Kuali Rice Development
  1. Kuali Rice Development
  2. KULRICE-4303

Document initiator check fails when KIM is run in remote mode

    Details

    • Similar issues:
      KULRICE-6919Location module can not be run in REMOTE mode
      KULRICE-3721The "remote" run mode for KIM (and other Rice modules?) does not allow proper consumption of services from the bus
      KULRICE-2721Add switch on KIM Configurer to make run in local or remote modes
      KULRICE-4667Evaluate remote KIM services: analysis & decision
      KULRICE-9221Invalid bean name "matchAllTxInterceptor" for KIM Remote mode
      KULRICE-12993Update run mode related documentation for KEW to mention KRAD as well as KNS
      KULRICE-4140KimTypeInfoService cannot be accessed by "remote" KIM clients directly
      KULRICE-4641Fix Remote Mode in KIM
      KULRICE-3428Review all services published from each module and determine which should be exported to the bus under which run modes (local, embedded, remote)
      KULRICE-3785KEWConfigurer is still loading the full KEWSpringBeans.xml file even when in "remote" mode.
    • Rice Module:
      KNS, KEW, KIM

      Description

      When an application has configured KIM in "remote" mode, permission checks that cross the service bus and occur in the Rice server and that depend on observing client Rice state (such as the document route header for initiator) will fail because client changes have not yet been committed to the database.

      For example, RouteLogDerivedRoleTypeServiceImpl.hasApplicationRole:

      if (INITIATOR_ROLE_NAME.equals(roleName)){
      isUserInRouteLog =
      principalId.equals(workflowInfo.getDocumentInitiatorPrincipalId(documentNumberLong));

      This will always fail for newly initiated documents, and the result will be that all new documents will be read only (because the current user is not seen to be the "initiator") regardless of any other permission setting.

      This is one such example, but it seems like a general problem and could be more widespread (any other state a client may save and the Rice standalone instance may be requested to operate on).

        Issue Links

          Activity

          Hide
          Aaron Hamid (Inactive) added a comment -

          Increasing to critical as this is significantly impacting our KFS implementation project.

          Show
          Aaron Hamid (Inactive) added a comment - Increasing to critical as this is significantly impacting our KFS implementation project.
          Hide
          Eric Westfall added a comment -

          I'm not sure how much this is going to take, but I'm going to set to 1.0.3 for now. If it proves too impacting then i'll push to 1.1.

          Show
          Eric Westfall added a comment - I'm not sure how much this is going to take, but I'm going to set to 1.0.3 for now. If it proves too impacting then i'll push to 1.1.
          Hide
          Eric Westfall added a comment -

          For documentation purposes, wanted to mention on here that I discussed this with aaron via email, and I think that KIM in embedded mode is the best way for them to proceed in light of these issues as I'm not sure there is an easy solution to this one. I'd like to discuss with the KTI though and see what ideas everyone might have.

          Show
          Eric Westfall added a comment - For documentation purposes, wanted to mention on here that I discussed this with aaron via email, and I think that KIM in embedded mode is the best way for them to proceed in light of these issues as I'm not sure there is an easy solution to this one. I'd like to discuss with the KTI though and see what ideas everyone might have.
          Hide
          Eric Westfall added a comment -

          I think this is going to be too much to chew for 1.0.3. Moving to 1.1

          Show
          Eric Westfall added a comment - I think this is going to be too much to chew for 1.0.3. Moving to 1.1
          Hide
          Aaron Hamid (Inactive) added a comment -

          FWIW we decided to switch to a batch feed integration for KIM identity data with KIM (at least identity service) in embedded mode, so this is not a blocker for us at the moment.

          Show
          Aaron Hamid (Inactive) added a comment - FWIW we decided to switch to a batch feed integration for KIM identity data with KIM (at least identity service) in embedded mode, so this is not a blocker for us at the moment.

            People

            • Assignee:
              Unassigned
              Reporter:
              Aaron Hamid (Inactive)
            • Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

              • Created:
                Updated:

                Structure Helper Panel