  1. Cloud Enablement
  2. CLOUD-1949

[JDG71] Protobuf indexing is not working due to security changes

    Details

    • Type: Bug
    • Status: Open
    • Priority: Critical
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: JDG7
    • Labels:
    • Target Release:
    • Workaround:
      Workaround Exists
    • Workaround Description:
      This problem can be addressed by adding the ___schema_manager role to the users requiring access to protobuf caches.

      1. For remote clients, you must specify USERNAME and PASSWORD environment variables and that user must be used when accessing the caches remotely.
      2. Ensure the ___schema_manager role is set for the user (by default, only the admin and REST roles are set for the user). This can be accomplished by setting the ADMIN_GROUP environment variable on the DeploymentConfig, e.g.:

        $ oc env dc/datagrid-app ADMIN_GROUP=REST,admin,___schema_manager
        

    • Sprint:
      CLOUD Maintenance Sprint 26

      Description

      If a user is using protobuf indexing, it needs to write data into the metadata protobuf cache. Due to security changes, it is not possible to access the cache without authentication. Two changes are necessary:

      • The client needs to be logged in
      • The client must be in role ___protobuf_metadata

      We need to document this restriction, and a question is: should the given role be provided OOTB, as is the case for the REST role? This would mitigate migration work in some cases.

      Product documentation seems to be incomplete in this regard.

      More details
      http://infinispan.org/docs/9.0.x/user_guide/user_guide.html#indexing_of_protobuf_encoded_entries
      https://blog.kenthua.com/2016/08/03/jdg-7-remote-query-register-proto-schema-marshallers.html
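
A check for the two workaround conditions listed in this issue, as an added example that is not part of the original report or of the product: it reads a container's environment as plain KEY=VALUE lines (for instance the output of `oc set env dc/datagrid-app --list`) and reports whether USERNAME and PASSWORD are set and whether ADMIN_GROUP contains the role. The function name and the sample values are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit a DeploymentConfig's environment against the
# workaround in this issue. Input is KEY=VALUE lines on stdin.

REQUIRED_ROLE='___schema_manager'   # role named in the workaround on this page

# check_datagrid_env (hypothetical helper): prints findings and returns 0
# only when credentials are set and ADMIN_GROUP carries the required role.
check_datagrid_env() {
    username='' password='' admin_group='' rc=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            USERNAME=*)    username=${line#USERNAME=} ;;
            PASSWORD=*)    password=${line#PASSWORD=} ;;
            ADMIN_GROUP=*) admin_group=${line#ADMIN_GROUP=} ;;
        esac
    done
    [ -n "$username" ] || { echo "MISSING: USERNAME is not set"; rc=1; }
    [ -n "$password" ] || { echo "MISSING: PASSWORD is not set"; rc=1; }
    # Match the role as a whole comma-separated element, not as a substring.
    case ",$admin_group," in
        *",$REQUIRED_ROLE,"*) ;;
        *) echo "MISSING: ADMIN_GROUP='$admin_group' lacks $REQUIRED_ROLE"; rc=1 ;;
    esac
    [ "$rc" -eq 0 ] && echo "OK: credentials set, $REQUIRED_ROLE granted"
    return "$rc"
}

# Constructed sample: only the default roles (REST and admin) are present.
SAMPLE_DEFAULT='USERNAME=appuser
PASSWORD=constructed-placeholder
ADMIN_GROUP=REST,admin'

# Constructed sample: the same environment after applying the workaround.
SAMPLE_FIXED='USERNAME=appuser
PASSWORD=constructed-placeholder
ADMIN_GROUP=REST,admin,___schema_manager'

printf '%s\n' "$SAMPLE_DEFAULT" | check_datagrid_env || echo "-> apply the workaround"
printf '%s\n' "$SAMPLE_FIXED" | check_datagrid_env || echo "-> apply the workaround"
```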

              People

              • Assignee:
                vblagojevic Vladimir Blagojevic
                Reporter:
                jpechanec Jiri Pechanec
                Tester:
                Pavel Drobek
              • Votes:
                0
                Watchers:
                7
