Daily Log for #alfresco IRC Channel

Alfresco discussion and collaboration. Stick around a few hours after asking a question.

Official support for Enterprise subscribers: support.alfresco.com.

Joining the Channel:

Join in the conversation by getting an IRC client and connecting to #alfresco at Freenode. Or you can use the IRC web chat.

More information about the channel is in the wiki.

Getting Help

More help is available in this list of resources.

Daily Log for #alfresco

2019-08-14 07:56:34 GMT <alfresco-discord> <bhagyas> about to embark on a SDK 4 exploration journey from SDK 2.2 😉

2019-08-14 07:56:48 GMT <alfresco-discord> <bhagyas> Let's see which beasts and fountains I might find 😄

2019-08-14 07:57:23 GMT <alfresco-discord> <bhagyas> If you know any, let me know

2019-08-14 08:21:55 GMT <alfresco-discord> <bhagyas> 1 - mvn install makes the default all-in-one archetype do a belly flop at the time of integration tests

2019-08-14 08:25:11 GMT <alfresco-discord> <bhagyas> had to run with -DskipTests=true

2019-08-14 09:02:25 GMT <AFaust> Argh... you can only have one variant of the RemoteUserMapper active in Alfresco. So if Identity Service is already active as a subsystem, you can't have any other external subsystem handling (legacy) header / cookie based auths by non-Keycloak enabled clients

2019-08-14 09:08:59 GMT <alfresco-discord> <bhagyas> AFaust: then you start to wish the source code was open so you can finally fix it 😉

2019-08-14 09:09:11 GMT <alfresco-discord> <bhagyas> and then you realise the source is open, but the contrib process is broken

2019-08-14 09:09:12 GMT <alfresco-discord> <bhagyas> xD

2019-08-14 09:37:06 GMT * AFaust is now writing a SubystemChainingRemoteUserMapper similar to the SubsystemChainingAuthenticationService

2019-08-14 09:37:59 GMT <alfresco-discord> <bhagyas> my god

2019-08-14 09:38:02 GMT <alfresco-discord> <bhagyas> don't go that path

2019-08-14 09:38:30 GMT <alfresco-discord> <bhagyas> The subsystemchaining is a neverending road

2019-08-14 09:39:10 GMT <alfresco-discord> <bhagyas> The subsystem chaining authentication chains other authentication subsystems that inherit the same class structure

2019-08-14 09:39:21 GMT <alfresco-discord> <bhagyas> if that's not circular dependencies, I'm not sure which are not

2019-08-14 09:48:49 GMT <AFaust> I don't think you understood what I was doing.

2019-08-14 09:49:28 GMT <AFaust> I simply wrote a small class that iterates over the chain, asking every instance (instead of just the first), and as soon as one instance is able to authenticate a remote user, it completes / short-circuits

2019-08-14 09:50:11 GMT <alfresco-discord> <bhagyas> what is your view on short circuiting?

2019-08-14 09:50:42 GMT <alfresco-discord> <bhagyas> for auth, I know short circuiting is not the right way to do it, since there might be another subsystem user is denied access to

2019-08-14 09:52:07 GMT <AFaust> For auth, if any auth subsystem is able to authenticate a user and the operation does not allow for any side-effects, short-circuit is required and without alternative...

2019-08-14 09:53:01 GMT <alfresco-discord> <bhagyas> why not, if a user is denied by a subsystem that is far late in the chain, the user must be denied

2019-08-14 09:53:08 GMT <AFaust> If some feature needs to provide cross-cutting concerns to auth, then that would probably have to be dealt with using AOP on the global, chaining proxy.

2019-08-14 09:53:12 GMT <alfresco-discord> <bhagyas> taking the first auth is introducing a risk

2019-08-14 09:53:36 GMT <alfresco-discord> <bhagyas> except the global chaining proxy is not global, it's a subsystem

2019-08-14 09:53:52 GMT <AFaust> the chaining proxy is global...

2019-08-14 09:54:17 GMT <AFaust> Looking right at it, as the org.alfresco.repo.security.authentication.subsystems.SubsystemChainingAuthenticationService in the global context

2019-08-14 09:54:25 GMT <alfresco-discord> <bhagyas> nope

2019-08-14 09:54:36 GMT <alfresco-discord> <bhagyas> it's redefined in each subsystem as a subsystem specific bean

2019-08-14 09:54:40 GMT <alfresco-discord> <bhagyas> (in xml)

2019-08-14 09:55:00 GMT <AFaust> Well, yeah, those are the subsystem instances. But there is still a global authenticationService bean which is the chaining proxy.

2019-08-14 09:55:05 GMT <alfresco-discord> <bhagyas> the class might be global, but instances are defined in each subsystem

2019-08-14 09:55:29 GMT <alfresco-discord> <bhagyas> nope it's not

2019-08-14 09:55:47 GMT <AFaust> Not going to argue with you on something that is as clear as day...

2019-08-14 09:56:12 GMT <AFaust> Subsystems contexts cannot override a global bean. They can only be called from one or call to one...

2019-08-14 09:56:13 GMT <alfresco-discord> <bhagyas> the authenticationService again is instantiated in each subsystem

2019-08-14 09:56:48 GMT <AFaust> Sure, they can define a bean that "hides" the global bean. But still, any bean in the global context will still see the global bean, not any of the subsystem ones.

2019-08-14 09:57:05 GMT <AFaust> And the global bean is the entry point to all subsystem beans.

2019-08-14 09:58:05 GMT <alfresco-discord> <bhagyas> O_O

2019-08-14 09:58:21 GMT <alfresco-discord> <bhagyas> but there isn't one for auth

2019-08-14 09:59:07 GMT <alfresco-discord> <bhagyas> The primary authenticationcomponent is merely an interface redefined in subsystems

2019-08-14 10:00:30 GMT <AFaust> Not sure what you are looking at.... There is https://github.com/Alfresco/alfresco-repository/blob/master/src/main/resources/alfresco/authentication-services-context.xml#L166 and https://github.com/Alfresco/alfresco-repository/blob/master/src/main/resources/alfresco/authentication-services-context.xml#L210, which one could easily wrap via a post processor to add some kind of AOP handling.

2019-08-14 10:00:31 GMT <alfbot> Title:alfresco-repository/authentication-services-context.xml at master · Alfresco/alfresco-repository · GitHub (at github.com)

2019-08-14 10:01:20 GMT <alfresco-discord> <bhagyas> those two are redefined in each auth subsystem

2019-08-14 10:02:47 GMT <AFaust> I give up. It's enough for me to know that it works and to see it in practice. Don't know if you are using some strange other version of Spring where subsystems in child application contexts can re-define beans in the global context, or what gives you the idea it works that way...

2019-08-14 10:55:42 GMT <alfresco-discord> <bhagyas> 🤷🏻‍♂️

2019-08-14 14:26:24 GMT <alfresco-discord> <dgradecak> @AFaust, you remember my jira report about the "node ref" for the T Engines

2019-08-14 14:26:33 GMT <AFaust> Yes.

2019-08-14 14:26:35 GMT <alfresco-discord> <dgradecak> that was accepted and added ... yee

2019-08-14 14:26:46 GMT <AFaust> Surprise, surprise...

2019-08-14 14:27:06 GMT <angelborroy> Congrats! (to everyone) :D

2019-08-14 14:29:18 GMT <alfresco-discord> <dgradecak> although I added a comment without receiving an answer, but that would be too much work to add what I had in mind. Like adding the metadata names in the transformation options list. Anyhow it is enough

2019-08-14 14:29:50 GMT <alfresco-discord> <dgradecak> yep @angelborroy thank you for letting us know about the T Engines etc ... it would take ages to know that without you

2019-08-14 14:31:33 GMT <alfresco-discord> <dgradecak> btw ... I am working to finally release my BI tool for alfresco. I made a lightning talk about it but never released the sources

2019-08-14 14:33:18 GMT <alfresco-discord> <dgradecak> angel just do not announce it yet 😉 https://github.com/PleoSoft/peltas-community I am finishing the docker documentation and image

2019-08-14 14:33:19 GMT <alfbot> Title:GitHub - PleoSoft/peltas-community (at github.com)

2019-08-14 14:34:16 GMT <angelborroy> 404

2019-08-14 14:34:34 GMT <angelborroy> https://github.com/PleoSoft/peltas-community

2019-08-14 14:34:35 GMT <alfbot> Title:GitHub - PleoSoft/peltas-community (at github.com)

2019-08-14 14:34:49 GMT <alfresco-discord> <dgradecak> 404 ?

2019-08-14 14:35:07 GMT <angelborroy> Nope, it works

2019-08-14 14:35:09 GMT <angelborroy> Reading

2019-08-14 14:50:47 GMT <alfresco-discord> <dgradecak> any idea why an url like this http://localhost:8080/alfresco/s/api/solr/transactions?minTxnId=1&maxResults=1 would be blocked by nginx on docker-compose?

2019-08-14 14:53:50 GMT <AFaust> Because it should not be accessible publicly?

2019-08-14 14:54:00 GMT <AFaust> Only for SOLR...

2019-08-14 14:54:13 GMT <alfresco-discord> <dgradecak> hm well ..

2019-08-14 14:57:50 GMT <alfresco-discord> <dgradecak> I guess this is only blocked by nginx (I am on the 6.2 version) and who wants to protect it correctly would add ssl or block it on purpose

2019-08-14 14:58:13 GMT <alfresco-discord> <dgradecak> I remember you said there are some "defaults" changing for the next version, about solr

2019-08-14 14:58:27 GMT <alfresco-discord> <dgradecak> wasn't ssl one of them?

2019-08-14 15:01:41 GMT <alfresco-discord> <dgradecak> running ACS (6.2) + ASS locally does not block that url, so my guess is about nginx ... I'm starting to not like this anymore 😄

2019-08-14 15:07:40 GMT <angelborroy> Sorry

2019-08-14 15:07:56 GMT <angelborroy> Yes SOLR API is blocked by nginx

2019-08-14 15:08:27 GMT <alfresco-discord> <dgradecak> any chance it would not be? or a decision has been made?

2019-08-14 15:08:38 GMT <angelborroy> I tried to promote a change...

2019-08-14 15:08:43 GMT <angelborroy> … but it was rejected

2019-08-14 15:08:48 GMT <angelborroy> I’m searching the source code

2019-08-14 15:09:05 GMT <alfresco-discord> <dgradecak> that is killing "creativity"

2019-08-14 15:09:13 GMT <angelborroy> Here it is

2019-08-14 15:09:13 GMT <angelborroy> https://github.com/Alfresco/acs-ingress/tree/acs-community-ingress

2019-08-14 15:09:14 GMT <alfbot> Title:GitHub - Alfresco/acs-ingress at acs-community-ingress (at github.com)

2019-08-14 15:09:28 GMT <angelborroy> https://github.com/Alfresco/acs-ingress/blob/acs-community-ingress/nginx.conf#L29

2019-08-14 15:09:29 GMT <alfbot> Title:acs-ingress/nginx.conf at acs-community-ingress · Alfresco/acs-ingress · GitHub (at github.com)

2019-08-14 15:09:44 GMT <alfresco-discord> <dgradecak> acs-ingress great 😄 I was looking where is nginx and now here it is 😄

2019-08-14 15:10:09 GMT <angelborroy> Community TAG

2019-08-14 15:10:09 GMT <angelborroy> https://github.com/Alfresco/acs-ingress/tree/acs-community-ngnix-1.0.0

2019-08-14 15:10:11 GMT <alfbot> Title:GitHub - Alfresco/acs-ingress at acs-community-ngnix-1.0.0 (at github.com)

2019-08-14 15:10:12 GMT <alfresco-discord> <dgradecak> indeed .. that is the line .. damn

2019-08-14 15:10:24 GMT <angelborroy> Enterprise tag

2019-08-14 15:10:25 GMT <angelborroy> https://github.com/Alfresco/acs-ingress/tree/alfresco-acs-nginx-3.0.1

2019-08-14 15:10:26 GMT <alfbot> Title:GitHub - Alfresco/acs-ingress at alfresco-acs-nginx-3.0.1 (at github.com)

2019-08-14 15:10:30 GMT <angelborroy> Both on the same project

2019-08-14 15:11:56 GMT <alfresco-discord> <dgradecak> @AFaust how do you swear in Japanese

2019-08-14 15:12:10 GMT <alfresco-discord> <dgradecak> ?!=@@__#

2019-08-14 15:13:06 GMT <alfresco-discord> <dgradecak> could you consider talking to the team again about this @angelborroy?

2019-08-14 15:13:15 GMT <angelborroy> nope

2019-08-14 15:13:20 GMT <AFaust> kuso (くそ) is an easy option

2019-08-14 15:13:22 GMT <angelborroy> It was my boss who decided :(

2019-08-14 15:13:33 GMT <alfresco-discord> <dgradecak> name? address?

2019-08-14 15:13:39 GMT <alfresco-discord> <dgradecak> 😉

2019-08-14 15:15:04 GMT <alfresco-discord> <dgradecak> so it is like that from 6.2 right?

2019-08-14 15:15:42 GMT <angelborroy> right

2019-08-14 15:16:19 GMT <alfresco-discord> <dgradecak> incredible

2019-08-14 15:18:02 GMT <alfresco-discord> <dgradecak> I am thinking of asking a "new feature" on Jira or so ... but no idea if it makes sense

2019-08-14 15:18:05 GMT <alfresco-discord> <MorganP> Just add one line in the dockerfile to remove it if you want to

2019-08-14 15:18:41 GMT <alfresco-discord> <dgradecak> sure @MorganP but that complicates for people to test with the official alfresco image

2019-08-14 15:19:10 GMT <angelborroy> You can always skip the port

2019-08-14 15:19:16 GMT <alfresco-discord> <MorganP> What do you want to test on the Solr API?

2019-08-14 15:19:23 GMT <angelborroy> exposing internal 8983 will allow you to use SOLR API

2019-08-14 15:19:40 GMT <alfresco-discord> <dgradecak> I have an application that uses the solr api for BI

2019-08-14 15:20:00 GMT <alfresco-discord> <dgradecak> and just releasing it to open source and now I saw this on 6.2

2019-08-14 15:20:14 GMT <alfresco-discord> <dgradecak> yes angel, indeed, might be just added in the howto

2019-08-14 15:20:27 GMT <angelborroy> You can add your application to Docker compose and use internal network for communications

2019-08-14 15:20:40 GMT <alfresco-discord> <dgradecak> yes thinking of that too

2019-08-14 15:20:41 GMT <alfresco-discord> <MorganP> Yes docker compose would be sufficient too

2019-08-14 15:20:59 GMT <alfresco-discord> <MorganP> so you don't reduce security and your BI is still working

2019-08-14 15:21:17 GMT <alfresco-discord> <dgradecak> maybe the easiest is that

2019-08-14 15:21:23 GMT * AFaust is really glad with his choice not to use any default images, unless customer (stupidly) requires it...

2019-08-14 15:21:29 GMT <alfresco-discord> <MorganP> but it forces you to use docker compose...

2019-08-14 15:22:32 GMT <alfresco-discord> <dgradecak> well not an issue for me, but if angel says a decision has been made and it cannot be revoked, then it makes it harder for others (sure not you or AFaust or angel) to manipulate all this

2019-08-14 15:23:03 GMT <alfresco-discord> <dgradecak> until now it was easy, just attach to the same network as the docker compose and it worked without being part of docker compose

2019-08-14 15:23:05 GMT <alfresco-discord> <MorganP> That's also my approach AFaust, I already saw so many things going wrong in so-called "official" images...

2019-08-14 15:23:37 GMT <alfresco-discord> <dgradecak> I agree guys, but blocking this on the nginx level is quite fune

2019-08-14 15:23:52 GMT <angelborroy> “Security by default”

2019-08-14 15:24:00 GMT <angelborroy> And don’t ask me what it means

2019-08-14 15:24:20 GMT <AFaust> You always have to keep in mind that one of the long term goals of Alfresco is to turn the default install into more of a black-grey box for unskilled users / customers, to avoid having a huge support overhead because they did not secure something they should have done themselves (because it was not secure by default) or changed something that was "too accessible" without understanding it at all...

2019-08-14 15:24:51 GMT <AFaust> angelborroy: I think it means exactly this ^^

2019-08-14 15:24:56 GMT <alfresco-discord> <dgradecak> indeed, I know where it is going ... but still 😉

2019-08-14 15:26:18 GMT <AFaust> Especially with the various reseller-only partners or large generic consulting orgs jumping on the wagon (as far as I understand the partner model evolving in the last years), you have even more completely unqualified implementers / integrators that need protection from themselves...

2019-08-14 15:28:25 GMT <alfresco-discord> <lars> I think it makes a lot of sense to block those URLs by default. If they are accessible, everyone can pull all your documents. And if you don't know about those endpoints, you don't even know you are totally exposed

2019-08-14 15:29:02 GMT <angelborroy> Agree

2019-08-14 15:29:04 GMT <alfresco-discord> <dgradecak> I do not disagree

2019-08-14 15:29:09 GMT <angelborroy> But you can always read also documentation

2019-08-14 15:29:10 GMT <angelborroy> https://community.alfresco.com/community/ecm/blog/2019/07/09/alfresco-61-is-coming-with-mutual-tls-authentication-by-default

2019-08-14 15:29:12 GMT <alfbot> Title:Alfresco 6.1 is coming with Mutual TLS Authenti... | Alfresco Community (at community.alfresco.com)

2019-08-14 15:29:21 GMT <angelborroy> If you were a “serious” partner or integrator

2019-08-14 15:29:38 GMT <AFaust> Oh snap...

2019-08-14 15:29:55 GMT <angelborroy> https://dictionary.cambridge.org/grammar/british-grammar/especially-or-specially

2019-08-14 15:29:56 GMT <alfbot> Title:Especially or specially ? - English Grammar Today - Cambridge Dictionary (at dictionary.cambridge.org)

2019-08-14 15:30:06 GMT <angelborroy> Your English is so accurate, AFaust…

2019-08-14 15:31:09 GMT <alfresco-discord> <dgradecak> so just to understand ... when is that "ssl" by default coming? and if it is coming why then is it disabled in docker and blocked on nginx

2019-08-14 15:31:36 GMT <angelborroy> SSL is coming to Community with 6.2

2019-08-14 15:31:58 GMT <alfresco-discord> <dgradecak> so I have no issues with SSL since we can still talk to that url

2019-08-14 15:31:59 GMT <angelborroy> Enterprise from 6.1.0.5 / 1.3.0.5

2019-08-14 15:32:07 GMT <alfresco-discord> <dgradecak> will they unblock on nginx then?

2019-08-14 15:32:37 GMT <alfresco-discord> <dgradecak> I have no installation of "peltas" on 6.x yet only 4 and 5

2019-08-14 15:32:40 GMT <angelborroy> They blocked the URLs in NGINX (when using HTTP) to provide “security by default"

2019-08-14 15:33:11 GMT <alfresco-discord> <dgradecak> but in docker images you will also add SSL ?

2019-08-14 15:33:22 GMT <alfresco-discord> <dgradecak> or it will stay http with nginx blocking?

2019-08-14 15:33:25 GMT <angelborroy> Docker Images are also SSL by default

2019-08-14 15:33:35 GMT <angelborroy> But you can add a parameter to disable this behaviour

2019-08-14 15:33:48 GMT <alfresco-discord> <dgradecak> well the 6.2-A2 has -Dsolr.secureComms=none

2019-08-14 15:33:49 GMT <angelborroy> That is done in “official” Docker Compose and Helm Charts

2019-08-14 15:33:50 GMT <alfresco-discord> <dgradecak> so it is not

2019-08-14 15:33:59 GMT <angelborroy> right

2019-08-14 15:34:05 GMT <angelborroy> But the Docker Image is SSL

2019-08-14 15:34:46 GMT <alfresco-discord> <lars> Oh, was the default until 6.2 really to use plain http? Our images default to using mutual TLS since forever.

2019-08-14 15:35:18 GMT <angelborroy> Probably my blog post is not that clear…

2019-08-14 15:35:31 GMT <angelborroy> Let’s see…

2019-08-14 15:36:03 GMT <angelborroy> From ACS 6.1.0.5 / ACS 6.2 the Docker Image is built with SSL by Default

2019-08-14 15:36:09 GMT <AFaust> lars: Yes. plain http was the default since somewhere around 5.0 or so, I believe.

2019-08-14 15:36:13 GMT <angelborroy> The same for SS 1.3.0.5 / 1.4

2019-08-14 15:36:25 GMT <angelborroy> But you can disable it by configuration

2019-08-14 15:36:43 GMT <angelborroy> 5.2 was the last SSL by Default

2019-08-14 15:36:55 GMT <angelborroy> So if you are migrating from 6.0, you have to review your configuration

2019-08-14 15:37:20 GMT <AFaust> Used to make sense since SOLR + Repo URLs were only used for indexing and no one should ever need to access it, and it could easily be protected.

2019-08-14 15:37:28 GMT <alfresco-discord> <dgradecak> your blog is actually completely clear now when I re-read it

2019-08-14 15:38:11 GMT <AFaust> At least since Insight Engine, I think that SSL by default makes more sense. But I haven't worked with it yet to know what kind of access to SOLR is required to use it.

2019-08-14 15:38:55 GMT <alfresco-discord> <dgradecak> well, my solution started with audit logs and then someone asked me can we do the same with "workspace" data, I said let's see ... and the solr urls made sense for that (imagine that you are indexing to something else)

2019-08-14 15:39:41 GMT <alfresco-discord> <dgradecak> those APIs are actually quite valuable and IMHO underestimated (or too protected right now) 😄

2019-08-14 15:40:40 GMT <AFaust> For a customer I recently created a custom ReST API for tracking transactions, re-using about 85% of the existing code / components.

2019-08-14 15:41:13 GMT <alfresco-discord> <dgradecak> indeed that is a solution but reusing 100% also is a solution

2019-08-14 15:41:32 GMT <AFaust> In that case they actually do some external indexing, but we needed to provide the data in a more generic, non-Alfresco-specific way. And also needed to efficiently filter for only a sub-set of the overall content (currently ~3 million out of 15 million nodes)

2019-08-14 15:41:49 GMT <alfresco-discord> <dgradecak> but that is what this does exactly

2019-08-14 15:42:05 GMT <alfresco-discord> <dgradecak> filtering data, I call it cherry picking

2019-08-14 15:42:22 GMT <AFaust> But I believe you are filtering on the client side, right?

2019-08-14 15:42:29 GMT <alfresco-discord> <dgradecak> yes

2019-08-14 15:42:41 GMT <alfresco-discord> <dgradecak> gdpr ... welcome 😉 you mean

2019-08-14 15:42:52 GMT <AFaust> In our case, the endpoint is already doing the filtering on the server side, as best as possible even during the DB calls

2019-08-14 15:43:52 GMT <alfresco-discord> <dgradecak> anyhow, here there is a "highly" configurable way to filter the nodes you want to store and also a pipeline to execute DB scripts to insert the data in custom db schema if needed

2019-08-14 15:44:17 GMT <alfresco-discord> <dgradecak> so it is similar but no "amps"

2019-08-14 15:47:19 GMT <alfresco-discord> <dgradecak> btw, why not block the DB too then? 😉 who should access it?

2019-08-14 15:48:32 GMT <AFaust> Ehm, in any real deployment, the DB should also be blocked or only allow connection from defined hosts.

2019-08-14 15:48:48 GMT <alfresco-discord> <dgradecak> sure, I am talking about docker-compose

2019-08-14 15:48:54 GMT <alfresco-discord> <dgradecak> just "heating"

2019-08-14 15:49:12 GMT <AFaust> Sure, it is harder to do in the default Docker / Kubernetes images, especially when using the default postgresql image without customisations

2019-08-14 15:50:01 GMT <AFaust> The database is one of the most likely components to be custom provided / set up in any production environment, so it makes less sense to adapt. And compared to SOLR it is already "secured" by a password.

2019-08-14 15:50:15 GMT <AFaust> Even though the default is known / simple (should always be changed)

2019-08-14 15:52:54 GMT <alfresco-discord> <dgradecak> I do not see their docker-compose images as highly secure or whatever, I see them as a quickly testable system. Although I completely agree with you about security and stuff

2019-08-14 15:59:44 GMT <AFaust> you have to keep in mind that at Alfresco, non-dev focussed product marketing has more say in what is done with dev artifacts than is normal / expected by us

2019-08-14 16:00:05 GMT <AFaust> it can be annoying at times, but certainly not going to change

2019-08-14 16:16:33 GMT <alfresco-discord> <dgradecak> hopefully with embedding my image in ACS docker compose it is quite a good solution for me

2019-08-14 16:16:45 GMT <alfresco-discord> <dgradecak> until they block the DB in the future 😉

2019-08-14 17:22:45 GMT *** jelly-home is now known as jelly

End of Daily Log

The other logs are at http://esplins.org/hash_alfresco