Hi Sean,

Thank you for the guidance.

> "Again I am thinking of a simpler path. We discussed adding the following
> method:
> Session createSession (Group group, boolean isTrusted);
> So instead of passing in a userid, we pass a group name. The session
> maybe needs a new element, groupName, or maybe we just add a boolean field,
> isGroup, and use the userId to contain the groupName instead."

This definitely looks much simpler than adding a separate GroupRole class.

> "Now that I think more, the userroles may need boolean isGroup field, in
> addition to session, so that it is clear the value in userid field maps to
> group name."

Wouldn't this confuse client-side programmers? Would it be a good idea to rename it to "memberId" and introduce a switch?

> "I don’t think we have to modify the ldap schema at all. The current group
> object class should work. Again it will contain role dn’s instead of user
> dn’s. The only question in my mind is should we add a new container, i.e.
> ou=rolegroups. I am leaning towards ‘yes’."

I'm not quite clear why we might need this container. Could you please explain? I.e. we still should be able to search for Role groups in groups container by filtering with memberId and type attributes.

> "It depends, do we need a canAssign ( group , role ) or canDeassign? If so
> it would require changes to group entity to allow for organization
> ownership."

As I see now, we don't need this functionality in our case. I'll need to ask our team more about this.

> "I should have pointed out earlier I have done some of the prep work for
> managing groups of roles. Here are the corresponding commits where you can
> see the changes that have been made:"

Thank you, this really facilitates the development for our use-case! I'll use these code samples as examples.

> "You will want to get comfortable running the junit tests. Any new methods
> will need tests to verify their functionality. Will Mirantis be
> contributing this code?"

I will definitely cover new code with tests.

Also, I was trying to assign https://issues.apache.org/jira/browse/FC-144 to myself, but it seems that I don't have permissions.

--
Kind Regards,
Vyacheslav Vakhlyuev
Software Engineer
Mirantis, Inc
www.mirantis.com
Skype: vahluev.vyacheslav
