In my local environment, multi-tenancy is enabled, but I could not deploy to a tenant with Desktop Camunda Modeler.
No matter what I type as the Tenant ID, I get an error.
Is it not possible to deploy with the Modeler?
In my local environment, multi-tenancy is enabled, but I could not deploy to a tenant with Desktop Camunda Modeler.
Hi @aylao, welcome to the forums! The Tenant ID “default” is not valid; in your first screenshot, you can see the two available IDs of “” and “tenant1”. Based on the error received (“tenant is not authorized to perform this request”), I suspect you may need to go into Identity and assign the application you created (with the Client ID “zeebe”) to the tenant you want to deploy to.
Hi @nathan.loding, thanks. Although I assigned the application, I still get the same error. I am sharing screenshots with you.
Hi @aylao - something appears to still be wrong with the permissions. Can you show the configuration for the `zeebe` application?
This is my docker-compose.yaml file.
I have created environment variables in a .env file so that I can manage them easily,
and I have a docker-compose.override.yaml for zeebe.
docker-compose.override.yml
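# Compose override: defines the zeebe broker/gateway (with the Elasticsearch
# and Aura exporters) and adjusts the redis and elasticsearch services that
# docker-compose.yml declares. Nesting is restored here; the pasted text had
# lost its indentation.
version: '3.7'

services:
  redis:
    container_name: redis
    restart: on-failure
    # NOTE(review): published on every host interface and no redis password is
    # configured in either file; use "127.0.0.1:6379:6379" if only local tools
    # need it.
    ports:
      - "6379:6379"
    networks:
      - camunda-platform

  zeebe:
    image: camunda/zeebe:${CAMUNDA_PLATFORM_VERSION}
    container_name: zeebe
    restart: on-failure
    ports:
      # 26500 is the gateway address the other services use (zeebe:26500).
      - "26500:26500"
      - "9600:9600"
    # Each entry needs "- " (dash, space); the pasted "-KEY=value" form is read
    # by YAML as plain text, not as a list item.
    environment:
      # Gateway authentication; .env sets the mode to `identity`, so callers
      # must present a valid token.
      - ZEEBE_BROKER_GATEWAY_SECURITY_AUTHENTICATION_MODE=${ZEEBE_AUTHENTICATION_MODE}
      - ZEEBE_BROKER_GATEWAY_SECURITY_AUTHENTICATION_IDENTITY_ISSUERBACKENDURL=http://keycloak:8080/auth/realms/camunda-platform
      - ZEEBE_BROKER_GATEWAY_SECURITY_AUTHENTICATION_IDENTITY_AUDIENCE=zeebe-api
      # NOTE(review): the Identity base URL is set twice under different
      # prefixes, once with and once without a trailing slash; confirm which
      # one the image reads and keep a single spelling.
      - ZEEBE_BROKER_GATEWAY_SECURITY_AUTHENTICATION_IDENTITY_BASEURL=http://identity:8084/
      - ZEEBE_GATEWAY_SECURITY_AUTHENTICATION_IDENTITY_BASEURL=http://identity:8084
      # Multi-tenancy switch, also set under both prefixes.
      - ZEEBE_GATEWAY_MULTITENANCY_ENABLED=${MULTITENANCY_ENABLED}
      - ZEEBE_BROKER_GATEWAY_MULTITENANCY_ENABLED=${MULTITENANCY_ENABLED}
      # NOTE(review): unlike its neighbours this name has no BROKER/GATEWAY
      # prefix; confirm the broker actually reads it. Per the replies in this
      # thread, tenant access is decided by assigning the application to the
      # tenant in Identity.
      - ZEEBE_TENANT_ID=tenant1
      - ZEEBE_BROKER_EXPORTERS_ELASTICSEARCH_CLASSNAME=io.camunda.zeebe.exporter.ElasticsearchExporter
      - ZEEBE_BROKER_EXPORTERS_ELASTICSEARCH_ARGS_URL=http://elasticsearch:9200
      - ZEEBE_BROKER_EXPORTERS_ELASTICSEARCH_ARGS_BULK_SIZE=1000
      # Custom exporter loaded from the bind-mounted ./exporters directory.
      # NOTE(review): this JAR runs inside the broker process; verify where
      # the artifact came from and consider mounting the directory read-only.
      - ZEEBE_BROKER_EXPORTERS_AURA_CLASSNAME=io.zeebe.aura.exporter.AuraExporter
      - ZEEBE_BROKER_EXPORTERS_AURA_JARPATH=exporters/zeebe-aura-exporter-1.4.4-jar-with-dependencies.jar
      - ZEEBE_AURA_DAPR_ADDRESS=http://zeebe-dapr:3601
      - ZEEBE_AURA_DAPR_PUBSUB_NAME=pubsub
      - ZEEBE_AURA_DISABLED_VALUE_TYPES=JOB_BATCH
      - ZEEBE_AURA_DISABLED_RECORD_TYPES=COMMAND
      - ZEEBE_AURA_RESPONSE_TOPIC=RESPONSE-EXPORTER
      - ZEEBE_AURA_COMPENSATION_TOPIC=COMPENSATION-EXPORTER
      - ZEEBE_AURA_DAPR_TOPIC=DAPR-EXPORTER
      - ZEEBE_AURA_CORRELATION_ID_KEY=CorrelationId
      - ZEEBE_AURA_ACTIVITY_ID_KEY=ActivityId
      # allow running with low disk space
      - ZEEBE_BROKER_DATA_DISKUSAGECOMMANDWATERMARK=0.998
      - ZEEBE_BROKER_DATA_DISKUSAGEREPLICATIONWATERMARK=0.999
      - ZEEBE_BROKER_GATEWAY_CLUSTER_REQUESTTIMEOUT=PT20S
      - "JAVA_TOOL_OPTIONS=-Xms512m -Xmx512m"
      # NOTE(review): in list form the inner double quotes are presumably
      # passed through as part of the value; confirm, or drop them.
      - ZEEBE_METRICS_HTTP_SERVER="true"
      #- ZEEBE_LOG_LEVEL=debug
    volumes:
      - zeebe:/usr/local/zeebe/data
      - ./exporters/:/usr/local/zeebe/exporters/
    networks:
      - camunda-platform
    depends_on:
      - elasticsearch
      - identity

  elasticsearch:
    # Adds a named data volume to the service declared in docker-compose.yml.
    volumes:
      - elastic:/usr/share/elasticsearch/data

volumes:
  zeebe:
  elastic: {}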
docker-compose.yml
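# Base Compose file: operate, tasklist, connectors and identity, with
# keycloak/postgres for authentication, elasticsearch/kibana for data, and
# dapr, seq, redis, rabbitmq and jaeger alongside. The `zeebe` service that
# several entries depend on is defined in docker-compose.override.yml.
# Nesting is restored here; the pasted text had lost its indentation.
version: '3.7'

services:
  dapr-placement:
    # NOTE(review): no tag, so the image resolves to `latest` at pull time;
    # pin a version or digest so deployments are reproducible.
    image: daprio/dapr
    container_name: dapr-placement
    restart: unless-stopped
    command: ["./placement", "-port", "50000", "-log-level", "debug"]
    ports:
      - "50000:50000"
    networks:
      - camunda-platform

  seq:
    # SEQ_VERSION is `latest` in .env, i.e. a moving tag.
    image: datalust/seq:${SEQ_VERSION}
    container_name: seq
    restart: on-failure
    environment:
      - ACCEPT_EULA=Y
    ports:
      - "5341:80"

  postgres:
    image: postgres:${POSTGRES_VERSION}
    container_name: postgres
    restart: unless-stopped
    environment:
      PGUSER: admin
      POSTGRES_DB: bitnami_keycloak
      POSTGRES_USER: ${POSTGRES_USER:-admin}
      # NOTE(review): falls back to a well-known password when the variable is
      # unset, and 5432 is published on the host below. Drop the fallback or
      # bind the port to 127.0.0.1.
      POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:-postgres}
    healthcheck:
      # "$$" keeps Compose from substituting; the variables are expanded by
      # the shell inside the container.
      test: ["CMD-SHELL", "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}"]
      interval: 10s
      timeout: 5s
      retries: 5
    ports:
      - "5432:5432"
    volumes:
      - postgres-data:/var/lib/postgresql/data
    networks:
      - identity-network

  redis:
    image: redis:${REDIS_VERSION}
    container_name: redis
    restart: unless-stopped
    # NOTE(review): published without any redis password configured here.
    ports:
      - "6379:6379"
    networks:
      - camunda-platform

  rabbitmq:
    image: rabbitmq:3-management-alpine
    container_name: rabbitmq
    restart: unless-stopped
    # Port mappings are quoted like the other services so YAML always reads
    # them as strings.
    # NOTE(review): neither RABBITMQ_DEFAULT_USER nor RABBITMQ_DEFAULT_PASS is
    # set, so the image's default account applies while both ports are
    # published.
    ports:
      - "5672:5672"
      - "15672:15672"
    volumes:
      - ~/.docker-conf/rabbitmq/data/:/var/lib/rabbitmq/
      - ~/.docker-conf/rabbitmq/log/:/var/log/rabbitmq
    networks:
      - camunda-platform

  zeebe-dapr:
    container_name: zeebe-dapr
    # NOTE(review): `edge` is a moving tag; pin a release or digest.
    image: "daprio/daprd:edge"
    restart: unless-stopped
    ports:
      - "3601:3601"
    command: [
      "./daprd",
      "--app-id", "zeebe",
      "--app-port", "26500",
      "--app-protocol", "grpc",
      "--dapr-http-port", "3601",
      "--placement-host-address", "dapr-placement:50000",
      "--resources-path", "./components"
    ]
    volumes:
      - "./components/:/components"
    networks:
      - camunda-platform
      - identity-network
    depends_on:
      - zeebe

  operate:
    image: camunda/operate:${CAMUNDA_PLATFORM_VERSION}
    container_name: operate
    restart: unless-stopped
    ports:
      - "8081:8080"
    environment: # https://docs.camunda.io/docs/self-managed/operate-deployment/configuration/
      - CAMUNDA_OPERATE_ZEEBE_GATEWAYADDRESS=zeebe:26500
      - ZEEBE_CLIENT_ID=${ZEEBE_CLIENT_ID}
      - ZEEBE_CLIENT_SECRET=${ZEEBE_CLIENT_SECRET}
      - ZEEBE_TOKEN_AUDIENCE=zeebe-api
      - ZEEBE_AUTHORIZATION_SERVER_URL=http://keycloak:8080/auth/realms/camunda-platform/protocol/openid-connect/token
      - CAMUNDA_OPERATE_ELASTICSEARCH_URL=http://elasticsearch:9200
      - CAMUNDA_OPERATE_ZEEBEELASTICSEARCH_URL=http://elasticsearch:9200
      # For more information regarding configuration with Identity see:
      # https://docs.camunda.io/docs/self-managed/operate-deployment/authentication/#identity
      - SPRING_PROFILES_ACTIVE=identity-auth
      - CAMUNDA_OPERATE_IDENTITY_BASEURL=http://identity:8084
      - CAMUNDA_OPERATE_IDENTITY_ISSUER_URL=http://${HOST}:18080/auth/realms/camunda-platform
      - CAMUNDA_OPERATE_IDENTITY_ISSUER_BACKEND_URL=http://keycloak:8080/auth/realms/camunda-platform
      - CAMUNDA_OPERATE_IDENTITY_CLIENTID=operate
      # NOTE(review): client secret written inline; the same value is reused
      # for tasklist and for the KEYCLOAK_INIT_*_SECRET entries under
      # `identity`. Move it to .env or a secret store and give each client its
      # own value.
      - CAMUNDA_OPERATE_IDENTITY_CLIENTSECRET=XALaRPl5qwTEItdwCMiPS62nVpKs7dL7
      - CAMUNDA_OPERATE_IDENTITY_AUDIENCE=operate-api
      - SPRING_SECURITY_OAUTH2_RESOURCESERVER_JWT_ISSUER_URI=http://${HOST}:18080/auth/realms/camunda-platform
      - SPRING_SECURITY_OAUTH2_RESOURCESERVER_JWT_JWK_SET_URI=http://${HOST}:18080/auth/realms/camunda-platform/protocol/openid-connect/certs
      - CAMUNDA_OPERATE_IDENTITY_RESOURCEPERMISSIONSENABLED=${RESOURCE_AUTHORIZATIONS_ENABLED}
      - CAMUNDA_OPERATE_MULTITENANCY_ENABLED=${MULTITENANCY_ENABLED}
      - management.endpoints.web.exposure.include=health
      - management.endpoint.health.probes.enabled=true
    networks:
      - camunda-platform
      - identity-network
    depends_on:
      - zeebe
      - identity
      - elasticsearch

  tasklist:
    image: camunda/tasklist:${CAMUNDA_PLATFORM_VERSION}
    container_name: tasklist
    restart: unless-stopped
    ports:
      - "8082:8080"
    environment: # https://docs.camunda.io/docs/self-managed/tasklist-deployment/configuration/
      - CAMUNDA_TASKLIST_ZEEBE_GATEWAYADDRESS=zeebe:26500
      - ZEEBE_CLIENT_ID=${ZEEBE_CLIENT_ID}
      - ZEEBE_CLIENT_SECRET=${ZEEBE_CLIENT_SECRET}
      - ZEEBE_TOKEN_AUDIENCE=zeebe-api
      - ZEEBE_AUTHORIZATION_SERVER_URL=http://keycloak:8080/auth/realms/camunda-platform/protocol/openid-connect/token
      - CAMUNDA_TASKLIST_ELASTICSEARCH_URL=http://elasticsearch:9200
      - CAMUNDA_TASKLIST_ZEEBEELASTICSEARCH_URL=http://elasticsearch:9200
      # For more information regarding configuration with Identity see:
      # https://docs.camunda.io/docs/self-managed/tasklist-deployment/authentication/#identity
      - SPRING_PROFILES_ACTIVE=identity-auth
      - CAMUNDA_TASKLIST_IDENTITY_BASEURL=http://identity:8084
      - CAMUNDA_TASKLIST_IDENTITY_ISSUER_URL=http://${HOST}:18080/auth/realms/camunda-platform
      - CAMUNDA_TASKLIST_IDENTITY_ISSUER_BACKEND_URL=http://keycloak:8080/auth/realms/camunda-platform
      - CAMUNDA_TASKLIST_IDENTITY_CLIENTID=tasklist
      # NOTE(review): inline client secret, identical to the operate one.
      - CAMUNDA_TASKLIST_IDENTITY_CLIENTSECRET=XALaRPl5qwTEItdwCMiPS62nVpKs7dL7
      - CAMUNDA_TASKLIST_IDENTITY_AUDIENCE=tasklist-api
      - SPRING_SECURITY_OAUTH2_RESOURCESERVER_JWT_ISSUER_URI=http://${HOST}:18080/auth/realms/camunda-platform
      - SPRING_SECURITY_OAUTH2_RESOURCESERVER_JWT_JWK_SET_URI=http://${HOST}:18080/auth/realms/camunda-platform/protocol/openid-connect/certs
      #- CAMUNDA_TASKLIST_IDENTITY_RESOURCE_PERMISSIONS_ENABLED=${RESOURCE_AUTHORIZATIONS_ENABLED}
      - CAMUNDA_TASKLIST_MULTITENANCY_ENABLED=${MULTITENANCY_ENABLED}
      - management.endpoints.web.exposure.include=health
      - management.endpoint.health.probes.enabled=true
    networks:
      - camunda-platform
      - identity-network
    depends_on:
      - zeebe
      - identity
      - elasticsearch

  connectors:
    image: camunda/connectors-bundle:${CAMUNDA_CONNECTORS_VERSION}
    container_name: connectors
    restart: on-failure
    ports:
      - "8085:8080"
    environment:
      - ZEEBE_CLIENT_BROKER_GATEWAY-ADDRESS=zeebe:26500
      # The connection to the gateway is unencrypted (no TLS).
      - ZEEBE_CLIENT_SECURITY_PLAINTEXT=true
      - ZEEBE_CLIENT_ID=${ZEEBE_CLIENT_ID}
      - ZEEBE_CLIENT_SECRET=${ZEEBE_CLIENT_SECRET}
      - ZEEBE_TOKEN_AUDIENCE=zeebe-api
      - ZEEBE_AUTHORIZATION_SERVER_URL=http://keycloak:8080/auth/realms/camunda-platform/protocol/openid-connect/token
      - CAMUNDA_OPERATE_CLIENT_KEYCLOAK-URL=http://keycloak:8080
      - CAMUNDA_OPERATE_CLIENT_CLIENT-ID=connectors
      # NOTE(review): differs from KEYCLOAK_INIT_CONNECTORS_SECRET in the
      # `identity` service; presumably the two must match for this client to
      # obtain a token - verify. Also an inline secret; move it to .env or a
      # secret store.
      - CAMUNDA_OPERATE_CLIENT_CLIENT-SECRET=c0nn3ct0rsAr3Aw3s0me
      - CAMUNDA_OPERATE_CLIENT_KEYCLOAK-REALM=camunda-platform
      - CAMUNDA_OPERATE_CLIENT_URL=http://operate:8080
    env_file: connector-secrets.txt
    networks:
      - camunda-platform
    depends_on:
      - zeebe
      - operate
      - identity

  identity:
    image: camunda/identity:${CAMUNDA_PLATFORM_VERSION}
    container_name: identity
    restart: unless-stopped
    ports:
      - "8084:8084"
    environment: # https://docs.camunda.io/docs/self-managed/identity/deployment/configuration-variables/
      SERVER_PORT: 8084
      IDENTITY_RETRY_DELAY_SECONDS: 30
      KEYCLOAK_URL: http://keycloak:8080/auth
      IDENTITY_AUTH_PROVIDER_BACKEND_URL: http://keycloak:8080/auth/realms/camunda-platform
      IDENTITY_DATABASE_HOST: postgres
      IDENTITY_DATABASE_PORT: 5432
      IDENTITY_DATABASE_NAME: bitnami_keycloak
      IDENTITY_DATABASE_USERNAME: ${POSTGRES_USER}
      IDENTITY_DATABASE_PASSWORD: ${POSTGRES_PASSWORD}
      # NOTE(review): one secret is shared by the operate, tasklist, optimize
      # and connectors clients, so disclosing it exposes all four. Use one
      # value per client, supplied from .env or a secret store.
      KEYCLOAK_INIT_OPERATE_SECRET: XALaRPl5qwTEItdwCMiPS62nVpKs7dL7
      KEYCLOAK_INIT_OPERATE_ROOT_URL: http://${HOST}:8081
      KEYCLOAK_INIT_TASKLIST_SECRET: XALaRPl5qwTEItdwCMiPS62nVpKs7dL7
      KEYCLOAK_INIT_TASKLIST_ROOT_URL: http://${HOST}:8082
      KEYCLOAK_INIT_OPTIMIZE_SECRET: XALaRPl5qwTEItdwCMiPS62nVpKs7dL7
      KEYCLOAK_INIT_OPTIMIZE_ROOT_URL: http://${HOST}:8083
      KEYCLOAK_INIT_WEBMODELER_ROOT_URL: http://${HOST}:8070
      KEYCLOAK_INIT_CONNECTORS_SECRET: XALaRPl5qwTEItdwCMiPS62nVpKs7dL7
      KEYCLOAK_INIT_CONNECTORS_ROOT_URL: http://${HOST}:8085
      KEYCLOAK_INIT_ZEEBE_NAME: zeebe
      # NOTE(review): demo/demo account holding every role listed below.
      KEYCLOAK_USERS_0_USERNAME: "demo"
      KEYCLOAK_USERS_0_PASSWORD: "demo"
      KEYCLOAK_USERS_0_FIRST_NAME: "demo"
      KEYCLOAK_USERS_0_EMAIL: "demo@acme.com"
      KEYCLOAK_USERS_0_ROLES_0: "Identity"
      KEYCLOAK_USERS_0_ROLES_1: "Optimize"
      KEYCLOAK_USERS_0_ROLES_2: "Operate"
      KEYCLOAK_USERS_0_ROLES_3: "Tasklist"
      KEYCLOAK_USERS_0_ROLES_4: "Web Modeler"
      # M2M client for the zeebe API. These lines configure an API permission
      # only; per the replies in this thread, the application must also be
      # assigned to the target tenant in Identity.
      KEYCLOAK_CLIENTS_0_NAME: zeebe
      KEYCLOAK_CLIENTS_0_ID: ${ZEEBE_CLIENT_ID}
      KEYCLOAK_CLIENTS_0_SECRET: ${ZEEBE_CLIENT_SECRET}
      KEYCLOAK_CLIENTS_0_TYPE: M2M
      KEYCLOAK_CLIENTS_0_PERMISSIONS_0_RESOURCE_SERVER_ID: zeebe-api
      # Quoted so the "*" and ":" cannot be misread by a YAML parser.
      KEYCLOAK_CLIENTS_0_PERMISSIONS_0_DEFINITION: "write:*"
      RESOURCE_PERMISSIONS_ENABLED: ${RESOURCE_AUTHORIZATIONS_ENABLED}
      MULTITENANCY_ENABLED: ${MULTITENANCY_ENABLED}
    healthcheck:
      test: ["CMD", "curl", "-f", "http://localhost:8084/actuator/health"]
      interval: 5s
      timeout: 15s
      retries: 30
      start_period: 60s
    volumes:
      - keycloak-theme:/app/keycloak-theme
    networks:
      - camunda-platform
      - identity-network
    depends_on:
      keycloak:
        condition: service_healthy

  keycloak:
    image: bitnami/keycloak:${KEYCLOAK_SERVER_VERSION}
    container_name: keycloak
    restart: unless-stopped
    volumes:
      - keycloak-theme:/opt/bitnami/keycloak/themes/identity
    # NOTE(review): Keycloak is published on 18080 over plain HTTP, and .env
    # sets the admin account to admin/admin.
    ports:
      - "18080:8080"
    environment:
      KEYCLOAK_HTTP_RELATIVE_PATH: /auth
      KEYCLOAK_DATABASE_HOST: postgres
      KEYCLOAK_DATABASE_USER: ${POSTGRES_USER}
      KEYCLOAK_DATABASE_PASSWORD: ${POSTGRES_PASSWORD}
      KEYCLOAK_ADMIN_USER: ${KEYCLOAK_ADMIN_USER}
      KEYCLOAK_ADMIN_PASSWORD: ${KEYCLOAK_ADMIN_PASSWORD}
    healthcheck:
      test: ["CMD", "curl", "-f", "http://localhost:8080/auth"]
      interval: 30s
      timeout: 15s
      retries: 5
      start_period: 30s
    networks:
      - camunda-platform
      - identity-network
    depends_on:
      - postgres

  elasticsearch:
    image: docker.elastic.co/elasticsearch/elasticsearch:${ELASTIC_VERSION}
    container_name: elasticsearch
    restart: unless-stopped
    # NOTE(review): security is switched off below, so anything that can reach
    # these published ports gets unauthenticated access to the data. Bind to
    # 127.0.0.1 or leave the ports unpublished when only the compose services
    # need Elasticsearch.
    ports:
      - "9200:9200"
      - "9300:9300"
    environment:
      - bootstrap.memory_lock=true
      - discovery.type=single-node
      - xpack.security.enabled=false
      # allow running with low disk space
      - cluster.routing.allocation.disk.threshold_enabled=false
      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
    ulimits:
      memlock:
        soft: -1
        hard: -1
    healthcheck:
      test: ["CMD-SHELL", "curl -f http://localhost:9200/_cat/health | grep -q green"]
      interval: 30s
      timeout: 5s
      retries: 3
    networks:
      - camunda-platform

  kibana:
    image: docker.elastic.co/kibana/kibana:${ELASTIC_VERSION}
    container_name: kibana
    restart: unless-stopped
    # Quoted like the other port mappings.
    ports:
      - "5601:5601"
    volumes:
      - kibana:/usr/share/kibana/data
    networks:
      - camunda-platform
    depends_on:
      - elasticsearch

  jaeger:
    # NOTE(review): untagged image (resolves to `latest`). No `networks:` key,
    # so this service is not attached to camunda-platform.
    image: jaegertracing/all-in-one
    container_name: jaeger
    restart: unless-stopped
    environment:
      - COLLECTOR_ZIPKIN_HOST_PORT=:9412
      - COLLECTOR_OTLP_ENABLED=true
    # NOTE(review): every listed port is published on the host; keep only the
    # ones that are actually used from outside the compose network.
    ports:
      - "16686:16686"
      - "9412:9412"
      - "6831:6831/udp"
      - "6832:6832/udp"
      - "5778:5778"
      - "4317:4317"
      - "4318:4318"
      - "14250:14250"
      - "14268:14268"
      - "14269:14269"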
# Named volumes and networks used by the services above; each is created with
# default settings.
volumes:
  postgres-data: {}
  keycloak-theme: {}
  kibana: {}

networks:
  camunda-platform: {}
  identity-network: {}
file .env
## Image versions ##
# Substituted into the image tags of the Compose files.
CAMUNDA_PLATFORM_VERSION=8.3.0
CAMUNDA_CONNECTORS_VERSION=8.3.0
ELASTIC_VERSION=8.8.2
KEYCLOAK_SERVER_VERSION=21.1.2
POSTGRES_VERSION=15.2
# NOTE(review): `latest` and `alpine` are moving tags; pin explicit versions
# so the images that run are the ones that were reviewed.
SEQ_VERSION=latest
REDIS_VERSION=alpine

## Host and credentials ##
# NOTE(review): these values were posted together with the thread; replace
# them before reusing this setup anywhere other than a local sandbox.
HOST=localhost
POSTGRES_USER=admin
POSTGRES_PASSWORD=postgres
KEYCLOAK_ADMIN_USER=admin
KEYCLOAK_ADMIN_PASSWORD=admin

## Configuration ##
# By default the zeebe api is public, when setting this to `identity` a valid zeebe client token is required
ZEEBE_AUTHENTICATION_MODE=identity
# Client id and secret that operate, tasklist and connectors use for the zeebe
# API; the identity service registers the same pair in Keycloak.
ZEEBE_CLIENT_ID=zeebe
ZEEBE_CLIENT_SECRET=zecret
# Passed to zeebe, operate, tasklist and identity.
MULTITENANCY_ENABLED=true
# This can be used to limit access for users or groups to view/update specific
# processes and decisions in Operate and Tasklist
RESOURCE_AUTHORIZATIONS_ENABLED=false
# NOTE(review): not referenced by either Compose file shown on this page.
IDENTITY_CLIENT_SECRET=JWSLQmCSHyFzfYoRd2i0iDbX0EqQ5ACE
Hi @aylao - apologies for the confusion! I meant the `zeebe` application inside Identity, that you assigned to the `tenant1` tenant.
@nathan.loding I wanted to remind myself for this question