Unable to connect after upgrade from 4.6.11 to AxonServer 2023.2.x

Hi folks,

In my setup I upgraded from AxonServer 4.6.11-dev-jdk11 to 2023.2.2-jdk11 (both SE). I have developer mode and access control enabled. After the upgrade the application (running Axon Framework 4.9.2) is not able to connect to the server.

The token has not changed (is still in the properties). During the upgrade I deleted the control db and the server created a new one and I re-created the admin user via cli giving it ADMIN@* permissions.

If I deactivate access control the connection can be established, if I activate it - the connection is not possible with PERMISSION_DENIED: Invalid token for io.axoniq.axonserver.grpc.control.PlatformService/GetPlatformServer

Any ideas what I missed? How can I recover from this situation and activate access control again? Are there any special requirements for the token?

Here are the server settings:

axoniq.axonserver.name={{ hostname }}
axoniq.axonserver.hostname={{ fqdn_hostname }}
axoniq.axonserver.standalone=true
axoniq.axonserver.devmode.enabled=true
axoniq.axonserver.accesscontrol.enabled=true
axoniq.axonserver.accesscontrol.admin-token={{ axonserver_admin_token }}
axoniq.axonserver.accesscontrol.token={{ axonserver_token }}
axoniq.axonserver.default-command-timeout=600000
axoniq.axonserver.max-message-size=8MB
axoniq.axonserver.keep-alive-timeout=0

logging.file=/axonserver/data/axonserver.log
logging.file.max-history=10
logging.file.max-size=10MB

For the client settings I specified:

axon:
  axonserver:
    servers: {{ address }}:8124
    max-message-size: 8388608
    context: default
    token: {{ axonserver_token }}

Is the token only a secret used as a password, or is it somehow used in the server itself? Could I just change the token to some better value?

Cheers,

Simon

@allardbz @Marc_Gathier could you give me any hint?

If I’m not mistaken, ADMIN gives you administrative rights, but not rights to process messages. USE_CONTEXT is the permission you can assign to allow dispatching and subscribing.

As far as the docs say, I don't need users at all to connect as an application. And in SE it should be sufficient to have the token only…

At least it was working like this till 4.6.11…
As the current server is the codebase of EE server I wonder if the access control is working at all with SE. Should I file an issue somewhere?

Hi Simon,
As of AS 2023 Axon Server no longer uses the tokens in the Axon Server properties file. Instead you should define applications, either through the UI or through the CLI.
If you had upgraded by just replacing the jar file (without removing the controldb), Axon Server would have created 2 applications for you, one with the ADMIN rights with the admin-token and one with user rights (with the normal token).
To create the applications manually through the CLI, it is easiest to run the CLI on the Axon Server node, from the same directory as where you started Axon Server.
The command to use for a client application is:

java -jar axonserver-cli.jar register-application -a "name" -r USE_CONTEXT@default -T "the-token"

Marc

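Added example, not part of the thread and not Axon Server tooling: a small pre-upgrade check that flags the legacy token properties discussed above in an axonserver.properties file and builds the matching register-application command. The application name, the `AXON_CLIENT_TOKEN` environment variable and the sample token values are assumptions made for illustration.

```python
import shlex

# Property names as they appear in the server settings quoted in this thread.
ENABLED = "axoniq.axonserver.accesscontrol.enabled"
LEGACY = {
    "axoniq.axonserver.accesscontrol.token": "USE_CONTEXT",
    "axoniq.axonserver.accesscontrol.admin-token": "ADMIN",
}


def parse_properties(text):
    """Parse key=value lines, ignoring blank lines and # or ! comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props


def audit(text, app_name, context="default"):
    """Return (findings, cli_command) for a properties file moved to 2023.x."""
    props = parse_properties(text)
    # Assumption: a missing 'enabled' key means access control is off.
    if props.get(ENABLED, "false").lower() != "true":
        return [], None
    findings = [
        f"{key}: no longer read from the properties file; "
        f"needs an application with {role} rights"
        for key, role in LEGACY.items() if key in props
    ]
    command = None
    if "axoniq.axonserver.accesscontrol.token" in props:
        # Command form from the reply above. AXON_CLIENT_TOKEN is a hypothetical
        # environment variable, used so the secret is not echoed by this script.
        command = ("java -jar axonserver-cli.jar register-application "
                   f"-a {shlex.quote(app_name)} -r USE_CONTEXT@{context} "
                   '-T "$AXON_CLIENT_TOKEN"')
    return findings, command


# Constructed sample input (token values are made up).
SAMPLE = """\
axoniq.axonserver.accesscontrol.enabled=true
axoniq.axonserver.accesscontrol.admin-token=constructed-admin-token
axoniq.axonserver.accesscontrol.token=constructed-client-token
"""
```

The context passed to `audit` should match the `context` value in the client's `axon.axonserver` settings, since the USE_CONTEXT role is granted per context.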

Thank you Marc,

This solved the issue.
I believe in the docs the description of the token and admin-token should be changed then. I created an issue on that: Documentation Inaccuracy: Access Control in Axon Server SE · Issue #696 · AxonIQ/axon-server-se · GitHub

By the way - not deleting the controldb was leading to a situation where my existing admin user was not able to login to AxonServer console anymore, so I had to delete those…