[
https://issues.apache.org/jira/browse/OAK-5210?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15760636#comment-15760636
]
angela edited comment on OAK-5210 at 1/31/17 5:42 PM:
------------------------------------------------------
i gave option 1 a try... while it's straightforward for the resolution, the
result didn't make me feel comfortable because of the equals and hashcode
contract, which i didn't want to change (see comment regarding 'optional'
principal name before): the fact that a given {{ExternalIdentityRef}} was
considered equal even if a totally different principal name was present felt
wrong to me, while adding it made it even stranger. also there was no way to
create an {{ExternalIdentityRef}} from the string representation which included
the principal name.
summary: i found this option initially very compelling but ended up with major
concerns
was (Author: anchela):
i gave this option a try... while it's straightforward for the resolution, the
result didn't make me feel comfortable because of the equals and hashcode
contract, which i didn't want to change (see comment regarding 'optional'
principal name before): the fact that a given {{ExternalIdentityRef}} was
considered equal even if a totally different principal name was present felt
wrong to me, while adding it made it even stranger. also there was no way to
create an {{ExternalIdentityRef}} from the string representation which included
the principal name.
summary: i found this option initially very compelling but ended up with major
concerns
> Ability to resolve principal name from ExternalIdentityRef without IDP
> roundtrip
> --------------------------------------------------------------------------------
>
> Key: OAK-5210
> URL: https://issues.apache.org/jira/browse/OAK-5210
> Project: Jackrabbit Oak
> Issue Type: New Feature
> Components: auth-external
> Reporter: angela
> Assignee: angela
> Attachments: OAK-5210-benchmark.patch, OAK-5210-initialdraft.patch,
> sync_with_roundtrip_delay_1_for_groups.txt,
> sync_with_simplified_principal_resolution.txt
>
>
> Currently the only way to reliably determine the principal name for a given
> external identity is by calling {{ExternalIdentity.getPrincipalName()}}. This
> also means that there is currently no way to resolve the principal name from
> a given {{ExternalIdentityRef}}, without calling
> {{ExternalIdentityProvider.getIdentity(ExternalIdentityRef)}}.
> In the default sync mode a given identity-ref will always be resolved to the
> associated identity once a given identity is up for (re)sync and thus the
> identity resolution is part of the synchronization. On the other hand the
> partial sync as provided by the {{DynamicSyncContext}} doesn't require the
> resolution of group identities but only needs to be able to obtain the
> principal name, which is needed to properly populate the subject upon
> repository login (and for permission setup for those group principals). In
> this setup it would be preferable if the principal name could be resolved
> from the {{ExternalIdentityRef}} without the intermediate identity resolution.
> The aim of this issue is to discuss the different options on how to achieve
> this improvement in a generic way that doesn't make any assumptions regarding
> the relationship between {{ExternalIdentity.getId}},
> {{ExternalIdentity.getPrincipalName}} and {{ExternalIdentityRef.getId}}.
> See also OAK-4930 and OAK-5200 for additional information.