Hi,
I fixed the operations wrt Pierre-Arnaud comments. Here is the new version :
Add operation
=============
+--+
|AP|
+--+
We don't have to do anything except to update the apCache as the added
AP is a new entry with no child
>>>-------------------------------------------
update the apCache for the given AP role
-------------------------------------------<<<
+--------+
|Subentry|
+--------+
We can't add a subentry if the immediate parent is not an AP and if the
parent AP does not have the same role (or of the parent is an IAP and
there are no higher parent with the same role).
Otherwise, adding a subentry is just a matter to update the parent's AP
seqNumber (and all the hierarchy up to the first SAP if it's an IAP)
As a subentry is only associated with one single role, we don't have to
loop on all the roles
>>>-------------------------------------------
check the parentAP for the role
get a new new seqNumber
update the parentAP and all its IAP subordinate with the same role with
the new seqNumber
continue down the chain
-------------------------------------------<<<
+-----+
|Entry|
+-----+
When we add an entry, we have to check if it depends on an AP for each
roles. If so, we have to add the AP seqNumber into the entry, and add
references to all the subentry it is related too.
>>>-------------------------------------------
for each role
for each parent AP(role)
get the parentAP(role) seqNumber, store it into the entry
for each subentry associated with the AP(role) do
if the entry is part of the subtree
then add the subentry entryUUID into the entry references
done
done
done
continue down the chain
-------------------------------------------<<<
Delete operation
================
Deleting an entry is somehow easier, as we don't update anything, except
when we delete a Subentry.
+--+
|AP|
+--+
We can't delete an AP if it has any child. So deleting an AP is a
straightforward operation : we just remove the AP, and update the AP cache.
>>>-------------------------------------------
check that the AP has no children
if the AP is an AAP
then
for each role do
remove the AP(role) from the AP(role) cache
done
else
remove the AP(role) from the AP(role) cache
remove the AP from the backend
-------------------------------------------<<<
+--------+
|Subentry|
+--------+
Removing a subentry is slightly more complex, as we will have to update
the associated AP SeqNumber, so that the entries part of the subtree can
be updated later.
>>>-------------------------------------------
get a new seqNumber
update the parentAP(role) with the new seqNumber
for each parentAP IAP descendant
update IAP with new seqNumber
done
remove the subentry from the backend
-------------------------------------------<<<
+-----+
|Entry|
+-----+
Deleting an entry is a straightforward operation. Nothing has to be done
>>>-------------------------------------------
continue down the chain
-------------------------------------------<<<
Search operation
================
The base idea is to check if an entry selected as a candidate is up to
date wrt the Administrative perspective. If we grab an entry from the
backend, and if there is an AP higher in the tree, then we will check
the entry seqNumber :
- if there is no seqNumber, then the entry need to be updated
- if there is a seqNumber which is below then its parent's AP, then the
entry need to be updated
- otherwise, the entry is already up to date
An entry might have a seqNumber with no reference to any subentry, that
just means the entry is not part of any subentry's subtree.
One other thing : we will have to deal with entries only when they have
been selected, so the entry filtering should be done during the
candidate evaluation. Here, we just update the entry adding the
references to the associated subentries (if any), and we will let the
ACI search filter to determinate if the entry is a valid candidate.
+--+
|AP|
+--+
An AP is always searchable by anyone, if one can reach it (ie, no higher
AP limit the access to a parent entry)
There is nothing to do
+--------+
|Subentry|
+--------+
Subentries are not returned to the user unless the Subentries control
has been sent with the request.
A Subentry is always searchable by anyone, if one can reach it (ie, no
higher AP limit the access to a parent entry)
There is nothing to do
+-----+
|Entry|
+-----+
We have to check if the entry is up to date for each role.
>>>----------------------------------------
for each role do
if entry has a parent AP(role)
then take the entry(role) seqNumber (entrySN) and the AP(role)
seqNumber (apSN)
else
continue
if entry has a seqNumber
then
if the entrySN equals the apSN
then
continue
else
remove the entrySN
remove the entry references to Subentries
store the apSN in the entry
update the references to Subentries
continue
else
add the apSeqNumber to the entry
update the references to Subentries
continue
done
if the entry has been updated
then
store the entry
continue up the chain
----------------------------------------<<<
Modify operation
================
A modification done on an AP may impact the AP hierarchy, and make it
becoming inconsistent. We will check that before updating the seqNulbers.
+--+
|AP|
+--+
We can only add or delete administrative roles from an AP. If a removal
let the AP hierarchy inconsistent, the the removal is rejected. This has
to be pre-checked before we actually apply the modification.
We don't support the replace change for APs
>>>-------------------------------------------
if operation == ADD
then
get a new seqNumber
store the seqNumber in the AP
update the AP cache
if the added AP is an IAP
then
propagate the seqNumber all its descendant IAP
else
if the added AP is an AAP
then
for each existing AP do
remove the AP
update the AP cache
done
else
if we have some subentry associated with the removed AP
then
reject the operation
else
if the deleted AP is an AAP
then
remove the AP
update the AP cache
else
if the deleted role is the last one
then
remove the AP
update the AP cache
else
get a new seqNumber
store the seqNumber in the AP
remove the role
update the AP cache
-------------------------------------------<<<
+--------+
|Subentry|
+--------+
Modifying a subentry is just about modifying the subtreeSpecification AT
or the ObjectClass (adding or removing some auxiliary classes) In both
cases, we have to update the parent AP. If the modification impact any
other attribute, then we don't d anything, as it won't change the
subtree, so no entry will be impacted
>>>-------------------------------------------
if modified attributes = ObjectClass or subtreeSpecification
then
if the modified attribute is ObjectClass
then
get new seqNumber
for each modified role do
get the parentAP( role )
update the parentAP( role ) seqNumber
update the APcache(role)
done
continue down the chain
else
get new seqNumber
for each existing role do
get the parentAP( role )
update the parentAP( role ) seqNumber
update the APcache(role)
done
else
continue down the chain
-------------------------------------------<<<
+-----+
|Entry|
+-----+
We have to check if the entry is up to date, or not. For that, we
compare its seqNumber (if any) with it's parents AP (IAP *and* SAP).
This is basically the same processing than for a search operation
>>>-------------------------------------------
if entry has a parent AP
then take the entry seqNumber (entrySN) and the AP seqNumber (apSN)
else
continue down the chain
if entry has a seqNumber
then
if the entrySN equals the apSN
then
continue down the chain
else
remove the entrySN
remove the entry references to Subentries
store the apSN in the entry
update the references to Subentries
continue down the chain
else
add the apSeqNumber to the entry
update the references to Subentries
continue down the chain
-------------------------------------------<<<
Rename operation
================
The rename operation will only impact the entry and the AP, not the
Subentry.
+--+
|AP|
+--+
If the AP is an IAP, then we have to reevaluate all the underlying children.
>>>-------------------------------------------
if the AP is an IAP
then
get a new seqNumber
update the IAP with the new SeqNumber
store the AP
else
continue down the chain
-------------------------------------------<<<
+--------+
|Subentry|
+--------+
Renaming a subentry has no impact
+-----+
|Entry|
+-----+
Renaming an entry implies we reevaluate all the children too, as the
subtree specification may change.
We can do that recursively, updating all the entries, or modifying the
parent AP for each role why a new SeqNumber.
Right now, the second option will be applied
>>>-------------------------------------------
if the entry has a parentAP
then
remove the entry seqNumbers
remove the ref to subentries
for each role do
get a new seqNumber(role)
update the parentAP(role) with the new seqNumber
update the ref to the subentries(role)
done
done
-------------------------------------------<<<
Move and Rename operation
=========================
The Move and Rename operation is a combinaison of both operations,
applied one after the other.
Compare operation
=================
The compare operation uses the same algorithm than the search operation
Move operation
==============
The move operation has a limited impact if we move the AP, except if we
move an IAP. For subentries and entreeies, it's slightly more complex
+--+
|AP|
+--+
If the AP is an IAP, we have to check that the new position is valid. If
so, we can move it. Then, as the the new parent AP may have changed, we
have to modify the IAP seqNumber so that the underlying entries can be
updated later. This has to be done for all the IAP descendants too.
>>>-------------------------------------------
if AP is an IAP
then
check that the new position is valid
if the parentAP is not the same
then
get a new seqNumber
update the IAP with the new seqNumber
for each IAP in the IAP descendant do
update the IAP with the new seqNumber
done
continue down the chain
-------------------------------------------<<<
+--------+
|Subentry|
+--------+
Moving a subentry implies we update the old parentAP and the new one. Of
course, we have to check first that the changed AP are not inconsistent
after the change.
>>>-------------------------------------------
get a new seqNumber
update the old parentAP with the seqNumber (and all the IAP descendants)
update the new parentAP with the seqNumber (and all the IAP descendants)
continue down the chain
-------------------------------------------<<<
+-----+
|Entry|
+-----+
Moving an entry might impact it, as it may not pertain to the subentries
subtree. We have to reevaluate them.
This has to be done for each possible roles.
>>>-------------------------------------------
for each role
get the old parentAP(role)
get the new parentAP(role)
remove the entrySN(role)
remove the entry references to Subentries
store the new parent SN in the entry
update the references to the new parentAP Subentries
done
continue down the chain
-------------------------------------------<<<
--
Regards,
Cordialement,
Emmanuel Lécharny
www.iktek.com
