Fiware AuthZForce error: "AZF domain not created for application"

Question

I'm trying to protect Orion Context Broker using KeyRock idm, Wilma PEP-Proxy and AuthZForce PDP over Docker. For now, level 1 security works well and I can deny access to non logged users, but I get this error on Wilma when trying to add level 2.

AZF domain not created for application <applicationID>

Here it is my azf configuration in Wilma's config.js file:

config.azf = {
    enabled: true,
    protocol: 'http',
    host: 'azfcontainer',
    port: 8080,
    custom_policy: undefined
};

And this is how I set the access control configuration on KeyRock:

# ACCESS CONTROL GE
ACCESS_CONTROL_URL = 'http://azfcontainer:8080'
ACCESS_CONTROL_MAGIC_KEY = None

I have created the custom policies on Keyrock, but AuthZForce logs don't show any request from KeyRock or Wilma, so no domain is created on the PDP. I have checked that all containers can see and reach each other and that all ports are up. I may be missing some configuration.

These are the versions I'm using:

keyrock=5.4.1
wilma=5.4
autzforce=6.0.0/5.4.1

This question is the same that “AZF domain not created for application” AuthZforce, but my problem persists even with the shown AuthZForce GE Configuration.

Which versions of KeyRock, Wilma and AuthzForce are you using? — cdan, Mar 14 '17 at 10:01
I have edited the question with the versions I'm using. `keyrock=5.4.1`, `wilma=5.4` and `autzforce=6.0.0 and 5.4.1` — Lorenzo García, Mar 14 '17 at 16:59

Daniel Rodriguez · Accepted Answer · 2017-03-15T11:32:52.617

I found the cause of this problem that is present when the AuthZForce is not behind a PEP Proxy and therefore the variable ACCESS_CONTROL_MAGIC_KEY is not modified (None by default).

It seems horizon reads both ACCESS_CONTROL_URL and ACCESS_CONTROL_MAGIC_KEY parameters in openstack_dashboard/local/local_settings.py when it needs to connect to AuthZForce. Theoretically, the second parameter is optional (it introduces a 'X-Auth-Token' header for the PEP Proxy), but if horizon detects it is None (the default value in local_settings.py) or an empty string, the log shows a Warning and returns inmediatly from the function "policyset_update" in openstack_dashboard/fiware_api/access_control_ge.py. So the communication to AuthZForce never takes place.

The easier way to solve the problem is to write some text as magic key in: openstack_dashboard/local/local_settings.py:

# ACCESS CONTROL GE
ACCESS_CONTROL_URL = 'http://authzforce_url:port'
ACCESS_CONTROL_MAGIC_KEY = '1234567890' # DO NOT LEAVE None OR EMPTY

Thus, a 'X-Auth-Token' header will be generated, but it shouldn't affect to the communication when the AuthZForce isn't behind a PEP Proxy (the header is simply ignored).

Notice: Remember to delete the cached bytecode file "openstack_dashboard/local/local_settings.pyc" when making changes to assure the new config is updated after restart horizon service.

PS: I sent a pull request to https://github.com/ging/horizon with a simple modification that fixes the problem.

Hello. I did what you told, in local_settings.py, but I am also getting the "AZF domain not created for application629cd23fe9bb42c..." message. Do you have any other suggestion? — Dalton Cézane, Mar 30 '17 at 19:06
It is working now. I am not sure, but I think the problem was because I had not created the permission before. Or something like that. Thanks. — Dalton Cézane, Apr 03 '17 at 17:30

Fiware AuthZForce error: "AZF domain not created for application"

1 Answers1

Linked