Re: [Architecture] Access Level Model For WSO2 Dashboard Server

2016-06-06 Thread Udara Rathnayake
Another question, is this going to work if we have to connect to a read-only
LDAP/AD userstore?

On Tue, Jun 7, 2016 at 9:43 AM, Tanya Madurapperuma  wrote:

> Is this model scalable? Because per dashboard we will have to create 4
> internal roles. So if we have N number of dashboards we will end up having
> 4 * N number of internal roles.
>
> @ IS team : is this approach fine? Or is there any better approach?
>
> Thanks,
> Tanya
>
> On Mon, Jun 6, 2016 at 3:44 PM, Nisala Nanayakkara 
> wrote:
>
>> adding Johan and Manuranga
>>
>> Thanks,
>> Nisala
>>
>> On Mon, Jun 6, 2016 at 3:41 PM, Nisala Nanayakkara 
>> wrote:
>>
>>> Hi all,
>>>
>>> I am working on implementing an access levels model for WSO2 Dashboard
>>> Server. Currently the global permission model for create/delete/login is
>>> implemented by Megala. Since it does not support per-dashboard level access
>>> for the users, I am going to extend it and implement a permission model
>>> that can be used to provide per-dashboard level access for the users.
>>>
>>> In order to implement this feature, I am going to add four roles at
>>> dashboard creation time as follows,
>>>
>>>- internal/dashboard/{dashboardID}/editor
>>>- internal/dashboard/{dashboardID}/viewer
>>>- internal/dashboard/{dashboardID}/settings
>>>- internal/dashboard/{dashboardID}/delete
>>>
>>> At the dashboard creation time, the user who creates the dashboard will
>>> get all four roles. But other users have to be given the above roles to do
>>> the appropriate actions on the dashboard. So we can set the above four
>>> roles for the users, and they will be given different access levels
>>> according to their roles.
>>>
>>> Please feel free to give any feedback.
>>>
>>> Thanks,
>>> Nisala
>>> --
>>> *Nisala Niroshana Nanayakkara,*
>>> Software Engineer
>>> Mobile:(+94)717600022
>>> WSO2 Inc., http://wso2.com/
>>>
>>
>>
>>
>> --
>> *Nisala Niroshana Nanayakkara,*
>> Software Engineer
>> Mobile:(+94)717600022
>> WSO2 Inc., http://wso2.com/
>>
>
>
>
> --
> Tanya Madurapperuma
>
> Senior Software Engineer,
> WSO2 Inc. : wso2.com
> Mobile : +94718184439
> Blog : http://tanyamadurapperuma.blogspot.com
>



-- 
Regards,
UdaraR
___
Architecture mailing list
Architecture@wso2.org
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture


Re: [Architecture] Nullable Support for JSON schema - Visual Data Mapper Editor

2016-06-06 Thread Nuwan Pallewela
Hi Malaka,

On Tue, Jun 7, 2016 at 10:45 AM, Malaka Silva  wrote:

> Hi Sohani,
>
> I guess we are dealing with optional input/output here. So in that case
> are we showing those in a different color or anyway to distinguish?
>
> On execution side this needs to be handled from data mapper mediator.
>
This is handled by the mapping configuration generation in data mapper
editor so that data mapper engine may have minimum changes.

>
> On Tue, Jun 7, 2016 at 9:21 AM, Sohani Weerasinghe 
> wrote:
>
>> Hi All,
>>
>> We are in the process of implementing the $subject; please find the
>> implementation details below.
>>
>> *Input*:
>>
>> http://www.w3.org/TR/html4/;>
>> sample
>> 011265565501
>> 011265565501
>> 
>>
>> After loading the above payload, the generated schema will be as follows
>>
>> {
>>   "$schema" : "http://json-schema.org/draft-04/schema#",
>>   *"nullable" : "false"*,
>>   "id" : "http://wso2jsonschema.org",
>>   "title" : "h:person",
>>   "type" : "object",
>>   "properties" : {
>>     "firstName" : {
>>       *"nullable" : "false",*
>>       "id" : "http://wso2jsonschema.org/firstName",
>>       "type" : "string"
>>     },
>>     *"nullable" : "false"*,
>>     "phone" : {
>>       "id" : "http://wso2jsonschema.org/phone",
>>       "type" : "array",
>>       "items" : [ {
>>         "attributes" : {
>>           "primary" : {
>>             *"nullable" : "false"*,
>>             "id" : "http://wso2jsonschema.org/phone/0/primary",
>>             "type" : "boolean"
>>           }
>>         },
>>         "id" : "http://wso2jsonschema.org/phone/0",
>>         "type" : "object",
>>         "value" : {
>>           "type" : "number"
>>         },
>>         "properties" : {
>>           "ext" : {
>>             *"nullable" : "false",*
>>             "id" : "http://wso2jsonschema.org/phone/0/ext",
>>             "type" : "number"
>>           }
>>         }
>>       } ]
>>     }
>>   },
>>   "namespaces" : [ {
>>     "prefix" : "h",
>>     "url" : "http://www.w3.org/TR/html4/"
>>   } ]
>> }
>>
>> Then, the user can right-click on the node and click 'Enable Nullable' to
>> make the object, array, element, etc. nullable.
>>
>>
>> ​The schema will be as follows
>>
>> {
>>   "$schema" : "http://json-schema.org/draft-04/schema#",
>>   *"nullable" : "true",*
>>   "id" : "http://wso2jsonschema.org",
>>   "title" : "h:person",
>>   "type" : "object",
>>   "properties" : {
>>     "firstName" : {
>>       "nullable" : "false",
>>       "id" : "http://wso2jsonschema.org/firstName",
>>       "type" : "string"
>>     },
>>     "nullable" : "false",
>>     "phone" : {
>>       "id" : "http://wso2jsonschema.org/phone",
>>       "type" : "array",
>>       "items" : [ {
>>         "attributes" : {
>>           "primary" : {
>>             "nullable" : "false",
>>             "id" : "http://wso2jsonschema.org/phone/0/primary",
>>             "type" : "boolean"
>>           }
>>         },
>>         "id" : "http://wso2jsonschema.org/phone/0",
>>         "type" : "object",
>>         "value" : {
>>           "type" : "number"
>>         },
>>         "properties" : {
>>           "ext" : {
>>             "nullable" : "false",
>>             "id" : "http://wso2jsonschema.org/phone/0/ext",
>>             "type" : "number"
>>           }
>>         }
>>       } ]
>>     }
>>   },
>>   "namespaces" : [ {
>>     "prefix" : "h",
>>     "url" : "http://www.w3.org/TR/html4/"
>>   } ]
>> }
>>
>> If a user wants to disable it, the user can right-click on the node and
>> click 'Disable Nullable'.
>>
>>
>> After enabling, we thought of changing the icon of the tree node so that
>> the user can easily identify whether a particular node is nullable or not.
>>
>> Thanks,
>> Sohani
>> Sohani Weerasinghe
>> Senior Software Engineer
>> WSO2, Inc: http://wso2.com
>>
>> Mobile  : +94 716439774
>> Blog :http://christinetechtips.blogspot.com/
>> Twitter  : https://twitter.com/hanichristine
>>
>> ___
>> Architecture mailing list
>> Architecture@wso2.org
>> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
>>
>>
>
>
> --
>
> Best Regards,
>
> Malaka Silva
> Senior Technical Lead
> M: +94 777 219 791
> Tel : 94 11 214 5345
> Fax :94 11 2145300
> Skype : malaka.sampath.silva
> LinkedIn : http://www.linkedin.com/pub/malaka-silva/6/33/77
> Blog : http://mrmalakasilva.blogspot.com/
>
> WSO2, Inc.
> lean . enterprise . middleware
> http://www.wso2.com/
> http://www.wso2.com/about/team/malaka-silva/
> 
> https://store.wso2.com/store/
>
> Save a tree -Conserve nature & Save the world for your future. Print this
> email only if it is absolutely necessary.
>

Thanks,
Nuwan

-- 
--

*Nuwan Chamara Pallewela*


*Software Engineer*

*WSO2, Inc. *http://wso2.com
*lean . enterprise . middleware*

Email   *nuw...@wso2.com *
Mobile  *+94719079739 
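As an added example (not the data mapper editor's own code), here is the 'Enable Nullable' / 'Disable Nullable' toggle and the flag reader applied to a constructed copy of the generated schema above; the path syntax (property name, array index, '@attribute') is an assumption made for this example. The practical point it shows is that the generator writes "nullable" as the string "false", so a reader must compare it rather than test its truthiness.

```python
import copy

# Constructed excerpt of the generated schema from the mail (same node layout).
GENERATED_SCHEMA = {
    "$schema": "http://json-schema.org/draft-04/schema#",
    "nullable": "false",
    "id": "http://wso2jsonschema.org",
    "title": "h:person",
    "type": "object",
    "properties": {
        "firstName": {
            "nullable": "false",
            "id": "http://wso2jsonschema.org/firstName",
            "type": "string",
        },
        "phone": {
            "id": "http://wso2jsonschema.org/phone",
            "type": "array",
            "items": [{
                "attributes": {
                    "primary": {
                        "nullable": "false",
                        "id": "http://wso2jsonschema.org/phone/0/primary",
                        "type": "boolean",
                    }
                },
                "id": "http://wso2jsonschema.org/phone/0",
                "type": "object",
                "value": {"type": "number"},
                "properties": {
                    "ext": {
                        "nullable": "false",
                        "id": "http://wso2jsonschema.org/phone/0/ext",
                        "type": "number",
                    }
                },
            }],
        },
    },
}


def is_nullable(node):
    """Read the flag the way the generator writes it: the strings "true"/"false".

    A plain truthiness test is wrong here, because the non-empty string
    "false" is truthy; only a literal "true" (or boolean True) means nullable.
    """
    flag = node.get("nullable", False)
    if isinstance(flag, str):
        return flag.strip().lower() == "true"
    return bool(flag)


def _descend(node, step):
    """One step down the tree: an array index, an '@attribute', or a property."""
    if node.get("type") == "array":
        return node["items"][int(step)]
    if step.startswith("@"):
        return node["attributes"][step[1:]]
    return node["properties"][step]


def set_nullable(schema, path, enabled):
    """Apply 'Enable Nullable' / 'Disable Nullable' to the node at path.

    path is a tuple of steps, e.g. ("phone", "0", "@primary"); () is the root.
    Returns a new schema; the input is left untouched.
    """
    updated = copy.deepcopy(schema)
    node = updated
    for step in path:
        node = _descend(node, step)
    node["nullable"] = "true" if enabled else "false"
    return updated


def nullable_ids(schema):
    """Ids of every node currently marked nullable (what the tree icon reflects)."""
    found = []
    if is_nullable(schema) and "id" in schema:
        found.append(schema["id"])
    for child in schema.get("properties", {}).values():
        found += nullable_ids(child)
    for child in schema.get("attributes", {}).values():
        found += nullable_ids(child)
    for child in schema.get("items", []):
        found += nullable_ids(child)
    return found
```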

Re: [Architecture] [APPM] One time download link support for mobile app install/download

2016-06-06 Thread Chathura Dilan
Hi Thilini,

+1 for this approach

Please see my comments inline

> 1. The generated download link is not secured since it is a one-time
> download link. Is there a security concern regarding this approach?

There is no major security issue in this approach. I'm adding Prabath for
more ideas.

> 2. According to above, a single user will have to generate separate app
> download links, in a case where he has several devices to download the app.
> In that case, are we going to limit

User should be able to generate multiple download links from one request.
But we can introduce a throttling mechanism for app installation requests
for security purposes.

> 3. Are we going to persist the details of the device (device id) that the
> download link had been generated for so that we can enforce the security?

It's good if we can persist the download request for analytics purposes.
IMO we don't need to persist other information like device ID.

On Tue, Jun 7, 2016 at 9:31 AM, Lahiru Cooray  wrote:

>
>
> On Tue, Jun 7, 2016 at 9:12 AM, Thilini Shanika  wrote:
>
>> Hi all,
>>
>> We are planning to implement one-time app download link support for
>> mobile application installation/download in App Manager 1.2.0. The main
>> objective of introducing this feature is to overcome security issues with
>> the current approach of installing mobile apps.
>>
>> Below is the designed approach of achieving $Subject.
>> According to above,
>>
>>- User logs in to the App Store and subscribes to/installs a
>>particular mobile app
>>- A one-time download link is generated for the user
>>(/binaries/one-time/{UUID}) and the mapping of the generated UUID and
>>the actual binary file is persisted in a database table. The status of the
>>download will be marked as 0 to indicate that the download link has not
>>been used yet.
>>- The device will access the binary download API via the generated
>>UUID to install the app. When the download/installation is completed, the
>>status of the binary downloadable URL reference will be marked as 1 to
>>indicate it has been used once. After an app download, any other access to
>>the link will be prohibited.
>>
>>
>> There are a few concerns regarding the implementation.
>>
>>- The generated download link is not secured since it is a one-time
>>download link. Is there a security concern regarding this approach?
>>- According to above, a single user will have to generate separate
>>app download links, in a case where he has several devices to download the
>>app. In that case, are we going to limit (configurable limit) the number of
>>download links that can be generated by a single user?
>>
> AFAIK we use the same operation to perform the enterprise installation as
> well, where an admin user can install an App to several users/devices. In
> that case I don't think limiting generation of download links user wise
> would be a good option (unless we consider the devices as well)
>
>>
>>- Are we going to persist the details of the device (device id) that
>>the download link had been generated for so that we can enforce the
>>security?
>>
> +1
>
>> Your comments and suggestions are highly appreciated.
>>
>> Thanks
>> Thilini
>>
>>
>> --
>> Thilini Shanika
>> Senior Software Engineer
>> WSO2, Inc.; http://wso2.com
>> 20, Palmgrove Avenue, Colombo 3
>>
>> E-mail: tgtshan...@gmail.com
>>
>> ___
>> Architecture mailing list
>> Architecture@wso2.org
>> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
>>
>>
>
>
> --
> *Lahiru Cooray*
> Software Engineer
> WSO2, Inc.;http://wso2.com/
> lean.enterprise.middleware
>
> Mobile: +94 715 654154
>
> ___
> Architecture mailing list
> Architecture@wso2.org
> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
>
>


-- 
Regards,

Chatura Dilan Perera
*Associate Tech Lead** - WSO2 Inc.*
www.dilan.me
___
Architecture mailing list
Architecture@wso2.org
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture


[Architecture] Dep sync strategies for Carbon 4 products in Kubernetes

2016-06-06 Thread Chamila De Alwis
Hi,

I was looking into the possibility of using Rsync as a platform agnostic
approach to manage deployment synchronization of artifacts that are
dynamically generated in a containerized environment. The scenario I
considered was the artifact generation in the Gateway when an API is
published in the API Manager distributed setup.

We can consider either a push or pull based method in Rsync to perform
deployment synchronization between the GW manager and the worker nodes. The
manager and worker will be two Kubernetes pods, liable to be spawned on
different Kubernetes nodes.

In the push method, it's the GW manager that initiates the process.

   1. Add a folder watcher (inotifywatch[1]) to
   repository/deployment/server/synapse-configs
   2. When triggered
  1. Contact Kubernetes API and get list of WORKER_SVC container IPs
  2. for each container IP, Rsync with --delete



The pull method works the other way, i.e. initiated by the GW worker nodes
and has to be run continuously on a loop.
The problem with these two approaches is that they depend on a single GW
manager node. For the push method, multiple GW managers should not
repeatedly do Rsync calls to the workers. In the pull method, if multiple
GW manager nodes are present (and fronted with a load balancer with
Active/Passive failover), they should have the artifacts synchronized. This
could be possible using a hostPath volume between the GW Manager pod
replicas; however, it is yet to be tested.

Additionally, Kubernetes supports a volume plugin named Git Volume [2],
which is basically an emptyDir volume with an initial "git clone" command
done on the provided remote repository.

The issue with this is that there is no push functionality when the
contents are updated. This might be solved by extending the Git Repo volume
plugin and writing a Carbon Volume Plugin for Kubernetes, however IMO it
would come up with the same set of problems we have in the current SVN
based deployment synchronization, only with an additional code base.

An NFS volume based approach was also considered; however, because of the
limitations in moving the mount between nodes (solutions like Flocker work
on block-level storage [3]) and in managing read-write access for multiple
containers, it also seems to be a complex path.

IMO out of these approaches, Rsync is the possible candidate (specifically
the push method), although it takes a few workarounds to achieve
functionality. GW Managers would need to synchronize artifacts between
themselves, as well as towards the worker nodes, and the push job should
only run from the active manager node.

I highly appreciate any input on this.

[1] - http://linux.die.net/man/1/inotifywatch
[2] - http://kubernetes.io/docs/user-guide/volumes/#gitrepo
[3] -
https://docs.clusterhq.com/en/latest/faq/#can-i-attach-a-single-volume-to-multiple-hosts

Regards,
Chamila de Alwis
Committer and PMC Member - Apache Stratos
Software Engineer | WSO2 | +94772207163
Blog: code.chamiladealwis.com
___
Architecture mailing list
Architecture@wso2.org
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture


Re: [Architecture] [AppM] Supporting custom fields added to the publisher UI with new REST APIs

2016-06-06 Thread Dinusha Senanayaka
Hi All,

We could not go for the approach suggested by Sagara due to the reasons
explained by Lahiru in the previous reply. We could go for what Dimuthu has
suggested (keep custom fields in a JSON string), but it will be difficult
to populate the UI. Anyway, if we cannot keep RXT metadata something like the
following, we have to go with that approach. Appreciate any other suggestions
on this?


 Name


Regards,
Dinusha.

On Fri, May 27, 2016 at 11:21 PM, Lahiru Cooray  wrote:

> Hi,
> (In AppM REST API design we followed the contract first approach according
> to [1])
>
> The main concern is how we manage an API definition (eg: swagger) if our
> request/response data models are dynamic?
> And also in the AppM user story there are a few domain specific constraints
> we need to address, so AFAIC our models should be specific.
>
> So, to cater to the $subject one approach would be, as Dimuthu has mentioned,
> constructing a JSON string with all custom field name/value pairs and adding
> that as a value in an RXT field, where we are aware of the custom attributes.
> So we can place a property in our DTO to filter and dynamically add the
> custom attributes.
>
>
> [1] WSO2 REST APIs Design Guidelines
> 
>
> On Fri, May 27, 2016 at 10:03 AM, Dimuthu Leelarathne 
> wrote:
>
>> Hi all,
>>
>> According to the user story, I think the custom fields are going to be
>> defined per deployment. In that case we can ask the RXT to be modified at
>> deployment time as Sagara suggested. Or else you can construct a JSON
>> string with all custom field name/value pairs and add that as a value in
>> an RXT field. I also believe Sagara's approach is more elegant as it has
>> inherent support and fulfils the requirement.
>>
>> thanks,
>> Dimuthu
>>
>> On Thu, May 26, 2016 at 10:35 PM, Sagara Gunathunga 
>> wrote:
>>
>>>
>>>
>>> On Thu, May 26, 2016 at 10:36 AM, Dinusha Senanayaka 
>>> wrote:
>>>
 +Chandana

 On Thu, May 26, 2016 at 9:03 PM, Dinusha Senanayaka 
 wrote:

> Hi All,
>
> There are some use cases where the publisher UI needs to be customized by
> adding new UI fields. Those fields can be used in the store for different
> use cases (eg; App Price). With the support of Enterprise Store, getting
> this done is very easy. It's just adding new field/s in the RXT and a few
> modifications to the .hbs file. We don't have to do anything additionally to
> POST/UPDATE/GET app info with these new fields through the jaggery APIs.
>
> The requirement is how are we going to do this with the new REST API
> model. We use pre-defined DTO classes for request/response generation with
> the swagger definition. Therefore publisher users could not add new custom
> fields easily and get them supported through the APIs as previously
> without modifying the code.
>
> One option is, pre-define "customFields" object inside AppDTO class
> and get the users to define custom fields in the RXT with new tag called
> "customFields". So that we could populate value inside the DTO class by
> looking at the fields marked as customFields in the RXT. But this requires
> capability to define some additional property to RXT field in addition to
> name/value. @Registry team, any ideas on whether this is possible ?
>

>>> I don't see any issue to solve at the Registry/RXT model level; as you
>>> also mentioned, once you modify the underlying RXT to accommodate additional
>>> fields, ES will pick them up easily. If you look at the G-Reg REST API, it
>>> also adjusts to RXT changes automatically.
>>>
>>> You face the above problem due to pre-defined DTOs; you need to find a
>>> solution at that level, better not to use fixed DTOs at all. Maybe
>>> referring to the G-Reg REST API implementation will help [1].
>>>
>>>
>>> [1] -
>>> https://github.com/wso2/carbon-governance/tree/master/components/governance/org.wso2.carbon.governance.rest.api
>>>
>>>
>>>
>>> Thanks !
>>>

> Suggestions/feedback are appreciated.
>
> Regards,
> Dinusha.
>
> --
> Dinusha Dilrukshi
> Associate Technical Lead

Re: [Architecture] Access Level Model For WSO2 Dashboard Server

2016-06-06 Thread Tanya Madurapperuma
Is this model scalable? Because per dashboard we will have to create 4
internal roles. So if we have N number of dashboards we will end up having
4 * N number of internal roles.

@ IS team : is this approach fine? Or is there any better approach?

Thanks,
Tanya

On Mon, Jun 6, 2016 at 3:44 PM, Nisala Nanayakkara  wrote:

> adding Johan and Manuranga
>
> Thanks,
> Nisala
>
> On Mon, Jun 6, 2016 at 3:41 PM, Nisala Nanayakkara 
> wrote:
>
>> Hi all,
>>
>> I am working on implementing an access levels model for WSO2 Dashboard
>> Server. Currently the global permission model for create/delete/login is
>> implemented by Megala. Since it does not support per-dashboard level access
>> for the users, I am going to extend it and implement a permission model
>> that can be used to provide per-dashboard level access for the users.
>>
>> In order to implement this feature, I am going to add four roles at
>> dashboard creation time as follows,
>>
>>- internal/dashboard/{dashboardID}/editor
>>- internal/dashboard/{dashboardID}/viewer
>>- internal/dashboard/{dashboardID}/settings
>>- internal/dashboard/{dashboardID}/delete
>>
>> At the dashboard creation time, the user who creates the dashboard will
>> get all four roles. But other users have to be given the above roles to do
>> the appropriate actions on the dashboard. So we can set the above four
>> roles for the users, and they will be given different access levels
>> according to their roles.
>>
>> Please feel free to give any feedback.
>>
>> Thanks,
>> Nisala
>> --
>> *Nisala Niroshana Nanayakkara,*
>> Software Engineer
>> Mobile:(+94)717600022
>> WSO2 Inc., http://wso2.com/
>>
>
>
>
> --
> *Nisala Niroshana Nanayakkara,*
> Software Engineer
> Mobile:(+94)717600022
> WSO2 Inc., http://wso2.com/
>



-- 
Tanya Madurapperuma

Senior Software Engineer,
WSO2 Inc. : wso2.com
Mobile : +94718184439
Blog : http://tanyamadurapperuma.blogspot.com
___
Architecture mailing list
Architecture@wso2.org
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture


Re: [Architecture] [APPM] One time download link support for mobile app install/download

2016-06-06 Thread Lahiru Cooray
On Tue, Jun 7, 2016 at 9:12 AM, Thilini Shanika  wrote:

> Hi all,
>
> We are planning to implement one-time app download link support for mobile
> application installation/download in App Manager 1.2.0. The main objective
> of introducing this feature is to overcome security issues with the current
> approach of installing mobile apps.
>
> Below is the designed approach of achieving $Subject.
> According to above,
>
>- User logs in to the App Store and subscribes to/installs a
>particular mobile app
>- A one-time download link is generated for the user
>(/binaries/one-time/{UUID}) and the mapping of the generated UUID and
>the actual binary file is persisted in a database table. The status of the
>download will be marked as 0 to indicate that the download link has not
>been used yet.
>- The device will access the binary download API via the generated
>UUID to install the app. When the download/installation is completed, the
>status of the binary downloadable URL reference will be marked as 1 to
>indicate it has been used once. After an app download, any other access to
>the link will be prohibited.
>
>
> There are a few concerns regarding the implementation.
>
>- The generated download link is not secured since it is a one-time
>download link. Is there a security concern regarding this approach?
>- According to above, a single user will have to generate separate app
>download links, in a case where he has several devices to download the app.
>In that case, are we going to limit (configurable limit) the number of
>download links that can be generated by a single user?
>
AFAIK we use the same operation to perform the enterprise installation as
well, where an admin user can install an App to several users/devices. In
that case I don't think limiting generation of download links user wise
would be a good option (unless we consider the devices as well)

>
>- Are we going to persist the details of the device (device id) that
>the download link had been generated for so that we can enforce the
>security?
>
+1

> Your comments and suggestions are highly appreciated.
>
> Thanks
> Thilini
>
>
> --
> Thilini Shanika
> Senior Software Engineer
> WSO2, Inc.; http://wso2.com
> 20, Palmgrove Avenue, Colombo 3
>
> E-mail: tgtshan...@gmail.com
>
> ___
> Architecture mailing list
> Architecture@wso2.org
> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
>
>


-- 
*Lahiru Cooray*
Software Engineer
WSO2, Inc.;http://wso2.com/
lean.enterprise.middleware

Mobile: +94 715 654154
___
Architecture mailing list
Architecture@wso2.org
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture


[Architecture] [APPM] One time download link support for mobile app install/download

2016-06-06 Thread Thilini Shanika
Hi all,

We are planning to implement one-time app download link support for mobile
application installation/download in App Manager 1.2.0. The main objective
of introducing this feature is to overcome security issues with the current
approach of installing mobile apps.

Below is the designed approach of achieving $Subject.
According to above,

   - User logs in to the App Store and subscribes to/installs a
   particular mobile app
   - A one-time download link is generated for the user
   (/binaries/one-time/{UUID}) and the mapping of the generated UUID and
   the actual binary file is persisted in a database table. The status of the
   download will be marked as 0 to indicate that the download link has not
   been used yet.
   - The device will access the binary download API via the generated UUID
   to install the app. When the download/installation is completed, the status
   of the binary downloadable URL reference will be marked as 1 to indicate it
   has been used once. After an app download, any other access to the link
   will be prohibited.


There are a few concerns regarding the implementation.

   - The generated download link is not secured since it is a one-time
   download link. Is there a security concern regarding this approach?
   - According to above, a single user will have to generate separate app
   download links, in a case where he has several devices to download the app.
   In that case, are we going to limit (configurable limit) the number of
   download links that can be generated by a single user?
   - Are we going to persist the details of the device (device id) that the
   download link had been generated for so that we can enforce the security?

Your comments and suggestions are highly appreciated.

Thanks
Thilini


-- 
Thilini Shanika
Senior Software Engineer
WSO2, Inc.; http://wso2.com
20, Palmgrove Avenue, Colombo 3

E-mail: tgtshan...@gmail.com
___
Architecture mailing list
Architecture@wso2.org
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
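As an added example (not App Manager's code), here is how the UUID-to-binary mapping and the 0/1 status from the design above can be stored and consumed so that a second request for the same /binaries/one-time/{UUID} link is refused even when two requests race. The in-memory SQLite table stands in for the design's database table, and the link lifetime and the per-user cap on open links are assumptions drawn from the thread's open questions, not part of the original design.

```python
import sqlite3
import threading
import time
import uuid

# Status values from the design: 0 = link not used yet, 1 = used once.
STATUS_UNUSED = 0
STATUS_USED = 1


class LinkLimitExceeded(Exception):
    """Raised when a user already holds the configured number of open links."""


class OneTimeLinkStore:
    """Persists the UUID -> binary mapping and consumes each link exactly once.

    An in-memory SQLite table stands in for the design's database table
    (constructed for this example). ttl_seconds (how long an unused link stays
    valid) and max_open_per_user (the "configurable limit" asked about in the
    thread) are assumptions, not part of the original design.
    """

    def __init__(self, ttl_seconds=600, max_open_per_user=5):
        self.conn = sqlite3.connect(":memory:", check_same_thread=False)
        self.lock = threading.Lock()
        self.ttl = ttl_seconds
        self.max_open = max_open_per_user
        self.conn.execute(
            "CREATE TABLE one_time_links ("
            " uuid TEXT PRIMARY KEY, binary_path TEXT NOT NULL,"
            " username TEXT NOT NULL, status INTEGER NOT NULL,"
            " created_at REAL NOT NULL)"
        )

    def open_links(self, username, now=None):
        """Number of unused, unexpired links the user currently holds."""
        now = time.time() if now is None else now
        row = self.conn.execute(
            "SELECT COUNT(*) FROM one_time_links"
            " WHERE username = ? AND status = ? AND created_at > ?",
            (username, STATUS_UNUSED, now - self.ttl),
        ).fetchone()
        return row[0]

    def generate(self, username, binary_path, now=None):
        """Create /binaries/one-time/{UUID} for the user; status starts at 0."""
        now = time.time() if now is None else now
        token = str(uuid.uuid4())  # version-4 UUID: random, so not guessable
        with self.lock:
            if self.open_links(username, now) >= self.max_open:
                raise LinkLimitExceeded(username)
            self.conn.execute(
                "INSERT INTO one_time_links VALUES (?, ?, ?, ?, ?)",
                (token, binary_path, username, STATUS_UNUSED, now),
            )
            self.conn.commit()
        return "/binaries/one-time/" + token

    def consume(self, token, now=None):
        """Return the binary path for an unused, unexpired link and mark it 1.

        The conditional UPDATE is what makes the link one-time: if two requests
        for the same UUID race, only one of them changes a row, so the other
        gets None and is refused.
        """
        now = time.time() if now is None else now
        with self.lock:
            cur = self.conn.execute(
                "UPDATE one_time_links SET status = ?"
                " WHERE uuid = ? AND status = ? AND created_at > ?",
                (STATUS_USED, token, STATUS_UNUSED, now - self.ttl),
            )
            self.conn.commit()
            if cur.rowcount != 1:
                # Unknown, already used, or expired all look the same to the caller.
                return None
            row = self.conn.execute(
                "SELECT binary_path FROM one_time_links WHERE uuid = ?", (token,)
            ).fetchone()
        return row[0]
```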


Re: [Architecture] BPMN - Bulk Task Reassignment, Substitution feature

2016-06-06 Thread Manuranga Perera
>
> Initial discussion was to run these tasks at midnight, because all the
> substitutions start at the beginning of a day.

Ok, now I understand what you meant initially.

> Since we are moving to a time-stamp based approach, we will not be required
> to calculate this for all users, but only for some users (if there are
> transitive substitutes), when a substitution of a user starts.

 Agreed.

> ​Who will trigger this event. ?

It is a task that will be scheduled when the substitution is created. What
I meant is we can '*think*' about that as a timed *event* since it's per
user. It doesn't matter, really.

To summarize: +1 for the task approach where only one user is handled in
the task.

On Mon, Jun 6, 2016 at 1:17 PM, Hasitha Aravinda  wrote:

> Hi Manu,
>
> On Mon, Jun 6, 2016 at 10:12 PM, Manuranga Perera  wrote:
>
>>> Let's say, engine hasn't received any new task creation requests for
>>> this particular user during T1-T5. Then engine will not be able to
>>> reassign above X tasks back to user B during this time period. But user B
>>> should be able to perform above task after T1. This is why we can't use
>>> event driven pattern here.
>>
>>> Let's take an example. Say we use event driven pattern here and we have
>>> substitution from user A to user B which is defined at T0, starts at T1
>>> and ends at T10. Currently User A has x number of in-progress tasks.
>>
>>
>> Yes, we do need tasks to re-assign the user, but this doesn't mean we
>> need a separate task to calculate for all users.
>>
>
> Initial discussion was to run these tasks at midnight, because all the
> substitutions start at the beginning of a day. So we had to calculate this
> for all users.
>
> Since we are moving to a time-stamp based approach, we will not be required
> to calculate this for all users, but only for some users (if there are
> transitive substitutes), when a substitution of a user starts.
>
>
>> We can consider this task as the end of substitution event.
>>
>
> Who will trigger this event?
>
> Thanks,
> Hasitha. ​
>
>
>>
>> --
>> With regards,
>> *Manu*ranga Perera.
>>
>> phone : 071 7 70 20 50
>> mail : m...@wso2.com
>>
>
>
>
> --
> --
> Hasitha Aravinda,
> Associate Technical Lead,
> WSO2 Inc.
> Email: hasi...@wso2.com
> Mobile : +94 718 210 200
>



-- 
With regards,
*Manu*ranga Perera.

phone : 071 7 70 20 50
mail : m...@wso2.com
___
Architecture mailing list
Architecture@wso2.org
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture


Re: [Architecture] BPMN - Bulk Task Reassignment, Substitution feature

2016-06-06 Thread Hasitha Aravinda
Hi Manu,

On Mon, Jun 6, 2016 at 10:12 PM, Manuranga Perera  wrote:

>> Let's say, engine hasn't received any new task creation requests for
>> this particular user during T1-T5. Then engine will not be able to
>> reassign above X tasks back to user B during this time period. But user B
>> should be able to perform above task after T1. This is why we can't use
>> event driven pattern here.
>
>> Let's take an example. Say we use event driven pattern here and we have
>> substitution from user A to user B which is defined at T0, starts at T1
>> and ends at T10. Currently User A has x number of in-progress tasks.
>
>
> Yes, we do need tasks to re-assign the user, but this doesn't mean we need
> a separate task to calculate for all users.
>

Initial discussion was to run these tasks at midnight, because all the
substitutions start at the beginning of a day. So we had to calculate this
for all users.

Since we are moving to a time-stamp based approach, we will not be required
to calculate this for all users, but only for some users (if there are
transitive substitutes), when a substitution of a user starts.


> We can consider this task as the end of substitution event.
>

Who will trigger this event?

Thanks,
Hasitha. ​


>
> --
> With regards,
> *Manu*ranga Perera.
>
> phone : 071 7 70 20 50
> mail : m...@wso2.com
>



-- 
--
Hasitha Aravinda,
Associate Technical Lead,
WSO2 Inc.
Email: hasi...@wso2.com
Mobile : +94 718 210 200
___
Architecture mailing list
Architecture@wso2.org
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
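The substitution scenario discussed in this thread (A substituted by B from T1 to T10, with transitive substitutes), as an added example that is not the BPS/Activiti code: it resolves the effective assignee of a task at a given instant and computes only the tasks that actually move when a substitution starts or ends, which is what a per-user scheduled task needs instead of recalculating for all users. The data model (integer T instants, inclusive end) is an assumption made for this example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Substitution:
    """User `user` is substituted by `substitute` for the instants start..end (inclusive)."""
    user: str
    substitute: str
    start: int   # e.g. 1 for T1
    end: int     # e.g. 10 for T10


# Constructed scenario from the thread: A -> B during T1..T10, and B itself
# substituted by C during T3..T8, so A's tasks transitively land on C meanwhile.
SUBSTITUTIONS = [Substitution("A", "B", 1, 10), Substitution("B", "C", 3, 8)]
TASKS = {"task-1": "A", "task-2": "B", "task-3": "D"}  # task id -> original assignee


def active_substitute(user, substitutions, t):
    """The direct substitute of `user` at instant t, or None."""
    for s in substitutions:
        if s.user == user and s.start <= t <= s.end:
            return s.substitute
    return None


def effective_assignee(original, substitutions, t):
    """Follow the chain of active substitutions from the original assignee.

    Handles transitive substitutes (A -> B and B -> C gives C) and stops at
    the last user not yet visited if the chain loops back on itself.
    """
    seen = {original}
    current = original
    while True:
        nxt = active_substitute(current, substitutions, t)
        if nxt is None or nxt in seen:
            return current
        seen.add(nxt)
        current = nxt


def assignee_changes(tasks, substitutions, t_before, t_after):
    """Tasks whose effective assignee differs between two instants.

    Called with (start - 1, start) when a substitution starts and
    (end, end + 1) when it ends, this yields only the tasks that actually move,
    including tasks already held transitively, and nothing for unaffected users.
    """
    changes = {}
    for task_id, original in tasks.items():
        before = effective_assignee(original, substitutions, t_before)
        after = effective_assignee(original, substitutions, t_after)
        if before != after:
            changes[task_id] = (before, after)
    return changes
```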


Re: [Architecture] BPMN - Bulk Task Reassignment, Substitution feature

2016-06-06 Thread Manuranga Perera
> Let's say, engine hasn't received any new task creation requests for
> this particular user during T1-T5. Then engine will not be able to
> reassign above X tasks back to user B during this time period. But user B
> should be able to perform above task after T1. This is why we can't use
> event driven pattern here.

> Let's take an example. Say we use event driven pattern here and we have
> substitution from user A to user B which is defined at T0, starts at T1
> and ends at T10. Currently User A has x number of in-progress tasks.


Yes, we do need tasks to re-assign the user, but this doesn't mean we need
a separate task to calculate for all users. We can consider this task as
the end of substitution event.

-- 
With regards,
*Manu*ranga Perera.

phone : 071 7 70 20 50
mail : m...@wso2.com
___
Architecture mailing list
Architecture@wso2.org
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture


Re: [Architecture] BPMN - Bulk Task Reassignment, Substitution feature

2016-06-06 Thread Manuranga Perera
>
>  There is no such status like "In progress".
>>
>> Isn't "claiming" a task equivalent to making it "in progress"?
>
> In your example of call, I'll first claim and then start the call.
>
> No, Unclaimed tasks do not have an Assignee. We are talking about
> substituting assignees here.


Unclaimed tasks have 'activiti:candidateUsers'. I thought the substitution
feature would be about moving unclaimed tasks around.
-- 
With regards,
*Manu*ranga Perera.

phone : 071 7 70 20 50
mail : m...@wso2.com
___
Architecture mailing list
Architecture@wso2.org
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture


Re: [Architecture] BPMN - Bulk Task Reassignment, Substitution feature

2016-06-06 Thread Hasitha Aravinda
On Mon, Jun 6, 2016 at 9:21 PM, Manuranga Perera  wrote:

> I think as much as possible we have to achieve this with Event-driven
>> architecture rather than schedulers.
>>
> +1
>

Let's take an example. Say we use event driven pattern here and we have
substitution from user A to user B which is defined at T0, starts at T1 and
ends at T10. Currently User A has x number of in-progress tasks.

Let's say, engine hasn't received any new task creation requests for this
particular user during T1-T5. Then engine will not be able to reassign
above X tasks back to user B during this time period. But user B should be
able to perform above task after T1.

This is why we can't use event driven pattern here.


> So we can use simple cache mechanism as below
>
> While this is possible, I don't see why we are trying to shave off a few
> milliseconds from the task creation and make the it more complex even
> sacrificing correctness. Isn't this some premature optimization ?
>
> --
> With regards,
> *Manu*ranga Perera.
>
> phone : 071 7 70 20 50
> mail : m...@wso2.com
>
> ___
> Architecture mailing list
> Architecture@wso2.org
> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
>
>
​Thanks,
Hasitha.
-- 
--
Hasitha Aravinda,
Associate Technical Lead,
WSO2 Inc.
Email: hasi...@wso2.com
Mobile : +94 718 210 200
___
Architecture mailing list
Architecture@wso2.org
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
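To make the timeline in the scenario above concrete, here is an added Python example (written for this edit, not code from the thread or from WSO2 BPS/Activiti). It replays the same scenario twice: once with only a creation-time routing hook, and once with a scheduled activation at T1 and a matching step at T10. Task, Substitution and the timeline inside simulate() are stand-ins I constructed; the candidate_users field only mirrors the activiti:candidateUsers attribute mentioned elsewhere in the thread, so that unclaimed tasks can be shown staying put while assignees are substituted.

```python
"""Substitution window: creation-time (event-driven) routing vs. a scheduled
activation at the window start.

Added example for this thread; it is not code from WSO2 BPS or Activiti.
Task, Substitution and the simulate() timeline are stand-ins constructed
for the scenario above (user A -> user B, defined at T0, active T1..T10, no
task-creation event for A between T1 and T5).
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Task:
    task_id: str
    assignee: Optional[str]                 # None means the task is unclaimed
    candidate_users: List[str] = field(default_factory=list)  # cf. activiti:candidateUsers


@dataclass
class Substitution:
    substituted: str   # user A
    substitute: str    # user B
    start: int         # T1
    end: int           # T10

    def active_at(self, now: int) -> bool:
        return self.start <= now < self.end


def route_new_task(task: Task, sub: Substitution, now: int) -> Task:
    """Event-driven hook: consulted only when a task is created."""
    if task.assignee == sub.substituted and sub.active_at(now):
        task.assignee = sub.substitute
    return task


def apply_substitution(tasks: Dict[str, Task], sub: Substitution, now: int) -> int:
    """Scheduler hook fired at the window start (A -> B) and end (B -> A).

    Only claimed tasks move: an unclaimed task has no assignee, only
    candidate users, so substituting assignees leaves it untouched.
    Returns the number of tasks reassigned.
    """
    if now == sub.start:
        src, dst = sub.substituted, sub.substitute
    elif now == sub.end:
        src, dst = sub.substitute, sub.substituted
    else:
        return 0
    moved = 0
    for task in tasks.values():
        if task.assignee == src:
            task.assignee = dst
            moved += 1
    return moved


def simulate(use_scheduler: bool) -> Dict[int, Dict[str, Optional[str]]]:
    """Replay the scenario from T0 to T10 and snapshot assignees at T1, T5, T10."""
    sub = Substitution("A", "B", start=1, end=10)
    # Constructed state: x = 3 tasks already claimed by A before T1, plus one unclaimed task.
    tasks: Dict[str, Task] = {f"t{i}": Task(f"t{i}", "A") for i in range(3)}
    tasks["u0"] = Task("u0", None, candidate_users=["A", "C"])
    snapshots: Dict[int, Dict[str, Optional[str]]] = {}
    for now in range(0, 11):
        if use_scheduler:
            apply_substitution(tasks, sub, now)
        if now == 6:  # the first task-creation event for A arrives only at T6
            tasks["t_new"] = route_new_task(Task("t_new", "A"), sub, now)
        if now in (1, 5, 10):
            snapshots[now] = {tid: t.assignee for tid, t in tasks.items()}
    return snapshots


if __name__ == "__main__":
    for mode in (False, True):
        print("scheduler" if mode else "events only", simulate(mode))
```

With the creation-time hook alone, the three tasks claimed before T1 are still assigned to A at T5, and the task created at T6 is still assigned to B after the window closes; with the scheduled steps both are corrected at T1 and T10. Whether the end of the window is driven by a scheduler or treated as an event, as suggested in the thread, the simulation shows the two moments where something other than task creation has to act.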


Re: [Architecture] BPMN - Bulk Task Reassignment, Substitution feature

2016-06-06 Thread Vinod Kavinda
>> There is no such status like "In progress".
>
> Isn't "claiming" a task equivalent to making it "in progress"?
>
> In your example of a call, I'll first claim and then start the call.
>

No, Unclaimed tasks do not have an Assignee. We are talking about
substituting assignees here.

>
> On Mon, Jun 6, 2016 at 11:51 AM, Manuranga Perera  wrote:
>
>>> I think as much as possible we have to achieve this with Event-driven
>>> architecture rather than schedulers.
>>>
>> +1
>>
>>> So we can use simple cache mechanism as below
>>
>> While this is possible, I don't see why we are trying to shave off a few
>> milliseconds from the task creation and make it more complex even
>> sacrificing correctness. Isn't this some premature optimization?
>>
>> --
>> With regards,
>> *Manu*ranga Perera.
>>
>> phone : 071 7 70 20 50
>> mail : m...@wso2.com
>>
>
>
>
> --
> With regards,
> *Manu*ranga Perera.
>
> phone : 071 7 70 20 50
> mail : m...@wso2.com
>



-- 
Vinod Kavinda
Software Engineer
*WSO2 Inc. - lean . enterprise . middleware .*
Mobile : +94 (0) 712 415544
Blog : http://soatechflicks.blogspot.com/
___
Architecture mailing list
Architecture@wso2.org
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture


Re: [Architecture] BPMN - Bulk Task Reassignment, Substitution feature

2016-06-06 Thread Manuranga Perera
>
> There is no such status like "In progress".

Isn't "claiming" a task equivalent to making it "in progress"?

In your example of a call, I'll first claim and then start the call.

On Mon, Jun 6, 2016 at 11:51 AM, Manuranga Perera  wrote:

>> I think as much as possible we have to achieve this with Event-driven
>> architecture rather than schedulers.
>>
> +1
>
>> So we can use simple cache mechanism as below
>
> While this is possible, I don't see why we are trying to shave off a few
> milliseconds from the task creation and make it more complex even
> sacrificing correctness. Isn't this some premature optimization?
>
> --
> With regards,
> *Manu*ranga Perera.
>
> phone : 071 7 70 20 50
> mail : m...@wso2.com
>



-- 
With regards,
*Manu*ranga Perera.

phone : 071 7 70 20 50
mail : m...@wso2.com
___
Architecture mailing list
Architecture@wso2.org
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture


Re: [Architecture] BPMN - Bulk Task Reassignment, Substitution feature

2016-06-06 Thread Manuranga Perera
>
> I think as much as possible we have to achieve this with Event-driven
> architecture rather than schedulers.
>
+1

> So we can use simple cache mechanism as below

While this is possible, I don't see why we are trying to shave off a few
milliseconds from the task creation and make it more complex even
sacrificing correctness. Isn't this some premature optimization?

-- 
With regards,
*Manu*ranga Perera.

phone : 071 7 70 20 50
mail : m...@wso2.com
___
Architecture mailing list
Architecture@wso2.org
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture


Re: [Architecture] Access Level Model For WSO2 Dashboard Server

2016-06-06 Thread Nisala Nanayakkara
adding Johan and Manuranga

Thanks,
Nisala

On Mon, Jun 6, 2016 at 3:41 PM, Nisala Nanayakkara  wrote:

> Hi all,
>
> I am working on implementing an access levels model for WSO2 Dashboard
> Server. Currently the global permission model for create/delete/login is
> implemented by Megala. Since it does not support providing per-dashboard
> access for users, I am going to extend it and implement a permission model
> that can be used to provide per-dashboard access for users.
>
> In order to implement this feature, I am going to add four roles at
> dashboard creation time as follows,
>
>    - internal/dashboard/{dashboardID}/editor
>    - internal/dashboard/{dashboardID}/viewer
>    - internal/dashboard/{dashboardID}/settings
>    - internal/dashboard/{dashboardID}/delete
>
> At dashboard creation time, the user who creates the dashboard will get
> all four roles. But other users have to get the above roles to do the
> appropriate actions on the dashboard. So we can set the above four roles
> for users, and they will be given different access levels according to
> their roles.
>
> Please feel free to give any feedback.
>
> Thanks,
> Nisala
> --
> *Nisala Niroshana Nanayakkara,*
> Software Engineer
> Mobile:(+94)717600022
> WSO2 Inc., http://wso2.com/
>



-- 
*Nisala Niroshana Nanayakkara,*
Software Engineer
Mobile:(+94)717600022
WSO2 Inc., http://wso2.com/
___
Architecture mailing list
Architecture@wso2.org
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture


[Architecture] Access Level Model For WSO2 Dashboard Server

2016-06-06 Thread Nisala Nanayakkara
Hi all,

I am working on implementing an access levels model for WSO2 Dashboard
Server. Currently the global permission model for create/delete/login is
implemented by Megala. Since it does not support providing per-dashboard
access for users, I am going to extend it and implement a permission model
that can be used to provide per-dashboard access for users.

In order to implement this feature, I am going to add four roles at
dashboard creation time as follows,

   - internal/dashboard/{dashboardID}/editor
   - internal/dashboard/{dashboardID}/viewer
   - internal/dashboard/{dashboardID}/settings
   - internal/dashboard/{dashboardID}/delete

At dashboard creation time, the user who creates the dashboard will get
all four roles. But other users have to get the above roles to do the
appropriate actions on the dashboard. So we can set the above four roles
for users, and they will be given different access levels according to
their roles.

Please feel free to give any feedback.

Thanks,
Nisala
-- 
*Nisala Niroshana Nanayakkara,*
Software Engineer
Mobile:(+94)717600022
WSO2 Inc., http://wso2.com/
___
Architecture mailing list
Architecture@wso2.org
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
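As an added illustration of the proposal above (example code written for this edit, not WSO2 Dashboard Server's own), the following Python models the four per-dashboard roles, the grant of all four to the creator at creation time, and a deny-by-default check that an action handler would call. The RoleStore is an in-memory stand-in for the user store, and the ACTION_ROLES table (which role satisfies which action) is my assumption; the dashboard id check is there because the id becomes part of a role name.

```python
"""Per-dashboard access levels: role naming, creation-time grant, and the
authorization check that consumes them.

Added example for this thread; not code from WSO2 Dashboard Server. The four
role names follow the proposal above. RoleStore is an in-memory stand-in for
the user store, and the ACTION_ROLES table is an assumption.
"""
from typing import Dict, List, Set

ROLE_PREFIX = "internal/dashboard"
ACCESS_LEVELS = ("editor", "viewer", "settings", "delete")

# Assumption: which per-dashboard role(s) satisfy each action. Editors can view too.
ACTION_ROLES: Dict[str, Set[str]] = {
    "view": {"viewer", "editor"},
    "edit": {"editor"},
    "change-settings": {"settings"},
    "delete": {"delete"},
}


def dashboard_roles(dashboard_id: str) -> List[str]:
    """The four roles minted for one dashboard, e.g. internal/dashboard/sales/editor."""
    # The id becomes part of a role name: reject ids that could escape the namespace.
    if not dashboard_id or "/" in dashboard_id:
        raise ValueError("dashboard id must be non-empty and must not contain '/'")
    return [f"{ROLE_PREFIX}/{dashboard_id}/{level}" for level in ACCESS_LEVELS]


class RoleStore:
    """In-memory stand-in for the internal roles kept in the user store."""

    def __init__(self) -> None:
        self.roles: Set[str] = set()
        self.user_roles: Dict[str, Set[str]] = {}

    def create_dashboard(self, dashboard_id: str, creator: str) -> List[str]:
        """Mint the four roles and grant all of them to the creator."""
        new_roles = dashboard_roles(dashboard_id)
        self.roles.update(new_roles)
        self.user_roles.setdefault(creator, set()).update(new_roles)
        return new_roles

    def grant(self, user: str, role: str) -> None:
        """Give another user one access level; the role must already exist."""
        if role not in self.roles:
            raise KeyError(f"unknown role: {role}")
        self.user_roles.setdefault(user, set()).add(role)

    def delete_dashboard(self, dashboard_id: str) -> int:
        """Drop the dashboard's roles and every assignment of them, so that
        four roles per dashboard do not outlive the dashboard."""
        gone = set(dashboard_roles(dashboard_id))
        self.roles -= gone
        for assigned in self.user_roles.values():
            assigned -= gone
        return len(gone)

    def is_allowed(self, user: str, dashboard_id: str, action: str) -> bool:
        """Deny by default: allow only if the user holds a role that satisfies the action."""
        needed = {f"{ROLE_PREFIX}/{dashboard_id}/{lvl}" for lvl in ACTION_ROLES[action]}
        return bool(needed & self.user_roles.get(user, set()))

    def role_count(self) -> int:
        return len(self.roles)


if __name__ == "__main__":
    store = RoleStore()
    store.create_dashboard("sales", "alice")
    store.grant("bob", "internal/dashboard/sales/viewer")
    print(store.is_allowed("bob", "sales", "view"), store.is_allowed("bob", "sales", "delete"))
```

The check is keyed on the dashboard id, so a viewer role on one dashboard grants nothing on another, and deleting a dashboard removes its roles from every user, which is what keeps the role count at four times the number of live dashboards rather than four times the number ever created.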


Re: [Architecture] Behavior of OAuth 2.0 Dynamic Client Registration

2016-06-06 Thread S, Sumit (Sumit)
Hi, how can I unsubscribe from these messages? Please advise.

From: Architecture [mailto:architecture-boun...@wso2.org] On Behalf Of Roshan Wijesena
Sent: Monday, June 6, 2016 2:34 PM
To: Geesara Prathap 
Cc: architecture 
Subject: Re: [Architecture] Behavior of OAuth 2.0 Dynamic Client Registration

On Mon, Jun 6, 2016 at 11:27 AM, Geesara Prathap  wrote:
Yes, It should be. We should use the same endpoint in order to create and
update an OAuth application.


Well, it depends on your implementation and auth server. I believe it is not
necessary to use the same endpoint templates. Different vendors use different
ways to implement their DCR endpoints. For example, consider the endpoints
below for creating and updating. This has been used in the MIT auth server's
DCR implementation. [1]


For creating (POST)


http://localhost:8080/openid-connect-server-webapp/register


Payload


{
    "application_type": "web",
    "redirect_uris": [
        "http://10.100.0.13:8080/simple-web-app/openid_connect_login"
    ],
    "client_name": "Simple Web App"
}


For the update (PUT).


http://localhost:8080/openid-connect-server-webapp/register/4547fc03-a6f3-4641-8e1f-84eb13093e5c


{
    "client_name": "Changed App",
    "client_id": "4547fc03-a6f3-4641-8e1f-84eb13093e5c",
    "redirect_uris": [
        "http://10.100.0.13:8080/simple-web-app/openid_connect_login"
    ]
}

[1] https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server

@maneesha,

Is it possible to share the two payloads that you have used in the create and
update endpoints?


Regards
Roshan

--
Roshan Wijesena.
Senior Software Engineer-WSO2 Inc.
Mobile: +94719154640
Email: ros...@wso2.com
WSO2, Inc. : wso2.com
lean.enterprise.middleware.
___
Architecture mailing list
Architecture@wso2.org
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture


Re: [Architecture] Behavior of OAuth 2.0 Dynamic Client Registration

2016-06-06 Thread Roshan Wijesena
On Mon, Jun 6, 2016 at 11:27 AM, Geesara Prathap  wrote:

> Yes, It should be. We should use the same endpoint in order to create and
> update an OAuth application.
>

Well, it depends on your implementation and auth server. I believe it is
not necessary to use the same endpoint templates. Different vendors use
different ways to implement their DCR endpoints. For example, consider the
endpoints below for creating and updating. This has been used in the MIT
auth server's DCR implementation. [1]

For creating (POST)

http://localhost:8080/openid-connect-server-webapp/register

Payload

{
    "application_type": "web",
    "redirect_uris": [
        "http://10.100.0.13:8080/simple-web-app/openid_connect_login"
    ],
    "client_name": "Simple Web App"
}

For the update (PUT).

http://localhost:8080/openid-connect-server-webapp/register/4547fc03-a6f3-4641-8e1f-84eb13093e5c

{
    "client_name": "Changed App",
    "client_id": "4547fc03-a6f3-4641-8e1f-84eb13093e5c",
    "redirect_uris": [
        "http://10.100.0.13:8080/simple-web-app/openid_connect_login"
    ]
}

[1] https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server

@maneesha,

Is it possible to share the two payloads that you have used in the create and
update endpoints?


Regards
Roshan

-- 
Roshan Wijesena.
Senior Software Engineer-WSO2 Inc.
Mobile: +94719154640
Email: ros...@wso2.com
WSO2, Inc. : wso2.com
lean.enterprise.middleware.
___
Architecture mailing list
Architecture@wso2.org
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
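As an added example for the two endpoints discussed above (written for this edit; it is neither the MITREid Connect server's code nor WSO2 Identity Server's), here is a small Python DCR server: POST /register validates the metadata and mints client_id, client_secret and a registration access token; PUT /register/{client_id} replaces the metadata only when the caller presents that client's registration access token, the body's client_id (if present) matches the path, and the body does not try to touch credentials. The registration access token follows RFC 7592; the digest storage, the id/secret generation and the redirect URI checks are my assumptions.

```python
"""Dynamic Client Registration in miniature: POST /register creates a client,
PUT /register/{client_id} updates it.

Added example for this thread; it is not the MITREid Connect server's code nor
WSO2 Identity Server's. The endpoint shapes and sample metadata follow the
examples above; the registration access token (RFC 7592), the hashing of
stored secrets and the id/secret generation are assumptions.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Metadata a client may set or replace; anything else in a PUT body is rejected.
CLIENT_METADATA = {"client_name", "redirect_uris", "application_type"}


def _digest(token: str) -> str:
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def valid_redirect_uris(uris: object) -> bool:
    """Non-empty list of absolute URIs without a fragment (RFC 6749 section 3.1.2)."""
    return (isinstance(uris, list) and bool(uris)
            and all(isinstance(u, str) and "://" in u and "#" not in u for u in uris))


class DcrServer:
    def __init__(self) -> None:
        self.clients: Dict[str, dict] = {}

    def register(self, payload: dict) -> Tuple[int, dict]:
        """POST /register: validate metadata, mint credentials, return them once."""
        if not valid_redirect_uris(payload.get("redirect_uris")):
            return 400, {"error": "invalid_redirect_uri"}
        client_id = secrets.token_hex(16)            # MITREid uses a UUID; any unguessable id works
        client_secret = secrets.token_urlsafe(32)
        reg_token = secrets.token_urlsafe(32)        # bearer token that authorizes later PUT/GET/DELETE
        meta = {k: payload[k] for k in CLIENT_METADATA if k in payload}
        self.clients[client_id] = {
            "secret_hash": _digest(client_secret),   # store only digests, as for passwords
            "reg_token_hash": _digest(reg_token),
            "meta": meta,
        }
        return 201, {"client_id": client_id, "client_secret": client_secret,
                     "registration_access_token": reg_token,
                     "registration_client_uri": f"/register/{client_id}", **meta}

    def update(self, client_id: str, bearer: Optional[str], payload: dict) -> Tuple[int, dict]:
        """PUT /register/{client_id}: replace the metadata of one client.

        The caller must present that client's registration access token, the
        body's client_id (if given) must match the path, and credentials
        cannot be changed through this call.
        """
        record = self.clients.get(client_id)
        if record is None or not hmac.compare_digest(record["reg_token_hash"], _digest(bearer or "")):
            return 401, {"error": "invalid_token"}
        if payload.get("client_id", client_id) != client_id:
            return 400, {"error": "invalid_client_metadata"}
        if set(payload) - CLIENT_METADATA - {"client_id"}:   # e.g. client_secret in the body
            return 400, {"error": "invalid_client_metadata"}
        if not valid_redirect_uris(payload.get("redirect_uris")):
            return 400, {"error": "invalid_redirect_uri"}
        record["meta"] = {k: payload[k] for k in CLIENT_METADATA if k in payload}
        return 200, {"client_id": client_id, **record["meta"]}

    def check_secret(self, client_id: str, client_secret: str) -> bool:
        """Client authentication at the token endpoint, for completeness."""
        record = self.clients.get(client_id)
        return record is not None and hmac.compare_digest(record["secret_hash"], _digest(client_secret))


if __name__ == "__main__":
    srv = DcrServer()
    status, reg = srv.register({"application_type": "web",
                                "redirect_uris": ["http://10.100.0.13:8080/simple-web-app/openid_connect_login"],
                                "client_name": "Simple Web App"})
    print(status, reg["client_id"])
    print(srv.update(reg["client_id"], reg["registration_access_token"],
                     {"client_id": reg["client_id"], "client_name": "Changed App",
                      "redirect_uris": reg["redirect_uris"]}))
```

Whichever URL template a vendor chooses, the properties worth checking are the ones the update path enforces here: the update is authorized by a per-client token rather than by knowing the client_id, the path and body cannot disagree about which client is being changed, and the PUT replaces metadata as a whole rather than merging, so a field left out is dropped rather than silently kept.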


Re: [Architecture] [IS] Regenerating client secret/key and revoking an oauth app in OAuth 2.0 implementation

2016-06-06 Thread Johann Nallathamby
Aren't we discussing two requirements?
1. Allow to register applications with user given client id/secret
2. Allow the client id/secret to be changed.

While changing client id has complications highlighted above, (1) also has
some challenges. Currently we assume the client id is unique across tenant
domains in certain places when we try to retrieve the app. If we allow the
client id to be taken as input in the registration call then we can no
longer assume this; just like SAML2 SSO issuer.

On Fri, Jun 3, 2016 at 12:10 PM, Chamara Philips  wrote:

> Hi,
>
> It depends on what the user prefers. Comparing with the username/password
> analogy, if the user needs to change the consumer key for some reason, it
> may be nice if the user can change the consumer key. But the main point here
> is that the consumer key is going to be generated. The user can't give what
> he likes. In that case it is not exactly like the username/password scenario.
>
> At the same time, AFAIU, because of the same reason above there is no
> point of having the option to regenerate the consumer key for an existing
> app. This may complicate things.
>
> Hence, I also feel like it will be enough for the user to have the option
> to regenerate the client secret.
>
> On Fri, Jun 3, 2016 at 11:51 AM, Farasath Ahamed  wrote:
>
>> Hi,
>>
>> Since client_id is simply an identifier for the OAuth application, is it
>> really required to regenerate the client_id when the client_secret is
>> compromised?
>>
>> Isn't it similar to a situation where we are changing our username and
>> password because our password was compromised?
>>
>>
>>
>> Farasath Ahamed
>> Software Engineer,
>> WSO2 Inc.; http://wso2.com
>> lean.enterprise.middleware
>>
>>
>> Email: farasa...@wso2.com
>> Mobile: +94777603866
>> Blog: blog.farazath.com
>> Twitter: @farazath619 
>>
>> On Fri, Jun 3, 2016 at 11:32 AM, Harsha Thirimanna  wrote:
>>
>>> Hi Farasath,
>>>
>>> In that case, we have to create a new application if someone wants to
>>> reset the consumer key. That will not be a good experience for the user,
>>> and the specification also does not specifically say whether we should
>>> revoke only the consumer key or both.
>>>
>>> An authorization server may revoke a client's secret in order to
>>>prevent abuse of a revealed secret.
>>>
>>>
>>> Note: This measure will immediately invalidate any authorization
>>>"code" or refresh token issued to the respective client.  This might
>>>unintentionally impact client identifiers and secrets used across
>>>multiple deployments of a particular native or web application.
>>>
>>>
>>>
>>> *Harsha Thirimanna*
>>> Associate Tech Lead; WSO2, Inc.; http://wso2.com
>>> email: hars...@wso2.com  cell: +94 71 5186770
>>> twitter: http://twitter.com/harshathirimann
>>> linked-in: http://www.linkedin.com/pub/harsha-thirimanna/10/ab8/122
>>>
>>> *Lean . Enterprise . Middleware*
>>>
>>>
>>> On Fri, Jun 3, 2016 at 11:11 AM, Farasath Ahamed  wrote:
>>>
>>>> Hi Indunil,
>>>>
>>>> In a case of client_secret being revealed wouldn't it be sufficient
>>>> only to regenerate the client_key without regenerating the consumer key? In
>>>> Google API console I have noticed that you only have the option to reset
>>>> the client secret of an OAuth application. If you want to regenerate both
>>>> client_id and client_secret you simply delete the app and create a new one.
>>>>
>>>>
>>>> Thanks,
>>>> Farasath Ahamed
>>>> Software Engineer,
>>>> WSO2 Inc.; http://wso2.com
>>>> lean.enterprise.middleware
>>>>
>>>>
>>>> Email: farasa...@wso2.com
>>>> Mobile: +94777603866
>>>> Blog: blog.farazath.com
>>>> Twitter: @farazath619
>>>>
>>>> On Fri, Jun 3, 2016 at 10:21 AM, Indunil Upeksha Rathnayake <indu...@wso2.com> wrote:
>>>>
>>>>> Hi,
>>>>> I am working on [1] for implementing regeneration of the client secret/key
>>>>> of an OAuth app and revocation of an OAuth app for the next milestone
>>>>> release of Identity Server. I would appreciate your feedback on the
>>>>> following approaches I have taken.
>>>>>
>>>>> A trusted client would need to update the client secret/key in order
>>>>> to prevent the abuse of a revealed client secret/key. So for addressing
>>>>> that, I am working on adding two options, *Regenerate Client Secret* and
>>>>> *Regenerate Consumer Key*, for OAuth applications in IS. After a client
>>>>> secret/key gets regenerated, that will immediately invalidate any active
>>>>> authorization code, access token or refresh token issued to the
>>>>> respective client.
>>>>>
>>>>>
>>>>>
>>>>> *Will it be necessary to add two options for revoking client secret
>>>>> and key or better to go for a different