Taking a closer look at policies

qrkourier · January 28, 2022, 6:07pm

Hi, I’m following along with today’s Ziti TV episode which starts with setting up a local Ziti network with Docker Compose. I got everything up and have run the commands to create the identities and services and policies.

I know you stopped troubleshooting the roles and switched to allow #all but I want to see if I can get it working with the specific roles so I can really understand how roles work.

I read over this article about policies but I’m still not seeing why policy advisor has ERROR.

ubuntu@ubuntu-vbox:~/ziti$ ./ziti edge policy-advisor identities --quiet
ERROR: client 
  - Identity does not have access to any services. Adjust service policies.

ERROR: Default Admin 
  - Identity does not have access to any services. Adjust service policies.

ERROR: ziti-edge-router 
  - Identity does not have access to any services. Adjust service policies.

ERROR: zdew-client 
  - Identity does not have access to any services. Adjust service policies.

ERROR: demo-server 
  - Identity does not have access to any services. Adjust service policies.

ubuntu@ubuntu-vbox:~/ziti$ ./ziti edge policy-advisor services --quiet
ERROR: demo-service 
  - Service is not accessible by any identities. Adjust service policies.

ubuntu@ubuntu-vbox:~/ziti$ ./ziti edge list identities
id: DYTIAeihJ9    name: client    type: Device    role attributes: ["clients"]
id: P6K.cJwQD    name: Default Admin    type: User    role attributes: {}
id: fZNjAMihJ9    name: ziti-edge-router    type: Router    role attributes: {}
id: id.g1esjJ9    name: zdew-client    type: Device    role attributes: ["clients"]
id: woYI1eijU9    name: demo-server    type: Device    role attributes: ["servers"]
results: 1-5 of 5
ubuntu@ubuntu-vbox:~/ziti$ ./ziti edge list service-policies
id: .nf3AesjU    name: service-bind-policy    type: Bind    service roles: [#services]    identity roles: [#servers] posture check roles: []
id: XG4-1MshJ9    name: service-dial-policy    type: Dial    service roles: [#services]    identity roles: [#clients] posture check roles: []
results: 1-2 of 2

I understand that there are two identity roles: #clients, #servers that grant Dial and Bind permission respectively on service role #services. There’s only one router role: #public-edge-routers and that’s used to configure the identity edge (ERP) for #clients and the service edge (SERP) for #services.

ubuntu@ubuntu-vbox:~/ziti$ ./ziti edge list service-policies
id: .nf3AesjU    name: service-bind-policy    type: Bind    service roles: [#services]    identity roles: [#servers] posture check roles: []
id: XG4-1MshJ9    name: service-dial-policy    type: Dial    service roles: [#services]    identity roles: [#clients] posture check roles: []
results: 1-2 of 2
ubuntu@ubuntu-vbox:~/ziti$ ./ziti edge list edge-router-policies
id: DKqe1MijU9    name: public-client-router-policy    edge router roles: [#public-edge-routers]    identity roles: [#clients]
id: fZNjAMihJ9    name: edge-router-fZNjAMihJ9-system    edge router roles: [@ziti-edge-router]    identity roles: [@ziti-edge-router]
results: 1-2 of 2
ubuntu@ubuntu-vbox:~/ziti$ ./ziti edge list service-edge-router-policies
id: eFLA1eijJ9    name: public-service-router-policy    edge router roles: [#public-edge-routers]    service roles: [#services]
results: 1-1 of 1
ubuntu@ubuntu-vbox:~/ziti$ ./ziti edge list edge-routers
id: fZNjAMihJ9    name: ziti-edge-router    isOnline: true    role attributes: ["public-edge-routers"]

qrkourier · January 28, 2022, 6:08pm

This is the episode I’m following Working With Spring Boot! - YouTube

TheLumberjack · January 28, 2022, 6:18pm

can you list services too?

qrkourier · January 28, 2022, 6:27pm

Oh yeah, services! The one service’s role is a clear mismatch so I updated it. Progress.

ubuntu@ubuntu-vbox:~/ziti$ ./ziti edge list services
id: iuMmAeihJ9    name: demo-service    encryption required: true    terminator strategy: smartrouting    role attributes: ["demo-service"]
results: 1-1 of 1

ubuntu@ubuntu-vbox:~/ziti$ ./ziti edge update service demo-service -a "services"

ubuntu@ubuntu-vbox:~/ziti$ ./ziti edge policy-advisor services --quiet
OKAY : client (1) -> demo-service (1) Common Routers: (1/1) Dial: Y Bind: N 

OKAY : zdew-client (1) -> demo-service (1) Common Routers: (1/1) Dial: Y Bind: N 

ERROR: demo-server (0) -> demo-service (1) Common Routers: (0/0) Dial: N Bind: Y 
  - Identity has no edge routers assigned. Adjust edge router policies.

ubuntu@ubuntu-vbox:~/ziti$ ./ziti edge policy-advisor identities --quiet
OKAY : client (1) -> demo-service (1) Common Routers: (1/1) Dial: Y Bind: N 

ERROR: Default Admin 
  - Identity does not have access to any services. Adjust service policies.

ERROR: ziti-edge-router 
  - Identity does not have access to any services. Adjust service policies.

OKAY : zdew-client (1) -> demo-service (1) Common Routers: (1/1) Dial: Y Bind: N 

ERROR: demo-server (0) -> demo-service (1) Common Routers: (0/0) Dial: N Bind: Y 
  - Identity has no edge routers assigned. Adjust edge router policies.

TheLumberjack · January 28, 2022, 6:29pm

id: fZNjAMihJ9    name: ziti-edge-router    type: Router    role attributes: {}

your router has no attributes now and i see no policy for servers - only clients?

id: DKqe1MijU9    name: public-client-router-policy    edge router roles: [#public-edge-routers]    identity roles: [#clients]

TheLumberjack · January 28, 2022, 6:32pm

oh - maybe ziti edge list edge-routers too. i was looking at identities before

qrkourier · January 28, 2022, 6:34pm

The router still has the same role public-edge-routers shown earlier, and I didn’t create an ERP for #servers identities because I / we thought in the stream that only a SERP, not an ERP was necessary for the Bind identities. However, adding a new ERP named public-servers-router-policy for #servers did the trick.

ubuntu@ubuntu-vbox:~/ziti$ ./ziti edge create edge-router-policy public-servers-router-policy --identity-roles "#servers" --edge-router-roles "#public-edge-routers"
New edge router policy public-servers-router-policy created with id: H661mesjU9
ubuntu@ubuntu-vbox:~/ziti$ ./ziti edge policy-advisor identities --quiet
OKAY : client (1) -> demo-service (1) Common Routers: (1/1) Dial: Y Bind: N 

ERROR: Default Admin 
  - Identity does not have access to any services. Adjust service policies.

ERROR: ziti-edge-router 
  - Identity does not have access to any services. Adjust service policies.

OKAY : zdew-client (1) -> demo-service (1) Common Routers: (1/1) Dial: Y Bind: N 

OKAY : demo-server (1) -> demo-service (1) Common Routers: (1/1) Dial: N Bind: Y 

ubuntu@ubuntu-vbox:~/ziti$ ./ziti edge policy-advisor services --quiet
OKAY : client (1) -> demo-service (1) Common Routers: (1/1) Dial: Y Bind: N 

OKAY : zdew-client (1) -> demo-service (1) Common Routers: (1/1) Dial: Y Bind: N 

OKAY : demo-server (1) -> demo-service (1) Common Routers: (1/1) Dial: N Bind: Y

So ERP is necessary for Bind-only identities in addition to SERP for the services they bind.

TheLumberjack · January 28, 2022, 6:35pm

Looks like you made it!

Topic		Replies	Views
Service is not accessible	9	215	March 31, 2023
Docker Compose: no ziti edge list service-edge-router-policies configured Ziti Overlay	6	375	January 30, 2023
Creating new identities to the Reflect example Ziti Overlay	2	203	April 5, 2022
allSvcPublicRouters service Ziti Overlay	1	234	April 4, 2022
Understand service-policy behavior in 1 controller + 2 router topology Support	13	54	November 23, 2024

Taking a closer look at policies

Related topics