infinispan / infinispan-helm-charts

Apache License 2.0

User with role admin doesn't have the possibility to create a cache #96

Closed oburd closed 7 months ago

oburd commented 7 months ago

Hello! There is a strange thing: a user with role admin doesn't have the Cache Setup creation tab, while a user with role application has the Cache Setup creation tab.

Is this okay ?

(screenshot: user with application role)

(screenshot: user with admin role)

We want to connect keycloak to our external infinispan, what role we need to choose ? Thank you

ryanemerson commented 7 months ago

A user with role admin doesn't have the Cache Setup creation tab, while a user with role application has the Cache Setup creation tab.

The admin role shouldn't definitely have the ability to create caches. Can you paste the batch command you're using to create the users?

We want to connect keycloak to our external infinispan, what role we need to choose ?

The "application" role should be sufficient.

oburd commented 7 months ago

The admin role shouldn't definitely have the ability to create caches. Can you paste the batch command you're using to create the users?

Well, I use "user create name_user -p password_user -g admin". I understand that I create a user with group admin; I thought he can do anything. Quote from the documentation: "Superuser with all permissions including control of the Cache Manager lifecycle."

The "application" role should be sufficient.

Thank you, understood

ryanemerson commented 7 months ago

I thought he can do anything. Quote from the documentation

Yes that should be the case.

@karesti Any thoughts?

karesti commented 7 months ago

Cache Setup in 14 is only for users that can't create a cache; the create cache button is in the caches list.

karesti commented 7 months ago

by the way, this has changed in 15.x

oburd commented 7 months ago

@karesti

Cache Setup in 14 is only for users that can't create a cache; the create cache button is in the caches list.

Hello! I didn't understand your answer; I thought that a superuser can create everything?

by the way, this has changed in 15.x

Is this officially pulled to the repos so I can change it in the helm chart? Thank you

karesti commented 7 months ago

@oburd the button to create a cache is in the data container page in the cache list tab. If it's not there, there is a bug.

(screenshot: Screenshot 2023-11-14 at 10 37 22)

oburd commented 7 months ago

@oburd the button to create a cache is in the data container page in the cache list tab. If it's not there, there is a bug.

(screenshot: Screenshot 2023-11-14 at 10 37 22)

Okay, what about Cache Setup: does the admin role not have it, like the application role does?

karesti commented 7 months ago

Create Cache: The Create Cache Wizard is a tool for configuring and immediately creating caches if you want to (or download the configuration file instead).

Cache Setup: Cache Setup configures caches but does not allow creating them. Instead, it generates a downloadable or copy-pasteable configuration file.

Version 15.0 Update: In version 15.0, we simplified access by adapting button names. Despite user permissions, the interface remains consistent. Test for any issues and report bugs promptly for resolution.

oburd commented 7 months ago

Create Cache: The Create Cache Wizard is a tool for configuring and immediately creating caches if you want to (or download the configuration file instead).

Cache Setup: Cache Setup configures caches but does not allow creating them. Instead, it generates a downloadable or copy-pasteable configuration file.

Version 15.0 Update: In version 15.0, we simplified access by adapting button names. Despite user permissions, the interface remains consistent. Test for any issues and report bugs promptly for resolution.

Hello! Okay, thank you very much for the help!

oburd commented 7 months ago

@karesti There is a bug, I think: as admin or anyone else I can't create a cache. "Unexpected error creating the cache with the provided configuration. Unauthorized action."

I log in to the console, Data Container - Create a cache, and I receive the error above.

We have two users:

user create user_administrator -p -g admin
user create user_keycloak -p -g application

one admin, another application

oburd commented 7 months ago

There is an example of the error on the screenshot

(screenshot: error console cache)

karesti commented 7 months ago

@oburd are you connecting with user_administrator/password? On the top I read "admin"

karesti commented 7 months ago

@oburd which version of infinispan are you running exactly?

oburd commented 7 months ago

@oburd are you connecting with user_administrator/password? On the top I read "admin"

This screenshot is an example of how the error looks. I have the same error with my user with ADMIN role.

@oburd which version of infinispan are you running exactly?

Version 14; server: quay.io/infinispan/server:14.0

karesti commented 7 months ago

@oburd can you please tell me which version exactly? In the About. The 14.0 image has been updated to the latest. How did you reproduce the bug exactly? The interface is not Infinispan 14.0.20.Final, for example. If you are using Infinispan 14.0, pull the latest image and clean the browser cache data (interface changes can be tricky).

oburd commented 7 months ago

@oburd can you please tell me which version exactly? In the About. The 14.0 image has been updated to the latest. How did you reproduce the bug exactly? The interface is not Infinispan 14.0.20.Final, for example. If you are using Infinispan 14.0, pull the latest image and clean the browser cache data (interface changes can be tricky).

1) About the image: I have used the default image variable in the helm chart:

images:
  # [USER] The container images for server pods.
  server: quay.io/infinispan/server:14.0
  initContainer: registry.access.redhat.com/ubi8-micro

I have tried to use the image with the LATEST tag; the same error is present.

2) About the error: I deploy infinispan through the helm chart https://github.com/infinispan/infinispan-helm-charts. After deploy, I can enter the console with my administrator user and the keycloak user; administrator has the role ADMIN, keycloak has the role APPLICATION.

administrator with role ADMIN can't create a cache in Data Container - Cache template. This is my error (screenshot: error creation). This is my value.yml:

images:
  # [USER] The container images for server pods.
  server: quay.io/infinispan/server:latest
  initContainer: registry.access.redhat.com/ubi8-micro

deploy:
  # [USER] Specify the number of nodes in the cluster.
  replicas: 2

  clusterDomain: cluster.local

  container:
    extraJvmOpts: ""
    libraries: ""
    # [USER] Define custom environment variables using standard K8s format
    # env:
    #  - name: STANDARD_KEY
    #    value: standard value
    #  - name: CONFIG_MAP_KEY
    #    valueFrom:
    #      configMapKeyRef:
    #        name: special-config
    #        key: special.how
    #  - name: SECRET_KEY
    #    valueFrom:
    #      secretKeyRef:
    #        name: special-secret
    #        key: special.how
    env:
    storage:
      size: 1Gi
      storageClassName: ""
      # [USER] Set `ephemeral: true` to delete all persisted data when clusters shut down or restart.
      ephemeral: true
    resources:
      # [USER] Specify the CPU limit and the memory limit for each pod.
      limits:
        cpu: 1000m
        memory: 1024Mi
      # [USER] Specify the maximum CPU requests and the maximum memory requests for each pod.
      requests:
        cpu: 1000m
        memory: 1024Mi

  security:
    secretName: ispn-user-batch
    batch: ""

  expose:
    # [USER] Specify `type: ""` to disable network access to clusters.
    type: Route
    nodePort: 0
    host: dummy
    annotations:
      - key: kubernetes.io/ingress.class
        value: alb
      - key: alb.ingress.kubernetes.io/group.name
        value: dummy
      - key: alb.ingress.kubernetes.io/group.order
        value: dummy
      - key: alb.ingress.kubernetes.io/scheme
        value: internal
      - key: alb.ingress.kubernetes.io/target-type
        value: ip
      - key: alb.ingress.kubernetes.io/listen-ports
        value: '[{"HTTP": 80}, {"HTTPS":443}]'
      - key: alb.ingress.kubernetes.io/certificate-arn
        value: dummy
      - key: alb.ingress.kubernetes.io/ssl-redirect
        value: '443'
      - key: alb.ingress.kubernetes.io/healthcheck-path
        value: /rest/v2/cache-managers/default/health/status

  monitoring:
    enabled: false

  logging:
    categories:
      # [USER] Specify the FQN of a package from which you want to collect logs.
      - category: com.arjuna
        # [USER] Specify the level of log messages.
        level: warn
      # No need to warn about not being able to TLS/SSL handshake
      - category: io.netty.handler.ssl.ApplicationProtocolNegotiationHandler
        level: error

  makeDataDirWritable: false

  nameOverride: ""

  resourceLabels: []

  podLabels:
    - key: microservice
      value: infinispan

  svcLabels: []

  tolerations: []

  nodeAffinity: {}

  nodeSelector: {}

  infinispan:
    cacheContainer:
      # [USER] Add cache, template, and counter configuration.
      name: default
      statistics: "true"
      replicatedCacheConfiguration:
         name: "replicated-template"
         mode: "ASYNC"
         statistics: "true"
         encoding:
            mediaType: "application/x-protostream"
         memory:
            storage: HEAP
         security:
           authorization:
             enabled: true
             roles:
             - application
      caches:
        realms:
         replicatedCache:
          configuration: "replicated-template"
        users:
         replicatedCache:
          configuration: "replicated-template"
        sessions:
         replicatedCache:
          configuration: "replicated-template"
        authenticationSessions:
         replicatedCache:
          configuration: "replicated-template"
        offlineSessions:
         replicatedCache:
          configuration: "replicated-template"
        clientSessions:
         replicatedCache:
          configuration: "replicated-template"
        offlineClientSessions:
         replicatedCache:
          configuration: "replicated-template"
        loginFailures:
         replicatedCache:
          configuration: "replicated-template"
        authorization:
         replicatedCache:
          configuration: "replicated-template"
        work:
         replicatedCache:
          configuration: "replicated-template"
        keys:
         replicatedCache:
          configuration: "replicated-template"
        actionTokens:
         replicatedCache:
          configuration: "replicated-template"
      # [USER] Specify `security: null` to disable security authorization.
      security:
        authorization: {}
      transport:
        cluster: ${infinispan.cluster.name:cluster}
        node-name: ${infinispan.node.name:}
        stack: kubernetes
    server:
      endpoints:
      # [USER] Hot Rod and REST endpoints.
      - securityRealm: default
        socketBinding: default
        connectors:
          rest:
            restConnector:
              authentication:
                mechanisms: BASIC
          hotrod:
            hotrodConnector:
          # [MEMCACHED] Uncomment to enable Memcached endpoint
          # memcached:
          #   memcachedConnector:
          #     socketBinding: memcached
      # [METRICS] Metrics endpoint for cluster monitoring capabilities.
      - connectors:
          rest:
            restConnector:
              authentication:
                mechanisms: BASIC
        securityRealm: metrics
        socketBinding: metrics
      interfaces:
      - inetAddress:
          value: ${infinispan.bind.address:127.0.0.1}
        name: public
      security:
        credentialStores:
        - clearTextCredential:
            clearText: secret
          name: credentials
          path: credentials.pfx
        securityRealms:
        # [USER] Security realm for the Hot Rod and REST endpoints.
        - name: default
          # [USER] Comment or remove this properties realm to disable authentication.
          propertiesRealm:
            groupProperties:
              path: groups.properties
            groupsAttribute: Roles
            userProperties:
              path: users.properties
          # [METRICS] Security realm for the metrics endpoint.
        - name: metrics
          propertiesRealm:
            groupProperties:
              path: metrics-groups.properties
              relativeTo: infinispan.server.config.path
            groupsAttribute: Roles
            userProperties:
              path: metrics-users.properties
              relativeTo: infinispan.server.config.path
      socketBindings:
        defaultInterface: public
        portOffset: ${infinispan.socket.binding.port-offset:0}
        socketBinding:
          # [USER] Socket binding for the Hot Rod and REST endpoints.
        - name: default
          port: 11222
          # [METRICS] Socket binding for the metrics endpoint.
        - name: metrics
          port: 11223
          # [MEMCACHED] Uncomment to enable Memcached endpoint
        # - name: memcached
        #   port: 11221

karesti commented 7 months ago

@oburd @tristantarrant there is something that I'm missing here.

The REST API connector uses BASIC:

rest:
  restConnector:
    authentication:
      mechanisms: BASIC

However, Keycloak is not BASIC, but token based. Something might be wrong in this config. I'm not excluding a bug from the console on the case of Keycloak + Infinispan + REST by saying this :)

karesti commented 7 months ago

@oburd maybe I'm just getting confused here by reading "keycloak"

karesti commented 7 months ago

@oburd why are you using two different properties realms? default and metrics

karesti commented 7 months ago

@oburd another question, which is the rest console you are accessing? port: 11222 or port: 11223?

karesti commented 7 months ago

Let me know which is the result of this endpoint please (you should see it in the network call) http://localhost:11222/rest/v2/security/user/acl

oburd commented 7 months ago

@oburd @tristantarrant there is something that I'm missing here.

The REST API connector uses BASIC:

rest:
  restConnector:
    authentication:
      mechanisms: BASIC

However, Keycloak is not BASIC, but token based. Something might be wrong in this config. I'm not excluding a bug from the console on the case of Keycloak + Infinispan + REST by saying this :)

@karesti About this post of yours: we don't speak about Keycloak at all, we are talking about the INFINISPAN helm chart https://github.com/infinispan/infinispan-helm-charts. I am using your default value.yml https://github.com/infinispan/infinispan-helm-charts/blob/main/values.yaml with a secret which consists of a batch of users which can access the console and infinispan. About BASIC, why shouldn't it work? In your docs https://infinispan.org/docs/helm-chart/main/helm-chart.html#server-configuration-values_configuring-servers the same is written:

server:
      endpoints:
        # [USER] Hot Rod and REST endpoints.
        - securityRealm: default
          socketBinding: default
        # [METRICS] Metrics endpoint for cluster monitoring capabilities.
        - connectors:
            rest:
              restConnector:
                authentication:
                  mechanisms: BASIC

I have another problem if I don't use this BASIC, because DIGEST doesn't work correctly when I have 2 replicas and expose to AWS ALB https://github.com/infinispan/infinispan-helm-charts/issues/93 - this was my issue and with the help of @ryanemerson it was resolved.

The problem IS not with authentication; the problem is that authorization is not working and I don't know why. Why can't my user with ADMIN role create a cache in Data Container?

@oburd maybe I'm just getting confused here by speaking reading keycloak

It's not about keycloak

@oburd why are you using two different properties realms ? default and metrics

Because it's in default configuration https://infinispan.org/docs/helm-chart/main/helm-chart.html#server-configuration-values_configuring-servers

Let me know which is the result of this endpoint please (you should see it in the network call) http://localhost:11222/rest/v2/security/user/acl

I don't have localhost because it's in kubernetes

I guess I will close this issue because I have another one opened; I guess it's better to split them. Thank you

P.S. There is an issue https://github.com/infinispan/infinispan-helm-charts/issues/98
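The thread juggles three things at once: the batch-file users (user create ... -g admin / -g application), what the admin and application roles are allowed to do, and the cache template's explicit authorization roles list that names only "application". The following is an added example, not code from the infinispan-helm-charts project or from Infinispan itself, that models those three pieces so a reader can reason about which user should be able to create a cache and which user is even listed on the template's caches. Two assumptions are labelled in the code: the "admin" role holds ALL permissions (from the documentation quote in the thread), while the "application" permission set is an approximation of Infinispan's default mapping; and an explicit cache-level roles list is treated as exclusive, so a user needs one of the listed roles to reach that cache. Both should be checked against the docs for the Infinispan version actually deployed. The batch lines and the roles list are constructed from the thread, with placeholder passwords.

```python
"""Model of batch users, role permissions and cache-level role lists (added example).

Assumptions (not from the chart or the thread):
  * ROLE_PERMISSIONS["admin"] = ALL follows the documentation quote in the thread;
    the "application" set is an assumed approximation of Infinispan's default roles.
  * An explicit cache-level `roles:` list is treated as exclusive: a user needs at
    least one listed role to access that cache. Verify against your version's docs.
"""
import shlex

# Named permissions that "ALL" expands to (assumed list; check your server's docs).
PERMISSIONS = {"READ", "WRITE", "CREATE", "EXEC", "LISTEN", "BULK_READ",
               "BULK_WRITE", "MONITOR", "LIFECYCLE", "ADMIN"}

ROLE_PERMISSIONS = {
    "admin": {"ALL"},                                   # per the quoted documentation
    "application": {"READ", "WRITE", "EXEC", "LISTEN",  # assumed approximation
                    "BULK_READ", "BULK_WRITE", "MONITOR"},
}

# Constructed input: the two batch lines from the thread, passwords replaced by placeholders.
BATCH = """\
user create user_administrator -p placeholder-password -g admin
user create user_keycloak -p placeholder-password -g application
"""

# Constructed input: the template's security.authorization.roles list from the value.yml.
TEMPLATE_ROLES = ["application"]


def parse_batch(text):
    """Return {username: [group, ...]} from 'user create NAME -p PW -g G1,G2' lines.

    Lines that are not 'user create' commands are ignored; -g accepts a comma list.
    """
    users = {}
    for line in text.splitlines():
        parts = shlex.split(line)
        if parts[:2] != ["user", "create"] or len(parts) < 3:
            continue
        name, groups, i = parts[2], [], 3
        while i < len(parts):
            if parts[i] == "-g" and i + 1 < len(parts):
                groups.extend(g for g in parts[i + 1].split(",") if g)
                i += 2
            elif parts[i] == "-p" and i + 1 < len(parts):
                i += 2  # skip the password value; it plays no role in authorization
            else:
                i += 1
        users[name] = groups
    return users


def permissions_for(groups):
    """Union of the permissions granted by each group/role, expanding ALL."""
    perms = set()
    for g in groups:
        p = ROLE_PERMISSIONS.get(g, set())
        perms |= PERMISSIONS if "ALL" in p else p
    return perms


def can_create_cache(groups):
    """Creating a cache through the console needs CREATE on the cache manager."""
    return "CREATE" in permissions_for(groups)


def can_access_cache(groups, cache_roles):
    """Exclusive role list (assumption): empty list means no cache-level restriction."""
    if not cache_roles:
        return True
    return any(g in cache_roles for g in groups)


def report(batch_text, cache_roles):
    """Per-user summary: groups, whether CREATE is held, and template-cache access."""
    return {
        name: {
            "groups": groups,
            "create_cache": can_create_cache(groups),
            "access_template_caches": can_access_cache(groups, cache_roles),
        }
        for name, groups in parse_batch(batch_text).items()
    }


if __name__ == "__main__":
    for user, info in report(BATCH, TEMPLATE_ROLES).items():
        print(user, info)
```

Under these assumptions the model says user_administrator holds CREATE while user_keycloak does not, and that only user_keycloak is named on caches built from the template, because "admin" is absent from its roles list. The model is a way to state expectations; the authoritative answer is the server's own view, which is what the /rest/v2/security/user/acl endpoint mentioned above returns for the authenticated user. On Kubernetes it can be reached without a public route by forwarding the service port, for example kubectl port-forward svc/RELEASE-NAME 11222:11222 (the service name is a placeholder) and then requesting http://localhost:11222/rest/v2/security/user/acl with the same BASIC credentials the console uses.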