ZAC 4.2.0 does not resolve routers in policies and shows empty Terminators columns

Ziti Administration Console
1

Hi OpenZiti team,

We are having an issue with ZAC after upgrading.

Environment:

  • OpenZiti controller: openziti/ziti-controller:2.0.0

  • OpenZiti router: openziti/ziti-router:2.0.0

  • ZAC: openziti/zac:latest, currently showing version 4.2.0

  • Deployment: Docker Compose

Everything works correctly from the CLI.

For example, if I create or update a service edge router policy from the CLI, the command works correctly:

ziti edge update service-edge-router-policy <policy-id> \
  --name <service-edge-router-policy-name> \
  --edge-router-roles '@<edge-router-name>' \
  --service-roles '#<service-role>' \
  --semantic AnyOf

Then, when I list the policy from CLI, it is shown correctly:

<service-edge-router-policy-name>
SERVICE ROLES: #<service-role>
EDGE ROUTER ROLES: @<edge-router-name>

However, when I open the same policy in the ZAC web interface and check the JSON view, it appears with @undefined:

{
  "name": "<service-edge-router-policy-name>",
  "appData": "",
  "edgeRouterRoles": [
    "@undefined"
  ],
  "serviceRoles": [
    "#<service-role>"
  ],
  "semantic": "AnyOf",
  "tags": {}
}

So the policy works correctly from CLI and is listed correctly from CLI, but ZAC displays it incorrectly in the web JSON view.

The same behavior also happens with Edge Router Policies: CLI lists the correct router and identity roles, but the ZAC JSON view shows @undefined.

In addition, from the ZAC web interface, the routers do not appear correctly in the selector when creating or editing these policies. Even if I manually type the router name, ZAC does not detect it as an existing router, although the router is correctly registered and listed from the CLI. Because of this, I can only assign the router correctly using the CLI.

We also see an issue in the Terminators page. ZAC loads the table and pagination, and the Created At column is populated, but the rest of the columns appear empty:

  • Address

  • Router Name

  • Router ID

  • Service Name

  • Service ID

From CLI, terminators list correctly.

So the OpenZiti configuration seems to be working correctly. The issue appears to be only in ZAC 4.2.0 web UI: it displays @undefined in the JSON view for router policies and service edge router policies, does not detect existing routers in the policy selectors, and the Terminators page shows empty columns even though CLI output is correct.

Is this a known issue with ZAC 4.2.0 and OpenZiti controller 2.0.0?

Is there a recommended ZAC version for OpenZiti 2.0.0, or should we downgrade to another ZAC version?

Thanks.

2

The issue has just appeared again while creating a new service from ZAC. The router was created, registered, and online, and it appeared correctly from the CLI. However, when creating a new service from the web interface, the router did not appear in the selector when selecting the host router. Even when typing the name manually, ZAC did not detect it as existing. Because of that, I had to create/associate the service through the CLI. After that, policy-advisor showed the service as correctly configured.

3

Hi @frustrada1234, is it possible that this is when you're not authenticated, maybe? I've been noticing my zac thinks I'm logged out more often lately, perhaps that's when this triggers? Maybe there's some sort of ZAC-related login issue?

4

Hi,

Yes, I have noticed that my ZAC session seems to expire sooner than usual lately.

However, whenever I reproduce the issue, I am already inside ZAC because I have just authenticated again. What seems strange to me is that some routers/devices are displayed correctly in the UI, while others are not available in the selectors, even though they are correctly registered and visible from the CLI.

Because of that, for the affected routers/services I have to manage the configuration from the CLI instead of using ZAC.

So it may still be related to a ZAC session/authentication issue, but it does not look like I am simply unauthenticated when it happens. traducemelo

5

Hi @frustrada1234, a new ziti-console was released that will hopefully address the zac sessions expiration. Update to 4.3.0 and see if that makes a difference.

If you still have troubles, could you give me a short list of some steps to reproduce? (as few as necessary if possible) :slight_smile: cheers!