REST API default user NOT CREATED / NOT GRANTED access-rest-api privilege

First, I launch OpenLDAP:

# docker pull osixia/openldap

docker run --detach --name openldap \
  --publish 10389:389 \
  --publish 10636:636 \
  --volume ~/workspace/Robinyo/serendipity:/serendipity \
  --env LDAP_ORGANISATION="flowable" \
  --env LDAP_DOMAIN="flowable.org" \
  --env LDAP_ADMIN_PASSWORD="secret" \
  osixia/openldap:1.2.3

Then, I update OpenLDAP:

# In the project directory: /serendipity

docker exec openldap ldapadd \
  -x -H ldap://localhost \
  -D "cn=admin,dc=flowable,dc=org" \
  -w secret \
  -f ./serendipity/flowable/flowable.ldif

flowable.ldif describes Flowable’s users and groups:

# flowable.org
# dn: dc=flowable,dc=org
# objectClass: top
# objectClass: dcObject
# objectClass: organization
# o: flowable
# dc: flowable

# admin, flowable.org
# dn: cn=admin,dc=flowable,dc=org
# objectClass: simpleSecurityObject
# objectClass: organizationalRole
# cn: admin
# description: LDAP administrator
# userPassword:: e1NTSEF9TFFqN05uYzcydWVpcUREUHdxQ0xoMlNwRHB5V2FzaDY=

# Users root

dn: ou=users, dc=flowable,dc=org
ou: users
description: All users in the organisation
objectclass: organizationalUnit
objectClass: extensibleObject
objectClass: top

# Groups root

dn: ou=groups, dc=flowable,dc=org
ou: groups
description: All groups in the organisation
objectclass: organizationalUnit
objectClass: extensibleObject
objectClass: top

# Actual users

dn: cn=Flowable, ou=users,dc=flowable,dc=org
objectclass: inetOrgPerson
cn: Flowable
sn: Administrator
uid: flowable
userPassword:: dGVzdA==

# REST API Basic Auth user

dn: cn=Flowable Rest API, ou=users,dc=flowable,dc=org
objectclass: inetOrgPerson
cn: Flowable Rest API
sn: Administrator
uid: flowable-rest
userPassword:: dGVzdA==

When I launch the flowable/all-in-one image:

# docker pull flowable/all-in-one

docker run -d --name flowable \
  -p 8080:8080 \
  --env-file ldap-env.txt \
  flowable/all-in-one

I use an environment file (ldap-env.txt) to pass properties to the Docker container:

#
# https://docs.spring.io/spring-boot/docs/2.0.7.RELEASE/reference/html/boot-features-external-config.html#boot-features-external-config-relaxed-binding
# Note: Upper case format is recommended when using system environment variables
#

#
# LDAP
#

FLOWABLE_IDM_LDAP_ENABLED=true
FLOWABLE_IDM_LDAP_SERVER=ldap://host.docker.internal
FLOWABLE_IDM_LDAP_PORT=10389
FLOWABLE_IDM_LDAP_USER=cn=admin,dc=flowable,dc=org
FLOWABLE_IDM_LDAP_PASSWORD=secret
FLOWABLE_IDM_LDAP_BASE_DN=dc=flowable,dc=org
FLOWABLE_IDM_LDAP_USER_BASE_DN=ou=users,dc=flowable,dc=org
FLOWABLE_IDM_LDAP_GROUP_BASE_DN=ou=groups,dc=flowable,dc=org
FLOWABLE_IDM_LDAP_QUERY_USER_BY_ID=(&(objectClass=inetOrgPerson)(uid={0}))
FLOWABLE_IDM_LDAP_QUERY_USER_BY_FULL_NAME_LIKE=(&(objectClass=inetOrgPerson)(|({0}=*{1}*)({2}=*{3}*)))
FLOWABLE_IDM_LDAP_QUERY_ALL_USERS=(objectClass=inetOrgPerson)
FLOWABLE_IDM_LDAP_QUERY_GROUPS_FOR_USER=(&(objectClass=groupOfUniqueNames)(uniqueMember={0}))
FLOWABLE_IDM_LDAP_QUERY_ALL_GROUPS=(objectClass=groupOfUniqueNames)
FLOWABLE_IDM_LDAP_QUERY_GROUP_BY_ID=(&(objectClass=groupOfUniqueNames)(uniqueId={0}))
FLOWABLE_IDM_LDAP_ATTRIBUTE_USER_ID=uid
FLOWABLE_IDM_LDAP_ATTRIBUTE_FIRST_NAME=cn
FLOWABLE_IDM_LDAP_ATTRIBUTE_LAST_NAME=sn
FLOWABLE_IDM_LDAP_ATTRIBUTE_EMAIL=mail
FLOWABLE_IDM_LDAP_ATTRIBUTE_GROUP_ID=cn
FLOWABLE_IDM_LDAP_ATTRIBUTE_GROUP_NAME=cn
FLOWABLE_IDM_LDAP_CACHE_GROUP_SIZE=10000
FLOWABLE_IDM_LDAP_CACHE_GROUP_EXPIRATION=180000

#
# DEFAULT ADMINISTRATOR ACCOUNTS
#

FLOWABLE_IDM_APP_ADMIN_USER_ID=flowable
FLOWABLE_IDM_APP_ADMIN_PASSWORD=test
FLOWABLE_IDM_APP_ADMIN_FIRST_NAME=Flowable
FLOWABLE_IDM_APP_ADMIN_LAST_NAME=Administrator
FLOWABLE_IDM_APP_ADMIN_EMAIL=admin@flowable.org

FLOWABLE_COMMON_APP_IDM_ADMIN_USER=flowable
FLOWABLE_COMMON_APP_IDM_ADMIN_PASSWORD=test

#
# DEFAULT REST API ACCOUNTS
#

FLOWABLE_REST_APP_ADMIN_USERID=flowable-rest
FLOWABLE_REST_APP_ADMIN_PASSWORD=test
FLOWABLE_REST_APP_ADMIN_FIRSTNAME=Flowable Rest API
FLOWABLE_REST_APP_ADMIN_LASTNAME=Administrator

The REST API environment variables are set correctly, for example:

docker exec flowable sh -c 'echo "$FLOWABLE_REST_APP_ADMIN_USERID"'

Sample output:

flowable-rest

And the flowable-rest user has been created in OpenLDAP:

docker exec openldap ldapsearch -x -H ldap://localhost -b dc=flowable,dc=org -D "cn=admin,dc=flowable,dc=org" -w secret

Sample output:

...

# Flowable Rest API, users, flowable.org
dn: cn=Flowable Rest API,ou=users,dc=flowable,dc=org
objectClass: inetOrgPerson
cn: Flowable Rest API
sn: Administrator
userPassword:: dGVzdA==
uid: flowable-rest

However, the REST API default user (flowable-rest) has not been granted the access-rest-api privilege:

Ref: Serendipity’s Developer Documentation

As per the REST API General Flowable REST principles, a default user that can access the REST API can be configured by setting the following properties:

flowable.rest.app.admin.user-id=rest-admin
flowable.rest.app.admin.password=test
flowable.rest.app.admin.first-name=Rest
flowable.rest.app.admin.last-name=Admin

I have tried several different scenarios, for example, without LDAP:

docker run -d --name flowable \
  -p 8080:8080 \
  -e "flowable.rest.app.admin.user-id=flowable-rest;flowable.rest.app.admin.password=test;flowable.rest.app.admin.first-name=Flowable Rest API;flowable.rest.app.admin.last-name=Administrator" \
  --env-file no-ldap-env.txt \
  flowable/all-in-one

Flowable IDM:

With LDAP:

docker run -d --name flowable \
  -p 8080:8080 \
  -e "flowable.rest.app.admin.user-id=flowable-rest;flowable.rest.app.admin.password=test;flowable.rest.app.admin.first-name=Flowable Rest API;flowable.rest.app.admin.last-name=Administrator" \
  --env-file ldap-env.txt \
  flowable/all-in-one

Flowable IDM:

I think that this issue may be related to the Alpine Image (and/or Relaxed Binding): Change in environment variable setting behaviour in 3.6 image?

For example:

docker run -d --name flowable \
  -p 8080:8080 \
  --env-file no-ldap-env.txt \
  flowable/all-in-one

I use an environment file to pass properties to the Docker container. I have tried several different scenarios (REST APP variable names) without success:

no-ldap-env.txt:

#
# https://docs.spring.io/spring-boot/docs/2.0.7.RELEASE/reference/html/boot-features-external-config.html#boot-features-external-config-relaxed-binding
# Note: Upper case format is recommended when using system environment variables
#

# https://github.com/flowable/flowable-engine/issues/1958#issuecomment-571569786
# -e "spring.datasource.url=jdbc:h2:~/flowable-db/db;AUTO_SERVER=TRUE;AUTO_SERVER_PORT=9091;DB_CLOSE_DELAY=-1"

#
# DEFAULT ADMINISTRATOR ACCOUNTS
#

FLOWABLE_IDM_APP_ADMIN_USER_ID=flowable
FLOWABLE_IDM_APP_ADMIN_PASSWORD=test
FLOWABLE_IDM_APP_ADMIN_FIRST_NAME=Flowable
FLOWABLE_IDM_APP_ADMIN_LAST_NAME=Administrator
FLOWABLE_IDM_APP_ADMIN_EMAIL=admin@flowable.org

FLOWABLE_COMMON_APP_IDM_ADMIN_USER=flowable
FLOWABLE_COMMON_APP_IDM_ADMIN_PASSWORD=test

#
# DEFAULT REST API ACCOUNTS - See: https://flowable.com/open-source/docs/bpmn/ch15-REST/
#

# flowable.rest.app.admin.user-id=rest-admin
# flowable.rest.app.admin.password=test
# flowable.rest.app.admin.first-name=Rest
# flowable.rest.app.admin.last-name=Admin

# FLOWABLE.REST.APP.ADMIN.USER-ID=flowable-rest
# FLOWABLE.REST.APP.ADMIN.PASSWORD=test
# FLOWABLE.REST.APP.ADMIN.FIRST-NAME=Flowable Rest API
# FLOWABLE.REST.APP.ADMIN.LAST-NAME=Administrator

#
# DEFAULT REST API ACCOUNTS - See: https://github.com/flowable/flowable-engine/blob/master/modules/flowable-app-rest/src/main/resources/flowable-default.properties
#

# flowable.rest.app.admin.user-id=rest-admin
# flowable.rest.app.admin.password=test
# flowable.rest.app.admin.firstname=Rest
# flowable.rest.app.admin.lastname=Admin

# FLOWABLE.REST.APP.ADMIN.USER-ID=flowable-rest

# FLOWABLE.REST.APP.ADMIN.USERID=flowable-rest
# FLOWABLE.REST.APP.ADMIN.PASSWORD=test
# FLOWABLE.REST.APP.ADMIN.FIRSTNAME=Flowable Rest API
# FLOWABLE.REST.APP.ADMIN.LASTNAME=Administrator

# flowable.rest.app.admin.userId=flowable-rest
# flowable.rest.app.admin.password=test
# flowable.rest.app.admin.firstName=Flowable Rest API
# flowable.rest.app.admin.lastName=Administrator

# flowable_rest_app_admin_userId=flowable-rest
# flowable_rest_app_admin_password=test
# flowable_rest_app_admin_firstName=Flowable Rest API
# flowable_rest_app_admin_lastName=Administrator

# -

# flowable.rest.app.admin.user-id=rest-admin
# flowable.rest.app.admin.password=test
# flowable.rest.app.admin.first-name=Rest
# flowable.rest.app.admin.last-name=Admin

FLOWABLE_REST_APP_ADMIN_USER_ID=flowable-rest
FLOWABLE_REST_APP_ADMIN_PASSWORD=test
FLOWABLE_REST_APP_ADMIN_FIRST_NAME=Flowable Rest API
FLOWABLE_REST_APP_ADMIN_LAST_NAME=Administrator

I have raised the following issue: REST API default user is not created
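
Added example (not part of the original post or of the Flowable project): a shell check for the naming questions raised by the scenarios above. It assumes Spring Boot's documented rule for environment-variable names (dots become underscores, dashes are removed, upper case) and Docker's splitting of each -e argument at the first '=' only. The function names and sample inputs are constructed.

```shell
#!/bin/sh
# Added example: function names and sample input are constructed.

# Spring Boot's documented mapping from a canonical property name to an
# environment variable: dots -> underscores, dashes removed, upper case.
spring_env_name() {
  printf '%s\n' "$1" | sed 's/-//g; s/\./_/g' | tr '[:lower:]' '[:upper:]'
}

# Docker splits each "-e NAME=VALUE" argument at the first '=' only,
# so a semicolon-separated list becomes one variable with one long value.
env_arg_name()  { printf '%s\n' "${1%%=*}"; }
env_arg_value() { printf '%s\n' "${1#*=}"; }

# Read env-file text on stdin and print each key that is not a portable
# shell variable name ([A-Za-z_][A-Za-z0-9_]*). A POSIX shell cannot hold
# such names as variables. Comments and blank lines are skipped.
invalid_env_keys() {
  while IFS= read -r line; do
    case "$line" in ''|'#'*) continue ;; esac
    key=${line%%=*}
    case "$key" in
      [!A-Za-z_]*|*[!A-Za-z0-9_]*) printf '%s\n' "$key" ;;
    esac
  done
}

# Demo 1: the documented property names and their environment-variable forms.
for p in flowable.rest.app.admin.user-id flowable.rest.app.admin.first-name; do
  printf '%s -> %s\n' "$p" "$(spring_env_name "$p")"
done

# Demo 2: how a semicolon-joined -e argument is actually split.
arg='flowable.rest.app.admin.user-id=flowable-rest;flowable.rest.app.admin.password=test'
printf 'name=%s\nvalue=%s\n' "$(env_arg_name "$arg")" "$(env_arg_value "$arg")"

# Demo 3: lint a constructed env file; only the dotted keys are reported.
printf '%s\n' \
  '# constructed env file' \
  'FLOWABLE_REST_APP_ADMIN_USERID=flowable-rest' \
  'FLOWABLE.REST.APP.ADMIN.PASSWORD=test' \
  'flowable.rest.app.admin.first-name=Rest' | invalid_env_keys
```

To lint a real file, run `invalid_env_keys < ldap-env.txt`; no output means every key is a name the shell inside the container can carry.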