {
         "idle_timeout": 60,
         "requests": 1000,
         "size": 320
       }
     },
     "status": 1
   }
   
   ```




[GitHub] [apisix] wavemoroc001 commented on issue #8296: help request: How to configure apisix to allow route by role ?

wavemoroc001 commented on issue #8296:
URL: https://github.com/apache/apisix/issues/8296#issuecomment-1310035014

   @Hazel6869 Yes, already reloaded, but it still shows the error. Should I roll back to the LTS version?




[GitHub] [apisix] wavemoroc001 closed issue #8296: help request: How to configure apisix to allow route by role ?

wavemoroc001 closed issue #8296: help request: How to configure apisix to allow route by role ?
URL: https://github.com/apache/apisix/issues/8296




[GitHub] [apisix] Hazel6869 commented on issue #8296: help request: How to configure apisix to allow route by role ?

Hazel6869 commented on issue #8296:
URL: https://github.com/apache/apisix/issues/8296#issuecomment-1309670465

   @wavemoroc001 Hi, you can see https://apisix.apache.org/zh/docs/apisix/FAQ/#%E6%88%91%E5%BA%94%E8%AF%A5%E5%A6%82%E4%BD%95%E8%A7%A3%E5%86%B3-unable-to-get-local-issuer-certificate-%E8%BF%99%E4%B8%AA%E9%94%99%E8%AF%AF 




[GitHub] [apisix] Hazel6869 commented on issue #8296: help request: How to configure apisix to allow route by role ?

Hazel6869 commented on issue #8296:
URL: https://github.com/apache/apisix/issues/8296#issuecomment-1311120494

   @wavemoroc001 I think your ssl_trusted_certificate configuration is not right. Why did you do it like this?
   ![image](https://user-images.githubusercontent.com/30279880/201242856-8ec3e642-296a-41ba-a67f-cbd35e396d62.png)
   




[GitHub] [apisix] wavemoroc001 commented on issue #8296: help request: How to configure apisix to allow route by role ?

wavemoroc001 commented on issue #8296:
URL: https://github.com/apache/apisix/issues/8296#issuecomment-1309694653

   @Hazel6869 It still shows that error. Is it related to my certificate? I use [Cloudflare Origin Certificate](https://developers.cloudflare.com/ssl//origin-configuration/)




[GitHub] [apisix] Hazel6869 commented on issue #8296: help request: How to configure apisix to allow route by role ?

Hazel6869 commented on issue #8296:
URL: https://github.com/apache/apisix/issues/8296#issuecomment-1311121146

   > @Hazel6869 Yes, already reloaded, but it still shows the error. Should I roll back to the LTS version?
   
   Can you give me the complete routing request curl? I will help you check.




[GitHub] [apisix] Hazel6869 commented on issue #8296: help request: How to configure apisix to allow route by role ?

Hazel6869 commented on issue #8296:
URL: https://github.com/apache/apisix/issues/8296#issuecomment-1311273737

   > auth_keycloak
   
   How did you send the request?

