Question by srikanth.dannarapu@ge.com · Sep 28, 2016 at 02:41 AM · access-control-service

Unable to add policy and create attributes to acs service

I am following the URL below and the data-seed-service app to add a policy and attributes to the ACS service

https://www.predix.io/docs/?r=828975#hCjpapDw

https://github.com/PredixDev/data-seed-service/tree/master/config/acs

When I add a policy with the user credentials using the URL below, I get the error below. I am also passing Predix-Zone-Id and Authorization as part of the header.

https://predix-acs.run.aws-usw02-pr.ice.predix.io/v1/policy-set/lpmconfig

error: { "error": "invalid_token", "error_description": "Unauthorized zone access by principal: fa_user for zone: 06920ae7-78b1-43e2-ae87-c1d89232257c" }

I get the same error when I create attributes for resources and subjects for enforcement.

4 Replies

Answer by Meeta Garg · Oct 04, 2016 at 10:59 AM

The documentation is now updated to include the scope information in the description. https://www.predix.io/docs#hCjpapDw


Answer by Tom Turner · Oct 03, 2016 at 10:57 AM

As I understand it, calling the ACS REST API uses User token authority checking. Thus you need to pass a User Token to it, meaning that the user is a User created in UAA, not a clientId created in UAA.

In order for ACS to validate that token, the user has to be placed in a UAA "Group". The Group name cannot be "my-group". Instead, the spelling of the group name has to match the spelling of the Scope that ACS is expecting.

Thus, if ACS is expecting a scope of access-acs.12345678guid.allow-policy-creation, in UAA you create a Group with that name.

Then you put the User in that group. Then you get a token for that User and pass that in the Header as a Bearer token.

ACS passes that token to UAA and checks if the User is in a group with that spelling.

Comment by Sanjeev Chopra · Oct 03, 2016 at 11:28 AM

Tom, your overall understanding is right. However, I want to clarify a few things to avoid confusion:

  • ACS only validates the 'scopes' (not authorities) claim in the JWT. The grant type used to obtain the token does not affect the authorization.

  • For example, if there is an administrative application which authenticates/authorizes policy administrators in some other way, it could authenticate to ACS using a token obtained with the client_credentials grant, as long as the client id has been configured with the correct 'authorities' as you described.

  • The use case you describe above is valid as well, where both the user and the application are authenticated by UAA, and the token is obtained with an authorization_code grant.

Answer by Tom Turner · Sep 28, 2016 at 08:20 AM

We recently added ACS to the Predix Tool Kit. Here is the URL for the Basic (US West) cloud.

As I recall the user you are using needs to have certain privileges. I think ACS is using User token authorities, so that user has to be in a Group that matches the needed scopes of ACS.

If you are using DataSeed, try running the Reference App install script. Then use the app_admin_1 user to access the ACS service.

Comment by Sanjeev Chopra · Oct 01, 2016 at 06:27 PM

@Tom, please elaborate what you mean by "ACS is using User token authorities"?

Answer by Sanjeev Chopra · Oct 01, 2016 at 06:26 PM

Srikanth,

The error is indicating that the token being used does not have the access to the zone (specified in Predix-Zone-Id) you are accessing.

  • The token being used must have the following scope (in addition to the scopes listed in the document you referenced): predix-acs.zones.(YOUR_ZONE_ID).user
  • I will also file an issue to add this information to the documentation.

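A pre-flight check that illustrates both Tom's point (the group/scope spelling must match what ACS expects) and Sanjeev's answer (the per-zone scope predix-acs.zones.ZONE_ID.user must be in the token's scope claim, and only that claim is consulted), written as an added example that is not code from this thread or from Predix. It verifies a JWT and reports which required scopes are absent; the HS256 signing key, the token builder and the function names are constructed stand-ins (a real UAA token is signed with the UAA instance's own key), and the zone id is the one quoted in the question.

```python
import base64
import hashlib
import hmac
import json

# Constructed stand-in for the UAA signing key, only so the example verifies offline.
SIGNING_KEY = b"example-signing-key-not-real"


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(claims: dict) -> str:
    """Build an HS256 JWT over constructed claims (test helper, not a UAA call)."""
    head = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SIGNING_KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64url(sig)}"


def verified_claims(token: str) -> dict:
    """Check the signature and return the payload claims; reject tampered tokens."""
    head, body, sig = token.split(".")
    expected = hmac.new(SIGNING_KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("invalid_token: signature mismatch")
    return json.loads(_b64url_decode(body))


def zone_scope(zone_id: str) -> str:
    """The per-zone scope named in the answer above, for the zone in Predix-Zone-Id."""
    return f"predix-acs.zones.{zone_id}.user"


def missing_scopes(token: str, zone_id: str, extra_required=()) -> set:
    """Return the required scopes that the token's 'scope' claim does not grant.

    Only 'scope' is consulted: an 'authorities' claim is ignored, matching the
    thread's point that ACS validates scopes, not authorities.
    """
    granted = verified_claims(token).get("scope", [])
    if isinstance(granted, str):          # tolerate space-separated form
        granted = granted.split()
    required = {zone_scope(zone_id), *extra_required}
    return required - set(granted)
```

An empty result means the token carries every scope the check was asked for; a non-empty result names the exact group that still has to be created in UAA and assigned to the user.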
