Daily Log for #alfresco IRC Channel

Alfresco discussion and collaboration. Stick around a few hours after asking a question.

Official support for Enterprise subscribers: support.alfresco.com.


Daily Log for #alfresco

2020-01-22 10:07:03 GMT <alfresco-discord> <lars> Is anyone else having problems downloading artifacts from the Alfresco nexus? I am having seemingly random build failures since this morning. > Could not resolve all files for configuration ':baseAlfrescoWar'. > Could not download content-services-community.war (org.alfresco:content-services-community:6.0.a) > Could not get resource 'https://artifacts.alfresco.com/nexus/content/groups/public/org/alfresco/content-services-community/6.0.a/content-services-community-6.0.a.war'. > Premature end of Content-Length delimited message body (expected: 138044101; received: 61218816

2020-01-22 10:35:34 GMT <AFaust> Am I crazy? I seem to remember Alfresco always recommending / pushing for -XX:+UseConcMarkSweepGC as part of JVM settings / tuning, but in documentation, I can only find it until version 3.4 or related to SOLR 4...

2020-01-22 10:36:08 GMT <angelborroy> I guess this setting is not recommended for SOLR 6

2020-01-22 10:38:53 GMT <AFaust> Well ... at this point I don't care about SOLR 6. I just wanted to collect some links as reference for what I remembered, and was surprised to not find anything on this apart from old version docs and SOLR 4

2020-01-22 10:39:14 GMT <alfresco-discord> <MorganP> I'm pretty sure it was only for Solr 4 recently

2020-01-22 10:39:29 GMT <alfresco-discord> <MorganP> And no specific JVM settings for Alfresco, no?

2020-01-22 10:39:41 GMT <AFaust> And I distinctly remember always using that setting (before I switched over to G1GC by default) in customer installations because of those recommendations...

2020-01-22 10:40:07 GMT <AFaust> Too bad I don't have all the partner webinar recordings from back in the day...

2020-01-22 10:48:05 GMT <AFaust> MorganP: Yeah, much like DBA optimisations, Alfresco leaves quite a lot of sensible defaults to be set by the implementer / customer...

2020-01-22 10:58:56 GMT <angelborroy> https://github.com/apache/lucene-solr/blob/master/solr/bin/solr.in.sh#L48

2020-01-22 10:58:57 GMT <alfbot> Title:lucene-solr/solr.in.sh at master · apache/lucene-solr · GitHub (at github.com)

2020-01-22 10:59:19 GMT <angelborroy> We could try these settings, just to see if this helps in terms of performance

2020-01-22 10:59:30 GMT <angelborroy> I’m going to open an issue for this

2020-01-22 11:13:15 GMT <angelborroy> https://issues.alfresco.com/jira/browse/SEARCH-2066

2020-01-22 11:13:28 GMT <angelborroy> Feel free to add any information to this ticket

2020-01-22 11:32:10 GMT <AFaust> angelborroy: Ideally, I would want to move toward G1, not tuning CMS for SOLR 6

2020-01-22 11:32:30 GMT <angelborroy> https://github.com/apache/lucene-solr/blob/releases/lucene-solr/6.6.5/solr/bin/solr#L1813

2020-01-22 11:32:31 GMT <alfbot> Title:lucene-solr/solr at releases/lucene-solr/6.6.5 · apache/lucene-solr · GitHub (at github.com)

2020-01-22 11:32:48 GMT <angelborroy> These are the settings we are using in Docker Image

2020-01-22 12:15:59 GMT <AFaust> Argh - somewhere, Alfresco TMQ messes up query parsing / generation for =cm:name:"XXX - *" so it does not match anything

2020-01-22 12:44:52 GMT <AFaust> great - the query parser does not recognize the * as a placeholder in this case, and does not generate a LIKE condition - rather it does an exact match check on "XXX - *" which is obviously not what I want

2020-01-22 12:47:18 GMT <vbgn_> Doesn't = mean "exact match"? So wildcards are ignored?

2020-01-22 12:49:38 GMT <alfresco-discord> <yreg> @AFaust I think that behaviour is also consistent with how solr interprets it... isn't that the case (any more) ?

2020-01-22 12:51:11 GMT <alfresco-discord> <yreg> As far as I remember, in TMQ, wildcards are only possible with CMIS QL using a special contain predicate or something

2020-01-22 12:52:36 GMT <alfresco-discord> <yreg> I tried implementing support for wildcards for TMQ once, when I did implement support for range queries for it, but someone on the team told me not to bother since due to the DataModel of Alfresco DB it will be so slow it won't be useful

2020-01-22 12:57:38 GMT <AFaust> Well - = means exact match in terms of upper/lower case, but it still supports wildcards if explicitly used

2020-01-22 12:58:49 GMT <AFaust> And TMQ does support =cm:name:XXX* correctly

2020-01-22 12:59:39 GMT <AFaust> It may be that the special case of * within a phrase instead of a term is not supported

2020-01-22 12:59:47 GMT <AFaust> But that is somewhat arbitrary

2020-01-22 13:00:40 GMT <AFaust> Well... I can use term instead of phrase query for my case, but then I have to escape every whitespace

2020-01-22 13:01:23 GMT <AFaust> e.g. =cm:name:XXX\ -\ * works, but looks extremely crazy and brittle...

2020-01-22 13:02:08 GMT <AFaust> or change this one little query into CMIS

2020-01-22 13:02:51 GMT <AFaust> FTS TMQ wildcard support is limited to "exact prefix + wildcard at the end" use cases, which is what I have in this case

2020-01-22 13:03:10 GMT <AFaust> CMIS TMQ can have wildcard anywhere due to having direct support of LIKE in the QL

2020-01-22 13:05:36 GMT <AFaust> As per the de-facto (only) documentation via http://beecon.orderofthebee.net/2017/assets/files/E10/Making%20proper%20use%20of%20transactional%20metadata%20queries.pdf (which, I now realise, does not include "prefix-phrases" - so I should check the docs I wrote myself before complaining here)

2020-01-22 13:06:52 GMT <AFaust> Though again, it feels arbitrary and an oversight to not support phrases at least in the form of "match beginning phrases", especially since the behaviour now is simply to do an exact match on the full value anyway

2020-01-22 13:07:52 GMT * AFaust adds "fix FTS TMQ phrase" query rewrite on his backlog of uncountable items...

2020-01-22 13:11:11 GMT <alfresco-discord> <dgradecak> Since CFP has been extended (thanks to @AFaust) I just submitted a talk

2020-01-22 13:12:26 GMT <alfresco-discord> <dgradecak> btw, is anyone using AIS/Keycloak in production?

2020-01-22 13:14:20 GMT <AFaust> Well, close to, yes. At the one customer, for which I created my own Keycloak addon, it is running in a production environment, though it is their "our demo towards the customers to which we want to sell this platform" kind of demo (Alfresco is part of a higher level service platform)

2020-01-22 13:14:49 GMT <AFaust> "kind of demo" => "kind of production system"

2020-01-22 13:15:25 GMT <alfresco-discord> <dgradecak> I never checked how alfresco validates the token, do you know if it validates it locally or remotely by Keycloak? I guess it is remotely

2020-01-22 13:15:38 GMT <AFaust> Not using AIS at all... and going forward, I doubt I will ever use AIS (in its bare "minimum viable integration" form)

2020-01-22 13:16:03 GMT <alfresco-discord> <dgradecak> I am asking that since I am planning to do some testing with that but the idea is to create a JWT by another system

2020-01-22 13:18:44 GMT <AFaust> It depends on what you configure in the identity-services subsystem and in Keycloak/AIS. They are using the proper Keycloak libraries that will do the proper validation internally (e.g. checking encryption key, verifying caller etc) if configured

2020-01-22 13:20:11 GMT <AFaust> What they do NOT support is handling Keycloak session invalidation (neither on global nor user nor auth session / token basis)

2020-01-22 13:20:27 GMT <alfresco-discord> <dgradecak> ok will check that, but anyhow it could be a good authentication module for custom JWTs

2020-01-22 13:21:42 GMT <alfresco-discord> <dgradecak> sure, oauth2 logout is "complex", but the JWT should expire in a reasonable time so should "not be a problem"

2020-01-22 13:21:54 GMT <AFaust> So once a user has been authenticated in Alfresco via Keycloak, it does not matter if you hit the "logout" action in Keycloak, end the client-session, as an admin force-invalidate a user session, or set the "not before" timestamp to invalidate all tokens issued before X

2020-01-22 13:22:30 GMT <alfresco-discord> <dgradecak> well that is why I asked if alfresco does validate the tokens locally or remotely

2020-01-22 13:22:34 GMT <AFaust> I have not yet pushed my recent changes to my Keycloak addon, which includes all of that + roles / claims mapping, user / group synch

2020-01-22 13:22:45 GMT <alfresco-discord> <dgradecak> if it is locally, that logout cannot work, but remotely it can be done of course

2020-01-22 13:23:43 GMT <alfresco-discord> <dgradecak> so you made another auth subsystem at the end?

2020-01-22 13:24:10 GMT <AFaust> Yes...

2020-01-22 13:24:21 GMT <alfresco-discord> <dgradecak> aha ok

2020-01-22 13:25:21 GMT <alfresco-discord> <dgradecak> I have put my Spring Cloud Gateway (+social logins) with Alfresco ext auth in production

2020-01-22 13:25:28 GMT <AFaust> And token validation in oauth2 / OIDC is always local, isn't it? The only scenario where remote validation would come in is if you have an authorization code passed to Alfresco and would need to obtain the client-specific access token

2020-01-22 13:26:03 GMT <alfresco-discord> <dgradecak> it should be always indeed

2020-01-22 13:26:25 GMT <alfresco-discord> <dgradecak> but ... before being sure how they built it I cannot bet on that

2020-01-22 13:27:17 GMT <alfresco-discord> <dgradecak> planning to work on that this week

2020-01-22 13:27:26 GMT <AFaust> Well... again, they haven't really built anything (much) themselves. They just use Keycloak Adapter lib

2020-01-22 13:28:09 GMT <alfresco-discord> <dgradecak> ok, let me reformulate my statement ... before knowing how they used the Keycloak adapter libraries

2020-01-22 13:28:59 GMT <AFaust> So the main code for authentication via Keycloak in Alfresco is just two lines + result evaluation: https://github.com/Alfresco/alfresco-repository/blob/master/src/main/java/org/alfresco/repo/security/authentication/identityservice/IdentityServiceRemoteUserMapper.java#L176

2020-01-22 13:29:00 GMT <alfbot> Title:alfresco-repository/IdentityServiceRemoteUserMapper.java at master · Alfresco/alfresco-repository · GitHub (at github.com)

2020-01-22 13:29:45 GMT <AFaust> If you enable password-based login, it's essentially just one line more: https://github.com/Alfresco/alfresco-repository/blob/master/src/main/java/org/alfresco/repo/security/authentication/identityservice/IdentityServiceAuthenticationComponent.java#L80

2020-01-22 13:29:46 GMT <alfbot> Title:alfresco-repository/IdentityServiceAuthenticationComponent.java at master · Alfresco/alfresco-repository · GitHub (at github.com)

2020-01-22 13:30:38 GMT <AFaust> The rest is really just configuration handling and some facades to handle HTTP servlet request / response objects

2020-01-22 13:31:15 GMT <alfresco-discord> <dgradecak> and that last part sends a user/password to Keycloak? nice ...

2020-01-22 13:32:28 GMT <AFaust> That last part is the only way that Identity Service currently supports Alfresco Share, by using the login form to authenticate against Keycloak

2020-01-22 13:34:23 GMT <alfresco-discord> <dgradecak> sounds great 🙂 anyway my task is to find out how to create the JWT the same way as "AIS" and the rest should work, it seems

2020-01-22 13:47:02 GMT <alfresco-discord> <dgradecak> am I wrong ... it still uses only the username from AIS JWT? Did you add authorities extraction also or not? in your module

2020-01-22 13:55:55 GMT <AFaust> Yes, that is what I meant with claim / role mapping, and user / group synch

2020-01-22 13:56:13 GMT <alfresco-discord> <dgradecak> ah missed that

2020-01-22 13:56:44 GMT <alfresco-discord> <dgradecak> so the group sync you did is from KC?

2020-01-22 13:56:54 GMT <AFaust> Yes

2020-01-22 13:57:16 GMT <alfresco-discord> <dgradecak> nice

2020-01-22 13:57:42 GMT <AFaust> But would be optional. Ideally, everything would be handled via the role / claims mapping, and you would not need to synch groups etc.

2020-01-22 13:57:44 GMT <alfresco-discord> <dgradecak> not sure why it is not in ACS already, at least group sync from AIS

2020-01-22 13:58:03 GMT <alfresco-discord> <dgradecak> ideally, but you need to have the groups in alfresco still

2020-01-22 13:58:05 GMT <AFaust> Oh, and I also extract the user's details from the JWT to create / update the user (without requiring user synch)

2020-01-22 13:58:26 GMT <alfresco-discord> <dgradecak> unless you would create the groups once the user is authenticated

2020-01-22 13:58:42 GMT <alfresco-discord> <dgradecak> or how would ACLs work in alfresco?

2020-01-22 13:59:07 GMT <AFaust> That is an option you'd have. I have a couple of interfaces / API defined for potential plugins during authentication + synch, so it can be customised quite heavily

2020-01-22 13:59:22 GMT <AFaust> ^^ refers to group creation on authentication

2020-01-22 13:59:41 GMT <alfresco-discord> <dgradecak> I see

2020-01-22 14:00:17 GMT <alfresco-discord> <dgradecak> one issue with that is how to set up ACLs on folders/documents beforehand then?

2020-01-22 14:00:27 GMT <AFaust> I allow roles / claims to be mapped to authorities, so these would be authorities the user "has" while authenticated via Keycloak, even if those authorities do not exist in Alfresco.

2020-01-22 14:00:30 GMT <alfresco-discord> <dgradecak> if the auth did not yet happen

2020-01-22 14:00:42 GMT <AFaust> These authorities can be used for setting up permissions on nodes, and would be respected during ACL evaluation.

2020-01-22 14:01:49 GMT <AFaust> That thing about setting up ACLs "in advance" is still an open feature / issue. Problem is that default UIs will do search only over groups which exist in Alfresco.

2020-01-22 14:02:56 GMT <AFaust> So there would need to be some form of hook / customisation to these UIs to allow a live lookup of roles / groups from Keycloak for handling the ACL assignments without having to synch them to Alfresco

2020-01-22 14:03:08 GMT <AFaust> That is actually the main reason why I chose to implement synch at all...

2020-01-22 14:03:28 GMT <AFaust> So I can move that feature off into the future....

2020-01-22 14:03:32 GMT <alfresco-discord> <dgradecak> logically

2020-01-22 14:03:56 GMT <alfresco-discord> <dgradecak> would be too many "customizations" especially for existing UIs

2020-01-22 14:04:08 GMT <alfresco-discord> <dgradecak> and would be a nightmare for ADF I guess

2020-01-22 14:04:24 GMT <alfresco-discord> <dgradecak> I mean the existing components 😉

2020-01-22 14:04:39 GMT <AFaust> Not just UIs... AFAIK the Public ReST API has a nasty validation in their node handling that allows permissions to be set only for users / groups that do exist.

2020-01-22 14:05:25 GMT <alfresco-discord> <dgradecak> sure ...

2020-01-22 14:05:54 GMT <alfresco-discord> <dgradecak> probably snc is the easiest way

2020-01-22 14:06:00 GMT <alfresco-discord> <dgradecak> * sync

2020-01-22 14:06:31 GMT <AFaust> I already had to hack a bit in core to get the authorities mapped from claims / roles to stick, because guess what, Alfresco has a weird auth architecture that results in the "current user" context to be initialised twice for each SSO login.

2020-01-22 14:07:01 GMT <AFaust> And the second "current user" context initialisation would lose the authorities mapped in the first...

2020-01-22 14:07:39 GMT <alfresco-discord> <dgradecak> ah, when you say that it does not make me want to play with that

2020-01-22 14:08:14 GMT <AFaust> ... and then... the PermissionService respects the authorities mapped in the "current user" context for ACL checks, but the web script framework uses AuthorityService to check e.g. if you are an admin when accessing the Admin Console, and that service does NOT respect the mapped authorities.

2020-01-22 14:08:22 GMT <alfresco-discord> <dgradecak> will stick for now to the JWT only with username

2020-01-22 14:08:57 GMT <alfresco-discord> <dgradecak> did you use ADFS at the end with KC?

2020-01-22 14:09:06 GMT <alfresco-discord> <dgradecak> I remember you were talking about that

2020-01-22 14:09:09 GMT <AFaust> You can wait, and maybe hope my talk submission for DevCon on this topic will be picked up...

2020-01-22 14:09:40 GMT <alfresco-discord> <dgradecak> why hope? you will opensource it if it is accepted?

2020-01-22 14:09:54 GMT <AFaust> So in my customer setup, I do have Azure Active Directory Domain Services set up with Keycloak. Not the same as ADFS, but not so dissimilar either.

2020-01-22 14:09:55 GMT <alfresco-discord> <dgradecak> or you mean to listen to your talk 😉

2020-01-22 14:10:11 GMT <AFaust> No, it is already open sourced (the first version with the Share SSO support)...

2020-01-22 14:10:31 GMT <alfresco-discord> <dgradecak> and you sync the users from KC, why not from AD ?

2020-01-22 14:10:38 GMT <alfresco-discord> <dgradecak> I mean the groups

2020-01-22 14:10:42 GMT <alfresco-discord> <dgradecak> not users

2020-01-22 14:10:43 GMT <AFaust> Yes, the second part about listening to all the crazy crap you have to deal with when creating a custom SSO that is not a "bare minimum hack"

2020-01-22 14:10:56 GMT <AFaust> You can still sync users from AD via regular LDAP-AD.

2020-01-22 14:11:15 GMT <AFaust> But if you only have Keycloak without a backing directory, then you need to be able to synch from Keycloak directly.

2020-01-22 14:11:23 GMT <alfresco-discord> <dgradecak> well I submitted a talk for SSO/OAUTH and spring cloud gateway, so similar to you

2020-01-22 14:11:38 GMT <alfresco-discord> <dgradecak> but without Keycloak

2020-01-22 14:12:12 GMT <AFaust> Also, you may have already set up Keycloak to aggregate many directories and filter users - then you'd get the pre-filtered (and potentially "enriched") users from Keycloak, instead of having to set up 2, 3 or 4 different LDAP subsystems

2020-01-22 14:12:30 GMT <alfresco-discord> <dgradecak> I still expect Alfresco to do that sync soon, but did not check if there is any ticket for that case

2020-01-22 14:12:43 GMT <AFaust> "enriched" -> you could have a Keycloak platform with custom user / group attributes not present in AD...

2020-01-22 14:12:53 GMT <alfresco-discord> <dgradecak> sure

2020-01-22 14:13:25 GMT <AFaust> Well, they said they were going to look at supporting Share SSO right after DevCon last year, and I even exchanged mails with them about it. Has there been any progress/feedback? I think you know the answer...

2020-01-22 14:13:25 GMT <alfresco-discord> <dgradecak> that is why I would expect alfresco to do the sync from AIS/KC. is that in enterprise maybe? I guess not

2020-01-22 14:14:10 GMT <AFaust> I believe they stated that they want to get away from doing sync at all in the long-term strategy for AIS.

2020-01-22 14:14:44 GMT <alfresco-discord> <dgradecak> with my setup, but you know that I only use the external auth in Alfresco, and all the rest is done in the gateway (social login or/and spring security login)

2020-01-22 14:15:37 GMT <alfresco-discord> <dgradecak> and that works pretty well, sure groups still come from ldap or local to alfresco, no custom sync. But I might do a sync for spring security, could be useful

2020-01-22 14:16:15 GMT <alfresco-discord> <dgradecak> do you have a link to your KC sync?

2020-01-22 14:17:55 GMT <alfresco-discord> <dgradecak> btw, I started some work on spring boot admin for Alfresco, will open source it once I have something working correctly

2020-01-22 14:18:23 GMT <alfresco-discord> <dgradecak> not sure if it is of interest for you, but I do a lot of spring boot stuff so it would have a value to have a module for "actuators"

2020-01-22 14:18:35 GMT <alfresco-discord> <dgradecak> any thoughts on that?

2020-01-22 14:21:21 GMT <AFaust> You know what - instead of waiting for a state that "feels ready" to be pushed, I just pushed everything I currently have: https://github.com/Acosix/alfresco-keycloak

2020-01-22 14:21:23 GMT <alfbot> Title:GitHub - Acosix/alfresco-keycloak: Alfresco addon to provide Keycloak-related extensions / customisations for Repository and Share (at github.com)

2020-01-22 14:22:11 GMT <AFaust> Sync entry point is https://github.com/Acosix/alfresco-keycloak/blob/master/repository/src/main/java/de/acosix/alfresco/keycloak/repo/sync/KeycloakUserRegistry.java

2020-01-22 14:22:12 GMT <alfbot> Title:alfresco-keycloak/KeycloakUserRegistry.java at master · Acosix/alfresco-keycloak · GitHub (at github.com)

2020-01-22 14:22:45 GMT <AFaust> Using the KC ReST API via https://github.com/Acosix/alfresco-keycloak/blob/master/repository/src/main/java/de/acosix/alfresco/keycloak/repo/client/IDMClientImpl.java

2020-01-22 14:22:46 GMT <alfbot> Title:alfresco-keycloak/IDMClientImpl.java at master · Acosix/alfresco-keycloak · GitHub (at github.com)

2020-01-22 14:23:18 GMT <alfresco-discord> <dgradecak> do not say I "pushed" you to do that 🙂

2020-01-22 14:23:27 GMT <alfresco-discord> <dgradecak> but cool, thank you

2020-01-22 14:24:28 GMT <AFaust> No, you did not push me, but I was wary of saying "I have something" and not being able to reference / show something, even if I still have quite a bit of polishing, documenting and testing to do

2020-01-22 14:24:54 GMT <AFaust> And then it was just "oh, what the hell" and be done with it (the "push")

2020-01-22 14:25:36 GMT <alfresco-discord> <dgradecak> it does not mean you have to opensource it

2020-01-22 14:25:57 GMT <alfresco-discord> <dgradecak> I know that feeling 😄

2020-01-22 14:27:01 GMT <AFaust> I was already planning to do that anyway - and the first version already was open...

2020-01-22 14:27:25 GMT <AFaust> That'd be a "stupid" addon to have behind a paywall...

2020-01-22 16:07:12 GMT <AFaust> Yeay, busting out my 8-year-old ALF-11982 again to implement this (rejected) improvement again for a customer...

2020-01-22 16:08:11 GMT <AFaust> ...or at least partially

End of Daily Log

The other logs are at http://esplins.org/hash_alfresco