Hi, At the beginning of this thread I felt really sad that this project was going to retire. But towards the end I really felt there's still hope. I am doing my final exams as an undergraduate right now. I will have about three weeks right after the exams. I would like to invest those three weeks for this project as I feel XACML isn't dead but it's just that people are yet to realize it's full potential.
With the new buzz word Microservices going around I believe people would look to ways of externalizing authorization and guess what they would find out : XACML. I would love to keep this project alive and help in any way possible. Thanks, On Wed, Feb 10, 2016 at 9:57 AM, David Ash <[email protected]> wrote: > Wait, just realized the issues in that jira link are old. Which means jira > has been there for a long time. I was temporarily under the misconception > that jira just got put up and had all that activity. Instead its a > reflection of the slow down after July. > > But we can get some activity in there again! Heck I've already done some of > that stuff, although it wasn't committed and things do appear to have > changed so the work will have to be done again. But its no biggie. Things > like changing 500 files to get rid of att naming is right up my alley. :-) > On Feb 9, 2016 9:20 PM, "David Ash" <[email protected]> wrote: > > > Wow. Awesome. Things are about to start happening here, I can tell. Great > > job everyone. Way to save a project. > > > > On Tue, Feb 9, 2016, 9:03 PM Hadrian Zbarcea <[email protected]> wrote: > > > >> https://issues.apache.org/jira/browse/OPENAZ > >> > >> Hadrian > >> > >> On 02/09/2016 11:20 AM, David Ash wrote: > >> > So much to talk about, so many good thoughts. > >> > > >> > I think there's a path forward, and I definitely would vote to keep > this > >> > project alive. > >> > > >> > > >> > - I am interested in developing and helping the project move > >> forward. I > >> > hope that Carlos is also interested in putting in some work to > make > >> this > >> > project happen. Personally, sure I'm busy but I don't feel like > >> there's a > >> > lot of work to be done to make this project releasable and do the > >> things > >> > necessary to make it pick up and bring in more people. The core > >> code base > >> > is already highly functional. I know it works because I worked on > >> an > >> > application that consumed its services at AT&T back in the day. > >> There's > >> > just a bit of work to smoothing out the process of installation > and > >> running > >> > it with a standard servlet server. And it needs documentation. > >> > > >> > - I'm a little disheartened that we haven't heard from Pam > Dragosh. > >> > She's the original visionary behind it, and I'd very much like to > >> have just > >> > a little bit of her time to help us transition it the rest of the > >> way to > >> > Apache (not coding, but a transfer of knowledge to aid > >> documentation. And > >> > maybe it's just all implemented according to some spec, but I'm > not > >> aware > >> > of whether the XACML spec somehow specifies API endpoints, etc). > >> And > >> > there's an entire admin API that is difficult to reverse engineer. > >> > > >> > - I work for a company that may be willing to donate some work in > >> > exchange for a bit of recognition. I am going to the Fluent > >> conference in > >> > early March, and will be meeting the CTO of my company there. I'm > >> going to > >> > use that opportunity to try to get him on-board with us helping > this > >> > project. I think it makes sense for both the project and the > >> company. > >> > > >> > - I agree it's probably the wrong thread to talk Maven vs. Gradle, > >> but > >> > if Gradle has some advantages (which it sounds like it does), > maybe > >> moving > >> > to Gradle is what needs to happen. Sure, it's only 1%, but that's > >> where > >> > this project is. We're basically that 1% of the way away from > >> being able > >> > to release this, with the exception of documentation (and to some > >> degree > >> > promotion). > >> > > >> > - We obviously need some basic project management work to get > >> done. We > >> > need a JIRA instance up and running for us, and we need some tasks > >> put in > >> > there. Who can volunteer to make some/all of that happen? If no > >> one else > >> > wants to volunteer, I can do it (although if Apache already has an > >> instance > >> > for us to use, I don't know where it is). And who could edit the > >> main page > >> > to create those links? Can Carlos and I be promoted to make more > >> things > >> > happen? > >> > > >> > - We need a roadmap. I'm not big on roadmaps personally, but I > >> have a > >> > basic idea of what it needs to be for the short term: > >> > - Smooth out the build process. > >> > - Get AT&T out of anywhere it remains in the code. > >> > - Version 1.0 Release > >> > > >> > Any other thoughts? > >> > > >> > > >> > > >> > > >> > On Tue, Feb 9, 2016 at 7:28 AM, Sinnema, Remon <[email protected] > > > >> > wrote: > >> > > >> >> Attracting outside interest will be hard when it's unclear what > people > >> can > >> >> work on. > >> >> > >> >> The project page doesn't provide a lot of information: > >> >> http://incubator.apache.org/projects/openaz.html > >> >> The "website" that it links to gives 404. > >> >> > >> >> There is no link to the issue tracker. Emmanuel mentioned JIRA, but > >> where > >> >> is it? > >> >> I couldn't find a roadmap either. > >> >> > >> >> The code contains no guidance about the various sub-projects, how > they > >> >> relate together, and what their status is. > >> >> > >> >> Give this situation, if I wanted to contribute, I wouldn't know where > >> to > >> >> start. > >> >> > >> >> > >> >> BTW, the old project page still exists but doesn't link to Apache: > >> >> http://www.openliberty.org/wiki/index.php/OpenAz_Main_Page > >> >> > >> >> > >> >> -----Original Message----- > >> >> From: David Ash [mailto:[email protected]] > >> >> Sent: maandag 8 februari 2016 22:42 > >> >> To: [email protected] > >> >> Subject: Re: [DISCUSS] - Retire OpenAz? > >> >> > >> >> I think it hasn't seen much activity over the past two months because > >> it's > >> >> been a holiday season. I know most of the AT&T people take most of > >> >> December off (once upon a time, I was one). > >> >> > >> >> It has a lot of work to be done before it's functional and even > >> remotely > >> >> mature, and we're not going to see a lot of outside interest until it > >> gets > >> >> there. > >> >> * The Admin part is crucial, and it hadn't even been ported over (I > >> ported > >> >> it myself, still need to fork in github and do a pull-request). > >> >> * There's a shortage of documentation. To the point that it's > >> unusable. > >> >> * It's complicated enough that its difficult to come up with the > >> >> documentation. > >> >> > >> >> Now, sure there seems to be a shortage of interest but I say give > that > >> >> time. XACML is not a thing of the past, it's still part of the > future. > >> >> Organizations and software developers are still slowly moving to > XACML > >> -- > >> >> it is the best authorization solution in existence to my knowledge, > and > >> >> fits nicely into a modern auth stack with SCIM, JSON Identity Suite, > >> OpenID > >> >> Connect, and OAuth. ( > >> >> http://www.slideshare.net/nordicapis/1415-twobo-nordicap-istour > >> >> ). Most developers still aren't using an external authorization > >> solution > >> >> because they are building highly-coupled monolithic software that > >> sucks. > >> >> And honestly, there aren't a lot of other free open source options. > >> The > >> >> only alternative I see that is any good is WSO2's Identity Server > >> (which is > >> >> vastly superior to this product, but hey that's an opportunity in > some > >> >> ways). If this project really succeeded, it would at least allow > >> >> developers of open source systems to build better, more modular > >> software. > >> >> > >> >> The main problem I see is that AT&T still has most of the knowledge > >> and is > >> >> able to put very little effort behind it. We need Pam's team to > write > >> up > >> >> some high quality documentation (particularly for the API's) and > >> release > >> >> that information. > >> >> > >> >> The other problem I see is there's kind of a lack of vision as far > as I > >> >> can tell. We need someone in the lead that has the time to craft a > >> vision > >> >> for what this product should really be. When you look at WSO2's > >> Identity > >> >> Server, you immediately start realizing the possibilities -- things > >> that > >> >> this project haven't even touched yet. > >> >> > >> >> > >> >> Thanks, > >> >> > >> >> David Ash > >> >> > >> >> > >> >> PS. I'll put in a pull request for my port of the Admin interface. > >> >> > >> >> > >> >> > >> >> On Mon, Feb 8, 2016 at 9:59 AM, Emmanuel Lécharny < > [email protected] > >> > > >> >> wrote: > >> >> > >> >>> Le 08/02/16 16:53, Carlos Perez a écrit : > >> >>>> Hi guys, > >> >>>> > >> >>>> While I completely understand the reasoning for the discussion to > >> >>>> retire OpenAXZ, and to be completely honest I was surprised it took > >> >>>> this long), it would be a real shame to see it just fade away into > >> >> oblivion. > >> >>> > >> >>> I Agree. > >> >>> > >> >>>> > >> >>>> That said, what does happen when a project never makes it to a TLP? > >> >>> > >> >>> From Apache POV, not a lot. We just shut down the mailing lists, > and > >> >>> close the repos (no more writes allowed). > >> >>> > >> >>> > >> >>>> Does > >> >>>> it have a chance to be resuscitated later if it is deemed > worthwhile > >> >>>> and has more interest? > >> >>> It's always a possibility. A very remote one, I have to say. The > fact > >> >>> that in almost 2 years the project hasn't be able to attract any new > >> >>> contributors, and that almost no activity has been seen from the > >> >>> initial contributors make it unlikely that the project could make a > >> come > >> >> back. > >> >>> > >> >>> In 10 years, I haven't seen that happen. Not once. > >> >>> > >> >>> > >> >>>> Does the license revert back to AT&T? > >> >>> > >> >>> Good question. I can ask [email protected] about that. The fact that it > >> didn't > >> >>> make it to a TLP might be relevant. For TLPs, the code base has been > >> >>> granted to The ASF and remains so, same for the name. > >> >>>> > >> >>>> XACML is a complicated spec and I can¹t say that I fully understand > >> >>>> it yet, but I think it solves a real problem (I just regret not > >> >>>> having the time personally to help push it along). > >> >>> > >> >>> That's the main issue : the fcat that it's a complex code base might > >> >>> be intimidating for many of the potential users. But IMHO, would it > be > >> >>> really a critical brick of many IT systems, it *would* have > attracted > >> >>> developpers. That raises the question of XACML as a useful > technology. > >> >>> It as been around for more than 10 years now, and I'm not sure that > it > >> >>> captured a lot of interest. But that may be just me... (and I > *think* > >> >>> it could have been a big hit years ago. Not so sure nowadays.) > >> >>> > >> >>> Thanks ! > >> >>> > >> >>> > >> >> > >> > > >> > > > -- *A.Farasath Ahamed* Undergraduate | Department of Computer Science and Engineering,University of Moratuwa Article Writer | MoraSpirit Mobile: +94 777 603 866 Blog: blog.farazath.com E-Mail: [email protected]
