1336397 – [intservice_public_217] Failed to access "apimanui/api-manager/catalog/api-catalog" page due to "Cannot validate BearerToken"

Bug 1336397 - [intservice_public_217] Failed to access "apimanui/api-manager/catalog/api-catalog" page due to "Cannot validate BearerToken"

Summary: [intservice_public_217] Failed to access "apimanui/api-manager/catalog/api-ca...

Keywords:
Status:	CLOSED WONTFIX
Alias:	None
Product:	OKD
Classification:	Red Hat
Component:	Logging
Sub Component:
Version:	3.x
Hardware:	Unspecified
OS:	Unspecified
Priority:	medium
Severity:	medium
Target Milestone:	---
Target Release:	---
Assignee:	Kurt T Stam
QA Contact:	chunchen
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2016-05-16 11:02 UTC by chunchen
Modified:	2016-09-30 02:16 UTC (History)
CC List:	5 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2016-08-08 21:39:40 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)
catalog page screenshot (134.64 KB, image/png) 2016-05-16 11:03 UTC, chunchen	no flags	Details
View All

Description chunchen 2016-05-16 11:02:24 UTC

Description of problem:
It's failed to access "apimanui/api-manager/catalog/api-catalog" page due to 401 issue, the other pages could be accessed, like "apimanui/api-manager/users/chunchen/apis". 

Version-Release number of selected component (if applicable):
APIMan related images built from latest gitrepo source

How reproducible:
always

Steps to Reproduce:
1. Deploy APIMan stack via https://github.com/openshift/origin-apiman/blob/master/README.md#building-from-source

2. Access to the console with a test form like: https://gist.githubusercontent.com/sosiouxme/1a069b243c5f227037fa0566acbd0420/raw/de474bef92673f152aaddb72a355e59530bdb6af/test.html

3. Access the "catalog" page
https://<apiman-console-route>/apimanui/api-manager/catalog/api-catalog

Actual results:
Met 401 error, please refer to the screenshot in the attachment

Expected results:
Should access "catalog" pages successfully.

Additional info:

Comment 1 chunchen 2016-05-16 11:03:26 UTC

Created attachment 1157846 [details]
catalog page screenshot

Comment 2 Kurt T Stam 2016-05-19 12:59:51 UTC

sosiouxme: that page queries Kubernetes, so it’s likely to do with a service account not set up correctly.

Comment 3 Luke Meyer 2016-05-19 14:30:30 UTC

I reproduced with this stack trace:
https://paste.fedoraproject.org/368492/67078146/

Caused by: io.fabric8.kubernetes.client.KubernetesClientException: Failure executing: GET at: https://kubernetes.default.svc/oapi/v1/templates. Message: Forbidden!Configured service account doesn't have access. 

However, if I ssh into the container and use the SA token to GET that URL with curl, then it works fine. So it seems either something is using the SA token wrong or it's using the wrong account entirely.

Comment 4 Kurt T Stam 2016-05-19 14:48:24 UTC

Hmm the templates are queried to grab an image only.. Did the security around this change? If templates is the only issue I can turn that off..

Comment 5 Luke Meyer 2016-05-25 12:52:56 UTC

Neither service account nor user (most likely) should actually have access to all templates (https://kubernetes.default.svc/oapi/v1/templates) - everything should be scoped by one of the namespaces available to the user.

Comment 6 Jeff Cantrill 2016-08-08 17:46:04 UTC

@dan I presume we can close this since our plans of supporting ApiMan have changed?

Comment 7 Dan McPherson 2016-08-08 19:27:52 UTC

@jeff I believe so.

Comment 8 Jeff Cantrill 2016-08-08 21:39:40 UTC

Closing as this is no longer relevent

Note You need to log in before you can comment on or make changes to this bug.