Sorry, I don't know if I should ask the question here. I used the echo sample project and deployed it to Google Cloud Endpoints, and I want to configure it with Firebase Auth instead of an API key. The following is the openapi.yaml:
paths:
  "/echo":
    post:
      description: "Echo back a given message."
      operationId: "echo"
      produces:
        - "application/json"
      responses:
        200:
          description: "Echo"
          schema:
            $ref: "#/definitions/echoMessage"
      parameters:
        - description: "Message to echo"
          in: body
          name: message
          required: true
          schema:
            $ref: "#/definitions/echoMessage"
      security:
        - firebase: []
And when I deploy it and access it with
curl -d '{"message":"hello world"}' -H "content-type:application/json" "http://[IPADDRESS]:80/echo"
I get the error message:
"message": "Method doesn't allow unregistered callers (callers without established identity). Please use API Key or other form of API consumer identity to call this API.",
And if I add the API key:
curl -d '{"message":"hello world"}' -H "content-type:application/json" "http://35.194.225.89:80/echo?api_key=[API_KEY]"
I can get the correct result.
I am not sure how to configure the openapi.yaml. Please help, thank you very much.
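The question's spec names a `firebase` scheme under `security` but never declares it. The following is an added check, not part of the question or of the echo sample, that walks an OpenAPI 2.0 spec and reports every `security` reference that has no entry under `securityDefinitions`, and every OAuth2/JWT scheme that lacks the `x-google-issuer` and `x-google-jwks_uri` fields Endpoints needs to validate the token. The spec is a constructed Python-dict copy of the question's YAML; `project_id` is a placeholder supplied by the caller.

```python
"""Consistency check for `security` vs `securityDefinitions` in a Cloud Endpoints
OpenAPI 2.0 spec (added example; the dict below mirrors the question's YAML)."""
import copy
from typing import Any, Dict, List

# Constructed from the question's openapi.yaml: it references `firebase`
# but declares no securityDefinitions at all.
SPEC_FROM_QUESTION: Dict[str, Any] = {
    "swagger": "2.0",
    "paths": {
        "/echo": {
            "post": {
                "operationId": "echo",
                "security": [{"firebase": []}],
            }
        }
    },
}

# Fields Endpoints needs on a JWT scheme: who signs the token and where the
# public keys are published. x-google-audiences should be set as well.
JWT_REQUIRED = ("x-google-issuer", "x-google-jwks_uri")


def firebase_scheme(project_id: str) -> Dict[str, str]:
    """securityDefinitions entry for Firebase Auth (`project_id` is a placeholder)."""
    return {
        "authorizationUrl": "",
        "flow": "implicit",
        "type": "oauth2",
        "x-google-issuer": f"https://securetoken.google.com/{project_id}",
        "x-google-jwks_uri": (
            "https://www.googleapis.com/service_accounts/v1/metadata/x509/"
            "securetoken@system.gserviceaccount.com"
        ),
        "x-google-audiences": project_id,
    }


def with_firebase(spec: Dict[str, Any], project_id: str) -> Dict[str, Any]:
    """Return a copy of `spec` with the Firebase scheme declared."""
    fixed = copy.deepcopy(spec)
    fixed.setdefault("securityDefinitions", {})["firebase"] = firebase_scheme(project_id)
    return fixed


def check_security(spec: Dict[str, Any]) -> List[str]:
    """List dangling or under-specified security references; empty list means OK."""
    problems: List[str] = []
    defs = spec.get("securityDefinitions", {})
    for path, operations in spec.get("paths", {}).items():
        for method, op in operations.items():
            for requirement in op.get("security", []):
                for scheme in requirement:
                    if scheme not in defs:
                        problems.append(
                            f"{method.upper()} {path}: scheme '{scheme}' is not declared in securityDefinitions"
                        )
                        continue
                    missing = [k for k in JWT_REQUIRED if k not in defs[scheme]]
                    if defs[scheme].get("type") == "oauth2" and missing:
                        problems.append(
                            f"{method.upper()} {path}: scheme '{scheme}' lacks {', '.join(missing)}"
                        )
    return problems


if __name__ == "__main__":
    for line in check_security(SPEC_FROM_QUESTION):
        print("problem:", line)
    print("after fix:", check_security(with_firebase(SPEC_FROM_QUESTION, "my-project")))
```

Once the scheme is declared, the caller sends the Firebase ID token as `Authorization: Bearer <id_token>` instead of an `api_key` query parameter; the check above only verifies that the spec is internally consistent, it does not deploy or test the endpoint.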
So I am using Vault AppRole with Airflow as the secret backend, and it keeps throwing a permission denied error on $VAULT_ADDR/v1/auth/approle/login. I tried using AppRole from the CLI like:
vault write auth/approle/login role_id="$role_id" secret_id="$secret_id"
and it works fine.
But if I try it using API:
curl --request POST --data @payload.json $VAULT_ADDR/v1/auth/approle/login
where payload.json contains the secret ID and role ID, it fails with permission denied.
Here is my policy:
vault policy write test-policy -<<EOF
path "kv/data/airflow/*" {
  capabilities = [ "read", "list" ]
}
EOF
It works fine for reading on this path.
And the role:
vault write auth/approle/role/test-role token_ttl=4h token_max_ttl=5h token_policies="test-policy"
I don't know why it is failing with the API.
An important thing to mention is that I am using cloud based HCP Vault.
The problem is with your AppRole authentication. You need to provide the admin namespace in your URL.
Change this:
curl --request POST --data @payload.json $VAULT_ADDR/v1/auth/approle/login
To this:
curl --request POST --data @payload.json $VAULT_ADDR/v1/admin/auth/approle/login
Furthermore, if you are trying to access it from a third-party tool like Airflow, then try adding "namespace=admin" in your config file.
Found the problem. HCP Vault uses a namespace (default = admin). The namespace was needed in the URL:
$VAULT_ADDR/v1/admin/auth/approle/login
but the problem still exists in Airflow's HashiCorp provider. Changing the auth_mount_point still concatenates it at the end as:
$VAULT_ADDR/v1/auth/{$auth_mount_point}
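As an added example (not code from the thread), this builds the AppRole login request with the HCP namespace in either of the two places Vault accepts it: the `X-Vault-Namespace` header, or the `/v1/<namespace>/...` path prefix that the thread's working URL uses. `vault_addr`, `role_id` and `secret_id` are placeholders supplied by the caller; nothing contacts a Vault server unless `approle_login` is called.

```python
"""HCP Vault AppRole login with the namespace supplied explicitly
(added example; the address and credentials are caller-supplied placeholders)."""
import json
import urllib.request
from typing import Any, Dict


def approle_login_request(vault_addr: str, role_id: str, secret_id: str,
                          namespace: str = "admin", via_header: bool = True) -> Dict[str, Any]:
    """Return url/headers/body for POST auth/approle/login.

    HCP Vault serves its mounts under a namespace (admin by default). A request
    that names no namespace is routed to a namespace the deployment does not
    expose, which is the permission denied the question reports. The namespace
    may travel in the X-Vault-Namespace header or as a path prefix."""
    base = vault_addr.rstrip("/")
    headers = {"Content-Type": "application/json"}
    if via_header:
        url = f"{base}/v1/auth/approle/login"
        headers["X-Vault-Namespace"] = namespace
    else:
        url = f"{base}/v1/{namespace}/auth/approle/login"
    # role_id and secret_id go in the JSON body, never the query string, so they
    # stay out of proxy and web-server access logs.
    body = json.dumps({"role_id": role_id, "secret_id": secret_id}).encode()
    return {"url": url, "headers": headers, "body": body}


def approle_login(vault_addr: str, role_id: str, secret_id: str,
                  namespace: str = "admin") -> str:
    """Perform the login (network call) and return the client token."""
    req = approle_login_request(vault_addr, role_id, secret_id, namespace)
    request = urllib.request.Request(req["url"], data=req["body"],
                                     headers=req["headers"], method="POST")
    with urllib.request.urlopen(request, timeout=10) as resp:
        return json.load(resp)["auth"]["client_token"]


if __name__ == "__main__":
    # Dry run only: show both request shapes without sending anything.
    for via_header in (True, False):
        r = approle_login_request("https://vault.example:8200", "ROLE_ID", "SECRET_ID",
                                  via_header=via_header)
        print(r["url"], r["headers"])
```

The same two placements apply to curl: `--data @payload.json` (note the `@`, which makes curl read the file) together with either `-H "X-Vault-Namespace: admin"` or the `/v1/admin/` prefix.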
I am trying to achieve Airflow integration with Slack,
have received the webhook URL, and created the connection as below. Why is it showing google.com ??
Why is it using the default http_conn_id and connecting to google ??
But got an error as below
ERROR - Error in sending a message to Slack channel #airflow-alerts by Airflow: 404:Not Found
{base_hook.py:83} INFO - Using connection to: id: http_default. Host: https://www.google.com/, Port: None, Schema: None, Login: None, Password: None, extra: {}
{logging_mixin.py:95} INFO - [2020-05-29 12:43:21,374] {http_hook.py:128} INFO - Sending 'POST' to url: https://www.google.com//T00A6ASFHD8S/G1FDF4K/a3zfKsadfsrScxgadfsdafOIgIvgW
requests.exceptions.HTTPError: 404 Client Error: Not Found for url: https://www.google.com//T00A6ASFHD8S/G1FDF4K/a3zfKsadfsrScxgadfsdafOIgIvgW
But I got the below error, unable to figure out
Your connection is not set up correctly. You need to select HTTP as the Conn Type, leave the Extra field blank and put the webhook token (format is /STRING/STRING/STRING) in the Password field. Then you can use the SlackWebhookOperator operator, which allows you to set the channel and username.
I finally figured it out after a long struggle ...
There was a bug in SlackWebhookOperator in Airflow≤1.10.3 (Bug Jira Issue). This was fixed in 1.10.4 with this PR (fix commit).
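The log lines in the question show the webhook token appended to the host of the shipped `http_default` connection, which is `https://www.google.com/`. The following is an added, simplified model of that URL assembly (written for this page, not Airflow's own hook code) so the two outcomes can be compared: the wrong connection yields `https://www.google.com//T.../...`, an HTTP connection whose host is `https://hooks.slack.com/services` and whose Password holds the token yields a valid webhook URL. The connection table and tokens are constructed, and `redact` shows how to log the URL without the secret path the question's log leaks.

```python
"""Model of Slack webhook URL assembly from an Airflow HTTP connection
(added example; connections and tokens below are constructed)."""
import re
from typing import Dict, Optional

# Constructed connection store keyed by conn_id. Airflow ships http_default
# pointing at https://www.google.com/, matching the question's log.
CONNECTIONS: Dict[str, Dict[str, Optional[str]]] = {
    "http_default": {"host": "https://www.google.com/", "password": None},
    "slack_alerts": {
        "host": "https://hooks.slack.com/services",
        "password": "/T000CONSTRUCTED/B000CONSTRUCTED/xxxxCONSTRUCTED",
    },
}

# /STRING/STRING/STRING, as the answer above describes the token.
TOKEN_RE = re.compile(r"^/[A-Za-z0-9]+/[A-Za-z0-9]+/[A-Za-z0-9]+$")


def join_url(base_url: str, endpoint: str) -> str:
    """Insert a slash only when neither side has one; otherwise concatenate
    as-is, which is how 'https://www.google.com/' + '/T...' becomes '//T...'."""
    if base_url and not base_url.endswith("/") and endpoint and not endpoint.startswith("/"):
        return base_url + "/" + endpoint
    return (base_url or "") + (endpoint or "")


def webhook_url(conn_id: str, webhook_token: Optional[str] = None) -> str:
    """Resolve the URL a webhook POST would go to: host from the connection,
    token from the operator argument or else the connection's Password field."""
    conn = CONNECTIONS[conn_id]
    token = webhook_token or conn["password"]
    if not token or not TOKEN_RE.match(token):
        raise ValueError(f"connection {conn_id!r}: webhook token must look like /STRING/STRING/STRING")
    return join_url(conn["host"], token)


def redact(url: str) -> str:
    """Mask the last two token segments before a URL is written to a log."""
    return re.sub(r"(/[A-Za-z0-9]+)/[A-Za-z0-9]+/[A-Za-z0-9]+$", r"\1/***/***", url)


if __name__ == "__main__":
    # Reproduces the shape of the question's failing URL, then the working one.
    print(redact(webhook_url("http_default", "/T00CONSTRUCTED/G1CONSTRUCTED/a3CONSTRUCTED")))
    print(redact(webhook_url("slack_alerts")))
```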
As in let's say my api is located at domain/_ah/api. We have domain/_ah/api/getUser, domain/_ah/api/stuff/getStuff, domain/_ah/api/stuff/moreStuff/postMoreStuff.
Is it possible to do that by only defining something like this?
swagger: '2.0'
info:
  title: "Cloud Endpoints + Cloud Run"
  description: "Sample API on Cloud Endpoints with a Cloud Run backend"
  version: "1.0.0"
host: "domain"
schemes:
  - "https"
produces:
  - "application/json"
x-google-backend:
  jwt_audience: "audience"
  address: "domain_backend"
  protocol: "h2"
paths:
  /_ah/api/*:
    get, post, put, etc:
      description: "Protects Base URL"
      operationId: "authInfoFirebase"
      security:
        - firebase: []
securityDefinitions:
  firebase:
    authorizationUrl: ""
    flow: "implicit"
    type: "oauth2"
    x-google-issuer: "https://securetoken.google.com/<project_id>"
    x-google-jwks_uri: "https://www.googleapis.com/service_accounts/v1/metadata/x509/securetoken@system.gserviceaccount.com"
    x-google-audiences: "<project_id>"
I am afraid Cloud Endpoints does not recognize wildcards as you specified.
Quoting the documentation:
“Endpoints only supports URL path template parameters that correspond to entire path segments (delimited by slashes /). URL path template parameters that correspond to partial path segments aren't supported.”[1]
A workaround to wildcards would be to use path templates.
You can use curly braces {} to mark parts of a URL as path parameters; using your example:
domain/_ah/api/{value1}
domain/_ah/api/{value1}/{value2}
domain/_ah/api/{value1}/{value2}/{value3}
Just be careful not to overlap the path templates, like in this example:
/items/{itemid} ---> This is valid
/items/{itemId}/subitem ----> This is valid
/items/cat ----> This is NOT valid
[1] https://cloud.google.com/endpoints/docs/openapi/openapi-limitations#url_path_templating
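As an added example (not from the answer), the helper below expands a wildcard prefix into the fixed-depth path templates the answer suggests, checks a list of templates for the overlap the answer warns about, and emits a `paths:` object in which every method of every template requires the `firebase` scheme. The overlap rule is generalized from the answer's three-line illustration: two templates clash when they have the same number of segments and, at each position, either the literals are equal or at least one side is a parameter. Declaring each `{valueN}` as a path parameter and giving every operation a distinct `operationId` are OpenAPI 2.0 requirements; the prefix, depth and method list are caller-supplied.

```python
"""Path-template helpers for Cloud Endpoints (added example; prefix, depth and
method names are caller-supplied)."""
from itertools import combinations
from typing import Dict, List, Tuple


def segments(path: str) -> List[str]:
    return [s for s in path.strip("/").split("/") if s]


def is_param(segment: str) -> bool:
    return segment.startswith("{") and segment.endswith("}")


def templates_for_prefix(prefix: str, depth: int) -> List[str]:
    """'/_ah/api', depth 3 -> /_ah/api/{value1}, /_ah/api/{value1}/{value2}, ..."""
    base = "/" + "/".join(segments(prefix))
    return [base + "".join(f"/{{value{i}}}" for i in range(1, n + 1))
            for n in range(1, depth + 1)]


def overlap(a: str, b: str) -> bool:
    """True when one concrete URL could match both templates."""
    sa, sb = segments(a), segments(b)
    if len(sa) != len(sb):
        return False
    return all(is_param(x) or is_param(y) or x == y for x, y in zip(sa, sb))


def find_overlaps(paths: List[str]) -> List[Tuple[str, str]]:
    """Every clashing pair, in input order; an empty list means the set is safe."""
    return [(a, b) for a, b in combinations(paths, 2) if overlap(a, b)]


def protected_paths(templates: List[str],
                    methods: Tuple[str, ...] = ("get", "post", "put", "delete")) -> Dict[str, dict]:
    """`paths:` object where every operation declares its path params and
    requires the firebase scheme; operationIds are made unique."""
    paths: Dict[str, dict] = {}
    for idx, tpl in enumerate(templates, 1):
        params = [{"name": s[1:-1], "in": "path", "required": True, "type": "string"}
                  for s in segments(tpl) if is_param(s)]
        paths[tpl] = {
            m: {"operationId": f"proxy{idx}_{m}",
                "parameters": params,
                "security": [{"firebase": []}]}
            for m in methods
        }
    return paths


if __name__ == "__main__":
    tpls = templates_for_prefix("/_ah/api", 3)
    print(tpls, find_overlaps(tpls))
    # The answer's example: the literal 'cat' clashes with {itemid}.
    print(find_overlaps(["/items/{itemid}", "/items/{itemId}/subitem", "/items/cat"]))
```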
Using curl I can access an HTTP resource on a web service with Kerberos / SPNEGO this way, after I did a kinit:
curl -X POST --negotiate -u : http://host.mydomain.net:14000/my/web/resource
You can see I just pass -u : without actually passing any user / password, and it works because of --negotiate.
With Ansible I can access the resource, but I need to put in my credentials:
- uri:
    url: "http://host.mydomain.net:14000/my/web/resource"
    return_content: true
    method: POST
    headers:
      Content-Type: "application/x-www-form-urlencoded"
    user: "{{ myuser }}"
    password: "{{ mypass }}"
  register: login
- debug:
    msg: "{{ login.content }}"
Now I'd like to access the resource using only Kerberos authentication, so the executor will use its credentials. I tried to define the user and password parameters as empty, but this fails.
So I'd like to know if the uri module supports SPNEGO and how I should do it?
Thanks
Curl committer here...
This will not work. Curl cannot authenticate for you. The authentication has to happen at logon time to the machine/server. Since you want to automate that, create a service account, export the keytab and provide the keytab file with the env var KRB5_CLIENT_KTNAME to Ansible. This will work, but you need MIT Kerberos.
Please read my canonical answer to this. If you are in an Active Directory environment, you can easily use msktutil(1), which will do all the magic for you.
I just installed and configured the LexikJWTAuthenticationBundle as the provided example shows.
But when I try to generate a token with
curl -X POST http://localhost:8000/api/login_check -d _username=johndoe -d _password=test
(I use my correct user and password) I get:
{"error":{"code":500,"message":"Internal Server Error","exception":[{"message":"Failed to load private key \"\/home\/web\/symfony\/app\/var\/jwt\/private.pem\". Did you correctly configure the corresponding passphrase?
How do I debug this error?
Please set the provider first in the app/config/security.yml file, like below:
providers:
  in_memory:
    memory:
      users:
        johndoe:
          password: test
          roles: 'ROLE_USER'
After the above setting, you can run the command below; after running it you will get a token, use that token for your request:
curl -X POST http://localhost:8000/api/login_check -d _username=johndoe -d _password=test
For more about the setting, please refer to the link below:
enter link description here