The second service cannot connect

I found that the first service can be accessed smoothly after configuring it, but the second service createService is always inaccessible.

What sorts of errors are you seeing? Did the browzer show you an error? Or does it just not connect? We need a bit more information as to what sort of problem you have. Even if it's "everything looks right but it just never connects".

Can you share the bootstrapper ZITI_BROWZER_BOOTSTRAPPER_TARGETS? Can you run policy advisor and make sure your service has a dialer and a binder?

Any extra details would be helpful. Thanks

Yes, I configured targets and created the service
"targetArray": [{
"vhost": "",
"service": "brozac“,
"path": "/",
"scheme": "http",
"idp_issuer_base_url": "",
"idp_client_id": "idpclient",
"idp_type": "keycloak",
"idp_realm": "idp"
"vhost": "",
"service": "test“,
"path": "/",
"scheme": "http",
"idp_issuer_base_url": "",
"idp_client_id": "idpclient",
"idp_type": "keycloak",
"idp_realm": "idp"

The second service created successful:

function createService {
ziti edge create config ${svc}.host.config host.v1 '{"protocol":"tcp", "address":"'"${offload_address}"'", "port":'${offload_port}'}'
ziti edge create config ${svc}.int.config intercept.v1 '{"protocols":["tcp"],"addresses":["'"${intercept_address}"'"], "portRanges":[{"low":'${intercept_port}', "high":'${intercept_port}'}]}'
ziti edge create service "${svc}" --configs "${svc}.host.config","${svc}.int.config"
ziti edge create service-policy "${svc}.bind" Bind --service-roles "@${svc}" --identity-roles "#${svc}.binders"
ziti edge create service-policy "${svc}.dial" Dial --service-roles "@${svc}" --identity-roles "#${svc}.dialers"

function deleteService {
ziti edge delete config where 'name contains "'"${svc}"'."'
ziti edge delete service where 'name = "'"${svc}"'"'
ziti edge delete sp where 'name contains "'"${svc}"'."'

And when you run policy-advisor, does it show you the correct identities having the proper attributes?

With two services and those scripts, you'll have two attributes to add to your identity. see how my "clint" user has two attributes:

│ ID         │ NAME                         │ TYPE    │ ATTRIBUTES                          │ AUTH-POLICY                  │
│ G4EEB7LrQ0 │ clint.dovholuk │ Default │ brozac.dialers,docker.whale.dialers │ browzer-keycloak-auth-policy │
│ JIXNTbD5w  │ Default Admin                │ Default │                                     │ Default                      │
│ P2yDb7LCQ0 │ public                       │ Default │                                     │ Default                      │
│ VRggB7LCQ0 │ curt.tudor     │ Default │ brozac.dialers,docker.whale.dialers │ browzer-keycloak-auth-policy │
│ h8KwqMc5F  │ ip-172-31-11-231-edge-router │ Router  │ brozac.binders,docker.whale.binders │ Default                      │
results: 1-5 of 5

Test using policy advisor. Something like:

ziti edge policy-advisor services -q
OKAY : clint.dovholuk (1) -> docker.whale (1) Common Routers: (1/1) Dial: Y Bind: N

OKAY : curt.tudor@ (1) -> docker.whale (1) Common Routers: (1/1) Dial: Y Bind: N

OKAY : ip-172-31-11-231-edge-router (1) -> docker.whale (1) Common Routers: (1/1) Dial: N Bind: Y

OKAY : clint.dovholuk@ (1) -> brozac (1) Common Routers: (1/1) Dial: Y Bind: N

OKAY : curt.tudor@ (1) -> brozac (1) Common Routers: (1/1) Dial: Y Bind: N

OKAY : ip-172-31-11-231-edge-router (1) -> brozac (1) Common Routers: (1/1) Dial: N Bind: Y

You can see my router has 'bind' on both brozac and docker.whale and my clint/curt identities can dial both services

~$ ziti edge list identities
│ 9sqj3Hq41 │ iZ2ze2dwhfc8ehsqxmy7r1Z-edge-router │ Router │ brozac.dialers │ Default │
│ SX1qQ-4r6 │ Default Admin │ Default │ │ Default │
│ no.KBdyKDj │ 123 │ Default │ brozac.dialers │ browzer-keycloak-auth-policy │
results: 1-3 of 3

Your users don't have access to the test service. Run policy advisor and you should see helpful information:

ziti edge policy-advisor services test -q
ERROR: test
  - Service is not accessible by any identities. Adjust service policies.

Also, seems like your router identity needs "bind" rights too. I would expect your brozac to not work either at this point?

Yes, I added the binders of the "test" service to the route and I can access it.
Why is the first service automatically bound without binders, and the second one needs to be bound manually?After comparing the brozac service, I found that the difference between them in zac is the terminator. However, I used the same creation method and did not generate the terminator. What is the role of terminators?

It is not. You definitely need to have an identity with "bind" rights. If you ran that script, it doesn't update identities. That's something you had to have done at one point. EVERY service in openziti must be explicitly granted the privilege to bind a service, that's a fundamental tenant of openziti itself.

Don't focus on the terminators yet. Terminators are the 'logical end of traffic on the openziti overlay'. So in all the browzer demos like the ziti tv from last week, the router is the point where traffic exits the openziti overlay network and returns back to the underlay network. The router "binds" a service and when that bind happens, a terminator is created in the controller that basically says, "send all the traffic for this service, to this identity". Once at that identity, the identity decides what to do with the traffic. In this case, the identity is a router, and it decides to offload the traffic from the openziti overlay, back to the ip-based underlay network, towards the final destination of the traffic (zac, or the test service)... But all that is not important, if your router identity doesn't have 'bind' priviliges to bind that service.

For every service you want to protect with browzer, you must ensure:

  • browzer's ZITI_BROWZER_BOOTSTRAPPER_TARGETS is updated and the docker container is restarted
  • an external jwt signer is properly created
  • an identity can dial the service
  • an identity which can bind the service

When you make the services using the script above, the part that is missing is the last two bullets. AFTER you create the service, you then need to update your dialing identity and binding identity with the proper attributes. In this case, it'd be something like:

ziti edge update iZ2ze2dwhfc8ehsqxmy7r1Z-edge-router -a brozac.binders,test.binders

:point_up: notice that i added TWO attributes because that script you show (which I use) makes a service-policy that grants identities with the "#${svc}.binders" attribute the 'bind' privilege and "#${svc}.dialers" the dial privilge.

Then you need to update your client identity:

ziti edge update identity 123 -a brozac.dialers,test.dialers

Ok thank you,now i understand。
Thank you for your video, very detailed.
There is another question. You mentioned sh in the video. I saw zrok in sh. What role does zrok play in it?
Later I think I will learn about zrok. It will be better to understand if I can combine browser with zrok.

Oh it plays no role at this time... :slight_smile: I was just trying to setup all our tech in one script to make it easier for me and anyone else who was interested to see what the steps are...

If you haven't seen zrok, you might be interested in it too. It's adding some cool and interesting features and is solving different problems than browzer and OpenZiti are solving, yet still offers private sharing too and is built on/with OpenZiti.

Okay, I think I will consider the integration issue after I understand zrok