KB 2.9.0
- Last updated on March 5, 2024 at 6:02 PM
Date: January 9th, 2024
Reminder:
Since KB 2.7.0, the servers packaged in the KB distribution have been updated and require Java 11:
- Neo4j 3.5.35
- Elasticsearch 6.8.23
- Apache Tomcat 9.0.84
Important improvement (required)
Keycloak integration is now mandatory: the data-modifying endpoints of the API are secured with authentication, so the scripts and components that call them must authenticate through Keycloak. See the upgrade notes at the end of this document.
Fixes
- The tooltips showing property descriptions, introduced in version 2.8.2, now support locales with a regional subtag (KB-462). For a given property, if no description exists in the browser locale, a fallback value is looked up with the following logic:
- if the browser locale has no regional subtag, look for a description in a locale with the same language and a regional subtag, taking the first subtag in alphabetical order
- if the browser locale has a regional subtag, look for a description in the locale with the same language and no subtag
- if the browser locale has a regional subtag and the previous lookup fails, look for a description in a locale with the same language but another regional subtag, taking the first subtag in alphabetical order.
- Fixed displaying the internal links as HTML links (KB-463)
- Fixed the graph visualization which incorrectly applied the filter on the pointer types (KB-464)
Upgrade notes
This version requires upgrading the scripts used to manage the KB repository.
Follow these steps when upgrading from a previously installed KB:
1. Create a new client called "kb-cli" in Keycloak, with the Service Account setting enabled. You can copy the settings from the existing kb-ui client:
(Screenshot: kb-cli client settings)
   - In the Authentication flow section, check "Service accounts roles".
   - In the Credentials tab, pick "Client Id and Secret" and generate a secret. Copy the secret; it is needed later in this procedure.
   - Save the kb-cli client.
2. In the new admin-scripts directory, adjust the setenv.sh file: provide the URL of your Keycloak server and paste the secret of the kb-cli client. This file now holds a client secret, so restrict its permissions to the account that runs the scripts and keep it out of version control.
...
# Authentication to Keycloak is mandatory since KB 2.9.0
export USE_AUTH=true
export KEYCLOAK_URL=https://YOUR_KEYCLOAK_SERVER_DNS
export KEYCLOAK_REALM=mondeca
export CLIENT_ID=kb-cli
export CLIENT_SECRET=PROVIDE_KB-CLI_CLIENT_SECRET
3. In Tomcat, update the bin/setenv.sh file to set the configuration expected for the Keycloak integration:
...
# URL to Keycloak
export CATALINA_OPTS="$CATALINA_OPTS -Dkeycloak.auth-server-url=https://YOUR_KEYCLOAK_SERVER_DNS/auth"
...
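To check the outcome of steps 1 to 3 before running the admin scripts, the following POSIX shell script (an added example, not part of the KB distribution or its admin-scripts) reads the same variables that admin-scripts/setenv.sh exports, requests a token with the client_credentials grant as a service-account client does, and inspects the token payload. It assumes that Keycloak is served under the /auth context path, as the Tomcat setting above implies, and that the realm exposes the standard OpenID Connect token endpoint. The JWT inspection does not verify the signature (the KB API is responsible for that); it only confirms that the token was issued to kb-cli and has not expired. The sample token built by sample_jwt is constructed, unsigned test data.

```shell
#!/bin/sh
# Added example (not part of the KB distribution): sanity-check the kb-cli
# service account after editing admin-scripts/setenv.sh.
# Assumption: Keycloak is reachable under the /auth context path and exposes the
# standard OpenID Connect token endpoint of the realm.
set -eu

# Token endpoint of a realm (pure string building, no network).
# $1 = KEYCLOAK_URL (trailing slash tolerated), $2 = KEYCLOAK_REALM
token_endpoint() {
    printf '%s/auth/realms/%s/protocol/openid-connect/token' "${1%/}" "$2"
}

# Request an access token with the client_credentials grant, exactly as a
# service-account client does. Needs network access and curl; prints the token.
fetch_token() {
    curl -sS -f \
        -d grant_type=client_credentials \
        --data-urlencode "client_id=$CLIENT_ID" \
        --data-urlencode "client_secret=$CLIENT_SECRET" \
        "$(token_endpoint "$KEYCLOAK_URL" "$KEYCLOAK_REALM")" \
      | sed -n 's/.*"access_token":"\([^"]*\)".*/\1/p'
}

# Call an API endpoint with a bearer token: authed_curl TOKEN [curl args...]
authed_curl() {
    tok=$1; shift
    curl -sS -H "Authorization: Bearer $tok" "$@"
}

# Decode the payload (second dot-separated segment) of a JWT.
# base64url -> base64: swap the alphabet and restore the '=' padding.
jwt_payload() {
    seg=$(printf '%s' "$1" | cut -d. -f2 | tr '_-' '/+')
    case $(( ${#seg} % 4 )) in
        2) seg="$seg==" ;;
        3) seg="$seg=" ;;
    esac
    printf '%s' "$seg" | base64 -d
}

# Extract a top-level string or numeric claim from a decoded payload.
# jwt_claim PAYLOAD NAME  (flat values only; nested objects are not handled)
jwt_claim() {
    printf '%s' "$1" | sed -n "s/.*\"$2\":\"\{0,1\}\([^\",}]*\).*/\1/p"
}

# The token must have been issued to the expected client ('azp' claim).
token_is_for_client() {
    [ "$(jwt_claim "$(jwt_payload "$1")" azp)" = "$2" ]
}

# Exit status 0 when the token is expired; a missing 'exp' is treated as
# expired so that a malformed token fails closed.
token_expired() {
    exp=$(jwt_claim "$(jwt_payload "$1")" exp)
    [ -z "$exp" ] || [ "$exp" -le "$(date +%s)" ]
}

# Build an unsigned JWT from a payload JSON string. Constructed test data only:
# real Keycloak tokens are signed, and the KB API must verify that signature.
b64url() { base64 | tr -d '\n=' | tr '/+' '_-'; }
sample_jwt() {
    printf '%s.%s.' "$(printf '%s' '{"alg":"none","typ":"JWT"}' | b64url)" \
                    "$(printf '%s' "$1" | b64url)"
}

# Offline demonstration on a constructed token (issued to kb-cli, already expired).
demo=$(sample_jwt '{"azp":"kb-cli","exp":1700000000}')
token_is_for_client "$demo" kb-cli && token_expired "$demo" \
    && echo "constructed token: issued to kb-cli, already expired"

# Against the real server (needs the variables from admin-scripts/setenv.sh):
#   . ./setenv.sh; T=$(fetch_token)
#   token_is_for_client "$T" "$CLIENT_ID" && ! token_expired "$T" && echo "kb-cli OK"
```

If fetch_token prints nothing, curl -f has rejected the response: check the realm name, that "Service accounts roles" is enabled on kb-cli, and that the secret pasted into setenv.sh is the one currently shown in the Credentials tab.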
Vulnerabilities
- CVE-2023-31418 and CVE-2023-31419: both are denial-of-service vulnerabilities in the HTTP API of Elasticsearch. They are mitigated in KB because the Elasticsearch HTTP endpoints are not exposed directly: KB talks to Elasticsearch internally over the transport API. This mitigation holds only as long as the Elasticsearch HTTP port (9200 by default) is not reachable from untrusted networks, so confirm on each host that it is bound to localhost or blocked by the firewall. The vulnerabilities will be resolved during the first half of 2024 (S1 2024), when the version of Elasticsearch bundled with KB is upgraded to the latest version 8.
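To verify on a host that the mitigation actually applies, the following POSIX shell function (an added example, not part of the KB distribution) reads `ss -ltn` output and reports any listener on the Elasticsearch HTTP port that is bound to something other than a loopback address. The port number 9200 is the Elasticsearch default, and the SAMPLE_SS lines are constructed for the offline demonstration; pipe real `ss -ltn` output into the function to check a live server.

```shell
#!/bin/sh
# Added example (not from the KB documentation): flag an Elasticsearch HTTP
# listener bound to a non-loopback address in `ss -ltn` output.
set -eu

# exposed_es_listeners [PORT]: reads `ss -ltn`-style lines on stdin and prints
# every local address on PORT (default 9200) that is not loopback.
# Exit status 0 when nothing is exposed, 1 when at least one listener is.
exposed_es_listeners() {
    port=${1:-9200}
    found=0
    while read -r state recvq sendq local peer rest; do
        case $local in
            *:"$port") ;;                       # only sockets on the ES HTTP port
            *) continue ;;
        esac
        case $local in
            127.*|\[::1\]:*) continue ;;        # loopback binding is the safe case
        esac
        printf '%s\n' "$local"
        found=1
    done
    [ "$found" -eq 0 ]
}

# Constructed sample in the layout of `ss -ltn` (header line plus listeners):
# Elasticsearch HTTP on loopback only, transport on 9300, Tomcat on 8080.
SAMPLE_SS='State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 4096 127.0.0.1:9200 0.0.0.0:*
LISTEN 0 4096 127.0.0.1:9300 0.0.0.0:*
LISTEN 0 128 0.0.0.0:8080 0.0.0.0:*'

printf '%s\n' "$SAMPLE_SS" | exposed_es_listeners 9200 \
    && echo "sample: Elasticsearch HTTP port bound to loopback only"

# Live check on the current host (uncomment to run):
#   ss -ltn | exposed_es_listeners 9200 || echo "WARNING: Elasticsearch HTTP port reachable beyond localhost"
```

A wildcard binding such as 0.0.0.0:9200 or [::]:9200 means the Elasticsearch HTTP layer is reachable by anything that can route to the host, and the "not exposed directly" argument then depends entirely on the firewall in front of it.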