Bug 1336397 - [intservice_public_217] Failed to access "apimanui/api-manager/catalog/api-catalog" page due to "Cannot validate BearerToken"
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: OKD
Classification: Red Hat
Component: Logging
Version: 3.x
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Kurt T Stam
QA Contact: chunchen
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2016-05-16 11:02 UTC by chunchen
Modified: 2016-09-30 02:16 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-08-08 21:39:40 UTC
Target Upstream Version:
Embargoed:


Attachments
catalog page screenshot (134.64 KB, image/png)
2016-05-16 11:03 UTC, chunchen

Description chunchen 2016-05-16 11:02:24 UTC
Description of problem:
It failed to access the "apimanui/api-manager/catalog/api-catalog" page due to a 401 issue; the other pages could be accessed, like "apimanui/api-manager/users/chunchen/apis".

Version-Release number of selected component (if applicable):
APIMan related images built from latest gitrepo source

How reproducible:
always

Steps to Reproduce:
1. Deploy APIMan stack via https://github.com/openshift/origin-apiman/blob/master/README.md#building-from-source

2. Access the console with a test form like: https://gist.githubusercontent.com/sosiouxme/1a069b243c5f227037fa0566acbd0420/raw/de474bef92673f152aaddb72a355e59530bdb6af/test.html

3. Access the "catalog" page
https://<apiman-console-route>/apimanui/api-manager/catalog/api-catalog

Actual results:
Met a 401 error; please refer to the screenshot in the attachment.

Expected results:
Should access the "catalog" page successfully.

Additional info:

Comment 1 chunchen 2016-05-16 11:03:26 UTC
Created attachment 1157846 [details]
catalog page screenshot

Comment 2 Kurt T Stam 2016-05-19 12:59:51 UTC
sosiouxme: that page queries Kubernetes, so it’s likely to do with a service account not set up correctly.

Comment 3 Luke Meyer 2016-05-19 14:30:30 UTC
I reproduced with this stack trace:
https://paste.fedoraproject.org/368492/67078146/

Caused by: io.fabric8.kubernetes.client.KubernetesClientException: Failure executing: GET at: https://kubernetes.default.svc/oapi/v1/templates. Message: Forbidden!Configured service account doesn't have access. 

However, if I ssh into the container and use the SA token to GET that URL with curl, then it works fine. So it seems either something is using the SA token wrong or it's using the wrong account entirely.

Comment 4 Kurt T Stam 2016-05-19 14:48:24 UTC
Hmm, the templates are queried to grab an image only. Did the security around this change? If templates is the only issue, I can turn that off.

Comment 5 Luke Meyer 2016-05-25 12:52:56 UTC
Neither service account nor user (most likely) should actually have access to all templates (https://kubernetes.default.svc/oapi/v1/templates) - everything should be scoped by one of the namespaces available to the user.
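
The diagnosis discussed in Comments 3 and 5, as an added example (not code from this bug, APIMan or OpenShift): decode the claims of a legacy service account token to see which account it names, then derive the namespace-scoped templates URL next to the cluster-wide one from the stack trace. The sample token, the `apiman-demo`/`apiman-console` names and all helper names are constructed for illustration.

```python
import base64
import json
from urllib.parse import quote

# Legacy service account token claims (Kubernetes / OpenShift 3.x).
NS_CLAIM = "kubernetes.io/serviceaccount/namespace"
SA_CLAIM = "kubernetes.io/serviceaccount/service-account.name"
API = "https://kubernetes.default.svc"  # host taken from the stack trace above

def _b64url_json(segment):
    """Decode one base64url JWT segment; JWTs strip the '=' padding."""
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))

def token_identity(token):
    """Return (namespace, account) from the claims. Signature is not verified: diagnostic only."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part JWT")
    claims = _b64url_json(parts[1])
    try:
        return claims[NS_CLAIM], claims[SA_CLAIM]
    except KeyError as missing:
        raise ValueError(f"not a service account token: no {missing} claim")

def template_urls(token):
    """Cluster-wide URL from the thread vs. the form scoped to the token's namespace."""
    namespace, _ = token_identity(token)
    return {
        "cluster_wide": f"{API}/oapi/v1/templates",
        "namespaced": f"{API}/oapi/v1/namespaces/{quote(namespace, safe='')}/templates",
    }

def make_sample_token(namespace, name):
    """Build a constructed token with a dummy signature (not a real credential)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    claims = {"iss": "kubernetes/serviceaccount", NS_CLAIM: namespace, SA_CLAIM: name,
              "sub": f"system:serviceaccount:{namespace}:{name}"}
    return ".".join([enc({"alg": "RS256", "typ": "JWT"}), enc(claims), "c2ln"])

if __name__ == "__main__":
    tok = make_sample_token("apiman-demo", "apiman-console")  # constructed names
    print(token_identity(tok))
    print(template_urls(tok))
```

Inside a pod the token to inspect is the one mounted at `/var/run/secrets/kubernetes.io/serviceaccount/token`; comparing its identity with the account the application is expected to use separates "wrong account" from "wrong scope".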

Comment 6 Jeff Cantrill 2016-08-08 17:46:04 UTC
@dan I presume we can close this since our plans of supporting ApiMan have changed?

Comment 7 Dan McPherson 2016-08-08 19:27:52 UTC
@jeff I believe so.

Comment 8 Jeff Cantrill 2016-08-08 21:39:40 UTC
Closing as this is no longer relevant.