It includes:
- reworking Workspace Activity API to store timestamps of each status changes;
- add REST API endpoint to get workspaces ids by status and threshold timestamp;
* Adding support for @Traced annotation to enable whole method tracing
* Trace the creation and removal of workspace
* Trace the start of async start of the workspace
Note that this does not actually trace the async operations but merely
the "kick off" of those. For tracing the async operations, we need to
introduce support for propagating the span ids over the thread boundaries
using opentracing-concurrent.
* Enable tracing across the thread boundaries by augmenting the
WorkspaceSharedPool threadpool with tracing support.
Note that this does not add any new traces, merely enables the async
tracing.
* Add support for adding tags to @Traced methods.
The interceptor also reports the actual invoked class and method
(cleansed of Guice subclass name garbage)
* Trace the startup of pods during workspace startup.
* Trace stop of a workspace
* Introduce utility methods for tracing parts of methods.
* Trace provisioning of k8s objects (in both Kubernetes and Openshift
infrastructures).
* Create a common set of tags and enable strongly typed tags
* Apply the standard tags instead of hardcoded strings.
* Adding @Beta annotations for the tracing-related classes.
This needs to stabilize first.
* Replacing the "Traces" machinery with just annotated package private methods.
This way the code is easier to ready while we also keep all the flexibility
needed for the tag definitions.
* Rename CheTags to more descriptive TracingTags.
* Evaluate the tag values lazily.
This will reduce the load when tracing is switched off.
* Simplify the machine startup tracing logic and distinguish between
true error and mere cancellation due to prior errors.
* Trivial - applying formatting.
* Use getContext().getEnvironment().getMachines().size() to get the precise
number of machines that will be starting up.
* Trivial - change the name of the machine creation tag
* Use a formatted message instead of string concat.
* Update to the latest parent so that che-core-commons-tracing is correctly
incorporated into the full build.
* Fix tracing of the asynchronous stop of a workspace.
* Don't fall over when tracing is not available.
Allows running Che 7 workspace without any user environment but with Che 7 tooling set.
Workspace without environment has an empty list of environments and null value in `defaultEnv` field.
Field `activeEnv` is supposed to be `null` too.
What is changed:
- Migration of DB
- make defaultEnv nullable
- remove env_name from runtimes primary key
- make env_name in runtimes nullable
- Make code respect the fact that there are workspaces with no env
- settings API that returns the list of supported environment types returns no-environment type that - indicates that infrastructure support workspace with no environment at all.
Signed-off-by: Oleksandr Garagatyi <ogaragat@redhat.com>
Currently in Che there are still a number of requirements in upstream that are not required by the OIDC specification, so that Che still cannot be used with a number of OIDC compliant providers.
For example, in order to have Che working with the [`node-oidc-provider`](https://github.com/panva/node-oidc-provider), the following changes were necessary:
- Remove the requirement to have the email as a claim in the JWT access
token: this is not required the specification and is not supported by a
number of OIDC providers. Normally, the Id token contains such claims.
So now if the email is not in the JWT token the first time the user connects to Che, ten the email is retrieved from the OIDC provider through its `user-profile` endpoint.
- Explicitely specify the the `openid email profile` scope when requesting the access token. Because OIDC providers, when answering to the `userInfo` endpoint, are expected to return claims that corresponds to the scopes of the access token. So if an access token has the `openid` scope only, the `userinfo` might return no claim at all (according to the specification).
Until now it was working since keycloak allows adding claims to the returned tokens anyway.
- Allow supporting fixed redirect Uris: most OIDC providers support having a list of redirect URIs to come back to after the authorization step. But these authorized Uris don't necessarily support wildcards or prefix. Che doesn't support this currently, and these changes introduce 2 fixed callback HTML pages that redirect to the Dashboard / IDE URL of the final page we want to come back to after authentication. This makes Che compatible with more OIDC providers
We introduced a new boolean property to enable / disable fixed redirect URLs:
`che.keycloak.use_fixed_redirect_urls`
whose default value is `false`
- The previous points required some light changes in the Keycloak Javascript adapter file, that we will submit as a PR to the Keycloak project. I, the meantime the `OIDCKeycloak.js` file is still used, but has been updated to be now based on the `keycloak.js` file of the last `4.5.0-final` Keycloak release. This will make this Keycloak PR easier to get accepted.
Please keep in mind that this version upgrade only impacts the alternate OIDC provider case: when using a real Keycloak server, Che *always uses the `keycloak.js` file provided by the Keycloak server*.
Signed-off-by: David Festal <dfestal@redhat.com>
* Move wsnext flow in Kubernetes infra implementation
Now we need to start a broker and pass meta.yaml files to it.
Starting a broker is infra-specific stuff, so it has to be done
on the infra implementation side because we don't have a part
in the infra SPI that would allow us to start a broker.
Passing Meta files using InternalEnvironment object is more
invasive than passing only attributes. So, this commit applies
less invasive scheme.
* CHE-10202,10561: Add fetching of Che editor, plugins meta from the registry
Add fetching of Che editor ID from workspace attributes.
Add fetching of Che plugins IDs from workspace attributes.
Use colon sign for separating editor/plugin ID and version
instead of the slash.
Remove old Workspace.Next model objects.
* CHE-10561: Share WS.NEXT between k8s and OS infras
Use WS.NEXT in both k8s and OS infrastructure implementations.
* CHE-10561: fix fetching meta.yaml files from che-plugin-registry
* CHE-10561: Fix sidecar model serialization
Fixes the fact that some fields in workspace sidecar tooling model
POJOs were incorrectly named or required custom serialization of
fields.
* CHE-10561: Add listening of che-plugin-broker
Add code that allows listening for events from Che plugin broker.
An event might contain workspace tooling config as a result if the broker
finished successfully or error otherwise.
* CHE-10561: Add PluginBrokerManager to control broker lifecycle
Adds PluginBrokerManager that configures/starts/waits Che plugin
broker.
Remove unused code.
Remove notion of Workspace next.
* Align plugin registry property between different components
* Fix extra path in che plugin registry URL
Signed-off-by: Oleksandr Garagatyi <ogaragat@redhat.com>
The files are reformatted in order to suit the requirements of coveo maven fmt plug-in of v.2.5.1
Signed-off-by: Victor Rubezhny <vrubezhny@redhat.com>
Previously, it banned only update profile attributes of the specified user
(PUT /profile/{USER_ID}/attributes) but methods related to current user
were still available (DELETE /profile/attributes and PUT
/profile/attributes)
* Improve wsmaster OpenIdConnect configurability, and helm deployment scripts
- Make username claim configurable in cases
Oidc provider does not support the default claim (default is "preferred_user")
- Introduce fallback for username (issuer+subject) if the username claim is not present
in the token
- Extend helm scripts to take customOidcProvider and customOidcUsernameClaim
parameters into account when deploying che master.
- Introduce cheDedicatedKeycloak global param, conditioning if dedicated che
keycloak server should be deployed, and waited on by the master.
- default value for cheDedicatedKeycloak (if not defined) is true
if the cheDedicatedKeycloak parameter is defined and is false,
customOidcProvicer must be supplied, when using multiuser mode.
Signed-off-by: Sergey Kuperman <sergey.kuperman@sap.com>
* Code review fixes
Remove the extra if condition in configmap.yaml
Remove extra line in requirements.yaml
fix typo in deployment.yaml
* Add che.keycloak.username_claim property as NULL into multiuser.properties
* Simplify helm conditions, when deploying che master with or without keycloak
if multiuser = true, and .Values.customOidcProvider was supplied, assumption is that
we work with no keycloak (no waiting in deployment)
global.cheDedicatedKeycloak is still needed as separate variable for requirements.yaml to determine whether keycloak chart should be installed
so for keycloak deployment, no parameters need to be passed beside global.multiuser=true,
for custom OIDC :
.Values.customOidcProvider=http://url, and global.cheDedicatedKeycloak=false
both need to be set
* Support identity provider token retrieval in both JSON or URL formats.
That's required because some identity providers (such a `openshift-v3`)
correctly return the token information in JSON, as expected. So
switching to the url-based syntax should only used when the returned
json is invalid.
Signed-off-by: David Festal <dfestal@redhat.com>
* Introduce an `OpenShiftClientConfigFactory` to allow customizing the OpenShift config returned according to the current context (workspace ID, current user)
Signed-off-by: David Festal <dfestal@redhat.com>
* Openshift Infra + Multi-user => allow using OpenShift identity provider to connect to openshift with the OS oauth token of the current Che user.
This introduces a new property:
`che.infra.openshift.oauth_identity_provider`
Signed-off-by: David Festal <dfestal@redhat.com>
* Notify the user when a workspace cannot be started from the nav bar.
Signed-off-by: David Festal <dfestal@redhat.com>
* Add the ability to install the Openshift certificate into Keycloak
Signed-off-by: David Festal <dfestal@redhat.com>
* Add a yaml file to provide the openshift certificate as a secret,
in case it has to be installed into the dedicated Keycloak server.
Then the commands to install Che multiuser on Minishift with this
certificate are:
```
oc new-project che
oc process -f multi/openshift-certificate-secret.yaml -p
CERTIFICATE="$(minishift ssh docker exec origin /bin/cat
./openshift.local.config/master/ca.crt)" | oc apply -f -; \
oc new-app -f multi/postgres-template.yaml; \
oc new-app -f multi/keycloak-template.yaml -p ROUTING_SUFFIX=$(minishift
ip).nip.io; \
oc apply -f pvc/che-server-pvc.yaml; \
oc new-app -f che-server-template.yaml -p ROUTING_SUFFIX=$(minishift
ip).nip.io -p CHE_MULTIUSER=true -p
CHE_INFRA_OPENSHIFT_OAUTH__IDENTITY__PROVIDER=openshift-v3; \
oc set volume dc/che --add -m /data --name=che-data-volume
--claim-name=che-data-volume
```
Of course it's still needed to register the `openshift-v3` identity
provider in the Keycloak server, as well as, add the corresponding
`OAuthClient` object in Minihshift.
Signed-off-by: David Festal <dfestal@redhat.com>
* Add processing of runtime exceptions during JWT tokens validation
It is needed to set correct 403 response code instead of 500.
Also added response message to notify a client about error reason.
Allow switching to an alternate OIDC provider (provided that it emits access tokens as JWT tokens).
This is the implementation required in upstream Che, for issues
redhat-developer/rh-che#502 and
redhat-developer/rh-che#525
Signed-off-by: David Festal <dfestal@redhat.com>
* Introduce logger REST API to manage log level at runtime
It's possible to create new logger with log level, list all loggers defined with log level, change level on a given logger, etc
Change-Id: I1c105aca33cc88f90270ade4d792d3a75191740a
Signed-off-by: Florent BENOIT <fbenoit@redhat.com>
Extract default machine memory limit setting from
InternalEnvironmentFactory to recipe specific environment
factories.
Make memory limit attribute optional by respecting it by
resource API subsystem.
Signed-off-by: Oleksandr Garagatyi <ogaragat@redhat.com>
- Workspace projects are now stored in folders, named after their workspace id, rather than name,
to prevent issues with workspace renaming. Applies to Docker infrastructure only.
- Add migration, that would move workspace projects to their new location. Occurs on Che startup.
- Added configuration property to enable/disable this migration.
- Improved Workspace DAO/Manager to use pagination for methods, that return lists of workspaces
* Make it possible to tell IDE to use a different "wsagent" server passing server's ref prefix through query parameter
Signed-off-by: Artem Zatsarynnyi <azatsary@redhat.com>
Adapted modules to gwt-lib/gwt-app lifecycle;
shared libs have been cleaned up from the GWT related stuff;
enabled launching Super DevMode with a reactor goal gwt:codeserver;
enabled launching Super DevMode inside a dev-machine (for Che in Che development);
separate compiling IDE GWT app from packaging IDE Web app.
Signed-off-by: Artem Zatsarynnyi <azatsary@redhat.com>
- errorprone : ignore test methods that are using testxyz() pattern but are not annotated by @Test
- Remove deprecated stuff (for example use descriptors/descriptor for maven-assembly plugin
- Remove unnecessary stubbing
- fix dependencies
Change-Id: I16f512fc3bfd542463d3b0d3c062f45ceb5ac6b2
Signed-off-by: Florent BENOIT <fbenoit@redhat.com>
Some changes are required like
- anyString() --> nullable(String.class) for many tests as in fact we provide null values
- add class for VerificationMode as there are more than one method now (can't use lambdas)
- remove cast on ArgumentMatcher (now we can use lambdas as there is generics)
- remove unecessary stubbing (mockito is now reporting un-needed stubs)
Change-Id: I69c7ccc86bc85a4401d5e33671229ae0ce560dbb
Signed-off-by: Florent BENOIT <fbenoit@redhat.com>
Some changes are required like
- anyString() --> nullable(String.class) for many tests as in fact we provide null values
- add class for VerificationMode as there are more than one method now (can't use lambdas)
- remove cast on ArgumentMatcher (now we can use lambdas as there is generics)
- remove unecessary stubbing (mockito is now reporting un-needed stubs)
Change-Id: I69c7ccc86bc85a4401d5e33671229ae0ce560dbb
Signed-off-by: Florent BENOIT <fbenoit@redhat.com>
Moved async operations from WorkspaceManager to WorkspaceRuntimes
to have async facility in one place instead of two.
Moved workspace start/stop logging from WorkspaceManager
to WorkspaceRuntimes since WorkspaceManager can not correctly log
them.
Improved logging of workspace start/stop including addition of new logs.
Fixed logging of exception thrown by RuntimeInfrastructure on runtime
start/stop.
Fix docker image deletion bug on stop of a workspace.
Signed-off-by: Oleksandr Garagatyi <ogaragat@redhat.com>
* Fixed possible constraint violation with an existed organization.
Usecase is following:
If we have already an organization with name, let's say "org" and the new user also has name "org" then we will have constraint violation.
In this case, we will try to create the user with name "org"+random string.
* Port AppStatesPreferenceCleaner from master branch. Class has been missed as a result of previous merges.
* Move AppStatesPreferenceCleaner to che-core-api-workspace.
* Move WorkspaceRemovedEvent and WorkspaceCreatedEvent to che-core-api-workspace-shared;
Move AppStatesPreferenceCleaner to che-core-api-user
Multi-user Eclipse Che (#6441)
#### How to run it.
```docker run -it -e CHE_MULTIUSER=true -e CHE_HOST=<your ip> -e CHE_KEYCLOAK_AUTH-SERVER-URL=http://<your ip>:5050/auth -v /var/run/docker.sock:/var/run/docker.sock -v ~/.che-multiuser:/data eclipse/che:nightly start --skip:pull --skip:nightly```
#### How to manage it
- Keycloak configured with two realms. ```Master``` and ```che```. Also we have one user admin/admin in both realm. Admin user in master realm is - super admin.
- Eclipse Che configured for che realm
- We enabled user registration in ```Che``` realm
#### Known limitation
- swagger would not work. We need to upgrade a version. to support openid authentification https://github.com/eclipse/che/issues/6015
- It's working on local docker. We are going to provide scalable version based on OpenShift on next versions.
- Invitation of non-existent users to Eclipse Che organization https://github.com/eclipse/che/issues/6335
#### How to run it when it is in a branch
To run an multiuser Che version, the following steps are required after building the branch:
- Rebuild init, cli and che images (in the given sequence). To do that, proceed to folder _dockerfiles/<image_name>_ and run _build.sh_
- Run Che in a usual way using cli, with additional parameters: `-e CHE_MULTIUSER=true` and `--skip:pull --skip:nightly`
Full command example:
`docker run -it --rm -v /var/run/docker.sock:/var/run/docker.sock -v /home/user/.che:/data -e CHE_MULTIUSER=true eclipse/che-cli:nightly start --skip:pull --skip:nightly`
- MacOS users may need to edit _che.env_ file in the data folder, changing `CHE_HOST` and `CHE_KEYCLOAK_AUTH__SERVER__URL` values to their specific IP.
When start is succeeded, the following docker containers should be created:
- che, exposing 8080 port;
- che_keycloak, exposing 5050 port;
- che_postgres, exposing 5432 port;
It is needed since it is secured by permissions system which requires
an authenticated user.
Also, use base API endpoint for checking Che in OpenShift deploy
script since system state API which was used before is secured now.
Signed-off-by: Oleksandr Garagatyi <ogaragat@redhat.com>
* Use different Sql schemas for che and che-multiuser
* Move Resource API
* Move Organization API
* Move personal account
* Add Che Multiuser integration tests
* Fix integration tests
* Set 5.19.0-SNAPSHOT version for moved modules
* Fix multiuser packaging
Roman Iuvshyn