These are chat archives for spring-cloud/spring-cloud

27th Jul 2016
Ali Moghadam
@alighm
Jul 27 2016 05:16
@dsyer I hope you are doing well, I am using the configuration parameter in the @FeignClient in order to call a request interceptor. I was wondering if there is a way to access the name or even the url params of the @FeignClient annotation inside the interceptor…
Donovan Muller
@donovanmuller
Jul 27 2016 05:54

With regards to SCDF and SC Deployer. I'm looking into a Maven plugin for deploying apps with SC Deployer. At this point it's single/standalone apps (i.e. not stream/task definitions). The current deployer servers only support stream/task definitions in the DSL.

Is deploying standalone apps something that would be considered for SCDF? I.e. something like app register --name test --uri .... and then app deploy test.
Alternatively, is there any thinking around how to expose the deployers for generic app deployment? I.e. a "deployer server"?

The idea being the Maven plugin would invoke a resource on a "SCDF deployer server" like instance that would then use SC Deployer to deploy the app to the relevant environment (K8, etc.)
So, add functionality to SCDF to handle single app deployments (like stream/task controllers currently) or keep it separate, like a "deployer server" or something?
Ali Moghadam
@alighm
Jul 27 2016 08:15
@dsyer and @spencergibb, following my previous question, I want to see how it is possible to use the OAuth2FeignRequestInterceptor for multiple ResourceServers? I suppose this means having different OAuth2ProtectedResourceDetails for the OAuth2FeignRequestInterceptor based on different Clients. I hope I am making sense...
Dave Syer
@dsyer
Jul 27 2016 08:23
Each resource server is its own feign client, presumably?
Ali Moghadam
@alighm
Jul 27 2016 08:24
yup
that is correct
but they would share the same interceptor
Dave Syer
@dsyer
Jul 27 2016 08:24
@donovanmuller I'm not really sure, but it seems like you are outside the boundary of SCDF there. Ping @sabbyanandan.
Either all clients share the same interceptor, or you have to configure them individually.
If you put the interceptor in your main context it is shared
If you put it in the client child context, it is specific to the client.
but you don't want a shared interceptor because you want them all to have different OAuth2ProtectedResourceDetails
So I'd say you need a configuration per client
Ali Moghadam
@alighm
Jul 27 2016 08:26
I see
is there a way to get the name and the url params of the @FeignClient into the interceptor?
no I assume...
the reason I ask this is because, then based on the name of the client, inside the interceptor, I can do an API call and grab the ClientId and ClientSecret and create my OAuth2ProtectedResourceDetails dynamically

this way if I have the following:

@FeignClient(name = "sample1", configuration = ResourceServerFeignConfig.class)
@FeignClient(name = "sample2", configuration = ResourceServerFeignConfig.class)

Then inside the interceptor bean that I have defined inside the ResourceServerFeignConfig.class, I can use the name of the client and do a call to a custom API, on the Auth Service for example which I have created, to grab the ClientId and ClientSecret

Dave Syer
@dsyer
Jul 27 2016 08:57
the client secret is accessible to a public API?
Ali Moghadam
@alighm
Jul 27 2016 09:00
The API is protected itself
So how it works is, with every new service coming up, it automatically registers with the auth service and the secret is generated.
When a service wants to call APIs of the newly created service, it needs to get the clientID and secret from a custom API from the Auth Service. That custom API requires basic auth itself so not entirely open
Dave Syer
@dsyer
Jul 27 2016 09:11
That didn't make sense
Clients and resources aren't the same thing
I guess you can identify them manually
But your logic seems backwards if I understood
Ali Moghadam
@alighm
Jul 27 2016 09:13
Doesn't each Resource Server have ClientDetails with the Auth Service?
Dave Syer
@dsyer
Jul 27 2016 09:14
If I want to talk to a new service it makes sense that I need a new access token (with a new audience), but it doesn't make sense that I need a new secret
Ali Moghadam
@alighm
Jul 27 2016 09:15
No that is correct, what I am saying is when a new Resource Server is up, it first creates a ClientDetails with Auth
Now if other services need to communicate with it, they need the credentials (clientID and clientSecret)
Dave Syer
@dsyer
Jul 27 2016 09:16
Resource servers and clients are not the same thing. There is no need to do that. Unless you have some custom logic to validate the audience of your tokens in the auth server perhaps.
Client apps do not need an additional secret in order to be able to contact a new service
That's upside down
Ali Moghadam
@alighm
Jul 27 2016 09:19
I assumed that Resource Servers are registered with the Auth Server as Client Details
My assumption was that client details is the resource server
So a Sample Resource Server Microservice has a ClientDetails registered with Auth Service
Its clientID being sample and clientSecret being secret
And list of scopes and grant type of client_credentials
Dave Syer
@dsyer
Jul 27 2016 09:24
There's nothing stopping you from doing that
It's just not part of the resource server role in oauth
And you definitely have the secrets flowing the wrong way
Ali Moghadam
@alighm
Jul 27 2016 09:29
So the secret shouldn't be created by the Resource Service? Then whose responsibility is it to create the secret? I wanted to automate it so with every new service added, it registers a client details with the Auth and in doing so creates the secret
Dave Syer
@dsyer
Jul 27 2016 09:33
You don't need a secret in order to operate a resource server
If you want to create clients for all your resources you are free to do that
(you might find it useful when validating token requests)
Ali Moghadam
@alighm
Jul 27 2016 09:34
I see
Ali Moghadam
@alighm
Jul 27 2016 09:44
But please help me understand here, if 2 backend Microservices are communicating with one another, and both of them are protected meaning they are resource servers, if there is no client secret that is sent along with the clientID to get a token from the Auth service, then how is there any security? What I mean is, if I send the Auth service only the clientID and say please give me a token to use for service B, and the Auth service says ok here you go, how is that secure?
By the way, using JWT so the Resource Services can decrypt individually via the signing key
Dave Syer
@dsyer
Jul 27 2016 09:46
That's what I mean by custom validation
Your auth server might want to restrict access to service A by service B
It can do that by refusing to grant it a token
Ali Moghadam
@alighm
Jul 27 2016 09:47
Right...
Dave Syer
@dsyer
Jul 27 2016 09:47
But the token request is authenticated as service B.
It might have scope=A (for instance)
Ali Moghadam
@alighm
Jul 27 2016 09:48
Spring Security OAuth uses basic Auth for clientID and clientSecret
Dave Syer
@dsyer
Jul 27 2016 09:48
yes, but you have to get it straight who the client is
Ali Moghadam
@alighm
Jul 27 2016 09:49
Client is the Resource Service itself
My thought was that Service A would have the credentials of service B
So that it can get a service B token
Dave Syer
@dsyer
Jul 27 2016 09:56
That's really not a good idea
Service B secret should only be known to service B
Ali Moghadam
@alighm
Jul 27 2016 09:57
I see!!
That is where I am losing this entire understanding
Client Credentials means that service A calls Auth service to get a token for service A, now with that token I can't call service B, can I ?
ccit-spence
@ccit-spence
Jul 27 2016 10:07
@dsyer Do you know much about Consul and Consul Config?
Dave Syer
@dsyer
Jul 27 2016 10:25
Nope (to both of you)
@ccit-spence Spencer was in charge of consul. He's on PTO. Maybe @ryanjbaxter can help you when he wakes up.
@alighm service A can ask the auth server for any kind of token it wants (typically you constrain them with scope=...). A token it obtains from the auth server is not a "token for service A" in the sense that it is only valid when authenticating with service A. It is used by service A to contact other services (resources).
Each of them has to make an access decision (am I in the audience, does the scope of the token allow access to this resource, etc?)
ccit-spence
@ccit-spence
Jul 27 2016 10:32
@dsyer ok, thanks. I will try later
turick
@turick
Jul 27 2016 11:38
@dsyer -- I'm still trying to wrap my head around this spring session issue. Thinking about what you said yesterday about cookies, as long as i'm behind zuul, the client will always see the domain for the cookie as the zuul server for both the zuul server itself and the microservice behind it.
for the life of me, i cannot get my microservice to share the session with the authenticated session created in zuul
should i leave Cookie and Set-Cookie as sensitive headers in zuul, or do i want those headers to be able to be passed around?
turick
@turick
Jul 27 2016 11:48
hmm i think i may be onto something. i definitely need to exclude *Cookie from sensitiveHeaders in zuul. but now, when I try to hit an endpoint, zuul prompts me for credentials, then tries to forward me to the microservice, which results in an HTTP 500 due to an NPE because i'm trying to print out the principal info in my controller and it can't find it.
if i hit refresh, the page loads just fine and the microservice sees me as "admin"
looking at the traces, the cookie header is not being passed to the microservice in the first request after i authenticate. on the second request, when i refresh, it is
and everything works.... hmmm.....
Fabian Wallwitz
@cforce
Jul 27 2016 12:10
what would be a good approach for wrapping (@ExceptionHandler / @ControllerAdvice) server side exceptions and unwrapping the same exception (class imported from api project) on client side using Feign ErrorDecoder?
i thought about using VndError, but that has no explicit "ERROR_ID" on board, so i could map and serialize/deserialize the exception via the wire using this ID..
The disadvantage of "only" using "Bad Request" (400) for all kind of errors is being not able to distinguish on server side
Fabian Wallwitz
@cforce
Jul 27 2016 12:49
How can i extend the default FeignClientConfiguration towards an enhanced ErrorDecoder?
Marcos Barbero
@marcosbarbero
Jul 27 2016 14:41

@dsyer I’m playing with ConfigServer and multi repo but I’m facing an issue with the health-check, let me know if it's an expected behaviour or not. In the method ConfigClientProperties#override there is this source code:

override.setName(
                environment.resolvePlaceholders("${" + ConfigClientProperties.PREFIX
                        + ".name:${spring.application.name:application}}"));

On the bootstrap phase it works fine and the name is set right, but on health check it always returns application. This behaviour causes an issue on the configserver health check because there is no prefix in the request, which makes the configserver look up in the default repo. It works fine if the default repo and the team-a-* repo have the same labels, but if they don’t we face a 404 status code.
E.g:

  • team-a-* repo has a branch named production
  • default repo has no branch named production, it uses master as production

Once the request happens it just gives a 404 because the branch (and of course the file) doesn’t exist.
I can be wrong, but I think the health check should make the same request as the bootstrap phase
Dave Syer
@dsyer
Jul 27 2016 15:14
Maybe open an issue in github?
Marcos Barbero
@marcosbarbero
Jul 27 2016 15:39
Sure, but if it’s not an expected behaviour I can work on a PR
Marcos Barbero
@marcosbarbero
Jul 27 2016 16:12
spring-cloud-config repo is not building on master branch
I just made a clone and mvn clean install -U
[INFO] spring-cloud-config-server ......................... FAILURE [ 47.634 s]
Dave Syer
@dsyer
Jul 27 2016 16:13
@ryanjbaxter was hacking on the Vault bits. I thought he got it working. (You didn't say very much about what the problem is.)
Marcos Barbero
@marcosbarbero
Jul 27 2016 16:14
Here we go
Tests in error:
  shouldDecryptEnvironment(org.springframework.cloud.config.server.encryption.CipherEnvironmentEncryptorTests): Unable to initialize due to invalid secret key
  shouldDecryptEnvironmentWithKey(org.springframework.cloud.config.server.encryption.CipherEnvironmentEncryptorTests): Unable to initialize due to invalid secret key
  shouldEncryptUsingApplicationAndProfiles(org.springframework.cloud.config.server.encryption.EncryptionControllerMultiTextEncryptorTests): Unable to initialize due to invalid secret key
  appAndProfile(org.springframework.cloud.config.server.encryption.EncryptionControllerTests): Unable to initialize due to invalid secret key
  sunnyDayRsaKey(org.springframework.cloud.config.server.encryption.EncryptionControllerTests): Unable to initialize due to invalid secret key
  formDataIn(org.springframework.cloud.config.server.encryption.EncryptionControllerTests): Unable to initialize due to invalid secret key
  addEnvironment(org.springframework.cloud.config.server.encryption.EncryptionControllerTests): Unable to initialize due to invalid secret key
  formDataInWithPrefix(org.springframework.cloud.config.server.encryption.EncryptionControllerTests): Unable to initialize due to invalid secret key
  testDifferentKeyDefaultSecret(org.springframework.cloud.config.server.encryption.KeyStoreTextEncryptorLocatorTests): Unable to initialize due to invalid secret key
  testDifferentKeyAndSecret(org.springframework.cloud.config.server.encryption.KeyStoreTextEncryptorLocatorTests): Unable to initialize due to invalid secret key
  testDefaults(org.springframework.cloud.config.server.encryption.KeyStoreTextEncryptorLocatorTests): Unable to initialize due to invalid secret key

Tests run: 167, Failures: 0, Errors: 11, Skipped: 1
Dave Syer
@dsyer
Jul 27 2016 16:16
Do you have the JCE extensions in your JDK?
That looks like a bunch of crypto failures
(i.e. expected)
Marcos Barbero
@marcosbarbero
Jul 27 2016 16:16
Let me check, but I think so.. once I’m playing with JCE for my own config-server
I’ll verify that anyway
Marcos Barbero
@marcosbarbero
Jul 27 2016 16:26
My bad… it was the JCE, I updated my JDK last week and forgot about the JCE
[INFO] BUILD SUCCESS
Luke Shannon
@lshannon
Jul 27 2016 16:27
How are people doing CI with Config Server? Since wiring it up, my tests require the config server running for values to be populated and tests to run successfully. Is there a way to mock config server?
Marcos Barbero
@marcosbarbero
Jul 27 2016 16:28
In my opinion your build shouldn’t depend on configserver at all
your CI is running integration tests? What's your scenario?
Luke Shannon
@lshannon
Jul 27 2016 16:31
my maven tests are failing, one sec, will grab the error
basically it can't resolve the variable that is being populated via @Value
Marcos Barbero
@marcosbarbero
Jul 27 2016 16:31
it is unit tests, right?
Luke Shannon
@lshannon
Jul 27 2016 16:31
correct
Marcos Barbero
@marcosbarbero
Jul 27 2016 16:32
Well, in that case I think your application may be capable of resolving those values without reaching the configserver at all for the build phase
You may turn off configserver in test phase and provide a minimal configuration to make the application work without external dependency
Luke Shannon
@lshannon
Jul 27 2016 16:35
Could not resolve placeholder 'edge.url' in string value "${edge.url}"
so that is my error
these are coming from config server
Marcos Barbero
@marcosbarbero
Jul 27 2016 16:36
That’s what I’m saying, for test phase e.g: unit tests, you may not reach the configserver
Luke Shannon
@lshannon
Jul 27 2016 16:36
right ... :-)
i am hoping there is someway i can work around that
Marcos Barbero
@marcosbarbero
Jul 27 2016 16:38
create an application.yml and a bootstrap.yml in /src/test/resources, turn off the configserver configuration and provide the minimal configuration to make your build work without external dependency
Luke Shannon
@lshannon
Jul 27 2016 16:38
ah, got it!
so i define those in my test resources and turn off config
Marcos Barbero
@marcosbarbero
Jul 27 2016 16:39
yeah! that’s it :)
Luke Shannon
@lshannon
Jul 27 2016 16:39
i should have thought of that :-)
thanks man
Marcos Barbero
@marcosbarbero
Jul 27 2016 16:39
Unit tests should not depend on any external resource, because it’s unit hehehe
Luke Shannon
@lshannon
Jul 27 2016 16:39
:-)
so true, thanks again!
Marcos Barbero
@marcosbarbero
Jul 27 2016 16:40
Maybe in integration tests you can reach configserver, but not in unit tests phase
turick
@turick
Jul 27 2016 18:08
just thought i'd throw out my solution for zuul with security + spring session, if anybody is interested
quick recap on my issue: i could authenticate on the zuul service with basic auth, but after being proxied to the actual service, it would not be able to find my session in redis. if i refreshed, it would find my session in redis.
the issue was that my zuul service wouldn't write the session to redis until after the http request was complete, so when my actual service downstream got the request, the session hadn't been written yet
i had to up my version of spring session to the latest, where the RedisOperationsSessionRepository class now has a "setRedisFlushMode" method. one of the options is "IMMEDIATE", so that any property change to the session will trigger a write to redis
then i set up a ZuulFilter to check if the "cookie" header is present in the incoming request. If it isn't, it means it's the first request and I add a zuul request header with the session ID, which in turn triggers the writing of the session to redis.
now on the very first request, i can authenticate, have the session written, and all back-end services will properly pick up the session.
Dave Syer
@dsyer
Jul 27 2016 18:28
Good
I think that's even why the IMMEDIATE flag exists
turick
@turick
Jul 27 2016 18:30
indeed. dependency management for the project was giving me version 1.0.2 on spring session and it didn't exist in that version. i had to override the version up to 1.2.1 to get the benefit :)
off to buy some new clothes for springone in vegas next week! thanks for your help @dsyer
Marcos Barbero
@marcosbarbero
Jul 27 2016 22:43
@dsyer I’ve made a pull request regarding the issue with multi repo on configserver, anyhow it has failed on travis and I’m not finding out what’s the problem. Could you help me out? Once I find the problem I can fix it and resend the PR spring-cloud/spring-cloud-config#457