Re: multi-tenant domain configuration
On 25/07/2018 20:58, Wyllys Ingersoll wrote:

When I create a user with a role that has all of the entitlements and attempt to login to the console, it fails and this error is in the console.log:

Hi,
the log below is not very explicative, it is hard to guess the actual problem: maybe you have users pending approval?
Otherwise, please track down the stacktrace until some '*RestClient class is mentioned.

Regards.

18:52:24.186 ERROR org.apache.syncope.client.console.SyncopeConsoleRequestCycleListener - Exception found
org.apache.wicket.WicketRuntimeException: An error occurred while getting the model object for Component: [Component id = alerts, page = org.apache.syncope.client.console.pages.Dashboard, path = body:approvalsWidget:alerts, type = org.apache.wicket.markup.html.basic.Label, isVisible = true, isVersioned = true, markup = [markup = jar:file:/var/lib/tomcat8/webapps/syncope-console/WEB-INF/lib/syncope-client-console-2.1.1-SNAPSHOT.jar!/org/apache/syncope/client/console/widgets/AlertWidget.html , index = 0, current = '' (line 0, column 0)]]
    at org.apache.wicket.Component.getDefaultModelObject(Component.java:1581) ~[wicket-core-8.0.0.jar:8.0.0]
    at org.apache.syncope.client.console.widgets.AlertWidget$3.onComponentTag(AlertWidget.java:86) ~[syncope-client-console-2.1.1-SNAPSHOT.jar:2.1.1-SNAPSHOT]
    at org.apache.wicket.Component.internalRenderComponent(Component.java:2428) ~[wicket-core-8.0.0.jar:8.0.0]
    at org.apache.wicket.markup.html.WebComponent.onRender(WebComponent.java:60) ~[wicket-core-8.0.0.jar:8.0.0]
    at org.apache.wicket.Component.internalRender(Component.java:2287) ~[wicket-core-8.0.0.jar:8.0.0]
    ...

When I create another user with no special entitlements, I can login to the console UI with no problems.

On Wed, Jul 25, 2018 at 4:27 AM, Francesco Chicchiriccò wrote:

On 24/07/2018 15:03, Wyllys Ingersoll wrote:

Thanks, I got it to work by giving my "Admin" role a subset of the complete list of entitlements.

It seems that granting the entire list of entitlements to a role or a user makes it unauthorized to access the UI, which is counter-intuitive, IMO.

Not sure what do you mean here: I have just created a Role with all entitlements against Realm /, assigned to a user and then logged in with that user with no issues.
All this in syncope-vm, with domain Two, naturally.

It's also not clear what entitlements are in effect for administering roles. I granted all of the ROLE_* entitlements to a user but when I try to use that user to manage roles, it logs me out and says "Access is Denied" and the core.log shows messages like this:

Unfortunately, the process of selecting the right set of Entitlements to grant for Delegated Administration is not straightforward.

The point is that Entitlements are fine-grained and mostly matching the corresponding REST endpoints, but Admin Console often does much more, in order to provide a better UX.

In your example above, once assigned all ROLE_* entitlements and being forcibly logged out, look more carefully at the logs to find out the actual REST service which that user was not granted to invoke, then add the corresponding entitlement(s) to the Role, and try again.

HTH
Regards.

On Tue, Jul 24, 2018 at 3:42 AM, Francesco Chicchiriccò wrote:

On 23/07/2018 22:59, Wyllys Ingersoll wrote:

Using the 2.1.1-SNAPSHOT build, I am now able to login to the 2nd domain as the default "admin" account, but I cannot login using any other accounts even if those accounts are assigned a role with all of the privileges.

You can see the same error on the demo vm using login "testadm/password2" in domain "Two".

Hi,
since the demo is redeployed every few hours, and persistence gets cleared, such user is not there any more.

However, I went to syncope-vm.apache.org, logged in as admin in the Two domain, created a user 'ilgrosso' with password 'Password123' and no roles.
After logging out as admin, I was able to log in again as ilgrosso, in the Two domain of course, as expected - see

https://snag.gy/mrUpi4.jpg

When using roles, I'd suggest to take a look at

http://syncope.apache.org/docs/reference-guide.html#delegated-administration-console

to see how to define the 'minimal set' of entitlements to grant (you'll need to temporarily add GROUP_SEARCH to such set, at least until my latest commit gets deployed).

Regards.

On Sun, Jul 22, 2018 at 3:00 PM, Wyllys Ingersoll wrote:

Done - https://issues.apache.org/jira/browse/SYNCOPE-1342

thanks for confirming this, I thought I was just doing something stupid or the documentation was missing a step or 2.

On Sun, Jul 22, 2018 at 1:25 PM, Francesco Chicchiriccò wrote:

Hi,
I have replicated your Docker-based setup, with two domains and 2.1.1-SNAPSHOT, found the same issue.

...that could be easily replicated by attempting to log in on the public demo:

http://syncope-vm.apache.org:9080/syncope-console

on the Two domain, with credentials admin / password2 - working via REST.

Please raise an issue
Re: multi-tenant domain configuration
When I create a user with a role that has all of the entitlements and attempt to login to the console, it fails and this error is in the console.log:

18:52:24.186 ERROR org.apache.syncope.client.console.SyncopeConsoleRequestCycleListener - Exception found
org.apache.wicket.WicketRuntimeException: An error occurred while getting the model object for Component: [Component id = alerts, page = org.apache.syncope.client.console.pages.Dashboard, path = body:approvalsWidget:alerts, type = org.apache.wicket.markup.html.basic.Label, isVisible = true, isVersioned = true, markup = [markup = jar:file:/var/lib/tomcat8/webapps/syncope-console/WEB-INF/lib/syncope-client-console-2.1.1-SNAPSHOT.jar!/org/apache/syncope/client/console/widgets/AlertWidget.html , index = 0, current = '' (line 0, column 0)]]
    at org.apache.wicket.Component.getDefaultModelObject(Component.java:1581) ~[wicket-core-8.0.0.jar:8.0.0]
    at org.apache.syncope.client.console.widgets.AlertWidget$3.onComponentTag(AlertWidget.java:86) ~[syncope-client-console-2.1.1-SNAPSHOT.jar:2.1.1-SNAPSHOT]
    at org.apache.wicket.Component.internalRenderComponent(Component.java:2428) ~[wicket-core-8.0.0.jar:8.0.0]
    at org.apache.wicket.markup.html.WebComponent.onRender(WebComponent.java:60) ~[wicket-core-8.0.0.jar:8.0.0]
    at org.apache.wicket.Component.internalRender(Component.java:2287) ~[wicket-core-8.0.0.jar:8.0.0]
    ...

When I create another user with no special entitlements, I can login to the console UI with no problems.

On Wed, Jul 25, 2018 at 4:27 AM, Francesco Chicchiriccò wrote:
> On 24/07/2018 15:03, Wyllys Ingersoll wrote:
>>
>> Thanks, I got it to work by giving my "Admin" role a subset of the
>> complete list of entitlements.
>>
>> It seems that granting the entire list of entitlements to a role or a
>> user makes it unauthorized to access the UI, which is
>> counter-intuitive, IMO.
>
> Not sure what do you mean here: I have just created a Role with all
> entitlements against Realm /, assigned to a user and then logged in with
> that user with no issues.
> All this in syncope-vm, with domain Two, naturally.
>
>> It's also not clear what entitlements are in effect for administering
>> roles. I granted all of the ROLE_* entitlements to a user but when I
>> try to use that user to manage roles, it logs me out and says "Access
>> is Denied" and the core.log shows messages like this:
>
> Unfortunately, the process of selecting the right set of Entitlements to
> grant for Delegated Administration is not straightforward.
>
> The point is that Entitlements are fine-grained and mostly matching the
> corresponding REST endpoints, but Admin Console often does much more, in
> order to provide a better UX.
>
> In your example above, once assigned all ROLE_* entitlements and being
> forcibly logged out, look more carefully at the logs to find out the actual
> REST service which that user was not granted to invoke, then add the
> corresponding entitlement(s) to the Role, and try again.
>
> HTH
> Regards.
>
>> On Tue, Jul 24, 2018 at 3:42 AM, Francesco Chicchiriccò
>> wrote:
>>>
>>> On 23/07/2018 22:59, Wyllys Ingersoll wrote:

Using the 2.1.1-SNAPSHOT build, I am now able to login to the 2nd domain as the default "admin" account, but I cannot login using any other accounts even if those accounts are assigned a role with all of the privileges.

You can see the same error on the demo vm using login "testadm/password2" in domain "Two".

>>>
>>> Hi,
>>> since the demo is redeployed every few hours, and persistence gets cleared,
>>> such user is not there any more.
>>>
>>> However, I went to syncope-vm.apache.org, logged in as admin in the Two
>>> domain, created a user 'ilgrosso' with password 'Password123' and no roles.
>>> After logging out as admin, I was able to log in again as ilgrosso, in the
>>> Two domain of course, as expected - see
>>>
>>> https://snag.gy/mrUpi4.jpg
>>>
>>> When using roles, I'd suggest to take a look at
>>>
>>> http://syncope.apache.org/docs/reference-guide.html#delegated-administration-console
>>>
>>> to see how to define the 'minimal set' of entitlements to grant (you'll need
>>> to temporarily add GROUP_SEARCH to such set, at least until my latest commit
>>> gets deployed).
>>>
>>> Regards.
>>>
>>> On Sun, Jul 22, 2018 at 3:00 PM, Wyllys Ingersoll wrote:
>
> Done - https://issues.apache.org/jira/browse/SYNCOPE-1342
>
> thanks for confirming this, I thought I was just doing something
> stupid or the documentation was missing a step or 2.
>
> On Sun, Jul 22, 2018 at 1:25 PM, Francesco Chicchiriccò
> wrote:
>>
>> Hi,
>> I have replicated your Docker-based setup, with two domains and
>> 2.1.1-SNAPSHOT, found the same issue.
>>
>> ...that could be easily replicated by attempting to log in on the public
>> demo:
>>
>> http://syncope-vm.apache.org:9080/syncope-console
>>
>> on the
Re: multi-tenant domain configuration
On 24/07/2018 15:03, Wyllys Ingersoll wrote:

Thanks, I got it to work by giving my "Admin" role a subset of the complete list of entitlements.

It seems that granting the entire list of entitlements to a role or a user makes it unauthorized to access the UI, which is counter-intuitive, IMO.

Not sure what do you mean here: I have just created a Role with all entitlements against Realm /, assigned to a user and then logged in with that user with no issues.
All this in syncope-vm, with domain Two, naturally.

It's also not clear what entitlements are in effect for administering roles. I granted all of the ROLE_* entitlements to a user but when I try to use that user to manage roles, it logs me out and says "Access is Denied" and the core.log shows messages like this:

Unfortunately, the process of selecting the right set of Entitlements to grant for Delegated Administration is not straightforward.

The point is that Entitlements are fine-grained and mostly matching the corresponding REST endpoints, but Admin Console often does much more, in order to provide a better UX.

In your example above, once assigned all ROLE_* entitlements and being forcibly logged out, look more carefully at the logs to find out the actual REST service which that user was not granted to invoke, then add the corresponding entitlement(s) to the Role, and try again.

HTH
Regards.

On Tue, Jul 24, 2018 at 3:42 AM, Francesco Chicchiriccò wrote:

On 23/07/2018 22:59, Wyllys Ingersoll wrote:

Using the 2.1.1-SNAPSHOT build, I am now able to login to the 2nd domain as the default "admin" account, but I cannot login using any other accounts even if those accounts are assigned a role with all of the privileges.

You can see the same error on the demo vm using login "testadm/password2" in domain "Two".

Hi,
since the demo is redeployed every few hours, and persistence gets cleared, such user is not there any more.

However, I went to syncope-vm.apache.org, logged in as admin in the Two domain, created a user 'ilgrosso' with password 'Password123' and no roles.
After logging out as admin, I was able to log in again as ilgrosso, in the Two domain of course, as expected - see

https://snag.gy/mrUpi4.jpg

When using roles, I'd suggest to take a look at

http://syncope.apache.org/docs/reference-guide.html#delegated-administration-console

to see how to define the 'minimal set' of entitlements to grant (you'll need to temporarily add GROUP_SEARCH to such set, at least until my latest commit gets deployed).

Regards.

On Sun, Jul 22, 2018 at 3:00 PM, Wyllys Ingersoll wrote:

Done - https://issues.apache.org/jira/browse/SYNCOPE-1342

thanks for confirming this, I thought I was just doing something stupid or the documentation was missing a step or 2.

On Sun, Jul 22, 2018 at 1:25 PM, Francesco Chicchiriccò wrote:

Hi,
I have replicated your Docker-based setup, with two domains and 2.1.1-SNAPSHOT, found the same issue.

...that could be easily replicated by attempting to log in on the public demo:

http://syncope-vm.apache.org:9080/syncope-console

on the Two domain, with credentials admin / password2 - working via REST.

Please raise an issue on JIRA: it seems that the Admin Console's login form does not take into account the value selected in the 'Domain' combo.
I have verified that the problem only affects 2.1.0, as 2.0.9 works as expected - this means that there was something missing in the migration to Wicket 8.

Regards.

On 22/07/2018 17:35, Wyllys Ingersoll wrote:

I created a role in the 2nd domain and granted it all of the entitlements using the REST api, then assigned that role to a user ("admin2") in the 2nd domain. Now when I attempt to login to the 2nd domain on the console UI, I get the following errors in the core.log file:

It's basically complaining about the connector not having privileges to authenticate anyone. Not sure how to fix this since I can't manage the domain with the UI yet (chicken and egg problem?).

11:21:39.265 INFO org.apache.syncope.core.provisioning.java.ConnectorFacadeProxy - Authenticate was attempted, although the connector only has these capabilities: [SEARCH, DELETE, SYNC, UPDATE]. No action.

I can get a token for this user with the REST api and validate the token and see that it does indeed have all of the required entitlements, the problem seems to be with the console UI and how it authenticates/authorizes users since going directly to the core for authentication via REST works as expected.

Full stack trace:

java.util.concurrent.ExecutionException: org.identityconnectors.framework.common.exceptions.InvalidCredentialException: Authentication failed for "admin2"
    at java.util.concurrent.FutureTask.report(FutureTask.java:122) ~[?:1.8.0_171]
    at java.util.concurrent.FutureTask.get(FutureTask.java:206) ~[?:1.8.0_171]
    at org.apache.syncope.core.provisioning.java.ConnectorFacadeProxy.authenticate(ConnectorFacadeProxy.java:141) ~[syncope-core-provisioning-java-2.1.0.jar:2.1.0]
    at
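Added example, not part of the thread and not Syncope code: a small Python triage script for the advice in the replies above (follow a console stack trace down to the first `*RestClient` frame and, for delegated administration, find in the logs which call was denied). The first sample entry is abridged from the console.log excerpt in the thread; the second ERROR entry and the `org.example...ExampleRestClient` class are constructed, and the class-name suffix is a parameter because the thread does not name the core-side classes.

```python
import re
from typing import List, NamedTuple, Optional, Sequence, Tuple

# Entry header as it appears in the thread's excerpts:
#   "18:52:24.186 ERROR <logger> - <message>"
ENTRY_START = re.compile(
    r"(?<!\S)(\d{2}:\d{2}:\d{2}\.\d{3}) (TRACE|DEBUG|INFO|WARN|ERROR) (\S+) - ")
# One Java stack frame: "at pkg.Class.method(File.java:123)"; proxies show "()".
FRAME = re.compile(r"\bat ([\w.$]+)\.([\w$<>]+)\([^)]*\)")


class Entry(NamedTuple):
    time: str
    level: str
    logger: str
    body: str  # message plus any stack trace, up to the next entry header


def split_entries(log_text: str) -> List[Entry]:
    """Split on entry headers, so it also works on traces that a mail
    archive has flattened onto one line (as on this page)."""
    starts = list(ENTRY_START.finditer(log_text))
    entries = []
    for i, m in enumerate(starts):
        end = starts[i + 1].start() if i + 1 < len(starts) else len(log_text)
        entries.append(Entry(m.group(1), m.group(2), m.group(3),
                             log_text[m.end():end].strip()))
    return entries


def frames(body: str) -> List[Tuple[str, str]]:
    """(fully qualified class, method) for every frame, 'Caused by' included."""
    return [(m.group(1), m.group(2)) for m in FRAME.finditer(body)]


def simple_name(cls: str) -> str:
    """Outer class without package: '...widgets.AlertWidget$3' -> 'AlertWidget'."""
    return cls.rsplit(".", 1)[-1].split("$", 1)[0]


def triage(log_text: str, suffixes: Sequence[str] = ("RestClient",)
           ) -> List[Tuple[str, str, Optional[str]]]:
    """For each ERROR entry return (time, logger, first matching frame).
    None means the excerpt stops before any such frame: get more of the trace."""
    wanted = tuple(suffixes)
    findings = []
    for e in split_entries(log_text):
        if e.level != "ERROR":
            continue
        hit = next((f for f in frames(e.body)
                    if simple_name(f[0]).endswith(wanted)), None)
        findings.append((e.time, e.logger.rsplit(".", 1)[-1],
                         f"{hit[0]}.{hit[1]}" if hit else None))
    return findings


# Sample input. Entries 1 and 2 are taken (abridged) from the thread;
# entry 3 is CONSTRUCTED, including the hypothetical ExampleRestClient class.
SAMPLE = """
18:52:24.186 ERROR org.apache.syncope.client.console.SyncopeConsoleRequestCycleListener - Exception found
org.apache.wicket.WicketRuntimeException: An error occurred while getting the model object for Component: [Component id = alerts, current = '' (line 0, column 0)]]
    at org.apache.wicket.Component.getDefaultModelObject(Component.java:1581) ~[wicket-core-8.0.0.jar:8.0.0]
    at org.apache.syncope.client.console.widgets.AlertWidget$3.onComponentTag(AlertWidget.java:86) ~[syncope-client-console-2.1.1-SNAPSHOT.jar:2.1.1-SNAPSHOT]
    at org.apache.wicket.Component.internalRenderComponent(Component.java:2428) ~[wicket-core-8.0.0.jar:8.0.0]
    ...
11:21:39.265 INFO org.apache.syncope.core.provisioning.java.ConnectorFacadeProxy - Authenticate was attempted, although the connector only has these capabilities: [SEARCH, DELETE, SYNC, UPDATE]. No action.
18:53:02.511 ERROR org.apache.syncope.client.console.SyncopeConsoleRequestCycleListener - Exception found
org.apache.wicket.WicketRuntimeException: constructed wrapper exception
    at org.apache.wicket.Component.getDefaultModelObject(Component.java:1581) ~[wicket-core-8.0.0.jar:8.0.0]
Caused by: java.lang.RuntimeException: constructed cause
    at org.example.console.rest.ExampleRestClient.list(ExampleRestClient.java:42) ~[constructed.jar:0]
    at org.example.console.widgets.ExampleWidget$1.load(ExampleWidget.java:17) ~[constructed.jar:0]
"""

if __name__ == "__main__":
    for time, logger, frame in triage(SAMPLE):
        print(time, logger, frame or "no *RestClient frame in this excerpt")
```

The excerpt quoted in the thread stops at `...` before any `*RestClient` frame, which is why the script reports nothing for it: the rest of the trace is needed before an entitlement can be picked.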
Re: multi-tenant domain configuration
Thanks, I got it to work by giving my "Admin" role a subset of the complete list of entitlements.

It seems that granting the entire list of entitlements to a role or a user makes it unauthorized to access the UI, which is counter-intuitive, IMO.

It's also not clear what entitlements are in effect for administering roles. I granted all of the ROLE_* entitlements to a user but when I try to use that user to manage roles, it logs me out and says "Access is Denied" and the core.log shows messages like this:

12:59:23.078 ERROR org.apache.cxf.interceptor.AbstractFaultChainInitiatorObserver - An unexpected error occurred during error handling. No further error processing will occur.
org.apache.cxf.interceptor.Fault: Access is denied

On Tue, Jul 24, 2018 at 3:42 AM, Francesco Chicchiriccò wrote:
> On 23/07/2018 22:59, Wyllys Ingersoll wrote:
>>
>> Using the 2.1.1-SNAPSHOT build, I am now able to login to the 2nd
>> domain as the default "admin" account, but I cannot login using any
>> other accounts even if those accounts are assigned a role with all of
>> the privileges.
>>
>> You can see the same error on the demo vm using login
>> "testadm/password2" in domain "Two".
>
> Hi,
> since the demo is redeployed every few hours, and persistence gets cleared,
> such user is not there any more.
>
> However, I went to syncope-vm.apache.org, logged in as admin in the Two
> domain, created a user 'ilgrosso' with password 'Password123' and no roles.
> After logging out as admin, I was able to log in again as ilgrosso, in the
> Two domain of course, as expected - see
>
> https://snag.gy/mrUpi4.jpg
>
> When using roles, I'd suggest to take a look at
>
> http://syncope.apache.org/docs/reference-guide.html#delegated-administration-console
>
> to see how to define the 'minimal set' of entitlements to grant (you'll need
> to temporarily add GROUP_SEARCH to such set, at least until my latest commit
> gets deployed).
>
> Regards.
>
>> On Sun, Jul 22, 2018 at 3:00 PM, Wyllys Ingersoll
>> wrote:
>>>
>>> Done - https://issues.apache.org/jira/browse/SYNCOPE-1342
>>>
>>> thanks for confirming this, I thought I was just doing something
>>> stupid or the documentation was missing a step or 2.
>>>
>>> On Sun, Jul 22, 2018 at 1:25 PM, Francesco Chicchiriccò
>>> wrote:

Hi,
I have replicated your Docker-based setup, with two domains and 2.1.1-SNAPSHOT, found the same issue.

...that could be easily replicated by attempting to log in on the public demo:

http://syncope-vm.apache.org:9080/syncope-console

on the Two domain, with credentials admin / password2 - working via REST.

Please raise an issue on JIRA: it seems that the Admin Console's login form does not take into account the value selected in the 'Domain' combo.
I have verified that the problem only affects 2.1.0, as 2.0.9 works as expected - this means that there was something missing in the migration to Wicket 8.

Regards.

On 22/07/2018 17:35, Wyllys Ingersoll wrote:
>
> I created a role in the 2nd domain and granted it all of the
> entitlements using the REST api, then assigned that role to a user
> ("admin2") in the 2nd domain. Now when I attempt to login to the 2nd
> domain on the console UI, I get the following errors in the core.log
> file:
>
> It's basically complaining about the connector not having privileges to
> authenticate anyone. Not sure how to fix this since I can't manage the
> domain with the UI yet (chicken and egg problem?).
>
> 11:21:39.265 INFO org.apache.syncope.core.provisioning.java.ConnectorFacadeProxy - Authenticate was attempted, although the connector only has these capabilities: [SEARCH, DELETE, SYNC, UPDATE]. No action.
>
> I can get a token for this user with the REST api and validate the
> token and see that it does indeed have all of the required
> entitlements, the problem seems to be with the console UI and how it
> authenticates/authorizes users since going directly to the core for
> authentication via REST works as expected.
>
> Full stack trace:
>
> java.util.concurrent.ExecutionException: org.identityconnectors.framework.common.exceptions.InvalidCredentialException: Authentication failed for "admin2"
>     at java.util.concurrent.FutureTask.report(FutureTask.java:122) ~[?:1.8.0_171]
>     at java.util.concurrent.FutureTask.get(FutureTask.java:206) ~[?:1.8.0_171]
>     at org.apache.syncope.core.provisioning.java.ConnectorFacadeProxy.authenticate(ConnectorFacadeProxy.java:141) ~[syncope-core-provisioning-java-2.1.0.jar:2.1.0]
>     at org.apache.syncope.core.spring.security.AuthDataAccessor.authenticate(AuthDataAccessor.java:255) ~[syncope-core-spring-2.1.0.jar:2.1.0]
>     at
Re: multi-tenant domain configuration
On 23/07/2018 22:59, Wyllys Ingersoll wrote:

Using the 2.1.1-SNAPSHOT build, I am now able to login to the 2nd domain as the default "admin" account, but I cannot login using any other accounts even if those accounts are assigned a role with all of the privileges.

You can see the same error on the demo vm using login "testadm/password2" in domain "Two".

Hi,
since the demo is redeployed every few hours, and persistence gets cleared, such user is not there any more.

However, I went to syncope-vm.apache.org, logged in as admin in the Two domain, created a user 'ilgrosso' with password 'Password123' and no roles.
After logging out as admin, I was able to log in again as ilgrosso, in the Two domain of course, as expected - see

https://snag.gy/mrUpi4.jpg

When using roles, I'd suggest to take a look at

http://syncope.apache.org/docs/reference-guide.html#delegated-administration-console

to see how to define the 'minimal set' of entitlements to grant (you'll need to temporarily add GROUP_SEARCH to such set, at least until my latest commit gets deployed).

Regards.

On Sun, Jul 22, 2018 at 3:00 PM, Wyllys Ingersoll wrote:

Done - https://issues.apache.org/jira/browse/SYNCOPE-1342

thanks for confirming this, I thought I was just doing something stupid or the documentation was missing a step or 2.

On Sun, Jul 22, 2018 at 1:25 PM, Francesco Chicchiriccò wrote:

Hi,
I have replicated your Docker-based setup, with two domains and 2.1.1-SNAPSHOT, found the same issue.

...that could be easily replicated by attempting to log in on the public demo:

http://syncope-vm.apache.org:9080/syncope-console

on the Two domain, with credentials admin / password2 - working via REST.

Please raise an issue on JIRA: it seems that the Admin Console's login form does not take into account the value selected in the 'Domain' combo.
I have verified that the problem only affects 2.1.0, as 2.0.9 works as expected - this means that there was something missing in the migration to Wicket 8.

Regards.

On 22/07/2018 17:35, Wyllys Ingersoll wrote:

I created a role in the 2nd domain and granted it all of the entitlements using the REST api, then assigned that role to a user ("admin2") in the 2nd domain. Now when I attempt to login to the 2nd domain on the console UI, I get the following errors in the core.log file:

It's basically complaining about the connector not having privileges to authenticate anyone. Not sure how to fix this since I can't manage the domain with the UI yet (chicken and egg problem?).

11:21:39.265 INFO org.apache.syncope.core.provisioning.java.ConnectorFacadeProxy - Authenticate was attempted, although the connector only has these capabilities: [SEARCH, DELETE, SYNC, UPDATE]. No action.

I can get a token for this user with the REST api and validate the token and see that it does indeed have all of the required entitlements, the problem seems to be with the console UI and how it authenticates/authorizes users since going directly to the core for authentication via REST works as expected.

Full stack trace:

java.util.concurrent.ExecutionException: org.identityconnectors.framework.common.exceptions.InvalidCredentialException: Authentication failed for "admin2"
    at java.util.concurrent.FutureTask.report(FutureTask.java:122) ~[?:1.8.0_171]
    at java.util.concurrent.FutureTask.get(FutureTask.java:206) ~[?:1.8.0_171]
    at org.apache.syncope.core.provisioning.java.ConnectorFacadeProxy.authenticate(ConnectorFacadeProxy.java:141) ~[syncope-core-provisioning-java-2.1.0.jar:2.1.0]
    at org.apache.syncope.core.spring.security.AuthDataAccessor.authenticate(AuthDataAccessor.java:255) ~[syncope-core-spring-2.1.0.jar:2.1.0]
    at org.apache.syncope.core.spring.security.AuthDataAccessor.authenticate(AuthDataAccessor.java:218) ~[syncope-core-spring-2.1.0.jar:2.1.0]
    at org.apache.syncope.core.spring.security.AuthDataAccessor$$FastClassBySpringCGLIB$$b4b63ada.invoke() ~[syncope-core-spring-2.1.0.jar:2.1.0]
    at org.springframework.cglib.proxy.MethodProxy.invoke(MethodProxy.java:204) ~[spring-core-5.0.7.RELEASE.jar:5.0.7.RELEASE]
    at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.invokeJoinpoint(CglibAopProxy.java:746) ~[spring-aop-5.0.7.RELEASE.jar:5.0.7.RELEASE]
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:163) ~[spring-aop-5.0.7.RELEASE.jar:5.0.7.RELEASE]
    at org.springframework.transaction.interceptor.TransactionAspectSupport.invokeWithinTransaction(TransactionAspectSupport.java:294) ~[spring-tx-5.0.7.RELEASE.jar:5.0.7.RELEASE]
    at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:98) ~[spring-tx-5.0.7.RELEASE.jar:5.0.7.RELEASE]
    at org.apache.syncope.core.persistence.jpa.spring.DomainTransactionInterceptor.invoke(DomainTransactionInterceptor.java:60) ~[syncope-core-persistence-jpa-2.1.0.jar:2.1.0]
    at
Re: multi-tenant domain configuration
Using the 2.1.1-SNAPSHOT build, I am now able to login to the 2nd domain as the default "admin" account, but I cannot login using any other accounts even if those accounts are assigned a role with all of the privileges.

You can see the same error on the demo vm using login "testadm/password2" in domain "Two".

On Sun, Jul 22, 2018 at 3:00 PM, Wyllys Ingersoll wrote:
> Done - https://issues.apache.org/jira/browse/SYNCOPE-1342
>
> thanks for confirming this, I thought I was just doing something
> stupid or the documentation was missing a step or 2.
>
> On Sun, Jul 22, 2018 at 1:25 PM, Francesco Chicchiriccò
> wrote:
>> Hi,
>> I have replicated your Docker-based setup, with two domains and
>> 2.1.1-SNAPSHOT, found the same issue.
>>
>> ...that could be easily replicated by attempting to log in on the public
>> demo:
>>
>> http://syncope-vm.apache.org:9080/syncope-console
>>
>> on the Two domain, with credentials admin / password2 - working via REST.
>>
>> Please raise an issue on JIRA: it seems that the Admin Console's login form
>> does not take into account the value selected in the 'Domain' combo.
>> I have verified that the problem only affects 2.1.0, as 2.0.9 works as
>> expected - this means that there was something missing in the migration to
>> Wicket 8.
>>
>> Regards.
>>
>> On 22/07/2018 17:35, Wyllys Ingersoll wrote:
>>>
>>> I created a role in the 2nd domain and granted it all of the
>>> entitlements using the REST api, then assigned that role to a user
>>> ("admin2") in the 2nd domain. Now when I attempt to login to the 2nd
>>> domain on the console UI, I get the following errors in the core.log
>>> file:
>>>
>>> It's basically complaining about the connector not having privileges to
>>> authenticate anyone. Not sure how to fix this since I can't manage the
>>> domain with the UI yet (chicken and egg problem?).
>>>
>>> 11:21:39.265 INFO org.apache.syncope.core.provisioning.java.ConnectorFacadeProxy - Authenticate was attempted, although the connector only has these capabilities: [SEARCH, DELETE, SYNC, UPDATE]. No action.
>>>
>>> I can get a token for this user with the REST api and validate the
>>> token and see that it does indeed have all of the required
>>> entitlements, the problem seems to be with the console UI and how it
>>> authenticates/authorizes users since going directly to the core for
>>> authentication via REST works as expected.
>>>
>>> Full stack trace:
>>>
>>> java.util.concurrent.ExecutionException: org.identityconnectors.framework.common.exceptions.InvalidCredentialException: Authentication failed for "admin2"
>>>     at java.util.concurrent.FutureTask.report(FutureTask.java:122) ~[?:1.8.0_171]
>>>     at java.util.concurrent.FutureTask.get(FutureTask.java:206) ~[?:1.8.0_171]
>>>     at org.apache.syncope.core.provisioning.java.ConnectorFacadeProxy.authenticate(ConnectorFacadeProxy.java:141) ~[syncope-core-provisioning-java-2.1.0.jar:2.1.0]
>>>     at org.apache.syncope.core.spring.security.AuthDataAccessor.authenticate(AuthDataAccessor.java:255) ~[syncope-core-spring-2.1.0.jar:2.1.0]
>>>     at org.apache.syncope.core.spring.security.AuthDataAccessor.authenticate(AuthDataAccessor.java:218) ~[syncope-core-spring-2.1.0.jar:2.1.0]
>>>     at org.apache.syncope.core.spring.security.AuthDataAccessor$$FastClassBySpringCGLIB$$b4b63ada.invoke() ~[syncope-core-spring-2.1.0.jar:2.1.0]
>>>     at org.springframework.cglib.proxy.MethodProxy.invoke(MethodProxy.java:204) ~[spring-core-5.0.7.RELEASE.jar:5.0.7.RELEASE]
>>>     at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.invokeJoinpoint(CglibAopProxy.java:746) ~[spring-aop-5.0.7.RELEASE.jar:5.0.7.RELEASE]
>>>     at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:163) ~[spring-aop-5.0.7.RELEASE.jar:5.0.7.RELEASE]
>>>     at org.springframework.transaction.interceptor.TransactionAspectSupport.invokeWithinTransaction(TransactionAspectSupport.java:294) ~[spring-tx-5.0.7.RELEASE.jar:5.0.7.RELEASE]
>>>     at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:98) ~[spring-tx-5.0.7.RELEASE.jar:5.0.7.RELEASE]
>>>     at org.apache.syncope.core.persistence.jpa.spring.DomainTransactionInterceptor.invoke(DomainTransactionInterceptor.java:60) ~[syncope-core-persistence-jpa-2.1.0.jar:2.1.0]
>>>     at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:185) ~[spring-aop-5.0.7.RELEASE.jar:5.0.7.RELEASE]
>>>     at org.springframework.aop.framework.CglibAopProxy$DynamicAdvisedInterceptor.intercept(CglibAopProxy.java:688) ~[spring-aop-5.0.7.RELEASE.jar:5.0.7.RELEASE]
>>>     at org.apache.syncope.core.spring.security.AuthDataAccessor$$EnhancerBySpringCGLIB$$fea6d20d.authenticate() ~[syncope-core-spring-2.1.0.jar:2.1.0]
>>>     at
Re: multi-tenant domain configuration
Done - https://issues.apache.org/jira/browse/SYNCOPE-1342

thanks for confirming this, I thought I was just doing something stupid or the documentation was missing a step or 2.

On Sun, Jul 22, 2018 at 1:25 PM, Francesco Chicchiriccò wrote:
> Hi,
> I have replicated your Docker-based setup, with two domains and
> 2.1.1-SNAPSHOT, found the same issue.
>
> ...that could be easily replicated by attempting to log in on the public
> demo:
>
> http://syncope-vm.apache.org:9080/syncope-console
>
> on the Two domain, with credentials admin / password2 - working via REST.
>
> Please raise an issue on JIRA: it seems that the Admin Console's login form
> does not take into account the value selected in the 'Domain' combo.
> I have verified that the problem only affects 2.1.0, as 2.0.9 works as
> expected - this means that there was something missing in the migration to
> Wicket 8.
>
> Regards.
>
> On 22/07/2018 17:35, Wyllys Ingersoll wrote:
>>
>> I created a role in the 2nd domain and granted it all of the
>> entitlements using the REST api, then assigned that role to a user
>> ("admin2") in the 2nd domain. Now when I attempt to login to the 2nd
>> domain on the console UI, I get the following errors in the core.log
>> file:
>>
>> It's basically complaining about the connector not having privileges to
>> authenticate anyone. Not sure how to fix this since I can't manage the
>> domain with the UI yet (chicken and egg problem?).
>>
>> 11:21:39.265 INFO org.apache.syncope.core.provisioning.java.ConnectorFacadeProxy - Authenticate was attempted, although the connector only has these capabilities: [SEARCH, DELETE, SYNC, UPDATE]. No action.
>>
>> I can get a token for this user with the REST api and validate the
>> token and see that it does indeed have all of the required
>> entitlements, the problem seems to be with the console UI and how it
>> authenticates/authorizes users since going directly to the core for
>> authentication via REST works as expected.
>>
>> Full stack trace:
>>
>> java.util.concurrent.ExecutionException: org.identityconnectors.framework.common.exceptions.InvalidCredentialException: Authentication failed for "admin2"
>>     at java.util.concurrent.FutureTask.report(FutureTask.java:122) ~[?:1.8.0_171]
>>     at java.util.concurrent.FutureTask.get(FutureTask.java:206) ~[?:1.8.0_171]
>>     at org.apache.syncope.core.provisioning.java.ConnectorFacadeProxy.authenticate(ConnectorFacadeProxy.java:141) ~[syncope-core-provisioning-java-2.1.0.jar:2.1.0]
>>     at org.apache.syncope.core.spring.security.AuthDataAccessor.authenticate(AuthDataAccessor.java:255) ~[syncope-core-spring-2.1.0.jar:2.1.0]
>>     at org.apache.syncope.core.spring.security.AuthDataAccessor.authenticate(AuthDataAccessor.java:218) ~[syncope-core-spring-2.1.0.jar:2.1.0]
>>     at org.apache.syncope.core.spring.security.AuthDataAccessor$$FastClassBySpringCGLIB$$b4b63ada.invoke() ~[syncope-core-spring-2.1.0.jar:2.1.0]
>>     at org.springframework.cglib.proxy.MethodProxy.invoke(MethodProxy.java:204) ~[spring-core-5.0.7.RELEASE.jar:5.0.7.RELEASE]
>>     at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.invokeJoinpoint(CglibAopProxy.java:746) ~[spring-aop-5.0.7.RELEASE.jar:5.0.7.RELEASE]
>>     at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:163) ~[spring-aop-5.0.7.RELEASE.jar:5.0.7.RELEASE]
>>     at org.springframework.transaction.interceptor.TransactionAspectSupport.invokeWithinTransaction(TransactionAspectSupport.java:294) ~[spring-tx-5.0.7.RELEASE.jar:5.0.7.RELEASE]
>>     at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:98) ~[spring-tx-5.0.7.RELEASE.jar:5.0.7.RELEASE]
>>     at org.apache.syncope.core.persistence.jpa.spring.DomainTransactionInterceptor.invoke(DomainTransactionInterceptor.java:60) ~[syncope-core-persistence-jpa-2.1.0.jar:2.1.0]
>>     at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:185) ~[spring-aop-5.0.7.RELEASE.jar:5.0.7.RELEASE]
>>     at org.springframework.aop.framework.CglibAopProxy$DynamicAdvisedInterceptor.intercept(CglibAopProxy.java:688) ~[spring-aop-5.0.7.RELEASE.jar:5.0.7.RELEASE]
>>     at org.apache.syncope.core.spring.security.AuthDataAccessor$$EnhancerBySpringCGLIB$$fea6d20d.authenticate() ~[syncope-core-spring-2.1.0.jar:2.1.0]
>>     at org.apache.syncope.core.spring.security.UsernamePasswordAuthenticationProvider.lambda$authenticate$1(UsernamePasswordAuthenticationProvider.java:123) ~[syncope-core-spring-2.1.0.jar:2.1.0]
>>     at org.apache.syncope.core.spring.security.AuthContextUtils.execWithAuthContext(AuthContextUtils.java:126) ~[syncope-core-spring-2.1.0.jar:2.1.0]
>>     at org.apache.syncope.core.spring.security.UsernamePasswordAuthenticationProvider.authenticate(UsernamePasswordAuthenticationProvider.java:123) ~[syncope-core-spring-2.1.0.jar:2.1.0]
Re: multi-tenant domain configuration
Hi,
I have replicated your Docker-based setup, with two domains and 2.1.1-SNAPSHOT, found the same issue.

...that could be easily replicated by attempting to log in on the public demo:

http://syncope-vm.apache.org:9080/syncope-console

on the Two domain, with credentials admin / password2 - working via REST.

Please raise an issue on JIRA: it seems that the Admin Console's login form does not take into account the value selected in the 'Domain' combo.
I have verified that the problem only affects 2.1.0, as 2.0.9 works as expected - this means that there was something missing in the migration to Wicket 8.

Regards.

On 22/07/2018 17:35, Wyllys Ingersoll wrote:
> I created a role in the 2nd domain and granted it all of the entitlements using the REST api, then assigned that role to a user ("admin2") in the 2nd domain. Now when I attempt to login to the 2nd domain on the console UI, I get the following errors in the core.log file:
>
> It's basically complaining about the connector not having privileges to authenticate anyone. Not sure how to fix this since I can't manage the domain with the UI yet (chicken and egg problem?).
> 11:21:39.265 INFO org.apache.syncope.core.provisioning.java.ConnectorFacadeProxy - Authenticate was attempted, although the connector only has these capabilities: [SEARCH, DELETE, SYNC, UPDATE]. No action.
>
> I can get a token for this user with the REST api and validate the token and see that it does indeed have all of the required entitlements, the problem seems to be with the console UI and how it authenticates/authorizes users since going directly to the core for authentication via REST works as expected.
Re: multi-tenant domain configuration
I created a role in the 2nd domain and granted it all of the entitlements using the REST api, then assigned that role to a user ("admin2") in the 2nd domain. Now when I attempt to login to the 2nd domain on the console UI, I get the following errors in the core.log file:

It's basically complaining about the connector not having privileges to authenticate anyone. Not sure how to fix this since I can't manage the domain with the UI yet (chicken and egg problem?).

11:21:39.265 INFO org.apache.syncope.core.provisioning.java.ConnectorFacadeProxy - Authenticate was attempted, although the connector only has these capabilities: [SEARCH, DELETE, SYNC, UPDATE]. No action.

I can get a token for this user with the REST api and validate the token and see that it does indeed have all of the required entitlements, the problem seems to be with the console UI and how it authenticates/authorizes users since going directly to the core for authentication via REST works as expected.

Full stack trace:

java.util.concurrent.ExecutionException: org.identityconnectors.framework.common.exceptions.InvalidCredentialException: Authentication failed for "admin2"
    at java.util.concurrent.FutureTask.report(FutureTask.java:122) ~[?:1.8.0_171]
    at java.util.concurrent.FutureTask.get(FutureTask.java:206) ~[?:1.8.0_171]
    at org.apache.syncope.core.provisioning.java.ConnectorFacadeProxy.authenticate(ConnectorFacadeProxy.java:141) ~[syncope-core-provisioning-java-2.1.0.jar:2.1.0]
    at org.apache.syncope.core.spring.security.AuthDataAccessor.authenticate(AuthDataAccessor.java:255) ~[syncope-core-spring-2.1.0.jar:2.1.0]
    at org.apache.syncope.core.spring.security.AuthDataAccessor.authenticate(AuthDataAccessor.java:218) ~[syncope-core-spring-2.1.0.jar:2.1.0]
    at org.apache.syncope.core.spring.security.AuthDataAccessor$$FastClassBySpringCGLIB$$b4b63ada.invoke(<generated>) ~[syncope-core-spring-2.1.0.jar:2.1.0]
    at org.springframework.cglib.proxy.MethodProxy.invoke(MethodProxy.java:204) ~[spring-core-5.0.7.RELEASE.jar:5.0.7.RELEASE]
    at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.invokeJoinpoint(CglibAopProxy.java:746) ~[spring-aop-5.0.7.RELEASE.jar:5.0.7.RELEASE]
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:163) ~[spring-aop-5.0.7.RELEASE.jar:5.0.7.RELEASE]
    at org.springframework.transaction.interceptor.TransactionAspectSupport.invokeWithinTransaction(TransactionAspectSupport.java:294) ~[spring-tx-5.0.7.RELEASE.jar:5.0.7.RELEASE]
    at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:98) ~[spring-tx-5.0.7.RELEASE.jar:5.0.7.RELEASE]
    at org.apache.syncope.core.persistence.jpa.spring.DomainTransactionInterceptor.invoke(DomainTransactionInterceptor.java:60) ~[syncope-core-persistence-jpa-2.1.0.jar:2.1.0]
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:185) ~[spring-aop-5.0.7.RELEASE.jar:5.0.7.RELEASE]
    at org.springframework.aop.framework.CglibAopProxy$DynamicAdvisedInterceptor.intercept(CglibAopProxy.java:688) ~[spring-aop-5.0.7.RELEASE.jar:5.0.7.RELEASE]
    at org.apache.syncope.core.spring.security.AuthDataAccessor$$EnhancerBySpringCGLIB$$fea6d20d.authenticate(<generated>) ~[syncope-core-spring-2.1.0.jar:2.1.0]
    at org.apache.syncope.core.spring.security.UsernamePasswordAuthenticationProvider.lambda$authenticate$1(UsernamePasswordAuthenticationProvider.java:123) ~[syncope-core-spring-2.1.0.jar:2.1.0]
    at org.apache.syncope.core.spring.security.AuthContextUtils.execWithAuthContext(AuthContextUtils.java:126) ~[syncope-core-spring-2.1.0.jar:2.1.0]
    at org.apache.syncope.core.spring.security.UsernamePasswordAuthenticationProvider.authenticate(UsernamePasswordAuthenticationProvider.java:123) ~[syncope-core-spring-2.1.0.jar:2.1.0]
    at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:174) ~[spring-security-core-5.0.6.RELEASE.jar:5.0.6.RELEASE]
    at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:199) ~[spring-security-core-5.0.6.RELEASE.jar:5.0.6.RELEASE]
    at org.springframework.security.web.authentication.www.BasicAuthenticationFilter.doFilterInternal(BasicAuthenticationFilter.java:180) ~[spring-security-web-5.0.6.RELEASE.jar:5.0.6.RELEASE]
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) ~[spring-web-5.0.7.RELEASE.jar:5.0.7.RELEASE]
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) ~[spring-security-web-5.0.6.RELEASE.jar:5.0.6.RELEASE]
    at org.apache.syncope.core.spring.security.JWTAuthenticationFilter.doFilterInternal(JWTAuthenticationFilter.java:90) ~[syncope-core-spring-2.1.0.jar:2.1.0]
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) ~[spring-web-5.0.7.RELEASE.jar:5.0.7.RELEASE]
    at
Re: multi-tenant domain configuration
The reason it was reverting back to the Master domain was due to the browser automatically re-populating the fields, I've fixed that issue but still cannot login to the 2nd domain. I have verified that the password is correct and I can get a token using the /rest/accessTokens API with the 2nd domain admin/password.

I still cannot login to the 2nd domain as an administrator with the "admin" account (using the password for the 2nd domain admin). syncope-console only appears to authenticate users defined in the Master domain, not the new one.

The core log shows the following error when trying to use the "admin" login to the 2nd domain (with the correct password for 2nd domain):

10:48:37.808 WARN org.apache.syncope.core.spring.security.DefaultCredentialChecker - The default adminPassword property is being used. This must be changed to avoid a security breach!

NOTE: I am testing all of this on a private network, so I'm not concerned about the default password/security stuff at this point, I'm just trying to get it to all work as expected.

I created a 2nd account in the new domain with a new name and password using the swagger API and when I try to use that to login to the admin console, it also fails but the core log never shows any error when using accounts other than "admin".

So far:
1. I know that the admin and password for the 2nd domain are valid because I can get a token and verify that it has the required entitlements using the REST api(s).
2. I cannot use the "admin" account to login to the 2nd domain on the console UI
3. I can create new accounts in the 2nd domain using REST api and the 2nd domain "admin" account, but cannot login to the console UI with those either.
   - perhaps I need to create a new Role in the 2nd domain and give it all of the entitlements required to be an administrator, then assign that role to the new account?

The stack trace in the console log - any login ("admin" or other accounts from 2nd domain) from the new domain generates this:

14:48:37.815 ERROR org.apache.syncope.client.console.SyncopeConsoleSession - Authentication failed
java.security.AccessControlException: Remote unauthorized exception
    at org.apache.syncope.client.lib.RestClientExceptionMapper.fromResponse(RestClientExceptionMapper.java:61) ~[syncope-client-lib-2.1.0.jar:2.1.0]
    at org.apache.syncope.client.lib.RestClientExceptionMapper.fromResponse(RestClientExceptionMapper.java:42) ~[syncope-client-lib-2.1.0.jar:2.1.0]
    at org.apache.cxf.jaxrs.client.ClientProxyImpl.checkResponse(ClientProxyImpl.java:313) ~[cxf-rt-rs-client-3.2.5.jar:3.2.5]
    at org.apache.cxf.jaxrs.client.ClientProxyImpl.handleResponse(ClientProxyImpl.java:875) ~[cxf-rt-rs-client-3.2.5.jar:3.2.5]
    at org.apache.cxf.jaxrs.client.ClientProxyImpl.doChainedInvocation(ClientProxyImpl.java:788) ~[cxf-rt-rs-client-3.2.5.jar:3.2.5]
    at org.apache.cxf.jaxrs.client.ClientProxyImpl.invoke(ClientProxyImpl.java:235) ~[cxf-rt-rs-client-3.2.5.jar:3.2.5]
    at com.sun.proxy.$Proxy75.login(Unknown Source) ~[?:?]
    at org.apache.syncope.client.lib.SyncopeClient.init(SyncopeClient.java:111) ~[syncope-client-lib-2.1.0.jar:2.1.0]
    at org.apache.syncope.client.lib.SyncopeClient.<init>(SyncopeClient.java:83) ~[syncope-client-lib-2.1.0.jar:2.1.0]
    at org.apache.syncope.client.lib.SyncopeClientFactoryBean.create(SyncopeClientFactoryBean.java:287) ~[syncope-client-lib-2.1.0.jar:2.1.0]
    at org.apache.syncope.client.lib.SyncopeClientFactoryBean.create(SyncopeClientFactoryBean.java:260) ~[syncope-client-lib-2.1.0.jar:2.1.0]
    at org.apache.syncope.client.console.SyncopeConsoleSession.authenticate(SyncopeConsoleSession.java:148) ~[syncope-client-console-2.1.0.jar:2.1.0]
    at org.apache.wicket.authroles.authentication.AuthenticatedWebSession.signIn(AuthenticatedWebSession.java:66) ~[wicket-auth-roles-8.0.0.jar:8.0.0]
    at org.apache.syncope.client.console.pages.Login$1.onSubmit(Login.java:118) ~[syncope-client-console-2.1.0.jar:2.1.0]
    at org.apache.wicket.ajax.markup.html.form.AjaxButton$1.onSubmit(AjaxButton.java:113) ~[wicket-core-8.0.0.jar:8.0.0]
    at org.apache.wicket.ajax.form.AjaxFormSubmitBehavior$AjaxFormSubmitter.onSubmit(AjaxFormSubmitBehavior.java:223) ~[wicket-core-8.0.0.jar:8.0.0]
    at org.apache.wicket.markup.html.form.Form.onFormSubmitted(Form.java:778) ~[wicket-core-8.0.0.jar:8.0.0]
    at org.apache.wicket.ajax.form.AjaxFormSubmitBehavior.onEvent(AjaxFormSubmitBehavior.java:176) ~[wicket-core-8.0.0.jar:8.0.0]
    at org.apache.wicket.ajax.AjaxEventBehavior.respond(AjaxEventBehavior.java:127) ~[wicket-core-8.0.0.jar:8.0.0]
    at org.apache.wicket.ajax.AbstractDefaultAjaxBehavior.onRequest(AbstractDefaultAjaxBehavior.java:598) ~[wicket-core-8.0.0.jar:8.0.0]
    at org.apache.wicket.core.request.handler.ListenerRequestHandler.internalInvoke(ListenerRequestHandler.java:306) ~[wicket-core-8.0.0.jar:8.0.0]
    at org.apache.wicket.core.request.handler.ListenerRequestHandler.invoke(ListenerRequestHandler.java:280) ~[wicket-core-8.0.0.jar:8.0.0]
    at
Re: multi-tenant domain configuration
On 21/07/2018 13:44, Wyllys Ingersoll wrote:
> I followed the guide and have setup using the docker containers from docker-hub apache/syncope, not maven. I setup a 2nd database and redeployed the core and the console apps. Now I can see the new domain when I query the /rest/domains endpoint. At this point I can even login to the new domain and get a token, so I have gotten further than when I wrote the original question to the list here.
>
> The issue now is that the admin UI (syncope-console) displays both domains in the drop-down widget on the login page, but even if I select the new domain and use the right credentials, it still logs into the Master domain, not the new one.

This sounds quite odd: could you please clear out Core and Console logs, then attempt to log in to the new domain from the Admin Console? Hopefully you'll get some stacktrace which should explain such a behavior.

Regards.

> On Sat, Jul 21, 2018 at 6:38 AM, Francesco Chicchiriccò wrote:
>> On 20/07/2018 19:15, Wyllys Ingersoll wrote:
>>> I'm trying to get multiple domains configured in Syncope 2.1.0, I've read the docs and have created a 2nd set of files under the "domains" directory and the system seems to recognize them and connects to their DB.
>>>
>>> I was able to add the domain adminPassword using the "POST /domains" API using an account that had the correct DOMAIN_* entitlements, but the new domain still doesn't show up as an option in the main syncope-console login UI.
>>>
>>> I can login using the REST api via curl using the new admin:password combination along with the new realm in the X-Syncope-Domain header and get a token, so at least that much seems to be working.
>>>
>>> How do I make the 2nd domain appear as a choice for the web console login screen? It still only shows "Master" as the option.
>>
>> Hi Wyllys,
>> thanks for your interest in Apache Syncope.
>>
>> I guess you've been following [1], correct?
>> As you can read from there, at the moment adding a new domain involves two steps:
>>
>> 1. add some configuration files and redeploy the Core - this also requires to specify a DBMS to use as internal storage for new domain's data
>> 2. create new admin credentials
>>
>> I understand you succeeded with the latter, but I think there might be a problem with the former step.
>>
>> Adding the configuration files highly depends on how you obtained Syncope: as from Maven archetype, then it's obviously under core/src/main/resources/domains - and then rebuild and redeploy; for other distributions it might be a bit tricky.
>>
>> If you want to check, just see if
>>
>> curl -u admin:password -H "Accept: application/json" "http://localhost:9080/syncope/rest/domains"
>>
>> returns an empty array or not; you might also use Swagger UI for such a purpose.
>>
>> Additionally, you can inspect if the Syncope tables were created in the DBMS specified as above.
>>
>> If both checks fail - as I suspect - this means that Syncope is not picking your new configuration files: depending on your distribution, I can suggest how to do that.
>>
>> Regards.
>>
>> [1] http://syncope.apache.org/docs/reference-guide.html#domains-management

--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/
Re: multi-tenant domain configuration
I followed the guide and have setup using the docker containers from docker-hub apache/syncope, not maven. I setup a 2nd database and redeployed the core and the console apps. Now I can see the new domain when I query the /rest/domains endpoint. At this point I can even login to the new domain and get a token, so I have gotten further than when I wrote the original question to the list here.

The issue now is that the admin UI (syncope-console) displays both domains in the drop-down widget on the login page, but even if I select the new domain and use the right credentials, it still logs into the Master domain, not the new one.

-Wyllys

On Sat, Jul 21, 2018 at 6:38 AM, Francesco Chicchiriccò wrote:
> On 20/07/2018 19:15, Wyllys Ingersoll wrote:
>>
>> I'm trying to get multiple domains configured in Syncope 2.1.0, I've
>> read the docs and have created a 2nd set of files under the "domains"
>> directory and the system seems to recognize them and connects to their
>> DB.
>>
>> I was able to add the domain adminPassword using the "POST /domains"
>> API using an account that had the correct DOMAIN_* entitlements, but
>> the new domain still doesn't show up as an option in the main
>> syncope-console login UI.
>>
>> I can login using the REST api via curl using the new admin:password
>> combination along with the new realm in the X-Syncope-Domain header
>> and get a token, so at least that much seems to be working.
>>
>> How do I make the 2nd domain appear as a choice for the web console
>> login screen? It still only shows "Master" as the option.
>
>
> Hi Wyllys,
> thanks for your interest in Apache Syncope.
>
> I guess you've been following [1], correct?
> As you can read from there, at the moment adding a new domain involves two
> steps:
>
> 1. add some configuration files and redeploy the Core - this also requires
> to specify a DBMS to use as internal storage for new domain's data
> 2. create new admin credentials
>
> I understand you succeeded with the latter, but I think there might be a
> problem with the former step.
>
> Adding the configuration files highly depends on how you obtained Syncope:
> as from Maven archetype, then it's obviously under
> core/src/main/resources/domains - and then rebuild and redeploy; for other
> distributions it might be a bit tricky.
>
> If you want to check, just see if
>
> curl -u admin:password -H "Accept: application/json" "http://localhost:9080/syncope/rest/domains"
>
> returns an empty array or not; you might also use Swagger UI for such a
> purpose.
>
> Additionally, you can inspect if the Syncope tables were created in the DBMS
> specified as above.
>
> If both checks fail - as I suspect - this means that Syncope is not picking
> your new configuration files: depending on your distribution, I can suggest
> how to do that.
>
> Regards.
>
> [1] http://syncope.apache.org/docs/reference-guide.html#domains-management
>
> --
> Francesco Chicchiriccò
>
> Tirasa - Open Source Excellence
> http://www.tirasa.net/
>
> Member at The Apache Software Foundation
> Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
> http://home.apache.org/~ilgrosso/
>
Re: multi-tenant domain configuration
On 20/07/2018 19:15, Wyllys Ingersoll wrote:
> I'm trying to get multiple domains configured in Syncope 2.1.0, I've read the docs and have created a 2nd set of files under the "domains" directory and the system seems to recognize them and connects to their DB.
>
> I was able to add the domain adminPassword using the "POST /domains" API using an account that had the correct DOMAIN_* entitlements, but the new domain still doesn't show up as an option in the main syncope-console login UI.
>
> I can login using the REST api via curl using the new admin:password combination along with the new realm in the X-Syncope-Domain header and get a token, so at least that much seems to be working.
>
> How do I make the 2nd domain appear as a choice for the web console login screen? It still only shows "Master" as the option.

Hi Wyllys,
thanks for your interest in Apache Syncope.

I guess you've been following [1], correct?
As you can read from there, at the moment adding a new domain involves two steps:

1. add some configuration files and redeploy the Core - this also requires to specify a DBMS to use as internal storage for new domain's data
2. create new admin credentials

I understand you succeeded with the latter, but I think there might be a problem with the former step.

Adding the configuration files highly depends on how you obtained Syncope: as from Maven archetype, then it's obviously under core/src/main/resources/domains - and then rebuild and redeploy; for other distributions it might be a bit tricky.

If you want to check, just see if

curl -u admin:password -H "Accept: application/json" "http://localhost:9080/syncope/rest/domains"

returns an empty array or not; you might also use Swagger UI for such a purpose.

Additionally, you can inspect if the Syncope tables were created in the DBMS specified as above.

If both checks fail - as I suspect - this means that Syncope is not picking your new configuration files: depending on your distribution, I can suggest how to do that.

Regards.

[1] http://syncope.apache.org/docs/reference-guide.html#domains-management

--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/
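
An added example (not part of the original thread and not Syncope code): the checks discussed above, scripted so that a console login failure can be separated from a Core-side domain problem. It queries /rest/domains, then logs in with the X-Syncope-Domain header against both the new domain and Master. Assumptions: the function names, the `/accessTokens/login` sub-path, the `key` field in the domain list, and the in-memory `stub_send` transport that stands in for the Core so the script runs offline.

```python
import base64
import json
import urllib.error
import urllib.request

# Constructed stand-in data so the example runs offline; the credentials are
# the public-demo values quoted in the thread.
STUB_ADMINS = {"Master": ("admin", "password"), "Two": ("admin", "password2")}


def basic(user, password):
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def http_send(method, url, headers):
    """Real transport against a running Core: returns (status, body)."""
    req = urllib.request.Request(url, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def stub_send(method, url, headers):
    """Offline transport: authenticates against the domain named in the header."""
    domain = headers.get("X-Syncope-Domain", "Master")
    creds = base64.b64decode(headers["Authorization"].split()[1]).decode()
    if STUB_ADMINS.get(domain) != tuple(creds.split(":", 1)):
        return 401, b""
    if method == "GET" and url.endswith("/domains"):
        # Assumed response shape: a JSON array with one object per extra domain.
        extra = [{"key": k} for k in STUB_ADMINS if k != "Master"]
        return 200, json.dumps(extra).encode()
    if method == "POST" and url.endswith("/accessTokens/login"):
        return 204, b""
    return 404, b""


def list_domains(base, user, password, send=http_send):
    """The curl check from the thread: domains the Core knows besides Master."""
    headers = {"Accept": "application/json", "Authorization": basic(user, password)}
    status, body = send("GET", base + "/domains", headers)
    if status != 200:
        raise RuntimeError(f"GET /domains returned HTTP {status}")
    return [d["key"] for d in json.loads(body)]


def login(base, domain, user, password, send=http_send):
    """True if the Core accepts these credentials for the given domain."""
    headers = {"X-Syncope-Domain": domain, "Authorization": basic(user, password)}
    status, _ = send("POST", base + "/accessTokens/login", headers)
    if status in (401, 403):
        return False
    if 200 <= status < 300:
        return True
    raise RuntimeError(f"login returned unexpected HTTP {status}")


def diagnose(base, domain, creds, master_creds, send=http_send):
    """Tell a Core-side domain problem apart from a console-side one."""
    configured = domain in list_domains(base, *master_creds, send=send)
    in_domain = configured and login(base, domain, *creds, send=send)
    in_master = login(base, "Master", *creds, send=send)
    if not configured:
        verdict = "Core has not picked up the domain configuration files"
    elif not in_domain:
        verdict = "domain is deployed but rejects these credentials"
    elif in_master:
        verdict = "credentials also valid in Master: cannot tell the domains apart"
    else:
        verdict = "Core authenticates per domain: a failing console login is client-side"
    return {"configured": configured, "in_domain": in_domain,
            "in_master": in_master, "verdict": verdict}


if __name__ == "__main__":
    print(diagnose("http://stub/syncope/rest", "Two",
                   ("admin", "password2"), ("admin", "password"), send=stub_send))
```

Against a real deployment, drop the `send=stub_send` argument and pass the Core's REST base URL; use a password for the new domain that differs from Master's, otherwise the Master cross-check cannot distinguish the two.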