Unable to create/register user in Auth

[pmacik]

Expected behavior

I'm trying to create/register a new user (that already exists in RHD) in the auth service using POST /api/users using a service account token, so I could log it in and get token for secured endpoint calls (for the purposes of contract testing)

The actual code I used to create the user in auth is here.

This worked before the cluster service started to be called: (probably) #745

Actual behavior

When calling the POST /api/users endpoint with a valid service account token, the following error is returned:

{"errors":[{"code":"unknown_error","detail":"Post http://f8cluster/api/clusters/identities: dial tcp: lookup f8cluster on 10.38.5.26:53: no such host","status":"500","title":"Unknown error"}]}

Steps to reproduce the problem

1. Start local instance of auth service in dev mode: make dev
2. Once started (at http://localhost:8089) call

POST /api/users
Content-Type: application/json
Authorization: Bearer <SERVICE_ACCOUNT_TOKEN>

{
  "data": {
    "attributes": {
      "bio": "Contract testing user account",
      "cluster": "https://api.starter-us-east-2a.openshift.com/",
      "username": "osio-ci-contract1",
      "email": "[email protected]",
      "rhd_user_id": <UUID4>
    },
    "type": "identities"
  }
}

Specifications

• Which version of fabric8-auth are you running?
  master branch from GH
• Which operating system do you use?
  Fedora 28 x86_64

[xcoulon]

@pmacik are you running auth service locally (as I assume, since you mentioned a http://localhost:8089 URL). So, did you deploy cluster service locally as well? By default, if you don't specify an AUTH_CLUSTER_URL_SHORT env var, it defaults to http://f8cluster as specified in https://github.com/pmacik/fabric8-auth/blob/master/configuration/configuration.go#L569

[pmacik]

@xcoulon Yes, that's right, I'm running the auth locally, via make dev.

I tried to run cluster service locally (assuming you mean fabric8-services/fabric8-cluster) too, (also using it's own make dev).

But when the auth is starting, I get:

$ AUTH_CLUSTER_URL_SHORT="http://localhost:8087" make dev

...
13:55:54 app         | time="2019-02-05 13:55:54" level=error msg="unable to get clusters from Cluster Management Service" file="/home/pmacik/.go/src/github.com/fabric8-services/fabric8-auth/cluster/service/cache.go" func="github.com/fabric8-services/fabric8-auth/cluster/service.(*cache).fetchClusters" line=108 pid=18034 pkg="cluster/service" req_id= response_body="{\"errors\":[{\"code\":\"token_validation_failed\",\"detail\":\"token is invalid\",\"id\":\"gI0u7Xol\",\"status\":\"401\",\"title\":\"Unauthorized\"}]}\n" response_status="401 Unauthorized" 
13:55:54 app         | time="2019-02-05 13:55:54" level=warning msg="failed to fetch clusters" err="unable to get clusters from Cluster Management Service. Response status: 401 Unauthorized. Response body: {\"errors\":[{\"code\":\"token_validation_failed\",\"detail\":\"token is invalid\",\"id\":\"gI0u7Xol\",\"status\":\"401\",\"title\":\"Unauthorized\"}]}\n" file="/home/pmacik/.go/src/github.com/fabric8-services/fabric8-auth/main.go" func=main.main pkg=main
...

Later when I try to register a new user I get:

...
14:4:19 app         | time="2019-02-05 14:04:19" level=info msg="request started" POST="/api/token" action=Exchange ctrl=token from="::1" pkg=log.LogRequest.func1 req_id=yzyPT6d1Mb-1 
14:4:19 app         | time="2019-02-05 14:04:19" level=info msg="request headers" Accept-Encoding=[gzip] Content-Length=[111] Content-Type=[application/json] User-Agent=[Go-http-client/1.1] pkg=log.LogRequest.func1 req_id=yzyPT6d1Mb-1 
14:4:19 app         | time="2019-02-05 14:04:19" level=info msg=payload pkg=log.LogRequest.func1 raw="{\"client_id\":\"f867ec72-3171-4b8f-8eec-90a32eab6e0b\",\"client_secret\":\"secret\",\"grant_type\":\"client_credentials\"}" req_id=yzyPT6d1Mb-1 
14:4:19 app         | time="2019-02-05 14:04:19" level=info msg="request started" POST="/api/token" action=Exchange ctrl=token from="::1" pkg=log.LogRequest.func1 req_id=yzyPT6d1Mb-1 
14:4:19 app         | time="2019-02-05 14:04:19" level=info msg="request headers" Accept-Encoding=[gzip] Content-Length=[111] Content-Type=[application/json] User-Agent=[Go-http-client/1.1] pkg=log.LogRequest.func1 req_id=yzyPT6d1Mb-1 
14:4:19 app         | time="2019-02-05 14:04:19" level=info msg=payload pkg=log.LogRequest.func1 raw="{\"client_id\":\"f867ec72-3171-4b8f-8eec-90a32eab6e0b\",\"client_secret\":\"secret\",\"grant_type\":\"client_credentials\"}" req_id=yzyPT6d1Mb-1 
14:4:19 app         | time="2019-02-05 14:04:19" level=info msg=completed action=Exchange bytes=766 ctrl=token duration=81.568882 duration_unit=ms pkg=log.LogRequest.func1 req_id=yzyPT6d1Mb-1 status=200 
14:4:19 app         | time="2019-02-05 14:04:19" level=info msg=completed action=Exchange bytes=766 ctrl=token duration=81.80247899999999 duration_unit=ms pkg=log.LogRequest.func1 req_id=yzyPT6d1Mb-1 status=200 
14:4:19 app         | time="2019-02-05 14:04:19" level=info msg="request started" POST="/api/users" action=create ctrl=UsersController from="::1" pkg=log.LogRequest.func1 req_id=yzyPT6d1Mb-2 
time="2019-02-05 14:04:19" level=info msg="request headers" Accept-Encoding=[gzip] Authorization=[Bearer ********] Content-Length=[264] Content-Type=[application/json] User-Agent=[Go-http-client/1.1] pkg=log.LogRequest.func1 req_id=yzyPT6d1Mb-2 
14:4:19 app         | time="2019-02-05 14:04:19" level=info msg=payload pkg=log.LogRequest.func1 raw="{\"data\":{\"attributes\":{\"bio\":\"Contract testing user account\",\"cluster\":\"https://api.starter-us-east-2a.openshift.com/\",\"email\":\"[email protected]\",\"rhd_user_id\":\"8ca349c8-2946-11e9-b7f4-8c1645a90e98\",\"username\":\"osio-ci-contract1\"},\"type\":\"identities\"}}" req_id=yzyPT6d1Mb-2 
14:4:19 app         | time="2019-02-05 14:04:19" level=info msg="request started" POST="/api/users" action=create ctrl=UsersController from="::1" identity_id=f867ec72-3171-4b8f-8eec-90a32eab6e0b pkg=log.LogRequest.func1 req_id=yzyPT6d1Mb-2 
14:4:19 app         | time="2019-02-05 14:04:19" level=info msg="request headers" Accept-Encoding=[gzip] Authorization=[Bearer ********] Content-Length=[264] Content-Type=[application/json] User-Agent=[Go-http-client/1.1] identity_id=f867ec72-3171-4b8f-8eec-90a32eab6e0b pkg=log.LogRequest.func1 req_id=yzyPT6d1Mb-2 
14:4:19 app         | time="2019-02-05 14:04:19" level=info msg=payload identity_id=f867ec72-3171-4b8f-8eec-90a32eab6e0b pkg=log.LogRequest.func1 raw="{\"data\":{\"attributes\":{\"bio\":\"Contract testing user account\",\"cluster\":\"https://api.starter-us-east-2a.openshift.com/\",\"email\":\"[email protected]\",\"rhd_user_id\":\"8ca349c8-2946-11e9-b7f4-8c1645a90e98\",\"username\":\"osio-ci-contract1\"},\"type\":\"identities\"}}" req_id=yzyPT6d1Mb-2 
14:4:19 app         | time="2019-02-05 14:04:19" level=info msg="Identity created!" identity_id=02b422ba-514d-4e49-a8a7-f7fb6c30bf5d pkg="authentication/account/repository" req_id=yzyPT6d1Mb-2 
14:4:19 app         | time="2019-02-05 14:04:19" level=info msg="configuring a new service factory with 0 options" pkg="application/service/factory" 
14:4:19 app         | time="2019-02-05 14:04:19" level=info msg=started POST="http://localhost:8087/api/clusters/identities" id=yzyPT6d1Mb-2 req_id=AgOFaguG 
14:4:19 app         | time="2019-02-05 14:04:19" level=info msg=completed id=yzyPT6d1Mb-2 req_id=AgOFaguG status=401 time="909.677µs" 
14:4:19 app         | time="2019-02-05 14:04:19" level=error msg="unable to link identity to cluster in cluster management service" cluster_url="https://api.starter-us-east-2a.openshift.com/" file="/home/pmacik/.go/src/github.com/fabric8-services/fabric8-auth/cluster/service/cluster.go" func="github.com/fabric8-services/fabric8-auth/cluster/service.(*clusterService).LinkIdentityToCluster" identity_id=02b422ba-514d-4e49-a8a7-f7fb6c30bf5d line=106 pid=27881 pkg="cluster/service" req_headers=map[Accept-Encoding:[gzip] User-Agent:[Go-http-client/1.1] Content-Length:[264] Authorization:***** Content-Type:[application/json]] req_id=yzyPT6d1Mb-2 req_payload="{\"data\":{\"attributes\":{\"bio\":\"Contract testing user account\",\"cluster\":\"https://api.starter-us-east-2a.openshift.com/\",\"email\":\"[email protected]\",\"rhd_user_id\":\"8ca349c8-2946-11e9-b7f4-8c1645a90e98\",\"username\":\"osio-ci-contract1\"},\"type\":\"identities\"}}" response_body="{\"errors\":[{\"code\":\"token_validation_failed\",\"detail\":\"token is invalid\",\"id\":\"MdayjjRO\",\"status\":\"401\",\"title\":\"Unauthorized\"}]}\n" response_status="401 Unauthorized" 
14:4:19 app         | time="2019-02-05 14:04:19" level=error msg="failed to link identity to cluster in cluster service" cluster_url="https://api.starter-us-east-2a.openshift.com/" err="failed to link identity to cluster in cluster management service. Response status: 401 Unauthorized. Response body: {\"errors\":[{\"code\":\"token_validation_failed\",\"detail\":\"token is invalid\",\"id\":\"MdayjjRO\",\"status\":\"401\",\"title\":\"Unauthorized\"}]}\n" file="/home/pmacik/.go/src/github.com/fabric8-services/fabric8-auth/controller/users.go" func="github.com/fabric8-services/fabric8-auth/controller.(*UsersController).Create" identity_id=02b422ba-514d-4e49-a8a7-f7fb6c30bf5d line=162 pid=27881 pkg=controller req_headers=map[User-Agent:[Go-http-client/1.1] Content-Length:[264] Authorization:***** Content-Type:[application/json] Accept-Encoding:[gzip]] req_id=yzyPT6d1Mb-2 req_payload="{\"data\":{\"attributes\":{\"bio\":\"Contract testing user account\",\"cluster\":\"https://api.starter-us-east-2a.openshift.com/\",\"email\":\"[email protected]\",\"rhd_user_id\":\"8ca349c8-2946-11e9-b7f4-8c1645a90e98\",\"username\":\"osio-ci-contract1\"},\"type\":\"identities\"}}" 
14:4:19 app         | time="2019-02-05 14:04:19" level=info msg="configuring a new service factory with 0 options" pkg="application/service/factory" 
14:4:19 app         | time="2019-02-05 14:04:19" level=info msg="an error occurred in our api" err="failed to link identity to cluster in cluster management service. Response status: 401 Unauthorized. Response body: {\"errors\":[{\"code\":\"token_validation_failed\",\"detail\":\"token is invalid\",\"id\":\"MdayjjRO\",\"status\":\"401\",\"title\":\"Unauthorized\"}]}\n" error_message="failed to link identity to cluster in cluster management service. Response status: 401 Unauthorized. Response body: {\"errors\":[{\"code\":\"token_validation_failed\",\"detail\":\"token is invalid\",\"id\":\"MdayjjRO\",\"status\":\"401\",\"title\":\"Unauthorized\"}]}\n" identity_id=f867ec72-3171-4b8f-8eec-90a32eab6e0b pkg=jsonapi req_id=yzyPT6d1Mb-2
...

[dipak-pawar]

@pmacik, To run cluster service locally, you need to provide your local auth url e.g. F8_AUTH_URL="your_auth_url" make dev, otherwise it'll use prod-preview as default as in development mode. See here.

So in short, it's loading required public keys from prod-preview, due to which token is invalid. Can you try setting auth url while running it in development mode?

[pmacik]

@dipak-pawar Your suggestion works for me, thanks you!