
Decision Service default security is different when migrating ODM to Kubernetes

  • 1.  Decision Service default security is different when migrating ODM to Kubernetes

    Posted Tue May 03, 2022 02:03 PM

    The default configuration of the Decision Service web application on Liberty does not protect resources with basic authentication (unless you use OIDC, which has specific security configuration instructions).

    <application type="war" id="DecisionService" name="DecisionService"
        location="${server.config.dir}/apps/DecisionService.war">
    </application>
    

    When moving to Kubernetes, why is the official image cp.icr.io/cp/cp4a/odm/odm-decisionserverruntime:8.11.0.0-amd64 protecting Decision Service execution resources with basic authentication?

    <application type="war" context-root="${ODM_CONTEXT_ROOT}/DecisionService" autoStart="true" id="DecisionService" name="DecisionService" location="${server.config.dir}/apps/DecisionService.war">
       <application-bnd>
          <security-role name="resExecutors">
             <group name="resExecutors" />
          </security-role>
       </application-bnd>
    ...
    </application>
    

    I'm migrating several decision services from current ODM 8.10 on-premises install to ODM811 on OCP and the customer is complaining because now they have to modify every client application to add authentication headers. 

    Note that I'm using the ODM Helm Chart to configure ODM on OCP. Is there a way to un-protect decision service executions, removing the requirement for authentication, without modifying the official ODM 11 image as it is in the cp.icr.io repository?
    I searched the doc looking for a Helm Chart parameter to change this default configuration of the DecisionService web application, but I couldn't find any. There are some optional user access configurations in the doc, but none seem to be related to my purpose.

    Can you help please?

     





    ------------------------------
    Eduardo Izquierdo Lázaro
    Automation Architect
    DECIDE
    Madrid
    609893677
    ------------------------------


  • 2.  RE: Decision Service default security is different when migrating ODM to Kubernetes

    Posted Wed May 04, 2022 03:08 AM
    Hello,
    You can configure ODM to use basic auth if needed; there is an example on this page => Configuring user access without OpenID - IBM Documentation

    You cannot specify this inside the Helm chart values directly. You first need to create a secret containing the security.xml file you want and reference this secret when installing ODM on K8S. Everything is explained in the doc linked above.

    Hope this helps, 
    Anthony

    ------------------------------
    Anthony Damiano
    ------------------------------



  • 3.  RE: Decision Service default security is different when migrating ODM to Kubernetes

    Posted Wed May 04, 2022 03:27 AM
    Hi Anthony,

    This is not the point. I read the documentation and these settings allow you to configure groups for user access, but I need a setting to decide whether or not to protect execution resources in the DecisionService web application.
    My purpose is to replicate the default settings of an on-premises installation, that is, no authentication required to execute HTDS.
    So, instead of having:

    <application type="war" 
     context-root="${ODM_CONTEXT_ROOT}/DecisionService" autoStart="true" 
     id="DecisionService" name="DecisionService" 
     location="${server.config.dir}/apps/DecisionService.war"> 
        <application-bnd>
           <security-role name="resExecutors">
               <group name="resExecutors" />
           </security-role> 
         </application-bnd> 
      ... 
     </application>


    Having this:

    <application type="war" 
     context-root="${ODM_CONTEXT_ROOT}/DecisionService" autoStart="true" 
     id="DecisionService" name="DecisionService" 
     location="${server.config.dir}/apps/DecisionService.war"> 
      ... 
     </application>
    

    And I would like to do that without modifying the official ODM images. 

    BTW, just to explore the possibility: if the customer modifies the official image of decisionserverruntime to create the required configuration not allowed by the Helm chart, does it affect the warranty and product support in any way?



    ------------------------------
    Eduardo Izquierdo Lázaro
    Automation Architect
    DECIDE
    Madrid
    609893677
    ------------------------------
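
To check which of the two configurations compared in this thread a given Liberty server.xml carries, the role bindings can be listed per application. This is an added example, not part of the original posts or of IBM's code; the sample XML is constructed from the snippets above, and the `DecisionServiceNoBnd` and `OpenExample` entries and the function name are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the two <application> variants quoted in the thread (the
# elided "..." parts omitted) plus a hypothetical third entry, OpenExample.
SAMPLE_SERVER_XML = """
<server>
  <application type="war" id="DecisionService" name="DecisionService"
      location="${server.config.dir}/apps/DecisionService.war">
    <application-bnd>
      <security-role name="resExecutors">
        <group name="resExecutors" />
      </security-role>
    </application-bnd>
  </application>
  <application type="war" id="DecisionServiceNoBnd" name="DecisionServiceNoBnd"
      location="${server.config.dir}/apps/DecisionService.war">
  </application>
  <application type="war" id="OpenExample" name="OpenExample"
      location="${server.config.dir}/apps/OpenExample.war">
    <application-bnd>
      <security-role name="resExecutors">
        <special-subject type="EVERYONE" />
      </security-role>
    </application-bnd>
  </application>
</server>
"""

def audit_role_bindings(server_xml):
    """Return {application id: {"roles": {role: [subjects]}, "findings": [...]}}."""
    report = {}
    for app in ET.fromstring(server_xml).iter("application"):
        roles, findings = {}, []
        for role in app.findall("./application-bnd/security-role"):
            subjects = [f"{s.tag}:{s.get('name') or s.get('type')}" for s in role]
            roles[role.get("name")] = subjects
            if "special-subject:EVERYONE" in subjects:
                findings.append(f"role {role.get('name')} open to EVERYONE")
            if not subjects:
                findings.append(f"role {role.get('name')} bound to nobody")
        if not roles:
            # No binding here; the WAR's own web.xml still decides what is protected.
            findings.append("no application-bnd role bindings in server.xml")
        report[app.get("id")] = {"roles": roles, "findings": findings}
    return report

if __name__ == "__main__":
    for app_id, result in audit_role_bindings(SAMPLE_SERVER_XML).items():
        print(app_id, result["roles"], result["findings"] or "ok")
```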