I think this takes us all back to the start.
Why do you need to be modifying the simple-permission-mapper resource.
The proposed changes are to give you a named resource that can be safely
manipulated without the simple-permission-mapper needing to be touched at
all.
On Tue, 27 Mar 2018 at 16:37 Alexey Loubyansky <alexey.loubyansky(a)redhat.com>
wrote:
On Tue, Mar 27, 2018 at 2:06 PM, Darran Lofthouse <
darran.lofthouse(a)redhat.com> wrote:
> How do you cope with things like a login module stack in the security
> subsystem? That is also ordered where the order has a very specific
> meaning. I haven't checked the configuration recently but doesn't
> configuration for jgroups also handle the configuration in an ordered way
> that an administrator could choose to modify?
>
They (login module stack and jgroup's protocol stack) are different in
that every item on the stack has an identity. So I can see whether an item
has been removed, modified or a new one added. I can't see how I can do
that with the permission-mapping. This is my main problem at the moment.
Isn't there a way for an equality check to be performed? In the case of
the login module stacks once modules have been added or removed it is no
longer safe for you to make changes to that stack - this resource is no
different.
About the ordered collections in general, yes, there is an issue. Like you
mentioned, for a start the order can be pre-defined (it can later be
re-defined although that appears to be not as easy as it should be). This
is actually how it currently works.
The proposal we have so far is to remove the need for the manipulation of
> permissions in the ordered list as other subsystems are added / removed -
> at this point the remaining config in the permission mapper should either
> match the default we ship or if it is modified this should be as a result
> of administrator action so should be preserved as is.
>
Right, I get that. The thing is that if it is modified, it has to be fully
re-defined, meaning it's not a fine-grained adjustment. Because if you want
to add another permission (or the named permission-set) how to can the
target permission-mapping be determined?
Why do you need to know this? The proposed change is so you can just
modify the permission-set - once the administrator updates the
simple-permission-mapper they have taken ownership of that resource and we
should not be automating any further changes to it.
> The problem we have with the resource now is it must be preserved for
> backwards compatibility. Broadly this means we have the following two
> requirements: -
> 1 - Any changes we make must be transformable to the prior version of
> the resource.
> 2 - XML configuration for a prior version of the resource must be
> convertible to the new version.
>
The good thing is that XML is not what is being manipulated, the
representation of the resource in the domain management model is. Not
meaning it gives a complete freedom but it's a good thing.
Yes but my point is we can not choose to simplify the resource as we still
have to support the various permutations that could have been represented
in XML against the previous version.
> Alternatively we could redesign a new resource from scratch to provide
> model based permission mapping but a redesign from scratch is unlikely to
> completely cover #1 and #2 so we could end up with a deprecated resource
> which is not immediately removable although if we can achieve #1 removal
> possibly could be faster.
>
> But is all this necessary at the moment? Especially as at the moment we
> do have a proposal that moves the permissions we know need to be updated to
> an identifiable resource.
>
What about the permission-mapping? Are there plans to do anything with
them?
The plan is to update the simple-permission-mapper so the
permission-mapping can map to a permission-set instead of containing the
permission names directly.
To me, it depends on what you mean by "at the moment". If you mean whether
the changes need to be implemented and usable in a few weeks, no. But
I
think not giving it a priority now is a bad thing, because as you wrote
above then we have to support the structure which limits the ability to
customize the default configs, perform integration, updates and preserving
user changes.
I would propose we go ahead and add the new permission-set resource and
update the simple-permission-mapper so these can be referenced instead of
listing the permission classes.
Based on the default configuration we ship we can then restructure the
configuration so you have a single named resource to add and remove the
permissions as appropriate where order is not relevant.
We can then look as a separate RFE at redefining permission mapping, which
could mean tweaks to the existing resource or could even consider some
clean designs and deprecate the current resource if we think that makes
sense.
Thanks,
Alexey
>
> Darran.
>
>
> On Tue, 27 Mar 2018 at 12:45 Alexey Loubyansky <
> alexey.loubyansky(a)redhat.com> wrote:
>
>> On Tue, Mar 27, 2018 at 1:23 PM, Darran Lofthouse <
>> darran.lofthouse(a)redhat.com> wrote:
>>
>>> The part that I am still missing is if we remove the need to manipulate
>>> an ordered list as other subsystems are added and removed how is the
>>> presence of the ordered list still an issue? I am sure we have other
>>> examples of ordered lists out there.
>>>
>>
>> Actually, mainly in Elytron. The list in itself is not an issue, the
>> identity of the items is. If there is a list that can be modified by
>> various parties (end user, as a consequence of integration of other
>> components, etc) there is a problem of merging these modifications or even
>> identifying them in terms which items changed and how. Identifying user
>> changes since the last official update (with the goal to preserve them
>> after the next update) becomes a problem as well.
>>
>> Alexey
>>
>>
>>> Darran.
>>>
>>>
>>> On Tue, 27 Mar 2018 at 12:15 Alexey Loubyansky <
>>> alexey.loubyansky(a)redhat.com> wrote:
>>>
>>>> On Tue, Mar 27, 2018 at 12:34 PM, Darran Lofthouse <
>>>> darran.lofthouse(a)redhat.com> wrote:
>>>>
>>>>> Ok so lets switch this another way.
>>>>>
>>>>> If the addition from other subsystems was to be eliminated is there
>>>>> still a provisioning issue?
>>>>>
>>>>
>>>> The provisioning issue is related to the structure of the
>>>> configuration model (to be more precise the representation of the
resource
>>>> in the domain management model since this is what is being manipulated).
>>>> There are other examples of subsystems requiring configuration of other
>>>> features, e.g. some subsystems may require specific socket-bindings.
There
>>>> is no problem with that from the provisioning perspective because the
model
>>>> allows to check whether the required socket-binding is already present
in
>>>> the config, whether its parameters need any adjustments and if the
>>>> socket-binding is missing from the config it can be added.
>>>>
>>>> Thanks,
>>>> Alexey
>>>>
>>>>
>>>>>
>>>>> On Fri, 23 Mar 2018 at 20:52 Brian Stansberry <
>>>>> brian.stansberry(a)redhat.com> wrote:
>>>>>
>>>>>> On Fri, Mar 23, 2018 at 12:56 PM, Darran Lofthouse <
>>>>>> darran.lofthouse(a)jboss.com> wrote:
>>>>>>
>>>>>>> On Fri, 23 Mar 2018 at 17:50 Alexey Loubyansky <
>>>>>>> alexey.loubyansky(a)redhat.com> wrote:
>>>>>>>
>>>>>>>> On Fri, Mar 23, 2018 at 6:20 PM, Farah Juma
<fjuma(a)redhat.com>
>>>>>>>> wrote:
>>>>>>>>
>>>>>>>>> A solution to part of the problem mentioned in
WFCORE-3596 that
>>>>>>>>> was discussed is to introduce the concept of named
permission sets. In
>>>>>>>>> particular, instead of having a permission-mapping
reference permissions,
>>>>>>>>> it would instead reference named permission-sets.
This would allow the
>>>>>>>>> provisioning tool to be able to add/remove
permissions to/from a default
>>>>>>>>> permission-set based on the presence/absence of a
specific subsystem when
>>>>>>>>> generating the default configuration. However, as
Alexey pointed out, this
>>>>>>>>> doesn't solve the problem of knowing which
permission-mapping a
>>>>>>>>> permission-set should be added to when attempting to
preserve user
>>>>>>>>> configuration changes for patching, version updates,
etc.
>>>>>>>>>
>>>>>>>>
>>>>>>>> Right. It does not change the permission-mappings, they
remain to
>>>>>>>> be a list of items with no identity. Which is the
fundamental problem.
>>>>>>>>
>>>>>>>
>>>>>>> But why is that a problem? I think that is the piece still
missing.
>>>>>>>
>>>>>>> By moving the list of the permissions into a single named
resource
>>>>>>> the tooling no longer has a need to be performing the
manipulation within
>>>>>>> the simple permission mapper so that can be left to the
administrator to
>>>>>>> look after independently.
>>>>>>>
>>>>>>
>>>>>> Is your question why is it a problem to give these things an
>>>>>> identity? If so, I have the same question, although I don't
think Alexey's
>>>>>> the one to come up with the identity.
>>>>>>
>>>>>> Or is your question why is not having an identity a problem? If
so,
>>>>>> is it correct to say that getting rid of this bit of wrongness is
the
>>>>>> problem:
>>>>>>
>>>>>>
>>>>>>
https://github.com/wildfly/wildfly-core/blob/master/elytron/src/main/reso...
>>>>>>
>>>>>> Basically right there elytron is speculatively providing
>>>>>> configuration rightly owned by other subsystems. To do this
correctly, each
>>>>>> of those permissions should be part of the config established by
other
>>>>>> parts of the system. The provisioning tool is expected to do it
correctly.
>>>>>> And doing that requires some sort of identity for each item in
the set. .
>>>>>> Installing a feature should involve adding independent,
identifiable chunks
>>>>>> of config, not manipulating an attribute of some chunk of config
owned by a
>>>>>> different feature. Manipulating an attribute is not feasible and
>>>>>> isn't correct.
>>>>>>
>>>>>>
>>>>>>>
>>>>>>>>
>>>>>>>> Thanks,
>>>>>>>> Alexey
>>>>>>>>
>>>>>>>> Thanks,
>>>>>>>>> Farah
>>>>>>>>>
>>>>>>>>> On Fri, Mar 23, 2018 at 11:55 AM, Alexey Loubyansky
<
>>>>>>>>> alexey.loubyansky(a)redhat.com> wrote:
>>>>>>>>>
>>>>>>>>>> While this is addressed mainly to the Elytron
team, it seems
>>>>>>>>>> like we would appreciate opinions from other
colleagues since we are
>>>>>>>>>> basically stuck discussing possible ways to
resolve
>>>>>>>>>>
https://issues.jboss.org/browse/WFCORE-3596
>>>>>>>>>>
>>>>>>>>>> The description in the jira is pretty brief
assuming people know
>>>>>>>>>> what that is about, since it's been raised
before multiple times. Here is
>>>>>>>>>> what it is about fundamentally.
>>>>>>>>>>
>>>>>>>>>> If a configuration model (of a subsystem or any
other component)
>>>>>>>>>> includes a list of configurable units (let's
assume XML elements for
>>>>>>>>>> simplicity) that don't have any identity
(unique id/name/path/etc) this is
>>>>>>>>>> a big problem for supporting patching and version
updates preserving user
>>>>>>>>>> configuration changes. Or simply customizing the
default config model using
>>>>>>>>>> a tool. By a big problem I mean it's simply
not going to work reliably.
>>>>>>>>>>
>>>>>>>>>> As a simple exercise that demonstrates the issue,
imagine you
>>>>>>>>>> have two configs each of which includes a list of
these configurable units
>>>>>>>>>> that have no identity. Now try to identify the
difference between the two
>>>>>>>>>> lists. Or merge them with one overwriting the
other. Basically components
>>>>>>>>>> w/o an identity can not be manipulated. You can
only add them but not
>>>>>>>>>> modify or even remove (unless their index in the
list is a constant value
>>>>>>>>>> of course).
>>>>>>>>>>
>>>>>>>>>> I don't think I've seen any issue of this
kind in our (WF/EAP)
>>>>>>>>>> configs except for the Elytron's
permission-mapping's. (If somebody knows
>>>>>>>>>> such components please let me know).
>>>>>>>>>> If I misunderstand the Elytron config model or
approaching this
>>>>>>>>>> from a wrong angle, please let me know.
>>>>>>>>>>
>>>>>>>>>> Question for the Elytron team: is the problem I
am describing
>>>>>>>>>> clear? Do you admit it as a problem?
>>>>>>>>>>
>>>>>>>>>> Thanks,
>>>>>>>>>> Alexey
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> wildfly-dev mailing list
>>>>>>> wildfly-dev(a)lists.jboss.org
>>>>>>>
https://lists.jboss.org/mailman/listinfo/wildfly-dev
>>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> Brian Stansberry
>>>>>> Manager, Senior Principal Software Engineer
>>>>>> Red Hat
>>>>>>
>>>>>