You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 3 Next »


Wiki Home

Grouper Release Announcements

Grouper Guides

Grouper Deployment Guide

Community Contributions

Internal Developer Resources

Current functionality

Group types:

 - Grouper allows administrators to create group types (typically using GSH or the API)
 - There are several internal/built-in group types -- base, naming, attributeDef.  There's also requireInGroups, addIncludeExclude, and grouperLoader.
 - Group types can have one more more attributes and one or more custom lists.
 - There are change log events when group types are created, updated, or deleted.  The change log processor doesn't do anything with them.
 - Special group type called grouperGroupMembershipSettings that's used to help users skin the lite membership UI.
 - Hooks
 - User audit

Group type assignments (GroupTypeTuple):

 - In general, all users can assign a group type to groups that they admin.
 - There are built-in hooks to limit who can assign a specific group type or edit attributes of a group associated with that group type.
 - When assigning a group type to a group, a bundle of attributes and lists become available for that group.  For example with the gruopLoader type.
 - There are change log events when group types are assigned or unassigned.  The change log processor does look at these events.
 - Hooks
 - User audit

Fields:

 - Attributes and custom lists are fields.  (Just like the fields used for group memberships and group/stem/attributeDef privileges.)
 - Fields are associated with a group type.
 - Fields have properties for read and write privilege.
   - e.g. You must have read (or opt-in or update or admin, etc) privilege on a group to read an attribute value on a group.
   - e.g. You must have update (or read or opt-in or admin, etc) privilege on a group to update/delete an attribute value on a group.
   - Same with addMember, deleteMember, and getMembers on custom lists.  You can have crazy settings like requiring opt-out privilege on a group to be able to add member to a custom list.
 - Fields have a nullable property.  This prevents deleting an attribute from a group if failOnRequiredAttribute is true in the API call and the nullable property is true on the field.
 - Change log
 - Hooks
 - PIT audit

Attributes:

 - Stored in the grouper_attributes table.  Has a reference to the group and field.
 - Single valued only.
 - Can be copied when copying groups.
 - Hooks
 - User audit

Custom lists:

 - Stored in the grouper_memberships table like regular memberships and privileges.  Again has a reference to the group and field.
 - Can be copied when copying groups.
 - Change log
 - Hooks
 - User audit
 - PIT audit

Requirements

 - Prevent use of legacy attributes.
 - Create old style attributes in the new attribute framework within a configurable folder (e.g. etc:attribute:legacy).  By default, everybody can read and assign the attribute.
 - Preserve the API methods that allow setting and getting an attribute from a group.
 - Web services and UI should continue to work when dealing with getting and setting attributes.
 - Hooks should continue to fire when setting and deleting attributes.
 - Preserve existing views as much as possible.

Design and API Changes

GroupType

- Get rid of grouper_types table.  The default, base, naming, and attributeDef types will no longer be represented in the API.

GroupType.createType(session, name)
 - deprecated
GroupType.createType(session, name, exceptionIfExists)
 - deprecated
GroupType.internal_createType(session, name, isAssignable, isInternal, exceptionIfExists, changed, uuid)
 - rewrite
 - Ignore isAssignable and isInternal?
 - Create new 2 attributeDefs and attributeDefName in etc:attribute:legacy
   - One attributeDef assignable to groups.  Maybe call it legacyGroupTypeDef_<name>.  The other assignable to assignments on groups.  Maybe call it legacyAttributeDef_<name>.
   - attributeDefName as marker attribute for group type.  Maybe call it legacyGroupType_<name>.
   - Add scope:
     - legacyAttributeDef_<name>.getAttributeDefScopeDelegate().assignScope(AttributeDefScopeType.idEquals, legacyGroupType_<name>.getId(), null);
 - Maybe the groupType uuid should become the uuid of the attributeDefName legacyGroupType_<name>.
GroupType.addAttribute(session, name, read, write, required)
 - deprecate
GroupType.addAttribute(session, name, read, write, required, exceptionIfExists)
 - deprecate
 - rewrite - the current code creates a field for this, but we're not doing that.
 - Ignore required?
 - Ignore read and write privileges? Should users be forced to set up privileges using the new API when creating new attributes?
 - Create attribute in new framework.  Maybe call it legacyAttribute_<name>.
GroupType.addOrUpdateAttribute(session, name, read, write, required)
 - same as above
GroupType.addList(session, name, read, write)
 - We're still supporting custom lists.  Still deprecate in favor of separate groups.
 - Going forward, expecting a properties file config to link up the groupType with the field.
 - Maybe the admin needs to add the config first, then run this to add the field?
GroupType.delete(session)
 - deprecate
 - Delete the two attribute definitions.
GroupType.deleteField(session, name)
 - deprecate
 - Continue to delete the field as before if this is a field for a list.  Admin needs to remove config.
 - If the field is for an attribute, if there aren't any assignments, delete the legacyAttribute_<name>.
GroupType.getFields()
 - deprecate
 - Note that attributes are no longer fields.

GroupTypeFinder

GroupTypeFinder.find(name, exceptionIfNotFound)
 - deprecate
 - Create GroupType objects based on attributeDefNames in etc:attribute:legacy that start with legacyGroupType_.
 - The GroupType name and uuid would be accurate.  But other fields would be left null. Hmm
GroupTypeFinder.findByUuid(uuid, exceptionIfNotFound)
 - deprecate
 - Same as above
GroupTypeFinder.findAll()
 - deprecate
 - Just return all
GroupTypeFinder.findAllAssignable()
 - deprecate
 - Just return all

GroupTypeTuple

 - Get rid of the grouper_group_types table.
 - Everything is essentially deprecated.
 - Should the uuid of a GroupTypeTuple be the uuid of the attribute assignment of legacyGroupType_<name>?

Field

 - In general, I'm assuming that we're not going to try to treat legacy attributes as fields anymore or try to support current 2.1 API that does.
 - Getting rid of the column grouptype_uuid.

 - Field.isAttributeName()
   - deprecate
   - Would always return false since legacy attributes are no longer fields.

FieldFinder

 - FieldFinder.findFieldIdForAttribute(attributeName, exceptionIfNull)
   - deprecate
   - This won't work anymore since attributes aren't fields.

FieldType

 - "attribute" is no longer a valid field type.

Group

 - Group.initGroupAttributes(groups)
   - Seems like this was set up to address a performance issue with getting legacy attributes.
   - Maybe deprecate and allow it to continue to work.  That is, efficiently query for legacy attributes in etc:attribute:legacy.
 - Group.deleteAttribute(attributeName)
   - deprecate
 - Group.deleteAttribute(attributeName, failOnRequiredAttribute)
   - deprecate
   - Ignore failOnRequiredAttribute?
   - rewrite to delete from new attribute framework.
 - Group.getAttributeValue(attributeName, checkSecurity, exceptionIfNotFound)
   - deprecate
   - exceptionIfNotFound is currently based on a field check.  Since legacy attributes won't be fields, this needs to change to instead check all the attributeDefNames starting with legacyAttribute_ under etc:attribute:legacy that are applicable for this group.
   - checkSecurity needs to check security based on new attribute framework.
 - Group.getAttribute(attributeName)
   - already deprecated.  why doesn't this just call getAttributeValue???
 - Group.getAttributes()
   - already deprecated.  why doesn't this just call getAttributesMap???
 - Group.setAttribute(attributeName, value)
   - deprecate
 - Group.setAttribute(attributeName, value, checkPrivileges)
   - deprecate
 - Group.setAttribute(attributeName, value, checkPrivileges, uuid)
   - deprecate
   - Change to use new framework.  Should the uuid be used as the uuid of the attribute assignment?
 - Group.getAttributesMap(checkSecurity)
   - deprecate
   - Change to use new framework.
 - Group.getAttributesDb()
   - already deprecated.  why doesn't this just call getAttributesMap???
 - Group.internal_setAttributes(attributes)
   - deprecate
 - Group.setAttributes(attributes)
   - deprecate
 - Group.internal_copy()
   - Perhaps assume that this continues to only work with legacy attributes for now.
   - Privilege checks on attributes need to use new framework.
 - Group.addType(type)
   - deprecate
 - Group.addType(type, exceptionIfAlreadyHasType)
   - deprecate
   - Assign legacyGroupType_<typeName> to group.
 - Group.canReadField(subj, field) and various other similar methods
   - Okay to make this no longer work for legacy attributes?
 - Group.deleteType(type)
   - deprecate
   - Change to use new framework (including privilege checks).
 - Group.getRemovableTypes()
   - deprecate
   - assume all types are removable.
 - Group.getTypes()
   - deprecate
   - Assume no types are "internal"
 - Group.getTypesDb()
   - deprecate
   - Return all assignments within etc:legacy:attribute.
 - Group.hasType(type)
   - deprecate
 - Group.setTypes(types)
   - deprecate

Attribute

- Basically deprecate everything.
- Get rid of grouper_attributes table.
- Perhaps the attribute id should be the uuid of the attribute assignment.
- field id is no longer applicable therefore always null.

Migration

  • No labels