Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Make carbon mgt console & soap services disabled by default #20755

Open
darshanasbg opened this issue Jul 23, 2024 · 9 comments
Open

Make carbon mgt console & soap services disabled by default #20755

darshanasbg opened this issue Jul 23, 2024 · 9 comments
Labels
deprecation Team/Identity Server Core Type/Improvement

Comments

@darshanasbg
Copy link
Contributor

Is your suggestion related to an experience ? Please describe.
Carbon Management Console has been deprecated with IS 7.0.0
https://is.docs.wso2.com/en/latest/references/about-this-release/#deprecated-features

SOAP Services has been deprecated since IS 6.0.0
https://is.docs.wso2.com/en/6.1.0/references/about-this-release/#deprecated-features

As the first step retiring these functionality, its better to disable these two in the default pack.

Describe the improvement
Have soap services and the carbon management console not accessible in the default pack.

Need to consider giving a feature flag to enable soap services to keep the backward compatibility for anyone who is migrating from an old version.

Additional context
Fully retiring these features would possibly be done with next major IS version.
@janakamarasena
Copy link
Member

Would be good if soap services can be selectively enabled so anyone can enable only the ones they require.

@darshanasbg
Copy link
Contributor Author

Would be good if soap services can be selectively enabled so anyone can enable only the ones they require.

Yeah.. We can consider that..

@shashimalcse
Copy link
Contributor

Identified a couple of SOAP services used in IS7 management console features related to API access management and authroization. Giving a feature flag to enable these features would be ideal.

  • Entitlement (XACML)
    • EntitlementAdminService (PDP Configurations)
    • EntitlementService (PDP Endpoint)
    • EntitlementPolicyAdminService (PAP)
  • Roles List (Managing permissions of old roles. mail : Revamping Management Console in IS 7.0.0
    )
    • UserAdmin (role management)
  • Consent Purpose (Don't know the exact SOAP service used for this)

The following are some SOAP services not used in the console (We can disable these for the default pack):

  • OAuth2TokenValidationService (token validation)
  • ServerRolesManager (manage server roles)
  • OAuthAdminService (manage oauth apps)
  • IdentityApplicationManagementService (application mgt)
  • ResourceAdminService

@darshanasbg
Copy link
Contributor Author

Thanks for the analysis @shashimalcse..

IMO, we should not ask to access management console or soap services for any features that are not deprecated in the product.. We should have corresponding REST APIs and new UIs to use them..

We may allow selective access to soap services, considering the backward compatibility of the legacy deprecated features.. But that should be only used for that purpose..

@shashimalcse
Copy link
Contributor

@darshanasbg agree! there is an effort ongoing with XACML REST APIs and the new console UI. Let's track those.

@darshanasbg
Copy link
Contributor Author

Carbon products have a inbuilt capability to avoid registering the axis services that come through the OSGi bundles by setting a system property named optimize.
Ref: https://github.com/wso2/carbon-kernel/blob/6b7b18a83a551227bcda7484cf3735eb60dca52c/core/org.wso2.carbon.core/src/main/java/org/wso2/carbon/core/init/CarbonServerManager.java#L482

For example if we start the product using sh wso2server.sh -Doptimize=true, it will not register the soap services.

Although this does not have the capability to enable services selectively, IMO we should use this capability and have the all the soap services disabled as the default functionality of the product as the starting point giving the benefit of reduced exposed surface for the majority of the product users..

@darshanasbg darshanasbg mentioned this issue Feb 19, 2025
Open
@darshanasbg
Copy link
Contributor Author

darshanasbg commented Feb 19, 2025
edited
Loading

Carbon products have a inbuilt capability to avoid registering the axis services that come through the OSGi bundles by setting a system property named optimize. Ref: https://github.com/wso2/carbon-kernel/blob/6b7b18a83a551227bcda7484cf3735eb60dca52c/core/org.wso2.carbon.core/src/main/java/org/wso2/carbon/core/init/CarbonServerManager.java#L482

For example if we start the product using sh wso2server.sh -Doptimize=true, it will not register the soap services.

Although this does not have the capability to enable services selectively, IMO we should use this capability and have the all the soap services disabled as the default functionality of the product as the starting point giving the benefit of reduced exposed surface for the majority of the product users..

@darshanasbg
Copy link
Contributor Author

Disabling soap services restrict the use of the management console, thus management console landing page updated to look like following , if the soap services are disabled.. Note the header banner is updated and the sign-in form has been removed.

Image

@darshanasbg darshanasbg mentioned this issue Feb 19, 2025
Merged
@darshanasbg
Copy link
Contributor Author

In summary, with the changes

it will make the management console and the soap services disabled by default and in order to make them available, product needs to start with the system param-Doptimize=false added.

ex:

sh wso2server.sh -Doptimize=true

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
deprecation Team/Identity Server Core Type/Improvement
Projects
Identity Server-7.2.0
Status: No status
Milestone
No milestone
Development

No branches or pull requests
4 participants
@darshanasbg @janakamarasena @nilasini @shashimalcse