Hi Ishara,

On Thu, Jul 20, 2017 at 4:57 PM, Ishara Karunarathna <[email protected]> wrote:

> HI Bhathiya,
>
> On Thu, Jul 20, 2017 at 4:50 PM, Bhathiya Jayasekara <[email protected]> wrote:
>
>> Hi Sathya,
>>
>> On Thu, Jul 20, 2017 at 2:34 PM, Sathya Bandara <[email protected]> wrote:
>>
>>> Hi all,
>>>
>>> With the current user core implementation we do not include a SCIM user_id for admin users (since SCIM is not used in all products), which prevents SCIM based CRUD operations on admin users. In order to implement this we have identified the following two approaches.
>>>
>>> *#option 1*
>>>
>>> Generate admin users' SCIM userId in the SCIM component activator at server start up (for admin users in the super tenant domain). For tenant admins we can configure a listener on tenant admin creation in TenantMgtService [2] to generate user_id if SCIM is enabled.
>>
>> The super tenant case is fine, but when you use a listener for tenants, if someone enables SCIM later, existing tenant admins will not be SCIM compatible. To avoid that, can't we skip the "if SCIM is enabled" part of your suggestion? Will that be a problem?
>
> To support SCIM, the user store should support storing the scim_id attribute and other attributes. So if they enable it later they should explicitly configure the IDs. Whether to support SCIM or not is an organization decision which should be taken before you set up the environments.
> And the primary user store for tenants also gets the configuration of the super tenant primary store (apart from tenant partitioning), so this should be fine.

I missed the fact that we have enabled SCIM by default in the primary user store. With that, this is fine.

Thanks,
Bhathiya

> -Ishara
>
>> Another option is to use the same approach as the super tenant: get all active tenants at component activation and set SCIM ids for them. But I don't think that's a good idea as it can slow down the server startup (unless you do that in a separate thread).
>>
>> Thanks,
>> Bhathiya
>>
>>> *#option 2*
>>>
>>> In AbstractUserStoreManager [1] modify the addInitialAdminData() operation to apply the SCIM user_id claim when adding a new admin user. For the default LDAP admin we can check the already existing claims for the user_id claim and generate a random id if it doesn't exist. For tenant admins this can be done via the above mentioned listener. In this approach we expose SCIM on all the other products which do not support SCIM, since we implement this at kernel level.
>>>
>>> In my opinion, option 1 would be more suitable since in this approach we do not need to additionally provide this feature on products that do not support SCIM.
>>>
>>> Highly appreciate your suggestions on this.
>>>
>>> [1] https://github.com/wso2/carbon-kernel/blob/4.4.x/core/org.wso2.carbon.user.core/src/main/java/org/wso2/carbon/user/core/common/AbstractUserStoreManager.java#L3835
>>> [2] https://github.com/wso2/carbon-multitenancy/blob/master/components/tenant-mgt/org.wso2.carbon.tenant.mgt/src/main/java/org/wso2/carbon/tenant/mgt/services/TenantMgtAdminService.java#L57
>>>
>>> Thanks,
>>> Sathya
>>> --
>>> Sathya Bandara
>>> Software Engineer
>>> WSO2 Inc. http://wso2.com
>>> Mobile: (+94) 715 360 421
>>>
>>> _______________________________________________
>>> Architecture mailing list
>>> [email protected]
>>> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
>
> --
> Ishara Karunarathna
> Associate Technical Lead
> WSO2 Inc. - lean . enterprise . middleware | wso2.com
> email: [email protected], blog: isharaaruna.blogspot.com, mobile: +94717996791

--
*Bhathiya Jayasekara*
*Associate Technical Lead,*
*WSO2 inc., http://wso2.com*
*Phone: +94715478185*
*LinkedIn: http://www.linkedin.com/in/bhathiyaj*
*Twitter: https://twitter.com/bhathiyax*
*Blog: http://movingaheadblog.blogspot.com*
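A sketch of the idempotent provisioning step that both options in the thread rely on (check for an existing SCIM id claim, generate a random one only when it is absent, and apply the same routine to the super tenant admin at activation and to a tenant admin from a listener). This is an added example, not code from the thread or from the Carbon code base; the claim URI, the `default` profile name and the RealmService/UserStoreManager calls are assumptions to verify against the deployed kernel version.

```java
import java.util.UUID;
import org.wso2.carbon.user.api.RealmConfiguration;
import org.wso2.carbon.user.api.UserRealm;
import org.wso2.carbon.user.api.UserStoreException;
import org.wso2.carbon.user.api.UserStoreManager;
import org.wso2.carbon.user.core.service.RealmService;

/**
 * Ensures an admin user carries a SCIM id claim. The check-before-generate
 * order matters: restarts and repeated listener invocations must never
 * overwrite an id that SCIM clients already reference.
 */
public final class AdminScimIdProvisioner {

    // Assumption: SCIM 1.1 id claim URI used by the SCIM component.
    static final String SCIM_ID_CLAIM = "urn:scim:schemas:core:1.0:id";
    // Assumption: claims are read/written on the default user profile.
    static final String DEFAULT_PROFILE = "default";

    private AdminScimIdProvisioner() {}

    /** Returns the id now held by the user: the existing one, or a freshly persisted UUID. */
    public static String ensureScimId(UserStoreManager usm, String adminUser)
            throws UserStoreException {
        String existing = usm.getUserClaimValue(adminUser, SCIM_ID_CLAIM, DEFAULT_PROFILE);
        if (existing != null && !existing.trim().isEmpty()) {
            return existing;                       // already provisioned: keep it stable
        }
        String generated = UUID.randomUUID().toString();   // random, unguessable id
        usm.setUserClaimValue(adminUser, SCIM_ID_CLAIM, generated, DEFAULT_PROFILE);
        return generated;
    }

    /** Option 1, super tenant: call once from the SCIM component activator. */
    public static String provisionSuperTenantAdmin(RealmService realmService)
            throws UserStoreException {
        UserRealm realm = realmService.getBootstrapRealm();
        return provisionRealmAdmin(realm);
    }

    /** Option 1, tenant: call from the tenant creation listener with the new tenant's id. */
    public static String provisionTenantAdmin(RealmService realmService, int tenantId)
            throws UserStoreException {
        UserRealm realm = realmService.getTenantUserRealm(tenantId);
        return provisionRealmAdmin(realm);
    }

    private static String provisionRealmAdmin(UserRealm realm) throws UserStoreException {
        RealmConfiguration config = realm.getRealmConfiguration();
        return ensureScimId(realm.getUserStoreManager(), config.getAdminUserName());
    }
}
```

Because the routine is a no-op when the claim already exists, it is safe to run it for every active tenant at activation as well, which removes the dependency on the "if SCIM is enabled" check that the thread discusses.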
