This blocks our testing of the tsb on the catalog console. We want a fix ASAP. Could you help check? Thanks.
How did you create the cluster, installer or oc cluster up?
For future catalog bugs it is very important to include what method you used to create the cluster. The two pathways we have (oc cluster up and the installer) are different code paths with different maintainers.
I set up the cluster with openshift-ansible.
On further debugging, I find I can use an access token to request /v2/catalog. According to https://github.com/openservicebrokerapi/servicebroker/blob/v2.12/spec.md#curl, when I do 'curl -H "X-Broker-API-Version: 2.12" http://username:password@broker-url/v2/catalog', I get 403. In my openshift I use the auth type AllowAllPasswordIdentityProvider.

# cat /etc/origin/master/master-config.yaml
-------skip------------
oauthConfig:
  assetPublicURL: https://<master>:8443/console/
  grantConfig:
    method: auto
  identityProviders:
  - challenge: true
    login: true
    mappingMethod: claim
    name: allow_all
    provider:
      apiVersion: v1
      kind: AllowAllPasswordIdentityProvider
  masterCA: ca-bundle.crt
  masterPublicURL: https://<master>:8443
  masterURL: https://<master>:8443
  sessionConfig:
    sessionMaxAgeSeconds: 3600
    sessionName: ssn
    sessionSecretsFile: /etc/origin/master/session-secrets.yaml
  tokenConfig:
    accessTokenMaxAgeSeconds: 86400
    authorizeTokenMaxAgeSeconds: 500

# oc get template -n tsb
NAME                     DESCRIPTION                                                                        PARAMETERS        OBJECTS
ruby-helloworld-sample   This example shows how to create a simple ruby application in openshift origi...   3 (2 generated)   9

[root@host-8-175-186 dma]# curl -k -H "X-Broker-API-Version: 2.12" -H "Authorization: Bearer oLHF6t2o6reGO-O4UjsPeALItFtSlACjh8YlbF0eUrE" https://<master>:8443/brokers/template.openshift.io/v2/catalog
{
  "services": [
    {
      "name": "ruby-helloworld-sample",
      "id": "c4e87ede-6ab0-11e7-a7e8-fa163e680dd3",
      "description": "This example shows how to create a simple ruby application in openshift origin v3",
      "tags": ["instant-app", "ruby", "mysql"],
      "bindable": true,
      "metadata": {"console.openshift.io/iconClass": "icon-ruby"},
      "plans": [
        {
          "id": "c4e87ede-6ab0-11e7-a7e8-fa163e680dd3",
          "name": "default",
          "description": "Default plan",
          "free": true,
          "bindable": true,
          "schemas": {
            "service_instance": {
              "create": {
                "parameters": {
                  "$schema": "http://json-schema.org/draft-04/schema",
                  "additionalProperties": false,
                  "properties": {
                    "MYSQL_DATABASE": {"default": "root", "description": "database name", "type": "string"},
                    "MYSQL_PASSWORD": {"default": "", "description": "database password", "type": "string"},
                    "MYSQL_USER": {"default": "", "description": "database username", "type": "string"},
                    "template.openshift.io/requester-username": {
                      "description": "OpenShift user requesting provision/bind",
                      "title": "Template service broker: requester username",
                      "type": "string"
                    }
                  },
                  "required": ["template.openshift.io/requester-username", "MYSQL_DATABASE"],
                  "type": "object"
                }
              }
            },
            "service_binding": {
              "create": {
                "parameters": {
                  "$schema": "http://json-schema.org/draft-04/schema",
                  "additionalProperties": false,
                  "properties": {
                    "template.openshift.io/requester-username": {
                      "description": "OpenShift user requesting provision/bind",
                      "title": "Template service broker: requester username",
                      "type": "string"
                    }
                  },
                  "required": ["template.openshift.io/requester-username"],
                  "type": "object"
                }
              }
            }
          }
        }
      ]
    }
  ]
}

# curl -k -H "X-Broker-API-Version: 2.12" https://dma:dma@<master>:8443/brokers/template.openshift.io/v2/catalog
{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {},
  "status": "Failure",
  "message": "User \"system:anonymous\" cannot \"get\" on \"/brokers/template.openshift.io/v2/catalog\"",
  "reason": "Forbidden",
  "details": {},
  "code": 403
}
The ansible installer doesn't currently support the template broker, so this is working as designed; keeping this open and transferring to the templates component.
(In reply to Paul Morie from comment #6)
> The ansible installer doesn't currently support the template broker, so this
> is working as designed; keeping this open and transferring to the templates
> component.

I think this PR has support for tsb in the installer: https://github.com/openshift/openshift-ansible/pull/3982
Hi Ben, could you help check the issue? How can I access tsb via the broker resource? Thanks.
You must take 3 steps, 1 of which the ansible installer should handle:

1) configure the TSB namespaces (ansible installer should have an option for this today)

2) enable anonymous access (this makes your cluster completely exposed to malicious attacks, use with caution!)

oc adm policy add-cluster-role-to-group system:openshift:templateservicebroker-client system:unauthenticated system:authenticated

3) register the TSB with the SC, create this yaml:

apiVersion: servicecatalog.k8s.io/v1alpha1
kind: Broker
metadata:
  name: template-broker
spec:
  url: https://kubernetes.default.svc:443/brokers/template.openshift.io

and then use it with oc create.
The question here is: I have set user/password in the broker, so why does it still use system:anonymous? In the broker it has

"spec": {
  "authInfo": {
    "basicAuthSecret": {
      "name": "tsb",
      "namespace": "kube-service-catalog"
    }
  },

Thanks so much.
I'm pretty sure system:anonymous is any unauthenticated user, and your user is considered unauthenticated because the TSB api does not respect the basic auth mechanism the SC is providing, it only respects token based auth (which the SC is incapable of providing). That is why you must grant unauthenticated access to the TSB apis.
Client and server have different implementations of open service broker api auth, so maybe we need the broker to support tokens or tsb to respect basic auth in future. Thanks for your reply.
The SC is going to support token based auth in the future.
Upstream proposal: https://github.com/kubernetes-incubator/service-catalog/pull/1044
Implementation: https://github.com/pmorie/go-open-service-broker-client/pull/50
Commit pushed to master at https://github.com/openshift/origin

https://github.com/openshift/origin/commit/a2c1538e8e4f30f29f820ddd58dd80b6fef52ff3
include token in tsb registration

bug 1470628
https://bugzilla.redhat.com/show_bug.cgi?id=1470628
Using cluster up, the TSB now registers with a token that the SC will use when calling the TSB, so you do not need to grant unauthenticated access to the TSB. We'll be following this up with work to do the same thing when installing via openshift ansible.
We are tracking work related to that here: https://github.com/openshift/origin/issues/16075
PR to handle registration in a template so ansible can also do the registration: https://github.com/openshift/origin/pull/16115
This is fixed for cluster up, but DeShuai I think you will want a second BZ to track getting this fixed in the ansible installer. Eric Wolinetz would own that bug.
Tested with a cluster up env [1]. Could use the token to access the tsb api, and there is no sync error in the template-service-broker resource.

[root@devexp-cluster-up newscripts]# oc get broker template-service-broker -o json
{
  "apiVersion": "servicecatalog.k8s.io/v1alpha1",
  "kind": "Broker",
  "metadata": {
    "creationTimestamp": "2017-09-14T08:42:01Z",
    "finalizers": ["kubernetes-incubator/service-catalog"],
    "name": "template-service-broker",
    "resourceVersion": "1264",
    "selfLink": "/apis/servicecatalog.k8s.io/v1alpha1/brokers/template-service-broker",
    "uid": "939fa87f-9928-11e7-97c7-0242ac110006"
  },
  "spec": {
    "authInfo": {
      "bearer": {
        "secretRef": {
          "kind": "Secret",
          "name": "templateservicebroker-client",
          "namespace": "openshift-template-service-broker"
        }
      }
    },
    "url": "https://apiserver.openshift-template-service-broker.svc:443/brokers/template.openshift.io"
  },
  "status": {
    "checksum": "fd02ec8a89acc79d8185ab855d745354b3fd96307b8b9988b772838584965334",
    "conditions": [
      {
        "lastTransitionTime": "2017-09-14T08:42:08Z",
        "message": "Successfully fetched catalog entries from broker.",
        "reason": "FetchedCatalog",
        "status": "True",
        "type": "Ready"
      }
    ]
  }
}

[1]
oc v3.7.0-0.126.1
kubernetes v1.7.0+80709908fd
features: Basic-Auth GSSAPI Kerberos SPNEGO

Server https://10.8.***:8443
openshift v3.7.0-0.126.1
kubernetes v1.7.0+80709908fd
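The thread turns on one fact: the TSB only honours bearer tokens, so a Broker registered with basic auth is seen as system:anonymous and the three-step workaround above has to open the TSB client role to system:unauthenticated, while the fixed registration shown in the verification carries a bearer secretRef. The audit script below is an added example, not code from the bug report or from the origin/service-catalog projects. It walks `oc get broker -o json` and `oc get clusterrolebinding -o json` style output and flags (a) template brokers whose authInfo is not bearer and (b) bindings that still grant system:openshift:templateservicebroker-client to system:unauthenticated. The two sample objects are constructed here: the first broker mirrors the basicAuthSecret form quoted earlier in this bug, the second mirrors the bearer/secretRef form from the cluster-up verification, and the ClusterRoleBinding is the shape the `oc adm policy add-cluster-role-to-group` workaround leaves behind; its name is an assumption.

```python
"""Audit servicecatalog Broker registrations and RBAC for the TSB auth pattern
discussed in this bug (added example; the sample objects are constructed)."""
import json

TSB_PATH = "/brokers/template.openshift.io"
TSB_CLIENT_ROLE = "system:openshift:templateservicebroker-client"

# Constructed sample in the shape of `oc get broker -o json` (a List of Broker items).
SAMPLE_BROKERS = {
    "kind": "List",
    "items": [
        {   # basic auth: the TSB ignores it, so the SC is treated as system:anonymous
            "apiVersion": "servicecatalog.k8s.io/v1alpha1",
            "kind": "Broker",
            "metadata": {"name": "template-broker"},
            "spec": {
                "authInfo": {"basicAuthSecret": {"name": "tsb", "namespace": "kube-service-catalog"}},
                "url": "https://kubernetes.default.svc:443/brokers/template.openshift.io",
            },
        },
        {   # bearer token via secretRef: the form the cluster-up fix registers
            "apiVersion": "servicecatalog.k8s.io/v1alpha1",
            "kind": "Broker",
            "metadata": {"name": "template-service-broker"},
            "spec": {
                "authInfo": {"bearer": {"secretRef": {
                    "kind": "Secret",
                    "name": "templateservicebroker-client",
                    "namespace": "openshift-template-service-broker"}}},
                "url": "https://apiserver.openshift-template-service-broker.svc:443/brokers/template.openshift.io",
            },
        },
    ],
}

# Constructed sample ClusterRoleBinding left behind by the anonymous-access workaround
# (binding name is an assumption; the role and group names are the ones from the thread).
SAMPLE_BINDINGS = {
    "kind": "List",
    "items": [
        {
            "apiVersion": "rbac.authorization.k8s.io/v1",
            "kind": "ClusterRoleBinding",
            "metadata": {"name": "templateservicebroker-client"},
            "roleRef": {"kind": "ClusterRole", "name": TSB_CLIENT_ROLE},
            "subjects": [
                {"kind": "Group", "name": "system:unauthenticated"},
                {"kind": "Group", "name": "system:authenticated"},
            ],
        }
    ],
}


def broker_auth_mode(broker):
    """Return 'bearer', 'basic' or 'none' for one Broker object.

    Both the older `basicAuthSecret` field and the `basic.secretRef` form count
    as basic auth, which the TSB does not honour."""
    auth = broker.get("spec", {}).get("authInfo") or {}
    if "bearer" in auth:
        return "bearer"
    if "basic" in auth or "basicAuthSecret" in auth:
        return "basic"
    return "none"


def is_template_broker(broker):
    """True when the Broker URL points at the template service broker endpoint."""
    return broker.get("spec", {}).get("url", "").rstrip("/").endswith(TSB_PATH)


def anonymous_tsb_grants(bindings):
    """Names of ClusterRoleBindings granting the TSB client role to system:unauthenticated."""
    found = []
    for b in bindings.get("items", []):
        if b.get("roleRef", {}).get("name") != TSB_CLIENT_ROLE:
            continue
        groups = {s.get("name") for s in b.get("subjects", []) if s.get("kind") == "Group"}
        if "system:unauthenticated" in groups:
            found.append(b["metadata"]["name"])
    return found


def audit(brokers, bindings):
    """Return (severity, message) findings for non-bearer TSB registrations and
    for anonymous grants that should be removed once bearer auth is in place."""
    findings = []
    for broker in brokers.get("items", []):
        if not is_template_broker(broker):
            continue
        mode = broker_auth_mode(broker)
        if mode != "bearer":
            findings.append(("HIGH", f"broker {broker['metadata']['name']}: registered with {mode} auth; "
                             "the TSB only accepts bearer tokens, so catalog fetches run as "
                             "system:anonymous and 403 unless anonymous access is granted"))
    for name in anonymous_tsb_grants(bindings):
        findings.append(("HIGH", f"clusterrolebinding {name}: grants {TSB_CLIENT_ROLE} to "
                         "system:unauthenticated; remove once the broker uses a bearer token"))
    return findings


def audit_json(brokers_text, bindings_text):
    """Convenience wrapper for raw `oc get ... -o json` output."""
    return audit(json.loads(brokers_text), json.loads(bindings_text))


if __name__ == "__main__":
    for severity, message in audit(SAMPLE_BROKERS, SAMPLE_BINDINGS):
        print(severity, message)
```

On a real cluster, feed it `oc get broker -o json` and `oc get clusterrolebinding -o json`; a clean result is a template broker in bearer mode and no binding on the TSB client role that names system:unauthenticated.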
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2017:3188