I have setup a local (debian) installation of spinnaker and everything looks fine. I had also setup the authentication as ldap and able to sign in as well.
For authorization, I am using the FILE and have already enabled.
However, When I am trying to select an account in the application which I have created, it does not list any of the accounts.
I checked the logs and I am getting the following error in the logs:
Request GET:http://localhost:7002/applications/samit-app/serverGroups?expand=false is missing [X-SPINNAKER-ACCOUNTS] authentication headers and will be treated as anonymous.
Also, the deck and gate URLs are overridden and are behind a nginx proxy.
Can someone help me here and let me know what part I am missing in this setup?
You must choose an Account provider to deploy to and set it as a new Account in Halyard.
Set up an Account provider
Related
I am trying to have users access Keycloak from a different hostname through a proxy. Instead of the actual AWS hostname aws.exampleurl.com:8080 I have a proxy which routes all traffic from example.hostname.com/auth to the AWS url. I am able to access the Keycloak welcome screen and kick off the administrator login (with failed CSS loads which I assume is due to the same issue but I'm not sure), but when I input a set of credentials I am told that there was no cookie found. I have the cookies set to allow all in my browser (Brave).
I have set the HOSTNAME_URL env var to example.hostname.com/auth, tried using a mixture of the HOSTNAME and HOSTNAME_PATH env vars. I have tried setting HOSTNAME_STRICT to false, but to no luck. I've tried restarting the service and restarting the database I have running with Keycloak but these changes have also not worked.
Any ideas on how to get this running correctly would be amazing. Let me know if more info is needed to reproduce.
I have configured a custom SAML app in Google Workspace and configured AWS Opensearch to use SP-initiated SSO.
I am able to access OpenSearch via the URL but I get the following error
Missing Role
No roles available for this user, please contact your system administrator.
I guess there are some SAML attribute mapping and group set up that are required. I've created an opensearch group in Google for users that I wish to have access.
I think the following AWS Opensearch parameters require a value
SAML master backend role
Subject key
Roles key
From what I can see, the issue is that you need to create a custom attribute inside the Admin console of Google Workspace with the "roles" for AWS Opensearch.
You can also read this information in the AWS documentation.
This was resolved using and IdP initiated authentication flow instead. The links posted in answers above helped us implement this.
I use this tutorial to deploy a business network on a free bluemix cluster: https://ibm-blockchain.github.io/
I also deploy the REST Server and communicate via Web apps.
All went fine till yesterday. The REST Server was not accessible anymore.
I deleted everything on the cluster using the script delete_all available in the ibm-container-service repository.
I followed the install procedure using the create_all script. I could access the composer playground (port 31080) again but was not really able to deploy an online business network using the "profile" hlfv1. Now it asks at the bottom of the "deploy UI" for credentials.
I don't know what to fill in. I tried to use ID+Password. On this way I was able to deploy but I got access error by clicking on "connect now". I was able to start the REST server then but if i try to access it in the browser (port 31090), I get the feedback that I'm not authorized.
Any ideas?
And do you know which changes have been made in the last month, which could bring these troubles?
Thx
Phil
The tutorial pointed to only covers playground when used with a Web Browser connection not a real fabric. When you deploy to a real fabric you have to provide an initial identity that you want bound to an initial participant in the business network. The initial participant will be of type org.hyperledger.composer.system.NetworkAdmin and given a name of the initial identity name you provide.
This dialog looks like this
To get you started you should select the ID and Secret radio button. Then for Enrollment ID enter admin and for the Enrollment Secret enter adminpw.
This is the name and secret of the bootstrap identity that exists in the fabric-ca server that has been deployed as part of the scripts.
By providing this information that identity will be enrolled and it's public certificate will be bound to a NetworkAdmin participant which will be called admin. This identity admin will then have access to the business network as only identities that are bound to a participant in the business network can have any sort of access.
Numerous forum posts and documentations specify extracting login info for the Kubernetes install from ~/.kube/config.
The problem I found: mine doesn't have a proper user account, it specifies a name and a token.
How do I get the account name so I can use the kubernetes-cockpit UI? Surprisingly there appears to be nothing on that topic - what to do if the config doesn't contain an account.
It depends on how you use Cockpit.
According to cockpit official page:
Used in a standard cockpit session:
If a user is able to use kubectl successfully when at their shell terminal, then that same user will able to use Kubernetes dashboard when logged into Cockpit
I suppose this is your scenario, so if you didn't change default settings, the cockpit will look for .kube/config itself, i.e. you should be able to login without specifying your account.
My target site needs AD auth to browse and use the admin portal. All is fine there. This means syncing to this server via username and password authentication doesn't work. Does this mean i need to enable x.509 authentication?
If you mean using the Staging Module, the staging module's "Username and password" really is not linked to the actual CMS Users. You can put whatever Username and Password on the Destination server, and connect to it from the Source.
x.509 is also fine.
Tell me if you aren't talking about the Staging Module though.
You may need to do 1 of 2 things:
Enable mixed mode authentication. Yes the overall authentication doesn't need to use a physical cms_user user but since you have AD Authentication enabled, anytime another user or service tries to access a system page it may require them to log in.
Create a web.config location node in your /CMSPages/Staging/web.config file that excludes anyone or everyone to access a the SyncServer.asmx page within there.
Otherwise configure the x.509 certificate setup.