directory-fortress mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Vyacheslav Vakhlyuev <>
Subject [Apache Fortress] [FC-144] Questions on implementation of Role-to-Group relationship
Date Wed, 17 Aug 2016 16:15:18 GMT
Hi all,
I have recently started working on performing an integration between
Openstack Keystone and Fortress Core. Specifically, this improvement:

I am trying to figure out what would be the best way to create and manage
Group-to-Role relationship without major modifications of existing source
The source code inspection gave me the list of following questions.

1. There's a UserRole class, which is used to represent a relationship
between userId and name of the role assigned to this user. The list of such
UserRole entities is used inside User entity and as method argument for
many other entities like SDUtil, UserDAO etc.
        Q1. Should I create a similar GroupRole class and override existing
methods in auxiliary/utility classes like SDUtil? Or would it be a better
solution to introduce a boolean switch inside UserRole class and rename
userId field to memberId?
2. Currently Session entity only assumes User and UserRoles. The same set
of classes is used to test permissions inside checkAccess(Session,
Permission). Also, during the Session creation, a User should exist in
USERS pool, even when Session is trusted.
        Q2. Should I create a boolean switch distinguishing between Group
and User in Session object and modify methods like Session.getRoles()
return list of UserRoles or GroupRoles based on the switch value?
        Q3. In case of groups, Session is trusted and there's no password. What
would be the correct behavior for Session creation in this case? Just to
check the group with required name exists in GROUPS pool?
3. LDAP schema modifications. I assume that I will need to add attributes
similar to "ftRA" and "ftRC" to Group object class. I will also need an
attribute like "roleOccupant" in Role object class.
        Q4. Should I reuse existing attributes with or create a set of new
attrs intented to be used specifically for Groups? Like "ftGRA", "gtGRC"?
        Q5. Should I create "groupRoleOccupant" attribute in Role object
class? It seems that I can't reuse the existing one to store Groups having
this Role assigned.
4. Utility classes modifications. It seems that almost all utility classes
that work with User and Role objects (SDUtil, RoleUtil etc.) accept
UserRole as argument.
        Q6. I assume that I'll need to overload methods in these classes to
accept GroupRole. Is it correct or is there another way?
5. Delegated Admin functionality.
        Q7. Do we need to modify this in case we introduce Role for Groups?

As you see, I have a lot of questions and I would appreciate getting some
development guidelines and best practices. Actually, any advises are
greatly appreciated.
Thank you in advance!

Kind Regards,
Vyacheslav Vakhlyuev
Software Engineer
Mirantis, Inc
Skype: vahluev.vyacheslav

  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message