-
Notifications
You must be signed in to change notification settings - Fork 140
/
Copy pathgranular-verifier-control.html.md.erb
262 lines (207 loc) · 9.24 KB
/
granular-verifier-control.html.md.erb
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
---
title: Managing Ops Manager Verifiers
owner: Ops Manager
---
This topic describes how to disable and re-enable verifiers for fields in the BOSH
Director and other product tiles.
Ops Manager provides this option for troubleshooting
purposes. For example, your deployment may have a unique configuration that the
verifier cannot detect. In this case, you can unblock your deployment by disabling the verifier.
<p class="note"><strong>Note:</strong> <%= vars.company_name %> recommends contacting support before you
disable Ops Manager verifiers.</p>
<p class="warning note"><strong>WARNING:</strong> <%= vars.company_name %> recommends recording and routinely revisiting which verifiers you disable.
The Ops Manager UI does not indicate which verifiers you disable. Disabled verifiers
persist through upgrades.</p>
## <a id="about-verifiers"></a> About Verifiers
Ops Manager verifiers narrow the feedback loop for operators by checking that fields are
configured correctly. Ops Manager verifiers reach out and find objects in the world. For example, given an IP, a
verifier can ping the IP to see that it responds.
Verifiers run early in a deployment. With verifiers turned off,
deployments may fail much later.
Verifiers run on two occasions:
<table>
<tr>
<th>Verifier Label</th>
<th>Triggers when you...</th>
<th>Blocks deployment?</th>
</tr>
<tr>
<td><code>form</code></td>
<td>Click <strong>Save</strong> in a pane.</td>
<td>Does not block deployment. Error message is a warning.</td>
</tr>
<tr>
<td><code>install_time</code></td>
<td>Click <strong>Apply Changes</strong>.</td>
<td>Blocks you from deploying. Disabling verifiers unblocks deployment.</td>
</tr>
</table>
## <a id="disable"></a> Disable Verifiers by Type
You can disable verifiers by verifier type. For example, you can disable all MySQL
verifiers for a tile. To disable a verifier type for a tile, you
must find and record the type, then use the Ops Manager API.
### <a id="record-type"></a> Step 1: Record the Verifier Type
To record the verifier type, do the following:
1. Log in to Ops Manager and go to **Review Pending Changes**.
1. Click **Apply Changes** and see the verifier error message.
1. Record the `type` in the verifier error message. For example,
`WildcardDomainVerifier`.
<%= image_tag("verifier-error.png", :alt=>"The Ops Manager screenshot shows the following
error: The domain '*.apps.example.com' failed to resolve,
type:WildcardDomainVerifier") %>
### <a id="api-put"></a> Step 2: Use the Ops Manager API
To disable verifiers, you must use the Ops Manager API. To get started with
the Ops Manager API, follow the procedures in [Using the Ops Manager API](./ops-man-api.html).
The API endpoint varies by tile. Go to one of the procedures below:
- [Disable Verifiers for the Bosh Director Tile](#bosh-director-disable)
- [Disable Verifiers for Other Tiles](#tile-disable)
#### <a id="bosh-director-disable"></a> Disable Verifiers for the BOSH Director Tile
To disable a verifier type for the BOSH Director, do the following:
1. Run the following API command:
```
curl "https://OPS-MAN-FQDN/api/v0/staged/director/verifiers/install_time/VERIFER-TYPE" \
-X PUT \
-H "Authorization: Bearer UAA-ACCESS-TOKEN" \
-H "Content-Type: application/json" \
-d '{ "enabled": false }'
```
Where:
- `OPS-MAN-FQDN` is the fully-qualified domain name (FQDN) for your Ops Manager deployment.
- `VERIFIER-TYPE` is the verifier type you recorded in [Step 1: Record the Verifier Type
](#verifier-type).
- `UAA_ACCESS_TOKEN` is your UAA access token. For more information, see [Access the
API](./ops-man-api.html#access-api).
For more information about this endpoint, see [Turning off a verifier for the
director](http://docs.pivotal.io/pivotalcf/2-3/opsman-api/#turning-off-a-verifier-for-the-director)
in the Ops Manager API documentation.
1. To confirm your verifier type is disabled, run the following command:
```
curl "https://OPS-MAN-FQDN/api/v0/staged/director/verifiers/install_time" \
-X GET \
-H "Authorization: Bearer UAA-ACCESS-TOKEN"
```
See that the Ops Manager API shows `false` for the verifier type you disabled. In
the following example, `DirectorConfigurationVerifer` is set to `false`:
<pre class="terminal" style="height: 300px; scroll: auto;">
{
"verifiers": [
{
"type": "AllocatedIpAddressVerifier",
"enabled": true
},
{
"type": "AvailabilityZonesVerifier",
"enabled": true
},
{
"type": "DirectorConfigurationVerifier",
"enabled": false
},
{
"type": "IaasConfigurationVerifier",
"enabled": true
},
{
"type": "NetworksExistenceVerifier",
"enabled": true
},
{
"type": "NetworksPingableVerifier",
"enabled": true
},
{
"type": "PrivilegeVerifier",
"enabled": true
}]}
</pre>
For more information about this endpoint, see [Retrieving a list of install time
verifiers for a specific
product](http://docs.pivotal.io/pivotalcf/2-3/opsman-api/#retrieving-a-list-of-install-time-verifiers-for-a-specific-product)
in the Ops Manager API documentation.
1. Record the product and the verifier type that you disabled in a secure location.
<%= vars.company_name %> recommends recording and routinely revisiting which verifiers you disable.
#### <a id="tile-disable"></a> Disable Verifiers for Other Tiles
To disable a verifier type for tiles other than the BOSH Director, do the following:
1. Run the following command and record the `guid` corresponding to your product.
```
curl "https://OPS-MAN-FQDN/api/v0/staged/products" \
-X GET \
-H "Authorization: Bearer UAA_ACCESS_TOKEN"
```
Where:
- `OPS-MAN-FQDN` is the fully-qualified domain name (FQDN) for your Ops Manager deployment.
- `UAA_ACCESS_TOKEN` is your UAA access token. For more information, see [Access the
API](./ops-man-api.html#access-api).
See the following example output:
<pre class="terminal">{[{
"installation_name": "component-type1-installation-name",
"guid": "component-type1-guid",
"type": "component-type1"
},
{
"installation_name": "p-bosh-installation-name",
"guid": "p-bosh-guid",
"type": "p-bosh"
}]}</pre>
For more information about this endpoint, see [Listing all staged
products](http://docs.pivotal.io/pivotalcf/2-3/opsman-api/#listing-all-staged-products)
in the Ops Manager API documentation.
1. To disable your verifier by type, run the following command.
```
curl "https://OPS-MAN-FQDN/api/v0/staged/products/PRODUCT-GUID/verifiers/install_time/VERIFIER-TYPE" \
-X PUT \
-H "Authorization: Bearer UAA_ACCESS_TOKEN" \
-H "Content-Type: application/json" \
-d '{ "enabled": false }'
```
Where:
- `OPS-MAN-FQDN` is the fully-qualified domain name (FQDN) for your Ops Manager deployment.
- `PRODUCT-GUID` is the GUID you recorded in the previous step.
- `VERIFIER-TYPE` is the verifier type you recorded in [Step 1: Record the Verifier Type
](#verifier-type).
For more information about this endpoint, see [Turning off a verifier for a specific
product](http://docs.pivotal.io/pivotalcf/2-3/opsman-api/#turning-off-a-verifier-for-a-specific-product)
in the Ops Manager API documentation.
1. To confirm your verifier type is disabled, run the following command.
```
curl "https://OPS-MAN-FQDN/api/v0/staged/products/PRODUCT-GUID/verifiers/install_time" \
-X GET \
-H "Authorization: Bearer UAA_ACCESS_TOKEN"
```
See that the Ops Manager API shows `false` for the verifier type you disabled. In
the following example, `MysqlDatabaseVerifier` is set to `false`:
<pre class="terminal" style="height: 300px; scroll: auto;">{
"verifiers":[
{
"type":"BlobstoreVerifier",
"enabled":true
},
{
"type":"MysqlDatabaseVerifier",
"enabled":false
},
{
"type":"SsoUrlVerifier",
"enabled":true
},
{
"type":"WildcardDomainVerifier",
"enabled":true
}]}</pre>
For more information about this endpoint, see [Retrieving a list of install time
verifiers for a specific
product](http://docs.pivotal.io/pivotalcf/2-3/opsman-api/#retrieving-a-list-of-install-time-verifiers-for-a-specific-product100)
in the Ops Manager API documentation.
1. Record the product and the verifier type that you disabled in a secure location.
<%= vars.company_name %> recommends recording and routinely revisiting which verifiers you disable.
## <a id="re-enable"></a> Re-enable Verifiers by Type
<%= vars.company_name %> recommends recording and routinely revisiting which verifiers you disable.
The Ops Manager UI does not indicate which verifiers you disable. Disabled verifiers
persist through upgrades.
To re-enable verifiers, follow the steps detailed in [Use the Ops Manager API](#api-put)
above. Instead of setting `enabled` to `false`, set it to `true`.
If you do not know what verifiers are disabled, `curl` the `verifiers` endpoint for each
installed product. For more information, see [Retrieving a list of install time verifiers
for a specific
product](http://docs.pivotal.io/pivotalcf/2-3/opsman-api/#retrieving-a-list-of-install-time-verifiers-for-a-specific-product100)
in the Ops Manager API documentation.