Wilma pep proxy and keystone - valid access token not found


Problem description

I have Wilma redirecting valid requests to Orion, but no messages are reaching it, as I always get "Access Token not found" from Wilma. The account entered in the Wilma config file is the admin account of Keystone. From the OpenStack API docs, I request tokens using the request below.

curl -i \
  -H "Content-Type: application/json" \
  -d '
{ "auth": {
    "identity": {
      "methods": ["password"],
      "password": {
        "user": {
          "name": "userAdmin",
          "domain": { "id": "default" },
          "password": "pw"
        }
      }
    }
  }
}' \
  http://130.206.115.xxx:5000/v3/auth/tokens ; echo

I think I get a valid token because direct requests to Keystone using curl with x-auth-token work fine.

Then I try to curl from my computer

curl --header "X-Auth-Token:$TOKEN" <ipOfWilma>:80/v2/entities

And get as an answer: "User token not authorized". Wilma reports on console

[TOKEN] Checking token with IDM...
User access-token not authorized
Auth-token not found in request header

Keystone reports the same

"GET /v3/access-tokens/90ecf18114164f98b25668b9a940eb44 HTTP/1.1" 404

Why am I getting this access token not found when going through Wilma but not for direct requests?

I also tried requesting domain-scoped tokens but received the same error.

Recommended answer

Ok, I think I got it. There are 2 things to consider:

  1. The error Wilma is returning is Auth-token not found in request header, which makes me think that somehow you are not sending the --header 'X-Auth-Token: <x-auth-token>' well. Make sure your value is getting parsed well (as I see you use a parameter).

  2. The token that you retrieve from Keystone is a keystone token, and not intended for what you need. To access a protected resource, you need to use the Oauth-token. It can be a bit confusing in the beginning, but if you think about it, it all makes sense. Check the Open Specification for better understanding.

So, at this point, I'll assume that you already have configured your APP in the Keyrock instance and that you are able to retrieve both the client_secret and client_id. Now you have 2 ways to retrieve the Oauth Token, as stated in the Fi-ware-Idm wiki:

  1. Authorization Code Grant. You have a simple example here, just configure the config.js according to your requirements.

  2. Resource Owner Password Credentials Grant, which is easier to retrieve for simple requests (in my opinion). For this case we have a simple script in bash here. Just make sure you replace the CLIENT_ID, CLIENT_SECRET, and the host (or IP) in the REQUEST according to your requirements. Then, just run:

sh auth-token.sh <user-email> <password>

And then you should be able to retrieve the token. With that token and, if the resource is authorized in the Authzforce, everything should work.

Finally, if you are into docker and want to give it a try, we have a workaround using docker and docker-compose that uses the Generic Enablers you are working with. For example, you can find here the documentation of PEP Wilma and how to run it (it's very simple).

Let me know if you have any doubts.
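
The Resource Owner Password Credentials flow described in the answer, as an added example that is not the auth-token.sh script the answer links to and not code from the original post. IDM_URL, CLIENT_ID, CLIENT_SECRET, the /oauth2/token path and the sample response are assumptions or constructed values; the function names are hypothetical.

```shell
#!/bin/sh
# Added example; not the auth-token.sh script linked in the answer.
# Assumptions: IDM_URL, CLIENT_ID and CLIENT_SECRET are placeholders, and
# /oauth2/token is assumed to be the token endpoint of the Keyrock instance.
IDM_URL="${IDM_URL:-https://idm.example.invalid}"
CLIENT_ID="${CLIENT_ID:-REPLACE_WITH_CLIENT_ID}"
CLIENT_SECRET="${CLIENT_SECRET:-REPLACE_WITH_CLIENT_SECRET}"

# Constructed sample of a successful token response (not real output).
SAMPLE_RESPONSE='{"access_token":"c0nstructedSampleToken123","token_type":"Bearer","expires_in":3600,"refresh_token":"c0nstructedRefresh456"}'

# Resource Owner Password Credentials grant (RFC 6749, section 4.3):
# the application authenticates with HTTP Basic, the user with form fields.
request_token() {   # usage: request_token <user-email> <password>
  curl -sS -u "${CLIENT_ID}:${CLIENT_SECRET}" \
    --data-urlencode "grant_type=password" \
    --data-urlencode "username=$1" \
    --data-urlencode "password=$2" \
    "${IDM_URL}/oauth2/token"
}

# Read the JSON token response on stdin and print its access_token.
# Returns non-zero when the field is absent, e.g. on an error response.
extract_access_token() {
  tok=$(tr -d '\r\n' |
    sed -n 's/.*"access_token"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p')
  [ -n "$tok" ] || return 1
  printf '%s\n' "$tok"
}

# Build the header Wilma reads. Refuse an empty value (unset variable) or one
# carrying whitespace or control characters such as a trailing carriage return.
auth_header() {
  case "$1" in
    ''|*[!A-Za-z0-9._~+/=-]*) return 1 ;;
  esac
  printf 'X-Auth-Token: %s\n' "$1"
}

# When run with two arguments, fetch a token and print the header for curl.
if [ "$#" -eq 2 ]; then
  token=$(request_token "$1" "$2" | extract_access_token) ||
    { echo "no access_token in IdM response" >&2; exit 1; }
  auth_header "$token"
fi
```

The auth_header check covers the first point of the answer: an empty $TOKEN or one with a stray carriage return is rejected locally instead of reaching Wilma as a malformed header.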
