“AZF domain not created for application” AuthZforce

问题

I have an application that uses the KeyRock, PEP, PDP(AuthZForce).

The security level 1 (authentication) with Keyrock and PEP are working, but when we try to use AuthZForce to check the authorization, I get the error message:

AZF domain not created for application

I have my user and my application that I created following the steps on the Fiware IdM User and Programmers Guide.

I am also able to create domains as stated in the AuthZForce - Installation and Administration Guide but I don't know how to bind the Domain ID with user roles when creating them.

So, how can I insert users/organizations/applications under a specific domain, and then have the security level 2?

My config.js file:

config.azf = {
    enabled: true,
    host: '192.168.99.100',
    port: 8080,
    path: '/authzforce/domains/',
    custom_policy: undefined  
};

And my docker-compose.yml file is:

authzforce:
    image: fiware/authzforce-ce-server:release-5.4.1
    hostname: authzforce
    container_name: authzforce
    ports:
      - "8080:8080"

keyrock:
    image: fiware/idm:v5.4.0
    hostname: keyrock
    container_name: keyrock 
    ports:
        - "5000:5000"
        - "8000:8000" 

pepproxy:
    build: Docker/fiware-pep-proxy
    hostname: pepproxy
    container_name: pepproxy
    ports:
        - 80:80
    links:
        - authzforce
        - keyrock 

This question is the same that AuthZForce Security Level 2: Basic Authorization error "AZF domain not created for application", but I get the same error, and my keyrock version is v5.4.0.

回答1:

I changed the AuthZForce GE Configuration: http://fiware-idm.readthedocs.io/en/latest/admin_guide.html#authzforce-ge-configuration

回答2:

After reviewing the horizon source code I found that function "policyset_update" in openstack_dashboard/fiware_api/access_control_ge.py returns inmediatly if ACCESS_CONTROL_MAGIC_KEY is None (the default configuration) or an empty string,so the communication with AuthZForce never takes place. Despite this parameter is optional when you don't have AuthZForce behind a PEP Proxy, you have to enter some text to avoid this error.

In your case, your string 'undefined' did the work. In fact, as result, a 'X-Auth-Token: undefined' is generated, but ignored when horizon communicates directly with AuthZForce.

Related topic: Fiware AuthZForce error: "AZF domain not created for application"

来源：https://stackoverflow.com/questions/40513118/azf-domain-not-created-for-application-authzforce