...
Caching User Attributes
Note: As of 2023 Summer, the client and BPM components of yuuvis® Momentum do NOT yet support caching user attributes.
The AUTHENTICATION service can be configured to exclude the authorization and abac sections from the JWT. Instead, the full set of user attributes, including the authorization and abac sections, is stored for 5 minutes in a userAttributes Redis cache for each logged-in user.
All services within the yuuvis® Momentum cluster that need the authorization and abac information retrieve it from the userAttributes Redis cache.
Within the cluster, the userAttributes cache can be inspected via the Redis CLI.
The command

```
redis-cli keys 'userAttributes*'
```

retrieves a list of all user attributes-related keys for all tenants. Each key contains the tenant and the user ID of a logged-in user. If only one user is currently logged in, the response could be, e.g.,

```
redis-cli keys 'userAttributes*'
1) "userAttributes::yuuvistest,3cfaf962-b254-45c8-b0e9-82f79f2c26ee"
```

Note that KEYS walks the entire keyspace and blocks the Redis server while doing so; on a busy production instance prefer the non-blocking `redis-cli --scan --pattern 'userAttributes*'`, which returns the same keys.
- userAttributes is the cache name. It is the same for all keys.
- yuuvistest is the example tenant name.
- 3cfaf962-b254-45c8-b0e9-82f79f2c26ee is the example user ID.
For each key, the stored value contains the full set of user attributes for the corresponding user. For a logged-in user with the ID d90b12d5-1288-4a73-92fc-d9b6872df812, it can be retrieved via

```
redis-cli get userAttributes::yuuvistest,d90b12d5-1288-4a73-92fc-d9b6872df812
```

The response is a string containing the encoded JSON object. The object is serialized to a string and that string is JSON-encoded again, which is why the quotes appear escaped in the redis-cli output, e.g.,

```
"\"{\\\"username\\\":\\\"root\\\",\\\"id\\\":\\\"d90b12d5-1288-4a73-92fc-d9b6872df812\\\",\\\"title\\\":\\\"First User\\\",\\\"email\\\":\\\"testroot@yuuvis\\\",\\\"firstname\\\":\\\"First\\\",\\\"lastname\\\":\\\"User\\\",\\\"domain\\\":\\\"dd\\\",\\\"tenant\\\":\\\"yuuvistest\\\",\\\"authorities\\\":[\\\"YUUVIS_DEFAULT\\\",\\\"YUUVIS_SYSTEM_INTEGRATOR\\\",\\\"YUUVIS_TENANT_ADMIN\\\"],\\\"accountNonExpired\\\":true,\\\"accountNonLocked\\\":true,\\\"credentialsNonExpired\\\":true,\\\"enabled\\\":true}\""
```

Since the cached value carries the user's authorities and account flags in clear text, anyone with read access to the Redis instance can read the authorization data of every logged-in user. Restrict network access to Redis to the cluster services that need it and require authentication on the instance.
Furthermore, the AUTHENTICATION service provides the internal endpoint GET /session/updateUserAttributeCache/{tenant}/{userId}. Services within the cluster can call it to retrieve the user information and refresh the cache if a logged-in user is missing from it (e.g., because the maximum item storage time of 5 minutes has been exceeded).
To activate the userAttributes cache, the following points have to be considered:
- The authorization.cacheUserAttributes parameter has to be set to true in the authentication-prod.yml configuration file.
- All services that need authorization and abac information require the redis profile. This applies to the following core services:
  - API gateway
  - AUDIT service
  - AUTHENTICATION service
  - INDEX service
  - REGISTRY service
  - REPOSITORY service
  - SEARCH service
  - SYSTEM service
- Custom services that might run within the yuuvis® Momentum cluster can retrieve authorization and abac information from Redis or via the endpoint GET /session/updateUserAttributeCache/{tenant}/{userId} if necessary.
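The following is an added example (not yuuvis® Momentum's own code) of how a custom service in the cluster can consume the userAttributes cache as described above: it builds the userAttributes::<tenant>,<userId> key, decodes the double-encoded JSON value shown in the redis-cli output, and on a cache miss (entry expired after 5 minutes or user never cached) falls back to a refresh modelled on the GET /session/updateUserAttributeCache/{tenant}/{userId} endpoint. The Redis client (FakeRedis) and the refresh call (make_refresher) are in-memory stand-ins and the user record is constructed, so the example runs offline; in a real service they would be a Redis client and an HTTP call to the AUTHENTICATION service.

```python
import json
from typing import Callable, Dict, Optional, Tuple

CACHE_NAME = "userAttributes"
CACHE_TTL_SECONDS = 300  # the 5-minute maximum item storage time of the cache


def cache_key(tenant: str, user_id: str) -> str:
    """Key format shown by `redis-cli keys 'userAttributes*'`: userAttributes::<tenant>,<userId>."""
    return f"{CACHE_NAME}::{tenant},{user_id}"


def encode_for_cache(attrs: dict) -> str:
    """Mirror the stored format: the JSON object is serialized to a string and that
    string is JSON-encoded again, which is why redis-cli shows \\\" escapes."""
    return json.dumps(json.dumps(attrs, separators=(",", ":")))


def decode_cached_value(raw: str) -> dict:
    """Undo the double encoding; a plainly stored JSON object is accepted as well."""
    value = json.loads(raw)
    if isinstance(value, str):
        value = json.loads(value)
    if not isinstance(value, dict):
        raise ValueError("unexpected userAttributes payload")
    return value


def account_is_usable(attrs: dict) -> bool:
    """Trust cached authorities only while all four account flags are true."""
    flags = ("enabled", "accountNonExpired", "accountNonLocked", "credentialsNonExpired")
    return all(attrs.get(flag) is True for flag in flags)


def has_authority(attrs: dict, authority: str) -> bool:
    return account_is_usable(attrs) and authority in attrs.get("authorities", [])


class FakeRedis:
    """Minimal in-memory stand-in for a Redis client (get/setex/delete only, TTL ignored)."""

    def __init__(self) -> None:
        self.store: Dict[str, str] = {}

    def get(self, key: str) -> Optional[str]:
        return self.store.get(key)

    def setex(self, key: str, ttl: int, value: str) -> None:
        self.store[key] = value

    def delete(self, key: str) -> None:
        self.store.pop(key, None)


# Constructed sample user, modelled on the page's example value.
SAMPLE_USER = {
    "username": "root",
    "id": "d90b12d5-1288-4a73-92fc-d9b6872df812",
    "email": "testroot@yuuvis",
    "tenant": "yuuvistest",
    "authorities": ["YUUVIS_DEFAULT", "YUUVIS_SYSTEM_INTEGRATOR", "YUUVIS_TENANT_ADMIN"],
    "accountNonExpired": True,
    "accountNonLocked": True,
    "credentialsNonExpired": True,
    "enabled": True,
}

Refresher = Callable[[str, str], bool]


def make_refresher(redis_client: FakeRedis, directory: Dict[Tuple[str, str], dict]) -> Refresher:
    """Hypothetical stand-in for GET /session/updateUserAttributeCache/{tenant}/{userId}:
    look the user up and refill the cache entry. Returns False for an unknown user."""

    def refresh(tenant: str, user_id: str) -> bool:
        attrs = directory.get((tenant, user_id))
        if attrs is None:
            return False
        redis_client.setex(cache_key(tenant, user_id), CACHE_TTL_SECONDS, encode_for_cache(attrs))
        return True

    return refresh


def get_user_attributes(tenant: str, user_id: str, redis_client: FakeRedis, refresh: Refresher) -> Optional[dict]:
    """Cache-first lookup with a single refresh on a miss (expired or never cached)."""
    key = cache_key(tenant, user_id)
    raw = redis_client.get(key)
    if raw is None and not refresh(tenant, user_id):
        return None
    raw = raw if raw is not None else redis_client.get(key)
    return decode_cached_value(raw) if raw is not None else None


def demo() -> dict:
    """Miss -> refresh -> hit, then a simulated expiry, then an unknown user."""
    r = FakeRedis()
    refresh = make_refresher(r, {("yuuvistest", SAMPLE_USER["id"]): SAMPLE_USER})
    first = get_user_attributes("yuuvistest", SAMPLE_USER["id"], r, refresh)
    r.delete(cache_key("yuuvistest", SAMPLE_USER["id"]))  # simulate the 5-minute expiry
    second = get_user_attributes("yuuvistest", SAMPLE_USER["id"], r, refresh)
    unknown = get_user_attributes("yuuvistest", "00000000-0000-0000-0000-000000000000", r, refresh)
    return {"first": first, "second": second, "unknown": unknown,
            "tenant_admin": has_authority(first, "YUUVIS_TENANT_ADMIN")}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The has_authority check deliberately refuses to grant anything for an account whose enabled, accountNonExpired, accountNonLocked or credentialsNonExpired flag is not true: the cached entry keeps those flags alongside the authorities, and a consumer that only reads the authorities list would keep honoring a locked or disabled account until the entry expires.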
Validation of internal JWTs
...
```yaml
server.servlet.session.cookie.same-site: 'None'
server.servlet.session.cookie.secure: true
```

Browsers only accept a SameSite=None cookie if it is also marked Secure, which is why the two settings belong together.
Refresh the CONFIGSERVICE.
Restart the AUTHENTICATION service.
Configuration
The yuuvis® Momentum configuration files for the operation in the Kubernetes cluster are stored on the Git Server configured in the system. In order to change the configuration of a service, you need to access the Git repository.
Parameters in Profiles
The following parameters are referenced from the corresponding profiles. Click a profile to display the descriptions and default values of its parameters.
Profile | Parameter
---|---
application-oauth2.yml | keycloak.host
application-oauth2.yml | authentication.oauth2.tenants
authentication-prod.yml | routing.defaultEntryPoint
authentication-prod.yml | management.endpoints
authentication-prod.yml | management.endpoint
authentication-prod.yml | routing.endpoints
authentication-prod.yml | authorization.accesses
authentication-prod.yml | spring.session.store-type (as of 2022 Spring)
authentication-prod.yml | management.health.redis.enabled (as of 2022 Spring)
The values for the parameters can be modified as described here.
>> Configuring Services using Profiles.