[keycloak-dev] triple abstraction?
Bill Burke
bburke at redhat.com
Tue Jul 8 13:14:35 EDT 2014
On 7/8/2014 12:01 PM, Stian Thorgersen wrote:
> I thought we where at an agreement with splitting the model. If that's not the case, and to be able to actually do a release sometime soon, I propose we just revert back to how it was before.
>
I did not know you were going to write a completely new persistence
abstraction underneath our existing persistence abstraction. I thought
the existing Model interfaces were going to be retained/refactored and
you were just going to split out how UserModel, Realm, and UserSessions
were looked up.
> For argument sake the benefits for this split include:
>
> * Users are what we need to federate, this split makes that a lot simpler IMO
> * Users are what people may want to store in their own schema, again this makes it a lot simpler IMO
> * Can store different things in different store types. For example realms in a json file, users in a relational database and sessions in a in-mem data-grid
> * Realms store can be changed if we need to. Relative quick and easy to export/import to update.
> * Users store shouldn't be changed frequently. Updating a database with 20 million entries is non-trivial
All you did to improve the 20 million use case was remove secondary key
constraints from UserEntity and UserRoleMappingEntity, which could have
been done in the existing model.
> * Model was getting pretty big and complex, with loads of tables. Splitting makes it simpler IMO
>
Bah! our data model is not complex!
Summary of my perspective
* Model API was written so that the implementation details of storage
wouldn't be exposed to the service layer. So, if we retired the Model
API in favor of using the Hybrid API, the service layer would be dealing
with user ids, role ids, realm ids, client ids, instead of UserModel,
RoleModel, RealmModel, and ClientModel.
* The Adapter classes existed to bridge between the Model API and the
persistence API. I think you lost that notion in the Hybrid model as it
is completely String ID based.
* The line between AuthentcationProvider and UserProvider is now blurred
and confusing as they both provide a mechanism to create and look up
users. I'm not even sure you could have a LDAP store that is both a
UserProvider and AuthenticationProvider.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
More information about the keycloak-dev
mailing list