
Caching User Attributes

Note: As of 2023 Summer, client and BPM components of yuuvis® Momentum do NOT yet support caching user attributes.

The AUTHENTICATION service can be configured to exclude the authorization and abac sections from the JWT. Instead, the full set of user attributes including authorization and abac sections is stored for 5 minutes in a userAttributes Redis cache for each logged-in user.

All services within the yuuvis® Momentum cluster that need the authorization and abac information retrieve them from the userAttributes Redis cache.

Within the cluster, the userAttributes cache is available via Redis CLI:

  • The command

        redis-cli keys 'userAttributes*'

    retrieves a list of all user attributes-related keys for all tenants. Each key contains the tenant and the user ID of a logged-in user. If only one user is currently logged in, the response could be, e.g.,

        redis-cli keys 'userAttributes*'
        1) "userAttributes::yuuvistest,3cfaf962-b254-45c8-b0e9-82f79f2c26ee"

    • userAttributes is the cache name. It is the same for all keys.
    • yuuvistest is the example tenant name.
    • 3cfaf962-b254-45c8-b0e9-82f79f2c26ee is the example user ID.
  • For each key, the stored value contains the full set of user attributes for the corresponding user. For the example user, it can be retrieved via

        redis-cli get userAttributes::yuuvistest,d90b12d5-1288-4a73-92fc-d9b6872df812

    The response is a string containing the encoded JSON object, e.g.,

        "\"{\\\"username\\\":\\\"root\\\",\\\"id\\\":\\\"d90b12d5-1288-4a73-92fc-d9b6872df812\\\",\\\"title\\\":\\\"First User\\\",\\\"email\\\":\\\"testroot@yuuvis\\\",\\\"firstname\\\":\\\"First\\\",\\\"lastname\\\":\\\"User\\\",\\\"domain\\\":\\\"dd\\\",\\\"tenant\\\":\\\"yuuvistest\\\",\\\"authorities\\\":[\\\"YUUVIS_DEFAULT\\\",\\\"YUUVIS_SYSTEM_INTEGRATOR\\\",\\\"YUUVIS_TENANT_ADMIN\\\"],\\\"accountNonExpired\\\":true,\\\"accountNonLocked\\\":true,\\\"credentialsNonExpired\\\":true,\\\"enabled\\\":true}\""


Furthermore, the AUTHENTICATION service provides the internal endpoint GET /session/updateUserAttributeCache/{tenant}/{userId}. Services within the cluster can call it to retrieve the user information and refresh the cache entry in case it is missing for a logged-in user (e.g., because the maximum item storage time of 5 minutes was exceeded).
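As an added example (not part of the yuuvis® Momentum documentation or code), the following Python builds the cache key in the layout shown above, decodes a cached value of the double-encoded form returned by redis-cli, and derives an authority check from it that fails closed on a cache miss. The in-memory dictionary standing in for Redis, the sample entry and the shortened redis-cli output are constructed for illustration; in a real service the lookup would be a Redis GET and a miss would be followed by the refresh endpoint described above.

```python
import json

CACHE_NAME = "userAttributes"
SAMPLE_TENANT = "yuuvistest"
SAMPLE_USER_ID = "d90b12d5-1288-4a73-92fc-d9b6872df812"

# Constructed stand-in for the Redis cache. The stored value is a JSON string
# literal whose content is the serialized user-attributes object, hence the
# double json.dumps.
FAKE_REDIS = {
    f"{CACHE_NAME}::{SAMPLE_TENANT},{SAMPLE_USER_ID}": json.dumps(json.dumps({
        "username": "root", "id": SAMPLE_USER_ID, "tenant": SAMPLE_TENANT,
        "authorities": ["YUUVIS_DEFAULT", "YUUVIS_SYSTEM_INTEGRATOR",
                        "YUUVIS_TENANT_ADMIN"],
        "accountNonExpired": True, "accountNonLocked": True,
        "credentialsNonExpired": True, "enabled": True,
    })),
}
# Constructed, shortened copy of what redis-cli prints for such a value: one
# further escaping layer on top of the stored string.
REDIS_CLI_OUTPUT = (r'"\"{\\\"username\\\":\\\"root\\\",\\\"authorities\\\":'
                    r'[\\\"YUUVIS_DEFAULT\\\"],\\\"enabled\\\":true}\""')

def cache_key(tenant: str, user_id: str) -> str:
    """Key layout from the documentation: <cache name>::<tenant>,<user id>."""
    return f"{CACHE_NAME}::{tenant},{user_id}"

def decode_user_attributes(raw: str) -> dict:
    """Peel off up to three string-encoding layers until the object appears."""
    value = raw
    for _ in range(3):
        value = json.loads(value)
        if isinstance(value, dict):
            return value
        if not isinstance(value, str):
            break
    raise ValueError("unexpected user attributes layout")

def lookup(tenant: str, user_id: str, store=FAKE_REDIS):
    """Attributes for the user, or None on a cache miss (entry expired after
    5 minutes or never written). The caller should then have AUTHENTICATION
    refresh it via GET /session/updateUserAttributeCache/{tenant}/{userId}."""
    raw = store.get(cache_key(tenant, user_id))
    return decode_user_attributes(raw) if raw is not None else None

def has_authority(tenant: str, user_id: str, authority: str) -> bool:
    """Fail closed: a missing or disabled user is granted nothing."""
    attrs = lookup(tenant, user_id)
    return bool(attrs) and bool(attrs.get("enabled")) \
        and authority in attrs.get("authorities", [])
```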

To activate the userAttributes cache, the following points have to be considered:

  • The authorization.cacheUserAttributes parameter has to be set to true in the authentication-prod.yml configuration file.
  • All services that need authorization and abac information require the redis profile. This applies to the following core services:
    • API gateway
    • AUDIT service
    • AUTHENTICATION service
    • INDEX service
    • REGISTRY service
    • REPOSITORY service
    • SEARCH service
    • SYSTEM service
  • Custom services that might run within the yuuvis® Momentum cluster can retrieve authorization and abac information from Redis or via the endpoint GET /session/updateUserAttributeCache/{tenant}/{userId} if necessary.

Validation of internal JWTs

...

    server.servlet.session.cookie.same-site: 'None'
    server.servlet.session.cookie.secure: true

Refresh the CONFIGSERVICE.

Restart the AUTHENTICATION service.

Configuration

The yuuvis® Momentum configuration files for operation in the Kubernetes cluster are stored on the Git server configured in the system. In order to change the configuration of a service, you need access to that Git repository.

Parameters in Profiles

The following parameters are referenced from the corresponding profiles. Click a profile in order to display descriptions and default values of the corresponding parameters.

Profile                   Parameter
application-oauth2.yml    keycloak.host
                          authentication.oauth2.tenants
authentication-prod.yml   routing.defaultEntryPoint
                          management.endpoints
                          management.endpoint
                          routing.endpoints
                          authorization.accesses
                          spring.session.store-type (as of 2022 Spring)
                          management.health.redis.enabled (as of 2022 Spring)

The values for the parameters can be modified as described here.
>> Configuring Services using Profiles.
