02.13.2023 TT Agenda - QualitativeDataRepository/TechnicalTeam GitHub Wiki

Seba

Notes

  • S3 backup tool is working - a few small bugs but these are fixed
  • Committed the Terraform changes needed for the EventBridge tool
  • Terraform wasn't working on Jenkins - weirdly a missing SSH key (but re-added)
  • Link that is in agenda for infratools -

Discussion / Coordination

From Jim:

I'm seeing 504 timeouts on dev that come from the AWS ELB (server: awselb/2.0 according to the browser). They occur sometimes with Drupal (where dev does not aggregate the js and css calls so there can be a quick rush of requests) and now with the Keycloak admin console (again, lots of css and js calls being made - it isn't clear that Keycloak has a way to aggregate those). These occur after 10 seconds. I've checked the dev ELB settings that I know and don't see any timeouts that are less than 600 seconds, so I'm not sure where this is coming from. It may become a showstopper with the Keycloak v20 server.

It's not clear that it will be easy to keep the LDAP entries exactly as they are, e.g. with entries being posixAccounts, a unique numeric identifier has to be sent. We do this in custom code in Drupal, but I don't think we use it anywhere. Do we have requirements on LDAP beyond keeping the current SSO functionality?

  • Keycloak to read LDAP - but it might not be possible for Keycloak to write back data as posixAccounts (we don't use these at all)... So as long as we get the same functionality we don't need LDAP stores
  • Keycloak can cache info in Postgres - if we can get people to reset their passwords - we can get them to drop LDAP

Jim

Keycloak

  • Can do many logic-based exercises for credentialling
  • Could replace the registration forms, etc. Instead of happening within Drupal iframe - user taken to different web component.

Etc

  • a few Drupal security issues on Stage
  • 5.13 this week and 5.14 is slated for June (before community meeting)