This seemed like as good a message to respond to as any... nice thread
though!
Since revisionist history seems popular in this thread here is my own:
One day I saw a Jira issue that pointed to some big documents that
were in someone's personal space on confluence, and pages I had not
seen referenced before. Unfortunately posting something to confluence
doesn't put it in front of very many eyes (ie only those who watch the
regular updates), more on that below. The next day I saw some code
going in, and then more and more. Being stuck traveling at the time I
didn't have time to review or comment, and WHAM! there the code was
and the ONLY way to get any changes to it at that point is to complain
and fight like hell... being too tired for that and too frustrated
with that and various other things, I just added my comments to a
confluence page of my own, and this one is in the open wiki and not in
my personal space:
http://docs.ofbiz.org/display/OFBIZ/Notes+on+New+Security+Model
How many people saw it? Well, no matter, if you are interested please
take a look now.
My personal opinion on this is that the design has only subjective
improvements and most of it is a big step backwards (easier but less
flexible, for the services versus direct permission part anyway, and
we decided long ago that flexibility was better than ease in this
case; and yes there is a creative way to invoke code attached to
permissions, but that is a bit inflexible IMO since much permission
logic involved multiple permissions... it's the artifact we want the
code attached to not the permission itself), plus will cause migration
pain for those updating. I'm not against change and progress... unless
it is change only for the sake of change and founded on someone's
subjective opinion of what is better and easier.
I see no side-by-side comparisons or concrete improvements or even
presentation of non-subjective issues to resolve (ie "this is
prettier, and easier", that's subjective), just a bunch of stuff in
the documents that is (in my subjective view) just a bunch of BS that
could have been generated by a "business software BS generator". To
find some great examples of those, search on google for "bs
generator", some fun results include:
http://www.atrixnet.com/bs-generator.html
http://www.erikandanna.com/Humor/bullshit_generator.htm
It looks like what I was afraid of is EXACTLY what happened. Andrew
and various others seem simply not interested in feedback, being
convinced of what they have presented and not wanting to admit any
appearance of fault, which appreciating and using feedback naturally
does. If you think that's harsh then bash me like you've bashed
Adrian. Don't worry... go for it! I happen to have a button with the
letters "delete" on it, and I've been using it more and more lately.
As for how to move forward? How about we allow development to go on as
desired, and we'll discuss and modify best practices over time. I will
revert the changes to the example component (in the spirit of Commit-
Then-Review that some are so fond of... well there's my review and a
commit to boot!). BTW, thanks Andrew for isolating those in a single
commit. For examples going forward while this is still up in the air,
examples of use with new artifacts can be added (ie new service, screen,
etc), or a patch can be kept on a jira issue for those who want to try
it out. Once we have decided on best practices moving forward, then we
can change the example component. Not sure how people want to move
forward, but for now I have attached the patch here (note that this
can also be produced with a "svn diff -r 770083:r770408 >
AuthzExampleComponentSupport.patch" from the ofbiz/framework/example
directory):
https://issues.apache.org/jira/browse/OFBIZ-2383
For other components let's not be too hasty. I won't get into a commit
war over the example component, but for the rest I'll gladly do so
since I think these changes have a negative ROI and this whole thing
has turned into a big old chest-thumping mess. That being the case,
sorry for joining in and thumping my own chest.
Hopefully we can discuss some security objectives and common cases we
want to support, and then evaluate this new proposed approach against
them and/or establish a new approach based on this. There definitely
ARE areas where it is currently cumbersome to implement specific
security related requirements.
-David
On May 1, 2009, at 10:00 PM, Andrew Zeneski wrote:
In the past, what 8 years that I have been working on OFBiz, not
once have I had the masochistic urge to work on something which did
not already have some sort of design. Never will you find me
wishing to refactor something without having the requirements
already known. So, you will never find me coming to the table empty
handed, and that is exactly what this sort of "request" is asking.
Nor, do I want to review and discuss with someone an idea until they
have their thoughts put together. So, what you can expect from me
now, in the past and in the future is exactly your first statement.
"Here is my design, what do you think..."
On May 1, 2009, at 10:56 PM, Adrian Crum wrote:
It's not the same! There is a big difference between "Here's my
design, what do you think?" and "I'm interested in refactoring the
security framework. Could you help me with the design?"
-Adrian
--- On Fri, 5/1/09, Scott Gray <[email protected]> wrote:
From: Scott Gray <[email protected]>
Subject: Re: Authz API Discussion (was re: svn commit: r770084)
To: [email protected]
Date: Friday, May 1, 2009, 7:49 PM
It's exactly the same in fact, we have a design proposed by somebody,
let's start discussing it. Tear pieces out, replace some, improve
others, whatever, at least we have a starting point.
Regards
Scott
On 2/05/2009, at 2:37 PM, Adrian Crum wrote:
How about we start over and collaborate on a design? Is that so much
different?
-Adrian
--- On Fri, 5/1/09, Scott Gray <[email protected]> wrote:
From: Scott Gray <[email protected]>
Subject: Re: Authz API Discussion (was re: svn commit: r770084)
To: [email protected]
Date: Friday, May 1, 2009, 7:30 PM
This discussion is going nowhere fast, how about we back track to
Andrew's last email and start actually discussing the design. Nothing
is being foisted on anybody.
Regards
Scott
On 2/05/2009, at 2:19 PM, Adrian Crum wrote:
--- On Fri, 5/1/09, Anil Patel <[email protected]> wrote:
This is one of the big reasons why I love and hate community driven
software. I don't see how what Andrew did is bad. Even though it was
personal communication, I know Andrew only started after Adrian and
Jacques showed interest by commenting on the page.
The only interest I showed was that I agreed that OFBiz security could
use improvement, and I suggested he use a third party library. I did
not endorse or approve of his design.
Andrew has been actively explaining his idea all this time.
As I demonstrated in another reply, no he did not. Only a few days
went by between introducing the idea and committing code.
The work done till date is not blocking anybody, the old security
system is still in place. The new system is implemented in the example
component so it's a lot easier for him to explain and for people to
understand.
What if the new work is a bad design? How will we know that until
everyone has had time to evaluate it?
People have different ways of working in the community. Joe is a
committer, still all the time he creates a Jira issue and uploads his
patch and most of the time it's somebody else who does the commits,
but that's his way of working. If we don't do what Joe does then why
should Andrew do what Adrian does.
As far as I know, Joe submits patches for things he doesn't have
commit rights to.
I don't see any reason why we should start over.
Do you see a reason why we shouldn't? Will the project suffer
immensely if we pause and wait for others to comment? Is there some
catastrophe looming that requires us to rush this through?
All the time we talk about making things easy so people will
contribute. Why do you want to resist a seasoned contributor for
working? I'd rather expect the community will support. All the time
he has been asking people to tell him suggestions, wish list etc. Why
not support him and get more out of him instead.
If we can't invite the community to participate - as I suggested -
then that only proves what I suspect - that this is a design that is
being foisted on the community.
-Adrian