
I've been struggling for a while with this issue and wondered if anyone else had the same problem.

I've got a Keyrock 7.8.0 + MySQL architecture running with Docker, as the FIWARE tutorials suggest. I can access both the GUI and the API through localhost:3005. Everything seems to work fine through the GUI with the admin user, but when it comes to granting, with the admin Auth-Token, a role to a user

curl -X PUT \
  http://localhost:3005/v1/applications/20f9bc1d-a9d1-45af-bdd9-f96fdc7a1ec9/users/c8336e47-8e3b-4081-b0f7-b2a3431847d7/roles/55e8a41c-52b5-4ef9-ad9c-ef60762d32e3 \
  -H 'Accept: */*' \
  -H 'Accept-Encoding: gzip, deflate' \
  -H 'Cache-Control: no-cache' \
  -H 'Connection: keep-alive' \
  -H 'Content-Length: 0' \
  -H 'Content-Type: application/json' \
  -H 'Cookie: session=eyJyZWRpciI6Ii8ifQ==; session.sig=TqcHvLKCvDVxuMk5xVfrKEP-GSQ' \
  -H 'Host: localhost:3005' \
  -H 'Postman-Token: cb7e8ae3-87b4-4d8e-9fb7-a66ef439a7cf,7f736505-8c7e-4991-8449-ebd6e54714f7' \
  -H 'User-Agent: PostmanRuntime/7.19.0' \
  -H 'X-Auth-token: f20c72c6-7c2a-4d8e-8d48-568e1c4e47d6' \
  -H 'cache-control: no-cache'

or an organization,

curl -X PUT \
  http://localhost:3005/v1/applications/20f9bc1d-a9d1-45af-bdd9-f96fdc7a1ec9/organizations/d98534f7-ecaa-4c38-93cc-c17d87f010ee/roles/55e8a41c-52b5-4ef9-ad9c-ef60762d32e3/organization_roles/member \
  -H 'Accept: */*' \
  -H 'Accept-Encoding: gzip, deflate' \
  -H 'Cache-Control: no-cache' \
  -H 'Connection: keep-alive' \
  -H 'Content-Length: 0' \
  -H 'Content-Type: application/json' \
  -H 'Cookie: session=eyJyZWRpciI6Ii8ifQ==; session.sig=TqcHvLKCvDVxuMk5xVfrKEP-GSQ' \
  -H 'Host: localhost:3005' \
  -H 'Postman-Token: 11fc3dbb-8484-482f-8bc1-af89dcdeebb5,8bfdcdb5-f200-4bee-bcee-a8f6d83b18f0' \
  -H 'User-Agent: PostmanRuntime/7.19.0' \
  -H 'X-Auth-token: f20c72c6-7c2a-4d8e-8d48-568e1c4e47d6' \
  -H 'cache-control: no-cache'

it just responds with this error in the body:

{
    "error": {
        "message": "User not allow to perform the action",
        "code": 403,
        "title": "Forbidden"
    }
}

Does anyone know how it can be that the same user has permission to do a thing through the GUI and not through the API?

Mannix

1 Answer


We encountered the same issue and probably found a solution:

According to the documentation for assigning roles to organizations or for assigning roles to users, the HTTP verb PUT must be used. In reality, Keyrock then responds with the following error message:

{ 
   "error": {
      "message": "User not allow to perform the action",
      "code": 403,
      "title": "Forbidden"   
   }
}

When we use the HTTP verb POST instead of PUT, the role is assigned successfully to the organization/user.

Therefore, we assume that either the documentation or the implementation is faulty.

Source: https://github.com/ging/fiware-idm/issues/144

Florian
  • Thanks for the reply, @Florian. I will try again with keyrock and see if your suggestion works. – Mannix Jul 13 '20 at 10:26