运行 WSO2 AM 2.1.0 的网关节点上的 WSO2 身份验证失败 [英] WSO2 Authentication failure on gateway node running WSO2 AM 2.1.0
问题描述
在使用 WSO2 AM 1.10.0 之后,我们现在正在为我们的 WSO2 集群评估 AM 2.1.0.集群有两种类型的节点:
- 管理节点:一套完整的 WSO2 AM 产品.
- 工作节点:仅运行网关 (-DworkerNode=true -Dprofile=gateway-worker)
在管理节点,一切正常.我能够创建一个租户 (0000s7.com) 和一个 API,并运行它(我将 GET 动词定义为未经身份验证,因此不需要订阅):
$ curl http://localhost:8280/t/0000s7.com/ofer1/1.0.0{ ...有效响应... }
在工作节点:
当我使用 WSClient 时,我在日志中收到以下错误:
TID: [-1234] [] [2018-02-06 07:26:48,893] 错误 {org.apache.axis2.transport.http.AxisServlet} -{org.apache.axis2.transport.http.AxisServlet} java.lang.NullPointerException在 org.apache.synapse.rest.RESTUtils.getFullRequestPath(RESTUtils.java:80)在 org.apache.synapse.rest.API.canProcess(API.java:223)在 org.apache.synapse.rest.RESTRequestHandler.dispatchToAPI(RESTRequestHandler.java:97)在 org.apache.synapse.rest.RESTRequestHandler.process(RESTRequestHandler.java:69)在 org.apache.synapse.core.axis2.Axis2SynapseEnvironment.injectMessage(Axis2SynapseEnvironment.java:304)
我也试过 ThriftClient,我在日志中得到了一个不同的错误:
TID: [1] [] [2018-02-06 08:01:29,527] @0000s7.com [1] [AM]警告 {org.wso2.carbon.apimgt.gateway.handlers.security.thrift.ThriftKeyValidatorClient} -登录失败.. 再次验证..{org.wso2.carbon.apimgt.gateway.handlers.security.thrift.ThriftKeyValidatorClient}
在这两种情况下,API 调用都以
结束<ams:code>900900</ams:code><ams:message>未分类的认证失败</ams:message><ams:description>访问后端服务以进行 API 密钥验证时出错</ams:description></ams:fault>
更改的快速摘要.目前我离开 WSClient 版本运行:
管理节点(内部 IP 10.1.0.7)
./repository/conf/api-manager.xml
<块引用>WSClient <ThriftClientConnectionTimeOut>10000</ThriftClientConnectionTimeOut><ThriftClientPort>10397</ThriftClientPort><EnableThriftServer>false</EnableThriftServer><ThriftServerHost>10.1.0.7</ThriftServerHost><ThriftServerPort>10397</ThriftServerPort>./repository/conf/carbon.xml
10.1.0.7 <MgtHostName>10.1.0.7</MgtHostName>
- ./repository/conf/registry.xml
- ./repository/conf/user-mgt.xml
对 MySQL 数据库采用的小改动
- ./repository/conf/axis2/axis2.xml
<property name="port.mapping.80" value="9763"/><property name="port.mapping.443" value="9443"/>
- ./repository/conf/datasources/master-datasources.xml
更改为使用 MySQL 与 RDS 一起使用.我正在使用四个数据库:o regdb_21(共享"注册表"Ø apiimgtdb_21o 用户数据库_21Ø msgbrokerdb_21此外,统计数据库和本地注册表在 H2 中维护.
工作节点(内部 IP 10.1.0.150)
- ./bin/wso2server.sh
-DworkerNode=true \-Dprofile=网关工作者\
- ./repository/conf/api-manager.xml
WSClient <ThriftClientPort>10397</ThriftClientPort><ThriftClientConnectionTimeOut>10000</ThriftClientConnectionTimeOut><ThriftServerHost>10.1.0.7</ThriftServerHost><ThriftServerPort>10397</ThriftServerPort><EnableThriftServer>false</EnableThriftServer><JMSConnectionDetails><启用>假</启用>…加上 JMS IP 到管理器 IP 地址的一些更改(10.1.0.7)
- ./repository/conf/carbon.xml
10.1.0.150 <MgtHostName>10.1.0.150</MgtHostName>
- ./repository/conf/registry.xml
- ./repository/conf/user-mgt.xml
对 MySQL 数据库采用的小改动
- ./repository/conf/axis2/axis2.xml
<property name="port.mapping.443" value="9443"/>
- ./repository/conf/datasources/master-datasources.xml
与 manager 相同
- ./repository/conf/broker.xml
- ./repository/conf/event-broker.xml
- ./repository/conf/jndi.properties
- ./repository/conf/messaging-event-broker.xml
IP 从 localhost 更改为 10.1.0.7
完整的日志
由于 Keymanager 组件位于管理器节点中,因此您必须将 worker 的
更改为指向管理器节点.
如果您在 wso2server.sh
文件中有 -Dorg.wso2.ignoreHostnameVerification=true \
,则应该忽略主机名验证.
After working with WSO2 AM 1.10.0, we're now evaluating AM 2.1.0 for our WSO2 cluster. The cluster has two types of nodes:
- A manager node: a complete set of WSO2 AM products.
- A worker node: which runs only the gateway (-DworkerNode=true -Dprofile=gateway-worker)
At the manager node, everything works ok. I am able to create a tenant (0000s7.com) and an API, and run it (I defined the GET verb to be unauthenticated, so no subscription is needed):
$ curl http://localhost:8280/t/0000s7.com/ofer1/1.0.0
{ ...valid response... }
At the worker node:
When I’m working with WSClient, I get the following error in the log:
TID: [-1234] [] [2018-02-06 07:26:48,893] ERROR {org.apache.axis2.transport.http.AxisServlet} -
{org.apache.axis2.transport.http.AxisServlet} java.lang.NullPointerException
at org.apache.synapse.rest.RESTUtils.getFullRequestPath(RESTUtils.java:80)
at org.apache.synapse.rest.API.canProcess(API.java:223)
at org.apache.synapse.rest.RESTRequestHandler.dispatchToAPI(RESTRequestHandler.java:97)
at org.apache.synapse.rest.RESTRequestHandler.process(RESTRequestHandler.java:69)
at org.apache.synapse.core.axis2.Axis2SynapseEnvironment.injectMessage(Axis2SynapseEnvironment.java:304)
I also tried ThriftClient, with it I get a different error in the log:
TID: [1] [] [2018-02-06 08:01:29,527] @0000s7.com [1] [AM]
WARN {org.wso2.carbon.apimgt.gateway.handlers.security.thrift.ThriftKeyValidatorClien t} -
Login failed.. Authenticating again..{org.wso2.carbon.apimgt.gateway.handlers.security.thrift.ThriftKeyValidatorClient}
In both cases, API call ends with
<ams:fault xmlns:ams="http://wso2.org/apimanager/security">
<ams:code>900900</ams:code><ams:message>Unclassified Authentication Failure</ams:message>
<ams:description>Error while accessing backend services for API key validation</ams:description>
</ams:fault>
Quick summary of changes. Currently I left the WSClient version to run:
Manager Node (internal IP 10.1.0.7)
./repository/conf/api-manager.xml
<KeyValidatorClientType>WSClient</KeyValidatorClientType> <ThriftClientConnectionTimeOut>10000</ThriftClientConnectionTimeOut> <ThriftClientPort>10397</ThriftClientPort> <EnableThriftServer>false</EnableThriftServer> <ThriftServerHost>10.1.0.7</ThriftServerHost> <ThriftServerPort>10397</ThriftServerPort>
./repository/conf/carbon.xml
<HostName>10.1.0.7</HostName> <MgtHostName>10.1.0.7</MgtHostName>
- ./repository/conf/registry.xml
- ./repository/conf/user-mgt.xml
Minor changes to adopt to the MySQL DB
- ./repository/conf/axis2/axis2.xml
<property name="subDomain" value="mgt"/> <property name="port.mapping.80" value="9763"/> <property name="port.mapping.443" value="9443"/>
- ./repository/conf/datasources/master-datasources.xml
Changed to work with RDS using MySQL. I'm using four databases: o regdb_21 (the "shared" registry" o apimgtdb_21 o userdb_21 o msgbrokerdb_21 In addition, stats DB and local registry are maintained in H2.
Worker Node (Internal IP 10.1.0.150)
- ./bin/wso2server.sh
-DworkerNode=true \ -Dprofile=gateway-worker \
- ./repository/conf/api-manager.xml
<KeyValidatorClientType>WSClient</KeyValidatorClientType> <ThriftClientPort>10397</ThriftClientPort> <ThriftClientConnectionTimeOut>10000</ThriftClientConnectionTimeOut> <ThriftServerHost>10.1.0.7</ThriftServerHost> <ThriftServerPort>10397</ThriftServerPort> <EnableThriftServer>false</EnableThriftServer> <JMSConnectionDetails> <Enabled>false</Enabled> … Plus some changes of JMS IP to the IP address of the manager (10.1.0.7)
- ./repository/conf/carbon.xml
<HostName>10.1.0.150</HostName> <MgtHostName>10.1.0.150</MgtHostName>
- ./repository/conf/registry.xml
- ./repository/conf/user-mgt.xml
Minor changes to adopt to the MySQL DB
- ./repository/conf/axis2/axis2.xml
<property name="port.mapping.80" value="9763"/> <property name="port.mapping.443" value="9443"/>
- ./repository/conf/datasources/master-datasources.xml
Same as in manager
- ./repository/conf/broker.xml
- ./repository/conf/event-broker.xml
- ./repository/conf/jndi.properties
- ./repository/conf/messaging-event-broker.xml
Changes in IP from localhost to 10.1.0.7
Complete logs
- Manager: http://thatsitradio.com/logs1/manager.html
- Worker: http://thatsitradio.com/logs1/worker.html
Since the Keymanager components are in manager node, you have to change <APIKeyValidator>
of the worker to point to manager node.
If you have -Dorg.wso2.ignoreHostnameVerification=true \
in wso2server.sh
file, that should ignore the hostname validation.
这篇关于运行 WSO2 AM 2.1.0 的网关节点上的 WSO2 身份验证失败的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!