Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Getting an error when configuring the created API #3310

Open
Ashi1993 opened this issue Oct 8, 2024 · 7 comments
Open

Getting an error when configuring the created API #3310

Ashi1993 opened this issue Oct 8, 2024 · 7 comments

Comments

@Ashi1993
Copy link

Ashi1993 commented Oct 8, 2024

Description

We observe an error in the console when trying to configure the created API before publishing. We tried configuring schema validation, policies, endpoints and got the same error in the console even thought the configurations saving is successful. We have added the WSO2 IS 7 as the custom key manager.

[2024-10-08 14:55:01,336] ERROR - APIProviderImpl Error while updating resource to scope attachment in Key Manager wso2IS
org.wso2.carbon.apimgt.api.APIManagementException: Failed to create role: Internal/subscriber

Steps to Reproduce

Setup IS 7 as a key manager.
Create an API.
Cinfigure endpoint.

Affected Component

APIM

Version

4.4.0-Alpha

Environment Details (with versions)

No response

Relevant Log Output

[2024-10-08 14:55:01,336] ERROR - APIProviderImpl Error while updating resource to scope attachment in Key Manager wso2IS
org.wso2.carbon.apimgt.api.APIManagementException: Failed to create role: Internal/subscriber
	at org.wso2.carbon.apimgt.impl.AbstractKeyManager.handleException_aroundBody12(AbstractKeyManager.java:274) ~[org.wso2.carbon.apimgt.impl_9.30.10.jar:?]
	at org.wso2.carbon.apimgt.impl.AbstractKeyManager.handleException(AbstractKeyManager.java:1) ~[org.wso2.carbon.apimgt.impl_9.30.10.jar:?]
	at org.wso2.is7.client.WSO2IS7KeyManager.createWSO2IS7Role(WSO2IS7KeyManager.java:1058) ~[wso2is7.key.manager_2.0.3.jar:?]
	at org.wso2.is7.client.WSO2IS7KeyManager.createWSO2IS7RoleToScopeBindings(WSO2IS7KeyManager.java:968) ~[wso2is7.key.manager_2.0.3.jar:?]
	at org.wso2.is7.client.WSO2IS7KeyManager.registerWSO2IS7Scopes(WSO2IS7KeyManager.java:874) ~[wso2is7.key.manager_2.0.3.jar:?]
	at org.wso2.is7.client.WSO2IS7KeyManager.updateResourceScopes(WSO2IS7KeyManager.java:1214) ~[wso2is7.key.manager_2.0.3.jar:?]
	at org.wso2.carbon.apimgt.impl.APIProviderImpl.updateAPIResources_aroundBody84(APIProviderImpl.java:1289) ~[org.wso2.carbon.apimgt.impl_9.30.10.jar:?]
	at org.wso2.carbon.apimgt.impl.APIProviderImpl.updateAPIResources(APIProviderImpl.java:1) ~[org.wso2.carbon.apimgt.impl_9.30.10.jar:?]
	at org.wso2.carbon.apimgt.impl.APIProviderImpl.updateAPI_aroundBody82(APIProviderImpl.java:1237) ~[org.wso2.carbon.apimgt.impl_9.30.10.jar:?]
	at org.wso2.carbon.apimgt.impl.APIProviderImpl.updateAPI(APIProviderImpl.java:1) ~[org.wso2.carbon.apimgt.impl_9.30.10.jar:?]
	at org.wso2.carbon.apimgt.impl.APIProviderImpl.updateAPI_aroundBody66(APIProviderImpl.java:1095) ~[org.wso2.carbon.apimgt.impl_9.30.10.jar:?]
	at org.wso2.carbon.apimgt.impl.APIProviderImpl.updateAPI(APIProviderImpl.java:1) ~[org.wso2.carbon.apimgt.impl_9.30.10.jar:?]
	at org.wso2.carbon.apimgt.impl.UserAwareAPIProvider.updateAPI(UserAwareAPIProvider.java:1) ~[org.wso2.carbon.apimgt.impl_9.30.10.jar:?]
	at org.wso2.carbon.apimgt.rest.api.publisher.v1.common.mappings.PublisherCommonUtils.updateApi(PublisherCommonUtils.java:198) ~[org.wso2.carbon.apimgt.rest.api.publisher.v1.common_9.30.10.jar:?]
	at org.wso2.carbon.apimgt.rest.api.publisher.v1.impl.ApisApiServiceImpl.updateAPI(ApisApiServiceImpl.java:747) ~[?:?]
	at org.wso2.carbon.apimgt.rest.api.publisher.v1.ApisApi.updateAPI(ApisApi.java:1716) ~[?:?]
	at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:?]
	at jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77) ~[?:?]
	at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:?]
	at java.lang.reflect.Method.invoke(Method.java:568) ~[?:?]
	at org.apache.cxf.service.invoker.AbstractInvoker.performInvocation(AbstractInvoker.java:179) ~[?:?]
	at org.apache.cxf.service.invoker.AbstractInvoker.invoke(AbstractInvoker.java:96) ~[?:?]
	at org.apache.cxf.jaxrs.JAXRSInvoker.invoke(JAXRSInvoker.java:201) ~[?:?]
	at org.apache.cxf.jaxrs.JAXRSInvoker.invoke(JAXRSInvoker.java:104) ~[?:?]
	at org.apache.cxf.interceptor.ServiceInvokerInterceptor$1.run(ServiceInvokerInterceptor.java:59) ~[?:?]
	at org.apache.cxf.interceptor.ServiceInvokerInterceptor.handleMessage(ServiceInvokerInterceptor.java:96) ~[?:?]
	at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:307) ~[?:?]
	at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121) ~[?:?]
	at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:265) ~[?:?]
	at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:234) ~[?:?]
	at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:208) ~[?:?]
	at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:160) ~[?:?]
	at org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:225) ~[?:?]
	at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:304) ~[?:?]
	at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPut(AbstractHTTPServlet.java:234) ~[?:?]
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:558) ~[tomcat-servlet-api_9.0.94.wso2v1.jar:?]
	at org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:279) ~[?:?]
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:199) ~[tomcat_9.0.94.wso2v1.jar:?]
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144) ~[tomcat_9.0.94.wso2v1.jar:?]
	at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:51) ~[tomcat_9.0.94.wso2v1.jar:?]
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:168) ~[tomcat_9.0.94.wso2v1.jar:?]
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144) ~[tomcat_9.0.94.wso2v1.jar:?]
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:168) ~[tomcat_9.0.94.wso2v1.jar:?]
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:90) ~[tomcat_9.0.94.wso2v1.jar:?]
	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:482) ~[tomcat_9.0.94.wso2v1.jar:?]
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:130) ~[tomcat_9.0.94.wso2v1.jar:?]
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:93) ~[tomcat_9.0.94.wso2v1.jar:?]
	at org.wso2.carbon.identity.context.rewrite.valve.TenantContextRewriteValve.invoke(TenantContextRewriteValve.java:119) ~[org.wso2.carbon.identity.context.rewrite.valve_1.8.41.jar:?]
	at org.wso2.carbon.identity.context.rewrite.valve.OrganizationContextRewriteValve.invoke(OrganizationContextRewriteValve.java:115) ~[org.wso2.carbon.identity.context.rewrite.valve_1.8.41.jar:?]
	at org.wso2.carbon.tomcat.ext.valves.SameSiteCookieValve.invoke(SameSiteCookieValve.java:38) ~[org.wso2.carbon.tomcat.ext_4.9.27.alpha.jar:?]
	at org.wso2.carbon.identity.authz.valve.AuthorizationValve.invoke(AuthorizationValve.java:167) ~[org.wso2.carbon.identity.authz.valve_1.8.41.jar:?]
	at org.wso2.carbon.identity.auth.valve.AuthenticationValve.invoke(AuthenticationValve.java:118) ~[org.wso2.carbon.identity.auth.valve_1.8.41.jar:?]
	at org.wso2.carbon.tomcat.ext.valves.CompositeValve.continueInvocation(CompositeValve.java:114) ~[org.wso2.carbon.tomcat.ext_4.9.27.alpha.jar:?]
	at org.wso2.carbon.tomcat.ext.valves.TomcatValveContainer.invokeValves(TomcatValveContainer.java:49) ~[org.wso2.carbon.tomcat.ext_4.9.27.alpha.jar:?]
	at org.wso2.carbon.tomcat.ext.valves.CompositeValve.invoke(CompositeValve.java:75) ~[org.wso2.carbon.tomcat.ext_4.9.27.alpha.jar:?]
	at org.wso2.carbon.tomcat.ext.valves.CarbonStuckThreadDetectionValve.invoke(CarbonStuckThreadDetectionValve.java:152) ~[org.wso2.carbon.tomcat.ext_4.9.27.alpha.jar:?]
	at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:660) ~[tomcat_9.0.94.wso2v1.jar:?]
	at org.wso2.carbon.tomcat.ext.valves.CarbonContextCreatorValve.invoke(CarbonContextCreatorValve.java:63) ~[org.wso2.carbon.tomcat.ext_4.9.27.alpha.jar:?]
	at org.wso2.carbon.tomcat.ext.valves.RequestCorrelationIdValve.invoke(RequestCorrelationIdValve.java:137) ~[org.wso2.carbon.tomcat.ext_4.9.27.alpha.jar:?]
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74) ~[tomcat_9.0.94.wso2v1.jar:?]
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:346) ~[tomcat_9.0.94.wso2v1.jar:?]
	at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:383) ~[tomcat_9.0.94.wso2v1.jar:?]
	at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:63) ~[tomcat_9.0.94.wso2v1.jar:?]
	at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:936) ~[tomcat_9.0.94.wso2v1.jar:?]
	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1791) ~[tomcat_9.0.94.wso2v1.jar:?]
	at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:52) ~[tomcat_9.0.94.wso2v1.jar:?]
	at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1190) ~[tomcat_9.0.94.wso2v1.jar:?]
	at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659) ~[tomcat_9.0.94.wso2v1.jar:?]
	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:63) ~[tomcat_9.0.94.wso2v1.jar:?]
	at java.lang.Thread.run(Thread.java:833) ~[?:?]
Caused by: org.wso2.carbon.apimgt.impl.kmclient.KeyManagerClientException: Received status code: 400 Reason:
	at org.wso2.carbon.apimgt.impl.kmclient.KMClientErrorDecoder.decode_aroundBody0(KMClientErrorDecoder.java:42) ~[org.wso2.carbon.apimgt.impl_9.30.10.jar:?]
	at org.wso2.carbon.apimgt.impl.kmclient.KMClientErrorDecoder.decode(KMClientErrorDecoder.java:1) ~[org.wso2.carbon.apimgt.impl_9.30.10.jar:?]
	at feign.InvocationContext.decodeError(InvocationContext.java:126) ~[io.github.openfeign.feign-core_13.2.1.jar:?]
	at feign.InvocationContext.proceed(InvocationContext.java:72) ~[io.github.openfeign.feign-core_13.2.1.jar:?]
	at feign.ResponseHandler.handleResponse(ResponseHandler.java:63) ~[io.github.openfeign.feign-core_13.2.1.jar:?]
	at feign.SynchronousMethodHandler.executeAndDecode(SynchronousMethodHandler.java:114) ~[io.github.openfeign.feign-core_13.2.1.jar:?]
	at feign.SynchronousMethodHandler.invoke(SynchronousMethodHandler.java:70) ~[io.github.openfeign.feign-core_13.2.1.jar:?]
	at feign.ReflectiveFeign$FeignInvocationHandler.invoke(ReflectiveFeign.java:99) ~[io.github.openfeign.feign-core_13.2.1.jar:?]
	at jdk.proxy39.$Proxy480.createRole(Unknown Source) ~[?:?]
	at org.wso2.is7.client.WSO2IS7KeyManager.createWSO2IS7Role(WSO2IS7KeyManager.java:1056) ~[wso2is7.key.manager_2.0.3.jar:?]
	... 67 more

Related Issues

No response

Suggested Labels

No response

@senthuran16
Copy link
Member

@Ashi1993 are you attaching any roles to any resource of an API created in APIM? Could you please share those details?

@Ashi1993
Copy link
Author

Hi @senthuran16,

We have added below to the swagger file we are publishing.

  x-scopes-bindings:
     accounts: Internal/subscriber

Regards,
Ashirwada

@senthuran16
Copy link
Member

senthuran16 commented Oct 12, 2024

Hi @Ashi1993 ,

It looks like IS7 doesn't support roles that have / in their name, therefore Internal/subscriber is not being accepted. Confirmed this via IS7 Role Creation REST API, and the UI as well. I will check with the IS team and provide an update on this.

@Ashi1993
Copy link
Author

Ashi1993 commented Oct 14, 2024

Hi @senthuran16,

We are kind of blocked due to this issue. Can you please prioritize this?

Regards,
Ashirwada

@senthuran16
Copy link
Member

senthuran16 commented Oct 15, 2024

Hi @Ashi1993 ,

Got to know from the IS team that, they are treating the old Internal/ roles as normal roles in IS7. I.e, Internal/subscriber role in APIM should be created as subscriber in IS7. The IS7 migration client also does the same [1]

Currently based on our IS7 KM connector implementation, we have tested PRIMARY/ roles, and those are saved as normal roles in IS7. I.e, PRIMARY/myrole - which is shown as myrole in APIM carbon console, will be created as myrole in IS7.

If we simply rename Internal/rolename as rolename, and create a role in IS7, how it would collide with PRIMARY/ roles (as of our current implementation) is a problem. I'm waiting for a call with @SujanSanjula96 to understand how PRIMARY/ roles are handled in migration cases; he is stuck in a customer issue a.t.m.

I will update you once we arrive at a solution, apologies for the delay.

[1] https://github.com/wso2-enterprise/identity-migration-resources/blob/master/components/org.wso2.is.migration/migration-service/src/main/java/org/wso2/carbon/is/migration/service/v700/migrator/ConsoleRoleMigrator.java#L131

@senthuran16
Copy link
Member

Hi all,

We had a call and decided to handle roles as follows:

  • PRIMARY roles in APIM (eg: manager):
    • Create the role system_primary_manager in IS7.
    • We won't create any user groups or assign roles to them.
      • Note: IS7 migration client would additionally do the following:
        • A primary user group called manager will be created in IS7.
        • system_primary_manager will be assigned to primary user group manager .
  • Internal roles in APIM (eg: Internal/publisher):
    • Create the role publisher in IS7.
  • APPLICATION roles are not supported.

I implemented this in the IS7KM connector, and tested the connector with Internal/ roles - it's working as expected.
However PRIMARY roles are giving an error, since IS7 doesn't allow creating roles that start with the name system_ externally. I'm checking this with the IS team, and we'll request a patch to handle this if required.

@nandika nandika transferred this issue from wso2/api-manager Oct 25, 2024
@RakhithaRR RakhithaRR transferred this issue from wso2/micro-integrator Oct 26, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

3 participants