4:55 p.m.
While this is addressed mainly to the Elytron team, it seems like we would
appreciate opinions from other colleagues since we are basically stuck
discussing possible ways to resolve
https://issues.jboss.org/browse/WFCORE-3596
The description in the jira is pretty brief assuming people know what that
is about, since it's been raised before multiple times. Here is what it is
about fundamentally.
If a configuration model (of a subsystem or any other component) includes a
list of configurable units (let's assume XML elements for simplicity) that
don't have any identity (unique id/name/path/etc) this is a big problem for
supporting patching and version updates preserving user configuration
changes. Or simply customizing the default config model using a tool. By a
big problem I mean it's simply not going to work reliably.
As a simple exercise that demonstrates the issue, imagine you have two
configs each of which includes a list of these configurable units that have
no identity. Now try to identify the difference between the two lists. Or
merge them with one overwriting the other. Basically components w/o an
identity can not be manipulated. You can only add them but not modify or
even remove (unless their index in the list is a constant value of course).
I don't think I've seen any issue of this kind in our (WF/EAP) configs
except for the Elytron's permission-mapping's. (If somebody knows such
components please let me know).
If I misunderstand the Elytron config model or approaching this from a
wrong angle, please let me know.
Question for the Elytron team: is the problem I am describing clear? Do you
admit it as a problem?
Thanks,
Alexey
5:15 p.m.
I think at the moment it is fair to say the issue manipulating the default
configuration is understood and agreed, a very minor change from an
administrator can prevent further automated modifications and the
modifications that are made need to duplicated as the current default
configuration.
We do have a proposal to move the default permissions into a new resource
permission-set which will be referenced by the mapper, this will be a
resource that is addressable by name. As subsystems are added to the
server this will be the single place to add the permissions, as subsystems
are removed this will be the single resource to remove the permission
from.
If an administrator has chosen to use their own permission mappings instead
of this permission set then they will not be affected by any automated
updates.
The change we have proposed will also be compatible with previous versions
using transformers as we can just in-line these permission sets in the
transformed model.
We have been at this stage a couple of times but although we have an option
to provide a single named resource that can be manipulated by patching this
does not seem to be sufficient - I think that is where the sticking point
is in achieving a solution for this.
Regards,
Darran Lofthouse.
On Fri, 23 Mar 2018 at 15:55 Alexey Loubyansky <alexey.loubyansky(a)redhat.com>
wrote:
While this is addressed mainly to the Elytron team, it seems like we
would
appreciate opinions from other colleagues since we are basically stuck
discussing possible ways to resolve
https://issues.jboss.org/browse/WFCORE-3596
The description in the jira is pretty brief assuming people know what that
is about, since it's been raised before multiple times. Here is what it is
about fundamentally.
If a configuration model (of a subsystem or any other component) includes
a list of configurable units (let's assume XML elements for simplicity)
that don't have any identity (unique id/name/path/etc) this is a big
problem for supporting patching and version updates preserving user
configuration changes. Or simply customizing the default config model using
a tool. By a big problem I mean it's simply not going to work reliably.
As a simple exercise that demonstrates the issue, imagine you have two
configs each of which includes a list of these configurable units that have
no identity. Now try to identify the difference between the two lists. Or
merge them with one overwriting the other. Basically components w/o an
identity can not be manipulated. You can only add them but not modify or
even remove (unless their index in the list is a constant value of course).
I don't think I've seen any issue of this kind in our (WF/EAP) configs
except for the Elytron's permission-mapping's. (If somebody knows such
components please let me know).
If I misunderstand the Elytron config model or approaching this from a
wrong angle, please let me know.
Question for the Elytron team: is the problem I am describing clear? Do
you admit it as a problem?
Thanks,
Alexey
6:20 p.m.
A solution to part of the problem mentioned in WFCORE-3596 that was
discussed is to introduce the concept of named permission sets. In
particular, instead of having a permission-mapping reference permissions,
it would instead reference named permission-sets. This would allow the
provisioning tool to be able to add/remove permissions to/from a default
permission-set based on the presence/absence of a specific subsystem when
generating the default configuration. However, as Alexey pointed out, this
doesn't solve the problem of knowing which permission-mapping a
permission-set should be added to when attempting to preserve user
configuration changes for patching, version updates, etc.
Thanks,
Farah
On Fri, Mar 23, 2018 at 11:55 AM, Alexey Loubyansky <
alexey.loubyansky(a)redhat.com> wrote:
While this is addressed mainly to the Elytron team, it seems like we
would
appreciate opinions from other colleagues since we are basically stuck
discussing possible ways to resolve https://issues.jboss.org/
browse/WFCORE-3596
The description in the jira is pretty brief assuming people know what that
is about, since it's been raised before multiple times. Here is what it is
about fundamentally.
If a configuration model (of a subsystem or any other component) includes
a list of configurable units (let's assume XML elements for simplicity)
that don't have any identity (unique id/name/path/etc) this is a big
problem for supporting patching and version updates preserving user
configuration changes. Or simply customizing the default config model using
a tool. By a big problem I mean it's simply not going to work reliably.
As a simple exercise that demonstrates the issue, imagine you have two
configs each of which includes a list of these configurable units that have
no identity. Now try to identify the difference between the two lists. Or
merge them with one overwriting the other. Basically components w/o an
identity can not be manipulated. You can only add them but not modify or
even remove (unless their index in the list is a constant value of course).
I don't think I've seen any issue of this kind in our (WF/EAP) configs
except for the Elytron's permission-mapping's. (If somebody knows such
components please let me know).
If I misunderstand the Elytron config model or approaching this from a
wrong angle, please let me know.
Question for the Elytron team: is the problem I am describing clear? Do
you admit it as a problem?
Thanks,
Alexey
6:28 p.m.
Why would the permission-mapping resource need to be modified by tooling?
The purpose of the named permission-set is that that becomes the resource
automatically manipulated, the permission mappings should not need to be
manipulated as they either will or will not already reference the
permission-set and that should be automatically changed.
Regards,
Darran Lofthouse.
On Fri, 23 Mar 2018 at 17:21 Farah Juma <fjuma(a)redhat.com> wrote:
A solution to part of the problem mentioned in WFCORE-3596 that was
discussed is to introduce the concept of named permission sets. In
particular, instead of having a permission-mapping reference permissions,
it would instead reference named permission-sets. This would allow the
provisioning tool to be able to add/remove permissions to/from a default
permission-set based on the presence/absence of a specific subsystem when
generating the default configuration. However, as Alexey pointed out, this
doesn't solve the problem of knowing which permission-mapping a
permission-set should be added to when attempting to preserve user
configuration changes for patching, version updates, etc.
Thanks,
Farah
On Fri, Mar 23, 2018 at 11:55 AM, Alexey Loubyansky <
alexey.loubyansky(a)redhat.com> wrote:
> While this is addressed mainly to the Elytron team, it seems like we
> would appreciate opinions from other colleagues since we are basically
> stuck discussing possible ways to resolve
> https://issues.jboss.org/browse/WFCORE-3596
>
> The description in the jira is pretty brief assuming people know what
> that is about, since it's been raised before multiple times. Here is what
> it is about fundamentally.
>
> If a configuration model (of a subsystem or any other component) includes
> a list of configurable units (let's assume XML elements for simplicity)
> that don't have any identity (unique id/name/path/etc) this is a big
> problem for supporting patching and version updates preserving user
> configuration changes. Or simply customizing the default config model using
> a tool. By a big problem I mean it's simply not going to work reliably.
>
> As a simple exercise that demonstrates the issue, imagine you have two
> configs each of which includes a list of these configurable units that have
> no identity. Now try to identify the difference between the two lists. Or
> merge them with one overwriting the other. Basically components w/o an
> identity can not be manipulated. You can only add them but not modify or
> even remove (unless their index in the list is a constant value of course).
>
> I don't think I've seen any issue of this kind in our (WF/EAP) configs
> except for the Elytron's permission-mapping's. (If somebody knows such
> components please let me know).
> If I misunderstand the Elytron config model or approaching this from a
> wrong angle, please let me know.
>
> Question for the Elytron team: is the problem I am describing clear? Do
> you admit it as a problem?
>
> Thanks,
> Alexey
>
6:49 p.m.
On Fri, Mar 23, 2018 at 6:20 PM, Farah Juma <fjuma(a)redhat.com> wrote:
A solution to part of the problem mentioned in WFCORE-3596 that was
discussed is to introduce the concept of named permission sets. In
particular, instead of having a permission-mapping reference permissions,
it would instead reference named permission-sets. This would allow the
provisioning tool to be able to add/remove permissions to/from a default
permission-set based on the presence/absence of a specific subsystem when
generating the default configuration. However, as Alexey pointed out, this
doesn't solve the problem of knowing which permission-mapping a
permission-set should be added to when attempting to preserve user
configuration changes for patching, version updates, etc.
Right. It does not change the permission-mappings, they remain to be a list
of items with no identity. Which is the fundamental problem.
Thanks,
Alexey
Thanks,
Farah
On Fri, Mar 23, 2018 at 11:55 AM, Alexey Loubyansky <
alexey.loubyansky(a)redhat.com> wrote:
> While this is addressed mainly to the Elytron team, it seems like we
> would appreciate opinions from other colleagues since we are basically
> stuck discussing possible ways to resolve https://issues.jboss.org/brows
> e/WFCORE-3596
>
> The description in the jira is pretty brief assuming people know what
> that is about, since it's been raised before multiple times. Here is what
> it is about fundamentally.
>
> If a configuration model (of a subsystem or any other component) includes
> a list of configurable units (let's assume XML elements for simplicity)
> that don't have any identity (unique id/name/path/etc) this is a big
> problem for supporting patching and version updates preserving user
> configuration changes. Or simply customizing the default config model using
> a tool. By a big problem I mean it's simply not going to work reliably.
>
> As a simple exercise that demonstrates the issue, imagine you have two
> configs each of which includes a list of these configurable units that have
> no identity. Now try to identify the difference between the two lists. Or
> merge them with one overwriting the other. Basically components w/o an
> identity can not be manipulated. You can only add them but not modify or
> even remove (unless their index in the list is a constant value of course).
>
> I don't think I've seen any issue of this kind in our (WF/EAP) configs
> except for the Elytron's permission-mapping's. (If somebody knows such
> components please let me know).
> If I misunderstand the Elytron config model or approaching this from a
> wrong angle, please let me know.
>
> Question for the Elytron team: is the problem I am describing clear? Do
> you admit it as a problem?
>
> Thanks,
> Alexey
>
6:55 p.m.
BTW, I want to highlight an important point here. I don't care about how it
will look like in the XML. It may remain this list in the XML. What I care
about is how it appears in the domain management model and its description.
Thanks,
Alexey
On Fri, Mar 23, 2018 at 6:49 PM, Alexey Loubyansky <
alexey.loubyansky(a)redhat.com> wrote:
On Fri, Mar 23, 2018 at 6:20 PM, Farah Juma <fjuma(a)redhat.com>
wrote:
> A solution to part of the problem mentioned in WFCORE-3596 that was
> discussed is to introduce the concept of named permission sets. In
> particular, instead of having a permission-mapping reference permissions,
> it would instead reference named permission-sets. This would allow the
> provisioning tool to be able to add/remove permissions to/from a default
> permission-set based on the presence/absence of a specific subsystem when
> generating the default configuration. However, as Alexey pointed out, this
> doesn't solve the problem of knowing which permission-mapping a
> permission-set should be added to when attempting to preserve user
> configuration changes for patching, version updates, etc.
>
Right. It does not change the permission-mappings, they remain to be a
list of items with no identity. Which is the fundamental problem.
Thanks,
Alexey
Thanks,
> Farah
>
> On Fri, Mar 23, 2018 at 11:55 AM, Alexey Loubyansky <
> alexey.loubyansky(a)redhat.com> wrote:
>
>> While this is addressed mainly to the Elytron team, it seems like we
>> would appreciate opinions from other colleagues since we are basically
>> stuck discussing possible ways to resolve https://issues.jboss.org/brows
>> e/WFCORE-3596
>>
>> The description in the jira is pretty brief assuming people know what
>> that is about, since it's been raised before multiple times. Here is what
>> it is about fundamentally.
>>
>> If a configuration model (of a subsystem or any other component)
>> includes a list of configurable units (let's assume XML elements for
>> simplicity) that don't have any identity (unique id/name/path/etc) this is
>> a big problem for supporting patching and version updates preserving user
>> configuration changes. Or simply customizing the default config model using
>> a tool. By a big problem I mean it's simply not going to work reliably.
>>
>> As a simple exercise that demonstrates the issue, imagine you have two
>> configs each of which includes a list of these configurable units that have
>> no identity. Now try to identify the difference between the two lists. Or
>> merge them with one overwriting the other. Basically components w/o an
>> identity can not be manipulated. You can only add them but not modify or
>> even remove (unless their index in the list is a constant value of course).
>>
>> I don't think I've seen any issue of this kind in our (WF/EAP) configs
>> except for the Elytron's permission-mapping's. (If somebody knows such
>> components please let me know).
>> If I misunderstand the Elytron config model or approaching this from a
>> wrong angle, please let me know.
>>
>> Question for the Elytron team: is the problem I am describing clear? Do
>> you admit it as a problem?
>>
>> Thanks,
>> Alexey
>>
>
>
6:56 p.m.
On Fri, 23 Mar 2018 at 17:50 Alexey Loubyansky <alexey.loubyansky(a)redhat.com>
wrote:
On Fri, Mar 23, 2018 at 6:20 PM, Farah Juma <fjuma(a)redhat.com>
wrote:
> A solution to part of the problem mentioned in WFCORE-3596 that was
> discussed is to introduce the concept of named permission sets. In
> particular, instead of having a permission-mapping reference permissions,
> it would instead reference named permission-sets. This would allow the
> provisioning tool to be able to add/remove permissions to/from a default
> permission-set based on the presence/absence of a specific subsystem when
> generating the default configuration. However, as Alexey pointed out, this
> doesn't solve the problem of knowing which permission-mapping a
> permission-set should be added to when attempting to preserve user
> configuration changes for patching, version updates, etc.
>
Right. It does not change the permission-mappings, they remain to be a
list of items with no identity. Which is the fundamental problem.
But why is that a problem? I think that is the piece still missing.
By moving the list of the permissions into a single named resource the
tooling no longer has a need to be performing the manipulation within the
simple permission mapper so that can be left to the administrator to look
after independently.
Thanks,
Alexey
Thanks,
> Farah
>
> On Fri, Mar 23, 2018 at 11:55 AM, Alexey Loubyansky <
> alexey.loubyansky(a)redhat.com> wrote:
>
>> While this is addressed mainly to the Elytron team, it seems like we
>> would appreciate opinions from other colleagues since we are basically
>> stuck discussing possible ways to resolve
>> https://issues.jboss.org/browse/WFCORE-3596
>>
>> The description in the jira is pretty brief assuming people know what
>> that is about, since it's been raised before multiple times. Here is what
>> it is about fundamentally.
>>
>> If a configuration model (of a subsystem or any other component)
>> includes a list of configurable units (let's assume XML elements for
>> simplicity) that don't have any identity (unique id/name/path/etc) this is
>> a big problem for supporting patching and version updates preserving user
>> configuration changes. Or simply customizing the default config model using
>> a tool. By a big problem I mean it's simply not going to work reliably.
>>
>> As a simple exercise that demonstrates the issue, imagine you have two
>> configs each of which includes a list of these configurable units that have
>> no identity. Now try to identify the difference between the two lists. Or
>> merge them with one overwriting the other. Basically components w/o an
>> identity can not be manipulated. You can only add them but not modify or
>> even remove (unless their index in the list is a constant value of course).
>>
>> I don't think I've seen any issue of this kind in our (WF/EAP) configs
>> except for the Elytron's permission-mapping's. (If somebody knows such
>> components please let me know).
>> If I misunderstand the Elytron config model or approaching this from a
>> wrong angle, please let me know.
>>
>> Question for the Elytron team: is the problem I am describing clear? Do
>> you admit it as a problem?
>>
>> Thanks,
>> Alexey
>>
>
>
9:52 p.m.
On Fri, Mar 23, 2018 at 12:56 PM, Darran Lofthouse <
darran.lofthouse(a)jboss.com> wrote:
On Fri, 23 Mar 2018 at 17:50 Alexey Loubyansky <
alexey.loubyansky(a)redhat.com> wrote:
> On Fri, Mar 23, 2018 at 6:20 PM, Farah Juma <fjuma(a)redhat.com> wrote:
>
>> A solution to part of the problem mentioned in WFCORE-3596 that was
>> discussed is to introduce the concept of named permission sets. In
>> particular, instead of having a permission-mapping reference permissions,
>> it would instead reference named permission-sets. This would allow the
>> provisioning tool to be able to add/remove permissions to/from a default
>> permission-set based on the presence/absence of a specific subsystem when
>> generating the default configuration. However, as Alexey pointed out, this
>> doesn't solve the problem of knowing which permission-mapping a
>> permission-set should be added to when attempting to preserve user
>> configuration changes for patching, version updates, etc.
>>
>
> Right. It does not change the permission-mappings, they remain to be a
> list of items with no identity. Which is the fundamental problem.
>
But why is that a problem? I think that is the piece still missing.
By moving the list of the permissions into a single named resource the
tooling no longer has a need to be performing the manipulation within the
simple permission mapper so that can be left to the administrator to look
after independently.
Is your question why is it a problem to give these things an identity? If
so, I have the same question, although I don't think Alexey's the one to
come up with the identity.
Or is your question why is not having an identity a problem? If so, is it
correct to say that getting rid of this bit of wrongness is the problem:
https://github.com/wildfly/wildfly-core/blob/master/elytron/src/main/reso...
Basically right there elytron is speculatively providing configuration
rightly owned by other subsystems. To do this correctly, each of those
permissions should be part of the config established by other parts of the
system. The provisioning tool is expected to do it correctly. And doing
that requires some sort of identity for each item in the set. . Installing
a feature should involve adding independent, identifiable chunks of config,
not manipulating an attribute of some chunk of config owned by a different
feature. Manipulating an attribute is not feasible and isn't correct.
>
> Thanks,
> Alexey
>
> Thanks,
>> Farah
>>
>> On Fri, Mar 23, 2018 at 11:55 AM, Alexey Loubyansky <
>> alexey.loubyansky(a)redhat.com> wrote:
>>
>>> While this is addressed mainly to the Elytron team, it seems like we
>>> would appreciate opinions from other colleagues since we are basically
>>> stuck discussing possible ways to resolve https://issues.jboss.org/
>>> browse/WFCORE-3596
>>>
>>> The description in the jira is pretty brief assuming people know what
>>> that is about, since it's been raised before multiple times. Here is
what
>>> it is about fundamentally.
>>>
>>> If a configuration model (of a subsystem or any other component)
>>> includes a list of configurable units (let's assume XML elements for
>>> simplicity) that don't have any identity (unique id/name/path/etc) this
is
>>> a big problem for supporting patching and version updates preserving user
>>> configuration changes. Or simply customizing the default config model using
>>> a tool. By a big problem I mean it's simply not going to work reliably.
>>>
>>> As a simple exercise that demonstrates the issue, imagine you have two
>>> configs each of which includes a list of these configurable units that have
>>> no identity. Now try to identify the difference between the two lists. Or
>>> merge them with one overwriting the other. Basically components w/o an
>>> identity can not be manipulated. You can only add them but not modify or
>>> even remove (unless their index in the list is a constant value of course).
>>>
>>> I don't think I've seen any issue of this kind in our (WF/EAP)
configs
>>> except for the Elytron's permission-mapping's. (If somebody knows
such
>>> components please let me know).
>>> If I misunderstand the Elytron config model or approaching this from a
>>> wrong angle, please let me know.
>>>
>>> Question for the Elytron team: is the problem I am describing clear? Do
>>> you admit it as a problem?
>>>
>>> Thanks,
>>> Alexey
>>>
>>
>>
_______________________________________________
wildfly-dev mailing list
wildfly-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/wildfly-dev
--
Brian Stansberry
Manager, Senior Principal Software Engineer
Red Hat
12:40 p.m.
Ok so lets switch this another way.
If the addition from other subsystems was to be eliminated is there still a
provisioning issue?
On Fri, 23 Mar 2018 at 20:52 Brian Stansberry <brian.stansberry(a)redhat.com>
wrote:
On Fri, Mar 23, 2018 at 12:56 PM, Darran Lofthouse <
darran.lofthouse(a)jboss.com> wrote:
> On Fri, 23 Mar 2018 at 17:50 Alexey Loubyansky <
> alexey.loubyansky(a)redhat.com> wrote:
>
>> On Fri, Mar 23, 2018 at 6:20 PM, Farah Juma <fjuma(a)redhat.com> wrote:
>>
>>> A solution to part of the problem mentioned in WFCORE-3596 that was
>>> discussed is to introduce the concept of named permission sets. In
>>> particular, instead of having a permission-mapping reference permissions,
>>> it would instead reference named permission-sets. This would allow the
>>> provisioning tool to be able to add/remove permissions to/from a default
>>> permission-set based on the presence/absence of a specific subsystem when
>>> generating the default configuration. However, as Alexey pointed out, this
>>> doesn't solve the problem of knowing which permission-mapping a
>>> permission-set should be added to when attempting to preserve user
>>> configuration changes for patching, version updates, etc.
>>>
>>
>> Right. It does not change the permission-mappings, they remain to be a
>> list of items with no identity. Which is the fundamental problem.
>>
>
> But why is that a problem? I think that is the piece still missing.
>
> By moving the list of the permissions into a single named resource the
> tooling no longer has a need to be performing the manipulation within the
> simple permission mapper so that can be left to the administrator to look
> after independently.
>
Is your question why is it a problem to give these things an identity? If
so, I have the same question, although I don't think Alexey's the one to
come up with the identity.
Or is your question why is not having an identity a problem? If so, is it
correct to say that getting rid of this bit of wrongness is the problem:
https://github.com/wildfly/wildfly-core/blob/master/elytron/src/main/reso...
Basically right there elytron is speculatively providing configuration
rightly owned by other subsystems. To do this correctly, each of those
permissions should be part of the config established by other parts of the
system. The provisioning tool is expected to do it correctly. And doing
that requires some sort of identity for each item in the set. . Installing
a feature should involve adding independent, identifiable chunks of config,
not manipulating an attribute of some chunk of config owned by a different
feature. Manipulating an attribute is not feasible and isn't correct.
>
>>
>> Thanks,
>> Alexey
>>
>> Thanks,
>>> Farah
>>>
>>> On Fri, Mar 23, 2018 at 11:55 AM, Alexey Loubyansky <
>>> alexey.loubyansky(a)redhat.com> wrote:
>>>
>>>> While this is addressed mainly to the Elytron team, it seems like we
>>>> would appreciate opinions from other colleagues since we are basically
>>>> stuck discussing possible ways to resolve
>>>> https://issues.jboss.org/browse/WFCORE-3596
>>>>
>>>> The description in the jira is pretty brief assuming people know what
>>>> that is about, since it's been raised before multiple times. Here is
what
>>>> it is about fundamentally.
>>>>
>>>> If a configuration model (of a subsystem or any other component)
>>>> includes a list of configurable units (let's assume XML elements for
>>>> simplicity) that don't have any identity (unique id/name/path/etc)
this is
>>>> a big problem for supporting patching and version updates preserving
user
>>>> configuration changes. Or simply customizing the default config model
using
>>>> a tool. By a big problem I mean it's simply not going to work
reliably.
>>>>
>>>> As a simple exercise that demonstrates the issue, imagine you have two
>>>> configs each of which includes a list of these configurable units that
have
>>>> no identity. Now try to identify the difference between the two lists.
Or
>>>> merge them with one overwriting the other. Basically components w/o an
>>>> identity can not be manipulated. You can only add them but not modify or
>>>> even remove (unless their index in the list is a constant value of
course).
>>>>
>>>> I don't think I've seen any issue of this kind in our (WF/EAP)
configs
>>>> except for the Elytron's permission-mapping's. (If somebody knows
such
>>>> components please let me know).
>>>> If I misunderstand the Elytron config model or approaching this from a
>>>> wrong angle, please let me know.
>>>>
>>>> Question for the Elytron team: is the problem I am describing clear?
>>>> Do you admit it as a problem?
>>>>
>>>> Thanks,
>>>> Alexey
>>>>
>>>
>>>
> _______________________________________________
> wildfly-dev mailing list
> wildfly-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/wildfly-dev
>
--
Brian Stansberry
Manager, Senior Principal Software Engineer
Red Hat
10:39 p.m.
Apparently all your responses to this thread Darran didn't show up in my
view of the thread. No idea why. If not Brian's response to your email I
wouldn't have found out that.
Copying your email from the list archive:
"But why is that a problem? I think that is the piece still missing.
By moving the list of the permissions into a single named resource the
tooling no longer has a need to be performing the manipulation within the
simple permission mapper so that can be left to the administrator to look
after independently."
It doesn't work like that. It's not like "you can manage this part of the
config and this part should be left out".
About the permission-mappings and why this list is a problem. We need to be
able to compute a diff between two Elytron subsystem configs. They may
match, may be slightly different, may be completely different. To do that
we need to be able to identify comparable pieces the config consists of.
Named permission-sets are no problem. Now I get to the list of
permission-mappings, as it is a part of the Elytron's subsystem config. How
can I compare these lists?
Well, naturally a list is a collection of items in a specific order. So
what I am going to do is assume that I should be comparing the items in the
order they appear in two lists. And generate the diff based on that order.
Which in some cases will be useless. The thing is that, I will not only be
calculating the diff I will also be applying it to the config. In some
cases the result will be pretty much unexpected. Does it make any sense to
you?
Thanks,
Alexey
On Fri, Mar 23, 2018 at 6:49 PM, Alexey Loubyansky <
alexey.loubyansky(a)redhat.com> wrote:
On Fri, Mar 23, 2018 at 6:20 PM, Farah Juma <fjuma(a)redhat.com>
wrote:
> A solution to part of the problem mentioned in WFCORE-3596 that was
> discussed is to introduce the concept of named permission sets. In
> particular, instead of having a permission-mapping reference permissions,
> it would instead reference named permission-sets. This would allow the
> provisioning tool to be able to add/remove permissions to/from a default
> permission-set based on the presence/absence of a specific subsystem when
> generating the default configuration. However, as Alexey pointed out, this
> doesn't solve the problem of knowing which permission-mapping a
> permission-set should be added to when attempting to preserve user
> configuration changes for patching, version updates, etc.
>
Right. It does not change the permission-mappings, they remain to be a
list of items with no identity. Which is the fundamental problem.
Thanks,
Alexey
Thanks,
> Farah
>
> On Fri, Mar 23, 2018 at 11:55 AM, Alexey Loubyansky <
> alexey.loubyansky(a)redhat.com> wrote:
>
>> While this is addressed mainly to the Elytron team, it seems like we
>> would appreciate opinions from other colleagues since we are basically
>> stuck discussing possible ways to resolve https://issues.jboss.org/brows
>> e/WFCORE-3596
>>
>> The description in the jira is pretty brief assuming people know what
>> that is about, since it's been raised before multiple times. Here is what
>> it is about fundamentally.
>>
>> If a configuration model (of a subsystem or any other component)
>> includes a list of configurable units (let's assume XML elements for
>> simplicity) that don't have any identity (unique id/name/path/etc) this is
>> a big problem for supporting patching and version updates preserving user
>> configuration changes. Or simply customizing the default config model using
>> a tool. By a big problem I mean it's simply not going to work reliably.
>>
>> As a simple exercise that demonstrates the issue, imagine you have two
>> configs each of which includes a list of these configurable units that have
>> no identity. Now try to identify the difference between the two lists. Or
>> merge them with one overwriting the other. Basically components w/o an
>> identity can not be manipulated. You can only add them but not modify or
>> even remove (unless their index in the list is a constant value of course).
>>
>> I don't think I've seen any issue of this kind in our (WF/EAP) configs
>> except for the Elytron's permission-mapping's. (If somebody knows such
>> components please let me know).
>> If I misunderstand the Elytron config model or approaching this from a
>> wrong angle, please let me know.
>>
>> Question for the Elytron team: is the problem I am describing clear? Do
>> you admit it as a problem?
>>
>> Thanks,
>> Alexey
>>
>
>
2:40 p.m.
I run through Elytron subsystem and there are other "suspicious"
resources [1]. How it is guaranteed name/id/path attributes of
collections are unique identifiers? On subsystem code level? Because
this information is not in the model, as far as I know.
Is it possible to declare compound unique-key? I mean for example to
say that for permission resource (class-name,module) tuple is unique
key.
[1]
configurable-sasl-server-factory/filters
configurable-http-server-mechanism-factory/filters
sasl-authentication-factory/mechanism-configurations
sasl-authentication-factory/mechanism-configurations/mechanism-realm-configurations
http-authentication-factory/mechanism-configurations
http-authentication-factory/mechanism-configurations/mechanism-realm-configurations
mechanism-provider-filtering-sasl-server-factory/filters
ldap-realm/identity-mapping/attribute-mapping
jdbc-realm/principal-query
jdbc-realm/principal-query/attribute-mapping
security-domain/realms
On Fri, Mar 23, 2018 at 4:55 PM, Alexey Loubyansky
<alexey.loubyansky(a)redhat.com> wrote:
While this is addressed mainly to the Elytron team, it seems like we
would
appreciate opinions from other colleagues since we are basically stuck
discussing possible ways to resolve
https://issues.jboss.org/browse/WFCORE-3596
The description in the jira is pretty brief assuming people know what that
is about, since it's been raised before multiple times. Here is what it is
about fundamentally.
If a configuration model (of a subsystem or any other component) includes a
list of configurable units (let's assume XML elements for simplicity) that
don't have any identity (unique id/name/path/etc) this is a big problem for
supporting patching and version updates preserving user configuration
changes. Or simply customizing the default config model using a tool. By a
big problem I mean it's simply not going to work reliably.
As a simple exercise that demonstrates the issue, imagine you have two
configs each of which includes a list of these configurable units that have
no identity. Now try to identify the difference between the two lists. Or
merge them with one overwriting the other. Basically components w/o an
identity can not be manipulated. You can only add them but not modify or
even remove (unless their index in the list is a constant value of course).
I don't think I've seen any issue of this kind in our (WF/EAP) configs
except for the Elytron's permission-mapping's. (If somebody knows such
components please let me know).
If I misunderstand the Elytron config model or approaching this from a wrong
angle, please let me know.
Question for the Elytron team: is the problem I am describing clear? Do you
admit it as a problem?
Thanks,
Alexey
_______________________________________________
wildfly-dev mailing list
wildfly-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/wildfly-dev
6:17 p.m.
Hi Martin,
thanks for the list. Right, some of those suffer from the same problem and
some seem to have an identity (not explicitly expressed since we don't have
a way to do that for a member of a complex type yet but once we do it won't
be a problem).
Ok, I had a hope we were going to address these relatively quick (given
that the issue was raised back in autumn). I don't see it happening next
month neither. So for now I am going to handle these kind of config
structures (i.e. lists of complex types) as atomic pieces (although
potentially big). They won't be mergeable during updates but one will be
replacing completely the other with the one coming in last winning.
In perspective though, I think this is going to remain a critical issue.
Thanks,
Alexey
On Mon, Mar 26, 2018 at 2:40 PM, Martin Choma <mchoma(a)redhat.com> wrote:
I run through Elytron subsystem and there are other
"suspicious"
resources [1]. How it is guaranteed name/id/path attributes of
collections are unique identifiers? On subsystem code level? Because
this information is not in the model, as far as I know.
Is it possible to declare compound unique-key? I mean for example to
say that for permission resource (class-name,module) tuple is unique
key.
[1]
configurable-sasl-server-factory/filters
configurable-http-server-mechanism-factory/filters
sasl-authentication-factory/mechanism-configurations
sasl-authentication-factory/mechanism-configurations/mechani
sm-realm-configurations
http-authentication-factory/mechanism-configurations
http-authentication-factory/mechanism-configurations/mechani
sm-realm-configurations
mechanism-provider-filtering-sasl-server-factory/filters
ldap-realm/identity-mapping/attribute-mapping
jdbc-realm/principal-query
jdbc-realm/principal-query/attribute-mapping
security-domain/realms
On Fri, Mar 23, 2018 at 4:55 PM, Alexey Loubyansky
<alexey.loubyansky(a)redhat.com> wrote:
> While this is addressed mainly to the Elytron team, it seems like we
would
> appreciate opinions from other colleagues since we are basically stuck
> discussing possible ways to resolve
> https://issues.jboss.org/browse/WFCORE-3596
>
> The description in the jira is pretty brief assuming people know what
that
> is about, since it's been raised before multiple times. Here is what it
is
> about fundamentally.
>
> If a configuration model (of a subsystem or any other component)
includes a
> list of configurable units (let's assume XML elements for simplicity)
that
> don't have any identity (unique id/name/path/etc) this is a big problem
for
> supporting patching and version updates preserving user configuration
> changes. Or simply customizing the default config model using a tool. By
a
> big problem I mean it's simply not going to work reliably.
>
> As a simple exercise that demonstrates the issue, imagine you have two
> configs each of which includes a list of these configurable units that
have
> no identity. Now try to identify the difference between the two lists. Or
> merge them with one overwriting the other. Basically components w/o an
> identity can not be manipulated. You can only add them but not modify or
> even remove (unless their index in the list is a constant value of
course).
>
> I don't think I've seen any issue of this kind in our (WF/EAP) configs
> except for the Elytron's permission-mapping's. (If somebody knows such
> components please let me know).
> If I misunderstand the Elytron config model or approaching this from a
wrong
> angle, please let me know.
>
> Question for the Elytron team: is the problem I am describing clear? Do
you
> admit it as a problem?
>
> Thanks,
> Alexey
>
> _______________________________________________
> wildfly-dev mailing list
> wildfly-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/wildfly-dev
2221
days inactive
2225
days old
11 comments
6 participants
participants (6)
-
Alexey Loubyansky -
Brian Stansberry -
Darran Lofthouse -
Darran Lofthouse -
Farah Juma -
Martin Choma