#talk-oathkeeper

sticky-guitar-94474

03/11/2022, 10:05 PM
Hi #oathkeeper, I am facing the following issue when deployed using the Helm chart:
```
unable to update access rules from given location, changes will be ignored. Check the configuration or restart the service if the issue persists.  audience=application error=map[message:No Major.Minor.Patch elements found] file=access-rule-1.json service_name=ORY Oathkeeper service_version=v0.38.23-beta.1
```
The same goes for the Pastebin URL, which is publicly accessible, and the base64-encoded rules string. Here is the values.yaml file I am using:
```yaml
oathkeeper:
  config:
    serve:
      proxy:
        port: 4455
      api:
        port: 4456
    access_rules:
      repositories:
        - file://access-rule-1.json
        - https://pastebin.com/raw/zPu0JHqv
      matching_strategy: regexp
  mutatorIdTokenJWKs: {}
```
My sample access rule is as follows:
```json
[
  {
    "id": "asd2",
    "version": "v0.1",
    "upstream": {
      "url": "https://httpbin.org/get",
      "preserve_host": true
    },
    "match": {
      "url": "http://127.0.0.1:4455/get",
      "methods": ["GET", "POST"]
    }
  }
]
```
Kindly let me know if there’s any more information needed

magnificent-energy-493

03/14/2022, 8:52 AM
Hello @User Could you repost this in #self-hosted? I think this is mostly an issue with helm configuration and the k8s wizards are all residing in that channel 😋

sticky-guitar-94474

03/14/2022, 12:48 PM
For sure

damp-sunset-69236

03/14/2022, 3:41 PM
Hello @User What cloud provider do you use?

sticky-guitar-94474

03/14/2022, 3:44 PM
I am using AWS, and I am trying to use public URLs and inline (base64-encoded) rules for the access rules. Can this be linked to the cloud provider?

damp-sunset-69236

03/14/2022, 3:47 PM
I think that `access-rule-1.json` does not exist in your deployed container. As a solution you can try to store it in a private S3 bucket and pass it to the configuration using
```yaml
repositories:
  - s3://bucket_name/access-rule.json
  - s3://bucket_name/access-rule.json
```
at least it would be more secure compared to the current version.
Unfortunately I’m not familiar with Helm charts yet, but creating an S3 bucket to store your access rules looks like a good solution for your case. I hope someone can help with how to solve your issue with locally passed configuration files.

sticky-guitar-94474

03/14/2022, 4:03 PM
I have tried uploading a JSON file to S3 which is publicly accessible and used it; I haven’t tried with S3-specific settings.
Moreover, I tried using the CLI to serve with a config file, which was throwing the error that I’ve shared (`unable to update access rules from given location, changes will be ignored`), compared to a file-not-found issue that I received prior to this issue.
Seems like the files are accessible.
```
Unable to update access rules from given location, changes will be ignored. Check the configuration or restart the service if the issue persists. audience=application error=map[message:No Major.Minor.Patch elements found] file=https://<my-bucked-name>.s3.ap-south-1.amazonaws.com/uploads/0f12db7a-4a1d-46e7-97b4-78fceb817894/media/access-rule-1.json service_name=ORY Oathkeeper service_version=v0.38.9-beta.1
```
Tried with S3 bucket files that are public, still facing the same issue.

damp-sunset-69236

03/14/2022, 7:48 PM
I see
```json
[
  {
    "id": "asd2",
    "upstream": {
      "url": "https://httpbin.org/get",
      "preserve_host": true
    },
    "match": {
      "url": "http://127.0.0.1:4455/get",
      "methods": ["GET", "POST"]
    },
    "authenticators": [
      {
        "handler": "anonymous"
      }
    ],
    "authorizer": {
      "handler": "allow"
    },
    "mutators": [
      {
        "handler": "noop"
      }
    ]
  }
]
```
You need to set up `Authenticators, authorizer and mutators`. These configuration options are mandatory.

sticky-guitar-94474

03/14/2022, 8:03 PM
```json
[
  {
    "id": "1",
    "version": "v0.1",
    "upstream": {
      "url": "https://httpbin.org/get",
      "preserve_host": true
    },
    "match": {
      "url": "http://127.0.0.1:4455/get",
      "methods": ["GET", "POST"]
    },
    "authenticators": [{ "handler": "noop" }],
    "authorizer": { "handler": "allow" },
    "mutators": [{ "handler": "noop" }],
    "errors": [{ "handler": "json" }]
  }
]
```
I’m using this @User
It has dummy values, still not working.
https://pastebin.com/raw/zPu0JHqv You can refer to this file; I am using this in the rules list.

damp-sunset-69236

03/15/2022, 6:24 AM
`version` uses semver to support versioning. You need to have the `vx.y.z` format.
```
Given a version number MAJOR.MINOR.PATCH, increment the:

MAJOR version when you make incompatible API changes,
MINOR version when you add functionality in a backwards compatible manner, and
PATCH version when you make backwards compatible bug fixes.
Additional labels for pre-release and build metadata are available as extensions to the MAJOR.MINOR.PATCH format.
```

sticky-guitar-94474

03/15/2022, 6:24 AM
Yeah Figured it out

damp-sunset-69236

03/15/2022, 6:24 AM
Changing the version value to `v0.1.2` solved the issue.

sticky-guitar-94474

03/15/2022, 6:24 AM
Thanks for the Reply

damp-sunset-69236

03/15/2022, 6:25 AM
Thanks for pointing this out. I’ll update documentation for oathkeeper

sticky-guitar-94474

03/15/2022, 6:25 AM
```json
[
  {
    "id": "1",
    "version": "0.0.1",
    "upstream": {
      "url": "https://httpbin.org",
      "preserve_host": true
    },
    "match": {
      "url": "http://127.0.0.1:4455/get",
      "methods": ["GET", "POST"]
    },
    "authenticators": [{ "handler": "noop" }],
    "authorizer": { "handler": "allow" },
    "mutators": [{ "handler": "noop" }],
    "errors": [{ "handler": "json" }]
  },
  {
    "id": "2",
    "version": "0.0.1",
    "upstream": {
      "url": "https://httpbin.org",
      "preserve_host": true
    },
    "match": {
      "url": "http://127.0.0.1:4455/stream/<.*>",
      "methods": ["GET", "POST"]
    },
    "authenticators": [{ "handler": "oauth2_introspection" }],
    "authorizer": { "handler": "allow" },
    "mutators": [{ "handler": "noop" }],
    "errors": [{ "handler": "json" }]
  }
]
```
I’m using this now and it’s working like a charm.
@User Can the error be more specific? Here there is no label that mentions the error was with the `version` key.
It would be more meaningful and easier to debug.

damp-sunset-69236

03/15/2022, 6:57 AM
Could you please create an issue for that?

sticky-guitar-94474

03/15/2022, 7:19 AM
Sure