Daily Log for #alfresco IRC Channel

Alfresco discussion and collaboration. Stick around a few hours after asking a question.

Official support for Enterprise subscribers: support.alfresco.com.

Joining the Channel:

Join in the conversation by getting an IRC client and connecting to #alfresco at Freenode. Our you can use the IRC web chat.

More information about the channel is in the wiki.

Getting Help

More help is available in this list of resources.

Daily Log for #alfresco

2019-08-07 06:17:12 GMT <alfresco-discord> <bhagyas> I jumped into this ad today as well and I'm not very sure if this message is shown to the right audience. Maybe the posted could have tried LinkedIn instead 😉

2019-08-07 06:18:01 GMT <alfresco-discord> <bhagyas> It's also asking if I'm speaking French and I feel hurt :p

2019-08-07 06:19:52 GMT <alfresco-discord> <bhagyas> Asking about learning another european language after you learn another three is a little too much xD

2019-08-07 06:52:24 GMT <alfresco-discord> <lars> @dgradecak I don't think so. Mostly because we want/need to support everything from Alfresco 4.2 onwards. And there just isn't any public API that has enough functionality and is available in all those versions.

2019-08-07 07:14:48 GMT <alfresco-discord> <dgradecak> @lars sure that make sense

2019-08-07 08:16:31 GMT <angelborroy> Hey

2019-08-07 08:16:52 GMT <angelborroy> We’re starting to define how custom associations can be indexed in SOLR

2019-08-07 08:17:15 GMT <angelborroy> Any feedback from you will be appreciated

2019-08-07 08:17:35 GMT <angelborroy> FTS language will allow expressions like:

2019-08-07 08:17:36 GMT <angelborroy> ASSOC:'qname' AND TARGETID:'NodeRef'

2019-08-07 08:17:42 GMT <angelborroy> ASSOC:'qname' AND SOURCEID:'NodeRef'

2019-08-07 08:17:49 GMT <angelborroy> And CMIS QL language:

2019-08-07 08:17:55 GMT <angelborroy> SELECT cmis:objectId FROM assoc:custom WHERE cmis:sourceId=NodeRef

2019-08-07 08:18:00 GMT <angelborroy> SELECT cmis:objectId FROM assoc:custom WHERE cmis:targetId=NodeRef

2019-08-07 08:18:08 GMT <angelborroy> Let me know your opinion on this

2019-08-07 08:18:09 GMT <angelborroy> Thanks

2019-08-07 08:20:42 GMT <angelborroy> Or even:

2019-08-07 08:20:42 GMT <angelborroy> SELECT cmis:objectId FROM cmis:document AS D JOIN assoc:custom AS A ON D.cmis:objectId = A.cmis:sourceId

2019-08-07 08:29:46 GMT <AFaust> angelborroy: Hmm, in FTS I would really like something simple for associations, e.g. similar to the d:content mimetype/size/locale meta-fields, I would like to be able to do conditions like cm:original.target:"<nodeRef>" or cm:original.source:"<nodeRef>"

2019-08-07 08:30:03 GMT <AFaust> And don't forget TMQ support, because that should be really trivial and obvious to do.

2019-08-07 08:32:10 GMT <AFaust> For child-associations, there should be a way to do cm:contains.child:"<nodeRef>" or cm:contains.parent:"<nodeRef>", which would be way more precise than the current PARENT field.

2019-08-07 08:32:22 GMT <angelborroy> So

2019-08-07 08:32:23 GMT <angelborroy> ASSOC:'qname' AND cm:original.target:'NodeRef'

2019-08-07 08:33:13 GMT <AFaust> Noo... no ASSOC should be necessary, because that is already part of the second condition (the assoc is cm:original)

2019-08-07 08:33:23 GMT <angelborroy> ah, ok

2019-08-07 08:34:15 GMT <AFaust> For child-associations, you may have to consider the special case of wanting to look for a parent/child with a specific NodeRef AND a specific qname for the relation. That might get tricky

2019-08-07 08:34:43 GMT <AFaust> But you could support high level and low-level fields for that

2019-08-07 08:35:03 GMT <angelborroy> I think that child-associations are out of scope for now

2019-08-07 08:35:08 GMT <angelborroy> But good to know

2019-08-07 08:35:27 GMT <AFaust> Well, if you are going to tackle associations, you should do a complete job and tackle child associations as well.

2019-08-07 08:35:39 GMT <AFaust> Not the typical half-assed Alfresco thing...

2019-08-07 08:35:50 GMT <angelborroy> Don’t make me explain you internals :-P

2019-08-07 08:35:58 GMT <AFaust> You don't have to...

2019-08-07 08:36:49 GMT <AFaust> I am just doing my community duty of reminding an Alfresco person (albeit a Community-turned-Alfresco one) of the typical short comings of their engineering process that we all "dislike"

2019-08-07 08:37:43 GMT <angelborroy> CMIS notation is fine?

2019-08-07 08:37:44 GMT <angelborroy> SELECT cmis:objectId FROM cmis:document AS D JOIN assoc:custom AS A ON D.cmis:objectId = A.cmis:sourceId

2019-08-07 08:37:54 GMT <AFaust> And honestly, it would be way less effort to do it now, then to have someone re-investigate and plan this in 4-5 years time....

2019-08-07 08:38:37 GMT <angelborroy> Let’s see if I can launch this story this year…

2019-08-07 08:38:42 GMT <AFaust> CMIS notation looks fine. I mean, you have way less freedom there due to the spec already defining how relations are to be modelled

2019-08-07 08:39:08 GMT <angelborroy> Ok, I’ll keep you posted

2019-08-07 08:39:22 GMT <angelborroy> Currently we are only investigating the feature

2019-08-07 08:49:00 GMT <alfresco-discord> <bhagyas> Does anyone have tips on overriding a subsystem bean in Alfresco?

2019-08-07 08:49:01 GMT <AFaust> While you are investigating that, I am checking if we (team at my customer) can port our SOLR 4 adaptions over to ASS by just recompiling against new API versions...

2019-08-07 08:49:33 GMT <AFaust> bhagyas: Yes, do it via a *context.xml in the extension directory using the specific instance config path...

2019-08-07 08:49:56 GMT <angelborroy> AFaust I didn’ test that, but let me know if I can help

2019-08-07 08:49:59 GMT <AFaust> Any more specific things you want a tip on?

2019-08-07 08:50:13 GMT <angelborroy> Not really

2019-08-07 08:50:21 GMT <AFaust> angelborroy: So far it looks really straightforward. SOLR hasn't changed that much at all..

2019-08-07 08:50:22 GMT <alfresco-discord> <bhagyas> Thats exactly how i tried, but doesn't seem to work 😄

2019-08-07 08:51:18 GMT <angelborroy> bhagyas you can always use the PostProcessor approach

2019-08-07 08:51:21 GMT <AFaust> bhagyas: It has worked in all cases I had to use in all these years. In some subsystems, it can be a bit tricky to find the correct instance path for the override due to default names only defined in source.

2019-08-07 08:51:38 GMT <alfresco-discord> <bhagyas> I'm trying to override the Authentication/alfrescoNtlm

2019-08-07 08:51:52 GMT <alfresco-discord> <bhagyas> authenticationComponent bean 😐

2019-08-07 08:52:09 GMT <AFaust> Yeah, PostProcessor would work as well... But would have to be registered similarily in a specific instance path in extension, unless you want to apply the same override to all instances globally...

2019-08-07 08:52:44 GMT <alfresco-discord> <bhagyas> I'm not sure about the PostProcessor approach, since subsystems have an isolated context

2019-08-07 08:52:56 GMT <AFaust> (of course, if you make the post processor configurable via properties, a global addition would not be so problematic)

2019-08-07 08:53:20 GMT <AFaust> PostProcessors work just the same in the isolated subsystem context as they do in the default context.

2019-08-07 08:53:31 GMT <alfresco-discord> <bhagyas> hmm

2019-08-07 08:53:49 GMT <AFaust> Using a post processor in my simple content stores addon to dynamically generate bean definitions in the subsystem context

2019-08-07 08:55:05 GMT <alfresco-discord> <bhagyas> going through it now

2019-08-07 08:55:08 GMT <angelborroy> @bhagyas something like following doesn’t work?

2019-08-07 08:55:09 GMT <angelborroy> alfresco/extension/subsystems/Authentication/alfrescoNtlm/alfrescoNtlm1/custom-context.xml

2019-08-07 08:56:09 GMT <alfresco-discord> <bhagyas> @angel.borroy wouldn't that mean it's going to be needed to be configured separately?

2019-08-07 08:56:28 GMT <alfresco-discord> <bhagyas> I want to override the 'real' auth context bean

2019-08-07 08:56:37 GMT <angelborroy> ah, ok

2019-08-07 08:56:40 GMT <alfresco-discord> <bhagyas> let me give some context

2019-08-07 08:56:53 GMT <alfresco-discord> <bhagyas> so, we got this Alfresco 2FA add-on we've built over the years

2019-08-07 08:57:44 GMT <alfresco-discord> <bhagyas> right now, we have a chaining subsystem, that can validate the user on other authentication systems before trying the 2FA authentication

2019-08-07 08:58:11 GMT <alfresco-discord> <bhagyas> but the caveat is that users can bypass the 2fa to use FTP or basic http auth endpoints

2019-08-07 08:58:51 GMT <alfresco-discord> <bhagyas> so, thinking of introducing a new config flag for admins to disallow unsafe (non-2fa) endpoints

2019-08-07 08:59:24 GMT <alfresco-discord> <bhagyas> but in order for the flag to work, you have to override the core AuthenticationContextImpl

2019-08-07 08:59:36 GMT <alfresco-discord> <bhagyas> and that has been done already

2019-08-07 09:00:10 GMT <alfresco-discord> <bhagyas> but this breaks the chained subsystem auth validation

2019-08-07 09:00:35 GMT <alfresco-discord> <bhagyas> because it tries the auth with basic auth in order to make sure user is trying to auth for real

2019-08-07 09:01:01 GMT <AFaust> IMHO the 2FA add-on should probably be its separate type of Authentication subsystem, not modify one of the default types. It could still "inherit" from the default by using Spring include directive. And then the admin would have the choice to only enable the "safer" 2FA subsystem by only including it in the chain, and not any of the default type(s)

2019-08-07 09:01:37 GMT <alfresco-discord> <bhagyas> so I need to find a way to let the authComponent know that it's okay to bypass 2FA when its invoked through a chained subsystem

2019-08-07 09:02:47 GMT <alfresco-discord> <bhagyas> AFaust, that's exactly how its implemented right now

2019-08-07 09:03:30 GMT <alfresco-discord> <bhagyas> but the chained auth service methods are hardwired to accept on username/password as params

2019-08-07 09:05:07 GMT <alfresco-discord> <bhagyas> and unless I wanted to meddle with a way to encoding a 2fa code inside a username or password (which would probably work) i wanted to do it the proper way (by using actual java code to extend)

2019-08-07 09:06:06 GMT <alfresco-discord> <bhagyas> :[

2019-08-07 09:09:59 GMT <alfresco-discord> <bhagyas> the crazy side of things is that the chained authentication is a subclass of auth component on its own

2019-08-07 09:13:30 GMT <alfresco-discord> <bhagyas> https://cdn.discordapp.com/attachments/451644531323174914/608588520793178167/unknown.png

2019-08-07 09:13:59 GMT <alfresco-discord> <bhagyas> The two factor auth component is the auth component with an additional key param

2019-08-07 10:44:03 GMT <alfresco-discord> <dgradecak> @angelborroy with querying on associations it would almost become a graph db

2019-08-07 10:45:17 GMT <alfresco-discord> <dgradecak> I once did an "indexing" into neo4j with nodes associations and if you add this than itwo uld become quite powerful

2019-08-07 10:50:26 GMT <Tichodroma> Given a model with a type based on cm:content and some properties which is already deployed and used. Will it break things if I introduce an aspect and move the properties to this aspect? Will existing nodes of the type keep the properties or will this caues an error?

2019-08-07 10:59:44 GMT <alfresco-discord> <dgradecak> should not cause any error, although search by the new aspect on old nodes will not work but you know that ... not aware of any other issues but might be

2019-08-07 11:11:41 GMT <Tichodroma> OK, I will try this.

2019-08-07 11:47:04 GMT <AFaust> Maybe I should have asked here before my tweet (I had customer check support portal for info and that came up empty), but does anyone of you know how you / we are supposed to be able to integrate APS 1.9.x with ACS 6.x when using non-Keycloak SSO without using the discontinued Connector module?

2019-08-07 11:48:54 GMT <AFaust> We don't actually need the Share UI integration as we link directly to APS UI for working with processes, but the underlying Repository integration would still be required to handle the authentication secret handshake for users.

2019-08-07 11:49:37 GMT <AFaust> Otherwise every user will have to start managing their AD password in their APS user account, which certainly is a duplication that no one will accept.

2019-08-07 11:54:13 GMT <AFaust> Come to think of it. Even with Keycloak SSO, I can't find any code in the APS product that would enable any integration with ACS without having to separately maintain the user credentials in APS. There is no server-side code for passing any OIDC Bearer token to ACS, and the CMIS code always wants to use HTTP BASIC with ROLE_TICKET authentication...

2019-08-07 11:55:04 GMT <AFaust> Has APS 2.x really been delayed so long that there actually is no support currently for integrating any official APS releases with Alfresco 6.x?

2019-08-07 11:57:37 GMT <alfresco-discord> <dgradecak> same question here 😦

2019-08-07 11:58:24 GMT <alfresco-discord> <digcat> maybe @Francesco Corti can you help on the above points ?

2019-08-07 11:59:55 GMT <AFaust> Since the old connector was based almost entirely on web scripts with shared secrets, I think it is still compatible with 6.x and newer, and the only thing we may have to patch / override in the AMP is the module.properties file to change the declared repo.max.version

2019-08-07 12:00:42 GMT * AFaust gets out his handy decompiler to check for any compatibility issues in the JAR...

2019-08-07 12:02:30 GMT <AFaust> Oh my god... that was a mistake. First class I open and I almost get a heart attack by seeing something violating even the most simplest, basic and common patterns in Alfresco module development...

2019-08-07 12:04:12 GMT <AFaust> How do you guys register i18n bundles relevant for an Alfresco extension? (Just asking to see if someone else uses the same approach as I have just seen...)

2019-08-07 12:11:27 GMT <angelborroy> like this?

2019-08-07 12:11:27 GMT <angelborroy> https://github.com/keensoft/alfresco-esign-cert/tree/master/esign-cert-repo/src/main/amp/config/alfresco/module/esign-cert-repo/messages

2019-08-07 12:11:28 GMT <alfbot> Title:alfresco-esign-cert/esign-cert-repo/src/main/amp/config/alfresco/module/esign-cert-repo/messages at master · keensoft/alfresco-esign-cert · GitHub (at github.com)

2019-08-07 12:11:55 GMT <angelborroy> https://github.com/keensoft/alfresco-esign-cert/blob/master/esign-cert-repo/src/main/amp/config/alfresco/module/esign-cert-repo/context/bootstrap-context.xml#L15

2019-08-07 12:11:56 GMT <alfbot> Title:alfresco-esign-cert/bootstrap-context.xml at master · keensoft/alfresco-esign-cert · GitHub (at github.com)

2019-08-07 12:12:17 GMT <AFaust> Yeah, that is how I usually do it too...

2019-08-07 12:12:29 GMT <angelborroy> And what are you seeing?

2019-08-07 12:13:42 GMT <AFaust> I may tell later. Would like to see if maybe someone proves me wrong and demonstrate that what I have seen is not so "uncommon" as I consider it to be...

2019-08-07 12:15:03 GMT <AFaust> In the meantime, I can at least report I have seen some hard-coded magic CSRF tokens in the code in other places, because they could not be arsed to create a proper exemption from CSRF protection for a specific endpoint in APS...

2019-08-07 13:11:54 GMT <alfresco-discord> <dgradecak> for theb undles I do the same as angel shown of course, from the top of my head, for workflows I think you can define them in the workflow deployer bean etc, but it is the same thing as this

2019-08-07 13:12:20 GMT <alfresco-discord> <dgradecak> maybe that APS integration module is too advanced to be understood by simple mortals

2019-08-07 13:13:10 GMT <AFaust> Oh, it is quite trivial for the most part.

2019-08-07 13:14:11 GMT <alfresco-discord> <Francesco Corti> AFaust, @digcat happy to share info that I might know. AFaust do you still need an answer to any question?

2019-08-07 13:16:46 GMT <alfresco-discord> <dgradecak> @Francesco Corti the salesman never contacted me ... 😦

2019-08-07 13:17:09 GMT <alfresco-discord> <dgradecak> I am not AFasut but ... since you are there 😉

2019-08-07 13:19:59 GMT <alfresco-discord> <dgradecak> anyone know of a picker in share that shows values from a category?

2019-08-07 13:20:31 GMT <alfresco-discord> <dgradecak> instead of the category pciekr ... I mean a combo box list

2019-08-07 13:22:06 GMT <AFaust> Anyhow... Instead of using a message bootstrap bean, the guys used a different approach. The module has two Repository actions, which need i18n for their parameters. They actually register their i18n bundles via a method call from the action "addParameterDefinitions" methods (each of them) right before they call getParamDisplayLabel

2019-08-07 13:22:42 GMT <alfresco-discord> <dgradecak> where did you get the sources from ?

2019-08-07 13:22:44 GMT <AFaust> They even register the same bundle in each of these calls - and they register it every time the method gets called, which can be more than once for each action depending on internal caching of the action parameters list

2019-08-07 13:23:13 GMT <AFaust> Decompiler... Just had customer create a support issue to get the actual sources, so we can include the project into our code structure, and maintain it ourselves.

2019-08-07 13:23:29 GMT <alfresco-discord> <dgradecak> great 😄

2019-08-07 13:24:04 GMT <alfresco-discord> <dgradecak> maybe the decompiler did some optimisations 😉

2019-08-07 13:25:09 GMT <AFaust> Francesco Corti: My only question would be if you guys are aware that APS 1.9 does not work with ACS 6.x unless customer / users are willing to redundantly store their access credentials in APS? Even with AIS / Keycloak the integration is incomplete / lacking...

2019-08-07 13:26:09 GMT <alfresco-discord> <dgradecak> I was asking that same question months ago

2019-08-07 13:26:45 GMT <alfresco-discord> <dgradecak> and I thought that I must be so blind because I could not believe there is nothing like that yet

2019-08-07 13:27:18 GMT <alfresco-discord> <dgradecak> and as far as I remember, the answer was, we do not support SSO for APS/ACS ...

2019-08-07 13:28:58 GMT <AFaust> After they made such a big deal about AIS / Keycloak, that would be a moronic statement...

2019-08-07 13:29:09 GMT <alfresco-discord> <digcat> wow, can you remember who said that ? afaik @Francesco Corti has the mantle of APS now, so think he is working hard to get that straight and would im sure be glad for constructive input

2019-08-07 13:29:45 GMT <alfresco-discord> <dgradecak> I am talking about APS 1.x

2019-08-07 13:33:22 GMT <alfresco-discord> <digcat> so will alfresco help with upgrade from 1.x to 2.x ie provide an upgrade path

2019-08-07 13:35:15 GMT <alfresco-discord> <digcat> as i understood it, its better to do anything to wait till 2.x arrives, if possible

2019-08-07 13:35:47 GMT <alfresco-discord> <digcat> although i have to admit using flowable has been a pleasure

2019-08-07 13:35:49 GMT <alfresco-discord> <dgradecak> that is what I understood too ... but till when?

2019-08-07 13:36:02 GMT <alfresco-discord> <digcat> yep, thats the question for @Francesco Corti

2019-08-07 13:42:55 GMT <alfresco-discord> <dgradecak> my question might been missed: is there a way to show category (sub categories) values in a combo box (single/multivalue)?

2019-08-07 13:43:04 GMT <alfresco-discord> <dgradecak> without custom dev

2019-08-07 13:43:59 GMT <alfresco-discord> <dgradecak> and in share

2019-08-07 13:49:48 GMT <alfresco-discord> <Francesco Corti> AFaust we are aware.

2019-08-07 13:51:14 GMT <alfresco-discord> <Francesco Corti> (and it is a shame)

2019-08-07 13:51:46 GMT <alfresco-discord> <Francesco Corti> THe official position is that APS + ACS 6.1+ can work only together with AIS.

2019-08-07 13:53:59 GMT <AFaust> Which is a lie...

2019-08-07 13:54:01 GMT <alfresco-discord> <Francesco Corti> In terms of upgrade path from APS 1.x to ... the new BPM. The official position is not out yet, but I'm pretty sure they will be totally different... two different products (sharing the deep core), so it will be more a suggestion on how to migrate from one to the other. Infact, it won't be named as APS 2.x, but something different.

2019-08-07 13:54:36 GMT <alfresco-discord> <Francesco Corti> AFaust... mmm... where exactly.

2019-08-07 13:54:39 GMT <AFaust> Because even for that there is a backend integration missing which handles user authentication for publish tasks / form + process modellers

2019-08-07 13:55:42 GMT <AFaust> The only way APS + ACS 6.1 work is when each user explicitly stores the credentials which should be used for accessing ACS in APS

2019-08-07 13:56:08 GMT <alfresco-discord> <Francesco Corti> Yes, yes, I thought it was clear, but it is not probably.

2019-08-07 13:56:39 GMT <alfresco-discord> <Francesco Corti> Users must exist in all the three systems and the SSO then can work.

2019-08-07 13:56:39 GMT <AFaust> When a customer reads "work only together with AIS", they expect not to have to enter their credentials redundantly

2019-08-07 13:57:27 GMT <alfresco-discord> <Francesco Corti> It will happen with the next generation of BPM. ACS will continue to have its own repo for users... in the mid term.

2019-08-07 13:57:40 GMT <alfresco-discord> <Francesco Corti> Sorry.. it will NOT happen with the new BPM

2019-08-07 13:58:23 GMT <AFaust> Even if the user exists in all three systems, it will not work. How is APS passing on the identity? The code uses either stored credentials or the magic "trust me" feature of the connector module with the shared secret, which is not available in ACS 6.1

2019-08-07 13:59:28 GMT <AFaust> Unless I am missing some critical piece of code that passes on a Bearer token

2019-08-07 13:59:50 GMT <alfresco-discord> <Francesco Corti> Sorry, I'm not aware about this level of detail for APS 1 (I'm currently working on the new BPM beast) ... but I'm aware more than one customer is using it.

2019-08-07 14:00:15 GMT <alfresco-discord> <Francesco Corti> (also for relevant environments)

2019-08-07 14:00:20 GMT <alfresco-discord> <Francesco Corti> (and use cases)

2019-08-07 14:01:25 GMT <alfresco-discord> <Francesco Corti> AFaust : Dennis Koch is an expert on this. I think he can help

2019-08-07 14:01:47 GMT <alfresco-discord> <Francesco Corti> Let me know if someone has precise questions... I'm happy to ask him

2019-08-07 14:03:32 GMT <AFaust> Well, since Dennis also works in Support, he may see that customer support issue

2019-08-07 14:08:26 GMT <AFaust> Since we will neither wait for not consider to switch to APS 2.x any time soon, and we also may not deploy AIS / Keycloak anytime soon, we will probably just adapt the old AMP ourselves and continue to use that in ACS 6.1

2019-08-07 14:09:07 GMT <AFaust> not -> nor

2019-08-07 14:10:34 GMT <AFaust> And maybe I will add an APS sub-module to my Keycloak integration project to implement proper OIDC authentication integration with access token / client credentials delegation via CMIS...

2019-08-07 14:13:49 GMT <alfresco-discord> <IanW> Seems like you'd end up with 2x Keycloak both delegating up to a third, corporate SSO solution - messy, and a bit of a nightmare for maintenance, but would work...

2019-08-07 14:16:27 GMT <alfresco-discord> <IanW> But seeing as I'm abandoning Activiti and daren't go to version 6 (yet at least) I won't worry....

2019-08-07 14:24:51 GMT <AFaust> IanW: I did not mean Keycloak delegating to Keycloak, but APS using a token (from the authentication user performed to access APS), to obtain an access token for the backend access to ACS "in the name of" the user. All using the same Keycloak service.

2019-08-07 14:26:01 GMT <AFaust> User has already been authenticated by that point, so there would be no delegation to corporate SSO or whatever, just a request to obtain a token which ACS can then use to validate / verify user identity. So there would be no more need for any funky "shared secrets" and "ROLE_TICKET" authentication...

2019-08-07 14:27:45 GMT <AFaust> Only challenging thing would be handling the asynchronously executed service tasks using a stored user to publish documents from APS to ACS. Might have to setup a proper service account for APS so it can authenticate itself and then be allowed to impersonate a user for that backend call.

2019-08-07 14:31:21 GMT <alfresco-discord> <IanW> AFaust I didn't think you meant that.

2019-08-07 14:32:17 GMT <AFaust> No? I got the impression since you mentioned "2x Keycloak both delegating up to a third"...

2019-08-07 14:33:12 GMT <alfresco-discord> <IanW> I was talking more generally rather than responding to you - sorry for confusion!It should in theory be quite easy to get keycloak to delegate so the scenario I described might actually be the easiest in some circumstances

2019-08-07 14:33:29 GMT <AFaust> Ah, ok.

2019-08-07 14:34:03 GMT <AFaust> The old problem with "universal you" vs "specific you"

2019-08-07 14:36:48 GMT <alfresco-discord> <dgradecak> my position on that is just a JWT validated locally

2019-08-07 14:37:08 GMT <alfresco-discord> <dgradecak> in any system (APS/SHARE/ACS)

2019-08-07 14:38:05 GMT <alfresco-discord> <dgradecak> all the user/group info is crypted in the JWT anyhow and can be used for any kind of request

2019-08-07 14:39:11 GMT <alfresco-discord> <dgradecak> oauth with JWT is damn simple IMHO

2019-08-07 14:42:04 GMT <AFaust> Yes, but to validate the JWT in the use case of delegating from client A via system B to system C, system B has to obtain a new JWT so that validation on system C is successful and system C accepts the identity of the user from client A

2019-08-07 14:42:52 GMT <alfresco-discord> <dgradecak> not sure I get you? if the same key is used to validate the JWT, why obtaining a new one?

2019-08-07 14:43:02 GMT <alfresco-discord> <dgradecak> if it is part of a "platform"

2019-08-07 14:43:47 GMT <alfresco-discord> <dgradecak> transfering the same JWT would just work without issue, no need to call the "auth server" for each request or so

2019-08-07 14:46:38 GMT <AFaust> Which JWT do you pass on? The one from the initial authentication, which you would need to store in the session? That may time out at some point and be invalid for passing on....

2019-08-07 14:47:15 GMT <AFaust> Also, that JWT contains claims / data meant for one system. As a security admin, I may not want to have the same claims / data exposed to a different application.

2019-08-07 14:48:29 GMT <AFaust> Also, when security / trust between system and IdP may be based on a system-specific private/public key pair, so a different system would not be able to decode the JWT meant for the first system.

2019-08-07 14:48:45 GMT <alfresco-discord> <dgradecak> well indeed, timeout is something else and there oauth defines a refresh token, but with differently exposed data in a "platform (APS/ACS/AIS) I think is complicating

2019-08-07 14:50:10 GMT <alfresco-discord> <IanW> Having the group info as part of the auth is only partially useful anyway i.e. doesn't let you see any info about who else has permission to do something - which you sometimes need e.g. site member list in share, so you might as well have the user/group info held locally in the first place

2019-08-07 14:50:22 GMT <AFaust> I am looking at this not from a viewpoint of "this is all one enclosed Alfresco platform", but the potential scenario where a Keycloak (!= AIS) instance is set up as a central IdP system for many applications, and the customer wants a clean and granularly managed security layer.

2019-08-07 14:50:45 GMT <AFaust> +1 to IanW

2019-08-07 14:50:55 GMT <alfresco-discord> <dgradecak> @AFaust I know you are talking about that, I am not 😉

2019-08-07 14:51:43 GMT <alfresco-discord> <IanW> As of devcon you're supposed to have a dedicated keycloak for ACS, not reuse a different one

2019-08-07 14:52:04 GMT <AFaust> Well, dedicated Keycloak for ACS / APS, aka "AIS"

2019-08-07 14:52:17 GMT <AFaust> But yeah, not reuse an existing one that is != AIS

2019-08-07 14:53:18 GMT <AFaust> But that is an unacceptable restriction on the customer's ability to consolidate / integrate IT systems and decide how best to use their resources.

2019-08-07 14:53:48 GMT <AFaust> And currently AIS is nothing more than a theme, and some default configuration which you can recreate in 5-6 clicks.

2019-08-07 14:53:54 GMT <alfresco-discord> <IanW> +1

2019-08-07 14:55:02 GMT <alfresco-discord> <IanW> The example deployments, I've very briefly looked at, don't seem to cater for shared auth as yet

2019-08-07 14:55:23 GMT <alfresco-discord> <dgradecak> +2

2019-08-07 14:56:30 GMT <alfresco-discord> <dgradecak> I agree completely that noone would deploy such a "monster" just for that usage

2019-08-07 14:56:54 GMT <alfresco-discord> <dgradecak> that is why I said I am afraid of the thay Alfresco will come with AMS

2019-08-07 14:57:06 GMT <alfresco-discord> <dgradecak> alfresco messaging service (AMQ with specific code)

2019-08-07 15:07:36 GMT <AFaust> On the topic of ActiveMQ: Is there any documentation on the out-of-process behaviours stuff? Need to document why and how the customer needs to deal with ActiveMQ as part of the upgrade to 6.1, and want to link to some standard Alfresco documentation for relevant bits and pieces

2019-08-07 15:10:01 GMT <alfresco-discord> <dgradecak> I have a small list wait ...

2019-08-07 15:10:17 GMT <AFaust> I can find some example / PoC code on GitHub, but nothing official (not counting DevCon slides)

2019-08-07 15:11:46 GMT <alfresco-discord> <dgradecak> ah than that is what I have 😉

2019-08-07 15:12:19 GMT <AFaust> Yeah. So, general question then: Is the out-of-process behaviour / Event Gateway feature officially released or not?

2019-08-07 15:12:25 GMT <alfresco-discord> <dgradecak> geez I saw a "good" page but did not save it

2019-08-07 15:14:02 GMT <alfresco-discord> <dgradecak> https://docs.alfresco.com/transform/concepts/deploy-transform.html

2019-08-07 15:14:03 GMT <alfbot> Title:Deploying Transform Service | Alfresco Documentation (at docs.alfresco.com)

2019-08-07 15:14:34 GMT <AFaust> I already linked that page.

2019-08-07 15:14:55 GMT <alfresco-discord> <dgradecak> better than this I did not find

2019-08-07 15:15:16 GMT <alfresco-discord> <dgradecak> and I spent some time on it, since I was developing that for my tmeplating pleodox

2019-08-07 15:15:20 GMT <AFaust> That partially uses events as the basis for its functionality, but shouldn't there also be some documentation on that events queue in and by itself?

2019-08-07 15:15:28 GMT <alfresco-discord> <dgradecak> and honestly .... better I did not

2019-08-07 15:16:21 GMT <alfresco-discord> <dgradecak> well it should, but since they developed the new Rendition2Service all the old stuff are still there but marked as deprectaed and I could not find a doc explaining what is going on with that

2019-08-07 15:17:07 GMT <AFaust> That at least I can understand, because I know they weren't even sure about that at the time of release.

2019-08-07 15:17:11 GMT <alfresco-discord> <dgradecak> the transform core stuff on github are just simple spring boot + asbtract controllers and nothing else, no security nothing

2019-08-07 15:17:34 GMT <AFaust> But the events thingy is there already, part of core, theoretically useable by anyone in the partner / community / customer community...

2019-08-07 15:17:41 GMT <alfresco-discord> <dgradecak> and the concept of shared file store is "ambigous"

2019-08-07 15:18:36 GMT <alfresco-discord> <dgradecak> I did not check what is there in enterprise, but if it is what they open sourced, than ...

2019-08-07 15:18:50 GMT <AFaust> Well, if you used Kubernetes like the good boy that you are, it can be ambiguous, because only in your Kubernetes cluster setup will the ambiguity be resolved via the volume claim system...

2019-08-07 15:19:38 GMT <alfresco-discord> <dgradecak> yeah I read about that

2019-08-07 15:21:02 GMT <alfresco-discord> <dgradecak> I was expecting to do everything via simple transformation piplines on the repo side

2019-08-07 15:21:04 GMT <AFaust> And curse you if you are not using Kubernetes, the almighty and powerful silver bullet for all applications, because all applications must be cloud native, and Kubernetes is the only way to do this...

2019-08-07 15:21:14 GMT * AFaust may have triggered himself...

2019-08-07 15:24:14 GMT <AFaust> Whatever https://github.com/Alfresco/alfresco-event-gateway is, it was released as 1.0.0 in February, which would sort of coincide with 6.1

2019-08-07 15:24:15 GMT <alfbot> Title:GitHub - Alfresco/alfresco-event-gateway: Handles routing and delivery of events from the Alfresco Digital Business Platform. (at github.com)

2019-08-07 15:24:47 GMT <alfresco-discord> <dgradecak> aha so it is AEG

2019-08-07 15:25:09 GMT <alfresco-discord> <dgradecak> btw the sahred file service also uses this url : fileStoreUrl: ${FILE_STORE_URL:http://localhost:8099/alfresco/api/-default-/private/sfs/versions/1/file}

2019-08-07 15:26:44 GMT <AFaust> Event gateway is included in the alfresco-infrastructure-deployment Helm chart: https://github.com/Alfresco/alfresco-infrastructure-deployment/blob/master/helm/alfresco-infrastructure/values.yaml

2019-08-07 15:26:45 GMT <alfbot> Title:alfresco-infrastructure-deployment/values.yaml at master · Alfresco/alfresco-infrastructure-deployment · GitHub (at github.com)

2019-08-07 15:27:54 GMT <alfresco-discord> <dgradecak> might be time for nuxeo 😄

2019-08-07 15:29:14 GMT <alfresco-discord> <dgradecak> with the gateway we still need a separate AMQ

2019-08-07 15:29:23 GMT <alfresco-discord> <dgradecak> what a deployment ....

2019-08-07 15:29:48 GMT <alfresco-discord> <dgradecak> seems my 32 GB RAM is not enough anymore

2019-08-07 15:30:35 GMT <AFaust> Argh... Jamal Kaabi did not link his slides for his DevCon talk about the event gateway on https://community.alfresco.com/docs/DOC-8095-devcon-2019-speakers-slides

2019-08-07 15:30:37 GMT <alfbot> Title:DevCon 2019 - Speakers & Slides | Alfresco Community (at community.alfresco.com)

2019-08-07 15:30:37 GMT <alfresco-discord> <dgradecak> I talked to angel last week and by default my docker had 5GB, where for Alfresco 6.2 at least I had to put it to 20

2019-08-07 15:31:12 GMT <AFaust> Kubernetes or Compose?

2019-08-07 15:31:19 GMT <alfresco-discord> <dgradecak> compose

2019-08-07 15:32:43 GMT <AFaust> I guess all the transformer Spring boot applications are way overblown with regards to JVM memory, and of course having all those separate containers with the same OS loaded and processes that cannot share dynamic libraries will also increase efficiency / entropy

2019-08-07 15:33:02 GMT <AFaust> increase INefficience

2019-08-07 15:33:08 GMT <AFaust> darn... INefficiency

2019-08-07 15:35:05 GMT <alfresco-discord> <dgradecak> for what I need I still do local simple deployments with 6.2, bored with docker for now

2019-08-07 15:44:36 GMT <alfresco-discord> <IanW> I probably ought to try a 6.2 deployment at some point - got the Activiti 7 example working with microk8s quite easily...

2019-08-07 15:45:50 GMT <alfresco-discord> <dgradecak> when I tried Activiti 7 seems I had that docker memory issue and I stoped trying it

2019-08-07 15:46:19 GMT <alfresco-discord> <dgradecak> someone mentioned flowable, for "community" projects that is it for me right now

2019-08-07 15:52:48 GMT <alfresco-discord> <dgradecak> btw, how do you see your next integrations with ACS? still developing modules?

2019-08-07 15:53:30 GMT <alfresco-discord> <dgradecak> I try not to, just developing "boot applications" and calling ACS via rest

2019-08-07 16:00:20 GMT <AFaust> Yes, mostly still developing modules. The public ReST API is completely insufficient for anything but trivial solutions, and if I would have to create custom ReST APIs (via web scripts) in ACS to support my separate Spring Boot application, I could just as easily have written the whole extension / solution as a module instead.

2019-08-07 16:02:43 GMT <alfresco-discord> <dgradecak> I agree indeed, hopefully for now my stuff fall in the "trivial" part

2019-08-07 16:03:06 GMT <alfresco-discord> <dgradecak> for the rets calls I use my open feign stuff for ACS https://github.com/PleoSoft/acs-feign-client

2019-08-07 16:03:07 GMT <alfbot> Title:GitHub - PleoSoft/acs-feign-client: An OpenFEIGN client for Alfresco Content Services (ACS) (at github.com)

2019-08-07 16:03:38 GMT <alfresco-discord> <dgradecak> as reminder;) I quite like that, built the same thing for "flowable" and in the middle with spring boot it works quite well for now

2019-08-07 16:03:55 GMT <alfresco-discord> <dgradecak> but sure "no" single transaction for instance

2019-08-07 16:04:16 GMT <alfresco-discord> <dgradecak> and did some "rest api" patch on 6.x

2019-08-07 16:13:28 GMT <alfresco-discord> <IanW> I've probably got some workflow stuff coming up so I wanted to use Activiti 7 and ACS(I'm still on 5.2...) with an ADF app but ADF doesn't work with Activiti 7 and, again on a brief look, the docs seem pretty lacking for even fairly basic stuff so I expect I'll do something different perhaps flowable

2019-08-07 16:14:36 GMT <alfresco-discord> <dgradecak> yeah, there is a version "process cloud" of ADF for so for activiti 7

2019-08-07 16:14:58 GMT <alfresco-discord> <IanW> I tried that but the endpoints were all wrong....

2019-08-07 16:16:32 GMT <alfresco-discord> <dgradecak> I had difficult times with that too, but you know what I tried and did a POC, ADF "process" components with flowable 😉

2019-08-07 16:16:51 GMT <alfresco-discord> <dgradecak> but honestly, it is a big "no" for me right now ADF

2019-08-07 16:17:30 GMT <alfresco-discord> <dgradecak> it is so much faster angular material + alfresco JS api for instance

2019-08-07 16:17:34 GMT <alfresco-discord> <dgradecak> than dealing with ADF

2019-08-07 16:18:27 GMT <alfresco-discord> <IanW> That's my suspicion

2019-08-07 16:19:00 GMT <alfresco-discord> <dgradecak> I really wish I was wrong and probably in a year or two ADF will be good

2019-08-07 16:19:38 GMT <alfresco-discord> <dgradecak> but at the end what is it? just nagular components and the real value is the alfresco JS under the hood, which can be used separately

2019-08-07 16:20:50 GMT <alfresco-discord> <IanW> I think some components are probably quite good/useful just a matter of working out which ones and how to use them

2019-08-07 16:21:00 GMT <alfresco-discord> <dgradecak> of course

2019-08-07 16:21:25 GMT <alfresco-discord> <dgradecak> let me know which ones 😉

2019-08-07 16:22:52 GMT <alfresco-discord> <dgradecak> the big issue for me is "extensibility

2019-08-07 16:23:10 GMT <alfresco-discord> <dgradecak> I do not want to fork ACA and build on that, or ADW

2019-08-07 16:23:52 GMT <alfresco-discord> <dgradecak> that is where share even if it has it bad points made things straight forward

2019-08-07 16:24:49 GMT <alfresco-discord> <dgradecak> but with angular and typescrip, AOT vs JIT and so on ... pfff things are more complicated

End of Daily Log

The other logs are at http://esplins.org/hash_alfresco