[wildfly-dev] problems with the Elytron permission-mapping config model

Martin Choma mchoma at redhat.com
Mon Mar 26 08:40:29 EDT 2018


I ran through the Elytron subsystem and there are other "suspicious"
resources [1]. How is it guaranteed that the name/id/path attributes of
collections are unique identifiers? On the subsystem code level? Because
this information is not in the model, as far as I know.

Is it possible to declare a compound unique key? I mean, for example, to
say that for the permission resource the (class-name, module) tuple is the
unique key.

[1]
configurable-sasl-server-factory/filters
configurable-http-server-mechanism-factory/filters

sasl-authentication-factory/mechanism-configurations
sasl-authentication-factory/mechanism-configurations/mechanism-realm-configurations
http-authentication-factory/mechanism-configurations
http-authentication-factory/mechanism-configurations/mechanism-realm-configurations

mechanism-provider-filtering-sasl-server-factory/filters

ldap-realm/identity-mapping/attribute-mapping
jdbc-realm/principal-query
jdbc-realm/principal-query/attribute-mapping

security-domain/realms

On Fri, Mar 23, 2018 at 4:55 PM, Alexey Loubyansky
<alexey.loubyansky at redhat.com> wrote:
> While this is addressed mainly to the Elytron team, it seems like we would
> appreciate opinions from other colleagues since we are basically stuck
> discussing possible ways to resolve
> https://issues.jboss.org/browse/WFCORE-3596
>
> The description in the jira is pretty brief assuming people know what that
> is about, since it's been raised before multiple times. Here is what it is
> about fundamentally.
>
> If a configuration model (of a subsystem or any other component) includes a
> list of configurable units (let's assume XML elements for simplicity) that
> don't have any identity (unique id/name/path/etc) this is a big problem for
> supporting patching and version updates preserving user configuration
> changes. Or simply customizing the default config model using a tool. By a
> big problem I mean it's simply not going to work reliably.
>
> As a simple exercise that demonstrates the issue, imagine you have two
> configs each of which includes a list of these configurable units that have
> no identity. Now try to identify the difference between the two lists. Or
> merge them with one overwriting the other. Basically, components w/o an
> identity cannot be manipulated. You can only add them but not modify or
> even remove them (unless their index in the list is a constant value, of course).
>
> I don't think I've seen any issue of this kind in our (WF/EAP) configs
> except for the Elytron's permission-mapping's. (If somebody knows such
> components please let me know).
> If I misunderstand the Elytron config model or am approaching this from the wrong
> angle, please let me know.
>
> Question for the Elytron team: is the problem I am describing clear? Do you
> admit it as a problem?
>
> Thanks,
> Alexey
>
> _______________________________________________
> wildfly-dev mailing list
> wildfly-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/wildfly-dev
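As an added illustration of the identity problem discussed in this thread (example code written for this page, not code from the thread or from WildFly/Elytron): a diff of two permission lists done positionally, beside a diff and merge keyed on the compound (class-name, module) key Martin proposes. The attribute names follow the Elytron permission resource; the class and module values are constructed sample data.

```python
from typing import Dict, List, Tuple

Perm = Dict[str, str]
Key = Tuple[str, ...]
KEY = ("class-name", "module")  # compound unique key proposed in the thread

# Constructed sample data: a default permission list and a copy the user customized
# by inserting one entry at the front and changing the action of another.
DEFAULT_PERMS: List[Perm] = [
    {"class-name": "com.example.LoginPermission", "module": "", "action": ""},
    {"class-name": "com.example.BatchPermission", "module": "com.example.batch", "action": "start"},
]
USER_PERMS: List[Perm] = [
    {"class-name": "com.example.FilePermission", "module": "", "action": "read"},
    {"class-name": "com.example.LoginPermission", "module": "", "action": ""},
    {"class-name": "com.example.BatchPermission", "module": "com.example.batch", "action": "start,stop"},
]

def diff_by_index(old: List[Perm], new: List[Perm]) -> List[Tuple[int, Perm, Perm]]:
    """Identity-less diff: entries can only be compared by position, so a single
    insertion shifts everything after it and every later position looks changed."""
    changes = []
    for i in range(max(len(old), len(new))):
        a = old[i] if i < len(old) else None
        b = new[i] if i < len(new) else None
        if a != b:
            changes.append((i, a, b))
    return changes

def key_of(p: Perm) -> Key:
    return tuple(p.get(k, "") for k in KEY)

def index_by_key(perms: List[Perm]) -> Dict[Key, Perm]:
    """Build the key index and enforce uniqueness, which the model itself does not."""
    by_key = {key_of(p): p for p in perms}
    if len(by_key) != len(perms):
        raise ValueError("duplicate (class-name, module) key in permission list")
    return by_key

def diff_by_key(old: List[Perm], new: List[Perm]) -> Tuple[List[Key], List[Key], List[Key]]:
    """Keyed diff: returns (added, removed, modified) keys, independent of ordering."""
    old_by, new_by = index_by_key(old), index_by_key(new)
    added = [k for k in new_by if k not in old_by]
    removed = [k for k in old_by if k not in new_by]
    modified = [k for k in new_by if k in old_by and old_by[k] != new_by[k]]
    return added, removed, modified

def merge_by_key(base: List[Perm], overlay: List[Perm]) -> List[Perm]:
    """Keyed merge: overlay entries replace base entries with the same key,
    base entries absent from the overlay are preserved."""
    merged = index_by_key(base)
    for p in overlay:
        merged[key_of(p)] = p
    return list(merged.values())
```

With the sample data the positional diff reports all three positions as changed, while the keyed diff reports exactly one addition and one modification, and the keyed merge keeps the user's edit.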
