Bug 1336397

Summary: [intservice_public_217] Failed to access "apimanui/api-manager/catalog/api-catalog" page due to "Cannot validate BearerToken"
Product: OKD Reporter: chunchen <chunchen>
Component: LoggingAssignee: Kurt T Stam <kurt.stam>
Status: CLOSED WONTFIX QA Contact: chunchen <chunchen>
Severity: medium Docs Contact:
Priority: medium    
Version: 3.xCC: aos-bugs, dmcphers, jcantril, kurt.stam, wsun
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-08-08 21:39:40 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
catalog page screenshot none

Description chunchen 2016-05-16 11:02:24 UTC 
Description of problem:
It's failed to access "apimanui/api-manager/catalog/api-catalog" page due to 401 issue, the other pages could be accessed, like "apimanui/api-manager/users/chunchen/apis". 

Version-Release number of selected component (if applicable):
APIMan related images built from latest gitrepo source

How reproducible:
always

Steps to Reproduce:
1. Deploy APIMan stack via https://github.com/openshift/origin-apiman/blob/master/README.md#building-from-source

2. Access to the console with a test form like: https://gist.githubusercontent.com/sosiouxme/1a069b243c5f227037fa0566acbd0420/raw/de474bef92673f152aaddb72a355e59530bdb6af/test.html

3. Access the "catalog" page
https://<apiman-console-route>/apimanui/api-manager/catalog/api-catalog

Actual results:
Met 401 error, please refer to the screenshot in the attachment

Expected results:
Should access "catalog" pages successfully.

Additional info:
Comment 1 chunchen 2016-05-16 11:03:26 UTC 
Created attachment 1157846 [details]
catalog page screenshot
Comment 2 Kurt T Stam 2016-05-19 12:59:51 UTC 
sosiouxme: that page queries Kubernetes, so it’s likely to do with a service account not set up correctly.
Comment 3 Luke Meyer 2016-05-19 14:30:30 UTC 
I reproduced with this stack trace:
https://paste.fedoraproject.org/368492/67078146/

Caused by: io.fabric8.kubernetes.client.KubernetesClientException: Failure executing: GET at: https://kubernetes.default.svc/oapi/v1/templates. Message: Forbidden!Configured service account doesn't have access. 

However, if I ssh into the container and use the SA token to GET that URL with curl, then it works fine. So it seems either something is using the SA token wrong or it's using the wrong account entirely.
Comment 4 Kurt T Stam 2016-05-19 14:48:24 UTC 
Hmm the templates are queried to grab an image only.. Did the security around this change? If templates is the only issue I can turn that off..
Comment 5 Luke Meyer 2016-05-25 12:52:56 UTC 
Neither service account nor user (most likely) should actually have access to all templates (https://kubernetes.default.svc/oapi/v1/templates) - everything should be scoped by one of the namespaces available to the user.
Comment 6 Jeff Cantrill 2016-08-08 17:46:04 UTC 
@dan I presume we can close this since our plans of supporting ApiMan have changed?
Comment 7 Dan McPherson 2016-08-08 19:27:52 UTC 
@jeff I believe so.
Comment 8 Jeff Cantrill 2016-08-08 21:39:40 UTC 
Closing as this is no longer relevent