Task #2883

Cross-domains

Added by Vít Švanda 3 months ago. Updated 29 days ago.

Status: Closed
Priority: High
Assignee: Vít Švanda
Category: Systems
Target version:
Start date: 07/12/2021
Due date:
% Done: 100%
Estimated time:
Milestones:

Related issues

Related to CzechIdM - Task #2875: Cross-domains - analysis (Closed, 07/08/2021)

History

#2 Updated by Vít Švanda 3 months ago

  • Related to Task #2875: Cross-domains - analysis added

#3 Updated by Vít Švanda 3 months ago

  • Priority changed from Normal to High

#4 Updated by Vít Švanda 3 months ago

  • Status changed from New to In Progress

#5 Updated by Vít Švanda 3 months ago

  • % Done changed from 0 to 10

#6 Updated by Vít Švanda 3 months ago

  • % Done changed from 10 to 30
  • Automatic and business roles create accounts even if default creation is disabled!
  • Role deduplication supports idm-role-system now.
  • Concept detail shows the system (in edit mode too).

#7 Updated by Vít Švanda 3 months ago

The system is displayed in the IdentityRole table. The IdentityRole table now has configurable columns.

#8 Updated by Vít Švanda 2 months ago

  • % Done changed from 30 to 40

#9 Updated by Vít Švanda 2 months ago

  • % Done changed from 40 to 50

#10 Updated by Vít Švanda 2 months ago

  • % Done changed from 50 to 60

#11 Updated by Vít Švanda about 2 months ago

I found a big issue with overriding attributes in the case where the UID attribute is overridden. In this scenario, I am unable to evaluate which group (to which account) the attribute belongs to because I don't have a link between the account and the identity. As a workaround, I made a decision/constraint:

A role that is in a cross-domain group and/or is no-login cannot overload a UID attribute.

The implementation solves the problem by looking up the overloaded attributes to see if any of the standard attributes overloads the UID attribute; if so, I don't look for any additional attributes. If not, I find any attributes that are in a cross-domain group or are no-login.

#12 Updated by Vít Švanda about 2 months ago

  • % Done changed from 60 to 70

Solved problem with IdmRoleThin entity. Disable filter validation in IC module.

#13 Updated by Vít Švanda about 2 months ago

With Roman, we successfully tested cross-domains using IdM and the WinRM connector together.
  • I implemented first 3 tests for cross-domains in IdM.

#14 Updated by Vít Švanda about 2 months ago

  • After discussion, I implemented a new feature. Values from other cross-domain systems are now returned on FE (on the detail of an Account).
  • Provisioning was redesigned for this feature and to prevent useless loading (performance).
  • Another complex test for cross-domains was added.

#15 Updated by Vít Švanda about 2 months ago

  • % Done changed from 70 to 80
  • Implemented next tests for cross-domains and no-login role feature.
  • I changed implementation for automatic and business role - accounts are not created now (for roles in cross-domain groups or for no-login roles).
  • Tests for automatic and business roles implemented too.

All changes are merged in the develop now.
Commit: https://github.com/bcvsolutions/CzechIdMng/commit/dfc8c58f400c4854602c4d4deb4318fddd479d01

#17 Updated by Vít Švanda about 2 months ago

  • Status changed from In Progress to Needs feedback
  • Assignee changed from Vít Švanda to Radek Tomiška
  • % Done changed from 80 to 90

#18 Updated by Radek Tomiška about 1 month ago

  • Status changed from Needs feedback to In Progress
  • Assignee changed from Radek Tomiška to Vít Švanda

I did a code review and tested basic functionality. The feature is really complex, good job.

I found only minor review notes:
- [minor] MSSQL change script - varchar data type is forgotten for description (=> nvarchar(2000))
- [minor] SYSTEMGROUP - ADMIN permission is missing in enumeration (=> item missing on FE for configuration)
- [minor] DefaultSysSystemGroupSystemService#saveInternal - @Transactional annotation is missing
- [minor] I like that assigned role table columns are configurable now, awesome! Please add the new configuration property with available columns description into doc https://wiki.czechidm.com/devel/documentation/application_configuration/dev/backend#applicationserver
- [trivial] IdmRoleSystemFilter - constructors are before fields
- [trivial] SystemGroup and SystemGroupService share the same permission group - I'm not sure if this will work in all use cases (~ on FE are two permissions anyway)
- [trivial] Help icon is missing on filter with like usage in system group agenda
- [note only] I like count method usage, this can improve performance.
- [note only] I like newly created data filters (e.g. SysSystemGroupSystemFilter.java ), thx :) !
- [note only] Warnings are in code (unused imports, unused fields, missing serial version id etc.)
- [note only] Rest test for newly created controllers (e.g. SysSystemGroupController) and bulk actions are missing (~ find / getPredicates method is not fully tested)
- [note only] #applyContext method can be used instead #toDto method (~ no functional impact, just possibility to arrange code)

#19 Updated by Vít Švanda about 1 month ago

  • Status changed from In Progress to Needs feedback
  • Assignee changed from Vít Švanda to Radek Tomiška

Thanks for the feedback. You have a good eye (MS SQL script for example).

I fixed all minor and trivial issues (I hope) and I tried to remove all unused imports.

Commits:

https://github.com/bcvsolutions/CzechIdMng/commit/a2e1799bdc63b0a9c26505552f8d3e8ec11275ef
https://github.com/bcvsolutions/CzechIdMng/commit/9eb2ff9e8ca6999b092114f58bd737a5e818e289

#20 Updated by Radek Tomiška about 1 month ago

  • Status changed from Needs feedback to Resolved
  • Assignee changed from Radek Tomiška to Vít Švanda
  • % Done changed from 90 to 100

I did the code review again, thx for the fixes.

#21 Updated by Radek Tomiška 29 days ago

  • Status changed from Resolved to Closed
