Concourse 4.0.0 - Failed to authenticate: cloud_controller.read is invalid. Please use a valid scope name in the request #2444

Closed
akamalov opened this Issue Jul 31, 2018 · 1 comment


akamalov commented Jul 31, 2018

  • Concourse version: 4.0.0
  • Deployment type (BOSH/Docker/binary): binary
  • PAAS: Pivotal Cloud Foundry: 2.0
  • Infrastructure/IaaS: vsphere
  • Browser (if applicable): Chrome
  • Did this used to work? Yes, with 3.14.0

Upgraded to Concourse 4.0.0 from 3.14.0. I see that UAA integration has moved to CF, and I am attempting to reconfigure Concourse to integrate with CF. Based on the documentation there - https://concourse-ci.org/install.html#cf-auth-config - I reconfigured my authentication to integrate Concourse with CF. Problems right off the bat.

Here are the steps:

Create a client for Concourse in UAA

$ uaac client add concourse  --name concourse --secret XXXXXX --scope openid,email,profile,roles  --authorized_grant_types "authorization_code,refresh_token" --access_token_validity 3600 --refresh_token_validity 3600 --redirect_uri http://akjump001.cglab.localnet.local:8080/sky/issuer/callback
  scope: openid profile roles email
  client_id: concourse
  resource_ids: none
  authorized_grant_types: refresh_token authorization_code
  redirect_uri: http://akjump001.cglab.localnet.local:8080/sky/issuer/callback
  autoapprove:
  access_token_validity: 3600
  refresh_token_validity: 3600
  authorities: uaa.none
  name: concourse
  required_user_groups:
  lastmodified: 1533060954000
  id: concourse
$

Next, use the Client ID and Client Secret for our new application. Pass these as the following flags to concourse web in /etc/systemd/system/concourse-web.service:

[Unit]
Description=Concourse CI web process (ATC and TSA)
After=postgresql.service

[Service]
User=concourse
Restart=on-failure
EnvironmentFile=/etc/concourse/web_environment
ExecStart=/opt/concourse/bin/concourse web --main-team-local-user=concourse --add-local-user concourse:<bcrypt_password> --cf-client-id concourse --cf-client-secret XXXXXXX --cf-api-url https://api.system.cflab02-cg.localnet.local

[Install]
WantedBy=multi-user.target

Next, set up the team:

$ fly -t lab set-team -n CloudEng --cf-org=Development cf-space=ALEX001 --cf-space-guid 41c5d60d-8b64-459d-a351-6787b87b3a9b
Team Name: CloudEng

Users:
- none

Groups:
- cf:development
- cf:41c5d60d-8b64-459d-a351-6787b87b3a9b

apply configuration? [yN]: y
could not find a valid token.
logging in to team 'CloudEng'

navigate to the following URL in your browser:

  http://akjump001.cglab.localnet.local:8080/sky/login?redirect_uri=http://127.0.0.1:50519/auth/callback

or enter token manually:

Open the URL http://akjump001.cglab.localnet.local:8080/sky/login?redirect_uri=http://127.0.0.1:50519/auth/callback and authenticate against CF. I get the following error:

Internal Server Error
Failed to return user's identity.

Now, looking through ATC logs I see the following:

Jul 31 14:45:22 akjump001 concourse[7084]: {"timestamp":"1533062722.425117016","source":"worker","message":"worker.beacon.beacon.beacon-client.keepalive.ok","log_level":0,"data":{"session":"4.1.1.1"}}
Jul 31 14:45:27 akjump001 concourse[7051]: {"timestamp":"1533062727.424652576","source":"tsa","message":"tsa.connection.keepalive","log_level":1,"data":{"remote":"127.0.0.1:49524","session":"1","type":"keepalive"}}
Jul 31 14:45:27 akjump001 concourse[7084]: {"timestamp":"1533062727.425798655","source":"worker","message":"worker.beacon.beacon.beacon-client.keepalive.ok","log_level":0,"data":{"session":"4.1.1.1"}}
Jul 31 14:45:30 akjump001 concourse[7051]: {"timestamp":"1533062730.555150747","source":"atc","message":"atc.dex.event","log_level":2,"data":{"fields":{},"message":"Failed to authenticate: cloud_controller.read is invalid. Please use a valid scope name in the request","session":"6"}}
Jul 31 14:45:31 akjump001 concourse[7051]: {"timestamp":"1533062731.181869745","source":"atc","message":"atc.build-tracker.track.start","log_level":0,"data":{"session":"40.6"}}
Jul 31 14:45:31 akjump001 concourse[7051]: {"timestamp":"1533062731.184748888","source":"atc","message":"atc.build-tracker.track.done","log_level":0,"data":{"session":"40.6"}}
Jul 31 14:45:32 akjump001 concourse[7051]: {"timestamp":"1533062732.424769878","source":"tsa","message":"tsa.connection.keepalive","log_level":1,"data":{"remote":"127.0.0.1:49524","session":"1","type":"keepalive"}}
Jul 31 14:45:32 akjump001 concourse[7084]: {"timestamp":"1533062732.425160170","source":"worker","message":"worker.beacon.beacon.beacon-client.keepalive.ok","log_level":0,"data":{"session":"4.1.1.1"}}
Jul 31 14:45:37 akjump001 concourse[7051]: {"timestamp":"1533062737.424593449","source":"tsa","message":"tsa.connection.keepalive","log_level":1,"data":{"remote":"127.0.0.1:49524","session":"1","type":"keepalive"}}
Jul 31 14:45:37 akjump001 concourse[7084]: {"timestamp":"1533062737.424866199","source":"worker","message":"worker.beacon.beacon.beacon-client.keepalive.ok","log_level":0,"data":{"session":"4.1.1.1"}}

Huh? Where is ":{"fields":{},"message":"Failed to authenticate: cloud_controller.read is invalid. Please use a valid scope name in the request","session":"6"}} coming from?

My one and only Concourse client in UAAC is concourse, and it is configured as per the documentation:

concourse
    scope: openid profile roles email
    resource_ids: none
    authorized_grant_types: refresh_token authorization_code
    redirect_uri: http://akjump001.cglab.localnet.local:8080/sky/issuer/callback
    autoapprove:
    access_token_validity: 3600
    refresh_token_validity: 3600
    authorities: uaa.none
    name: concourse
    lastmodified: 1533063119000

Next, I modified the uaac command as follows:

uaac client add concourse  --name concourse  --scope "openid,email,profile,roles,cloud_controller.read"  --authorized_grant_types "authorization_code,refresh_token" --access_token_validity 3600 --refresh_token_validity 3600 --secret XXXXX  --redirect_uri http://akjump001.cglab.localnet.local:8080/sky/issuer/callback

Issued the fly command:

fly -t lab set-team -n CloudEng --cf-user=concourse --cf-org=Development cf-space=ALEX001 --cf-space-guid 41c5d60d-8b64-459d-a351-6787b87b3a9b
Team Name: CloudEng

Users:
- cf:concourse

Groups:
- cf:development
- cf:41c5d60d-8b64-459d-a351-6787b87b3a9b

apply configuration? [yN]: y
could not find a valid token.
logging in to team 'CloudEng'

navigate to the following URL in your browser:

  http://akjump001.cglab.localnet.local:8080/sky/login?redirect_uri=http://127.0.0.1:53264/auth/callback

or enter token manually:

Received the following error from the browser:

Internal Server Error
Failed to return user's identity.

The ATC syslog, however, shows a different error message this time:

Aug  1 08:15:01 akjump001 CRON[13312]: (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1)
Aug  1 08:15:08 akjump001 concourse[13232]: {"timestamp":"1533125708.116680861","source":"atc","message":"atc.build-tracker.track.start","log_level":0,"data":{"session":"40.30"}}
Aug  1 08:15:08 akjump001 concourse[13232]: {"timestamp":"1533125708.120035648","source":"atc","message":"atc.build-tracker.track.done","log_level":0,"data":{"session":"40.30"}}
Aug  1 08:15:14 akjump001 concourse[13232]: {"timestamp":"1533125714.140654802","source":"atc","message":"atc.dex.event","log_level":2,"data":{"fields":{},"message":"Failed to authenticate: CF connector: failed to get token: oauth2: cannot fetch token: 401 Unauthorized\nResponse: {\"error\":\"unauthorized\",\"error_description\":\"Bad credentials\"}","session":"6"}}
Aug  1 08:15:18 akjump001 concourse[13232]: {"timestamp":"1533125718.116579533","source":"atc","message":"atc.build-tracker.track.start","log_level":0,"data":{"session":"40.31"}}
Aug  1 08:15:18 akjump001 concourse[13232]: {"timestamp":"1533125718.119224072","source":"atc","message":"atc.collector.tick.acquire.acquired","log_level":0,"data":{"id":[3,-824445620],"session":"42.10.1"}}

Can anyone shed light? It used to work in 3.14 with UAA integration. It looks like it is broken now.

akamalov commented Aug 1, 2018

Answering my own question. If you're setting up Concourse through systemd, make sure that CONCOURSE_CF_CLIENT_SECRET=XXXXX is not bcrypted. The only bcrypted password is for CONCOURSE_ADD_LOCAL_USER. I also had to modify the uaac command, which differs from what's in the documentation:

What's in https://concourse-ci.org/install.html#cf-auth-config:

concourse:
  id: my-client-id
  secret: my-client-secret
  scope: openid,email,profile,roles
  authorized-grant-types: "authorization_code,refresh_token"
  access-token-validity: 3600
  refresh-token-validity: 3600
  redirect-uri: https://concourse.example.com/sky/issuer/callback

My modified parameters:

concourse:
  id: my-client-id
  secret: my-client-secret
  scope: openid,email,profile,roles,cloud_controller.read
  authorized-grant-types: "authorization_code,refresh_token"
  access-token-validity: 3600
  refresh-token-validity: 3600
  redirect-uri: https://concourse.example.com/sky/issuer/callback

Once modified, I was able to authenticate against CF.

@akamalov akamalov closed this Aug 1, 2018
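The two mistakes this thread ran into (a UAA client registered without the cloud_controller.read scope, and a bcrypt hash passed where the plain CF client secret belongs) are both checkable before the first login attempt. The following preflight script is an added example, not Concourse or UAA project code: it parses the key/value listing that `uaac client get <id>` prints (the same shape as the output quoted above), and reports anything that would make the CF connector fail. The required scope set is taken from this thread (the four documented scopes plus cloud_controller.read), the external URL and sample client listings are constructed from the values quoted in the issue, and the bcrypt detection is a heuristic on the `$2a$`/`$2b$`/`$2y$` modular-crypt prefix.

```python
import re

# Scopes the Concourse 4.x CF connector needs on its UAA client: the four from
# the documentation plus cloud_controller.read, which this thread found to be
# required as well.
REQUIRED_SCOPES = {"openid", "email", "profile", "roles", "cloud_controller.read"}
REQUIRED_GRANT_TYPES = {"authorization_code", "refresh_token"}
# Modular-crypt prefix of a bcrypt hash, e.g. "$2a$10$..." (heuristic).
BCRYPT_PREFIX = re.compile(r"^\$2[aby]\$\d{2}\$")
# Fields that `uaac client get` prints as space-separated lists.
LIST_FIELDS = {"scope", "authorized_grant_types", "authorities", "redirect_uri"}


def parse_uaac_client(text):
    """Parse the key/value listing printed by `uaac client get <id>`.

    Lines without a colon (such as the leading client id) are skipped; the
    split is on the first colon only, so URLs in values survive intact, and
    list-valued fields become sets so ordering does not matter.
    """
    client = {}
    for line in text.splitlines():
        line = line.strip()
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        client[key] = set(value.split()) if key in LIST_FIELDS else value
    return client


def check_cf_auth(client, external_url, client_secret):
    """Return a list of findings; an empty list means the setup looks right.

    external_url is the scheme/host/port Concourse is reached at (as in the
    login URL fly prints); client_secret is the value that will be handed to
    --cf-client-secret / CONCOURSE_CF_CLIENT_SECRET.
    """
    findings = []

    missing_scopes = REQUIRED_SCOPES - client.get("scope", set())
    if missing_scopes:
        findings.append("UAA client is missing scope(s): " + ", ".join(sorted(missing_scopes)))

    missing_grants = REQUIRED_GRANT_TYPES - client.get("authorized_grant_types", set())
    if missing_grants:
        findings.append("UAA client is missing grant type(s): " + ", ".join(sorted(missing_grants)))

    # Dex's CF connector in Concourse answers on /sky/issuer/callback.
    expected_redirect = external_url.rstrip("/") + "/sky/issuer/callback"
    if expected_redirect not in client.get("redirect_uri", set()):
        findings.append("UAA client redirect_uri does not include " + expected_redirect)

    if BCRYPT_PREFIX.match(client_secret):
        findings.append("client secret looks like a bcrypt hash; pass the plain secret "
                        "(only the --add-local-user password is bcrypted)")
    return findings


# Constructed sample: the first client registration quoted in this issue,
# before cloud_controller.read was added to its scope.
CLIENT_BEFORE = """\
concourse
    scope: openid profile roles email
    resource_ids: none
    authorized_grant_types: refresh_token authorization_code
    redirect_uri: http://akjump001.cglab.localnet.local:8080/sky/issuer/callback
    autoapprove:
    access_token_validity: 3600
    refresh_token_validity: 3600
    authorities: uaa.none
    name: concourse
"""

# Constructed sample: the same client after the fix from this thread.
CLIENT_AFTER = CLIENT_BEFORE.replace(
    "scope: openid profile roles email",
    "scope: openid profile roles email cloud_controller.read",
)

# Constructed from the login URL quoted in the issue.
EXTERNAL_URL = "http://akjump001.cglab.localnet.local:8080"

if __name__ == "__main__":
    for label, text in (("before", CLIENT_BEFORE), ("after", CLIENT_AFTER)):
        findings = check_cf_auth(parse_uaac_client(text), EXTERNAL_URL, "plain-secret")
        print(label, "->", findings or "ok")
    # A bcrypt hash in place of the plain secret is the other mistake the issue hit;
    # the hash below is a placeholder, not a real credential.
    print("bcrypt ->", check_cf_auth(parse_uaac_client(CLIENT_AFTER), EXTERNAL_URL,
                                     "$2a$10$placeholderhashvalue"))
```

In practice you would pipe `uaac client get concourse` into parse_uaac_client and pass the same external URL you give `--external-url` to concourse web; the 401 "Bad credentials" in the second log excerpt is what a bcrypted secret produces, and the "cloud_controller.read is invalid" event is what the missing scope produces, so a clean run of this check rules both out.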
