# talk-oathkeeper
Hi again, I'm trying to integrate Keto with Oathkeeper but it's not working: Keto does not receive the calls that are configured in the payload of the access rules. Oathkeeper config file (Helm values for K8s):
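# Helm values for the ORY Oathkeeper chart: maester mode, image, Kubernetes
# Services and Ingresses, and the embedded Oathkeeper configuration
# (oathkeeper.config). Slack link markup (<url|text>) has been stripped from
# keys and URLs so the file parses into the intended annotation keys.

# -- Mode for oathkeeper controller
# -- Two possible modes are: controller or sidecar
global:
  ory:
    oathkeeper:
      maester:
        mode: controller

# -- Number of ORY Oathkeeper members
replicaCount: 1

image:
  # -- ORY Oathkeeper image
  repository: identity/oathkeeper
  # -- ORY Oathkeeper version
  # NOTE(review): a floating tag cannot be pinned or audited; prefer an
  # immutable version tag (or digest) for anything beyond local testing.
  tag: linux-latest
  # -- Image pull policy
  pullPolicy: IfNotPresent

# -- Options for the sidecar
sidecar:
  image:
    repository: oryd/oathkeeper-maester
    tag: v0.1.2
  envs: {}

# -- Image pull secrets
imagePullSecrets: []
# -- Chart name override
nameOverride: ""
# -- Full chart name override
fullnameOverride: ""

# -- If enabled, a demo deployment with exemplary access rules and JSON Web Key Secrets will be generated.
demo: false

# -- Configures the Kubernetes service
service:
  # -- Configures the Kubernetes service for the proxy port.
  proxy:
    # -- En-/disable the service
    enabled: true
    # -- The service type
    type: ClusterIP
    # -- The service port
    port: 4455
    # -- The service port name. Useful to set a custom service port name if it must follow a scheme (e.g. Istio)
    name: http
    # -- If you do want to specify annotations, uncomment the following
    # lines, adjust them as necessary, and remove the curly braces after 'annotations:'.
    # kubernetes.io/ingress.class: nginx
    # kubernetes.io/tls-acme: "true"
    annotations: {}
    # -- If you do want to specify additional labels, uncomment the following lines, adjust them as necessary, and remove the curly braces after 'labels:'.
    # e.g.  app: oathkeeper
    labels: {}

  # -- Configures the Kubernetes service for the api port.
  api:
    # -- En-/disable the service
    enabled: true
    # -- The service type
    type: ClusterIP
    # -- The service port
    port: 4456
    # -- The service port name. Useful to set a custom service port name if it must follow a scheme (e.g. Istio)
    name: http
    # -- If you do want to specify annotations, uncomment the following
    # lines, adjust them as necessary, and remove the curly braces after 'annotations:'.
    # kubernetes.io/ingress.class: nginx
    # kubernetes.io/tls-acme: "true"
    annotations: {}
    # -- If you do want to specify additional labels, uncomment the following lines, adjust them as necessary, and remove the curly braces after 'labels:'.
    # e.g.  app: oathkeeper
    labels: {}

  # -- Configures the Kubernetes service for the metrics port.
  metrics:
    # -- En-/disable the service
    enabled: false
    # -- The service type
    type: ClusterIP
    # -- The service port
    port: 80
    # -- The service port name. Useful to set a custom service port name if it must follow a scheme (e.g. Istio)
    name: http
    # -- If you do want to specify annotations, uncomment the following
    # lines, adjust them as necessary, and remove the curly braces after 'annotations:'.
    # kubernetes.io/ingress.class: nginx
    # kubernetes.io/tls-acme: "true"
    annotations: {}
    # -- If you do want to specify additional labels, uncomment the following lines, adjust them as necessary, and remove the curly braces after 'labels:'.
    # e.g.  app: oathkeeper
    labels: {}

# -- Configure ingress
ingress:
  # -- Configure ingress for the proxy port.
  proxy:
    # -- En-/Disable the proxy ingress.
    enabled: true
    # className: ""
    annotations:
      kubernetes.io/ingress.class: nginx
      nginx.ingress.kubernetes.io/rewrite-target: /$2
      nginx.ingress.kubernetes.io/use-regex: "true"
    hosts:
      - host: localhost
        paths:
          # Capture group 2 is what rewrite-target forwards to Oathkeeper.
          - path: /authz-proxy(/|$)(.*)
            pathType: ImplementationSpecific
    # tls: []
    #   - secretName: oathkeeper-proxy-example-tls
    #     hosts:
    #       - proxy.oathkeeper.local
    # -- Configuration for custom default service. This service will be used to handle the response when the configured service in the Ingress rule does not have any active endpoints
    defaultBackend:
      {}
      # service:
      #   name: myservice
      #   port:
      #     number: 80

  api:
    # -- En-/Disable the api ingress.
    # NOTE(review): this publishes the Oathkeeper API port (decisions, rules
    # and JWKS endpoints) on the public host. If the ingress controller's auth
    # request is the only consumer, point it at the in-cluster api Service
    # instead and keep this Ingress disabled.
    enabled: true
    # className: ""
    annotations:
      kubernetes.io/ingress.class: nginx
      nginx.ingress.kubernetes.io/rewrite-target: /$2
      nginx.ingress.kubernetes.io/use-regex: "true"
    hosts:
      - host: localhost
        paths:
          - path: /authz-api(/|$)(.*)
            pathType: ImplementationSpecific
    # tls: []
    #   - secretName: oathkeeper-api-example-tls
    #     hosts:
    #       - api.oathkeeper.local

# -- Configure ORY Oathkeeper itself
oathkeeper:
  # -- The ORY Oathkeeper configuration. For a full list of available settings, check:
  #   https://github.com/ory/oathkeeper/blob/master/docs/config.yaml
  config:
    log:
      # NOTE(review): debug level logs request details; lower it once the
      # integration works.
      level: debug
      format: json
    access_rules:
      matching_strategy: glob
      repositories:
        # NOTE(review): an absolute file URL has three slashes
        # (file:///etc/...). The Slack rendering may have dropped one; confirm
        # the real value and that it matches where the chart mounts the rules.
        - file://etc/oathkeeper/access-rules.yml

    serve:
      proxy:
        port: 4455
        cors:
          enabled: true
          allowed_origins:
            - http://localhost
            - http://localhost:3000
          allowed_methods:
            - POST
            - GET
            - PUT
            - PATCH
            - DELETE
          allowed_headers:
            - Authorization
            - Content-Type
          exposed_headers:
            - Content-Type
          allow_credentials: true
          # NOTE(review): CORS debug output is verbose; disable outside development.
          debug: true
      api:
        port: 4456
        cors:
          enabled: true
          allowed_origins:
            - http://localhost
            - http://localhost:3000
          allowed_methods:
            - POST
            - GET
            - PUT
            - PATCH
            - DELETE
          allowed_headers:
            - Authorization
            - Content-Type
          exposed_headers:
            - Content-Type
          allow_credentials: true
          debug: true
      prometheus:
        port: 9000

    authenticators:
      # NOTE(review): anonymous and noop are enabled globally; any rule that
      # references them skips authentication. The rule on this page only uses
      # cookie_session, so these can stay disabled unless another rule needs them.
      anonymous:
        enabled: true
        config:
          subject: guest
      noop:
        enabled: true
      cookie_session:
        enabled: true
        config:
          check_session_url: http://kratos-public:4433/sessions/whoami
          preserve_path: true
          extra_from: "@this"
          subject_from: "identity.id"
          preserve_host: true
          additional_headers:
            accept: application/json
            accept-encoding: identity
          # NOTE(review): `only` (by its name) restricts this authenticator to
          # requests that carry one of the listed cookies. The Oathkeeper log on
          # this page shows a request whose only header is x-forwarded-for and
          # the verdict authentication_handler_no_match: no Cookie header reached
          # Oathkeeper, so the pipeline stops here and the remote_json authorizer
          # (the Keto call) never runs. Check that whatever forwards to
          # /decisions passes the Cookie header through.
          only:
            - ory_kratos_session

    authorizers:
      # NOTE(review): allow is enabled globally; keep it disabled unless a rule
      # deliberately references it.
      allow:
        enabled: true
      remote_json:
        enabled: true
        config:
          # NOTE(review): this URL is resolved by the Oathkeeper process, where
          # localhost is the Oathkeeper pod itself, not the ingress host that
          # browsers use. Use the cluster-internal Keto read Service (the same
          # way check_session_url uses kratos-public:4433) so the permission
          # check never leaves the cluster.
          remote: http://localhost/authz/read/check
          payload: |
            { }
          forward_response_headers_to_upstream:
            - X-Foo
          retry:
            max_delay: 1s
            give_up_after: 1s

    mutators:
      noop:
        enabled: true
      header:
        # Set enabled to true if the mutator should be enabled and false to disable the mutator. Defaults to false.
        enabled: true
        config:
          headers:
            # NOTE(review): upstreams must accept X-User only from Oathkeeper;
            # if clients can reach them directly, this header is spoofable.
            X-User: "{{ print .Subject }}"

    errors:
      fallback:
        - json

      handlers:
        redirect:
          enabled: true
          config:
            # Browser-side redirect, so the public host name is correct here.
            to: http://localhost/identity-ui/login
            when:
              - error:
                  - unauthorized
                  - forbidden
                request:
                  header:
                    accept:
                      - text/html
        json:
          enabled: true
          config:
            # NOTE(review): verbose responses expose internal error details to
            # clients; turn off outside development.
            verbose: true

  # -- If set, uses the given JSON Web Key Set as the signing key for the ID Token Mutator.
  mutatorIdTokenJWKs: {}
  # -- If set, uses the given access rules.
  accessRules: {}

  # -- If you enable maester, the following value should be set to "false" to avoid overwriting
  # the rules generated by the CRDs. Additionally, the value "accessRules" shouldn't be
  # used as it will have no effect once "managedAccessRules" is disabled.
  # NOTE(review): global.ory.oathkeeper.maester.mode above selects maester's
  # controller mode; if the maester component is actually deployed, the
  # comment above says this should be false.
  managedAccessRules: true

...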
Access-rules.yml:
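# Oathkeeper access rule: cookie-authenticated requests to the web API gateway
# are authorized by a Keto permission check on the caller's role.
- id: "api:protected"
  match:
    # Glob pattern (the Oathkeeper config sets matching_strategy: glob).
    url: "http://localhost/webapigw/<**>"
    methods:
      - GET
      - POST
      # A stray quote (PUT") made this a method name that could never match.
      - PUT
      - DELETE
      - PATCH
  authenticators:
    - handler: cookie_session
  mutators:
    - handler: header
  authorizer:
    handler: remote_json
    config:
      # NOTE(review): resolved inside the Oathkeeper pod, where localhost is
      # not the ingress host; point at the in-cluster Keto read Service.
      remote: http://localhost/authz/read/check
      # forward_response_headers_to_upstream: []
      # NOTE(review): the role name is interpolated raw into a JSON string. A
      # value containing a quote would break or alter the check, so make sure
      # the role trait is admin-set and not editable by the user through the
      # Kratos self-service settings flow, or escape it before interpolation.
      payload: |
        {
          "namespace": "permissions",
          "object": "components",
          "relation": "edit",
          "subject_set": {
            "namespace": "roles",
            "object": "{{ print .Extra.identity.traits.role.name }}",
            "relation": "member"
          }
        }
  errors:
    - handler: redirect
      config:
        to: http://localhost/identity-ui/login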
Keto config file (for helm in K8s):
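# Helm values for the ORY Keto chart: Ingress definitions for the read and
# write APIs. Slack link markup has been stripped from the annotation keys.

# -- Ingress definitions
ingress:
  read:
    # NOTE(review): this publishes Keto's read API (relation-tuple checks and
    # listings) on the public host. The Oathkeeper remote_json authorizer can
    # reach the read Service in-cluster, so this Ingress is not needed for that
    # integration; keep it disabled unless an external client needs it.
    enabled: true
    annotations:
      kubernetes.io/ingress.class: nginx
      nginx.ingress.kubernetes.io/rewrite-target: /$2
    hosts:
      - host: localhost
        paths:
          # NOTE(review): a regex path with pathType Prefix; the Oathkeeper
          # values use pathType ImplementationSpecific (plus use-regex) for the
          # same pattern. Align the two so the API server and ingress-nginx
          # interpret the path the same way.
          - path: /authz/read(/|$)(.*)
            pathType: Prefix
    tls: []
    #   - secretName: chart-example-tls
    #     hosts:
    #       - chart-example.local
  write:
    # The write API stays private; nothing on this page needs it exposed.
    enabled: false
    className: ""
    annotations: {}
    # kubernetes.io/ingress.class: nginx
    # kubernetes.io/tls-acme: "true"
    hosts:
      - host: localhost
        paths:
          - path: /authz/write
            pathType: Prefix
    tls: []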
Log of Oathkeeper:
[cors] 2022/10/19 22:39:07 Handler: Actual request

[cors] 2022/10/19 22:39:07   Actual request no headers added: missing origin

{"http_request":{"headers":{"x-forwarded-for":"10.1.12.198"},"host":"localhost","method":"GET","path":"/decisions/webapigw/components/slide","query":null,"remote":"10.1.12.198:57212","scheme":"http"},"level":"info","msg":"started handling request","time":"2022-10-19T22:39:07Z"}

{"audience":"application","error":{"debug":"","message":"Access credentials are invalid","reason":"","status":"Unauthorized","status_code":401},"granted":false,"http_host":"localhost","http_method":"GET","http_url":"http://localhost/webapigw/components/slide","http_user_agent":"","level":"warning","msg":"No authentication handler was responsible for handling the authentication request","reason_id":"authentication_handler_no_match","rule_id":"api:protected","service_name":"ORY Oathkeeper","service_version":"v0.38.25-beta.1","time":"2022-10-19T22:39:07Z"}

{"audience":"application","error":{"debug":"","message":"Access credentials are invalid","reason":"","status":"Unauthorized","status_code":401},"granted":false,"http_host":"localhost","http_method":"GET","http_url":"http://localhost/webapigw/components/slide","http_user_agent":"","level":"info","msg":"Access request denied","service_name":"ORY Oathkeeper","service_version":"v0.38.25-beta.1","time":"2022-10-19T22:39:07Z"}

{"code":401,"debug":"","details":{},"error":"Access credentials are invalid","level":"error","msg":"An error occurred while handling a request","reason":"","request-id":"","status":401,"time":"2022-10-19T22:39:07Z","writer":"JSON"}

{"http_request":{"headers":{"x-forwarded-for":"10.1.12.198"},"host":"localhost","method":"GET","path":"/webapigw/components/slide","query":null,"remote":"10.1.12.198:57212","scheme":"http"},"http_response":{"status":401,"text_status":"Unauthorized","took":620400},"level":"info","msg":"completed handling request","time":"2022-10-19T22:39:07Z"}