{
"xsappname": "xsuaa-k8-scp-example",
"scopes": [
{
"name": "$XSAPPNAME.Display",
"description": "display"
}
],
"role-templates": [
{
"name": "Viewer",
"description": "Read Access",
"scope-references": [
"$XSAPPNAME.Display"
]
}
]
}
$ svcat provision xsuaa-example --class xsuaa --plan broker --params-json '{"xsappname":"xsuaa-k8-scp-example","scopes":[{"name":"$XSAPPNAME.Display","description":"display"}],"role-templates":[{"name":"Viewer","description":"Read Access","scope-references":["$XSAPPNAME.Display"]}]}'
Name: xsuaa-example
Namespace: default
Status:
Class: xsuaa
Plan: z48zz57zz45zgt9z2fzjz4azz47zz4-fd5fd60de69db525c44c9608067cb61a
Parameters:
role-templates:
- description: Read Access
name: Viewer
scope-references:
- $XSAPPNAME.Display
scopes:
- description: display
name: $XSAPPNAME.Display
xsappname: xsuaa-k8-scp-example
$ svcat get instance
NAME NAMESPACE CLASS PLAN STATUS
+----------------+-----------+-------+-----------------------------------------------------------------+--------+
xsuaa-example default xsuaa z48zz57zz45zgt9z2fzjz4azz47zz4-fd5fd60de69db525c44c9608067cb61a Ready
$ svcat bind xsuaa-example
Name: xsuaa-example
Namespace: default
Status:
Secret: xsuaa-example
Instance: xsuaa-example
Parameters:
No parameters defined
$ svcat get bindings
NAME NAMESPACE INSTANCE STATUS
+----------------+-----------+----------------+--------+
xsuaa-example default xsuaa-example Ready
$ kubectl get secrets
NAME TYPE DATA AGE
default-token-nvqvg kubernetes.io/service-account-token 3 4d20h
xsuaa-example Opaque 13 106s
├── Dockerfile
├── package.json
└── server.js
var express = require('express');
var xsenv = require('@sap/xsenv');
var passport = require('passport');
var JWTStrategy = require('@sap/xssec').JWTStrategy;
var app = express();
passport.use(new JWTStrategy(xsenv.getServices({uaa:{tag:'xsuaa'}}).uaa));
app.use(passport.initialize());
app.use(passport.authenticate('JWT', { session: false }));
app.get('/', function (req, res, next) {
console.log("Authenticated Request Reached...");
var isAuthorized = req.authInfo.checkScope('xsuaa-k8-scp-example!b10809.Display');
if (isAuthorized) {
console.log("Authorization success. User: " + req.user.id + ", Path: '/'.");
res.send('Application user: ' + req.user.id);
} else {
console.log("Authorization failed. User: " + req.user.id + ", Path: '/'.");
res.status(403).send('Forbidden');
}
});
var port = process.env.PORT || 8085;
app.listen(port, function () {
console.log('myapp listening on port ' + port);
});
{
"name": "xsuaa-k8-scp-example",
"version": "1.0.0",
"description": "",
"main": "server.js",
"scripts": {
"test": "echo \"Error: no test specified\" && exit 1"
},
"dependencies": {
"@sap/xsenv": "1.2.7",
"@sap/xssec": "^2.1.16",
"express": "^4.17.1",
"http": "0.0.0",
"passport": "^0.4.0"
},
"author": "",
"license": "ISC"
}
FROM node:10.15.3-jessie-slim
EXPOSE 8085
COPY package.json .
COPY server.js .
COPY node_modules ./node_modules
CMD DEBUG=* node server.js
eval $(minikube docker-env)
npm install
$ docker build -t xsuaa-k8-scp-example:0.9 .
Sending build context to Docker daemon 25.87MB
Step 1/6 : FROM node:10.15.3-jessie-slim
---> b2566e062f4a
Step 2/6 : EXPOSE 8085
---> Using cache
---> e40927591070
Step 3/6 : COPY package.json .
---> Using cache
---> 2157829d59cc
Step 4/6 : COPY server.js .
---> Using cache
---> 73f35f9aae4c
Step 5/6 : COPY node_modules ./node_modules
---> 43a6d7f86cac
Step 6/6 : CMD DEBUG=* node server.js
---> Running in a5ebb6456a3f
Removing intermediate container a5ebb6456a3f
---> 103580985707
Successfully built 103580985707
Successfully tagged xsuaa-k8-scp-example:0.9
$ docker image list
REPOSITORY TAG IMAGE ID CREATED SIZE
xsuaa-k8-scp-example 0.9 72b63f9eb3f0 30 seconds ago 211MB
<none> <none> 4e85af197088 25 hours ago 211MB
k8s.gcr.io/kube-proxy v1.17.3 ae853e93800d 3 weeks ago 116MB
k8s.gcr.io/kube-apiserver v1.17.3 90d27391b780 3 weeks ago 171MB
k8s.gcr.io/kube-controller-manager v1.17.3 b0f1517c1f4b 3 weeks ago 161MB
k8s.gcr.io/kube-scheduler v1.17.3 d109c0821a2b 3 weeks ago 94.4MB
kubernetesui/dashboard v2.0.0-beta8 eb51a3597525 2 months ago 90.8MB
quay.io/kubernetes-service-catalog/service-catalog v0.3.0-beta.2 8da829e9f261 3 months ago 42.7MB
k8s.gcr.io/coredns 1.6.5 70f311871ae1 3 months ago 41.6MB
k8s.gcr.io/etcd 3.4.3-0 303ce5db0e90 4 months ago 288MB
kubernetesui/metrics-scraper v1.0.2 3b08661dc379 4 months ago 40.1MB
quay.io/service-manager/sb-proxy-k8s v0.3.2 1dffd12df62a 4 months ago 48.7MB
node 10.15.3-jessie-slim b2566e062f4a 10 months ago 187MB
k8s.gcr.io/pause 3.1 da86e6ba6ca1 2 years ago 742kB
gcr.io/k8s-minikube/storage-provisioner v1.8.1 4689081edb10 2 years ago 80.8MB
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: xsuaa-k8-scp-example
name: xsuaa-k8-scp-example
spec:
replicas: 1
selector:
matchLabels:
app: xsuaa-k8-scp-example
template:
metadata:
labels:
app: xsuaa-k8-scp-example
spec:
containers:
- image: xsuaa-k8-scp-example:0.9
name: xsuaa-k8-scp-example
env:
- name: clientid
valueFrom: { secretKeyRef: { name: xsuaa-example, key: clientid } }
- name: identityzone
valueFrom: { secretKeyRef: { name: xsuaa-example, key: identityzone } }
- name: sburl
valueFrom: { secretKeyRef: { name: xsuaa-example, key: sburl } }
- name: trustedclientidsuffix
valueFrom: { secretKeyRef: { name: xsuaa-example, key: trustedclientidsuffix } }
- name: apiurl
valueFrom: { secretKeyRef: { name: xsuaa-example, key: apiurl } }
- name: clientsecret
valueFrom: { secretKeyRef: { name: xsuaa-example, key: clientsecret } }
- name: identityzoneid
valueFrom: { secretKeyRef: { name: xsuaa-example, key: identityzoneid } }
- name: tenantid
valueFrom: { secretKeyRef: { name: xsuaa-example, key: tenantid } }
- name: tenantmode
valueFrom: { secretKeyRef: { name: xsuaa-example, key: tenantmode } }
- name: uaadomain
valueFrom: { secretKeyRef: { name: xsuaa-example, key: uaadomain } }
- name: url
valueFrom: { secretKeyRef: { name: xsuaa-example, key: url } }
- name: verificationkey
valueFrom: { secretKeyRef: { name: xsuaa-example, key: verificationkey } }
- name: xsappname
valueFrom: { secretKeyRef: { name: xsuaa-example, key: xsappname } }
$ kubectl describe secrets/xsuaa-example
Name: xsuaa-example
Namespace: default
Labels: <none>
Annotations: <none>
Type: Opaque
Data
====
identityzoneid: 36 bytes
tenantid: 36 bytes
trustedclientidsuffix: 34 bytes
url: 50 bytes
clientid: 36 bytes
clientsecret: 28 bytes
identityzone: 5 bytes
sburl: 59 bytes
tenantmode: 9 bytes
uaadomain: 36 bytes
verificationkey: 442 bytes
xsappname: 33 bytes
apiurl: 48 bytes
var express = require('express');
var app = express();
app.get('/', function (req, res, next) {
console.log("Authenticated Request Reached...");
});
var port = process.env.PORT || 8085;
app.listen(port, function () {
console.log('myapp listening on port ' + port);
});
kubectl apply -f xsuaa-k8-scp-example-config/
$ kubectl get pod -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
xsuaa-k8-scp-example-6b7d458bd6-cdgv9 1/1 Running 0 25h 172.17.0.7 minikube <none> <none>
$ kubectl exec -it xsuaa-k8-scp-example-6b7d458bd6-cdgv9 bash
root@xsuaa-k8-scp-example-6b7d458bd6-cdgv9:/#
# env
NODE_VERSION=10.15.3
HOSTNAME=xsuaa-k8-scp-example-6b7d458bd6-cdgv9
KUBERNETES_PORT_443_TCP_PORT=443
KUBERNETES_PORT=tcp://10.96.0.1:443
TERM=xterm
KUBERNETES_SERVICE_PORT=443
url=https://xxxx.authentication.sap.hana.ondemand.com
KUBERNETES_SERVICE_HOST=10.96.0.1
xsappname=<app name>
identityzone=xxx
verificationkey=-----BEGIN PUBLIC KEY-----<cert key>-----END PUBLIC KEY-----
clientid=sb-xsuaa-k8-scp-examplexxxxx
clientsecret=Ct/+xxxxxxxxxxxxxxxxxxxxxx/w=
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
trustedclientidsuffix=<trustedclientidsuffix>
PWD=/
identityzoneid=55d8129b-1e6b-4231-9c80-000ae080f9dd
SHLVL=1
HOME=/root
YARN_VERSION=1.13.0
KUBERNETES_PORT_443_TCP_PROTO=tcp
KUBERNETES_SERVICE_PORT_HTTPS=443
sburl=https://internal-xsuaa.authentication.sap.hana.ondemand.com
tenantid=55d8129b-1e6b-4231-9c80-000ae080f9dd
tenantmode=dedicated
KUBERNETES_PORT_443_TCP_ADDR=10.96.0.1
apiurl=https://api.authentication.sap.hana.ondemand.com
KUBERNETES_PORT_443_TCP=tcp://10.96.0.1:443
uaadomain=authentication.sap.hana.ondemand.com
_=/usr/bin/env
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: xsuaa-k8-scp-example
name: xsuaa-k8-scp-example
spec:
replicas: 1
selector:
matchLabels:
app: xsuaa-k8-scp-example
template:
metadata:
labels:
app: xsuaa-k8-scp-example
spec:
containers:
- image: xsuaa-k8-scp-example:0.9
name: xsuaa-k8-scp-example
env:
- name: VCAP_SERVICES
value: "{\"xsuaa\":[{\"credentials\":{\"apiurl\":\"https://api.authentication.sap.hana.ondemand.com\",\"clientid\":\"sb-xsuaa-k8-scp-examplexxxx\",\"clientsecret\":\"xxxxxxxxxxxxxxx\",\"identityzone\":\"xxx\",\"identityzoneid\":\"55d8129b-1e6b-4231-9c80-000ae080f9dd\",\"sburl\":\"https://internal-xsuaa.authentication.sap.hana.ondemand.com\",\"tenantid\":\"55d8129b-1e6b-4231-9c80-000ae080f9dd\",\"tenantmode\":\"dedicated\",\"uaadomain\":\"authentication.sap.hana.ondemand.com\",\"url\":\"https://xxxx.authentication.sap.hana.ondemand.com\",\"verificationkey\":\"-----BEGIN PUBLIC KEY-----<cert key>-----END PUBLIC KEY-----\",\"xsappname\":\"xsuaa-k8-scp-example!b10809\"},\"tags\":[\"xsuaa\"],\"label\":\"xsuaa\",\"plan\":\"application\",\"name\":\"xsuaa-example1\"}]}"
kubectl apply -f xsuaa-k8-scp-example-config/
kubectl port-forward deployment.apps/xsuaa-k8-scp-example 8085:8085
curl --location --request POST 'https://xxx.authentication.sap.hana.ondemand.com/oauth/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--header 'Accept: application/json' \
--data-urlencode 'grant_type=password' \
--data-urlencode 'password=<user's password>' \
--data-urlencode 'username=<user's email address>' \
--data-urlencode 'client_id=<xsuaa client id>' \
--data-urlencode 'client_secret=<xsuaa client secret>' \
--data-urlencode 'response_type=token'
{
"access_token": "<token>",
"token_type": "bearer",
"id_token": "<token>",
"refresh_token": "<token>",
"expires_in": 43199,
"scope": "openid xsuaa-k8-scp-example!b10809.Display",
"jti": "65501d3df7de4e7387267f44e106a8ea"
}
curl -i --location --request GET 'http://localhost:8085/' \
--header 'Accept: application/json' \
--header 'Authorization: Bearer <token>'
HTTP/1.1 200 OK
X-Powered-By: Express
Content-Type: text/html; charset=utf-8
Content-Length: 43
ETag: W/"2b-M8JdCOGSPyy3PSSpF4lP7MEeqAI"
Date: Wed, 04 Mar 2020 08:46:45 GMT
Connection: keep-alive
Application user: xxx@sap.com
curl -i --location --request GET 'http://localhost:8085/' \
--header 'Accept: application/json' \
--header 'Authorization: Bearer <token>'
HTTP/1.1 403 Forbidden
X-Powered-By: Express
Date: Wed, 04 Mar 2020 08:47:43 GMT
Connection: keep-alive
Content-Length: 9
Forbidden
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
User | Count |
---|---|
38 | |
19 | |
13 | |
13 | |
11 | |
10 | |
10 | |
10 | |
8 | |
8 |