-
Notifications
You must be signed in to change notification settings - Fork 58
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
uaa login failing -- wrong redirect? #203
Comments
Any additional information needed? Tom |
Hi @tomsherrod ! |
Hi @Infra-Red |
@tomsherrod You right, initially I tested with Kibana as Cloud Foundry application. I made additional fix, could you please try to create release and redeploy again with https://github.com/cloudfoundry-community/logsearch-for-cloudfoundry/blob/develop/templates/logsearch-for-cf.example-with-uaa-auth.yml#L97 property added to deployment manifest. |
@Infra-Red Failing. I did a complete redeploy using the latest logsearch-boshrelease and logsearch-for-cloudfoundry. Pointers welcome. After logging in, the browser: From kibana.stdout.log: |
@tomsherrod Could you please additionally share Logsearch deployment manifest. |
@Infra-Red Thanks for the response. |
Hi @tomsherrod - have you got it running ? I have similar issue (on AWS) - the auth plugin seems to get into an infinite loop -> /login -> / -> /login, ending up with a 502 bad gateway? I can't get the auth with uaa working. |
Hi,
I have not. A colleague has, however, I haven't done it myself as of yet.
Your question kicks me back into it. Will share whatever I find over the
next couple of days.
Tom
…On Wed, Jan 4, 2017 at 12:48 PM, Sylvain Gibier ***@***.***> wrote:
Hi @tomsherrod <https://github.com/tomsherrod> - have you got it running
? I have similar issue (on AWS) - the auth plugin seems to get into an
infinite loop -> /login -> / -> /login, ending up with a 502 bad gateway?
I can't get the auth with uaa working.
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#203 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AHYTXcpOU6dp0qqEgXodqwVTNwcpV9DOks5rO9tZgaJpZM4KbGsj>
.
|
@muconsulting In your deployment you are using Kibana as standalone VM from logsearch-boshrelease or CF Kibana application included in this release? |
Hi - i tried - using the CF kibana application from this release, the standalone VM and even downloaded a standard kibana 4.4.2 from elastic and deployed the plugin. From what I can tell, the communication to my UAA server is working fine, the redirect is working, ... it seems that the oauth cookie is not set. |
Hi @tomsherrod and @muconsulting , As far as I can see from your deploy manifest, you didn't set REDIS_HOST to Kibana env: properties:
kibana:
env:
- REDIS_HOST: foo Could you try using a real redis host? We use redis for auth sessions, so probably this causes the problem you get. |
Nope - REDIS_HOST and REDIS_PORT are set in my case, since I can see connection on the redis server happening. Any reason why cookies (uaa-cookie) are not set ? I seem to only see the bell cookie one. |
Can you share your deployment manifest and tell which versions of logsearch-boshrelease and logsearch-for-cf you use? |
Hi, I'm using logsearch-boshrelease (v203) and logsearch-for-cloudfoundry (v200.0.0). Regarding the manifest - I'm deploying Kibana 4.4.2 (from the release itself) + the installed auth plugin with a generated manifest as below for faster debugging - which is equivalent to the errand job anyway. `---
Idea ? As I indicated - it seems the loop redirection is due to cookie not found, or set ? |
@muconsulting , I had similar redirect issue when my Redis properties were set wrong. So, could you please make sure that there is a If there is no one, then probably something wrong with your Redis connection. If everything is ok with Redis (there is a |
Also, can you try using recent 201 release of logsearch-for-cloudfoundry? |
Hi, I can confirm that my redis contains kibana* key entries. I can try the latest release, but i don't see any code changes in the authentication plugin, nor the kibana release. UPDATE: I think i found the problem, it seems that the uaa-auth cookie size exceeds the 4K limit, despite having redis cache working properly, that could explain why the cookie is never set and then transmitted between requests. Sorry - I'm not really a node js expert. |
@muconsulting, Thank you for your PR #216. You are right, there is no need to store an auth credentials object in the user session cookie - storing of session_id is enough. Additionally, we are not risking to exceed a cookie size limit. For your question regarding Thanks! |
@hannayurkevich You have mentioned that I need to make sure that there is a kibana* key storing your session in Redis, And I tried to ssh to the queue instance and check the keys of redis:
Does it mean that my current redis is not properly configured and how should I fix it? I have tried to add REDIS_HOST information in my manifest but it seems not works. Many thanks!
|
Hi @maoyi8212 , do you deploy cf-kibana or standalone one? Could you please provide your deploy manifest, so that I can get a better picture of your deployment and try to help? Thanks. |
@hannayurkevich Thank you for your quick reply. I deploy the cf-kibana and here attached the manifest |
I see that you set Redis host in your deployment:
This property should be enough to make Kibana use Redis to store auth sessions. Just double check that this IP is correct. Also you don't need to set
I can't see any problems with your manifest. So, could you please describe your case in more detail:
Also cc @Infra-Red Thanks |
@hannayurkevich @Infra-Red
2 . The error response is:
|
It looks like Kibana auth plugin can't connect Redis to persist user session and that's why tries to authenticate them again and again. Could you please check that Redis port is open, so that Kibana can access it? UPDATE: Please check in your CF that you have security group for Redis, it is created by cf-kibana errand using this template. The security group should be set for your org/space where Kibana app is deployed. |
@hannayurkevich @Infra-Red And what's the default name of security group for Redis? I checked my current security group. There are only cf-kibana-asg(Which is I created for Kibana) and logsearch-access
|
It's
Also, one thing you can try is to clear your browser cookies and also content of your Redis. And then retry login to Kibana. It's possible that "old" data breaks authentication. |
@hannayurkevich Really appreciate your great help! I just wandering how does the manifest get the "cf-kibana.elasticsearch.host" and "redis.host" configuration parameter. from environment variable or some other ways? How can I make it correct? Or I just hard code the update information and update the security group? Many thanks! |
You should set values in properties section (global or for a specific job). For exmple in your manifest I can find the following values:
-> so your configuration values and what you get in your security group is different? Then you should probably deploy from scratch. You can also fix it manually, if you prefer. |
@hannayurkevich |
@maoyi8212 You should check that Elasticsearch indexes are created and logs data are available.
Also cf-kibana allows to list all logs only for users from particular Cloud Foundry organization, this org can be configured with property |
@Infra-Red Thank you for the reploy Currently there are only 2 Elasticsearch indexes |
Your In general it is highly recommended to use the predefined stub for generating your deploy manifest and customize features you are sure about. Go carefully through the deplyment doc. |
@hannayurkevich @Infra-Red Thank you for your suggestion. One of the error is the parser issue
When I ssh to the parser instance, I found a issue as following:
So I checked the /var/vcap/jobs/parser/bin/parser_ctl script and I found a command and this command cause the error. `
Many thanks for your kindly explanation. |
I don't see how For your question about diego, you need to provide the parser with names of your cf and diego deployments, so that parser can apply these names and set |
Also, If you try from scratch and meet any problems, please open a separate issue to not overload this thread. Thank you! |
Hi,
logsearch-boshrelease(v203) working at http://10.104.2.2/.
Passed smoke tests.
Updated the deployment with logsearch-for-cloudfoundry.
http://10.104.2.2/ redirected to the login page.
Got a page for ok that kibana_client have access.
Once ok, redirects to https://10.104.2.2/login?code=oBpTLd&state=EgQjI4X3NVqPO1Jm6DFRB9 which fails since https isn't enabled. http version of that url, returns a 500.
Pointers to what I missed appreciated.
Tom
The text was updated successfully, but these errors were encountered: