[discourse] Authorization configuration

[markphelps]

Originally posted by wahyugnc on Discourse

Hello Team,

Currently, I am trying to enable authorization, but it is not activating even though I have enabled the feature, but not work

bash

set FLIPT_AUTHORIZATION_REQUIRED=true

set FLIPT_AUTHORIZATION_BACKEND=local

set FLIPT_AUTHORIZATION_BACKEND_LOCAL_POLICY_PATH=“/config/policy.rego”

Thanks

[dosubot[bot]]

I wasn't able to find documentation or code references that explain why authorization isn't activating or detail the correct setup for the local authorization backend and policy.rego file. I tried searching both the docs and the codebase, but didn't find any relevant guidance or troubleshooting steps.

Could you share more details about your Flipt version, how you're running it (Docker, binary, etc.), and any logs or errors you see? That info might help pinpoint the issue.

To reply, just mention @dosu.

---

^{How did I do? Good | Irrelevant | Incorrect | Verbose | Hallucination | Report 🐛 | Other}   

[markphelps]

Reply from mark on Discourse:

Hey @wahyugnc ! sorry for the delay in responding. I need to enable notifications for this Discourse platform.

May I ask which version of Flipt server you are running?

[markphelps]

Reply from mark on Discourse:

Also are you able to post the contents of /config/policy.rego?

[markphelps]

Reply from wahyugnc on Discourse:

Hi @mark ,

I use flipt version flipt/flipt:v1.46.1

[markphelps]

Reply from wahyugnc on Discourse:

Same with example

package flipt.authz.v1

import rego.v1

default allow := false

allow if {
    claims := json.unmarshal(input.authentication.metadata["io.flipt.auth.claims"])
    "developer" in claims.roles
}

[markphelps]

Reply from mark on Discourse:

Hmm ok. Can you set FLIPT_LOG_LEVEL=debug and post the contents of your log at startup? and perhaps some request logs as well (ie at evaluation time)

[markphelps]

Reply from mark on Discourse:

AH we found the issue

its an issue on our end. we left the experiemental check in from a previous version. try setting FLIPT_EXPERIMENTAL_AUTHORIZATION_ENABLED=true as well

[markphelps]

Reply from wahyugnc on Discourse:

Sori i’m late,

this is log

2024-07-25 21:26:59 flipt  | {"L":"DEBUG","T":"2024-07-25T21:26:59+07:00","M":"configuration source","path":"/etc/flipt/config/default.yml"}
2024-07-25 21:26:59 flipt  | {"L":"INFO","T":"2024-07-25T21:26:59+07:00","M":"flipt starting","version":"v1.46.1","commit":"ac1b2fba83e3fa42956e36cc6aa35cade7bbe871","date":"2024-07-17T19:55:42Z","go_version":"go1.22.5"}
2024-07-25 21:26:59 flipt  | {"L":"DEBUG","T":"2024-07-25T21:26:59+07:00","M":"checking for updates"}
2024-07-25 21:26:59 flipt  | {"L":"DEBUG","T":"2024-07-25T21:26:59+07:00","M":"version info","current_version":"v1.46.1","latest_version":"1.46.1"}
2024-07-25 21:26:59 flipt  | {"L":"INFO","T":"2024-07-25T21:26:59+07:00","M":"running latest version","version":"v1.46.1"}
2024-07-25 21:26:59 flipt  | {"L":"DEBUG","T":"2024-07-25T21:26:59+07:00","M":"local state directory exists","path":"/home/flipt/.config/flipt"}
2024-07-25 21:26:59 flipt  | {"L":"DEBUG","T":"2024-07-25T21:26:59+07:00","M":"starting telemetry reporter","component":"telemetry"}
2024-07-25 21:26:59 flipt  | {"L":"DEBUG","T":"2024-07-25T21:26:59+07:00","M":"initialized new state","component":"telemetry"}
2024-07-25 21:26:59 flipt  | {"L":"DEBUG","T":"2024-07-25T21:26:59+07:00","M":"using driver","server":"grpc","driver":"sqlite3"}
2024-07-25 21:26:59 flipt  | {"L":"DEBUG","T":"2024-07-25T21:26:59+07:00","M":"first run, running migrations...","server":"grpc"}
2024-07-25 21:27:00 flipt  | {"L":"DEBUG","T":"2024-07-25T21:27:00+07:00","M":"migrations complete","server":"grpc"}
2024-07-25 21:27:00 flipt  | {"L":"DEBUG","T":"2024-07-25T21:27:00+07:00","M":"constructing builder","server":"grpc","prepared_statements":true}
2024-07-25 21:27:00 flipt  | {"L":"DEBUG","T":"2024-07-25T21:27:00+07:00","M":"database driver configured","server":"grpc","driver":"sqlite3"}
2024-07-25 21:27:00 flipt  | {"L":"DEBUG","T":"2024-07-25T21:27:00+07:00","M":"store enabled","server":"grpc","store":"sqlite"}
2024-07-25 21:27:00 flipt  | {"L":"DEBUG","T":"2024-07-25T21:27:00+07:00","M":"otel metrics enabled","server":"grpc","exporter":"prometheus"}
2024-07-25 21:27:00 flipt  | {"L":"INFO","T":"2024-07-25T21:27:00+07:00","M":"access token created","server":"grpc","client_token":"lWpgbS0RI1KpOucxxxxxx"}
2024-07-25 21:27:00 flipt  | {"L":"DEBUG","T":"2024-07-25T21:27:00+07:00","M":"authentication method \"token\" server registered","server":"grpc"}
2024-07-25 21:27:00 flipt  | {"L":"DEBUG","T":"2024-07-25T21:27:00+07:00","M":"starting grpc server","server":"grpc"}
2024-07-25 21:27:00 flipt  | {"L":"DEBUG","T":"2024-07-25T21:27:00+07:00","M":"starting http server","server":"http"}
2024-07-25 21:27:00 flipt  | {"L":"INFO","T":"2024-07-25T21:27:00+07:00","M":"api available","server":"http","address":"http://0.0.0.0:8080/api/v1"}
2024-07-25 21:27:00 flipt  | {"L":"INFO","T":"2024-07-25T21:27:00+07:00","M":"ui available","server":"http","address":"http://0.0.0.0:8080"}
2024-07-25 21:27:00 flipt  | {"L":"INFO","T":"2024-07-25T21:27:00+07:00","M":"cleanup process deleting authentications","server":"grpc","service":"authentication cleanup service","method":"METHOD_TOKEN","expired_before":"2024-07-25T13:57:00Z"}
2024-07-25 21:27:04 flipt  | {"L":"INFO","T":"2024-07-25T21:27:04+07:00","M":"finished unary call with code OK","server":"grpc","grpc.start_time":"2024-07-25T21:27:04+07:00","system":"grpc","span.kind":"server","grpc.service":"flipt.meta.MetadataService","grpc.method":"GetInfo","peer.address":"127.0.0.1:59186","grpc.code":"OK","grpc.time_ms":0.212}
2024-07-25 21:27:04 flipt  | {"L":"INFO","T":"2024-07-25T21:27:04+07:00","M":"finished unary call with code Unauthenticated","server":"grpc","grpc.start_time":"2024-07-25T21:27:04+07:00","system":"grpc","span.kind":"server","grpc.service":"flipt.auth.AuthenticationService","grpc.method":"GetAuthenticationSelf","peer.address":"127.0.0.1:59186","error":"rpc error: code = Unauthenticated desc = request was not authenticated","grpc.code":"Unauthenticated","grpc.time_ms":0.21}
2024-07-25 21:27:04 flipt  | {"L":"INFO","T":"2024-07-25T21:27:04+07:00","M":"finished unary call with code OK","server":"grpc","grpc.start_time":"2024-07-25T21:27:04+07:00","system":"grpc","span.kind":"server","grpc.service":"flipt.auth.PublicAuthenticationService","grpc.method":"ListAuthenticationMethods","peer.address":"127.0.0.1:59186","grpc.code":"OK","grpc.time_ms":0.155}
2024-07-25 21:27:04 flipt  | {"L":"INFO","T":"2024-07-25T21:27:04+07:00","M":"finished unary call with code OK","server":"grpc","grpc.start_time":"2024-07-25T21:27:04+07:00","system":"grpc","span.kind":"server","grpc.service":"flipt.meta.MetadataService","grpc.method":"GetInfo","peer.address":"127.0.0.1:59186","grpc.code":"OK","grpc.time_ms":0.158}
2024-07-25 21:27:04 flipt  | {"L":"INFO","T":"2024-07-25T21:27:04+07:00","M":"finished unary call with code OK","server":"grpc","grpc.start_time":"2024-07-25T21:27:04+07:00","system":"grpc","span.kind":"server","grpc.service":"flipt.meta.MetadataService","grpc.method":"GetConfiguration","peer.address":"127.0.0.1:59186","grpc.code":"OK","grpc.time_ms":1.175}
2024-07-25 21:27:04 flipt  | {"L":"DEBUG","T":"2024-07-25T21:27:04+07:00","M":"list namespaces","server":"grpc","request":""}
2024-07-25 21:27:04 flipt  | {"L":"DEBUG","T":"2024-07-25T21:27:04+07:00","M":"list namespaces","server":"grpc","response":"namespaces:{key:\"default\"  name:\"Default\"  description:\"Default namespace\"  protected:true  created_at:{seconds:1721917620}  updated_at:{seconds:1721917620}}  total_count:1"}
2024-07-25 21:27:04 flipt  | {"L":"INFO","T":"2024-07-25T21:27:04+07:00","M":"finished unary call with code OK","server":"grpc","grpc.start_time":"2024-07-25T21:27:04+07:00","system":"grpc","span.kind":"server","grpc.service":"flipt.Flipt","grpc.method":"ListNamespaces","peer.address":"127.0.0.1:59186","grpc.code":"OK","grpc.time_ms":3.543}
2024-07-25 21:27:04 flipt  | {"L":"INFO","T":"2024-07-25T21:27:04+07:00","M":"finished unary call with code OK","server":"grpc","grpc.start_time":"2024-07-25T21:27:04+07:00","system":"grpc","span.kind":"server","grpc.service":"flipt.meta.MetadataService","grpc.method":"GetInfo","peer.address":"127.0.0.1:59186","grpc.code":"OK","grpc.time_ms":0.094}
2024-07-25 21:27:04 flipt  | {"L":"INFO","T":"2024-07-25T21:27:04+07:00","M":"finished unary call with code OK","server":"grpc","grpc.start_time":"2024-07-25T21:27:04+07:00","system":"grpc","span.kind":"server","grpc.service":"flipt.meta.MetadataService","grpc.method":"GetConfiguration","peer.address":"127.0.0.1:59186","grpc.code":"OK","grpc.time_ms":0.247}
2024-07-25 21:27:04 flipt  | {"L":"INFO","T":"2024-07-25T21:27:04+07:00","M":"finished unary call with code OK","server":"grpc","grpc.start_time":"2024-07-25T21:27:04+07:00","system":"grpc","span.kind":"server","grpc.service":"flipt.meta.MetadataService","grpc.method":"GetInfo","peer.address":"127.0.0.1:59186","grpc.code":"OK","grpc.time_ms":0.206}
2024-07-25 21:27:04 flipt  | {"L":"DEBUG","T":"2024-07-25T21:27:04+07:00","M":"list namespaces","server":"grpc","request":""}
2024-07-25 21:27:04 flipt  | {"L":"DEBUG","T":"2024-07-25T21:27:04+07:00","M":"list namespaces","server":"grpc","response":"namespaces:{key:\"default\"  name:\"Default\"  description:\"Default namespace\"  protected:true  created_at:{seconds:1721917620}  updated_at:{seconds:1721917620}}  total_count:1"}
2024-07-25 21:27:04 flipt  | {"L":"INFO","T":"2024-07-25T21:27:04+07:00","M":"finished unary call with code OK","server":"grpc","grpc.start_time":"2024-07-25T21:27:04+07:00","system":"grpc","span.kind":"server","grpc.service":"flipt.Flipt","grpc.method":"ListNamespaces","peer.address":"127.0.0.1:59186","grpc.code":"OK","grpc.time_ms":0.645}
2024-07-25 21:27:04 flipt  | {"L":"INFO","T":"2024-07-25T21:27:04+07:00","M":"finished unary call with code OK","server":"grpc","grpc.start_time":"2024-07-25T21:27:04+07:00","system":"grpc","span.kind":"server","grpc.service":"flipt.meta.MetadataService","grpc.method":"GetConfiguration","peer.address":"127.0.0.1:59186","grpc.code":"OK","grpc.time_ms":0.203}
2024-07-25 21:27:06 flipt  | {"L":"DEBUG","T":"2024-07-25T21:27:06+07:00","M":"list segments","server":"grpc","request":"namespace_key:\"default\""}
2024-07-25 21:27:06 flipt  | {"L":"DEBUG","T":"2024-07-25T21:27:06+07:00","M":"list segments","server":"grpc","response":""}
2024-07-25 21:27:06 flipt  | {"L":"INFO","T":"2024-07-25T21:27:06+07:00","M":"finished unary call with code OK","server":"grpc","grpc.start_time":"2024-07-25T21:27:06+07:00","system":"grpc","span.kind":"server","grpc.service":"flipt.Flipt","grpc.method":"ListSegments","peer.address":"127.0.0.1:59186","grpc.code":"OK","grpc.time_ms":2.113}
2024-07-25 21:27:07 flipt  | {"L":"DEBUG","T":"2024-07-25T21:27:07+07:00","M":"list flags","server":"grpc","request":"namespace_key:\"default\""}
2024-07-25 21:27:07 flipt  | {"L":"DEBUG","T":"2024-07-25T21:27:07+07:00","M":"list flags","server":"grpc","response":""}
2024-07-25 21:27:07 flipt  | {"L":"INFO","T":"2024-07-25T21:27:07+07:00","M":"finished unary call with code OK","server":"grpc","grpc.start_time":"2024-07-25T21:27:07+07:00","system":"grpc","span.kind":"server","grpc.service":"flipt.Flipt","grpc.method":"ListFlags","peer.address":"127.0.0.1:59186","grpc.code":"OK","grpc.time_ms":0.992}
2024-07-25 21:27:20 flipt  | {"L":"DEBUG","T":"2024-07-25T21:27:20+07:00","M":"create flag","server":"grpc","request":"key:\"test\"  name:\"test\"  enabled:true  namespace_key:\"default\"  type:BOOLEAN_FLAG_TYPE"}
2024-07-25 21:27:20 flipt  | {"L":"DEBUG","T":"2024-07-25T21:27:20+07:00","M":"create flag","server":"grpc","response":"key:\"test\"  name:\"test\"  enabled:true  created_at:{seconds:1721917640  nanos:91448000}  updated_at:{seconds:1721917640  nanos:91448000}  namespace_key:\"default\"  type:BOOLEAN_FLAG_TYPE"}
2024-07-25 21:27:20 flipt  | {"L":"INFO","T":"2024-07-25T21:27:20+07:00","M":"finished unary call with code OK","server":"grpc","grpc.start_time":"2024-07-25T21:27:20+07:00","system":"grpc","span.kind":"server","grpc.service":"flipt.Flipt","grpc.method":"CreateFlag","peer.address":"127.0.0.1:59186","grpc.code":"OK","grpc.time_ms":21.101}
2024-07-25 21:27:20 flipt  | {"L":"DEBUG","T":"2024-07-25T21:27:20+07:00","M":"get flag","server":"grpc","request":"key:\"test\"  namespace_key:\"default\""}
2024-07-25 21:27:20 flipt  | {"L":"DEBUG","T":"2024-07-25T21:27:20+07:00","M":"get flag","server":"grpc","response":"key:\"test\"  name:\"test\"  enabled:true  created_at:{seconds:1721917640  nanos:91448000}  updated_at:{seconds:1721917640  nanos:91448000}  namespace_key:\"default\"  type:BOOLEAN_FLAG_TYPE"}
2024-07-25 21:27:20 flipt  | {"L":"INFO","T":"2024-07-25T21:27:20+07:00","M":"finished unary call with code OK","server":"grpc","grpc.start_time":"2024-07-25T21:27:20+07:00","system":"grpc","span.kind":"server","grpc.service":"flipt.Flipt","grpc.method":"GetFlag","peer.address":"127.0.0.1:59186","grpc.code":"OK","grpc.time_ms":1.444}
2024-07-25 21:27:20 flipt  | {"L":"DEBUG","T":"2024-07-25T21:27:20+07:00","M":"list rollout rules","server":"grpc","request":"namespace_key:\"default\"  flag_key:\"test\""}
2024-07-25 21:27:20 flipt  | {"L":"DEBUG","T":"2024-07-25T21:27:20+07:00","M":"list rollout rules","server":"grpc","response":""}
2024-07-25 21:27:20 flipt  | {"L":"INFO","T":"2024-07-25T21:27:20+07:00","M":"finished unary call with code OK","server":"grpc","grpc.start_time":"2024-07-25T21:27:20+07:00","system":"grpc","span.kind":"server","grpc.service":"flipt.Flipt","grpc.method":"ListRollouts","peer.address":"127.0.0.1:59186","grpc.code":"OK","grpc.time_ms":2.085}

[markphelps]

Reply from wahyugnc on Discourse:

Is this not in the documentation yet?

[markphelps]

Reply from wahyugnc on Discourse:

and how do I put policy.rego in experimental ?

[markphelps]

Reply from mark on Discourse:

We just released a fix in v1.46.2. If you upgrade to this version you shouldn’t have to mess w experimental at all. Sorry about that

[markphelps]

Reply from wahyugnc on Discourse:

thank you for helping me,

i have another problem, if i integrate oidc keycloak, then i also enable static token, if using api which token to use? is aceessToken oidc or static token? I tried both but it didn’t work

[markphelps]

Reply from george on Discourse:

Hey Wahyugnc! Static tokens should work. OIDC is primarily intended for the UI and browser session authentication.

Which Flipt clients are you using? or if you’re using a hand rolled one, how are you presenting the static token on the requests?

[markphelps]

Reply from wahyugnc on Discourse:

Hi @george ,

I am trying to use flipt api, with sample request,

curl --location 'http://flipt-self-hosted.com/api/v1/namespaces/default/flags' \
--header 'Accept: application/json' \
--header 'Authorization: Bearer xxxxxx'

response

{
    "code": 16,
    "message": "request was not authenticated",
    "details": []
}

The following is an example of a Yaml config

authentication:
  required: true
  session:
    domain: domain.com
  methods:
    token:
      enabled: true
      bootstrap:
        token: "secret"
        expiration: 24h
      cleanup:
        interval: 2h
        grace_period: 48h
    oidc:
      enabled: true
      providers:
        keycloak:
          issuer_url: 'auth-domain.com'
          client_id: flipt
          client_secret: xxx
          redirect_address: 'domain.com'
authorization:
  required: true
  backend: local
  local:
    policy:
      path: policy.rego

Is there something wrong with my configuration?

[markphelps]

Reply from george on Discourse:

Thanks for sharing that @wahyugnc ! On initial glance I can’t see anything immediately obvious.

Just to clarify, you’re putting your static token where the xxxxxx is after the word Bearer in the Authorization header?

[markphelps]

Reply from wahyugnc on Discourse:

Yes, static token xxxxxx after word Bearer

[markphelps]

Reply from george on Discourse:

Do you have access to the UI by loging in with keycloak? Or does that also not work?

Im wondering if perhaps your bootstrap token is not what you expect. It only gets respected the first time you run Flipt, if its empty the first time, it makes a random one up and logs that on first load.

But if you make another token through the UI, that should be valid.

[markphelps]

Reply from wahyugnc on Discourse:

Yes, access to the UI with keycloak is succesfully,

i generate new token from the UI, but the token is not valid, this is example log

{"L":"INFO","T":"2024-07-26T10:08:31Z","M":"finished unary call with code Unauthenticated","server":"grpc","grpc.start_time":"2024-07-26T10:08:31Z","system":"grpc","span.kind":"server","grpc.service":"flipt.Flipt","grpc.method":"ListFlags","peer.address":"127.0.0.1:48642","error":"rpc error: code = Unauthenticated desc = request was not authenticated","grpc.code":"Unauthenticated","grpc.time_ms":1.685}

[markphelps]

Reply from wahyugnc on Discourse:

Hi, @george ,

i try to restart flipt and i can call the api, maybe cache issue ?, i already activate cache config

[markphelps]

Reply from george on Discourse:

Hey @wahyugnc ! Interesting! So after a restart it works, and you have the (redis? or memory?) cache enabled?