DockerHub build(s) of Apiman master commit now available
by Marc Savy
Hi,
We will now be deploying successful master builds of our all-in-one
Wildfly10 image to DockerHub. To get it:
docker pull apiman/on-wildfly10:master
As this is based on the latest commit it should not be considered
stable and is for testing, developers, advanced users, etc.
At some point in the near future we hope to have high-quality Vert.x
gateway container builds (via internal and external contributors).
More on that soon!
We've also had a lot of demand for updated OpenShift images, so it's
something we're also working on.
Regards,
Marc
6 years, 5 months
Authorization question
by Stephen Henrie
My goal is to minimize the amount of Apiman configuration that I need to do by
sharing a single, common authentication Plan using the Keycloak plugin
across all APIs while using an API specific authorization policy for each
individual API.
As such, I am trying to configure a single, global plan within Apiman that
can be used for ensuring authentication policy using the Keycloak plugin
which forwards all of my realm roles. This single plan would be assigned to
all of my APIs in the Org, which would allow me to only have to configure
the Keycloak realm information in one place. Then for each individual API,
I was hoping to add a single Authorization policy plugin configured with
endpoints and paths specific for each API.
Something like
Api1 ---> Keycloak Plan Abc
     +----> Authorization Policy (123)
Api2 ---> Keycloak Plan Abc
     +----> Authorization Policy (456)
When I do this and call one of the API endpoints, I am getting the
following error:
curl -k -H "Authorization: Bearer $T" https://localhost:9443/apiman-gateway/chassi/chassi-tenant-bff/1.0/mytenants
{"type":"Other","failureCode":10010,"responseCode":0,"message":"No roles have been extracted during authentication. Make sure the authorization policy comes *after* a compatible authentication policy in your configuration.","headers":[]}
It would seem that the Keycloak plugin that is configured in the Plan
assigned to the API is not forwarding the realm roles to the Authentication
policy which is also assigned to the same API.
Is this by design? Do the authentication and authorization policies have to
be within the same entity (i.e. Plan, Api, etc.) and not passed out of a plan
to be used by downstream policies? If so, is there another way to
configure plans and policies that will allow me to accomplish my goal?
Thanks in advance!
Stephen
6 years, 5 months
Bind Vert.x Gateway to IP
by Jorge Riquelme
Hi,
I couldn't find how to bind Vert.x Gateway to a specific IP (using the
conf-es.json file, or some parameter like -b=x.x.x.x).
Any help would be appreciated :)
Best regards,
Jorge Riquelme
6 years, 5 months
Enhancing apiman-cli to make headless gateway configs easier to use.
by Marc Savy
We've had some people using the Apiman Gateway headless for a while
now, either with the new immutable registry that loads from JSON[1],
or simply using any existing registry via the gateway API instead of
using a manager.
The main issue people encounter is that policy configuration contains
two fields that are difficult to work out and clumsy to encode
properly[2]:
- `policyImpl` requires the plugin's URI, including the path to its
main class. You can work these out by looking at the plugin's source
code, but that's rather circuitous and it would be nicer to just
provide the plugin's GAV (like in the manager) and for it to be
resolved.
- `policyJsonConfig`[3] needs to be escaped properly (and must be valid
according to its schema).
Neither of these aspects is especially user-friendly. My proposal is
to extend apiman-cli's functionality to allow the Apiman Gateway to be
configured directly via a YAML/JSON file (i.e. declaratively).
We can therefore provide a more user-friendly interface that automates
the resolution of plugins; validates and escapes the policy config;
etc.
A final step would be to bundle the apiman-cli tool with our distros
to make it easier to access.
Any thoughts?
Regards,
Marc
[1] https://apiman.gitbooks.io/apiman-installation-guide/installation-guide/v...
[2] Of course, this interface was never truly designed to be used by
humans, so that's understandable
[3] Unfortunately named as it can be any arbitrary string, the policy
just needs to be able to decode it. For example, it could be XML.
6 years, 5 months
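Added example (not part of the original post, and not apiman-cli code): a small Python helper that does by hand the two things the post calls clumsy, building `policyImpl` from a plugin's GAV plus main class and encoding `policyJsonConfig` as a correctly escaped string. The `plugin:<group>:<artifact>:<version>:<type>/<class>` layout, the `org.example` plugin, the config keys and the required-key check are assumptions for illustration; it also assumes the policy's config is JSON, which footnote [3] notes is not always the case.

```python
import json

# Constructed sample config for a hypothetical plugin; keys are illustrative only.
SAMPLE_CONFIG = {
    "realm": "https://sso.example.test/auth/realms/demo",
    "forwardRoles": True,
    "note": 'contains "quotes" and a \\ backslash',
}

def plugin_uri(group_id, artifact_id, version, main_class, packaging="war"):
    """Build a policyImpl URI from GAV + main class (layout is an assumption)."""
    for part in (group_id, artifact_id, version, packaging, main_class):
        # Reject separators inside a component so the URI stays unambiguous.
        if not part or any(c in part for c in ":/ \t\n"):
            raise ValueError(f"invalid coordinate component: {part!r}")
    return f"plugin:{group_id}:{artifact_id}:{version}:{packaging}/{main_class}"

def policy_entry(policy_impl, config, required=()):
    """Return a policy object whose policyJsonConfig is an escaped JSON string."""
    if isinstance(config, str):
        config = json.loads(config)      # must at least parse as JSON
        if isinstance(config, str):      # a string inside a string
            raise ValueError("policyJsonConfig is double-encoded")
    if not isinstance(config, dict):
        raise ValueError("policy config must be a JSON object")
    missing = [k for k in required if k not in config]
    if missing:                          # stand-in for real schema validation
        raise ValueError(f"policy config is missing keys: {missing}")
    encoded = json.dumps(config, separators=(",", ":"), sort_keys=True)
    return {"policyImpl": policy_impl, "policyJsonConfig": encoded}

def render(entry):
    """Serialise the entry; the outer dumps escapes the inner JSON string."""
    return json.dumps(entry, indent=2)

if __name__ == "__main__":
    uri = plugin_uri("org.example", "example-policy", "1.0.0",
                     "org.example.ExamplePolicy")
    print(render(policy_entry(uri, SAMPLE_CONFIG, required=("realm",))))
```

Decoding the rendered document twice (once for the outer object, once for `policyJsonConfig`) should give back the original config; if it does not, the escaping is wrong.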
Apiman 1.2.9 support for elastic search version 5.*.*
by Ram.Tanna@ril.com
Hi Team,
Do we have support for elastic search 5+ versions? I am using apiman 1.2.9.
I have upgraded the elastic search version to 5.6.3 and started getting the following error.
ERROR [stderr] (ESRegistryCacheInvalidator) Exception in thread "ESRegistryCacheInvalidator" java.lang.RuntimeException: com.google.gson.JsonSyntaxException: com.google.gson.stream.MalformedJsonException: Use JsonReader.setLenient(true) to accept malformed JSON at line 1 column 5 path $
17:35:54,005 ERROR [stderr] (ESRegistryCacheInvalidator) at io.apiman.gateway.engine.es.AbstractClientFactory.initializeClient(AbstractClientFactory.java:68)
17:35:54,005 ERROR [stderr] (ESRegistryCacheInvalidator) at io.apiman.gateway.engine.es.DefaultESClientFactory.createJestClient(DefaultESClientFactory.java:121)
17:35:54,005 ERROR [stderr] (ESRegistryCacheInvalidator) at io.apiman.gateway.engine.es.DefaultESClientFactory.createClient(DefaultESClientFactory.java:68)
17:35:54,005 ERROR [stderr] (ESRegistryCacheInvalidator) at io.apiman.gateway.engine.es.AbstractESComponent.createClient(AbstractESComponent.java:61)
17:35:54,005 ERROR [stderr] (ESRegistryCacheInvalidator) at io.apiman.gateway.engine.es.AbstractESComponent.getClient(AbstractESComponent.java:51)
17:35:54,005 ERROR [stderr] (ESRegistryCacheInvalidator) at io.apiman.gateway.engine.es.PollCachingESRegistry.checkCacheVersion(PollCachingESRegistry.java:204)
17:35:54,005 ERROR [stderr] (ESRegistryCacheInvalidator) at io.apiman.gateway.engine.es.PollCachingESRegistry$6.run(PollCachingESRegistry.java:180)
17:35:54,005 ERROR [stderr] (ESRegistryCacheInvalidator) at java.lang.Thread.run(Thread.java:745)
17:35:54,006 ERROR [stderr] (ESRegistryCacheInvalidator) Caused by: com.google.gson.JsonSyntaxException: com.google.gson.stream.MalformedJsonException: Use JsonReader.setLenient(true) to accept malformed JSON at line 1 column 5 path $
17:35:54,006 ERROR [stderr] (ESRegistryCacheInvalidator) at com.google.gson.JsonParser.parse(JsonParser.java:65)
17:35:54,006 ERROR [stderr] (ESRegistryCacheInvalidator) at com.google.gson.JsonParser.parse(JsonParser.java:45)
17:35:54,006 ERROR [stderr] (ESRegistryCacheInvalidator) at io.searchbox.action.AbstractAction.parseResponseBody(AbstractAction.java:96)
17:35:54,006 ERROR [stderr] (ESRegistryCacheInvalidator) at io.searchbox.action.AbstractAction.createNewElasticSearchResult(AbstractAction.java:67)
17:35:54,006 ERROR [stderr] (ESRegistryCacheInvalidator) at io.searchbox.action.GenericResultAbstractAction.createNewElasticSearchResult(GenericResultAbstractAction.java:20)
17:35:54,007 ERROR [stderr] (ESRegistryCacheInvalidator) at io.searchbox.client.http.JestHttpClient.deserializeResponse(JestHttpClient.java:146)
17:35:54,007 ERROR [stderr] (ESRegistryCacheInvalidator) at io.searchbox.client.http.JestHttpClient.execute(JestHttpClient.java:65)
17:35:54,008 ERROR [stderr] (ESRegistryCacheInvalidator) at io.apiman.gateway.engine.es.AbstractClientFactory.createIndex(AbstractClientFactory.java:80)
17:35:54,008 ERROR [stderr] (ESRegistryCacheInvalidator) at io.apiman.gateway.engine.es.AbstractClientFactory.initializeClient(AbstractClientFactory.java:65)
17:35:54,008 ERROR [stderr] (ESRegistryCacheInvalidator) ... 7 more
17:35:54,009 ERROR [stderr] (ESRegistryCacheInvalidator) Caused by: com.google.gson.stream.MalformedJsonException: Use JsonReader.setLenient(true) to accept malformed JSON at line 1 column 5 path $
17:35:54,009 ERROR [stderr] (ESRegistryCacheInvalidator) at com.google.gson.stream.JsonReader.syntaxError(JsonReader.java:1573)
17:35:54,009 ERROR [stderr] (ESRegistryCacheInvalidator) at com.google.gson.stream.JsonReader.checkLenient(JsonReader.java:1423)
17:35:54,009 ERROR [stderr] (ESRegistryCacheInvalidator) at com.google.gson.stream.JsonReader.doPeek(JsonReader.java:546)
17:35:54,009 ERROR [stderr] (ESRegistryCacheInvalidator) at com.google.gson.stream.JsonReader.peek(JsonReader.java:429)
17:35:54,009 ERROR [stderr] (ESRegistryCacheInvalidator) at com.google.gson.JsonParser.parse(JsonParser.java:60)
17:35:54,009 ERROR [stderr] (ESRegistryCacheInvalidator) ... 15 more
Thanks and Regards,
Ram Tanna
6 years, 5 months