Bug 733102

Summary: Dynamic loading of rules from Repo is broken
Product: [JBoss] JBoss Enterprise BRMS Platform 5 Reporter: Prakash Aradhya <paradhya>
Component: DocumentationAssignee: lcarlon <lcarlon>
Status: CLOSED WONTFIX QA Contact: ecs-bugs
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: BRMS 5.2.0-ER1CC: atangrin, brms-jira, gdesmet, lpetrovi, tschloss
Target Milestone: ---Keywords: Documentation
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-09-24 00:11:28 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Description Prakash Aradhya 2011-08-24 18:50:38 UTC
Description of problem:

- The process for dynamically loading rules from the BRMS repo is apparently fundamentally broken.  On the Guvnor pages, I can clearly see a link to a ChangeSet URL which, presumably, could be used to load rules from the repo. However, the server password protects this connection.  And the tool used to load those, the ResourceFactory, doesn't, apparently, include any method for passing a username and password for basic HTTP authentication (beyond encoding it in the URL, which I'm not sure is a good idea).  What's worse, perhaps, is that the ChangeSet files that are downloaded invariably refer to a repo location, also accessed via HTTP, and also password protected.  While it is possible to put the authentication info in the change set files if you download them and bundle them into your application, it seems a little . . . silly . . . to have to do that.  In the end, I'm trying to sort out if there is, in fact, any possible way to leverage the repo directly via these URLs, or if I'm essentially stuck with an export from the repo to an application-local bundle in order to get this functioning.  It seems to me that I have three options:
- turn off the login-config.xml settings for the brms deployment, effectively making the entire repo open to the world, which isn't a good idea, generally, I think.
- Download the changeset and bundle it, after making appropriate changes (which still doesn't work properly, more on this next).
- Download the rules themselves and bundle them, which, frankly, begs the question: why have a separate BRMS repository?

A better fix, of course, would be for the ResourceFactory to allow for usernames and passwords, or other authentication schemes, and for the BRMS server to include the same auth in the changesets by default when downloading.  Or something like that.  It seems that we've effectively secured the server without providing a cogent or obvious way for the client to access it.  That seems like a ship blocker to me.

- After fixing the changeset to use the authentication, I still have issues due to incompatibility of the libraries used on the client and server side.  Specifically, the MVELDecoder was giving me serialization ID issues.  I used the Drools runtime files generated by JBDS 4.0.0 to no avail.  I just downloaded JBDS 4.1 today, and I'll give that a try, but so far, the solution seems to be to copy out the runtime jars from the deployed application jboss-brms.war, because I'm not seeing those jars anywhere else in the 5.2.ER2 deployment I have running.  That's beyond frustrating.

These are the two big ones.  Consider, also, that Seam uses Drools libraries, and that that integration may not be very clean.  That's likely part of the problem I'm running in to here (it's basically a Seam app that's acting as the client - I'm wrapping the KnowledgeBase in an application-scoped Seam component).  It may get worse.  I'll keep you posted.

For now, I'm going to have to go with bundled rules for the sake of expediency.  I can file these in bugzilla as well, if you'd like.

Thanks,
Will


Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:


Additional info:

Comment 1 Tomas Schlosser 2011-08-25 06:52:05 UTC
(In reply to comment #0)
> Description of problem:
> 
> - The process for dynamically loading rules from the BRMS repo is apparently
> fundamentally broken.  On the Guvnor pages, I can clearly see a link to a
> ChangeSet URL which, presumably, could be used to load rules from the repo.
> However, the server password protects this connection.  And the tool used to
> load those, the ResourceFactory, doesn't, apparently, include any method for
> passing a username and password for basic HTTP authentication (beyond encoding
> it in the URL, which I'm not sure is a good idea).  What's worse, perhaps, is
> that the ChangeSet files that are downloaded invariably refer to a repo
> location, also accessed via HTTP, and also password protected.  While it is
> possible to put the authentication info in the change set files if you download
> them and bundle them into your application, it seems a little . . . silly . . .
> to have to do that.  In the end, I'm trying to sort out if there is, in fact,
> any possible way to leverage the repo directly via these URLs, or if I'm
> essentially stuck with an export from the repo to an application-local bundle
> in order to get this functioning.  It seems to me that I have three options:
> - turn off the login-config.xml settings for the brms deployment, effectively
> making the entire repo open to the world, which isn't a good idea, generally, I
> think.
> - Download the changeset and bundle it, after making appropriate changes (which
> still doesn't work properly, more on this next).
> - Download the rules themselves and bundle them, which, frankly, begs the
> question: why have a separate BRMS repository?
> 
> A better fix, of course, would be for the ResourceFactory to allow for
> usernames and passwords, or other authentication schemes, and for the BRMS
> server to include the same auth in the changesets by default when downloading. 
> Or something like that.  It seems that we've effectively secured the server
> without providing a cogent or obvious way for the client to access it.  That
> seems like a ship blocker to me.
> 
> - After fixing the changeset to use the authentication, I still have issues due
> to incompatibility of the libraries used on the client and server side. 
> Specifically, the MVELDecoder was giving me serialization ID issues.  I used
> the Drools runtime files generated by JBDS 4.0.0 to no avail.  I just
> downloaded JBDS 4.1 today, and I'll give that a try, but so far, the solution
> seems to be to copy out the runtime jars from the deployed application
> jboss-brms.war, because I'm not seeing those jars anywhere else in the 5.2.ER2
> deployment I have running.  That's beyond frustrating.
> 
> These are the two big ones.  Consider, also, that Seam uses Drools libraries,
> and that that integration may not be very clean.  That's likely part of the
> problem I'm running in to here (it's basically a Seam app that's acting as the
> client - I'm wrapping the KnowledgeBase in an application-scoped Seam
> component).  It may get worse.  I'll keep you posted.
> 
> For now, I'm going to have to go with bundled rules for the sake of expediency.
>  I can file these in bugzilla as well, if you'd like.
> 
> Thanks,
> Will
> 
> 
> Version-Release number of selected component (if applicable):
> 
> 
> How reproducible:
> 
> 
> Steps to Reproduce:
> 1.
> 2.
> 3.
> 
> Actual results:
> 
> 
> Expected results:
> 
> 
> Additional info:

Hi Prakash,
problem is that you don't set up authentication. When accessing URL resources that need authentication you either have to provide username and password in URL or set Authenticator. I include a piece of code that might help you. If you run this before creating URL resource it will work (assuming you have an admin account with password admin). To ensure security more things should be done (encrypting the password in code, creating user with readonly access to resources etc.). Also please note that preffered way of accessing the Guvnor changeset is through KnowledgeAgent to allow dynamic changes.

Authenticator.setDefault(new Authenticator() {
    @Override
    protected PasswordAuthentication getPasswordAuthentication() {
        if (getRequestingPrompt().equals("users")) {
            return new PasswordAuthentication("admin", "admin".toCharArray());
        }
        return super.getPasswordAuthentication();
    }
});

Comment 2 Lukáš Petrovický 2011-08-25 07:16:02 UTC
Re-assigning to Documentation component since there is nothing development needs to do.

Comment 3 Geoffrey De Smet 2011-08-25 07:38:28 UTC
As for the second problem. If I recall correctly, the client and server should use the exact same drools version (which transitively includes the mvel version).
If they're using maven/gradle/ivy/buildr, then it's a matter to of specifying the same drools version on the client and the server pom's.
If not, then copying the jars from the distribution is probably the best thing you can do.

Comment 5 lcarlon 2012-09-06 05:56:55 UTC
Is this still an issue with 5.3.1?

Comment 6 lcarlon 2012-09-24 00:11:28 UTC
Closing this issue. If it's still an issue, please reopen with a comment explaining what is required from docs.