Hello, I try to deploy `<http://GoodData.CN|GoodDa...
# gooddata-cn
Hello, I try to deploy
<http://GoodData.CN|GoodData.CN> CE 2.1
with changed token secret via GDCN_TOKEN_SECRET but it doesn’t work. The deployed instance then completely breaks and stop working (details in 🧵). I suspect the problem is in using custom GDCN_PUBLIC_URL but not sure why this shouldn’t work. Can you please advise how can I make it work in this setup?
✔️ 1
In the logs I can see the succesfull deploy
if I go to url I get the error
No Organization found for hostname '<http://telemetry.east-us-2.azure.keboola-testing.com|telemetry.east-us-2.azure.keboola-testing.com>'
the bearer token
decodes to
this setup is working if I don’t specify
@Robert Moucha could you help here?
let me further say that overall I’m trying to change the password of the default user demo@example.com via https://www.gooddata.com/developers/cloud-native/doc/2.1/manage-deployment/set-up-authentication/built-in-oidc/#update-a-user-in-dex api call. I tried to first deploy without GDCN_TOKEN_SECRET and then keep the docker volume and do the second deploy with GDCN_TOKEN_SECRET -> I found out the I can still use the default token
to change the password for demo@example.com and if I use the token via GDCN_TOKEN_SECRET to change the password I get 401 error saying
Unable to lookup user details for provided Bearer token
Hi, let's sort it out, one thing at a time. You had GD.CN 2.1.0 running with docker volume mounted to /data directory, with default token set. Then, you decided to change both token secret using GDCN_TOKEN_SECRET env var and hostname using GDCN_PUBLIC_URL in a new container, while preserving data in volume? Or did you previously set GDCN_PUBLIC_URL in the first incarnation of container (with default token)?
Aha, the token you are trying to use is invalid
sorry for confusion. I always have GDCN_PUBLIC_URL set, and additionally try to set GDCN_TOKEN_SECRET as well. No matter how I do it, it fails. Lets say I have no previous gdcn installation deployed, everything is deleted including disk etc. Now I do: 1. deploy with GDCN_PUBLIC_URL and GDCN_TOKEN_SECRET set. It fails on
No Organization found for hostname
2. again delete all and I do: ◦ first deploy only with GDCN_PUBLIC_URL ◦ share the same docker volume with first deploy and do a second deploy with GDCN_PUBLIC_URL (same value as in first deploy) and GDCN_TOKEN_SECRET set -> then updating user default password fails on
Unable to lookup user details for provided Bearer token
What I try to achieve is to have custom token secret (GDCN_TOKEN_SECRET set), but noticed it probably not work with custom url (GDCN_PUBLIC_URL set). Is it more clear now?
again, if I delete all and deploy only with GDCN_PUBLIC_URL, then it works but I need to use default token which I don’t want
yes, it is clear. Let me check locally, this shoudl work.
🙏 1
stay tuned.
👍 1
How exactly did you passed the GDCN_TOKEN_SECRET value to your deployment? Because the token reported after container start (
) is generated from string with trailing newline: base64 -d <<< YWRtaW46Ym9vdHN0cmFwOlJPTHZUUnZzdTBxMDN6VnRLM3g2YVVFd2FoZm9WbXZzCg== | xxd 00000000: 6164 6d69 6e3a 626f 6f74 7374 7261 703a adminbootstrap 00000010: 524f 4c76 5452 7673 7530 7130 337a 5674 ROLvTRvsu0q03zVt 00000020: 4b33 7836 6155 4577 6168 666f 566d 7673 K3x6aUEwahfoVmvs 00000030: 0a .
When I run docker container manually, passing
-e GDCN_TOKEN_SECRET=ROLvTRvsu0q03zVtK3x6aUEwahfoVmvs
on command line, I get correct value when container starts:
Copy code
| To access API, use Bearer token YWRtaW46Ym9vdHN0cmFwOlJPTHZUUnZzdTBxMDN6VnRLM3g2YVVFd2FoZm9WbXZz
I generate it in the deploy script via command
Copy code
echo admin:bootstrap:$GOODDATACN_TOKEN_SECRET | base64 --wrap=0
the GOODDATACN_TOKEN_SECRET is generated as
openssl rand -base64 40 | tr -d "=+/" | cut -c1-32
I guess I should use printf instead of echo
echo -n
see the docs
ahh thanks! I try it
anyway, this doesn't explain why the old (default) token is still valid
I see now, must have missed it because I copied it from somewhere else
anyway, this doesn’t explain why the old (default) token is still valid
can you reproduce it?
will try
Sorry, cannot reproduce: • Fresh run with GDCN_PUBLIC_URL, without GDCN_TOKEN_SECRET:
To access API, use Bearer token YWRtaW46Ym9vdHN0cmFwOmFkbWluMTIz
Copy code
curl -sH 'Authorization: Bearer YWRtaW46Ym9vdHN0cmFwOmFkbWluMTIz' <http://tiger.example.com:3000/api/v1/profile> | jq .links.user
token works • 2nd run with the same GDCN_PUBLIC_URL and with GDCN_TOKEN_SECRET=ROLvTRvsu0q03zVtK3x6aUEwahfoVmvs:
To access API, use Bearer token YWRtaW46Ym9vdHN0cmFwOlJPTHZUUnZzdTBxMDN6VnRLM3g2YVVFd2FoZm9WbXZz
Copy code
# new token works
curl -sH 'Authorization: Bearer YWRtaW46Ym9vdHN0cmFwOlJPTHZUUnZzdTBxMDN6VnRLM3g2YVVFd2FoZm9WbXZz' <http://tiger.example.com:3000/api/v1/profile> | jq .links.user

# old token doesn't work
curl -iH 'Authorization: Bearer YWRtaW46Ym9vdHN0cmFwOmFkbWluMTIz' <http://tiger.example.com:3000/api/v1/profile> 
HTTP/1.1 401 Unauthorized
Server: nginx
Date: Mon, 03 Oct 2022 13:51:15 GMT
Content-Length: 0
so it most likely means there is some mistake in my provisioning scripts. I will debug it further. Thank you!
Finally I found more places in the deploy script that generate strings with a trailing newline character that I had to fix and now it works as expected. Thanks a lot for the help!
I'm glad to help