I have an application that uses the KeyRock, PEP, PDP(AuthZForce).

Security level 1 (authentication) with Keyrock and the PEP is working, but when we try to use AuthZForce to check the authorization, I get the error message:

AZF domain not created for application

I have my user and my application that I created following the steps on the Fiware IdM User and Programmers Guide.

I am also able to create domains as stated in the AuthZForce - Installation and Administration Guide but I don't know how to bind the Domain ID with user roles when creating them.

So, how can I insert users/organizations/applications under a specific domain, and then have the security level 2?

My config.js file:

config.azf = {
    enabled: true,
    host: '192.168.99.100',
    port: 8080,
    path: '/authzforce/domains/',
    custom_policy: undefined
};

And my docker-compose.yml file is:

authzforce:
    image: fiware/authzforce-ce-server:release-5.4.1
    hostname: authzforce
    container_name: authzforce
    ports:
      - "8080:8080"

keyrock:
    image: fiware/idm:v5.4.0
    hostname: keyrock
    container_name: keyrock
    ports:
        - "5000:5000"
        - "8000:8000"

pepproxy:
    build: Docker/fiware-pep-proxy
    hostname: pepproxy
    container_name: pepproxy
    ports:
        - "80:80"
    links:
        - authzforce
        - keyrock

This question is the same as AuthZForce Security Level 2: Basic Authorization error "AZF domain not created for application", but I get the same error, and my Keyrock version is v5.4.0.

  • Hi Gabriela. You do not have to manually create a domain in AuthZForce. It is automatically created and assigned to the app by IdM when you create a new permission. – Álvaro Alonso Nov 14 '16 at 13:41
  • Ok, so why do I get the error about the domain for the application? – Gabriela Cavalcante Nov 18 '16 at 14:02
  • I recommend you to check that Keyrock and AuthZForce are correctly connected. You can check the logs of both components to know if the domain is being created during the permissions creation. – Álvaro Alonso Nov 22 '16 at 08:47
  • Sorry for my delay. I connected the Keyrock and AuthZForce, and now this problem is fixed. Thanks. But I have a problem with my token yet, I'll create a new issue. – Gabriela Cavalcante Dec 09 '16 at 13:51

2 Answers

I changed the AuthZForce GE Configuration: http://fiware-idm.readthedocs.io/en/latest/admin_guide.html#authzforce-ge-configuration

  • Gabriela, could you please explain the steps you followed to fix the problem? Does your Keyrock create the domain on AuhtZForce automatically? Our Keyrock doesn't seem to talk to AuthZForce despite the endpoint is properly set in ACCESS_CONTROL_URL, could you share your config? Thank you! – Daniel Rodriguez Mar 10 '17 at 11:46
  • You don't need to create a domain. Keystone and AuthZForce do it. In this file: https://github.com/openstack/horizon/blob/master/openstack_dashboard/local/local_settings.py.example#L74, I removed the comment from OPENSTACK_KEYSTONE_DEFAULT_DOMAIN (I'm not sure if it's necessary, but in my case it works) – Gabriela Cavalcante Mar 10 '17 at 13:16
  • And, my access_control_url: ACCESS_CONTROL_URL = 'http://192.168.99.100:8080' ACCESS_CONTROL_MAGIC_KEY = 'undefined' – Gabriela Cavalcante Mar 10 '17 at 13:31

After reviewing the Horizon source code I found that the function "policyset_update" in openstack_dashboard/fiware_api/access_control_ge.py returns immediately if ACCESS_CONTROL_MAGIC_KEY is None (the default configuration) or an empty string, so the communication with AuthZForce never takes place. Although this parameter is optional when you don't have AuthZForce behind a PEP Proxy, you have to enter some text to avoid this error.

In your case, your string 'undefined' did the work. In fact, as a result, an 'X-Auth-Token: undefined' header is generated, but ignored when Horizon communicates directly with AuthZForce.

Related topic: Fiware AuthZForce error: "AZF domain not created for application"
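To make the failure mode in the answer above concrete, here is an added example (not Horizon's or FIWARE's own code) that models the early-return guard the answer describes and adds a pre-flight check for the two Horizon settings named on this page. The function names `model_policyset_update` and `check_access_control_settings`, the placeholder URL suffix, and the list of placeholder key values are assumptions for illustration; the real function is `policyset_update` in openstack_dashboard/fiware_api/access_control_ge.py, and the `X-Auth-Token` header name comes from the answer.

```python
"""Added example, not Horizon's own code.

Models the guard described in the answer: policyset_update skips the
AuthZForce call entirely when ACCESS_CONTROL_MAGIC_KEY is None or '',
so the AZF domain for the application is never created.  The second
function is a pre-flight check an operator can run against their
local_settings.py values before chasing the error elsewhere.
"""
from typing import Optional
from urllib.parse import urlparse

# Values that are effectively "no key".  Per the answer they work only when
# Horizon talks to AuthZForce directly (no PEP Proxy in front of it).
# This list is constructed for the example.
PLACEHOLDER_KEYS = {"undefined", "none", "null", "changeme"}


def model_policyset_update(access_control_url: str,
                           magic_key: Optional[str],
                           app_id: str) -> Optional[dict]:
    """Illustrative stand-in for policyset_update's early-return behaviour.

    Returns None when the call would be silently skipped, otherwise a
    description of the request Horizon would send.  The URL suffix is a
    constructed placeholder, not the real AuthZForce policy path.
    """
    if not magic_key:  # None or '' -> early return, nothing is sent
        return None
    return {
        "method": "PUT",
        "url": access_control_url.rstrip("/") + "/<authzforce-policy-path>/" + app_id,
        "headers": {"X-Auth-Token": magic_key},
    }


def check_access_control_settings(access_control_url: Optional[str],
                                  magic_key: Optional[str],
                                  pep_in_front: bool) -> list:
    """Return human-readable findings for the Horizon -> AuthZForce settings.

    An empty list means the settings would at least let the request leave
    Horizon; it does not prove AuthZForce is reachable.
    """
    findings = []
    if not access_control_url:
        findings.append("ACCESS_CONTROL_URL is unset: Horizon cannot reach AuthZForce")
    else:
        parsed = urlparse(access_control_url)
        if parsed.scheme not in ("http", "https") or not parsed.netloc:
            findings.append(
                f"ACCESS_CONTROL_URL is not an absolute http(s) URL: {access_control_url!r}")
    if not magic_key:
        findings.append(
            "ACCESS_CONTROL_MAGIC_KEY is None or empty: policyset_update returns early "
            "and the AZF domain is never created")
    elif pep_in_front and magic_key.strip().lower() in PLACEHOLDER_KEYS:
        findings.append(
            f"ACCESS_CONTROL_MAGIC_KEY {magic_key!r} is a placeholder; that is only "
            "acceptable when Horizon talks to AuthZForce directly, not through a PEP Proxy")
    return findings


if __name__ == "__main__":
    # The values from this page: direct Horizon -> AuthZForce, placeholder key.
    url, key = "http://192.168.99.100:8080", "undefined"
    print("skipped with default key:", model_policyset_update(url, None, "app1") is None)
    print("findings:", check_access_control_settings(url, key, pep_in_front=False))
```

Run it as-is to see that the default (None) key produces no request at all, while the 'undefined' string from the comments lets the request through with an `X-Auth-Token: undefined` header; switch `pep_in_front` to `True` to see the placeholder flagged.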
