...

GroupType.createType(session, name)
 - deprecated
GroupType.createType(session, name, exceptionIfExists)
 - deprecated
GroupType.internal_createType(session, name, isAssignable, isInternal, exceptionIfExists, changed, uuid)
 - rewrite
 - Remove isAssignable and isInternal?
 - Create 2 new attributeDefs and an attributeDefName in etc:attribute:legacy
   - One attributeDef assignable to groups.  Maybe call it legacyGroupTypeDef_<name>.  The other assignable to assignments on groups.  Maybe call it legacyAttributeDef_<name>.
   - attributeDefName as marker attribute for group type.  Maybe call it legacyGroupType_<name>.
   - Add scope:
     - legacyAttributeDef_<name>.getAttributeDefScopeDelegate().assignScope(AttributeDefScopeType.idEquals, legacyGroupType_<name>.getId(), null);
 - Maybe the groupType uuid should become the uuid of the attributeDefName legacyGroupType_<name>.
GroupType.addAttribute(session, name, read, write, required)
 - deprecate
GroupType.addAttribute(session, name, read, write, required, exceptionIfExists)
 - deprecate
 - rewrite - the current code creates a field for this, but we're not doing that.
 - Ignore required?
 - Ignore read and write privileges? Should users be forced to set up privileges using the new API when creating new attributes?
 - Create attribute in new framework.  Maybe call it legacyAttribute_<name>.
GroupType.addOrUpdateAttribute(session, name, read, write, required)
 - same as above
GroupType.addList(session, name, read, write)
 - We're still supporting custom lists.  Still deprecate in favor of separate groups.
 - Going forward, expecting a properties file config to link up the groupType with the field.
 - Maybe the admin needs to add the config first, then run this to add the field?
GroupType.delete(session)
 - deprecate
 - Delete the two attribute definitions.
GroupType.deleteField(session, name)
 - deprecate
 - Continue to delete the field as before if this is a field for a list.  Admin needs to remove config.
 - If the field is for an attribute, if there aren't any assignments, delete the legacyAttribute_<name>.
GroupType.getFields()
 - deprecate
 - Note that attributes are no longer fields.

...

- Create attributeDefs and attributeDefNames in the new attribute framework based on the adjusted API above.

- Note that if custom lists are used, the migration will involve config additions as well.

Privileges

One of the challenges with the migration is going to be dealing with privileges.  The old and new attribute frameworks have different ways of dealing with read and write privileges on attributes. 

...

With the new attribute framework, read access on an attribute assigned to a group requires the view privilege on the group and the attr_read privilege on the attribute definition.  Update access requires the admin privilege on the group and the attr_update privilege on the attribute definition.

Steps to migrate read privileges

...

privilege

...

on the

...

attribute definition

...

.

...

...

Steps to migrate update privileges

...

  1. For the list of groups, determine the effective update privilege for each group.
  2. Excluding GrouperSystem, if the effective update privilege for all groups is based on a list of groups (not necessarily the same list for each group), then give that list of groups (a union of all) the attr_update privilege on the attribute definition in the new attribute framework.
  3. Excluding GrouperSystem, if the effective update privilege for all groups is based on a list of subjects, then give that list of subjects (a union of all) the attr_update privilege on the attribute definition in the new attribute framework.  Also, during the migration, output a warning message to indicate that update privileges have been migrated but will need to be handled differently by the users going forward.  The output can contain the groups that were problematic (i.e. the ones that contain update privileges that were not solely based on a list of groups).
  4. In either case, if a subject had update privileges in the old attribute framework but no longer does in the new attribute framework because the subject does not have admin privileges to the group, then output a warning message for each subject/group.
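The update-privilege steps above, sketched as a planning function. This is an added example, not Grouper code: `LegacyGroup`, `plan_update_migration` and the sample data are hypothetical, holders of the old update privilege are taken as given input, and skipping GrouperSystem in step 4 is an assumption.

```python
from dataclasses import dataclass

ROOT = "GrouperSystem"  # excluded in steps 2 and 3; assumed excluded in step 4 too


@dataclass(frozen=True)
class LegacyGroup:          # hypothetical model, not a Grouper class
    name: str
    updaters: frozenset     # old-framework update holders: ("group" | "subject", id)
    admins: frozenset       # subject ids with effective admin on this group


def plan_update_migration(groups, members):
    """Plan attr_update grants; members maps a group id to its member subject ids."""
    grantees, problematic, lost = set(), [], set()
    for g in groups:
        holders = {h for h in g.updaters if h[1] != ROOT}
        grantees |= holders                      # union across all groups (steps 2 and 3)
        if any(kind == "subject" for kind, _ in holders):
            problematic.append(g.name)           # step 3: not solely group-based
        for kind, ident in holders:
            subjects = members.get(ident, set()) if kind == "group" else {ident}
            # Step 4: update now also needs admin on the group itself, so a
            # subject without it loses access despite holding attr_update.
            lost |= {(s, g.name) for s in subjects if s != ROOT and s not in g.admins}
    warnings = [f"update access lost: {s} on {grp} (no admin privilege)"
                for s, grp in sorted(lost)]
    if problematic:
        warnings.insert(0, "subject-based update privileges migrated for: "
                        + ", ".join(problematic))
    return {"attr_update": sorted(grantees),
            "mode": "subjects" if problematic else "groups",
            "lost": sorted(lost),
            "warnings": warnings}


# Constructed sample data (not from a real registry)
MEMBERS = {"app:admins": {"alice", "bob"}}
GROUPS = [
    LegacyGroup("app:g1", frozenset({("group", "app:admins"), ("subject", ROOT)}),
                frozenset({"alice", "bob"})),
    LegacyGroup("app:g2", frozenset({("group", "app:admins"), ("subject", "carol")}),
                frozenset({"alice"})),
]

if __name__ == "__main__":
    for line in plan_update_migration(GROUPS, MEMBERS)["warnings"]:
        print(line)
```

Because the grant is a union over every group, the `lost` list is the part to review before applying: it names each subject whose old update access no longer takes effect.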

...

Also note that privileges in general for attributes are changing for 2.2.