Yair Zaslavsky has posted comments on this change.

Change subject: aaa: Adding resolve groups
......................................................................

Patch Set 2:

(3 comments)

http://gerrit.ovirt.org/#/c/28368/2/backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/AuthzUtils.java
File backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/AuthzUtils.java:

Line 126: Authz.QueryEntity.PRINCIPAL
Line 127: ).mput(
Line 128: Authz.InvokeKeys.RESOLVE_GROUPS_RECURSIVE,
Line 129: recursiveGroupsResolving
Line 130: ).mput(Authz.InvokeKeys.RESOLVE_GROUPS,
> well, while I am thinking about it...

About 3 -
Let's see - how do you handle the following case?
I need to sync users a,b,c
a and b are members of g1
c is a member of g2
g2 and g1 are members of g3.

So, what you suggest for sync is -
1. fetch a,b,c, from authz - you will notice a,b are members of g1, c is member of g2.
2. resolve for g1, g2 - both are members of g3.

Now, this sounds ok to me, however -
1. the groups table (ad_groups, bad name, I know.. :) ) has no indication of group membership.
The reason it is coded this way is that currently recursive group fetching is performed for users, so you can simply add the group membership (direct or indirect) at the groups table.

This means that we will have to fix the ad_groups table, the MLA stored procedures, in addition of course to the fixes in sync.
I would suggest to defer this work at this moment.

Line 131: recursiveGroupsResolving
Line 132: ).mput(
Line 133: Authz.InvokeKeys.QUERY_FILTER,
Line 134: filter

http://gerrit.ovirt.org/#/c/28368/2/backend/manager/modules/extensions-api-root/extensions-api/src/main/java/org/ovirt/engine/api/extensions/aaa/Authz.java
File backend/manager/modules/extensions-api-root/extensions-api/src/main/java/org/ovirt/engine/api/extensions/aaa/Authz.java:

Line 47:
Line 48: /**
Line 49: * Resolve groups.
Line 50: * Resolve groups information.
Line 51: * */
> -

Done

Line 52: public static final ExtKey RESOLVE_GROUPS = new ExtKey("AAA_AUTHZ_RESOLVE_GROUPS", Boolean.class, "97d226e9-8d87-49a0-9a7f-af689320907b");
Line 53:
Line 54: /** Principal record. */
Line 55: public static final ExtKey PRINCIPAL_RECORD = new ExtKey("AAA_AUTHZ_PRINCIPAL_RECORD", ExtMap.class, "ebc0d5ca-f1ea-402c-86ae-a8ecbdadd6b5");

Line 49: * Resolve groups.
Line 50: * Resolve groups information.
Line 51: * */
Line 52: public static final ExtKey RESOLVE_GROUPS = new ExtKey("AAA_AUTHZ_RESOLVE_GROUPS", Boolean.class, "97d226e9-8d87-49a0-9a7f-af689320907b");
Line 53:
> can you please move it before the recursive?

Done

Line 54: /** Principal record. */
Line 55: public static final ExtKey PRINCIPAL_RECORD = new ExtKey("AAA_AUTHZ_PRINCIPAL_RECORD", ExtMap.class, "ebc0d5ca-f1ea-402c-86ae-a8ecbdadd6b5");
Line 56: /**
Line 57: * AuthResult of operation.

--
To view, visit http://gerrit.ovirt.org/28368

Gerrit-MessageType: comment
Gerrit-Change-Id: I3249b7f18c8bf609c9577e60aafa948a0aa55101
Gerrit-PatchSet: 2
Gerrit-Project: ovirt-engine
Gerrit-Branch: master
Gerrit-Owner: Yair Zaslavsky <[email protected]>
Gerrit-Reviewer: Alon Bar-Lev <[email protected]>
Gerrit-Reviewer: Yair Zaslavsky <[email protected]>
Gerrit-Reviewer: [email protected]
Gerrit-Reviewer: oVirt Jenkins CI Server
Gerrit-HasComments: Yes
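
The two-step sync discussed in the first comment above (fetch the users with their direct groups, then resolve those groups for their parents), as an added example that is not part of the original message or of ovirt-engine. The class, its method names and the in-memory directory are hypothetical; the code goes beyond the a/b/c case by handling any nesting depth and membership cycles.

```java
import java.util.*;

// Hypothetical stand-in for an authz directory (constructed data): each name
// maps to the groups that principal or group is a DIRECT member of.
public class GroupSyncExample {
    static final Map<String, Set<String>> DIRECT = Map.of(
        "a", Set.of("g1"), "b", Set.of("g1"), "c", Set.of("g2"),
        "g1", Set.of("g3"), "g2", Set.of("g3"), "g3", Set.of());

    // Step 2 of the sync: starting from the groups seen on the fetched users,
    // resolve parents level by level. Returns group -> direct parent groups,
    // the group-to-group membership a groups table would need to record.
    static Map<String, Set<String>> resolveGroups(Collection<String> users) {
        Map<String, Set<String>> groupParents = new TreeMap<>();
        Deque<String> pending = new ArrayDeque<>();
        for (String user : users) {
            pending.addAll(DIRECT.getOrDefault(user, Set.of()));
        }
        while (!pending.isEmpty()) {
            String group = pending.poll();
            if (groupParents.containsKey(group)) {
                continue; // resolved already: one lookup per group, cycle-safe
            }
            Set<String> parents = new TreeSet<>(DIRECT.getOrDefault(group, Set.of()));
            groupParents.put(group, parents);
            pending.addAll(parents);
        }
        return groupParents;
    }

    // Effective (direct and indirect) groups of one user, derived from its
    // direct groups plus the resolved group-to-group edges.
    static Set<String> effectiveGroups(String user, Map<String, Set<String>> groupParents) {
        Set<String> seen = new TreeSet<>();
        Deque<String> pending = new ArrayDeque<>(DIRECT.getOrDefault(user, Set.of()));
        while (!pending.isEmpty()) {
            String group = pending.poll();
            if (seen.add(group)) { // add() is false for a group already visited
                pending.addAll(groupParents.getOrDefault(group, Set.of()));
            }
        }
        return seen;
    }

    public static void main(String[] args) {
        Map<String, Set<String>> groupParents = resolveGroups(List.of("a", "b", "c"));
        System.out.println("group parents: " + groupParents);
        for (String user : List.of("a", "b", "c")) {
            System.out.println(user + " -> " + effectiveGroups(user, groupParents));
        }
    }
}
```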
