Re: James 3.8 one OpenSuSE 15.5

2024-02-06 Thread Rene Cordier

Hi Benoit,

Not sure to follow you. I really don't think it is necessary to 
implement OpenID connect auth for a webadmin UI panel, that sounds like 
a lot of unnecessary complicated work, likely overkill.


Could start by just maybe some basic auth configurable admin creds in 
James, like I believe most admin UI panels in most software do?


I think first version should just stay simple anyways.

Regards,

Rene.

On 2/6/24 22:14, Benoit TELLIER wrote:

Hi cryptearth,

I can't help for OpenSuse problems.

Regarding web-admin API access control, a design I would love to see 
is actually relying on OpenID connect.


This would enable to use OIDC providers like LemonLDAP or Keycloak to 
be used in order to manage users, and which user can access which 
application.


We did implement something very similar for JMAP:
 - Set up Apisix as an API gateway to validate JWT tokens: 
https://github.com/apache/james-project/tree/master/examples/oidc
 - And have a dumb code in James following what the API gateway 
decided: 
https://github.com/apache/james-project/blob/7536d45ada1d3b7ba83cd2020ba862f294125c6d/server/protocols/jmap/src/main/java/org/apache/james/jmap/http/XUserAuthenticationStrategy.java#L39 



I would love to have this approach being explored.

Or... It could be possible to go faster. And just not expose the 
webadmin port publicly, but on a private docker network. Then no need 
to protect it. We could rework the web-admin api in a second time in 
order to make it compatible. This would be the way I would follow first.


Regards

On 06/02/2024 01:02, cryptearth wrote:

Well, just as an update:

As the OpenSuSE forums are as helpful as always: not at all - I 
looked up options to change James listen directly on TCP/25 itself - 
and had not much luck.


I don't want to spam the list with the details as it doesn't belong 
here, the short version is: The packet filter doesn't seem to work 
the way I expected it to according to its own docs.


There also seem other options such as privilege dropping or enabling 
non-root processes to bind to ports below 1024 - but the former isn't 
supported by Java and the latter works not on a per-process basis but 
global on a per-executable scope: When I allow James to bind to ports 
below 1024 so can any other Java process, not exactly what I wanted.


I'm also not quite sure if it's just OpenSuSE biting me once again as 
it did for so many years with the somehow screwed up MySQL/MariaDB 
packages as when testing in a VM with Arch it works as expected. I 
guess I should start to reconsider keep using OpenSuSE for my servers 
as it keeps throwing rocks into my path, its community isn't really 
helpful and much of the information one finds just doesn't work for one 
reason or another with no clue why or how to fix it.


Anyway ...

As for developing a client for the web-admin api: As its only 
security seems to be the JWT I still have to get my head around how 
to implement that securely so that only authorized admins with access 
to a valid token can access the web-admin.


I also plan to keep it modular so that each function can get 
implemented independently without much spaghetti code. I'm aware 
about some sort of markup languages so one can just write a simple 
parser and then define such functionalities via config files. But I 
guess that's something for someone with more experience in that style 
of coding.


Unfortunately I won't have much time in the next few weeks as 
overtime and extra work is planned throughout February. But I'll keep 
it in mind as I want to give something back to such a great project.



So long,

have a good one y'all.

Matt

On 15.01.24 03:45, Rene Cordier wrote:

Hi Matt,

Happy to see the transition didn't look too hard for you! Regarding 
the webadmin, no there is no UI at the moment. It's been a task in 
the backlog for a long time though. But if you want to take a look, 
and even contribute, the task is here: 
https://issues.apache.org/jira/browse/JAMES-1931 .


I'm sure people would be happy to see a contribution about this and 
support you regarding the coding standards of the project with 
reviews, even if the UI is not really good looking, it is ok I 
think. It's destined more to sys admins than lambda users for a 
backend software, as long as it does the job, it's enough already 
IMO :)


Cheers,

Rene.

On 1/14/24 09:07, cryptearth wrote:

Hi everyone,

so, I had a look into Guice+JPA and it's quite easy to set up by 
just reusing the configs I have for the Spring build. And although I 
still can use james-cli (although a bit different) I now have 
access to the REST-api via the webadmin (until now it seems I 
misunderstood it: I thought the "web admin" to be some browser 
admin panel instead of just a REST-api). And although it seems 
rather easy to use it to do the same as with the james-cli and even 
more - looking in the list archive: Is there any "client" for it 
like some webpage or some standalone gui?


Guess if not it'd be a 

Re: James 3.8 one OpenSuSE 15.5

2024-02-06 Thread Benoit TELLIER

Hi cryptearth,

I can't help for OpenSuse problems.

Regarding web-admin API access control, a design I would love to see is 
actually relying on OpenID connect.


This would enable to use OIDC providers like LemonLDAP or Keycloak to 
be used in order to manage users, and which user can access which 
application.


We did implement something very similar for JMAP:
 - Set up Apisix as an API gateway to validate JWT tokens: 
https://github.com/apache/james-project/tree/master/examples/oidc
 - And have a dumb code in James following what the API gateway 
decided: 
https://github.com/apache/james-project/blob/7536d45ada1d3b7ba83cd2020ba862f294125c6d/server/protocols/jmap/src/main/java/org/apache/james/jmap/http/XUserAuthenticationStrategy.java#L39 



I would love to have this approach being explored.

Or... It could be possible to go faster. And just not expose the 
webadmin port publicly, but on a private docker network. Then no need to 
protect it. We could rework the web-admin api in a second time in order 
to make it compatible. This would be the way I would follow first.


Regards

On 06/02/2024 01:02, cryptearth wrote:

Well, just as an update:

As the OpenSuSE forums are as helpful as always: not at all - I looked 
up options to change James listen directly on TCP/25 itself - and had 
not much luck.


I don't want to spam the list with the details as it doesn't belong 
here, the short version is: The packet filter doesn't seem to work the 
way I expected it to according to its own docs.


There also seem other options such as privilege dropping or enabling 
non-root processes to bind to ports below 1024 - but the former isn't 
supported by Java and the latter works not on a per-process basis but 
global on a per-executable scope: When I allow James to bind to ports 
below 1024 so can any other Java process, not exactly what I wanted.


I'm also not quite sure if it's just OpenSuSE biting me once again as 
it did for so many years with the somehow screwed up MySQL/MariaDB 
packages as when testing in a VM with Arch it works as expected. I 
guess I should start to reconsider keep using OpenSuSE for my servers 
as it keeps throwing rocks into my path, its community isn't really 
helpful and much of the information one finds just doesn't work for one reason 
or another with no clue why or how to fix it.


Anyway ...

As for developing a client for the web-admin api: As its only security 
seems to be the JWT I still have to get my head around how to 
implement that securely so that only authorized admins with access to 
a valid token can access the web-admin.


I also plan to keep it modular so that each function can get 
implemented independently without much spaghetti code. I'm aware about 
some sort of markup languages so one can just write a simple parser 
and then define such functionalities via config files. But I guess 
that's something for someone with more experience in that style of 
coding.


Unfortunately I won't have much time in the next few weeks as overtime 
and extra work is planned throughout February. But I'll keep it in mind 
as I want to give something back to such a great project.



So long,

have a good one y'all.

Matt

On 15.01.24 03:45, Rene Cordier wrote:

Hi Matt,

Happy to see the transition didn't look too hard for you! Regarding 
the webadmin, no there is no UI at the moment. It's been a task in 
the backlog for a long time though. But if you want to take a look, 
and even contribute, the task is here: 
https://issues.apache.org/jira/browse/JAMES-1931 .


I'm sure people would be happy to see a contribution about this and 
support you regarding the coding standards of the project with 
reviews, even if the UI is not really good looking, it is ok I think. 
It's destined more to sys admins than lambda users for a backend 
software, as long as it does the job, it's enough already IMO :)


Cheers,

Rene.

On 1/14/24 09:07, cryptearth wrote:

Hi everyone,

so, I had a look into Guice+JPA and it's quite easy to set up by just 
reusing the configs I have for the Spring build. And although I still 
can use james-cli (although a bit different) I now have access to 
the REST-api via the webadmin (until now it seems I misunderstood 
it: I thought the "web admin" to be some browser admin panel instead 
of just a REST-api). And although it seems rather easy to use it to 
do the same as with the james-cli and even more - looking in the 
list archive: Is there any "client" for it like some webpage or some 
standalone gui?


Guess if not it'd be a nice project to get something together - 
although I'm only a hobbyist and hence the "most advanced" I was 
able to get done was a simple networked battle ships game with some 
very ugly ui-code for the placement of the ships. So I guess if at 
all I can only provide some simple stuff and far from the code 
standards of ASF.


The next will now be to switch over to Guice+JPA and also upgrade my 
backup server. Nice to see I still can learn about James -
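
The gateway design described in Benoit's message (an API gateway validates the JWT, the backend follows what the gateway decided), as an added example that is not code from the thread, James or Apisix. Assumptions: the identity header is named `X-User` (inferred from the `XUserAuthenticationStrategy` class name), a constructed HS256 shared key stands in for verifying the OIDC provider's signature, and all function names are hypothetical.

```python
import base64, hashlib, hmac, json

KEY = b"constructed-demo-key"  # constructed; a real gateway checks the OIDC provider's signature

def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(signing_input, key):
    return hmac.new(key, signing_input.encode(), hashlib.sha256).digest()

def make_token(claims, key=KEY):
    """Constructed HS256 JWT, standing in for a token issued by the OIDC provider."""
    head = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(claims).encode())
    return f"{head}.{body}.{_b64(_sign(head + '.' + body, key))}"

def gateway(headers, now, key=KEY):
    """Return the headers to forward to the backend, or None to reject the request."""
    # Normalise names and drop any identity header the client supplied itself.
    fwd = {k.lower(): v for k, v in headers.items() if k.lower() != "x-user"}
    auth = fwd.pop("authorization", "")
    if not auth.startswith("Bearer "):
        return None
    try:
        head, body, sig = auth[len("Bearer "):].split(".")
        if json.loads(_unb64(head)).get("alg") != "HS256":  # pin the algorithm
            return None
        if not hmac.compare_digest(_sign(head + "." + body, key), _unb64(sig)):
            return None
        claims = json.loads(_unb64(body))
        if claims["exp"] <= now or not claims["sub"]:
            return None
    except (ValueError, KeyError, TypeError, AttributeError):
        return None
    fwd["x-user"] = claims["sub"]  # identity asserted by the gateway only
    return fwd

def backend_user(headers):
    """Backend side: trusts X-User as-is, so it must be reachable only via the gateway."""
    return {k.lower(): v for k, v in headers.items()}.get("x-user")
```

Because `backend_user` accepts whatever `X-User` it receives, the backend port has to stay on a private network behind the gateway, which is the same isolation the thread proposes for the webadmin port.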