cryostat-legacy
feat(openshift): replace TokenReview with User self-query
Fixes #782
Container image for operator integration/testing available at quay.io/andrewazores/cryostat:k8s-userinfo.
Currently, deploying that image using the existing mainline operator results in failing to log in with the following log:
INFO: Exception thrown
io.fabric8.kubernetes.client.KubernetesClientException: Failure executing: GET at: https://10.217.4.1/apis/user.openshift.io/v1/users/~. Message: Forbidden!Configured service account doesn't have access. Service account may have been revoked. users.user.openshift.io "~" is forbidden: User "kubeadmin" cannot get resource "users" in API group "user.openshift.io" at the cluster scope: scopes [user:check-access role:cryostat-operator-oauth-client:myproject] prevent this action.
at io.fabric8.kubernetes.client.dsl.base.OperationSupport.requestFailure(OperationSupport.java:639)
at io.fabric8.kubernetes.client.dsl.base.OperationSupport.assertResponseCode(OperationSupport.java:576)
at io.fabric8.kubernetes.client.dsl.base.OperationSupport.handleResponse(OperationSupport.java:543)
at io.fabric8.kubernetes.client.dsl.base.OperationSupport.handleResponse(OperationSupport.java:504)
at io.fabric8.kubernetes.client.dsl.base.OperationSupport.handleGet(OperationSupport.java:471)
at io.fabric8.kubernetes.client.dsl.base.OperationSupport.handleGet(OperationSupport.java:453)
at io.fabric8.kubernetes.client.dsl.base.BaseOperation.handleGet(BaseOperation.java:947)
at io.fabric8.kubernetes.client.dsl.base.BaseOperation.getMandatory(BaseOperation.java:221)
at io.fabric8.kubernetes.client.dsl.base.BaseOperation.get(BaseOperation.java:187)
at io.fabric8.kubernetes.client.dsl.base.BaseOperation.get(BaseOperation.java:86)
at io.fabric8.openshift.client.DefaultOpenShiftClient.currentUser(DefaultOpenShiftClient.java:766)
at io.cryostat.net.openshift.OpenShiftAuthManager.authenticateUserToken(OpenShiftAuthManager.java:428)
at io.cryostat.net.openshift.OpenShiftAuthManager.reviewToken(OpenShiftAuthManager.java:281)
at io.cryostat.net.openshift.OpenShiftAuthManager.validateToken(OpenShiftAuthManager.java:252)
at io.cryostat.net.openshift.OpenShiftAuthManager.validateHttpHeader(OpenShiftAuthManager.java:359)
at io.cryostat.net.openshift.OpenShiftAuthManager.getLoginRedirectUrl(OpenShiftAuthManager.java:217)
at io.cryostat.net.web.http.api.v2.AuthPostHandler.handle(AuthPostHandler.java:104)
at io.cryostat.net.web.http.api.v2.AbstractV2RequestHandler.handle(AbstractV2RequestHandler.java:120)
at io.cryostat.net.web.http.api.v2.AbstractV2RequestHandler.handle(AbstractV2RequestHandler.java:72)
at io.vertx.ext.web.impl.BlockingHandlerDecorator.lambda$handle$0(BlockingHandlerDecorator.java:48)
at io.vertx.core.impl.ContextImpl.lambda$null$0(ContextImpl.java:159)
at io.vertx.core.impl.AbstractContext.dispatch(AbstractContext.java:100)
at io.vertx.core.impl.ContextImpl.lambda$executeBlocking$1(ContextImpl.java:157)
at io.vertx.core.impl.TaskQueue.run(TaskQueue.java:76)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
at java.base/java.lang.Thread.run(Thread.java:833)
quay.io/andrewazores/cryostat:k8s-userinfo-2 has the user:info scope added. I don't get the log exception anymore, but logging in just loops back to the cluster SSO page now.
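Added example, not Cryostat's or the operator's own code: a small Python client that performs the same `users/~` self-query the log above shows `currentUser()` hitting, and classifies the API server's answer so that a valid OAuth token whose scopes omit `user:info` (the 403 in the log) is reported as an insufficient-scope condition rather than as a bad token. The endpoint path and the scope wording come from the log; the function and class names are assumptions.

```python
import json
import re
import ssl
import urllib.error
import urllib.request
from dataclasses import dataclass

# Self-query path that the OpenShift client's currentUser() call hits (from the log above).
SELF_QUERY_PATH = "/apis/user.openshift.io/v1/users/~"

# The API server names the token's scopes when a scoped OAuth token is denied.
_SCOPES_RE = re.compile(r"scopes \[([^\]]*)\] prevent this action")


@dataclass
class SelfQueryResult:
    outcome: str                 # authenticated | invalid_token | insufficient_scope | forbidden | error
    username: str = ""
    token_scopes: tuple = ()     # scopes the server reported on the token, if any


def classify_self_query(status: int, body: str) -> SelfQueryResult:
    """Interpret the API server's answer to GET users/~ for one bearer token."""
    if status == 200:
        name = json.loads(body).get("metadata", {}).get("name", "")
        return SelfQueryResult("authenticated", username=name)
    if status == 401:
        return SelfQueryResult("invalid_token")  # token unknown or expired
    if status == 403:
        m = _SCOPES_RE.search(body)
        if m:
            scopes = tuple(m.group(1).split())
            # A token that lacks user:info cannot read users/~ even though it is valid;
            # report that separately so the caller can fix the OAuth client scopes.
            if "user:info" not in scopes:
                return SelfQueryResult("insufficient_scope", token_scopes=scopes)
        return SelfQueryResult("forbidden")  # valid token, denied for another reason
    return SelfQueryResult("error")


def self_query(api_server: str, token: str, ca_file=None) -> SelfQueryResult:
    """Run the self-query against a live cluster (hypothetical helper, not Cryostat's own)."""
    req = urllib.request.Request(
        api_server + SELF_QUERY_PATH,
        headers={"Authorization": "Bearer " + token, "Accept": "application/json"},
    )
    ctx = ssl.create_default_context(cafile=ca_file)
    try:
        with urllib.request.urlopen(req, context=ctx) as resp:
            return classify_self_query(resp.status, resp.read().decode())
    except urllib.error.HTTPError as e:
        return classify_self_query(e.code, e.read().decode())
```

`classify_self_query` can be fed the status and body from any HTTP client, so the same classification works for the fabric8 `KubernetesClientException` message text.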