how to restore the original scope authorities for uaa admin in tkgi


Article ID: 342912


Products

VMware VMware vSphere with Tanzu

Issue/Introduction

This KB explains how to restore the original scope authorities for the UAA admin account used by TKGI.

Symptoms:
When manipulating the scope authorities for the UAA admin account used by TKGI, you may have inadvertently assigned a wrong scope to the account. This prevents any uaac command from running with the UAA admin account:
ubuntu@opsmgr:~$ uaac clients

error response:
{
  "error": "insufficient_scope",
  "error_description": "Insufficient scope for this resource",
  "scope": "uaa.admin clients.read clients.admin zones.uaa.admin"
}


Environment

Tanzu Kubernetes Grid Integrated Edition 1.1.14.1
VMware Tanzu Kubernetes Grid Integrated Edition 1.x

Cause

The wrong scope was assigned to the UAA admin account while manipulating its scope authorities. See the UAA user management documentation:
https://docs.vmware.com/en/VMware-Tanzu-Application-Service/3.0/tas-for-vms/uaa-user-management.html

Resolution

The UAA admin account is stored in the MySQL database running on the pks-db VM of the pivotal-container-service deployment.

1. BOSH SSH into the pks-db VM:
bosh -d pivotal-container-service-DEPLOYMENT ssh pks-db

2. Back up the uaa database with mysqldump from the pks-db VM:
sudo /var/vcap/packages/pxc/bin/mysqldump --defaults-file=/var/vcap/jobs/pxc-mysql/config/mylogin.cnf uaa > /tmp/database_uaa.sql

3. Connect to MySQL from the pks-db VM and select the uaa database:
mysql --defaults-file=/var/vcap/jobs/pxc-mysql/config/mylogin.cnf

mysql> USE uaa;

4. Confirm the current scope authorities for the UAA admin account:
mysql> SELECT client_id,scope,authorities FROM oauth_client_details WHERE client_id = 'admin' ;

5. Restore the original scope authorities for the UAA admin account:
mysql> UPDATE oauth_client_details SET authorities = 'uaa.admin,clients.read,clients.write,clients.secret,scim.read,scim.write,clients.admin,pks.clusters.admin,pks.clusters.admin.read,pks.clusters.manage' WHERE client_id = 'admin' ;

6. Confirm that the original scope authorities for the UAA admin account have been restored:
mysql> SELECT client_id,scope,authorities FROM oauth_client_details WHERE client_id = 'admin' ;
+-----------+----------+-------------------------------------------------------------------------------------------------------------------------------------------------------+
| client_id | scope    | authorities                                                                                                                                           |
+-----------+----------+-------------------------------------------------------------------------------------------------------------------------------------------------------+
| admin     | uaa.none | uaa.admin,clients.read,clients.write,clients.secret,scim.read,scim.write,clients.admin,pks.clusters.admin,pks.clusters.admin.read,pks.clusters.manage |
+-----------+----------+-------------------------------------------------------------------------------------------------------------------------------------------------------+


7. Confirm with the uaac CLI from the Ops Manager VM that you can now list the UAA clients (PKS_UAA_MANAGEMENT_ADMIN_CLIENT and TKGI_API_URL can be retrieved from the TKGI tile):
uaac target https://TKGI_API_URL:8443 --skip-ssl-validation
uaac token client get admin -s PKS_UAA_MANAGEMENT_ADMIN_CLIENT
uaac clients
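Before running the UPDATE in step 5, it is worth comparing the value returned by the SELECT in step 4 against the expected authorities list, because the UPDATE overwrites the whole column and silently drops any authority that is not in that list. The following POSIX sh helper is an added example, not part of this KB or of TKGI: it takes the raw authorities column value (comma-separated, no spaces, as printed by MySQL), reports which expected authorities are missing and which extra ones would be dropped, and prints the restore statement only when something is actually missing. The sample value is constructed for illustration.

```shell
#!/bin/sh
# Expected authorities of the TKGI UAA 'admin' client (the list from step 5 of the KB).
EXPECTED_AUTHORITIES='uaa.admin,clients.read,clients.write,clients.secret,scim.read,scim.write,clients.admin,pks.clusters.admin,pks.clusters.admin.read,pks.clusters.manage'

# Print, comma-separated, the entries of list $1 that do not appear in list $2.
# Both lists are comma-separated with no surrounding spaces (MySQL column format).
list_diff() {
    result=
    old_ifs=$IFS
    IFS=,
    for item in $1; do
        case ",$2," in
            *",$item,"*) ;;                          # present in $2, skip
            *) result="${result:+$result,}$item" ;;  # absent, collect
        esac
    done
    IFS=$old_ifs
    printf '%s\n' "$result"
}

# Expected authorities that the current value lacks.
missing_authorities() {
    list_diff "$EXPECTED_AUTHORITIES" "$1"
}

# Authorities in the current value that the restore statement would drop.
extra_authorities() {
    list_diff "$1" "$EXPECTED_AUTHORITIES"
}

# Exit status 0 when every expected authority is present, 1 otherwise.
admin_authorities_intact() {
    [ -z "$(missing_authorities "$1")" ]
}

# Print the step 5 UPDATE only when a restore is actually needed.
restore_sql() {
    if admin_authorities_intact "$1"; then
        return 0
    fi
    printf "UPDATE oauth_client_details SET authorities = '%s' WHERE client_id = 'admin' ;\n" "$EXPECTED_AUTHORITIES"
}

# Constructed sample: an admin client whose authorities were damaged, modeled on the failing scope in the symptoms.
SAMPLE_CURRENT='uaa.admin,clients.read,clients.admin,zones.uaa.admin'
echo "missing: $(missing_authorities "$SAMPLE_CURRENT")"
echo "extra (dropped by the UPDATE): $(extra_authorities "$SAMPLE_CURRENT")"
restore_sql "$SAMPLE_CURRENT"
```

Paste the authorities value from step 4 in place of SAMPLE_CURRENT; an empty "extra" line means the UPDATE removes nothing beyond the damaged scope.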