With Bug #50732 the openapi.json is now potentially restricted to authenticated users. In Bug #51066 the update_openapi_script was extended to accept credentials to access the UDM REST API. We need to adapt Kelvin to use credentials when updating the openapi client. The following steps are necessary: * Create new group for (App) machine accounts to access the UDM REST API --> Done in AppCenter inst script * Create group (I chose the name "UDM API enabled Machines". Please advise for a better name if there are ideas) * Create UCRV (directory/manager/rest/authorized-groups/udm-api-enabled-machines) * Add Apps machine account to said group * Use credentials in configure script * Use credentials in listener * Update Requirement to udm-rest-client>=0.4.0 * Kelvin App Release
Changes implemented in oschwieg/kelvin/51072
Branch merged and currently being build as a new Kelvin version in the TestAppCenter. Please QA as soon as the build is finished. To be tested: New installation of Kelvin on a current UCS works without any manual changes New installation of Kelvin on a current UCS works if directory/manager/rest/require-auth=no
The Docker container could not be build anymore and the update failed to run the join script and rebuild the OpenAPI client lib. [feature/kelvin] e024ac401 Bug #51072: improve build (version info) [feature/kelvin] ee45cf761 Bug #51072: improve build (container build) [feature/kelvin] 0c6dabf2c Bug #51072: fix openapi build calls and deps [feature/kelvin] 390478616 Bug #51072: cleanup [feature/kelvin] 6fe722f3f Bug #51072: build OpenAPI client library in join script, as authentication group will not be available earlier The Docker container for the app has been built and pushed to the Univention test Docker registry, the appcenter scripts have been uploaded to the app provider portal.
QA -> all ok [feature/kelvin] bff5bc9c1 Bug #51072: cannot build OpenAPI client library at sinatll time, will fail the 1st time upgrading [feature/kelvin] ae31d96d6 Bug #51072: Provide credentials in configure and listener as well as modify required version of udm-rest-api [feature/kelvin] 3dbdbbace Bug #51072: Create authorized group for UDM REST API [feature/kelvin] e024ac401 Bug #51072: improve build (version info) [feature/kelvin] ee45cf761 Bug #51072: improve build (container build) [feature/kelvin] 0c6dabf2c Bug #51072: fix openapi build calls and deps [feature/kelvin] 390478616 Bug #51072: cleanup [feature/kelvin] 6fe722f3f Bug #51072: build OpenAPI client library in join script, as authentication group will not be available earlier New installation of Kelvin on a current UCS works without any manual changes @ok New installation of Kelvin on a current UCS works if directory/manager/rest/require-auth=no @ok upgrade of Kelvin working @ok kelvin-rest-api machine in group UDM-API-enabled-machines @ok Functionality tested with the following code @ok ucr set directory/manager/rest/require-auth=yes univention-app shell ucsschool-kelvin-rest-api MACHINE_USER="$HOSTNAME\$" MACHINE_PASSWORD=$(cat /etc/machine.secret) echo "Building OpenAPI client library using host ${DOCKER_HOST_NAME}..." . /kelvin/venv/bin/activate update_openapi_client \ --generator java \ --jar /kelvin/openapi-generator/jar/openapi-generator-cli-*.jar \ --insecure \ --username "$MACHINE_USER" \ --password "$MACHINE_PASSWORD" \ "$DOCKER_HOST_NAME"
Released with App Update - UCS@school Kelvin REST API 1.1.0