eclipse / amlen

Message Broker for IoT/Mobile/Web. Mainly uses MQTT v3.x and v5. Aims to be easy to use, scalable and reliable

License: Eclipse Public License 2.0


Contributors: baoquocphan, cuddlyporcupine, ianboden, jonquark

amlen's Issues

Generate the first Amlen builds

Now the source code is open we need to get it set up to build on the Eclipse buildservers and get the code uploaded to the website.

Sync IBM code repo and get setup for development in the open

Whilst the initial code contribution was going through legal review more code changes have happened so we need to get those sync'd across and get the internal IBM repos to point to this repo as the source of truth so that development happens here in future.

Get Amlen docs live on the website

The source for the Amlen Docs went through legal review with the product code so now we need to get the build output from the docs hosted on the eclipse.org/amlen website

Updating the certificate for the WebUI doesn't work

If you use the webui to update the certificate for the WebUI you get told:

error
An error occurred uploading the certificate file. CWLNA5001
Access to /config/webui/libertyCertificate was denied for user admin.

WebUI Messaging Tab shows error without explanation

Summary:

Going to the messaging tab of a newly created Amlen instance shows an error with an incomplete error message.

Version:

0.1rc1

Details:

  • Created 2 redhat8 instances in AWS using the free tier instances so does not meet the required memory which may be a contributing factor.
  • Installed imaserver on one and added port 9089 into incoming rules
  • Installed imawebui on the other and added port 9087 into incoming rules
  • Logged into the webui and set it up
  • Through the webui go to the messaging tab and it displays an error.
  • Expanding the error and it shows:

error
An error occurred retrieving destination mapping rules. CWLNA0316
12:55:42 PM
The

So the error message is not all that useful

Global-Shared subscriptions in cluster mode

We have a clustered Amlen, v1.0.0.1-20220622

Case 1 (working as intended)

  • Consumer connects to node-0, subscribes to topic mask "testtopic/#"
  • Producer connects to node-1, sends message "Hello" to topic "testtopic/0"
  • Consumer receives the "Hello" message
    Actually consumer can connect to any node and still receive messages

Case 2 (not working as we expect)

  • Two consumers connect to node-0, subscribe to topic mask "$SharedSubscription/shared/shared/#"
  • Two consumers connect to node-1, subscribe to topic mask "$SharedSubscription/shared/shared/#"
  • Producer connects to node-1, sends multiple messages "Hello" to topic "shared/0"
  • Only consumers, connected to node-1, receive messages, distributed between those consumers
  • Producer connects to node-0, sends multiple messages "Hello" to topic "shared/0"
  • Only consumers, connected to node-0, receive messages, distributed between those consumers

We expect that case two would work in the same way as case 1, clients connected to any node and subscribe to a topic should receive messages from that topic that were published to any node.

Is this a bug or an intended scenario ?

Change default user that Amlen runs as.

It's possible to choose what user Amlen runs as, as described in the Dockerfiles:
https://github.com/eclipse/amlen/blob/main/server_build/docker_build/Dockerfile.imaserver

But by default if no user is specified - it runs as root. This is bad practice, under this issue we'll:

[ ] Change it to user amlen, group amlen by default (and create them if they don't exist)
[ ] Use files with amlen rather than messagesight in the filename for usernames (but fall back to messagesight ones if they exist and the amlen ones don't)
[ ] Document better the ways to set the user (including the amlen->messagesight fallback)

Missing attributes in OAuth Profile window ?

OS : CentOS/RHEL 7.9
AMLEN Version : 1.1dev
AMLEN Build : 20231130-1152

Hello the Amlen team,

On the WebUI, in Server -> Security Settings -> OAuth Profile, when we want to create or edit an OAuth profile, it seems that it is missing 2 attributes in the WebUI.
Here is the screen of the WebUI:
[image]

The only way to complete the OAuth profile configuration is to use the Rest API on this endpoint : ima/v1/configuration with a POST method on OAuthProfile.

Here are the two missing attributes in the WebUI:
UserName
UserPassword

[image]

On my side, these attributes are used to perform an OAuth2 Introspection (between AMLEN and the OAuth federation) when an MQTT client opens a new connection on the Amlen Broker.

Is there a way to update the WebUI to add these parameters?
Cheers

Persistent Volume Claim StorageClass

The current operator doesn't support persistent volume claim storage classes. This works fine for codeready containers, which have very basic persistent volumes, but when running it on something a bit more realistic like AWS or Azure then specifying the persistent volume claim storage class is necessary. This should be a relatively simple change to make by adding the storageClass into the volumeClaimTemplate:

volumeClaimTemplates:
- metadata:
    name: data
  spec:
    accessModes: ["ReadWriteOnce"]
    resources:
      requests:
        storage: "{{_amlen_volume_size}}"

Then it will need to be added into the defaults file:
https://github.com/eclipse/amlen/blob/6900d64e8a425013f80e9246c0088549338c5d48/operator/roles/amlen/defaults/main.yml

Testing this is going to require access to a system with storage classes, so using codeready containers won't be suitable. There are free trials and developer accounts available on different cloud providers that may be useful.

Add a status column to the amlen crd definition

Work out how to show the status of amlen as currently it's not obvious if it's stalled for some reason eg if you set deploy_ldap to True but don't provide a config then it will stall waiting for the config with no obvious problem as all the pods will be marked as ready

Basic Auth Support

Hello Amlen team,

I am interested in using the Amlen broker as an mqtt broker with basic auth (Username + Password) access. I have read that the broker supports LDAP, OAUTH and LTPA but as far as I understand there is no simple basic auth solution? Currently, I would not want to operate another Auth-Server if possible. If not, is it possible to add this as an extension/plugin? The protocol plugin does not seem to be a generic extension mechanism, is it?

Java 17 breaks the WebUI

We can't log into the WebUI if Java 17 is used to run the liberty.

We need to warn people rather than start when we know it doesn't work
(and investigate whether we can make it work)

Deploy WebUI as part of the operator

Having an option to deploy the WebUI as part of the operator would be really useful for getting people using Amlen. There are several parts to this:

  • Add to the schema for an option to deploy the webui (1 per amlen CRD so multiple clusters would be accessed via a single WebUI) see
  • Create a webui image in quay.io add to the jenkinsFile to build
  • deploy the webui as part of the operator
  • configure the webui to access the clusters (probably want an ansible module for this similar to the configure module)

Depending on the person picking this up and their skills, this could be a single issue or could be split down into separate issues if someone wants a smaller piece to work on.

jenkins job doesn't fail if build step fails

There is something wrong in the jenkins job which means that builds that fail (i.e. the build step in the job fails) do not necessarily cause the job to fail. As long as the files needed in the deploy step have been created then the deploy step will pass and the job will be counted as a success. This is a particular problem when it comes to unit tests as those run after everything needed for deploying has run, so unit test failures do not cause the job to fail (or even make it obvious they have failed).

Hopefully something small has been missed in the build step of the jenkinsFile:

amlen/Jenkinsfile

Lines 58 to 76 in 6900d64

stage('Build') {
    steps {
        echo "In Build, BUILD_LABEL is ${env.BUILD_LABEL}"
        container('amlen-centos7-build') {
            sh '''
                pwd
                free -m
                cd server_build
                bash buildcontainer/build.sh
                cd ../operator
                NOORIGIN_BRANCH=${GIT_BRANCH#origin/} # turns origin/master into master
                export IMG=quay.io/amlen/operator:$NOORIGIN_BRANCH
                make bundle
                make produce-deployment
            '''
        }
    }
}

Making a unit test fail is fairly easy, however you need to know which ones run standardly in a build so here is a new test that does run:

void testAdminPasswdHash(void)
{
    for (int k = 0; k < 10; k++) {
        /* Fresh 8-byte random salt for each iteration */
        uint64_t rval;
        uint8_t * randbuf = (uint8_t *)&rval;
        RAND_bytes(randbuf, 8);
        char * password = "password";
        char * hash = malloc(128 + 1);
        ism_security_1wayHashAdminUserPassword(password, (char *)&rval, hash);
        /* Stored form: "_1:" + salt as 20 decimal digits + ":" + hash */
        char * encoding = malloc(128 + 20 + 5);
        sprintf(encoding, "_1:%020lu:%s", rval, hash);
        CU_ASSERT(ism_config_confirmAdminUserPassword2("password", encoding));
        CU_ASSERT(!ism_config_confirmAdminUserPassword2("password2", encoding));
        /* Release the per-iteration buffers so the loop does not leak */
        free(encoding);
        free(hash);
    }
}

WebUI installation requires OpenLDAP - breaks with workaround on RHEL 8, breaks completely on RHEL 9

I've been a long time user of the Watson IoT Platform and am investigating options now that IBM has deprecated it.

I've been able to install the Amlen server but am hitting an issue with the Web UI requiring LDAP, and it appears that it requires package openldap-servers.

RHEL deprecated OpenLDAP in version 7, and has now completely removed any access to it in RHEL 9 unless you set up the CodeReady repo in RHEL 8 and upgrade.

What is the dependency on the OpenLDAP server package? Isn't the Web UI just an LDAP client?

Amlen fail to maintenance after switch and restart

Hi,

I have amlen installed within kubernetes in active/passive. It works fine except in one cluster. I think it has something to do with the nfs volumes.

  1. The psb-messagesight-0 goes to Maintenance after Restart of Pods. psb-messagesight-1 waits for sync.
  2. I clean the store psb-messagesight-0. Now psb-messagesight-0 active.
  3. I delete pod psb-messagesight-0. psb-messagesight-0 and psb-messagesight-1 goes to maintenance.
  4. I clean the store psb-messagesight-0 and psb-messagesight-1. Now psb-messagesight-0 is active.

Can anyone help and point out what is the problem with the storage,

x.x.109.18:/psb_FS/psb-qa-psb-imaserver-data-psb-messagesight-0-pvc-7f22f362-4c70-4952-9186-04274e51188a on /var/lib/amlen-server type nfs4 (rw,relatime,vers=4.1,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys,clientaddr=x.x.184.20,local_lock=none,addr=x.x.109.18)
x.x.109.18:/psb_FS/psb-qa-psb-imaserver-log-psb-messagesight-0-pvc-ee319c4d-2a82-41ec-abf0-43d29834b853 on /var/lib/amlen-server/diag type nfs4 (rw,relatime,vers=4.1,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys,clientaddr=x.x.184.20,local_lock=none,addr=x.x.109.18)
x.x.109.18:/psb_FS/psb-qa-psb-imaserver-data-psb-messagesight-1-pvc-34925f78-0a0c-45d2-b66f-531b036712a8 on /var/lib/amlen-server type nfs4 (rw,relatime,vers=4.1,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys,clientaddr=x.x.184.21,local_lock=none,addr=x.x.109.18)
x.x.109.18:/psb_FS/psb-qa-psb-imaserver-log-psb-messagesight-1-pvc-79e99cfb-443d-45b1-81a4-4e7f1f1dd87d on /var/lib/amlen-server/diag type nfs4 (rw,relatime,vers=4.1,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys,clientaddr=x.x.184.21,local_lock=none,addr=x.x.109.18)

WebUI admin login after new installation

Background: This only happens on RHEL 8, Alma 8, CentOS 8 that use
openldap-2.4.59-1.el8.x86_64
openldap-servers-2.4.59-1.el8.x86_64
openldap-clients-2.4.46-18.el8.x86_64

WebUI login fails with missing bindPassword="" parameter.

Failure in logs is:

[5/27/22 17:11:23:929 EEST] 00000011 LogService-148-com.ibm.ws.security.wim.adapter.ldap E CWWKE0701E: bundle com.ibm.ws.security.wim.adapter.ldap:1.0.57.cl211020210920-1900 (148)[com.ibm.ws.security.wim.adapter.ldap.LdapAdapter(352)] : The activated method has thrown an exception com.ibm.wsspi.security.wim.exception.MissingInitPropertyException: CWIML0004E: An error occurred during the user registry initialization. The initialization property bindPassword is missing from the server.xml file. Specify an initialization property in the server.xml file.

Looking in /var/lib/amlen-webui/wlp/usr/servers/ISMWebUI/ldap.xml bindPassword has an empty value:

<server description="${IMA_PRODUCTNAME_FULL} Web UI">
    <ldapRegistry id="ldap" host="127.0.0.1" port="9389" ignoreCase="true"
         reuseConnection="false"
         baseDN="ou=webui,dc=ism.ibm,dc=com" 
         bindDN="cn=Directory Manager,dc=ism.ibm,dc=com"
         bindPassword=""
                 userFilter="(&amp;(uid=%v)(objectclass=inetOrgPerson))" 
                 groupFilter="(&amp;(cn=%v)(objectclass=groupOfNames))"
         userIdMap="inetOrgPerson:uid"
         groupIdMap="*:cn"
                 ldapType="Custom">
        </ldapRegistry>
</server>

in /usr/share/amlen-webui/wlp/usr.org/servers/ISMWebUI/ldap.xml it is:

<server description="${IMA_PRODUCTNAME_FULL} Web UI">
    <ldapRegistry id="ldap" host="127.0.0.1" port="9389" ignoreCase="true"
         reuseConnection="false"
         baseDN="ou=webui,dc=ism.ibm,dc=com" 
         bindDN="cn=Directory Manager,dc=ism.ibm,dc=com"
         bindPassword="secret"
                 userFilter="(&amp;(uid=%v)(objectclass=inetOrgPerson))" 
                 groupFilter="(&amp;(cn=%v)(objectclass=groupOfNames))"
         userIdMap="inetOrgPerson:uid"
         groupIdMap="*:cn"
                 ldapType="Custom">
        </ldapRegistry>
</server>

If the empty value is filled up with secret, the 1) error goes away but once you try and login with admin/admin invalid credentials pop up.

[5/27/22 17:03:27:489 EEST] 00000022 com.ibm.ws.security.wim.registry.util.LoginBridge            E com.ibm.wsspi.security.wim.exception.WIMSystemException: CWIML4520E: The LDAP operation could not be completed. The LDAP naming exception javax.naming.AuthenticationException: [LDAP: error code 49 - Invalid Credentials]; resolved object com.sun.jndi.ldap.LdapCtx@7e7514b4 occurred during processing. 
com.ibm.wsspi.security.wim.exception.WIMSystemException: CWIML4520E: The LDAP operation could not be completed. The LDAP naming exception javax.naming.AuthenticationException: [LDAP: error code 49 - Invalid Credentials]; resolved object com.sun.jndi.ldap.LdapCtx@7e7514b4 occurred during processing.
com.ibm.ws.security.authentication.jaas.modules.UsernameAndPasswordLoginModule.login(UsernameAndPasswordLoginModule.java:76)
Caused by: com.ibm.wsspi.security.wim.exception.WIMSystemException: CWIML4520E: The LDAP operation could not be completed. The LDAP naming exception javax.naming.AuthenticationException: [LDAP: error code 49 - Invalid Credentials]; resolved object com.sun.jndi.ldap.LdapCtx@7e7514b4 occurred during processing.	
Caused by: javax.naming.AuthenticationException: [LDAP: error code 49 - Invalid Credentials]
	[5/27/22 17:03:30:330 EEST] 00000022 y.authentication.jaas.modules.UsernameAndPasswordLoginModule A CWWKS1100A: Authentication did not succeed for user ID admin. An invalid user ID or password was specified.

Idea to overcome cluster problem with ip's in kubernetes

Hi @jonquark ,

Today I had an idea to overcome the ip problem in kubernetes using the cluster functionality because of floating ip's within pods. What about adding a property to server.conf which says DISABLE_LOCAL_CLUSTER_IP_CHECK=true/false?

If false, everything stays as it is.

If yes, amlen only checks if it can reach itself via the ip. The only thing you have to have is a service like this for any instance of the stateful set, which can be added by the operator I am currently developing.

kind: Service
apiVersion: v1
metadata:
  name: psb-amlennew-0
  namespace: speed-platform-qa
  labels:
    app: psb
    deployment: psb-amlennew
    psb-commit: 7109e7a
    psb-config-commit: 2c55186
    release: feature-823-rework-deployments
    service: psb-amlennew-0
    statefulset: psb-amlennew
    template: amlen
spec:
  externalTrafficPolicy: Cluster
  loadBalancerIP: 168.10.0.21
  ports:
    - name: control-port
      protocol: TCP
      port: 9099
      targetPort: 9099
    - name: messaging-port
      protocol: TCP
      port: 9084
      targetPort: 9084
  type: LoadBalancer

Cheers Jochen

MQConnectivity broken if CephFS is used

If the data directory is on CephFS then things using Unix Domain Sockets (primarily MQConnectivity) fail as sockets are not supported by that file system.

We should use an ephemeral directory as per:
https://0pointer.net/blog/projects/tmp.html
for them.

Under this issue, I'll write code that figures out what ephemeral directory to use and alter code that should use it (e.g. for UDS sockets) to use it
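
One way to do what this issue describes, as an added example (not Amlen's code and not written by the issue author): try candidate ephemeral locations and keep the first one where a Unix domain socket can actually be bound, creating a private directory with mkdtemp() so a shared location such as /tmp is still safe to use. The candidate order, the amlen-example- prefix and the function names are assumptions of this example.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE   /* for mkdtemp() under strict -std= modes */
#endif
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <unistd.h>

/* Return 1 if a Unix domain socket can be bound inside dir, else 0. */
static int dir_supports_uds(const char *dir)
{
    struct sockaddr_un addr;
    memset(&addr, 0, sizeof(addr));
    addr.sun_family = AF_UNIX;
    int n = snprintf(addr.sun_path, sizeof(addr.sun_path), "%s/probe.sock", dir);
    if (n < 0 || (size_t)n >= sizeof(addr.sun_path))
        return 0;                   /* path too long for sun_path */
    int fd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (fd < 0)
        return 0;
    int ok = bind(fd, (struct sockaddr *)&addr, sizeof(addr)) == 0;
    close(fd);
    if (ok)
        unlink(addr.sun_path);      /* remove the probe socket file */
    return ok;
}

/* Create a private directory for sockets and store its path in out.
 * Candidate bases ($XDG_RUNTIME_DIR, /run, /tmp) are an assumption of this
 * example. Returns 0 on success, -1 if no candidate works. */
int pick_socket_dir(char *out, size_t outlen)
{
    const char *bases[] = { getenv("XDG_RUNTIME_DIR"), "/run", "/tmp" };
    for (size_t i = 0; i < sizeof(bases) / sizeof(bases[0]); i++) {
        if (bases[i] == NULL || bases[i][0] != '/')
            continue;
        int n = snprintf(out, outlen, "%s/amlen-example-XXXXXX", bases[i]);
        if (n < 0 || (size_t)n >= outlen)
            continue;
        if (mkdtemp(out) == NULL)   /* unique name, mode 0700 */
            continue;
        if (dir_supports_uds(out))
            return 0;
        rmdir(out);                 /* directory works, sockets do not */
    }
    if (outlen > 0)
        out[0] = '\0';
    return -1;
}

int main(void)
{
    char dir[PATH_MAX];
    if (pick_socket_dir(dir, sizeof(dir)) != 0) {
        fprintf(stderr, "no directory supports Unix domain sockets\n");
        return 1;
    }
    printf("socket directory: %s\n", dir);
    rmdir(dir);
    return 0;
}
```

Probing with a real bind() rather than checking the file system type catches any mount that rejects sockets, and the sun_path length check rejects a base directory whose path is too long for a socket address.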

JMS Client to connect to Amlen and empty a queue

Hey all,

did anyone manage to get a ready/compiled JMS client connected to Amlen and empty a JMS queue?

We are testing with jmstoolbox: https://github.com/jmstoolbox/jmstoolbox/releases/tag/v6.0.0.
This tool has a list of connectors to different JMS Queue managers, but unfortunately no IMA/Amlen. Currently I am trying a connection with imaclientjms-2.0.jar based on their documentation. Will let you know how it goes.

I also have App Connect Enterprise connected to Amlen with the above JAR, but there is a need for a slim solution.

Could some part of the Amlen code base here be used to compile a minimal JMS? Goal: connect, empty a queue of choice.
This looks close to what I need: https://github.com/eclipse/amlen/blob/main/client_jms/samples/com/ibm/ima/samples/jms/JMSSampleAdmin.java

Thanks!

LDAP passwords and TLS

move LDAP password into a secret and turn off ldap port and only allow ldaps
config file assumes the password so will also need to get that from a secret

Finish the 'Guide to Amlen' blog series

We started a series of blog posts with how to set up Amlen (e.g. for LDAP and TLS certs) but there is much more to write e.g. about HA pairs, clustering and shared subscriptions.

HA updates for compatibility with Message Gateway

There are a couple of issues in HA compatibility between Message Gateway and Amlen. They don't apply to data like messages and subscriptions but do apply to things like certificates and config changes:

  1. traditionally files like certs were sync'd by absolute path name
  2. the location of the data directory has moved.

We need to change Amlen so it knows how to map from the to traditional Message Gateway paths so syncing config changes etc from Message Gateway works correctly.

We'll also put out an update for Message Gateway so it understands Amlen paths and knows how to map the to traditional Message Gateway paths so syncing config changes etc from Amlen works correctly.

Investigate ant-contrib removal

Our build currently requires ant-contrib, This was fine a long time ago but upstream is dead and it's no longer included in Fedora 36 (and you had to enable a special stream in CentOS8).

We should figure out if we can remove our dependency on it and if not then document download the jars as part of the build setup rather than assuming the OS has it.

I think with some work we should be able to remove the dependency, the main thing we use in our build xmls that require it is the task but that can be replaced with the builtin condition task:
https://ant.apache.org/manual/Tasks/condition.html
