Unlock a world of possibilities! Login now and discover the exclusive benefits awaiting you.
Search our knowledge base, curated by global Support, for answers ranging from account questions to troubleshooting error messages.
Qlik offers a wide range of channels to assist you in troubleshooting, answering frequently asked questions, and getting in touch with our technical experts. In this article, we guide you through all available avenues to secure your best possible experience.
For details on our terms and conditions, review the Qlik Support Policy.
Index:
We're happy to help! Here's a breakdown of resources for each type of need.
Support | Professional Services (*) | |
Reactively fixes technical issues as well as answers narrowly defined specific questions. Handles administrative issues to keep the product up-to-date and functioning. | Proactively accelerates projects, reduces risk, and achieves optimal configurations. Delivers expert help for training, planning, implementation, and performance improvement. | |
|
|
(*) reach out to your Account Manager or Customer Success Manager
Your first line of support: https://community.qlik.com/
Looking for content? Type your question into our global search bar:
Leverage the enhanced and continuously updated Knowledge Base to find solutions to your questions and best practice guides. Bookmark this page for quick access!
Subscribe to maximize your Qlik experience!
The Support Updates Blog
The Support Updates blog delivers important and useful Qlik Support information about end-of-product support, new service releases, and general support topics. (click)
The Qlik Design Blog
The Design blog is all about product and Qlik solutions, such as scripting, data modelling, visual design, extensions, best practices, and more! (click)
The Product Innovation Blog
By reading the Product Innovation blog, you will learn about what's new across all of the products in our growing Qlik product portfolio. (click)
Q&A with Qlik
Live sessions with Qlik Experts in which we focus on your questions.
Techspert Talks
Techspert Talks is a free webinar to facilitate knowledge sharing held on a monthly basis.
Technical Adoption Workshops
Our in depth, hands-on workshops allow new Qlik Cloud Admins to build alongside Qlik Experts.
Qlik Fix
Qlik Fix is a series of short video with helpful solutions for Qlik customers and partners.
Suggest an idea, and influence the next generation of Qlik features!
Search & Submit Ideas
Ideation Guidelines
Get the full value of the community.
Register a Qlik ID:
Incidents are supported through our Chat, by clicking Chat Now on any Support Page across Qlik Community.
To raise a new issue, all you need to do is chat with us. With this, we can:
Log in to manage and track your active cases in the Case Portal. (click)
Please note: to create a new case, it is easiest to do so via our chat (see above). Our chat will log your case through a series of guided intake questions.
When creating a case, you will be prompted to enter problem type and issue level. Definitions shared below:
Select Account Related for issues with your account, licenses, downloads, or payment.
Select Product Related for technical issues with Qlik products and platforms.
If your issue is account related, you will be asked to select a Priority level:
Select Medium/Low if the system is accessible, but there are some functional limitations that are not critical in the daily operation.
Select High if there are significant impacts on normal work or performance.
Select Urgent if there are major impacts on business-critical work or performance.
If your issue is product related, you will be asked to select a Severity level:
Severity 1: Qlik production software is down or not available, but not because of scheduled maintenance and/or upgrades.
Severity 2: Major functionality is not working in accordance with the technical specifications in documentation or significant performance degradation is experienced so that critical business operations cannot be performed.
Severity 3: Any error that is not Severity 1 Error or Severity 2 Issue. For more information, visit our Qlik Support Policy.
If you require a support case escalation, you have two options:
When other Support Channels are down for maintenance, please contact us via phone for high severity production-down concerns.
A collection of useful links.
Qlik Cloud Status Page
Keep up to date with Qlik Cloud's status.
Support Policy
Review our Service Level Agreements and License Agreements.
Live Chat and Case Portal
Your one stop to contact us.
If you utilize the aws-java-sdk to customize utility classes under Repository-->Code -> Routines and use this customized class within the components such as tJava / tJavaRow etc, please be aware that the aws-java-sdk is an all-in-one JAR. You might overlook the significance of SDK modularity and opt for an all-in-one JAR, potentially leading to the adverse effects detailed in the article.
1. Increased Application Size:
The all-in-one JAR bundles all AWS service SDKs together, significantly increasing the size of your application. This results in larger deployment artifacts, slower download times, and increased storage consumption, due to the increased size of the Job design (aws-java-sdk.jar: 100-400MB), thereby intensifying the network transfer burden for deployment.
2.Higher Memory Usage:
During application startup, loading the all-in-one JAR into memory demands additional memory, as all AWS service classes are loaded, including those not in use. This can result in increased memory consumption and footprint, and may lead to out-of-memory errors in resource-constrained environments.
3.Reduced Modularity and Flexibility:
Using the all-in-one JAR reduces the modularity of your application. It limits your ability to customize or optimize the inclusion of specific AWS services, leading to a less flexible and maintainable codebase.
Instead of including the entire aws-java-sdk JAR, opt for individual service modules. Include only the specific AWS SDK modules your application needs. For instance, if your application interacts only with S3 and DynamoDB, include only aws-java-sdk-s3 and aws-java-sdk-dynamodb dependencies.
This approach helps minimize the application size, reduces memory footprint, and enhances overall performance by loading only the necessary classes at runtime.
Qlik Sense Enterprise on Windows creates a subfolder on app import from the Qlik Sense Management Console. The folder uses the hostname of the server machine and will include a subdirectory named after the user carrying out the import.
The folder is emptied after the import has been completed. Unless the imported app is large and requires a long time to process, users will not see the temporary file being created.
In this example, we imported a 2 GB large file:
This article provides step-by-step instructions for implementing Azure AD as an identify provider for Qlik Cloud. We cover configuring an App registration in Azure AD and configuring group support using MS Graph permissions.
It guides the reader through adding the necessary application configuration in Azure AD and Qlik Sense Enterprise SaaS identity provider configuration so that Qlik Sense Enterprise SaaS users may log into a tenant using their Azure AD credentials.
Content:
Throughout this tutorial, some words will be used interchangeably.
The tenant hostname required in this context is the original hostname provided to the Qlik Enterprise SaaS tenant.
Copy the "value of the client secret" and paste it somewhere safe.After saving the configuration the value will become hidden and unavailable.
In the OpenID permissions section, check email, openid, and profile. In the Users section, check user.read.
Failing to grant consent to GroupMember.Read.All may result in errors authenticating to Qlik using Azure AD. Make sure to complete this step before moving on.
In this example, I had to change the email claim to upn to obtain the user's email address from Azure AD. Your results may vary.
While not hard, configuring Azure AD to work with Qlik Sense Enterprise SaaS is not trivial. Most of the legwork to make this authentication scheme work is on the Azure side. However, it's important to note that without making some small tweaks to the IdP configuration in Qlik Sense you may receive a failure or two during the validation process.
For many of you, adding Azure AD means you potentially have a bunch of clean up you need to do to remove legacy groups. Unfortunately, there is no way to do this in the UI but there is an API endpoint for deleting groups. See Deleting guid group values from Qlik Sense Enterprise SaaS for a guide on how to delete groups from a Qlik Sense Enterprise SaaS tenant.
Qlik Cloud: Configure Azure Active Directory as an IdP
Users are not able to see their alerts after upgrading Qlik Alerting. Alerts are visible only to the Qlik Alerting Admin.
This issue can be diagnosed by reviewing the Qlik Alerting logs (How to collect the Qlik Alerting log files).
ERROR Wrong password for user QVSERVICE.
ERROR Access denied
ERROR User qvservice@domain.local not found.
ERROR Wrong password for user User qvservice@domain.local.
ERROR History not found
To resolve this issue, follow these steps to restore the Qlik Alerting database:
Reference articles:
During the upgrade, Qlik Alerting was unable to locate the admin account, resulting in the need for the admin to reset the password. Consequently, all user accounts were affected, leading to the removal of user passwords. As a result, each user will need to recover their password using the "Forgot Password" link.
QB-28235
This article provides an example of how to retrieve user attributes from Excel.
For more information on the Qlik Sense User Directory Connector and its options for reading user attributes from different sources, see User directory connectors.
Synchronizing user data and attributes does not carry out authentication. It is intended to enable the use of additional attributes which may not otherwise be synchronized or to pre-emtively distribute licenses. Authentication must be handled by your choice of identity provider. In the Excel example, this would typically be Windows.
Each data source has a different configuration and the following example (Excel) of adding an ODBC user directory connector.
Do the following:
Verify that the Microsoft Excel Driver is installed.
Set up an ODBC source on the server.
You need to store the data in two separate sheets in the same excel file, for example, for example you can place it in this location: %ProgramData%\Qlik\Sense\temp.
The temp folder is not included in the default installation. You need to create the temp folder, if not already done by another QMC administrator.
SheetA contains the users and SheetB the user attributes.
Example:
SheetA
userid | name |
1 |
John |
2 |
Bill |
3 |
Tom |
SheetB
userid | type | value |
1 | jd@email.com | |
1 | lastname | Doe |
2 | bg@email.com | |
2 | lastname | Gates |
3 | th@email.com | |
3 | lastname | Hanks |
Select User directory connectors on the QMC start page or from the Start drop-down menu to display the overview. Create a new user directory connector (ODBC) and edit the properties.
Identification
All fields are mandatory and must not be empty.
Property DescriptionName | The name of the UDC configuration, defined from the QMC. |
Type |
The UDC type. |
User sync settings
Property Description Default valueSync user data for existing users |
|
Selected |
Connection
Property Description Default valueUser directory name |
The name of the user directory. Must be unique, otherwise the connector will not be configured. The name must not contain spaces. |
- |
Users table name | The name of the table containing the users. Include the file extension in the table name, for example: [SheetA$]. | - |
Attributes table name | The name of the table containing the user attributes. Include the file extension in the table name, for example: [SheetB$]. | - |
Visible connection string |
The visible part of the connection string that is used to connect to the data source. |
- |
Encrypted connection string |
The encrypted part of the connection string that is used to connect to the data source. Typically, this string contains user name and password. The two connection strings are concatenated into a single connection string when making the connection to the database. |
- |
Synchronization timeout (seconds) | The timeout for reading data from the data source. | 240 |
Example:
User table name: [SheetA$]
Attributes table name: [SheetB$]
Visible connections string: Driver={Microsoft Excel Driver (*.xls, *.xlsx, *.xlsm, *.xlsb)};Dbq=%ProgramData%\Qlik\Sense\temp
Click Apply to apply your changes.
Go to the User directory connectors overview and check if the user directory is displayed as Configured and Operational.
If the User directory name is not unique the connector will not be configured. If not operational, check the repository system log in: %ProgramData%\Qlik\Sense\Log\Repository\Trace.You have added an ODBC data source and initial synchronization will be performed within five minutes (by default).
Qlik ODBC connector package (database connector built-in Qlik Sense) fails to reload with error Connector reply error:
Executing non-SELECT queries is disabled. Please contact your system administrator to enable it.
The issue is observed when the query following SQL keyword is not SELECT, but another statement like INSERT, UPDATE, WITH .. AS or stored procedure call.
See the Qlik Sense February 2019 Release Notes for details on item QVXODBC-1406.
By default, non-SELECT queries are disabled in the Qlik ODBC Connector Package and users will get an error message indicating this if the query is present in the load script. In order to enable non-SELECT queries, allow-nonselect-queries setting should be set to True by the Qlik administrator.
To enable non-SELECT queries:
As we are modifying the configuration files, these files will be overwritten during an upgrade and will need to be made again.
Only apply !EXECUTE_NON_SELECT_QUERY if you use the default connector settings (such as bulk reader enabled and reading strategy "connector"). Applying !EXECUTE_NON_SELECT_QUERY to non-default settings may lead to unexpected reload results and/or error messages.
More details are documented in the Qlik ODBC Connector package help site.
Feature Request Delivered: Executing non-SELECT queries with Qlik Sense Business
Execute SQL Set statements or Non Select Queries
Qlik Replicate can use SAP HANA as the Backend Database, which you can define on the SAP Application (DB) Source Endpoint setting with Triggers in SAP HANA.
PM-13722
It may be necessary to migrate, backup, or otherwise move a Qlik Sense Enterprise on Windows app with its community and personal sheets included. This option is not available when using the default Export of the app in the Qlik Sense Enterprise Management Console, as this only experts a version of the app without personal and community sheets.
Note:
Community sheets can be promoted to public (base) sheets. See Adding sheets to the public sheets of an app.
Community and Personal sheets are kept in the binary file (.qvf) file stored in the Qlik Sense share storage.
This location is stated under Qlik Management Console (QMC) > Service Cluster > App folder:
The binary file is given the app ID (32 hexadecimal digit string) as the naming convention without the extension .qvf, you can find the ID of the app under QMC > Apps, there you can activate ID as a column and look for the ID of the app you need to import:
In order to backup community and private sheets (besides the base sheets), this binary file needs to be backed up following these steps:
Copy the file in any other location, e.g. desktop, downloads, etc.
All objects in the app (including bookmarks, snapshots, and so on) will be assigned to the App owner (admin importing the app), and all prior ownership information and publish states will be lost.
Are you looking to download your purchased Qlik Products or download a Trial? All supported on-premise Qlik Products can be downloaded from Qlik's Product Download Site.
To access the Download Site, you need an active QlikID. You will be able to see all products your account is eligible for.
You can access the Download Page directly here, or navigate to it from the Community Home page:
This shows the download page with the Latest release and patch preselected.
Unsupported versions are not available for download. See Product Lifecycle for details on what versions have reached end of support.
Alternatively, instead of selecting your product directly, you can also search all available columns:
If you encounter issues with the download site, start a chat with us and we will be able to help you right away.
Click here for video transcript
When working with the Oracle source endpoint, there is consistently a 30-minute latency. After an update is performed on the source, it takes 30 minutes for the changes to be reflected in the target Kafka. No configuration in the task explicitly sets this delay.
To address this issue, consider one of the following options:
Qlik Replicate captures changes from archived redo logs only. If changes on the source are still stored in Online Redo Logs during a given period, Qlik Replicate cannot retrieve them from the archived redo logs until approximately 30 minutes have passed.
In the Oracle source endpoint advanced property, Use archived redo logs only is ticked:
The task log reads:
2024-08-18T11:22:33 [SOURCE_CAPTURE ]I: Oracle CDC will access Archived Redo logs only
00293052
For almost all services or APIs running in production, the requirement exists to secure access to the service. In the rest of this article, we will look at how to ensure the following security requirements:
This article shows you how to implement these concepts when running data services or Routes in the Talend Runtime. The focus is on the cloud runtime, but also applies to on-premises environments. Microservices are not handled in this article.
The attached security.zip file contains a Talend Studio v7.0 project with a sample service and Route to experiment with. It can be imported into any Talend Studio v7.x. In addition, it contains sample configuration files for the LDAP login module described later.
For REST-based services, in a cloud environment, Talend provides support only for basic authentication, where the user name and password are sent in an HTTP header alongside the request in clear text. Therefore it is mandatory to use HTTPS instead of HTTP as the protocol to ensure that the password is encrypted. Contrary to on-premises, for cloud environments, SAML token and OAuth are not supported. If more sophisticated solutions are required, Talend recommends using an API Gateway to secure and control access to the services and APIs. Talend Help provides information on how to integrate with API Gateways and examples for deployment on AWS API Gateway and Azure API Management.
Activating basic authentication for a service or a Route is done in Talend Studio in the corresponding REST component (tRESTRequest in a data service, or cREST in a Route). A data service where authentication is enabled is shown below:
Figure 1: Authentication enabled data service
Enforcing authentication information when sending the request to the service is only half the story. The provided identity must be validated and compared to the set of accepted identities. Talend Runtime provides an authentication framework based on Java Authentication and Authorization Service (JAAS), which allows you to plug in different modules targeting a specific backend to validate identity information. Out of the box, Talend Runtime is configured to support a file-based backend, but among others LDAP can also be used to validate. For a complete list of supported backends, see the Apache Karaf documentation.
The PropertiesLoginModule login module is the one configured by default in the Talend Runtime. It is based on the ${Runtime_Home}/etc/users.properties file, which uses the properties file format. Each property represents an identity. The format of the property is as follows:
user=password[,role][,role]...
Several roles may also be grouped together and the group can be referenced in the user entry:
_g_\:group=role[,role]... user=password[,role][,_g_\:group]...
The figure below shows the users.properties file, which is part of the Talend Runtime installation. In addition to the standard users tadmin, tesb, and karaf, two users alice and bob were added.
Figure 2: Sample users file
Passwords in the properties file are in clear text by default, but can be hashed to ensure protection. To automatically hash passwords after restarting the runtime, open and edit the <Runtime_Home>/etc/org.apache.karaf.jaas.cfg file.
The encryption.enabled property must be set to true. Furthermore, the encryption algorithm in the property encryption.algorithm should be set to something like SHA-256. The configuration file should look like this:
Figure 3: org.apache.karaf.jaas.cfg
The properties file solution is fine to quickly get some identity information defined, for example, when testing, but does not scale well. Furthermore, in many cases, identity information is stored in some LDAP server or Active Directory. Talend runtime provides an LDAP module to validate identity information using the information stored in LDAP or Active Directory.
The security.zip file includes the OSGi Blueprint bundle file authentication/LDAP-login-config.xml, which activates the LDAP login module when deployed into the runtime, and the authentication/org.talend.esb.jaas.ldap.cfg file to configure the login module and adapt it to the specific environment.
Table 1: LDAP login parameters for authentication
Name |
Description |
connection.url |
The LDAP URL, for example, ldap://ldap-host.example.com:389 |
connection.username |
Username to connect to LDAP, for example, cn=admin,dc=example,dc=com. The user requires read access to the part of the Directory Information Tree (DIT) where the user information is stored. |
connection.password |
User password to connect to LDAP. |
user.base.dn |
The LDAP base DN used to look up users, for example, ou=users,dc=example,dc=com. |
user.filter |
The LDAP filter used to locate the user applied to the subtree specified in user.base.dn, for example, (uid=%u) where %u will be replaced by the username. |
user.search.subtree |
If “true”, the user lookup will be recursive (sub). If “false”, the user lookup will be performed only at the first level (one). |
authentication |
Specifies the authentication method used when binding to the LDAP server. The default is simple, where a username and password is required. To enable anonymous, set to none and leave username and password blank. |
Edit the configuration file and adapt the settings to your environment. Table 1 provides a list of the properties to be configured and their meaning. The configuration file also contains the description for each property. The sample values in Table 1 and in the configuration file correspond to the Directory Information Tree (DIT) structure shown in Figure 4.
When finished with editing, copy the configuration file to the directory <Runtime_Home>/etc.
Deploy the authentication/LDAP-login-config.xml file into the Talend Runtime. The easiest way to deploy it is to copy the file to the deploy folder of the Talend Runtime, <Runtime_Home>/deploy.
Often the LDAP server or Active Directory requires the use of Secure LDAP (LDAPS) to ensure the communication is encrypted. The LDAP login module also supports LDAPS, but in addition requires a keystore containing the X.509 certificate of the LDAP server. The location of the keystore and required passwords are specified in the OSGi Blueprint bundle file, which contains the specification of the LDAP login module.
security.zip includes an extended version of the OSGi Blueprint bundle file ldaps/LDAP-login-config.xml with an additional section for the keystore, and ldaps/org.talend.esb.jaas.ldap.cfg with additional properties to configure the keystore-related parameters. Table 2 provides a list of the additional properties that need to be configured.
Name |
Description |
truststore.path |
Absolute path to a trust store containing required Active Directory certificates, for example, /opt/talend/7.2.1/runtime/etc/keystores/ldaptruststore |
truststore.password |
Password for the specified trust store. |
The article Authorization for REST service based routes with HTTP Basic Authentication describes how to enable authorization for a Route, and how to configure the user properties file. If LDAP is used for identity validation, the user information is stored in the roles for authorization. Figure 5 shows a container object groups and three child objects that represent the different groups or roles. Users belonging to a group are referenced through the member attribute, where the fully qualified distinguished name of the user is specified.
Figure 5: Sample LDAP for groups/roles
security.zip includes an extended version of the OSGi Blueprint bundle file authorization/LDAP-login-config.xml with additional configuration parameters to retrieve roles, and authorization/org.talend.esb.jaas.ldap.cfg with additional properties to configure the parameters. Table 3 provides a list of the additional properties that need to be configured.
Table 3: LDAP login parameters for authorization
Name |
Description |
role.base.dn |
The LDAP base DN used to looking for groups/roles, for example, ou=groups,dc=example,dc=com |
role.filter |
The LDAP filter used to look for user’s role, for example, (member=%fqdn) where %fqdn will be replaced by the user's full qualified distinguished name |
role.name.attribute |
The LDAP role attribute containing the group/role string used by Talend Runtime, for example, cn |
Currently, the sample Route provided in article Authorization for REST service based routes with HTTP Basic Authentication and also included in security.zip does not work for Talend version 7.1, 7.2, and 7.3.
In the default configuration of the Talend Runtime, both HTTP and HTTPS are enabled, and the private key used for HTTPS is a well-known standard key provided by Talend. If you use HTTPS, replacing the key is a must.
org.osgi.service.http.enabled=false
The file should now look like:
The Server HTTP Configuration section of the Talend ESB Container Administration Guide provides documentation for the HTTP settings in org.ops4j.pax.web.cfg.
After the Remote Engine microservice is invoked over 100+ times intensely, the microservice becomes unresponsive, with threads getting stuck and not progressing. There are a total of 12 microservices deployed.
The customer has to un-deploy the affected microservice and redeploy it to restore functionality. However, after another period of intensive service usage, the same problem reoccurs.
Log trace and thread dump
http-nio-5081-exec-1
Stack Trace is:
java.lang.Thread.State: RUNNABLE
at java.net.SocketOutputStream.socketWrite0(java.base@11.0.24/Native Method)
at java.net.SocketOutputStream.socketWrite(java.base@11.0.24/SocketOutputStream.java:110)
at java.net.SocketOutputStream.write(java.base@11.0.24/SocketOutputStream.java:150)
at org.apache.logging.log4j.core.net.TcpSocketManager.writeAndFlush(TcpSocketManager.java:253)
at org.apache.logging.log4j.core.net.TcpSocketManager.write(TcpSocketManager.java:219)
- locked <0x00000006c72c6ed0> (a org.apache.logging.log4j.core.net.TcpSocketManager
As Microservice is an always-on daemon process that will occupy a dedicated log collector worker thread, with the Microservice deployment increasing and considering there will be other concurrent task executions that consuming more log collector workers, the default ms.worker.thread.number=10
will not meet the performance requirement and it should be adapted with a bigger size to avoid the race condition of the log collection process.
Please review the thread dump and make some adjustments to the configuration:
ms.worker.thread.number
in /etc/org.talend.ipaas.rt.dsrunner.log4jsocket.collector.cfg
file from 10 to 20.ms.worker.thread.number
should consider the total number of microservice deployed + concurrent tasks in high-load situations. For more information about Data Service Runner configuration files, please refer to Talend Help Documentation
Configuring-data-service-runner
Beginning with the Qlik Sense Enterprise on Windows May 2024 release, the Hub and DevHub no longer display an About menu option.
Previous versions allowed for access to the About information from their respective menus:
Any versions at or beyond May 2024 had the option removed:
To access version information or other product details, use the Qlik Sense Management Console or the About Service API (System Info: Get).
Example use from a supported browser:
https://<server name>/api/about/v1/systeminfo
The About menu option has been removed from the Hub and DevHub to address security concerns.
IM-6008
The purpose of this article is to provide details about enabling Full Load Passthru filter in Qlik Cloud Data Integration (QCDI) and get the selected data from the source during the initial load of the Landing or Replication Tasks.
The information in this article is provided as-is and will be used at your discretion. Depending on the tool(s) used, customization(s), and/or other factors, ongoing support on the solution below may not be provided by Qlik Support.
A connection through a Snowflake connector may fail if:
Qlik Sense Enterprise on Windows
Set up proxy as a system environment variable instead of using it as a connector-level advanced parameter.
This can be done by running the command below in an admin command prompt on the affected system(s), and rebooting the system
setx https_proxy "http://proxyserver.company.com:port" /M
Adding system-wide environment variables risks breaking other vendor's apps.
This document is a general guide and is provided as is. Modifications to the process may be necessary depending on your individual database setup.
If you have installed a standalone PostgreSQL database, or if you have used the Qlik PostgreSQL Installer (QPI) to upgrade and decouple your previously bundled database, then you can upgrade PostgreSQL at any time. This means you control maintenance and can immediately react to potential PostgreSQL security concerns by upgrading to a later service release or a later major version.
Content
This document covers the following scenario:
Run a complete backup of Qlik Sense Enterprise on Windows site as described in Backup and restore Qlik Sense Enterprise on Windows.
These steps apply if you are upgrading within a major PostgreSQL release (example: 14.5 to 14.8).
No further steps are required.
If you are moving to a higher major version, an in-place upgrade will not be possible. Instead, we will install the the new version in parallel, then then migrate the old database and eventually uninstall the old version. Our example is written using PostgreSQL 12 to 14.
Upgrading and unbundling the Qlik Sense Repository Database using the Qlik PostgreSQL Installer
How to manually upgrade the bundled Qlik Sense PostgreSQL version to 12.5 version
Changing the Database Superuser Password without Qlik Sense Installed
When implementing a REST service in a Mediation route using the cREST component as route consumer, Studio provides three ways to authenticate the service: HTTP Basic, SAML token, and OpenID Connect. Only the SAML token provides an option to enable authorization. Unfortunately, the SAML token is not an adequate solution in many use cases because third-party service clients cannot be expected to acquire a SAML token and integrate it into the request. Often HTTP basic authentication, together with HTTPS, is the only way to integrate third-party clients.
Studio does not support authorization when selecting HTTP basic authentication as an authentication type.
In Routes, you can enhance the cRest component to implement role-based authorization with the help of an authorizing filter.
Sources for the project are available in the attached Authorization.zip file.
The cREST component is based on the Camel CXFRS component and the JAX-RS implementation of CXF. In JAX-RS, the runtime is extended and customized through providers. CXF JAX-RS provides a SimpleAuthorizingFilter, extending a REST endpoint with role-based authorization.
One way to add providers in CXFRS is to add the providers option to the endpoint URL of the CXFRS component. The providers are registered as beans in the Camel registry and referenced by name in the providers option. For more information on the exact syntax in the providers option and a complete list of all other options, see the Apache Camel, CXF-RS Component page.
Figure 1 shows a Mediation route in Studio that implements a web service with authentication and authorization.
Figure 1. REST service with authentication and authorization
In the cREST component, you can enforce authentication on the Basic settings tab by enabling the Use Authentication check box and selecting HTTP Basic as the authentication protocol.
Figure 2. Basic settings of the REST endpoint
Enforcing authorization in the cREST component is slightly more involved. It requires setting the additional "providers" option, which is implemented by the bean registered under the name of "authFilter" in the Advanced settings tab, as shown in Figure 3.
Figure 3. Advanced settings of the REST endpoint
In this example, the cBeanRegister component initializes the SimpleAuthorizingFilter, and registers it under the name "authFilter", as shown in Figure 4.
Figure 4. Definition and registration of the authorizing filter
The filter is mainly a wrapper around the SimpleAuthorizingInterceptor, which does the actual work. It is also the interceptor where the roles are specified that authorize the service to execute. In this article, the setGlobalRoles method specifies the roles manager and admin in the beans definition code, which allows them to execute the service. In a real-world use case, you would specify them through a context variable.
The Authorization.zip file, attached to this article, contains an executable sample project (v6.5.1). You can experiment with the project by deploying it in a Talend Runtime and trying different outcomes. For example, you could add a few users to the etc/users.properties file with corresponding roles.
Figure 5 shows a users.properties file where the user alice has the manager and employee role, and user bob only has the employee role. Call the deployed service using the URL (http://localhost:8040/services/test). If authenticating with user alice the call is successful. If authenticating with user bob you should get HTTP return code 403. The sample not only works with the JAAS PropertiesLoginModule but also with the other login modules supported by the Talend Runtime, such as LDAPLoginModule or SyncopeLoginModule.
Figure 5. Sample users file
Database previews are not shown successfully when loading Google BigQuery tables. An Unknown Error is shown.
The data load itself is successful.
Upgrade to a Qlik Sense version which includes updated Google BigQuery drivers that support the snapshot table type.
Upgrade to:
Avoid using the snapshot table type.
Information provided on this defect is given as is at the time of documenting. For up to date information, please review the most recent Release Notes, or contact support with the ID QB-28365 for reference.
Product Defect ID: QB-28365
When connecting to a MySQL database via JDBC, there will occur below connection error message from TAC or Talend tMysqlConnection, tMysqlInput and tMysqlOutput components.
java.sql.SQLNonTransientConnectionException: Public Key Retrieval is not allowed
The error message java.sql.SQLNonTransientConnectionException: Public Key Retrieval is not allowed
typically occurs when you're trying to connect to a MySQL database using JDBC and the connection URL is not correctly configured to allow public key retrieval for SSL connections. This is a regular setting when using MySQL 8.0+ with certain security configurations.
Add client option to your connection URL mysql-connector allowPublicKeyRetrieval=true to allow the client to automatically request the public key from the server.
jdbc:mysql://localhost:3306/db?allowPublicKeyRetrieval=true&useSSL=false