I am following the URL below and the data-seed-service app to add policy and attributes to the ACS service:
https://www.predix.io/docs/?r=828975#hCjpapDw
https://github.com/PredixDev/data-seed-service/tree/master/config/acs
When I add a policy with the user credentials using the URL below, I get the error below. I am also passing Predix-Zone-Id and Authorization as part of the header.
https://predix-acs.run.aws-usw02-pr.ice.predix.io/v1/policy-set/lpmconfig
error: { "error": "invalid_token", "error_description": "Unauthorized zone access by principal: fa_user for zone: 06920ae7-78b1-43e2-ae87-c1d89232257c" }
I am getting the same error when I create attributes for resources and subjects for enforcement.
Answer by Meeta Garg · Oct 04, 2016 at 10:59 AM
The documentation is now updated to include the scope information in the description. https://www.predix.io/docs#hCjpapDw
Answer by Tom Turner · Oct 03, 2016 at 10:57 AM
As I understand it, calling the ACS REST API uses User token authority checking. Thus you need to pass a User Token to it, meaning that the user is a User created in UAA, not a clientId created in UAA.
In order for ACS to validate that token, the user has to be placed in a UAA "Group". The Group name cannot be "my-group". Instead, the spelling of the group name has to match the spelling of the Scope that ACS is expecting.
Thus, if ACS is expecting a scope of access-acs.12345678guid.allow-policy-creation, in UAA you create a Group with that name.
Then you put the User in that group. Then you get a token for that User and pass that in the Header as a Bearer token.
ACS passes that token to UAA and checks if the User is in a group with that spelling.
Tom, your overall understanding is right. However, I want to clarify a few things to avoid confusion.
ACS only validates the 'scopes' (not authorities) claim in the JWT. The grant type used to obtain the token does not affect the authorization.
For example, if there is an administrative application which authenticates/authorizes policy administrators in some other way, it could authenticate to ACS using a token obtained with the client_credentials grant, as long as the client id has been configured with the correct 'authorities' as you described.
The use case you describe above is valid as well, where both the user and the application are authenticated by UAA, and the token is obtained with an authorization_code grant.
Answer by Tom Turner · Sep 28, 2016 at 08:20 AM
We recently added ACS to the Predix Tool Kit. Here is the url for the Basic (US West) cloud.
As I recall, the user you are using needs to have certain privileges. I think ACS is using User token authorities, so that user has to be in a Group that matches the needed scopes of ACS.
If you are using DataSeed, try running the Reference App install script. Then use the app_admin_1 user to access the ACS service.
@Tom, please elaborate on what you mean by "ACS is using User token authorities"?
Answer by Sanjeev Chopra · Oct 01, 2016 at 06:26 PM
Srikanth,
The error is indicating that the token being used does not have the access to the zone (specified in Predix-Zone-Id) you are accessing.
The token being used must have the following scope (in addition to the scopes listed in the document you referenced):
predix-acs.zones.(YOUR_ZONE_ID).user
I will also file an issue to add this information to the documentation.
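The two answers above (Tom's: the token's scope claim must match a UAA group name; Sanjeev's: the token must additionally carry predix-acs.zones.(YOUR_ZONE_ID).user for the zone in Predix-Zone-Id) both come down to inspecting the scopes UAA put in the JWT before sending it to ACS. The following is an added example, not code from the question, the answers, or the Predix data-seed-service project: it decodes a token's claims locally, without verifying the signature, and reports which required scopes are missing. The helper that builds alg=none tokens, the sample scope lists, and the per-operation scopes passed in extra_required are constructed for illustration; the zone id and user name are the ones shown in the error in the question.

```python
import base64
import json

# Scope pattern quoted in the answer above; the zone id is the value sent
# in the Predix-Zone-Id header of the failing request.
ZONE_SCOPE_TEMPLATE = "predix-acs.zones.{zone_id}.user"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def jwt_claims(token: str) -> dict:
    """Return the claims segment of a JWT WITHOUT checking its signature.
    Local diagnostic only: signature, issuer and expiry are still verified
    by ACS (via UAA); this never replaces that check."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def token_scopes(claims: dict) -> set:
    """UAA puts granted scopes in the 'scope' claim (a list); ACS reads that
    claim, not 'authorities'. Tolerate the space-separated string form too."""
    scope = claims.get("scope", [])
    if isinstance(scope, str):
        scope = scope.split()
    return set(scope)


def missing_acs_scopes(token: str, zone_id: str, extra_required=()) -> list:
    """Scopes the token lacks for ACS calls against zone_id; [] means ok.
    extra_required: the per-operation scopes from the ACS documentation
    (assumption: caller supplies them, they are not listed on this page)."""
    required = {ZONE_SCOPE_TEMPLATE.format(zone_id=zone_id), *extra_required}
    return sorted(required - token_scopes(jwt_claims(token)))


def make_unsigned_jwt(claims: dict) -> str:
    """Constructed test helper: builds an alg=none token for offline examples.
    Real UAA tokens are RS256-signed; a service must never accept alg=none."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{body}."


# Constructed sample tokens for the zone and user from the error in the question.
ZONE_ID = "06920ae7-78b1-43e2-ae87-c1d89232257c"
TOKEN_WITHOUT_ZONE = make_unsigned_jwt({
    "user_name": "fa_user",
    "scope": ["openid", "uaa.user"],  # no zone scope -> "Unauthorized zone access"
})
TOKEN_WITH_ZONE = make_unsigned_jwt({
    "user_name": "fa_user",
    "scope": ["openid", ZONE_SCOPE_TEMPLATE.format(zone_id=ZONE_ID)],
})

if __name__ == "__main__":
    for label, tok in (("without zone scope", TOKEN_WITHOUT_ZONE),
                       ("with zone scope", TOKEN_WITH_ZONE)):
        print(f"{label}: missing = {missing_acs_scopes(tok, ZONE_ID)}")
```

Run it against a real UAA access token by pasting the token string in place of the constructed ones; an empty missing list for the zone scope rules out the cause of the "Unauthorized zone access by principal" error described above, while a non-empty list points at the UAA group (Tom's answer) or zone scope (Sanjeev's answer) that still has to be granted to the user or client.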