Hi Bhathiya,

On Thu, Jul 20, 2017 at 4:50 PM, Bhathiya Jayasekara <[email protected]> wrote:

> Hi Sathya,
>
> On Thu, Jul 20, 2017 at 2:34 PM, Sathya Bandara <[email protected]> wrote:
>
>> Hi all,
>>
>> With the current user core implementation we do not include a SCIM
>> user_id for admin users (since SCIM is not used in all products), which
>> prevents SCIM based CRUD operations on admin users. In order to implement
>> this we have identified the following two approaches.
>>
>> *#option 1*
>>
>> Generate admin users' SCIM userId in the SCIM component activator at server
>> start up (for admin users in the super tenant domain). For tenant admins we can
>> configure a listener on tenant admin creation in TenantMgtService [2] to
>> generate the user_id if SCIM is enabled.
>
> The super tenant case is fine, but when you use a listener for tenants, if
> someone enables SCIM later, existing tenant admins will not be SCIM
> compatible. To avoid that, can't we skip the "if SCIM is enabled" part of
> your suggestion? Will that be a problem?

To support SCIM, the user store should support storing the scim_id attribute
and other attributes. So if they enable it later, they should explicitly
configure the IDs. Whether to support SCIM or not is an organization decision
which should be taken before you set up the environments. And the primary user
store for tenants also gets the configuration of the super tenant primary
store (apart from tenant partitioning), so this should be fine.

-Ishara

> Another option is to use the same approach as the super tenant: get all active
> tenants at component activation and set SCIM ids for them. But I don't think
> that's a good idea as it can slow down the server startup (unless you do
> that in a separate thread).
>
> Thanks,
> Bhathiya
>
>> *#option 2*
>>
>> In AbstractUserStoreManager [1] modify the addInitialAdminData() operation
>> to apply the SCIM user_id claim when adding a new admin user. For the default
>> LDAP admin we can check the already existing claims for the user_id claim
>> and generate a random id if it doesn't exist. For tenant admins this can be
>> done via the above mentioned listener. In this approach we expose SCIM on
>> all the other products which do not support SCIM, since we implement this at
>> kernel level.
>>
>> In my opinion, option 1 would be more suitable since in this approach we
>> do not need to additionally provide this feature on products that do not
>> support SCIM.
>>
>> Highly appreciate your suggestions on this.
>>
>> [1] https://github.com/wso2/carbon-kernel/blob/4.4.x/core/org.wso2.carbon.user.core/src/main/java/org/wso2/carbon/user/core/common/AbstractUserStoreManager.java#L3835
>> [2] https://github.com/wso2/carbon-multitenancy/blob/master/components/tenant-mgt/org.wso2.carbon.tenant.mgt/src/main/java/org/wso2/carbon/tenant/mgt/services/TenantMgtAdminService.java#L57
>>
>> Thanks,
>> Sathya
>> --
>> Sathya Bandara
>> Software Engineer
>> WSO2 Inc. http://wso2.com
>> Mobile: (+94) 715 360 421
>>
>> _______________________________________________
>> Architecture mailing list
>> [email protected]
>> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
>
> --
> Bhathiya Jayasekara
> Associate Technical Lead,
> WSO2 inc., http://wso2.com
> Phone: +94715478185
> LinkedIn: http://www.linkedin.com/in/bhathiyaj
> Twitter: https://twitter.com/bhathiyax
> Blog: http://movingaheadblog.blogspot.com

--
Ishara Karunarathna
Associate Technical Lead
WSO2 Inc. - lean . enterprise . middleware | wso2.com
email: [email protected], blog: isharaaruna.blogspot.com, mobile: +94717996791
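As an added illustration of what the option 1 flow discussed above could look like in code (this is example code written for this page, not code from the thread or from the WSO2 repositories): one idempotent `ensureScimId` routine that is called once for the super tenant admin from the SCIM component activator and once per new tenant admin from a `TenantMgtListener`. The class and package names are hypothetical; the example assumes the `TenantMgtListener`/`TenantInfoBean` types from carbon-multitenancy's `org.wso2.carbon.stratos.common` package, the `RealmService`/`UserStoreManager` claim API from carbon-kernel, and the SCIM 1.1 core `id` claim URI. None of those is settled by the thread itself.

```java
// Added example; hypothetical class and package, not part of any WSO2 repository.
package org.example.scim;

import java.util.UUID;

import org.wso2.carbon.stratos.common.beans.TenantInfoBean;
import org.wso2.carbon.stratos.common.exception.StratosException;
import org.wso2.carbon.stratos.common.listeners.TenantMgtListener;
import org.wso2.carbon.user.api.UserStoreException;
import org.wso2.carbon.user.api.UserStoreManager;
import org.wso2.carbon.user.core.UserCoreConstants;
import org.wso2.carbon.user.core.service.RealmService;

/**
 * Makes sure admin users carry a SCIM id claim: the super tenant admin at component
 * activation, and each tenant admin from a tenant-creation listener (option 1).
 *
 * Assumptions of this example: the TenantMgtListener interface and TenantInfoBean are
 * the ones in carbon-multitenancy (org.wso2.carbon.stratos.common), and the SCIM id
 * claim URI is the SCIM 1.1 core "id" claim. The thread does not establish either.
 */
public class AdminScimIdListener implements TenantMgtListener {

    /** Assumed claim URI for the SCIM user id (SCIM 1.1 core schema). */
    static final String SCIM_ID_CLAIM = "urn:scim:schemas:core:1.0:id";

    private final RealmService realmService;

    public AdminScimIdListener(RealmService realmService) {
        this.realmService = realmService;
    }

    /**
     * Idempotent: returns the id already stored for the user and only writes a fresh
     * random UUID when the claim is absent. The read-before-write is the point: overwriting
     * an existing id would break every external SCIM reference to that user, and it is what
     * makes the same call safe to replay against tenants that were created earlier.
     * If the user store has no attribute mapped for the claim, setUserClaimValue throws, so
     * the caller sees the failure instead of ending up with a silently SCIM-incompatible admin.
     */
    static String ensureScimId(UserStoreManager usm, String username) throws UserStoreException {
        String existing = usm.getUserClaimValue(username, SCIM_ID_CLAIM,
                UserCoreConstants.DEFAULT_PROFILE);
        if (existing != null && !existing.trim().isEmpty()) {
            return existing;
        }
        String fresh = UUID.randomUUID().toString();
        usm.setUserClaimValue(username, SCIM_ID_CLAIM, fresh, UserCoreConstants.DEFAULT_PROFILE);
        return fresh;
    }

    /** Super tenant case: call once from the SCIM component activator. */
    public static String ensureSuperTenantAdminScimId(RealmService realmService)
            throws UserStoreException {
        String adminName = realmService.getBootstrapRealmConfiguration().getAdminUserName();
        return ensureScimId(realmService.getBootstrapRealm().getUserStoreManager(), adminName);
    }

    /** Tenant case: runs on tenant creation, for the admin named in the tenant bean. */
    @Override
    public void onTenantCreate(TenantInfoBean tenantInfo) throws StratosException {
        try {
            UserStoreManager usm = realmService.getTenantUserRealm(tenantInfo.getTenantId())
                    .getUserStoreManager();
            ensureScimId(usm, tenantInfo.getAdmin());
        } catch (UserStoreException e) {
            throw new StratosException("Could not assign a SCIM id to the admin of tenant "
                    + tenantInfo.getTenantDomain(), e);
        }
    }

    // The remaining callbacks of the (assumed) interface are no-ops for this listener.
    @Override public void onTenantUpdate(TenantInfoBean tenantInfo) { }
    @Override public void onTenantDelete(int tenantId) { }
    @Override public void onTenantRename(int tenantId, String oldDomain, String newDomain) { }
    @Override public void onTenantInitialActivation(int tenantId) { }
    @Override public void onTenantActivation(int tenantId) { }
    @Override public void onTenantDeactivation(int tenantId) { }
    @Override public void onSubscriptionPlanChange(int tenantId, String oldPlan, String newPlan) { }
    @Override public void onPreDelete(int tenantId) { }
    @Override public int getListenerOrder() { return 0; }
}
```

Two properties of this shape matter for the points raised in the thread. Because `ensureScimId` never overwrites a value that is already present, the same method can later be run over tenants created before SCIM was switched on without disturbing admins that already have an id, which is the case Bhathiya asks about. And because it writes through the claim API rather than touching the store directly, a user store with no attribute mapped for the id claim (Ishara's LDAP point) fails loudly at provisioning time rather than producing an admin that SCIM cannot address.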
