Daily Log for #alfresco IRC Channel

Alfresco discussion and collaboration. Stick around a few hours after asking a question.

Official support for Enterprise subscribers: support.alfresco.com.

Joining the Channel:

Join in the conversation by getting an IRC client and connecting to #alfresco at Freenode. Or you can use the IRC web chat.

More information about the channel is in the wiki.

Getting Help

More help is available in this list of resources.

Daily Log for #alfresco

2018-03-06 05:42:46 GMT <qw> hi how we can pull task from one user to other user

2018-03-06 07:01:26 GMT <kkore> how can we pull task from one user to other user ?? not in workflow

2018-03-06 08:23:21 GMT <manisha_> Hello

2018-03-06 08:24:29 GMT <manisha_> I am trying to scan the files for virus

2018-03-06 08:25:26 GMT <manisha_> so, I am exploring the Addon https://addons.alfresco.com/addons/alfresco-virus-alert

2018-03-06 08:25:28 GMT <alfbot> Title: Alfresco Virus Alert | Alfresco Add-ons - Alfresco Customizations (at addons.alfresco.com)

2018-03-06 08:25:41 GMT <manisha_> the action in this is running perfectly

2018-03-06 08:26:38 GMT <manisha_> but when I am trying to run the scheduler, it is showing the exception "Caused by: java.lang.NullPointerException at com.fegor.alfresco.services.AntivirusServiceImpl.scanFile(AntivirusServiceImpl.java:145)"

2018-03-06 08:51:12 GMT <Younes> Morning everyone

2018-03-06 08:51:16 GMT *** Younes is now known as yreg

2018-03-06 08:54:37 GMT <qwebirc78465> are there security issues installing the "Javascript console" in a production environment?

2018-03-06 08:55:50 GMT <qwebirc78465> has the console been pen-tested once ?

2018-03-06 08:55:51 GMT <Tichodroma> we use it all the time in production environment. Without it many support cases would be much harder to handle.

2018-03-06 08:58:54 GMT <MorganP> Pen test what exactly? You define which access should be needed to use it, don't you?

2018-03-06 08:59:30 GMT <yreg> qwebirc78465, one thing for sure, any one with admin rights can do way more damage to the system with it onboard than without it...

2018-03-06 09:00:20 GMT <MorganP> I would consider removing all documents as the more damage possible...

2018-03-06 09:00:31 GMT <MorganP> and it is still possible with or without the JS console

2018-03-06 09:00:32 GMT <MorganP> so

2018-03-06 09:00:46 GMT <yreg> but as Tichodroma highlighted, most of us use it in production anyway and count on the administrators not to abuse it

2018-03-06 09:01:47 GMT <yreg> MorganP, but when you have access for remote code execution you can definitely do more damage : sniffing network adding files to classpath executing malware ....

2018-03-06 09:02:29 GMT <yreg> for removed content you can have backups, but the remote code execution thingy can be a real beast

2018-03-06 09:03:57 GMT <yreg> MorganP, also when an admin does something from the repo (removing content / consulting / altering ...) such operations can't bypass audit log if configured

2018-03-06 09:04:21 GMT <MorganP> Well alf admin usually have OS access too

2018-03-06 09:04:23 GMT <yreg> while going through the code you can do whatever without leaving a single trace

2018-03-06 09:04:33 GMT <MorganP> So you can remove the audit or whatever

2018-03-06 09:04:43 GMT <MorganP> execute code too

2018-03-06 09:04:52 GMT <MorganP> so yes it is harder but clearly not unfeasible

2018-03-06 09:05:14 GMT <MorganP> If you can't trust your admin, then you should already do something about it

2018-03-06 09:05:55 GMT <yreg> MorganP, most big clients I have, have monitoring on their systems and audit trail over everything that happens on the system, so they can trace a config change to a particular user

2018-03-06 09:06:38 GMT <yreg> exactly, What I said is that most of us have it in production as well, and we trust admins not to abuse it

2018-03-06 09:07:18 GMT <MorganP> I also never use the Alfresco default permissions when I can

2018-03-06 09:07:27 GMT <MorganP> I always define my own roles

2018-03-06 09:07:44 GMT <MorganP> and there is there a kind of "sub-admin"

2018-03-06 09:08:19 GMT <MorganP> which is really useful to prevent this kind of access to be too widely given

2018-03-06 09:11:36 GMT <kkore> how can we pull task from one user to other user ??

2018-03-06 09:31:20 GMT <Tichodroma> I am still struggling with the problem I had yesterday: In a SSO/Kerberos setup a browser that has no Kerberos ticket requests CSS/JS via /share/service from /share/page?pt=login. Requests like this are returned as 401 Unauthorized with WWW-Authenticate

2018-03-06 09:31:33 GMT <Tichodroma> with WWW-Authenticate: Negotiate

2018-03-06 09:31:59 GMT <Tichodroma> This causes some browser to prompt the Basic Auth dialog which makes no sense and distracts the user.

2018-03-06 09:33:03 GMT <Tichodroma> My configuration: Extension https://bpaste.net/show/22caa4c1b9b8, inserted HTML https://bpaste.net/show/812564810e9e, Share web script description: https://bpaste.net/show/e5ba809671a9

2018-03-06 09:33:06 GMT <alfbot> Title: show at bpaste (at bpaste.net)

2018-03-06 09:34:51 GMT <Tichodroma> Yesterday some of you already had some ideas how to not insert this HTML on the login page. Sadly this part of Share is one part of Alfresco I failed to understand so far.

2018-03-06 09:35:31 GMT <Tichodroma> Do you have any idea how to *not* include the @markup of https://bpaste.net/show/812564810e9e on the login page?

2018-03-06 09:35:32 GMT <alfbot> Title: show at bpaste (at bpaste.net)

2018-03-06 09:39:37 GMT <AFaust> Tichodroma: Is there a reason you include it as literal <script> and not use the directive <@script>? Same with <link>...

2018-03-06 09:39:45 GMT <Tichodroma> no reason

2018-03-06 09:40:02 GMT <AFaust> I wonder though if <@script> can handle non-/res/ resources...

2018-03-06 09:40:33 GMT <Tichodroma> I would put the CSS/JS to /res but it is dynamically generated depending on the current user

2018-03-06 09:41:12 GMT <Tichodroma> static assets under /res of course don't trigger the 201/WWW-Authenticate: Negotiate response

2018-03-06 09:41:45 GMT <AFaust> Yeah - that's what I have in one of my customers customisation to the login page

2018-03-06 09:44:09 GMT <Tichodroma> are there any FTL conditions I could use to not include the @markup on the login page?

2018-03-06 09:47:12 GMT <AFaust> Nope - would have to do all with extension evaluator only

2018-03-06 09:48:16 GMT <Tichodroma> can you give me a hint how such an evaluator would be forumated in the extension.xml?

2018-03-06 09:48:58 GMT <Tichodroma> s/forumated/formulated/

2018-03-06 10:23:55 GMT <AFaust> Tichodroma: It would be a Java implementation and only referenced / parameterised in the extension.xml

2018-03-06 10:24:57 GMT <AFaust> Example evaluator (from Records Management): https://github.com/Alfresco/records-management/blob/master/rm-community/rm-community-share/config/alfresco/site-data/extensions/alfresco-rm-extension.xml#L35

2018-03-06 10:24:58 GMT <alfbot> Title: records-management/alfresco-rm-extension.xml at master · Alfresco/records-management · GitHub (at github.com)

2018-03-06 10:25:08 GMT <Tichodroma> thanks, I will take a look

2018-03-06 10:27:09 GMT <AFaust> Implementation: https://github.com/Alfresco/share/blob/2d4d902c1de5010e5467dbd75669638214dd686c/share/src/main/java/org/alfresco/web/extensibility/SlingshotSiteModuleEvaluator.java

2018-03-06 10:27:10 GMT <alfbot> Title: share/SlingshotSiteModuleEvaluator.java at 2d4d902c1de5010e5467dbd75669638214dd686c · Alfresco/share · GitHub (at github.com)

2018-03-06 10:35:06 GMT <Tichodroma> AFaust: That's how it is done :) Thanks, great help!

2018-03-06 10:40:12 GMT <twen> hello

2018-03-06 10:56:33 GMT *** Younes is now known as yreg

2018-03-06 11:17:01 GMT <kkore> admin can able to see all workflow tasks which are currently running server in alfresco??

2018-03-06 11:23:14 GMT <kkore> like jbpm all user task will be shown to admin if admin want to delegate task then he will forward

2018-03-06 11:23:43 GMT <kkore> in alfresco also this feature is available??

2018-03-06 11:36:18 GMT <AFaust> kkore: Well, an admin can see all the tasks in Share UI, but reassignment is filtered based on state / model.

2018-03-06 11:37:17 GMT <AFaust> kkore: But via the Repository Workflow Console an admin should always be able to reassign task, because this partially circumvents the high-level API abstraction Alfresco imposes on the workflow engine(s)

2018-03-06 11:49:18 GMT <AFaust> kkore: I believe this one is your question? https://community.alfresco.com/thread/236029-admin-can-able-to-see-all-workflow-tasks-which-are-currently-running-server

2018-03-06 11:49:20 GMT <alfbot> Title: admin can able to see all workflow tasks which ... | Alfresco Community (at community.alfresco.com)

2018-03-06 11:49:28 GMT <kkore> AFaust: In share UI where all workflow task are visible and in workflow console how to reassign task ??

2018-03-06 11:50:03 GMT <AFaust> Type "help" in workflow console and you will see all the commands that are available. "How to reassign task" => by using these commands.

2018-03-06 11:50:10 GMT <kkore> AFaust:Yes its me

2018-03-06 11:53:09 GMT <AFaust> It is typically a good idea to wait a bit for an answer before plastering a question somewhere else. I hope you will remember to put a summary of the things you are being told in other platforms and however you finally solved your specific issue in that thread so others can benefit. There are few things that are worse than a question without any reply / solution on it.

2018-03-06 12:01:55 GMT <kkore> AFaust: surely from next time onwards

2018-03-06 12:27:50 GMT <kkore> AFaust: update task activiti$187046 cm:owner=kumar

2018-03-06 12:28:25 GMT <kkore> if I use that getting owner not found

2018-03-06 12:29:59 GMT <kkore> var {http://www.alfresco.org/model/content/1.0}owner not found. like this

2018-03-06 13:45:57 GMT <AFaust> kkore: I guess that is just a weird detail of the workflow console - I believe you must first list the variables before you can update them...

2018-03-06 15:38:10 GMT <hi-ko> yet another try: did anybody succeed to work around ALF-21521 in Alfresco 5.2 to fall back to basic auth in kerberos sso config?

2018-03-06 15:38:51 GMT <hi-ko> to get external users involved with webdav / aos?

2018-03-06 15:40:55 GMT <hi-ko> the work around (deactivate global auth filter) is still working for CMIS but not for webdav / aos

2018-03-06 15:44:47 GMT <AxelFaust> hi-ko: Why not simply have a second servlet mapping for webdav without SSO filters?

2018-03-06 15:45:29 GMT <AxelFaust> Though for AOS that would be difficult with the generated "Edit in Office" link..

2018-03-06 15:47:49 GMT <hi-ko> <AxelFaust> you mean it should work to (additionally) register webdav with basic auth filter?

2018-03-06 15:48:28 GMT <AxelFaust> I don't see a reason why it shouldn't. Again, AOS might be a different beast due to the nasty MS-specific / proprietary implementation

2018-03-06 15:49:09 GMT <hi-ko> Unfortunately the jira tickets are closed as 'not a bug' without any comment: https://issues.alfresco.com/jira/browse/MNT-17858

2018-03-06 15:49:56 GMT <AxelFaust> Ideally though, Alfresco / the community should consider implementing an "Aggregating SSO authentication filter" which supports pluggable mechanisms and could support NEGOTIATE / BASIC / XYZ at the same time...

2018-03-06 15:50:00 GMT <hi-ko> but I don't see a solution for organisations having sso in place trying to include external users

2018-03-06 15:50:39 GMT <AxelFaust> The current split in subsystem-provided filters is a bit moronic and blocks such a composite use case as yours.

2018-03-06 15:51:15 GMT <hi-ko> totally agree. There are lots of jira tickets comlaining for fall back strategies from NEGOTIATE to BASIC and or different stack elements

2018-03-06 15:51:46 GMT <hi-ko> s/comlaining/complaining/

2018-03-06 15:52:24 GMT <hi-ko> but: what is the reason why kerberos auth does not support chaining?

2018-03-06 15:52:43 GMT <hi-ko> when configured in sso mode?

2018-03-06 15:52:54 GMT <AxelFaust> Even for NEGOTIATE, Alfresco could support the NTLMSSP variant (non-Kerberos) against the local database by combining calls to different mechanisms backends in a global filter

2018-03-06 15:53:25 GMT <AxelFaust> SSO in Alfresco has never supported chaining - the first in the chain to support SSO wins.

2018-03-06 15:53:35 GMT <AxelFaust> Provided SSO is enabled...

2018-03-06 15:53:50 GMT <AxelFaust> I.e. you could never combine passthru with kerberos either...

2018-03-06 15:53:51 GMT <hi-ko> wrong assumptions ... :(

2018-03-06 15:54:32 GMT <hi-ko> passthru is out of the game since alfresco doesn't support to be a domain member

2018-03-06 15:55:04 GMT <AxelFaust> Well - that isn't really an issue - more that NTLMv1 is extremely insecure and not recommended

2018-03-06 15:55:31 GMT <hi-ko> I'll try your suggestion with an additional filter mapping for dav

2018-03-06 16:03:10 GMT <hi-ko> AxelFaust: given NTLMv1 is not an option ;-)

2018-03-06 16:05:35 GMT <hi-ko> <AxelFaust> maybe the first use case for your cluster I agree on to have two alfresco repos running with different auth stacks ;-)

2018-03-06 16:07:25 GMT <AxelFaust> I had an employee of a customer in the AD / SSO team recently suggest that we should provide an alternative entrypoint URL for their Azure SSO use case, since that we currently cannot get that to work with Alfresco...

2018-03-06 16:07:48 GMT <AxelFaust> That entrypoint would be used to work with SAML instead of Kerberos (Azure SSO also supports SAML)

2018-03-06 16:08:30 GMT <AxelFaust> Of course that would also mean adding new server(s) to the cluster since the Alfresco SAML module cannot coexist with any of the other authentication methods.

2018-03-06 16:09:22 GMT <AxelFaust> After I already told him that is quite unreasonable and not an option in the short term, he came back with that suggestion end of last week.

2018-03-06 16:10:05 GMT <hi-ko> similar problem. SAML / Shibboleth is a today common use case in larger orgs but if we don't support fall back to basic or digest it's also not a solution

2018-03-06 16:10:09 GMT <AxelFaust> End of the story: Today I have written an "AzureWorkaroundSSOAuthenticationFilter" for Share to support both internal (regular) Kerberos and the Azure-specific Kerberos use case

2018-03-06 16:10:46 GMT <AxelFaust> In the latter case we simply extract the user name from Kerberos and forward to Alfresco using HTTP header + "external" authentication subsystem

2018-03-06 16:11:22 GMT <hi-ko> nice ;-) so you combine kerberos with external approach

2018-03-06 16:11:57 GMT <AxelFaust> right - and save me the Kerberos delegation step in Share, where the Azure stuff fails...

2018-03-06 16:12:03 GMT <hi-ko> but unfortunately no solution for my use case :-(

2018-03-06 16:12:38 GMT <AxelFaust> Yeah - just a long-winded way of saying "I understand and share in your pain of handling SSO"

2018-03-06 16:14:44 GMT <AxelFaust> It'll be interesting to see in how far the planned Alfresco Common Authentication Services (or whatever it is going to be called) will actually support real-life use cases instead of just the "current best practice approach" or large, homogeneous organisations...

2018-03-06 16:15:02 GMT <AxelFaust> s/or/for/

2018-03-06 16:15:30 GMT <hi-ko> Today/yesterday we had the discussion about the changes in 6.0: longterm desupport for MT, Activity, Share. So we had the idea to also remove transformations, search, Auth subsystems and then we have a painless, scalable dms but without any use case

2018-03-06 16:16:19 GMT <hi-ko> I bet these upcoming changes will play only in EE

2018-03-06 16:16:36 GMT <AxelFaust> I mean, Search and Transformations are already sort-of "removed"... Search with SOLR is already external and Transformations exist via the Transformation Server (though proprietary only)

2018-03-06 16:17:51 GMT <hi-ko> I don't agree: transformations are not external as long they block threads and solr is a nightmare without features in terms of dms

2018-03-06 16:17:59 GMT <AxelFaust> And search + auth are already part of the "Common XY Services" collection of components that will be generalised between Alfresco Content / Process Services

2018-03-06 16:19:28 GMT <AxelFaust> I did not realise your definition of "remove XY" implicitly required that those features be non-blocking. Would be interesting to know how this should work for search / auth.

2018-03-06 16:22:00 GMT <AxelFaust> I agree on most of the issues with long running transformations, but if a request requires the result to be delivered as the response, I don't see a problem with it being blocked while it is being worked on a different server. The problem with this is primarily that the clients should never force / request access to a transformed content in a way that does not work with queuing and asynchronicity...

2018-03-06 16:22:04 GMT <hi-ko> ok. we should separate the discussion: remove blocking/not scaling concepts and concepts not meeting business driven use cases like the solr integration which only document centric not supporting context or auth not supporting a stack

2018-03-06 16:23:33 GMT <hi-ko> blocking requests: there are better patterns in place to simulate synchron response without spawning new blocking threads.

2018-03-06 16:23:48 GMT <AxelFaust> With Alfresco focus being on pure content services, I doubt that we'll ever see any context support in search...

2018-03-06 16:24:44 GMT <hi-ko> but many other dms systems support that which causes a lot of frustration on business users side

2018-03-06 16:25:21 GMT <AxelFaust> Sure, there are better patterns to deal that - but they also need to work within the confines of the web application container, and as far as I am aware, there is no support in Tomcat to suspend a request in a thread, and process another one while waiting on an asynch result of a transformation...

2018-03-06 16:25:49 GMT <hi-ko> the only work around we have today in alfresco is to copy metadata down on every node or to overwrite the solr tracker to copy all relevant metadata to the solr doc

2018-03-06 16:26:23 GMT <AxelFaust> true, though that is the "only work around" with out-of-the-box tooling

2018-03-06 16:27:10 GMT <AxelFaust> In one customer project I used AOP to collect "inherited properties" based on associations / parent-child relationships, which transparently copied the metadata without data redundancy on the DB

2018-03-06 16:27:33 GMT <AxelFaust> Worked on the NodeDAO layer, so it was transparent for both regular API and SOLR tracker.

2018-03-06 16:27:48 GMT <hi-ko> and that's the beginning of the idea to remove alfresco's search system and to solve everything in the database incl. fulltext

2018-03-06 16:27:48 GMT <AxelFaust> Only thing that was - of course - not supported was Transactional Metadata Queries...

2018-03-06 16:28:57 GMT <hi-ko> but your "inherited properties" produces a lot of redundant data in solr, right?

2018-03-06 16:30:03 GMT <AxelFaust> Depends on what you call "redundant" in SOLR. It does not increase the size of the index significantly, since all of the same terms have already been indexed for other (master) nodes. The only thing that grows are the term-to-doc reference lists

2018-03-06 16:30:45 GMT <hi-ko> not to keep this discussion in IRC only we should collect ideas and concepts in a common blog roll or in a bee wiki to plan required steps and budgets.

2018-03-06 16:31:51 GMT <hi-ko> So it would be a very nice blog article describing your work done with "inherited properties".

2018-03-06 16:33:48 GMT <hi-ko> We follow another approach: we move as much metadata out of alfresco as possible to support relational like concepts and relations to data managed in other systems

2018-03-06 16:34:13 GMT <AxelFaust> Hehe, I have been planning to either revive my personal blog or use the new community platform for such posts for a while now. So far, I have not been able to find the time to deal with any of this...

2018-03-06 16:34:51 GMT <AxelFaust> Yeah, we talked about your master data hub a couple of times if I remember...

2018-03-06 16:35:44 GMT <AxelFaust> of course such concepts can be combined... as far as I understood, you do not expose the external data in Alfresco via properties, but have special form controls to show it loaded from the external source

2018-03-06 16:36:07 GMT <AxelFaust> the inherited properties / AOP thingy could make them transparent 1st class properties, provided a mapping exists...

2018-03-06 16:36:59 GMT <hi-ko> exactly. some day we may need to implement an independent company wide search engine also supporting document resources and metadata from alfresco ...

2018-03-06 16:39:20 GMT <hi-ko> but having the restriction of lucene/solr in mind I would prefer to use a full text aware, scalable relational db.

2018-03-06 16:40:37 GMT <hi-ko> <AxelFaust> thanks for sharing ideas, let's continue on that ...

2018-03-06 16:53:18 GMT <alfbot> angelborroy: Sent 1 day, 3 hours, and 51 minutes ago: <hi-ko> alf-21757-repo

2018-03-06 19:14:00 GMT <eswbitto> Hello fellow humans, I'm wondering if there is a way to restrict the search functionality in alfresco to where the user can only search items that they have access to. Right now when users do a search they get results of files/folders from Repository. I want to limit their search to only Sites they are a part of and files/folders they have access to.

2018-03-06 22:10:43 GMT <AFaust> eswbitto: Not sure I understand - search is always only restricted to those files / folders they have access to, i.e. read permission... By default that happens to include files / folders in Repository too which are of public visibility.

2018-03-06 22:13:44 GMT <AFaust> But if you want / need to filter based on specific locations (like sites), then I would advise you to introduce some transparent filter queries using PATH or SITE...

2018-03-06 22:14:25 GMT <AFaust> If you are dealing with the faceted-search page (Aikau), you may have to extend the SearchService / AlfSearchList widget and transparently add these filters to the search payload (in addition to selected facets).

2018-03-06 22:14:54 GMT <AFaust> Or you override the Repository-tier search.get.js via the extension path and add those filters there (might be simpler)

2018-03-06 22:25:55 GMT <eswbitto> AFaust I had users telling me that they did search results that included files that they shouldn't have had access to. Turns out they had permissions set incorrectly. So that part is fine, the main part is the amount of search results....instead of 1000's of results I want like....200. I hate it that it defaults to the repository (users don't understand what repository is).

End of Daily Log

The other logs are at http://esplins.org/hash_alfresco