eclipse / amlen
Message Broker for IoT/Mobile/Web. Mainly uses MQTT v3.x and v5. Aims to be easy to use, scalable and reliable
License: Eclipse Public License 2.0
Now the source code is open we need to get it set up to build on the Eclipse buildservers and get the code uploaded to the website.
Whilst the initial code contribution was going through legal review, more code changes have happened, so we need to get those synced across and get the internal IBM repos to point to this repo as the source of truth so that development happens here in future.
The source for the Amlen Docs went through legal review with the product code, so now we need to get the build output from the docs hosted on the eclipse.org/amlen website.
If you use the WebUI to update the certificate for the WebUI you get told:
error
An error occurred uploading the certificate file. CWLNA5001
Access to /config/webui/libertyCertificate was denied for user admin.
Going to the messaging tab of a newly created Amlen instance shows an error with an incomplete error message.
0.1rc1
error
An error occurred retrieving destination mapping rules. CWLNA0316
12:55:42 PM
The
So the error message is not all that useful.
Get legal approval from IBM and Eclipse to deliver the initial code drop for Amlen.
We have a clustered Amlen, v1.0.0.1-20220622
Case 1 (working as intended)
Case 2 (not working as we expect)
We expect that case 2 would work in the same way as case 1: clients connected to any node that subscribe to a topic should receive messages from that topic that were published to any node.
Is this a bug or an intended scenario?
It's possible to choose what user Amlen runs as, as described in the Dockerfiles:
https://github.com/eclipse/amlen/blob/main/server_build/docker_build/Dockerfile.imaserver
But by default, if no user is specified, it runs as root. This is bad practice; under this issue we'll:
[ ] Change it to user amlen, group amlen by default (and create them if they don't exist)
[ ] Use files with amlen rather than messagesight in the filename for usernames (but fall back to the messagesight ones if they exist and the amlen ones don't)
[ ] Document better the ways to set the user (including the amlen->messagesight fallback)
OS : CentOS/RHEL 7.9
AMLEN Version : 1.1dev
AMLEN Build : 20231130-1152
Hello the Amlen team,
On the WebUI, in Server -> Security Settings -> OAuth Profile, when we want to create or edit an OAuth profile, it seems that 2 attributes are missing in the WebUI.
Here is the screen of the WebUI:
The only way to complete the OAuth profile configuration is to use the REST API on this endpoint: ima/v1/configuration with a POST method on OAuthProfile.
Here are the two missing attributes in the WebUI:
UserName
UserPassword
On my side, these attributes are used to perform an OAuth2 Introspection (between AMLEN and the OAuth federation) when an MQTT client opens a new connection on the Amlen Broker.
Is there a way to update the WebUI to add these parameters?
Cheers
The current operator doesn't support persistent volume claim storage classes. This works fine for CodeReady Containers, which has very basic persistent volumes, but when running it on something a bit more realistic like AWS or Azure, specifying the persistent volume claim storage class is necessary. This should be a relatively simple change to make by adding the storageClass into the volumeClaimTemplate:
amlen/operator/roles/amlen/templates/statefulset.j2
Lines 86 to 93 in 6900d64
Then it will need to be added into the defaults file:
https://github.com/eclipse/amlen/blob/6900d64e8a425013f80e9246c0088549338c5d48/operator/roles/amlen/defaults/main.yml
Testing this is going to require access to a system with storage classes, so using CodeReady Containers won't be suitable. There are free trials and developer accounts available on different cloud providers that may be useful.
Work out how to show the status of Amlen, as currently it's not obvious if it's stalled for some reason. For example, if you set deploy_ldap to True but don't provide a config, it will stall waiting for the config with no obvious problem, as all the pods will be marked as ready.
Hello Amlen team,
I am interested in using the Amlen broker as an MQTT broker with basic auth (Username + Password) access. I have read that the broker supports LDAP, OAUTH and LTPA, but as far as I understand there is no simple basic auth solution? Currently, I would not want to operate another Auth-Server if possible. If not, is it possible to add this as an extension/plugin? The protocol plugin does not seem to be a generic extension mechanism, is it?
This only really matters when the node is starting up during creation where HA is disabled.
We can't log into the WebUI if Java 17 is used to run the liberty.
We need to warn people rather than start when we know it doesn't work
(and investigate whether we can make it work).
At the moment changing the password via the REST API will cause the readiness probe to fail, and that breaks pretty much everything in the operator.
According to the issue tracking our progress/graduation review:
https://gitlab.eclipse.org/eclipsefdn/emo-team/emo/-/issues/261
The top level of the repo needs to contain a SECURITY.md and a CODE_OF_CONDUCT.md (and the above issue links to example content)
Having an option to deploy the WebUI as part of the operator would be really useful for getting people using Amlen. There are several parts to this:
Depending on the person picking this up and their skills, this could be a single issue or could be split down into separate issues if someone wants a smaller piece to work on.
There is something wrong in the Jenkins job which means that builds that fail (i.e. the build step in the job fails) do not necessarily cause the job to fail. As long as the files needed in the deploy step have been created, the deploy step will pass and the job will be counted as a success. This is a particular problem when it comes to unit tests, as those run after everything needed for deploying, so unit test failures do not cause the job to fail (or even make it obvious they have failed).
Hopefully something small has been missed in the build step of the Jenkinsfile:
Lines 58 to 76 in 6900d64
Making a unit test fail is fairly easy; however, you need to know which ones run as standard in a build, so here is a test that does run:
amlen/server_admin/test/security_test.c
Lines 148 to 163 in 6900d64
I've been a long time user of the Watson IoT Platform and am investigating options now that IBM has deprecated it.
I've been able to install the Amlen server but am hitting an issue with the Web UI requiring LDAP, and it appears that it requires the package openldap-servers.
RHEL deprecated OpenLDAP in version 7, and has now completely removed any access to it in RHEL 9 unless you set up the CodeReady repo in RHEL 8 and upgrade.
What is the dependency on the OpenLDAP server package? Isn't the Web UI just an LDAP client?
Hi,
I have Amlen installed within Kubernetes in active/passive. It works fine except in one cluster. I think it has something to do with the NFS volumes.
Can anyone help and point out what is the problem with the storage?
x.x.109.18:/psb_FS/psb-qa-psb-imaserver-data-psb-messagesight-0-pvc-7f22f362-4c70-4952-9186-04274e51188a on /var/lib/amlen-server type nfs4 (rw,relatime,vers=4.1,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys,clientaddr=x.x.184.20,local_lock=none,addr=x.x.109.18)
x.x.109.18:/psb_FS/psb-qa-psb-imaserver-log-psb-messagesight-0-pvc-ee319c4d-2a82-41ec-abf0-43d29834b853 on /var/lib/amlen-server/diag type nfs4 (rw,relatime,vers=4.1,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys,clientaddr=x.x.184.20,local_lock=none,addr=x.x.109.18)
x.x.109.18:/psb_FS/psb-qa-psb-imaserver-data-psb-messagesight-1-pvc-34925f78-0a0c-45d2-b66f-531b036712a8 on /var/lib/amlen-server type nfs4 (rw,relatime,vers=4.1,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys,clientaddr=x.x.184.21,local_lock=none,addr=x.x.109.18)
x.x.109.18:/psb_FS/psb-qa-psb-imaserver-log-psb-messagesight-1-pvc-79e99cfb-443d-45b1-81a4-4e7f1f1dd87d on /var/lib/amlen-server/diag type nfs4 (rw,relatime,vers=4.1,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys,clientaddr=x.x.184.21,local_lock=none,addr=x.x.109.18)
Various cleanups are required to pass the reviews for 1.0.
Issues are here:
https://gitlab.eclipse.org/eclipsefdn/emo-team/emo/-/issues/261
https://dev.eclipse.org/ipzilla/show_bug.cgi?id=24010
We need to:
Background: This only happens on RHEL 8, Alma 8 and CentOS 8, which use
openldap-2.4.59-1.el8.x86_64
openldap-servers-2.4.59-1.el8.x86_64
openldap-clients-2.4.46-18.el8.x86_64
WebUI login fails with a missing bindPassword="" parameter.
Failure in logs is:
[5/27/22 17:11:23:929 EEST] 00000011 LogService-148-com.ibm.ws.security.wim.adapter.ldap E CWWKE0701E: bundle com.ibm.ws.security.wim.adapter.ldap:1.0.57.cl211020210920-1900 (148)[com.ibm.ws.security.wim.adapter.ldap.LdapAdapter(352)] : The activated method has thrown an exception com.ibm.wsspi.security.wim.exception.MissingInitPropertyException: CWIML0004E: An error occurred during the user registry initialization. The initialization property bindPassword is missing from the server.xml file. Specify an initialization property in the server.xml file.
Looking in /var/lib/amlen-webui/wlp/usr/servers/ISMWebUI/ldap.xml bindPassword has an empty value:
<server description="${IMA_PRODUCTNAME_FULL} Web UI">
    <ldapRegistry id="ldap" host="127.0.0.1" port="9389" ignoreCase="true"
        reuseConnection="false"
        baseDN="ou=webui,dc=ism.ibm,dc=com"
        bindDN="cn=Directory Manager,dc=ism.ibm,dc=com"
        bindPassword=""
        userFilter="(&(uid=%v)(objectclass=inetOrgPerson))"
        groupFilter="(&(cn=%v)(objectclass=groupOfNames))"
        userIdMap="inetOrgPerson:uid"
        groupIdMap="*:cn"
        ldapType="Custom">
    </ldapRegistry>
</server>
In /usr/share/amlen-webui/wlp/usr.org/servers/ISMWebUI/ldap.xml it is:
<server description="${IMA_PRODUCTNAME_FULL} Web UI">
    <ldapRegistry id="ldap" host="127.0.0.1" port="9389" ignoreCase="true"
        reuseConnection="false"
        baseDN="ou=webui,dc=ism.ibm,dc=com"
        bindDN="cn=Directory Manager,dc=ism.ibm,dc=com"
        bindPassword="secret"
        userFilter="(&(uid=%v)(objectclass=inetOrgPerson))"
        groupFilter="(&(cn=%v)(objectclass=groupOfNames))"
        userIdMap="inetOrgPerson:uid"
        groupIdMap="*:cn"
        ldapType="Custom">
    </ldapRegistry>
</server>
If the empty value is filled in with secret, the first error goes away, but once you try to log in with admin/admin an invalid credentials message pops up.
[5/27/22 17:03:27:489 EEST] 00000022 com.ibm.ws.security.wim.registry.util.LoginBridge E com.ibm.wsspi.security.wim.exception.WIMSystemException: CWIML4520E: The LDAP operation could not be completed. The LDAP naming exception javax.naming.AuthenticationException: [LDAP: error code 49 - Invalid Credentials]; resolved object com.sun.jndi.ldap.LdapCtx@7e7514b4 occurred during processing.
com.ibm.wsspi.security.wim.exception.WIMSystemException: CWIML4520E: The LDAP operation could not be completed. The LDAP naming exception javax.naming.AuthenticationException: [LDAP: error code 49 - Invalid Credentials]; resolved object com.sun.jndi.ldap.LdapCtx@7e7514b4 occurred during processing.
com.ibm.ws.security.authentication.jaas.modules.UsernameAndPasswordLoginModule.login(UsernameAndPasswordLoginModule.java:76)
Caused by: com.ibm.wsspi.security.wim.exception.WIMSystemException: CWIML4520E: The LDAP operation could not be completed. The LDAP naming exception javax.naming.AuthenticationException: [LDAP: error code 49 - Invalid Credentials]; resolved object com.sun.jndi.ldap.LdapCtx@7e7514b4 occurred during processing.
Caused by: javax.naming.AuthenticationException: [LDAP: error code 49 - Invalid Credentials]
[5/27/22 17:03:30:330 EEST] 00000022 y.authentication.jaas.modules.UsernameAndPasswordLoginModule A CWWKS1100A: Authentication did not succeed for user ID admin. An invalid user ID or password was specified.
Hi @jonquark ,
today I had an idea to overcome the IP problem in Kubernetes when using the cluster functionality, because of floating IPs within pods. What about adding a property to server.conf which says DISABLE_LOCAL_CLUSTER_IP_CHECK=true/false?
If false, all things stay as they are.
If true, Amlen only checks if it can reach itself via the IP. The only thing you have to have is a Service like this for each instance of the StatefulSet, which can be added by the operator I am currently developing.
kind: Service
apiVersion: v1
metadata:
  name: psb-amlennew-0
  namespace: speed-platform-qa
  labels:
    app: psb
    deployment: psb-amlennew
    psb-commit: 7109e7a
    psb-config-commit: 2c55186
    release: feature-823-rework-deployments
    service: psb-amlennew-0
    statefulset: psb-amlennew
    template: amlen
spec:
  externalTrafficPolicy: Cluster
  loadBalancerIP: 168.10.0.21
  ports:
    - name: control-port
      protocol: TCP
      port: 9099
      targetPort: 9099
    - name: messaging-port
      protocol: TCP
      port: 9084
      targetPort: 9084
  type: LoadBalancer
Cheers Jochen
If the data directory is on CephFS then things using Unix Domain Sockets (primarily MQConnectivity) fail as sockets are not supported by that file system.
We should use an ephemeral directory as per:
https://0pointer.net/blog/projects/tmp.html
for them.
Under this issue, I'll write code that figures out what ephemeral directory to use and alter the code that should use it (e.g. for UDS sockets) to use it.
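As an added illustration of the approach the issue describes (this is example code, not part of the Amlen code base), the block below picks an ephemeral runtime directory for Unix domain sockets and probes at startup whether a directory's filesystem can actually hold a socket, so a data directory on CephFS is detected before a component like MQConnectivity fails later. The function names, the candidate-directory order ($XDG_RUNTIME_DIR, then /run, then /tmp, following the tmp.html guidance linked above) and the /var/lib/amlen-server fallback path are assumptions.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <unistd.h>

/* Probe whether a directory's filesystem can hold a Unix domain socket by
 * binding a throw-away socket there. Returns 1 if bind() succeeds, 0 otherwise
 * (errno is left as set by the failing call, e.g. EOPNOTSUPP or ENOENT). */
int dir_supports_unix_sockets(const char *dir)
{
    struct sockaddr_un addr;
    char path[sizeof addr.sun_path];
    int n = snprintf(path, sizeof path, "%s/.uds-probe-%ld", dir, (long)getpid());
    if (n < 0 || (size_t)n >= sizeof path) {
        errno = ENAMETOOLONG;   /* sun_path is only ~108 bytes on Linux */
        return 0;
    }

    int fd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (fd < 0)
        return 0;

    memset(&addr, 0, sizeof addr);
    addr.sun_family = AF_UNIX;
    memcpy(addr.sun_path, path, (size_t)n + 1);

    unlink(path);               /* remove a stale probe from a previous run */
    int ok = (bind(fd, (struct sockaddr *)&addr, sizeof addr) == 0);
    int saved = errno;
    unlink(path);               /* never leave the probe socket behind */
    close(fd);
    errno = saved;
    return ok;
}

/* Candidate runtime directories in preference order (assumption, following
 * the tmp.html guidance): $XDG_RUNTIME_DIR, then /run, then /tmp. The
 * persistent data directory is deliberately not in this list. Returns 0 and
 * fills `out` with the first candidate that is writable and supports sockets. */
int choose_runtime_dir(char *out, size_t len)
{
    const char *candidates[3];
    candidates[0] = getenv("XDG_RUNTIME_DIR");  /* may be NULL or empty */
    candidates[1] = "/run";
    candidates[2] = "/tmp";

    for (int i = 0; i < 3; i++) {
        const char *c = candidates[i];
        if (c == NULL || c[0] == '\0')
            continue;
        /* need write + search permission to create a socket inode there */
        if (access(c, W_OK | X_OK) == 0 && dir_supports_unix_sockets(c)) {
            snprintf(out, len, "%s", c);
            return 0;
        }
    }
    return -1;
}

/* Decide where a component such as MQConnectivity should place its socket:
 * an ephemeral directory first; the data directory only as a last resort and
 * only if its filesystem actually supports sockets. Returns 0 on success. */
int pick_socket_dir(const char *data_dir, char *out, size_t len)
{
    if (choose_runtime_dir(out, len) == 0)
        return 0;
    if (data_dir != NULL && dir_supports_unix_sockets(data_dir)) {
        snprintf(out, len, "%s", data_dir);
        return 0;
    }
    return -1;
}

int main(void)
{
    char dir[256];
    /* /var/lib/amlen-server is the data directory seen in the mounts above */
    if (pick_socket_dir("/var/lib/amlen-server", dir, sizeof dir) == 0)
        printf("placing Unix domain sockets in %s\n", dir);
    else
        fprintf(stderr, "no directory supports Unix domain sockets: %s\n",
                strerror(errno));
    return 0;
}
```

Probing with a real bind() rather than inspecting the filesystem type keeps the check honest: it fails for any backing store that rejects socket inodes, not just the ones the code knows about, and it reports the concrete errno so the startup log says why a directory was skipped.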
Hey all,
did anyone manage to get a ready/compiled JMS client connected to Amlen and empty a JMS queue?
We are testing with jmstoolbox: https://github.com/jmstoolbox/jmstoolbox/releases/tag/v6.0.0.
This tool has a list of connectors to different JMS queue managers, but unfortunately no IMA/Amlen. Currently I am trying a connection with imaclientjms-2.0.jar based on their documentation. Will let you know how it goes.
I also have App Connect Enterprise connected to Amlen with the above JAR, but there is a need for a slim solution.
Could some part of the Amlen code base here be used to compile a minimal JMS client? Goal: connect, then empty a queue of choice.
This looks close to what I need: https://github.com/eclipse/amlen/blob/main/client_jms/samples/com/ibm/ima/samples/jms/JMSSampleAdmin.java
Thanks!
It was reported on the forums that some fields in the WebUI are not being translated correctly:
https://www.eclipse.org/forums/index.php?t=rview&goto=1858141#msg_1858141
screenshot:
Move the LDAP password into a secret, turn off the ldap port and only allow ldaps.
The config file assumes the password, so it will also need to get that from a secret.
We started a series of blog posts with how to set up Amlen (e.g. for LDAP and TLS certs) but there is much more to write e.g. about HA pairs, clustering and shared subscriptions.
There are a couple of issues in HA compatibility between Message Gateway and Amlen. They don't apply to data like messages and subscriptions but do apply to things like certificates and config changes:
We need to change Amlen so it knows how to map from the traditional Message Gateway paths, so that syncing config changes etc. from Message Gateway works correctly.
We'll also put out an update for Message Gateway so it understands Amlen paths and knows how to map them to traditional Message Gateway paths, so that syncing config changes etc. from Amlen works correctly.
Our build currently requires ant-contrib. This was fine a long time ago, but upstream is dead and it's no longer included in Fedora 36 (and you had to enable a special stream in CentOS 8).
We should figure out if we can remove our dependency on it, and if not then document downloading the jars as part of the build setup rather than assuming the OS has it.
I think with some work we should be able to remove the dependency; the main thing we use in our build XMLs that requires it is the task, but that can be replaced with the builtin condition task:
https://ant.apache.org/manual/Tasks/condition.html