Project

General

Profile

Actions

Task #1972

closed

Export - import -(Role, System, IdM configuration)

Added by Vít Švanda about 5 years ago. Updated over 4 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Vít Švanda
Category:
Export Import
Target version:
Start date:
12/04/2019
Due date:
% Done:

100%

Estimated time:
120.00 h
Owner:
Actions #1

Updated by Vít Švanda about 5 years ago

  • Estimated time set to 160.00 h
Actions #2

Updated by Vít Švanda about 5 years ago

  • Estimated time changed from 160.00 h to 120.00 h
Actions #3

Updated by Vít Švanda almost 5 years ago

  • Status changed from New to In Progress
Actions #4

Updated by Vít Švanda almost 5 years ago

  • % Done changed from 0 to 20
Actions #5

Updated by Vít Švanda almost 5 years ago

  • % Done changed from 20 to 30
Actions #6

Updated by Vít Švanda almost 5 years ago

  • % Done changed from 30 to 50

Conclusion from presentation:

  • Authoritative mode should be turned off.
  • Only EAV attributes mapped in attribute should be exported (not all definition as now).
  • Problem with wrong charset was discovered.
  • Structured logs are required (not only count of object).
Actions #7

Updated by Vít Švanda almost 5 years ago

I found problem if many different systems are imported to new IdM:

  • If one system doesn't have created schema, mapping, sync and second has, then export order in manifest is wrong.
  • If one system has sync for identity and second for contracts, then all syncs are deleting. Problem is with inheritance of different sync types.

I found solution for this ... I hope ..

Actions #8

Updated by Vít Švanda almost 5 years ago

  • Target version changed from 10.1.0 to 10.2.0
Actions #9

Updated by Vít Švanda almost 5 years ago

I started implementing an advanced paring field strategy = searching a entity by code from field in a DTO (in batch).

  • I have extended the export descriptor for field fields to support this strategy.
  • I need to distribute the target DTO as embedded data in the batch.
  • I now have an obstacle to deserialization built into DTO.
Actions #10

Updated by Vít Švanda almost 5 years ago

  • I implemented mechanism for make some DTO optional. It means in some cases we need to continue if some exported DTO was not found on target system. For example SysRoleSystem (only some roles was exported from test to production, not all, but we don't want stop whole import of systems).
  • Advanced pairing mode was used in system-break-recipient (for role and identity field).
  • Only related (defined in system-attribute-mapping) attribute definition is exported now.
Actions #11

Updated by Vít Švanda almost 5 years ago

  • I implemented import for DTO with tree structures (because role-catalogue). -> I implemented detection of DTO type with itself type relation and sorting by "parentId".
  • I started with export of roles:
    • Role,
    • EAVs,
    • Bussines roles,
    • Incompatible roles,
    • role-catalogue (include catalogue itself),
    • guarantees by identity,
    • guarantees by role,
    • permissions.
  • In role is not implemented export for: Definition of role attributes, automatic roles.
Actions #12

Updated by Vít Švanda almost 5 years ago

  • Export of role attributes (and parent definition) implemented.
  • I started with implementation of loging imports events and presentation to the user.
Actions #13

Updated by Vít Švanda almost 5 years ago

  • % Done changed from 50 to 60
  • I implemented persisting of import logs for modified DTOs as JSON file (next attachment). I had to create BaseDtoDeserializer for deserialize BaseDto from this log file.
  • I added new property to the AbstractDto "_dtotype". This property keeps DTO class type (uses in the BaseDtoDeserializer).
  • I had problem with deserializing of sync config DTOs, because property "_type" is not persisted. I made HARD workaround in BaseDtoDeserializer for this usecase (now works fine).
Actions #14

Updated by Vít Švanda almost 5 years ago

Dry run mode is implemented.

Actions #15

Updated by Vít Švanda almost 5 years ago

- Implemented check: Only admin can execute import.
- UI: sorting by type and operation, add column with content of batch.

Actions #16

Updated by Vít Švanda almost 5 years ago

  • % Done changed from 60 to 70
Actions #17

Updated by Vít Švanda almost 5 years ago

- Implemented check on READ permission for all exported DTOs. Only whole role/system can be exported now.
- Added filter on type, operation to import log table.
- Fixed problem with load the log tree.

Actions #18

Updated by Vít Švanda almost 5 years ago

  • Import task show count now,
  • created change scripts for Postgres and MSSQL,
  • detail for Import extracted to the new component.
Actions #19

Updated by Vít Švanda almost 5 years ago

- First tests for exporte implemented.
- 5 info cards for system entities implemented.
- Integrity for LRT implemented.

Actions #20

Updated by Vít Švanda almost 5 years ago

  • 3 info cards (compositions, incompatibilities, permissions) implemented
  • Advanced paring for business and incompatible roles implemented.
  • Fixies
Actions #21

Updated by Vít Švanda almost 5 years ago

  • 5 Business cards implemented.
  • Implemented skip for not found DTO during Dry-run mode.
  • Fixed order in export for role-catalog.
  • Added parent relation to the catalog export.
Actions #22

Updated by Vít Švanda almost 5 years ago

  • Added paging to tree,
  • Zip name using batch name now,
  • Advanced paring implemented for guarantee by identity and role.
  • Result codes (during dryrun) improved.
Actions #23

Updated by Vít Švanda almost 5 years ago

  • Added filter by operationState (to import logs),
  • Not_executed logs has correct result code now.
  • Fixed problem with duplicated import's logs in dry run mode (syncs).
Actions #24

Updated by Vít Švanda almost 5 years ago

Actions #25

Updated by Vít Švanda almost 5 years ago

I created next 3 tests for role export (for check incompatibilities, guarantors by identity, guarantor by role).

Actions #26

Updated by Vít Švanda almost 5 years ago

  • I completed tests for role and created 12 new tests for export/import systems.
  • Remains tests for export of configurations and documentation.
Actions #27

Updated by Vít Švanda almost 5 years ago

  • % Done changed from 70 to 80
Actions #28

Updated by Vít Švanda almost 5 years ago

  • Fixed problem with export empty system (without connector).
  • Implemented tests for export and import configurations.
  • I have problem with test DefaultAttachmentManagerIntegrationTest doesn't pass.

I merged all changes to the develop.

Commit: https://github.com/bcvsolutions/CzechIdMng/commit/9433b3d0653ae9757c76bae6a59f3a12019a07b2

Actions #29

Updated by Vít Švanda almost 5 years ago

  • I fixed problem with export password in application configurations.
Actions #30

Updated by Vít Švanda almost 5 years ago

  • Status changed from In Progress to Needs feedback
  • Assignee changed from Vít Švanda to Radek Tomiška
  • % Done changed from 80 to 90
Actions #31

Updated by Vít Švanda almost 5 years ago

I solved problem with the failed test "DefaultAttachmentManagerIntegrationTest.testCreateAndPurgeTempFiles". Test fail was caused by export/import feature. I use temp directory for work with batch. Purge function deleting only file with extension ".tmp" so my batchs were not deleted.

I modified Export and Import for cleaning this temp files directly. I had to modified "testCreateAndPurgeTempFiles" too, because some temp files are deleted after IdM is trunned off. After that some empty directories remains -> This directories are skip in the test now.

Commit: https://github.com/bcvsolutions/CzechIdMng/commit/78b86610e9e7f545fe4027fc80a027e80c49f054

Actions #33

Updated by Radek Tomiška over 4 years ago

  • Category set to Export Import
  • Status changed from Needs feedback to In Progress
  • Assignee changed from Radek Tomiška to Vít Švanda

I did test and review. This feature is very complex, good job. A lot of new info card were added, awesome. Icon was added to some agendas, cool.

Review notes:
Major:
- RoleExportBulkAction#exportEAVs - AUTOCOMPLETE permission should be used for loading form definitions (you not work with form definitions itself, you read values only, FE and other places are secured the same way). READ permission will gain access to form definition agenda on the other hand.
- SystemExportBulkAction#exportDto - systemService.get(dto.getId(), IdmBasePermission.READ, IdmBasePermission.UPDATE) can be used istead evaluating permissions twice (permissions to evaluate (AND)).
- I'm not sure, why system export requires UPDATE permission too, when other exports not?
- authorization policies configuration notes missing in documentation (export agenda and each export - how to enable).
- DefaultIdmImportLogService#saveDistinct - @Transactional is missing.
- IdmExportImportController#uploadImport - is not secured by authorization policies (authority is given olny).
- IdmExportImportController#download is not secured by authority (but authorization policies are ok).
- Result code localization is missiong (e.g. IMPORT_VALIDATION_FAILED_NO_MANIFEST, EXPORT_ZIP_FAILED)
Minor:
- czech documetation is forgotten: https://wiki.czechidm.com/devel/documentation/adm/export_import#export_descriptors :)
- export modularity is not implemented (future improvement in wiki can be noted or related ticket can be created).
- ExportManager#exportDTO - camelCase should be used in method name (camelCase is used in other places, e.g. IdmExportImportDto#getExportedDtos, AbstractExportBulkAction#exportDto).
- RoleExportBulkAction#exportEAVs - camelCase should be used in method name.
- ImportContext#setImportLRT, getImportLRT - camelCase should be used in method name (maybe 'setImportTaskExecutor' can be used, is not task itself).
- ExportManager#BLANK_UUID - could by defined as UUID instead String - UUID.fromString(ExportManager.BLANK_UUID) will not be necessary(called in every usage).
- AbstractExportBulkAction#OWNER_TYPE - LookupService#getOwnerType method can be used instead hardcoded string.
- ReadDtoService#export - javadoc is missing
- IdmFormInstanceDto - id was added equlas form definition id, so id should be consistent, if formdefinition is changed (set id together with form definition).
- DefaultIdmImportLogService#toDto - the same note as here #2014 :)
- DefaultImportManager#executeImport - is secured internally for admins. BasePermission can be added into api instead. Then can be used from controller layer only (=> the same pattern as other services). Maybe prepared CoreGroupPermission#EXPORTIMPORT group with ADMIN permission could be use too (prevent to any customer have some dangerous APP_ADMIN user).
- AbstractEntityInfo#getNiceLabel - UiUtils can be used for short text.
Notes only:
- i removed reverted external identifiers used in filters, fix some typos, css etc. - https://github.com/bcvsolutions/CzechIdMng/commit/4fced78a0a787931686d32e82760489c211593e8
- export - show full detail link leeds to whole agenda, modal can be opened automatically (future).
- cancel import button can be added in future - e.q. if some user accidentially starts different (and big) import (or dry run).
- is not good to test import large data on environment with in memory h2 database :)

I'm was not able to review it row by row, just notes what blinked into my eyes and they are different that our coding conventions.
I'm not sure any other developer will be able to add this awesome feature to other agenda (what methods and actions has to be implemented, added etc.. maybe quick notes as developer guide will be suffiscient only).

Actions #34

Updated by Vít Švanda over 4 years ago

- ☑ RoleExportBulkAction#exportEAVs - I don't aggre with add the AUTOCOMPLETE, because I exporting form value and also form definition on this place. But correct way should be remove also READ permission, because I checking READ permissions after DTO is exported, so thanks for the hint. AUTOCOMPLETE permission should be used for loading form definitions (you not work with form definitions itself, you read values only, FE and other places are secured the same way). READ permission will gain access to form definition agenda on the other hand.
- ✅ UPDATE permission was removed SystemExportBulkAction#exportDto - systemService.get(dto.getId(), IdmBasePermission.READ, IdmBasePermission.UPDATE) can be used istead evaluating permissions twice (permissions to evaluate (AND)).
- ✅ UPDATE permission was removed - I'm not sure, why system export requires UPDATE permission too, when other exports not?
- ✅ Documentation added here: https://wiki.czechidm.com/devel/documentation/adm/export_import#authorization_policies. authorization policies configuration notes missing in documentation (export agenda and each export - how to enable).
- ✅ DefaultIdmImportLogService#saveDistinct - @Transactional is missing.
- ✅ IdmExportImportController#uploadImport - is not secured by authorization policies (authority is given olny).
- ✅ IdmExportImportController#download is not secured by authority (but authorization policies are ok).
- ✅ Result code localization is missiong (e.g. IMPORT_VALIDATION_FAILED_NO_MANIFEST, EXPORT_ZIP_FAILED)

Minor:
- ✅ czech documetation is forgotten: https://wiki.czechidm.com/devel/documentation/adm/export_import#export_descriptors :)
- ✅ export modularity is not implemented (future improvement in wiki can be noted or related ticket can be created).
- ✅ ExportManager#exportDTO - camelCase should be used in method name (camelCase is used in other places, e.g. IdmExportImportDto#getExportedDtos, AbstractExportBulkAction#exportDto).
- ✅ RoleExportBulkAction#exportEAVs - camelCase should be used in method name.
- ✅ ImportContext#setImportLRT, getImportLRT - camelCase should be used in method name (maybe 'setImportTaskExecutor' can be used, is not task itself).
- ✅ ExportManager#BLANK_UUID - could by defined as UUID instead String - UUID.fromString(ExportManager.BLANK_UUID) will not be necessary(called in every usage).
- ✅ Nice hint._AbstractExportBulkAction#OWNER_TYPE - LookupService#getOwnerType method can be used instead hardcoded string._
- ✅ ReadDtoService#export - javadoc is missing
- ❓IdmFormInstanceDto - id was added equlas form definition id, so id should be consistent, if formdefinition is changed (set id together with form definition).
- :-) DefaultIdmImportLogService#toDto - the same note as here #2014 :)
- ❎ Use APP_ADMIN was a agreement. But in future can be this improve how you suggesting. DefaultImportManager#executeImport - is secured internally for admins. BasePermission can be added into api instead. Then can be used from controller layer only (=> the same pattern as other services). Maybe prepared CoreGroupPermission#EXPORTIMPORT group with ADMIN permission could be use too (prevent to any customer have some dangerous APP_ADMIN user).
- AbstractEntityInfo#getNiceLabel - UiUtils can be used for short text.

Commit: https://github.com/bcvsolutions/CzechIdMng/commit/115725b5db390b2d5940100c5de22d342f5a5351

Actions #35

Updated by Vít Švanda over 4 years ago

  • Status changed from In Progress to Needs feedback
  • Assignee changed from Vít Švanda to Radek Tomiška
Actions #36

Updated by Radek Tomiška over 4 years ago

  • Status changed from Needs feedback to Resolved
  • Assignee changed from Radek Tomiška to Vít Švanda
  • % Done changed from 90 to 100

I've added permissions to public ExportManager methods callable from controllers. Export / import admin is needed now only.

Commit:
https://github.com/bcvsolutions/CzechIdMng/commit/1f4136be117a4a6b9962b3a77f5b39125b885708

Actions #37

Updated by Radek Tomiška over 4 years ago

  • Status changed from Resolved to Closed
Actions

Also available in: Atom PDF