Breaking Change in CKAN v2.10.3: Missing beaker.session.validate_key Parameter Causes Errors #7999
Comments
Additional Comment: Acknowledgement of Changelog and Further Concerns Acknowledgement: Concern Regarding Package Versioning and Breaking Changes: Implications:
Recommendations:
Note for person who will work on this issue: validate-key must be set to
You are correct. CKAN does not follow Semantic Versioning; the move from 2.8 to 2.9 was full of breaking changes, and the move from 2.9 to 2.10 likewise. (It would be nice if that changed, but I've seen no sign of appetite for it.)
[#7999] Optional session.validate_key
I'm going to close this as the actual issue (error when missing

For historical reasons CKAN doesn't follow Semantic Versioning strictly; as described in the docs, minor releases (e.g. 2.8 -> 2.9 or 2.9 -> 2.10) do contain backwards incompatible changes, although we try to minimize them as much as possible. Patch releases (e.g. 2.10.3 -> 2.10.4) should not contain backwards incompatible changes, but sometimes we are forced to introduce them for security reasons, either to fix an active vulnerability or because the tech team decides that the default behavior of CKAN exposes users unnecessarily. The

Regarding the pinning of patch versions in the package registry, we will likely revisit how packages are built really soon and we can consider adding patch versions to allow pinning (as we do with our Docker images). But in any case, it's important to remember that the latest patch release is the only one supported and that running an old one might mean being exposed to vulnerabilities.

Perhaps it's just because we run a few dozen plugins, but my team's experience has been that the upgrades from 2.8 to 2.9, and from 2.9 to 2.10, were a whole program of work each. I really think it's worth reconsidering the current distinction between major and minor version increments.
CKAN version
2.10.3
Describe the bug
We have recently encountered a breaking change in CKAN version 2.10.3 related to the `beaker.session.validate_key` configuration parameter. In our setup, CKAN runs under an NGINX Proxy server, and we use Docker for deployment.

Previous Behavior (v2.10.1):
In CKAN version 2.10.1, which we were using, the command for generating the `ckan.ini` configuration file did not include the `beaker.session.validate_key` parameter. This led us to believe that the parameter was not mandatory or automatically handled by CKAN.

Current Issue (v2.10.3):
Upon updating to version 2.10.3, we faced accessibility issues with CKAN. It could not accept requests due to an error stemming from the absence of the `beaker.session.validate_key` parameter in the configuration. This parameter is now enforced as mandatory in `config_declaration.yaml` as per commit `06d72d2d8cfb61e4773097cd80f768a323b1ffef`.

Impact:
This change has caused significant disruption as our application, which was expected to run smoothly post-upgrade, failed to do so. It took us a considerable amount of time to identify the root cause of the issue.

Proposed Solution:
`beaker.session.validate_key` in their `ckan.ini` file.
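A pre-upgrade check for the failure reported in this issue, as an added example that is not part of the original issue or of CKAN's code: it parses a `ckan.ini` and reports when `beaker.session.validate_key` is absent or blank in `[app:main]`, so a deployment pipeline can fail before the container is replaced. The function names and the sample configs are constructed for illustration.

```python
import configparser
import sys

SECTION = "app:main"  # section of ckan.ini that holds CKAN's settings
REQUIRED = ("beaker.session.validate_key",)  # option this issue reports as mandatory in 2.10.3

# Constructed sample configs (not real deployments).
WITHOUT_KEY = """\
[app:main]
use = egg:ckan
ckan.site_url = http://localhost:5000
"""
WITH_KEY = WITHOUT_KEY + "beaker.session.validate_key = constructed-placeholder-value\n"


def missing_options(ini_text, required=REQUIRED, section=SECTION):
    """Return the required options that are absent or blank in ini_text."""
    # interpolation=None keeps values such as %(here)s from being expanded or rejected.
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(ini_text)
    if not parser.has_section(section):
        return list(required)
    return [
        name for name in required
        if not parser.get(section, name, fallback="").strip()
    ]


def main(argv):
    if len(argv) != 2:
        print("usage: check_ckan_ini.py /path/to/ckan.ini", file=sys.stderr)
        return 2
    with open(argv[1], encoding="utf-8") as handle:
        missing = missing_options(handle.read())
    for name in missing:
        print(f"{argv[1]}: [{SECTION}] {name} is missing or empty", file=sys.stderr)
    return 1 if missing else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The check only establishes that the option is present and non-empty; it does not judge whether the value itself is suitable.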