JCN

Reputation: 539

Authentication with Spring-Boot-Admin and Eureka discovery

SBA version 2.0.1

Spring-Cloud Finchley.RELEASE

I have some services registered in Eureka. The services are Spring-Boot apps, and have their actuators secured by HTTP basic auth. The service actuators are at /actuator. The services are working and I can interact with their actuators via Postman and curl. SBA connects to Eureka and discovers the services, but they are always in a down (red) state, except for the SBA application itself, which is shown just fine as green in the SBA console, and I am able to click on it and see its properties.

When I click on one of the service instances, I am prompted for credentials. I'm not sure what credentials to use, so I use the credentials for the service actuator. I already have these credentials in the metadata-map as shown in the docs, but I am still prompted for credentials anyway. This always results in showing the Whitelabel Error Page, with an error message like this:

Mon Jun 25 12:40:57 CDT 2018 There was an unexpected error (type=Method Not Allowed, status=405). Request method 'POST' not supported

Though I note the URL for that error is apparently on the SBA instance itself, not the remote service. The URL decodes to this: http://localhost:8080/#/instances/9207aa5fc06b/

But I see this in the log for the service, so apparently an unauthenticated request is making it to the remote service:

[2018-06-25 12:16:54.242] - DEBUG - [http-nio-8380-exec-7] [AUTHENTICATION_SERVICE_DEV,8dc8165d4f77be7c,8dc8165d4f77be7c,false] --- [nio-8380-exec-7] o.s.w.s.m.m.a.HttpEntityMethodProcessor : Written [{timestamp=Mon Jun 25 12:16:54 CDT 2018, status=401, error=Unauthorized, message=Unauthorized, path=/actuator/health}] as "application/vnd.spring-boot.actuator.v2+json" using [org.springframework.http.converter.json.MappingJackson2HttpMessageConverter@30c8681]

And this in the SBA log:

2018-06-25 12:39:40.884 ERROR [SERVICES_ADMIN_CONSOLE_LOCAL,,,] 20728 --- [nio-8080-exec-8] o.a.c.c.C.[.[.[/].[dispatcherServlet] : Servlet.service() for servlet [dispatcherServlet] in context with path [] threw exception

java.io.IOException: An established connection was aborted by the software in your host machine

This is the root of my confusion: I'm not sure what credentials I need or even what I am authenticating to. I have provided the credentials to the remote service in properties as well as in the login form, and it doesn't work.

When I click on the SBA application in the SBA console, it works as expected. So this seems to be related to authenticating to a remote actuator, but I can't figure out what the problem is.

Server:

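import de.codecentric.boot.admin.server.config.EnableAdminServer;
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.EnableAutoConfiguration;
import org.springframework.cloud.netflix.eureka.EnableEurekaClient;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableAutoConfiguration
@EnableEurekaClient
@EnableAdminServer
public class ServiceAdmin {

    public static void main(String[] args) {
        SpringApplication.run(ServiceAdmin.class, args);
    }

    // Permits every request to the SBA server and disables CSRF protection.
    @Configuration
    public static class SecurityPermitAllConfig extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.authorizeRequests().anyRequest().permitAll()
                    .and().csrf().disable();
        }
    }
}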

SBA Config:

management.endpoints.web.exposure.include=*
management.endpoint.health.show-details=always
management.info.git.mode=full
management.endpoint.shutdown.enabled=true
spring.security.user.name=actuator
spring.security.user.password=password
spring.security.user.roles=ACTUATOR

eureka.instance.leaseRenewalIntervalInSeconds=10
eureka.instance.health-check-url-path=/actuator/health
eureka.instance.metadata-map.user.name=actuator
eureka.instance.metadata-map.user.password=password
eureka.client.registryFetchIntervalSeconds=5
eureka.client.serviceUrl.defaultZone=http://svcregistry1.mycompany.com/eureka/,http://svcregistry2.mycompany.com

Upvotes: 1

Views: 2942

Answers (2)

Jan Nielsen

Reputation: 351

For anyone coming to this question as puzzled as I was, to clear up this answer:

I have Eureka and the Spring Boot Admin server/UI in the same application.

All the services that register with Eureka AND Spring Boot Admin need their own /actuator credentials present as metadata:

eureka.instance.metadata-map.user.name = ${endpoints.user.name} 
eureka.instance.metadata-map.user.password = ${endpoints.user.password}

This post cleared up a few things. https://zoltanaltfatter.com/2018/05/15/spring-cloud-discovery-with-spring-boot-admin/

Upvotes: 2

JCN

Reputation: 539

The problem here was that I failed to understand the docs. The Eureka credentials in the metadataMap have to be provided by the monitored application at registration time, not provided in the SBA config.

Upvotes: 0
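
The diagnosis in the answers above, as an added example that is not part of the original posts: a check over a registry listing that reports which instances published actuator credentials in their own registration metadata. The registry document is constructed (its shape is assumed to follow Eureka's `/eureka/apps` JSON), and `basic_auth_header` and `audit` are hypothetical helper names.

```python
import base64
import json

# Constructed sample; instance ids and layout are assumptions for illustration.
# It mirrors the question: only the SBA app itself registered credentials.
SAMPLE_REGISTRY = json.loads("""
{"applications": {"application": [
  {"name": "SERVICES_ADMIN_CONSOLE_LOCAL", "instance": [
    {"instanceId": "admin-1",
     "healthCheckUrl": "http://localhost:8080/actuator/health",
     "metadata": {"user.name": "actuator", "user.password": "password"}}]},
  {"name": "AUTHENTICATION_SERVICE_DEV", "instance": [
    {"instanceId": "auth-1",
     "healthCheckUrl": "http://localhost:8380/actuator/health",
     "metadata": {"management.port": "8380"}}]}
]}}
""")


def basic_auth_header(metadata):
    """Authorization value derivable from ONE instance's own metadata, else None."""
    user = metadata.get("user.name")
    password = metadata.get("user.password")
    if not user or not password:
        return None
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def audit(registry):
    """Map instanceId -> True when that registration carries actuator credentials."""
    result = {}
    for app in registry["applications"]["application"]:
        instances = app["instance"]
        if isinstance(instances, dict):  # tolerate a single instance sent as an object
            instances = [instances]
        for inst in instances:
            header = basic_auth_header(inst.get("metadata") or {})
            result[inst["instanceId"]] = header is not None
    return result


if __name__ == "__main__":
    for instance_id, ok in audit(SAMPLE_REGISTRY).items():
        state = "credentials registered" if ok else "none: health poll gets 401"
        print(instance_id, state)
```

Anything placed in the metadata map is readable by every client that can query the registry, so access to the registry itself needs to be restricted.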
