Spinnaker GKE oauth - User's info does not have all required fields
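I am trying to authenticate my Spinnaker interface using this tutorial: https://www.spinnaker.io/setup/quickstart/halyard-gke-public/
Before this tutorial, Spinnaker was confirmed up and running at http://localhost:9000. I tried the following on 1.3.1, 1.4.1 and 1.4.2.
After editing/applying/enabling Google security, I tried to log in and was successfully challenged with the Google login screen. After completing two-factor authentication I am redirected to http://localhost:8084/login, but I receive the following error: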
{
"error": "Unauthorized",
"message": "Authentication Failed: User's info does not have all required fields.",
"status": 401,
"timestamp": 1506985726074
}
Here is the log of my setup steps:
kross@halyard:~$ hal config security authn oauth2 edit --provider google \
> --client-id $CLIENT_ID \
> --client-secret $CLIENT_SECRET \
> --user-info-requirements hd=$DOMAIN
+ Get current deployment
Success
+ Get authentication settings
Success
+ Edit oauth2 authentication settings
Success
Problems in default.security:
- WARNING Your UI or API domain does not have override base URLs
set even though your Spinnaker deployment is a Distributed deployment on a
remote cloud provider. As a result, you will need to open SSH tunnels against
that deployment to access Spinnaker.
? We recommend that you instead configure an authentication
mechanism (OAuth2, SAML2, or x509) to make it easier to access Spinnaker
securely, and then register the intended Domain and IP addresses that your
publicly facing services will be using.
+ Successfully edited oauth2 method.
kross@halyard:~$ hal config security authn oauth2 enable
+ Get current deployment
Success
+ Edit oauth2 authentication settings
Success
Problems in default.security:
- WARNING Your UI or API domain does not have override base URLs
set even though your Spinnaker deployment is a Distributed deployment on a
remote cloud provider. As a result, you will need to open SSH tunnels against
that deployment to access Spinnaker.
? We recommend that you instead configure an authentication
mechanism (OAuth2, SAML2, or x509) to make it easier to access Spinnaker
securely, and then register the intended Domain and IP addresses that your
publicly facing services will be using.
+ Successfully enabled oauth2
kross@halyard:~$ hal deploy apply
+ Get current deployment
Success
+ Apply deployment
Success
+ Deploy spin-clouddriver
Success
+ Deploy spin-front50
Success
+ Deploy spin-orca
Success
+ Deploy spin-deck
Success
+ Deploy spin-echo
Success
+ Deploy spin-gate
Success
+ Deploy spin-igor
Success
+ Deploy spin-rosco
Success
Problems in default.security:
- WARNING Your UI or API domain does not have override base URLs
set even though your Spinnaker deployment is a Distributed deployment on a
remote cloud provider. As a result, you will need to open SSH tunnels against
that deployment to access Spinnaker.
? We recommend that you instead configure an authentication
mechanism (OAuth2, SAML2, or x509) to make it easier to access Spinnaker
securely, and then register the intended Domain and IP addresses that your
publicly facing services will be using.
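I'm not quite sure what to do. It looks like I am authenticated, but for some reason the required user fields are not allowed in the interaction.
I have also looked at Spinnaker's authentication setup, repeatedly made some changes and tested with a fresh incognito browser, but nothing changed.
Since the Google provider is a packaged OAuth 2 provider with Spinnaker, I am confused about what further configuration is needed, because I am not "bringing my own provider".
Where can I start looking next? Any references/pointers to documentation?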
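The problem is with the --user-info-requirements hd=$DOMAIN parameter. This is (usually) only needed when you are using a G Suite/Google Apps for Work account as your OAuth identity provider - it restricts login to users in your domain. Otherwise, anyone with a valid @gmail account can log in.
If you use --user-info-requirements hd=$DOMAIN and the specified $DOMAIN is invalid, you will receive this error. Be sure to use the fully qualified domain name as the value.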
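An added example, not part of the original answer and not Spinnaker's own code: a small model of a userinfo requirements check, showing why an `hd` requirement produces the 401 above. It assumes each required field must be present and exactly equal to the configured value; Google includes the `hd` claim only for hosted-domain accounts, so a consumer Gmail identity never carries it. The function names and sample userinfo documents are constructed for illustration.

```python
# Illustrative model of a userinfo requirements check (not Spinnaker's code).
# Assumption: each required field must be present and equal to the configured value.

def unmet_requirements(user_info, requirements):
    """Return {field: reason} for every requirement the userinfo does not meet."""
    problems = {}
    for field, expected in requirements.items():
        if field not in user_info:
            problems[field] = "claim absent from userinfo"
        elif user_info[field] != expected:
            problems[field] = f"got {user_info[field]!r}, expected {expected!r}"
    return problems


def login_status(user_info, requirements):
    """401 when any requirement is unmet, mirroring the error in the question."""
    problems = unmet_requirements(user_info, requirements)
    return (401, problems) if problems else (200, {})


# Constructed sample userinfo documents (not captured responses).
HOSTED_USER = {"email": "dev@example.com", "email_verified": True, "hd": "example.com"}
GMAIL_USER = {"email": "someone@gmail.com", "email_verified": True}  # no "hd" claim

if __name__ == "__main__":
    cases = [
        ("hosted user, hd=example.com", HOSTED_USER, {"hd": "example.com"}),
        ("gmail user, hd=example.com", GMAIL_USER, {"hd": "example.com"}),
        ("hosted user, hd=example", HOSTED_USER, {"hd": "example"}),
        ("gmail user, no requirement", GMAIL_USER, {}),
    ]
    for label, info, reqs in cases:
        status, problems = login_status(info, reqs)
        print(f"{label}: {status} {problems}")
```

The last case is the trade-off the answer describes: with no `hd` requirement the login succeeds for any Google account, so access control has to come from somewhere else.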