Authorization configuration

Hello Team,

Currently, I am trying to enable authorization, but it is not activating even though I have enabled the feature; it does not work.

bash

set FLIPT_AUTHORIZATION_REQUIRED=true
set FLIPT_AUTHORIZATION_BACKEND=local
set FLIPT_AUTHORIZATION_BACKEND_LOCAL_POLICY_PATH="/config/policy.rego"

Thanks

Hey @wahyugnc! Sorry for the delay in responding. I need to enable notifications for this Discourse platform.

May I ask which version of Flipt server you are running?

Also are you able to post the contents of /config/policy.rego?

Hi @mark ,

I use flipt version flipt/flipt:v1.46.1

Same as the example

package flipt.authz.v1

import rego.v1

default allow := false

allow if {
    claims := json.unmarshal(input.authentication.metadata["io.flipt.auth.claims"])
    "developer" in claims.roles
}

Hmm, OK. Can you set FLIPT_LOG_LEVEL=debug and post the contents of your log at startup? And perhaps some request logs as well (i.e. at evaluation time).

Ah, we found the issue.

It’s an issue on our end. We left the experimental check in from a previous version. Try setting FLIPT_EXPERIMENTAL_AUTHORIZATION_ENABLED=true as well.

Sorry I’m late,

this is the log:

2024-07-25 21:26:59 flipt  | {"L":"DEBUG","T":"2024-07-25T21:26:59+07:00","M":"configuration source","path":"/etc/flipt/config/default.yml"}
2024-07-25 21:26:59 flipt  | {"L":"INFO","T":"2024-07-25T21:26:59+07:00","M":"flipt starting","version":"v1.46.1","commit":"ac1b2fba83e3fa42956e36cc6aa35cade7bbe871","date":"2024-07-17T19:55:42Z","go_version":"go1.22.5"}
2024-07-25 21:26:59 flipt  | {"L":"DEBUG","T":"2024-07-25T21:26:59+07:00","M":"checking for updates"}
2024-07-25 21:26:59 flipt  | {"L":"DEBUG","T":"2024-07-25T21:26:59+07:00","M":"version info","current_version":"v1.46.1","latest_version":"1.46.1"}
2024-07-25 21:26:59 flipt  | {"L":"INFO","T":"2024-07-25T21:26:59+07:00","M":"running latest version","version":"v1.46.1"}
2024-07-25 21:26:59 flipt  | {"L":"DEBUG","T":"2024-07-25T21:26:59+07:00","M":"local state directory exists","path":"/home/flipt/.config/flipt"}
2024-07-25 21:26:59 flipt  | {"L":"DEBUG","T":"2024-07-25T21:26:59+07:00","M":"starting telemetry reporter","component":"telemetry"}
2024-07-25 21:26:59 flipt  | {"L":"DEBUG","T":"2024-07-25T21:26:59+07:00","M":"initialized new state","component":"telemetry"}
2024-07-25 21:26:59 flipt  | {"L":"DEBUG","T":"2024-07-25T21:26:59+07:00","M":"using driver","server":"grpc","driver":"sqlite3"}
2024-07-25 21:26:59 flipt  | {"L":"DEBUG","T":"2024-07-25T21:26:59+07:00","M":"first run, running migrations...","server":"grpc"}
2024-07-25 21:27:00 flipt  | {"L":"DEBUG","T":"2024-07-25T21:27:00+07:00","M":"migrations complete","server":"grpc"}
2024-07-25 21:27:00 flipt  | {"L":"DEBUG","T":"2024-07-25T21:27:00+07:00","M":"constructing builder","server":"grpc","prepared_statements":true}
2024-07-25 21:27:00 flipt  | {"L":"DEBUG","T":"2024-07-25T21:27:00+07:00","M":"database driver configured","server":"grpc","driver":"sqlite3"}
2024-07-25 21:27:00 flipt  | {"L":"DEBUG","T":"2024-07-25T21:27:00+07:00","M":"store enabled","server":"grpc","store":"sqlite"}
2024-07-25 21:27:00 flipt  | {"L":"DEBUG","T":"2024-07-25T21:27:00+07:00","M":"otel metrics enabled","server":"grpc","exporter":"prometheus"}
2024-07-25 21:27:00 flipt  | {"L":"INFO","T":"2024-07-25T21:27:00+07:00","M":"access token created","server":"grpc","client_token":"lWpgbS0RI1KpOucxxxxxx"}
2024-07-25 21:27:00 flipt  | {"L":"DEBUG","T":"2024-07-25T21:27:00+07:00","M":"authentication method \"token\" server registered","server":"grpc"}
2024-07-25 21:27:00 flipt  | {"L":"DEBUG","T":"2024-07-25T21:27:00+07:00","M":"starting grpc server","server":"grpc"}
2024-07-25 21:27:00 flipt  | {"L":"DEBUG","T":"2024-07-25T21:27:00+07:00","M":"starting http server","server":"http"}
2024-07-25 21:27:00 flipt  | {"L":"INFO","T":"2024-07-25T21:27:00+07:00","M":"api available","server":"http","address":"http://0.0.0.0:8080/api/v1"}
2024-07-25 21:27:00 flipt  | {"L":"INFO","T":"2024-07-25T21:27:00+07:00","M":"ui available","server":"http","address":"http://0.0.0.0:8080"}
2024-07-25 21:27:00 flipt  | {"L":"INFO","T":"2024-07-25T21:27:00+07:00","M":"cleanup process deleting authentications","server":"grpc","service":"authentication cleanup service","method":"METHOD_TOKEN","expired_before":"2024-07-25T13:57:00Z"}
2024-07-25 21:27:04 flipt  | {"L":"INFO","T":"2024-07-25T21:27:04+07:00","M":"finished unary call with code OK","server":"grpc","grpc.start_time":"2024-07-25T21:27:04+07:00","system":"grpc","span.kind":"server","grpc.service":"flipt.meta.MetadataService","grpc.method":"GetInfo","peer.address":"127.0.0.1:59186","grpc.code":"OK","grpc.time_ms":0.212}
2024-07-25 21:27:04 flipt  | {"L":"INFO","T":"2024-07-25T21:27:04+07:00","M":"finished unary call with code Unauthenticated","server":"grpc","grpc.start_time":"2024-07-25T21:27:04+07:00","system":"grpc","span.kind":"server","grpc.service":"flipt.auth.AuthenticationService","grpc.method":"GetAuthenticationSelf","peer.address":"127.0.0.1:59186","error":"rpc error: code = Unauthenticated desc = request was not authenticated","grpc.code":"Unauthenticated","grpc.time_ms":0.21}
2024-07-25 21:27:04 flipt  | {"L":"INFO","T":"2024-07-25T21:27:04+07:00","M":"finished unary call with code OK","server":"grpc","grpc.start_time":"2024-07-25T21:27:04+07:00","system":"grpc","span.kind":"server","grpc.service":"flipt.auth.PublicAuthenticationService","grpc.method":"ListAuthenticationMethods","peer.address":"127.0.0.1:59186","grpc.code":"OK","grpc.time_ms":0.155}
2024-07-25 21:27:04 flipt  | {"L":"INFO","T":"2024-07-25T21:27:04+07:00","M":"finished unary call with code OK","server":"grpc","grpc.start_time":"2024-07-25T21:27:04+07:00","system":"grpc","span.kind":"server","grpc.service":"flipt.meta.MetadataService","grpc.method":"GetInfo","peer.address":"127.0.0.1:59186","grpc.code":"OK","grpc.time_ms":0.158}
2024-07-25 21:27:04 flipt  | {"L":"INFO","T":"2024-07-25T21:27:04+07:00","M":"finished unary call with code OK","server":"grpc","grpc.start_time":"2024-07-25T21:27:04+07:00","system":"grpc","span.kind":"server","grpc.service":"flipt.meta.MetadataService","grpc.method":"GetConfiguration","peer.address":"127.0.0.1:59186","grpc.code":"OK","grpc.time_ms":1.175}
2024-07-25 21:27:04 flipt  | {"L":"DEBUG","T":"2024-07-25T21:27:04+07:00","M":"list namespaces","server":"grpc","request":""}
2024-07-25 21:27:04 flipt  | {"L":"DEBUG","T":"2024-07-25T21:27:04+07:00","M":"list namespaces","server":"grpc","response":"namespaces:{key:\"default\"  name:\"Default\"  description:\"Default namespace\"  protected:true  created_at:{seconds:1721917620}  updated_at:{seconds:1721917620}}  total_count:1"}
2024-07-25 21:27:04 flipt  | {"L":"INFO","T":"2024-07-25T21:27:04+07:00","M":"finished unary call with code OK","server":"grpc","grpc.start_time":"2024-07-25T21:27:04+07:00","system":"grpc","span.kind":"server","grpc.service":"flipt.Flipt","grpc.method":"ListNamespaces","peer.address":"127.0.0.1:59186","grpc.code":"OK","grpc.time_ms":3.543}
2024-07-25 21:27:04 flipt  | {"L":"INFO","T":"2024-07-25T21:27:04+07:00","M":"finished unary call with code OK","server":"grpc","grpc.start_time":"2024-07-25T21:27:04+07:00","system":"grpc","span.kind":"server","grpc.service":"flipt.meta.MetadataService","grpc.method":"GetInfo","peer.address":"127.0.0.1:59186","grpc.code":"OK","grpc.time_ms":0.094}
2024-07-25 21:27:04 flipt  | {"L":"INFO","T":"2024-07-25T21:27:04+07:00","M":"finished unary call with code OK","server":"grpc","grpc.start_time":"2024-07-25T21:27:04+07:00","system":"grpc","span.kind":"server","grpc.service":"flipt.meta.MetadataService","grpc.method":"GetConfiguration","peer.address":"127.0.0.1:59186","grpc.code":"OK","grpc.time_ms":0.247}
2024-07-25 21:27:04 flipt  | {"L":"INFO","T":"2024-07-25T21:27:04+07:00","M":"finished unary call with code OK","server":"grpc","grpc.start_time":"2024-07-25T21:27:04+07:00","system":"grpc","span.kind":"server","grpc.service":"flipt.meta.MetadataService","grpc.method":"GetInfo","peer.address":"127.0.0.1:59186","grpc.code":"OK","grpc.time_ms":0.206}
2024-07-25 21:27:04 flipt  | {"L":"DEBUG","T":"2024-07-25T21:27:04+07:00","M":"list namespaces","server":"grpc","request":""}
2024-07-25 21:27:04 flipt  | {"L":"DEBUG","T":"2024-07-25T21:27:04+07:00","M":"list namespaces","server":"grpc","response":"namespaces:{key:\"default\"  name:\"Default\"  description:\"Default namespace\"  protected:true  created_at:{seconds:1721917620}  updated_at:{seconds:1721917620}}  total_count:1"}
2024-07-25 21:27:04 flipt  | {"L":"INFO","T":"2024-07-25T21:27:04+07:00","M":"finished unary call with code OK","server":"grpc","grpc.start_time":"2024-07-25T21:27:04+07:00","system":"grpc","span.kind":"server","grpc.service":"flipt.Flipt","grpc.method":"ListNamespaces","peer.address":"127.0.0.1:59186","grpc.code":"OK","grpc.time_ms":0.645}
2024-07-25 21:27:04 flipt  | {"L":"INFO","T":"2024-07-25T21:27:04+07:00","M":"finished unary call with code OK","server":"grpc","grpc.start_time":"2024-07-25T21:27:04+07:00","system":"grpc","span.kind":"server","grpc.service":"flipt.meta.MetadataService","grpc.method":"GetConfiguration","peer.address":"127.0.0.1:59186","grpc.code":"OK","grpc.time_ms":0.203}
2024-07-25 21:27:06 flipt  | {"L":"DEBUG","T":"2024-07-25T21:27:06+07:00","M":"list segments","server":"grpc","request":"namespace_key:\"default\""}
2024-07-25 21:27:06 flipt  | {"L":"DEBUG","T":"2024-07-25T21:27:06+07:00","M":"list segments","server":"grpc","response":""}
2024-07-25 21:27:06 flipt  | {"L":"INFO","T":"2024-07-25T21:27:06+07:00","M":"finished unary call with code OK","server":"grpc","grpc.start_time":"2024-07-25T21:27:06+07:00","system":"grpc","span.kind":"server","grpc.service":"flipt.Flipt","grpc.method":"ListSegments","peer.address":"127.0.0.1:59186","grpc.code":"OK","grpc.time_ms":2.113}
2024-07-25 21:27:07 flipt  | {"L":"DEBUG","T":"2024-07-25T21:27:07+07:00","M":"list flags","server":"grpc","request":"namespace_key:\"default\""}
2024-07-25 21:27:07 flipt  | {"L":"DEBUG","T":"2024-07-25T21:27:07+07:00","M":"list flags","server":"grpc","response":""}
2024-07-25 21:27:07 flipt  | {"L":"INFO","T":"2024-07-25T21:27:07+07:00","M":"finished unary call with code OK","server":"grpc","grpc.start_time":"2024-07-25T21:27:07+07:00","system":"grpc","span.kind":"server","grpc.service":"flipt.Flipt","grpc.method":"ListFlags","peer.address":"127.0.0.1:59186","grpc.code":"OK","grpc.time_ms":0.992}
2024-07-25 21:27:20 flipt  | {"L":"DEBUG","T":"2024-07-25T21:27:20+07:00","M":"create flag","server":"grpc","request":"key:\"test\"  name:\"test\"  enabled:true  namespace_key:\"default\"  type:BOOLEAN_FLAG_TYPE"}
2024-07-25 21:27:20 flipt  | {"L":"DEBUG","T":"2024-07-25T21:27:20+07:00","M":"create flag","server":"grpc","response":"key:\"test\"  name:\"test\"  enabled:true  created_at:{seconds:1721917640  nanos:91448000}  updated_at:{seconds:1721917640  nanos:91448000}  namespace_key:\"default\"  type:BOOLEAN_FLAG_TYPE"}
2024-07-25 21:27:20 flipt  | {"L":"INFO","T":"2024-07-25T21:27:20+07:00","M":"finished unary call with code OK","server":"grpc","grpc.start_time":"2024-07-25T21:27:20+07:00","system":"grpc","span.kind":"server","grpc.service":"flipt.Flipt","grpc.method":"CreateFlag","peer.address":"127.0.0.1:59186","grpc.code":"OK","grpc.time_ms":21.101}
2024-07-25 21:27:20 flipt  | {"L":"DEBUG","T":"2024-07-25T21:27:20+07:00","M":"get flag","server":"grpc","request":"key:\"test\"  namespace_key:\"default\""}
2024-07-25 21:27:20 flipt  | {"L":"DEBUG","T":"2024-07-25T21:27:20+07:00","M":"get flag","server":"grpc","response":"key:\"test\"  name:\"test\"  enabled:true  created_at:{seconds:1721917640  nanos:91448000}  updated_at:{seconds:1721917640  nanos:91448000}  namespace_key:\"default\"  type:BOOLEAN_FLAG_TYPE"}
2024-07-25 21:27:20 flipt  | {"L":"INFO","T":"2024-07-25T21:27:20+07:00","M":"finished unary call with code OK","server":"grpc","grpc.start_time":"2024-07-25T21:27:20+07:00","system":"grpc","span.kind":"server","grpc.service":"flipt.Flipt","grpc.method":"GetFlag","peer.address":"127.0.0.1:59186","grpc.code":"OK","grpc.time_ms":1.444}
2024-07-25 21:27:20 flipt  | {"L":"DEBUG","T":"2024-07-25T21:27:20+07:00","M":"list rollout rules","server":"grpc","request":"namespace_key:\"default\"  flag_key:\"test\""}
2024-07-25 21:27:20 flipt  | {"L":"DEBUG","T":"2024-07-25T21:27:20+07:00","M":"list rollout rules","server":"grpc","response":""}
2024-07-25 21:27:20 flipt  | {"L":"INFO","T":"2024-07-25T21:27:20+07:00","M":"finished unary call with code OK","server":"grpc","grpc.start_time":"2024-07-25T21:27:20+07:00","system":"grpc","span.kind":"server","grpc.service":"flipt.Flipt","grpc.method":"ListRollouts","peer.address":"127.0.0.1:59186","grpc.code":"OK","grpc.time_ms":2.085}

Is this not in the documentation yet?

And how do I put policy.rego in experimental?

We just released a fix in v1.46.2. If you upgrade to this version you shouldn’t have to mess with experimental at all. Sorry about that.

1 Like
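After a change like this, the request logs can show whether the gate is really on: in the log posted above, `flipt.Flipt` calls finish with `OK` right after `GetAuthenticationSelf` reports `Unauthenticated` for the same peer. The Python below is an added example, not code from the thread or from the Flipt project; its sample lines are constructed in the posted log format, the per-peer correlation is a heuristic suited to a single test session, and `PermissionDenied` is assumed as the authorization denial code.

```python
import json

# Constructed sample in the format of the logs posted in this thread:
# optional docker-compose prefix, then one JSON object per line (fields trimmed).
SAMPLE_LOG = r'''
2024-07-25 21:27:04 flipt  | {"L":"INFO","M":"finished unary call with code Unauthenticated","grpc.service":"flipt.auth.AuthenticationService","grpc.method":"GetAuthenticationSelf","peer.address":"127.0.0.1:59186","grpc.code":"Unauthenticated"}
2024-07-25 21:27:04 flipt  | {"L":"DEBUG","M":"list namespaces","server":"grpc","request":""}
2024-07-25 21:27:04 flipt  | {"L":"INFO","M":"finished unary call with code OK","grpc.service":"flipt.Flipt","grpc.method":"ListNamespaces","peer.address":"127.0.0.1:59186","grpc.code":"OK"}
2024-07-25 21:27:20 flipt  | {"L":"INFO","M":"finished unary call with code OK","grpc.service":"flipt.Flipt","grpc.method":"CreateFlag","peer.address":"127.0.0.1:59186","grpc.code":"OK"}
{"L":"INFO","M":"finished unary call with code Unauthenticated","grpc.service":"flipt.Flipt","grpc.method":"ListFlags","peer.address":"127.0.0.1:48642","grpc.code":"Unauthenticated"}
'''

# "Unauthenticated" appears in the thread's logs; "PermissionDenied" is the
# standard gRPC code assumed here for an authorization denial.
REJECT_CODES = {"Unauthenticated", "PermissionDenied"}


def parse_entries(text):
    """Yield the JSON object on each log line, ignoring any prefix before '{'."""
    for line in text.splitlines():
        start = line.find("{")
        if start < 0:
            continue
        try:
            yield json.loads(line[start:])
        except json.JSONDecodeError:
            continue  # truncated or non-JSON line


def audit(text, protected_service="flipt.Flipt"):
    """Return (served_anonymous, rejected) call lists for the protected service."""
    anonymous = set()  # peers whose last GetAuthenticationSelf was Unauthenticated
    served_anonymous, rejected = [], []
    for e in parse_entries(text):
        code, peer = e.get("grpc.code"), e.get("peer.address")
        service, method = e.get("grpc.service"), e.get("grpc.method")
        if code is None:
            continue  # not a "finished unary call" entry
        if method == "GetAuthenticationSelf":
            if code == "OK":
                anonymous.discard(peer)
            elif code == "Unauthenticated":
                anonymous.add(peer)
        elif service == protected_service:
            if code in REJECT_CODES:
                rejected.append((peer, method, code))
            elif code == "OK" and peer in anonymous:
                served_anonymous.append((peer, method))
    return served_anonymous, rejected
```

A non-empty first list from a session that sent no credentials means the server answered protected calls anyway; with enforcement on, those calls should land in the second list instead.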

Thank you for helping me.

I have another problem: if I integrate OIDC Keycloak and also enable the static token, which token should I use when using the API? Is it the OIDC accessToken or the static token? I tried both but it didn’t work.

Hey Wahyugnc! Static tokens should work. OIDC is primarily intended for the UI and browser session authentication.

Which Flipt clients are you using? Or, if you’re using a hand-rolled one, how are you presenting the static token on the requests?

Hi @george ,

I am trying to use the Flipt API, with this sample request:

curl --location 'http://flipt-self-hosted.com/api/v1/namespaces/default/flags' \
--header 'Accept: application/json' \
--header 'Authorization: Bearer xxxxxx'

response

{
    "code": 16,
    "message": "request was not authenticated",
    "details": []
}

The following is an example of the YAML config:

authentication:
  required: true
  session:
    domain: domain.com
  methods:
    token:
      enabled: true
      bootstrap:
        token: "secret"
        expiration: 24h
      cleanup:
        interval: 2h
        grace_period: 48h
    oidc:
      enabled: true
      providers:
        keycloak:
          issuer_url: 'auth-domain.com'
          client_id: flipt
          client_secret: xxx
          redirect_address: 'domain.com'
authorization:
  required: true
  backend: local
  local:
    policy:
      path: policy.rego

Is there something wrong with my configuration?

Thanks for sharing that @wahyugnc! On initial glance I can’t see anything immediately obvious.

Just to clarify, you’re putting your static token where the xxxxxx is after the word Bearer in the Authorization header?

Yes, static token xxxxxx after word Bearer

Do you have access to the UI by logging in with Keycloak? Or does that also not work?

I’m wondering if perhaps your bootstrap token is not what you expect. It only gets respected the first time you run Flipt; if it’s empty the first time, it makes a random one up and logs that on first load.
But if you make another token through the UI, that should be valid.

Yes, access to the UI with Keycloak is successful.

I generated a new token from the UI, but the token is not valid. This is an example log:


{"L":"INFO","T":"2024-07-26T10:08:31Z","M":"finished unary call with code Unauthenticated","server":"grpc","grpc.start_time":"2024-07-26T10:08:31Z","system":"grpc","span.kind":"server","grpc.service":"flipt.Flipt","grpc.method":"ListFlags","peer.address":"127.0.0.1:48642","error":"rpc error: code = Unauthenticated desc = request was not authenticated","grpc.code":"Unauthenticated","grpc.time_ms":1.685}

Hi, @george ,

I tried restarting Flipt and now I can call the API. Maybe a cache issue? I have already activated the cache config.

Hey @wahyugnc! Interesting! So after a restart it works, and you have the (redis? or memory?) cache enabled?