how to restore the original scope authorities for uaa admin in tkgi


Article ID: 342912


Products

VMware Tanzu Kubernetes Grid Integrated Edition

Issue/Introduction

This KB explains how to restore the original scope authorities for the UAA admin account used by TKGi.

Symptoms:
When manipulating the scope authorities of the UAA admin account used by TKGi, you may inadvertently assign a wrong scope to the account. This can prevent any uaac command from running while you are using the UAA admin account:

ubuntu@opsmgr:~$ uaac clients

error response:
{
  "error": "insufficient_scope",
  "error_description": "Insufficient scope for this resource",
  "scope": "uaa.admin clients.read clients.admin zones.uaa.admin"
}



Environment

VMware Tanzu Kubernetes Grid Integrated Edition 1.x

Cause

The wrong scope was assigned to the UAA admin account while manipulating the scope authorities as outlined in Creating and Managing Users with the Tanzu UAA CLI.

Resolution

The UAA admin account is stored in the MySQL database running on the pks-db VM under the pivotal-container-service deployment.

1. Use bosh ssh to connect to the pks-db VM:

bosh -d pivotal-container-service-DEPLOYMENT ssh pks-db


2. Back up the uaa database with mysqldump from the pks-db VM:

sudo /var/vcap/packages/pxc/bin/mysqldump --defaults-file=/var/vcap/jobs/pxc-mysql/config/mylogin.cnf uaa > /tmp/database_uaa.sql


3. Connect to MySQL from the pks-db VM and select the uaa database:

mysql --defaults-file=/var/vcap/jobs/pxc-mysql/config/mylogin.cnf

mysql> USE uaa;


4. Confirm the current scope authorities of the UAA admin account:

mysql> SELECT client_id,scope,authorities FROM oauth_client_details WHERE client_id = 'admin' ;


5. Restore the original scope authorities of the UAA admin account:

mysql> UPDATE oauth_client_details SET authorities = 'uaa.admin,clients.read,clients.write,clients.secret,scim.read,scim.write,clients.admin,pks.clusters.admin,pks.clusters.admin.read,pks.clusters.manage' WHERE client_id = 'admin' ;

6. Confirm that the original scope authorities of the UAA admin account have been restored:

mysql> SELECT client_id,scope,authorities FROM oauth_client_details WHERE client_id = 'admin' ;
+-----------+----------+-------------------------------------------------------------------------------------------------------------------------------------------------------+
| client_id | scope    | authorities                                                                                                                                           |
+-----------+----------+-------------------------------------------------------------------------------------------------------------------------------------------------------+
| admin     | uaa.none | uaa.admin,clients.read,clients.write,clients.secret,scim.read,scim.write,clients.admin,pks.clusters.admin,pks.clusters.admin.read,pks.clusters.manage |
+-----------+----------+-------------------------------------------------------------------------------------------------------------------------------------------------------+



7. Confirm with the uaac CLI from the Ops Manager VM that you can now list the UAA clients (PKS_UAA_MANAGEMENT_ADMIN_CLIENT and TKGI_API_URL can be retrieved from the TKGi tile):

uaac target https://TKGI_API_URL:8443 --skip-ssl-validation
uaac token client get admin -s PKS_UAA_MANAGEMENT_ADMIN_CLIENT
uaac clients
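As an added example (not part of this KB), the following POSIX shell helper compares the admin client's authorities column against the list restored in step 5, so the checks in steps 4 and 6 can be made mechanically rather than by eye. The fetch_admin_authorities function, the constructed damaged row and the mysql -N -B flags are assumptions about the pks-db environment, not something the KB states.

```shell
# Added example, not from the KB: diff the admin client's 'authorities'
# column against the list the KB restores in step 5.

# Expected authorities for client_id 'admin', copied from step 5 of the KB.
EXPECTED_AUTHORITIES='uaa.admin,clients.read,clients.write,clients.secret,scim.read,scim.write,clients.admin,pks.clusters.admin,pks.clusters.admin.read,pks.clusters.manage'

# Constructed sample of a damaged row: uaa.admin dropped, uaa.resource added.
SAMPLE_DAMAGED='clients.read,clients.write,clients.secret,scim.read,scim.write,clients.admin,pks.clusters.admin,pks.clusters.admin.read,pks.clusters.manage,uaa.resource'

# Print every comma-separated entry of $1 that is absent from the list $2.
# Runs in a subshell so the IFS change does not leak to the caller.
list_diff() (
  haystack=",$2,"
  IFS=,
  for entry in $1; do
    case "$haystack" in
      *",$entry,"*) ;;
      *) printf '%s\n' "$entry" ;;
    esac
  done
)

# Expected authorities missing from the current value.
missing_authorities() { list_diff "$EXPECTED_AUTHORITIES" "$1"; }
# Authorities present in the current value but not expected.
extra_authorities() { list_diff "$1" "$EXPECTED_AUTHORITIES"; }

# Report the differences; return 0 only when the row matches exactly.
check_authorities() {
  missing=$(missing_authorities "$1")
  extra=$(extra_authorities "$1")
  if [ -z "$missing" ] && [ -z "$extra" ]; then
    echo "admin authorities match the expected TKGi list"
    return 0
  fi
  [ -n "$missing" ] && echo "missing: $(echo "$missing" | tr '\n' ' ')"
  [ -n "$extra" ] && echo "extra:   $(echo "$extra" | tr '\n' ' ')"
  return 1
}

# Assumption: run on the pks-db VM with the mysql client and the mylogin.cnf
# path from the KB; -N -B return the bare column value without a header.
fetch_admin_authorities() {
  mysql --defaults-file=/var/vcap/jobs/pxc-mysql/config/mylogin.cnf -N -B uaa \
    -e "SELECT authorities FROM oauth_client_details WHERE client_id = 'admin';"
}

check_authorities "$SAMPLE_DAMAGED" || true   # demo on the constructed sample
```

On pks-db the real check is `check_authorities "$(fetch_admin_authorities)"`, run once before the UPDATE in step 5 and once after it.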