Re: [Carbon-dev] Defining a role as internal or external
On Fri, May 27, 2011 at 12:24 PM, Hasini Gunasinghe wrote: > Hi, > Since the current categorization is confusing with ability to read/write to > external user stores as well, I removed the 'Type' column from the UI for > RC2. And updated context sensitive help to answer user's concerns if any, as > to why if a role may become editable/not editable. +1 Thanks & regards, -Prabath > If we can find a better filtering mechanism, will add that in the future. > Thanks, > Hasini. > > On Thu, May 26, 2011 at 1:35 PM, Amila Suriarachchi wrote: >> >> >> On Thu, May 26, 2011 at 12:42 PM, Dimuthu Leelarathne >> wrote: >>> >>> Hi, >>> >>> On Thu, May 26, 2011 at 11:17 AM, Amila Suriarachchi >>> wrote: Role is a set of permissions (i.e resouceid + action). Resource id or resource is always specific to a system. There for a role is defined for a given system. Therefore it is a external roles is a confusing idea. And also we need to have a clear definition about adminRole. If I engaged UT for a service and set a role like myRole, and invoke the service as admin (who is in adminRole) it won't work. Same thing happens with XCMAL as well. >>> >>> It is wrong to assume that admin can access all deployed services. Admin >>> is the admin for all admin console. >> >> In General Admin means a user who can access every thing. In this case I >> think it is better to rename it as adminConsoleAdmin and >> AdminConsoleAdminRole. >> >> thanks, >> Amila. >> >>> >>> thanks, >>> dimuthu >>> >>> thanks, Amila. > > [1] https://wso2.org/jira/browse/CARBON-9195 > Thanks, > Hasini. >> >> thanks, >> Amila. >>> >>> On Sun, May 22, 2011 at 11:10 AM, Hasini Gunasinghe >>> wrote: Hi, This is the understanding that I have regarding this. Please correct if anything is wrong. Differentiation of roles as external or internal is based on whether we manage user roles in the user store itself or in internal UM database in a hybrid manner. For an example, we find the above use case with LDAP user store where we can either manage roles in LDAP itself or in internal JDBC database in a hybrid manner (basically when user store is read only). In that case, internal role means: if a role is managed in internal UM database in a hybrid manner. external role means: if a role is managed in LDAP user store - can be either embedded LDAP or external LDAP. >>> >>> Roles defined in embedded LDAP are not external. >>> >>> It really doesn't matter whether the underlying implementation is >>> JDBC or LDAP. Users should not be worrying about underlying >>> implementation. >>> >>> tx, >>> dimuthul >>> >>> I think above mail is related to issue: https://wso2.org/jira/browse/CARBON-9195. The issue reported there is the default behavior according to above understanding. Because JDBC user store manager handles roles in hybrid manner only when "read only" property is set to true in user-mgt.xml. Thanks, Hasini. On Fri, May 6, 2011 at 11:09 AM, Amila Jayasekara wrote: > > Hi All, > > How do we define whether a particular role is internal or external > ? (Role type) > > After a chat with Pavithra, we came to following conclusion. > > If a role is defined within a server we treat those as internal > roles. > If a server reads role information from some other user store we > consider those as external roles. > > If above definition is not correct, please advice. > > Thanks > AmilaJ > ___ > Carbon-dev mailing list > Carbon-dev@wso2.org > http://mail.wso2.org/cgi-bin/mailman/listinfo/carbon-dev >>> >>> >>> ___ >>> Carbon-dev mailing list >>> Carbon-dev@wso2.org >>> http://mail.wso2.org/cgi-bin/mailman/listinfo/carbon-dev >>> >> > ___ Carbon-dev mailing list Carbon-dev@wso2.org http://mail.wso2.org/cgi-bin/mailman/listinfo/carbon-dev >>> >>> >>> ___ >>> Carbon-dev mailing list >>> Carbon-dev@wso2.org >>> http://mail.wso2.org/cgi-bin/mailman/listinfo/carbon-dev >>> >> >> >> ___ >> Carbon-dev mailing list >> Carbon-dev@wso2.org >> http://mail.wso2.org/cgi-bin/mailman/listinfo/carbon-dev >> > > > ___ > Carbon-dev mailing list > Carbon-dev@wso2.org > http://mail.wso2.or
Re: [Carbon-dev] Defining a role as internal or external
Hi, Since the current categorization is confusing with ability to read/write to external user stores as well, I removed the 'Type' column from the UI for RC2. And updated context sensitive help to answer user's concerns if any, as to why if a role may become editable/not editable. If we can find a better filtering mechanism, will add that in the future. Thanks, Hasini. On Thu, May 26, 2011 at 1:35 PM, Amila Suriarachchi wrote: > > > On Thu, May 26, 2011 at 12:42 PM, Dimuthu Leelarathne > wrote: > >> Hi, >> >> On Thu, May 26, 2011 at 11:17 AM, Amila Suriarachchi wrote: >> >>> Role is a set of permissions (i.e resouceid + action). Resource id or >>> resource is always specific to a system. There for a role is defined for a >>> given system. Therefore it is a external roles is a confusing idea. >>> >> >>> And also we need to have a clear definition about adminRole. If I engaged >>> UT for a service and set a role like myRole, and invoke the service as admin >>> (who is in adminRole) it won't work. Same thing happens with XCMAL as well. >>> >>> >> It is wrong to assume that admin can access all deployed services. Admin >> is the admin for all admin console. >> > > In General Admin means a user who can access every thing. In this case I > think it is better to rename it as adminConsoleAdmin and > AdminConsoleAdminRole. > > thanks, > Amila. > > >> >> thanks, >> dimuthu >> >> >> >>> thanks, >>> Amila. >>> >>> [1] https://wso2.org/jira/browse/CARBON-9195 Thanks, Hasini. > thanks, > Amila. > >> >> On Sun, May 22, 2011 at 11:10 AM, Hasini Gunasinghe >> wrote: >> >>> Hi, >>> >>> This is the understanding that I have regarding this. Please correct >>> if anything is wrong. >>> >>> Differentiation of roles as external or internal is based on whether >>> we manage user roles in the user store itself or in internal UM >>> database in >>> a hybrid manner. >>> >>> For an example, we find the above use case with LDAP user store where >>> we can either manage roles in LDAP itself or in internal JDBC database >>> in a >>> hybrid manner (basically when user store is read only). >>> >>> In that case, internal role means: if a role is managed in internal >>> UM database in a hybrid manner. >>>external role means: if a role is managed in LDAP >>> user store - can be either embedded LDAP or external LDAP. >>> >>> >> Roles defined in embedded LDAP are not external. >> >> It really doesn't matter whether the underlying implementation is JDBC >> or LDAP. Users should not be worrying about underlying implementation. >> >> tx, >> dimuthul >> >> >> >>> I think above mail is related to issue: >>> https://wso2.org/jira/browse/CARBON-9195. The issue reported there >>> is the default behavior according to above understanding. >>> Because JDBC user store manager handles roles in hybrid manner only >>> when "read only" property is set to true in user-mgt.xml. >>> >>> Thanks, >>> Hasini. >>> >>> On Fri, May 6, 2011 at 11:09 AM, Amila Jayasekara >>> wrote: >>> Hi All, How do we define whether a particular role is internal or external ? (Role type) After a chat with Pavithra, we came to following conclusion. If a role is defined within a server we treat those as internal roles. If a server reads role information from some other user store we consider those as external roles. If above definition is not correct, please advice. Thanks AmilaJ ___ Carbon-dev mailing list Carbon-dev@wso2.org http://mail.wso2.org/cgi-bin/mailman/listinfo/carbon-dev >>> >>> >> >> ___ >> Carbon-dev mailing list >> Carbon-dev@wso2.org >> http://mail.wso2.org/cgi-bin/mailman/listinfo/carbon-dev >> >> > >>> >>> ___ >>> Carbon-dev mailing list >>> Carbon-dev@wso2.org >>> http://mail.wso2.org/cgi-bin/mailman/listinfo/carbon-dev >>> >>> >> >> ___ >> Carbon-dev mailing list >> Carbon-dev@wso2.org >> http://mail.wso2.org/cgi-bin/mailman/listinfo/carbon-dev >> >> > > ___ > Carbon-dev mailing list > Carbon-dev@wso2.org > http://mail.wso2.org/cgi-bin/mailman/listinfo/carbon-dev > > ___ Carbon-dev mailing list Carbon-dev@wso2.org http://mail.wso2.org/cgi-bin/mailman/listinfo/carbon-dev
Re: [Carbon-dev] Defining a role as internal or external
On Thu, May 26, 2011 at 12:42 PM, Dimuthu Leelarathne wrote: > Hi, > > On Thu, May 26, 2011 at 11:17 AM, Amila Suriarachchi wrote: > >> Role is a set of permissions (i.e resouceid + action). Resource id or >> resource is always specific to a system. There for a role is defined for a >> given system. Therefore it is a external roles is a confusing idea. >> > >> And also we need to have a clear definition about adminRole. If I engaged >> UT for a service and set a role like myRole, and invoke the service as admin >> (who is in adminRole) it won't work. Same thing happens with XCMAL as well. >> >> > It is wrong to assume that admin can access all deployed services. Admin is > the admin for all admin console. > In General Admin means a user who can access every thing. In this case I think it is better to rename it as adminConsoleAdmin and AdminConsoleAdminRole. thanks, Amila. > > thanks, > dimuthu > > > >> thanks, >> Amila. >> >> >>> >>> [1] https://wso2.org/jira/browse/CARBON-9195 >>> >>> Thanks, >>> Hasini. >>> >>> thanks, Amila. > > On Sun, May 22, 2011 at 11:10 AM, Hasini Gunasinghe > wrote: > >> Hi, >> >> This is the understanding that I have regarding this. Please correct >> if anything is wrong. >> >> Differentiation of roles as external or internal is based on whether >> we manage user roles in the user store itself or in internal UM database >> in >> a hybrid manner. >> >> For an example, we find the above use case with LDAP user store where >> we can either manage roles in LDAP itself or in internal JDBC database >> in a >> hybrid manner (basically when user store is read only). >> >> In that case, internal role means: if a role is managed in internal UM >> database in a hybrid manner. >>external role means: if a role is managed in LDAP >> user store - can be either embedded LDAP or external LDAP. >> >> > Roles defined in embedded LDAP are not external. > > It really doesn't matter whether the underlying implementation is JDBC > or LDAP. Users should not be worrying about underlying implementation. > > tx, > dimuthul > > > >> I think above mail is related to issue: >> https://wso2.org/jira/browse/CARBON-9195. The issue reported there is >> the default behavior according to above understanding. >> Because JDBC user store manager handles roles in hybrid manner only >> when "read only" property is set to true in user-mgt.xml. >> >> Thanks, >> Hasini. >> >> On Fri, May 6, 2011 at 11:09 AM, Amila Jayasekara wrote: >> >>> Hi All, >>> >>> How do we define whether a particular role is internal or external ? >>> (Role type) >>> >>> After a chat with Pavithra, we came to following conclusion. >>> >>> If a role is defined within a server we treat those as internal >>> roles. >>> If a server reads role information from some other user store we >>> consider those as external roles. >>> >>> If above definition is not correct, please advice. >>> >>> Thanks >>> AmilaJ >>> ___ >>> Carbon-dev mailing list >>> Carbon-dev@wso2.org >>> http://mail.wso2.org/cgi-bin/mailman/listinfo/carbon-dev >>> >> >> > > ___ > Carbon-dev mailing list > Carbon-dev@wso2.org > http://mail.wso2.org/cgi-bin/mailman/listinfo/carbon-dev > > >>> >> >> ___ >> Carbon-dev mailing list >> Carbon-dev@wso2.org >> http://mail.wso2.org/cgi-bin/mailman/listinfo/carbon-dev >> >> > > ___ > Carbon-dev mailing list > Carbon-dev@wso2.org > http://mail.wso2.org/cgi-bin/mailman/listinfo/carbon-dev > > ___ Carbon-dev mailing list Carbon-dev@wso2.org http://mail.wso2.org/cgi-bin/mailman/listinfo/carbon-dev
Re: [Carbon-dev] Defining a role as internal or external
Hi, On Thu, May 26, 2011 at 11:17 AM, Amila Suriarachchi wrote: > Role is a set of permissions (i.e resouceid + action). Resource id or > resource is always specific to a system. There for a role is defined for a > given system. Therefore it is a external roles is a confusing idea. > > And also we need to have a clear definition about adminRole. If I engaged > UT for a service and set a role like myRole, and invoke the service as admin > (who is in adminRole) it won't work. Same thing happens with XCMAL as well. > > It is wrong to assume that admin can access all deployed services. Admin is the admin for all admin console. thanks, dimuthu > thanks, > Amila. > > >> >> [1] https://wso2.org/jira/browse/CARBON-9195 >> >> Thanks, >> Hasini. >> >> >>> thanks, >>> Amila. >>> On Sun, May 22, 2011 at 11:10 AM, Hasini Gunasinghe wrote: > Hi, > > This is the understanding that I have regarding this. Please correct if > anything is wrong. > > Differentiation of roles as external or internal is based on whether we > manage user roles in the user store itself or in internal UM database in a > hybrid manner. > > For an example, we find the above use case with LDAP user store where > we can either manage roles in LDAP itself or in internal JDBC database in > a > hybrid manner (basically when user store is read only). > > In that case, internal role means: if a role is managed in internal UM > database in a hybrid manner. >external role means: if a role is managed in LDAP > user store - can be either embedded LDAP or external LDAP. > > Roles defined in embedded LDAP are not external. It really doesn't matter whether the underlying implementation is JDBC or LDAP. Users should not be worrying about underlying implementation. tx, dimuthul > I think above mail is related to issue: > https://wso2.org/jira/browse/CARBON-9195. The issue reported there is > the default behavior according to above understanding. > Because JDBC user store manager handles roles in hybrid manner only > when "read only" property is set to true in user-mgt.xml. > > Thanks, > Hasini. > > On Fri, May 6, 2011 at 11:09 AM, Amila Jayasekara wrote: > >> Hi All, >> >> How do we define whether a particular role is internal or external ? >> (Role type) >> >> After a chat with Pavithra, we came to following conclusion. >> >> If a role is defined within a server we treat those as internal roles. >> If a server reads role information from some other user store we >> consider those as external roles. >> >> If above definition is not correct, please advice. >> >> Thanks >> AmilaJ >> ___ >> Carbon-dev mailing list >> Carbon-dev@wso2.org >> http://mail.wso2.org/cgi-bin/mailman/listinfo/carbon-dev >> > > ___ Carbon-dev mailing list Carbon-dev@wso2.org http://mail.wso2.org/cgi-bin/mailman/listinfo/carbon-dev >>> >> > > ___ > Carbon-dev mailing list > Carbon-dev@wso2.org > http://mail.wso2.org/cgi-bin/mailman/listinfo/carbon-dev > > ___ Carbon-dev mailing list Carbon-dev@wso2.org http://mail.wso2.org/cgi-bin/mailman/listinfo/carbon-dev
Re: [Carbon-dev] Defining a role as internal or external
Hi, On Thu, May 26, 2011 at 10:20 AM, Hasini Gunasinghe wrote: > This category name and the definition needs to be sorted out and I think > this discussion started to decide that. There is an jira [1] related to > this. > > In finalizing that, I have two questions: > 1. What is the actual requirement of displaying the category as 'Internal' > or 'External' in front of the role name? Because through UI, we enable > edit/delete options for a role only if the role is editable. > Internal/external categorization was introduced eliminate confusion. There were problems such as, -Why can't I edit this role? -Why can't I delete this role? If a role is editable/deletable (that means if WSO2 servers own this role) it was indicated internal. Otherwise external. Current usage of these categorization is wrong, and leads to more confusion. If you can suggest more better namings +1. tx, dimuthu > 2. IMO, above mentioned definition of *external* can lead to confusion when > the user store is external ldap with read/write permission, because then the > WSO2 UM may or may not have originated that role, but still it is editable > though management console. > > [1] https://wso2.org/jira/browse/CARBON-9195 > > Thanks, > Hasini. > > >> thanks, >> Amila. >> >>> >>> On Sun, May 22, 2011 at 11:10 AM, Hasini Gunasinghe wrote: >>> Hi, This is the understanding that I have regarding this. Please correct if anything is wrong. Differentiation of roles as external or internal is based on whether we manage user roles in the user store itself or in internal UM database in a hybrid manner. For an example, we find the above use case with LDAP user store where we can either manage roles in LDAP itself or in internal JDBC database in a hybrid manner (basically when user store is read only). In that case, internal role means: if a role is managed in internal UM database in a hybrid manner. external role means: if a role is managed in LDAP user store - can be either embedded LDAP or external LDAP. >>> Roles defined in embedded LDAP are not external. >>> >>> It really doesn't matter whether the underlying implementation is JDBC or >>> LDAP. Users should not be worrying about underlying implementation. >>> >>> tx, >>> dimuthul >>> >>> >>> I think above mail is related to issue: https://wso2.org/jira/browse/CARBON-9195. The issue reported there is the default behavior according to above understanding. Because JDBC user store manager handles roles in hybrid manner only when "read only" property is set to true in user-mgt.xml. Thanks, Hasini. On Fri, May 6, 2011 at 11:09 AM, Amila Jayasekara wrote: > Hi All, > > How do we define whether a particular role is internal or external ? > (Role type) > > After a chat with Pavithra, we came to following conclusion. > > If a role is defined within a server we treat those as internal roles. > If a server reads role information from some other user store we > consider those as external roles. > > If above definition is not correct, please advice. > > Thanks > AmilaJ > ___ > Carbon-dev mailing list > Carbon-dev@wso2.org > http://mail.wso2.org/cgi-bin/mailman/listinfo/carbon-dev > >>> >>> ___ >>> Carbon-dev mailing list >>> Carbon-dev@wso2.org >>> http://mail.wso2.org/cgi-bin/mailman/listinfo/carbon-dev >>> >>> >> In functionality wise there is no issue. > > ___ > Carbon-dev mailing list > Carbon-dev@wso2.org > http://mail.wso2.org/cgi-bin/mailman/listinfo/carbon-dev > > ___ Carbon-dev mailing list Carbon-dev@wso2.org http://mail.wso2.org/cgi-bin/mailman/listinfo/carbon-dev
Re: [Carbon-dev] Defining a role as internal or external
On Thu, May 26, 2011 at 10:20 AM, Hasini Gunasinghe wrote: > Hi, > > On Wed, May 25, 2011 at 6:32 PM, Amila Suriarachchi wrote: > >> >> >> On Sun, May 22, 2011 at 3:45 PM, Dimuthu Leelarathne >> wrote: >> >>> Hi, >>> >>> Internal means WSO2 user manager owns the role and has the right to >>> manage it, basically edit it and delete it as it wish. External means WSO2 >>> user manager does not own the role, it only reads the role. >>> >> >> I tried with the 3.2.0 branch build. When I create a role using Admin >> console it create it as *external* and let me edit and delete. is that >> correct? >> > In functionality wise there is no issue. > true :) > This category name and the definition needs to be sorted out and I think > this discussion started to decide that. There is an jira [1] related to > this. > > In finalizing that, I have two questions: > 1. What is the actual requirement of displaying the category as 'Internal' > or 'External' in front of the role name? Because through UI, we enable > edit/delete options for a role only if the role is editable. > 2. IMO, above mentioned definition of *external* can lead to confusion when > the user store is external ldap with read/write permission, because then the > WSO2 UM may or may not have originated that role, but still it is editable > though management console. > Role is a set of permissions (i.e resouceid + action). Resource id or resource is always specific to a system. There for a role is defined for a given system. Therefore it is a external roles is a confusing idea. And also we need to have a clear definition about adminRole. If I engaged UT for a service and set a role like myRole, and invoke the service as admin (who is in adminRole) it won't work. Same thing happens with XCMAL as well. thanks, Amila. > > [1] https://wso2.org/jira/browse/CARBON-9195 > > Thanks, > Hasini. > > >> thanks, >> Amila. >> >>> >>> On Sun, May 22, 2011 at 11:10 AM, Hasini Gunasinghe wrote: >>> Hi, This is the understanding that I have regarding this. Please correct if anything is wrong. Differentiation of roles as external or internal is based on whether we manage user roles in the user store itself or in internal UM database in a hybrid manner. For an example, we find the above use case with LDAP user store where we can either manage roles in LDAP itself or in internal JDBC database in a hybrid manner (basically when user store is read only). In that case, internal role means: if a role is managed in internal UM database in a hybrid manner. external role means: if a role is managed in LDAP user store - can be either embedded LDAP or external LDAP. >>> Roles defined in embedded LDAP are not external. >>> >>> It really doesn't matter whether the underlying implementation is JDBC or >>> LDAP. Users should not be worrying about underlying implementation. >>> >>> tx, >>> dimuthul >>> >>> >>> I think above mail is related to issue: https://wso2.org/jira/browse/CARBON-9195. The issue reported there is the default behavior according to above understanding. Because JDBC user store manager handles roles in hybrid manner only when "read only" property is set to true in user-mgt.xml. Thanks, Hasini. On Fri, May 6, 2011 at 11:09 AM, Amila Jayasekara wrote: > Hi All, > > How do we define whether a particular role is internal or external ? > (Role type) > > After a chat with Pavithra, we came to following conclusion. > > If a role is defined within a server we treat those as internal roles. > If a server reads role information from some other user store we > consider those as external roles. > > If above definition is not correct, please advice. > > Thanks > AmilaJ > ___ > Carbon-dev mailing list > Carbon-dev@wso2.org > http://mail.wso2.org/cgi-bin/mailman/listinfo/carbon-dev > >>> >>> ___ >>> Carbon-dev mailing list >>> Carbon-dev@wso2.org >>> http://mail.wso2.org/cgi-bin/mailman/listinfo/carbon-dev >>> >>> >> > ___ Carbon-dev mailing list Carbon-dev@wso2.org http://mail.wso2.org/cgi-bin/mailman/listinfo/carbon-dev
Re: [Carbon-dev] Defining a role as internal or external
Hi, On Wed, May 25, 2011 at 6:32 PM, Amila Suriarachchi wrote: > > > On Sun, May 22, 2011 at 3:45 PM, Dimuthu Leelarathne wrote: > >> Hi, >> >> Internal means WSO2 user manager owns the role and has the right to manage >> it, basically edit it and delete it as it wish. External means WSO2 user >> manager does not own the role, it only reads the role. >> > > I tried with the 3.2.0 branch build. When I create a role using Admin > console it create it as *external* and let me edit and delete. is that > correct? > In functionality wise there is no issue. This category name and the definition needs to be sorted out and I think this discussion started to decide that. There is an jira [1] related to this. In finalizing that, I have two questions: 1. What is the actual requirement of displaying the category as 'Internal' or 'External' in front of the role name? Because through UI, we enable edit/delete options for a role only if the role is editable. 2. IMO, above mentioned definition of *external* can lead to confusion when the user store is external ldap with read/write permission, because then the WSO2 UM may or may not have originated that role, but still it is editable though management console. [1] https://wso2.org/jira/browse/CARBON-9195 Thanks, Hasini. > thanks, > Amila. > >> >> On Sun, May 22, 2011 at 11:10 AM, Hasini Gunasinghe wrote: >> >>> Hi, >>> >>> This is the understanding that I have regarding this. Please correct if >>> anything is wrong. >>> >>> Differentiation of roles as external or internal is based on whether we >>> manage user roles in the user store itself or in internal UM database in a >>> hybrid manner. >>> >>> For an example, we find the above use case with LDAP user store where we >>> can either manage roles in LDAP itself or in internal JDBC database in a >>> hybrid manner (basically when user store is read only). >>> >>> In that case, internal role means: if a role is managed in internal UM >>> database in a hybrid manner. >>>external role means: if a role is managed in LDAP user >>> store - can be either embedded LDAP or external LDAP. >>> >>> >> Roles defined in embedded LDAP are not external. >> >> It really doesn't matter whether the underlying implementation is JDBC or >> LDAP. Users should not be worrying about underlying implementation. >> >> tx, >> dimuthul >> >> >> >>> I think above mail is related to issue: >>> https://wso2.org/jira/browse/CARBON-9195. The issue reported there is >>> the default behavior according to above understanding. >>> Because JDBC user store manager handles roles in hybrid manner only when >>> "read only" property is set to true in user-mgt.xml. >>> >>> Thanks, >>> Hasini. >>> >>> On Fri, May 6, 2011 at 11:09 AM, Amila Jayasekara wrote: >>> Hi All, How do we define whether a particular role is internal or external ? (Role type) After a chat with Pavithra, we came to following conclusion. If a role is defined within a server we treat those as internal roles. If a server reads role information from some other user store we consider those as external roles. If above definition is not correct, please advice. Thanks AmilaJ ___ Carbon-dev mailing list Carbon-dev@wso2.org http://mail.wso2.org/cgi-bin/mailman/listinfo/carbon-dev >>> >>> >> >> ___ >> Carbon-dev mailing list >> Carbon-dev@wso2.org >> http://mail.wso2.org/cgi-bin/mailman/listinfo/carbon-dev >> >> > ___ Carbon-dev mailing list Carbon-dev@wso2.org http://mail.wso2.org/cgi-bin/mailman/listinfo/carbon-dev
Re: [Carbon-dev] Defining a role as internal or external
On Sun, May 22, 2011 at 3:45 PM, Dimuthu Leelarathne wrote: > Hi, > > Internal means WSO2 user manager owns the role and has the right to manage > it, basically edit it and delete it as it wish. External means WSO2 user > manager does not own the role, it only reads the role. > I tried with the 3.2.0 branch build. When I create a role using Admin console it create it as *external* and let me edit and delete. is that correct? thanks, Amila. > > On Sun, May 22, 2011 at 11:10 AM, Hasini Gunasinghe wrote: > >> Hi, >> >> This is the understanding that I have regarding this. Please correct if >> anything is wrong. >> >> Differentiation of roles as external or internal is based on whether we >> manage user roles in the user store itself or in internal UM database in a >> hybrid manner. >> >> For an example, we find the above use case with LDAP user store where we >> can either manage roles in LDAP itself or in internal JDBC database in a >> hybrid manner (basically when user store is read only). >> >> In that case, internal role means: if a role is managed in internal UM >> database in a hybrid manner. >>external role means: if a role is managed in LDAP user >> store - can be either embedded LDAP or external LDAP. >> >> > Roles defined in embedded LDAP are not external. > > It really doesn't matter whether the underlying implementation is JDBC or > LDAP. Users should not be worrying about underlying implementation. > > tx, > dimuthul > > > >> I think above mail is related to issue: >> https://wso2.org/jira/browse/CARBON-9195. The issue reported there is the >> default behavior according to above understanding. >> Because JDBC user store manager handles roles in hybrid manner only when >> "read only" property is set to true in user-mgt.xml. >> >> Thanks, >> Hasini. >> >> On Fri, May 6, 2011 at 11:09 AM, Amila Jayasekara wrote: >> >>> Hi All, >>> >>> How do we define whether a particular role is internal or external ? >>> (Role type) >>> >>> After a chat with Pavithra, we came to following conclusion. >>> >>> If a role is defined within a server we treat those as internal roles. >>> If a server reads role information from some other user store we >>> consider those as external roles. >>> >>> If above definition is not correct, please advice. >>> >>> Thanks >>> AmilaJ >>> ___ >>> Carbon-dev mailing list >>> Carbon-dev@wso2.org >>> http://mail.wso2.org/cgi-bin/mailman/listinfo/carbon-dev >>> >> >> > > ___ > Carbon-dev mailing list > Carbon-dev@wso2.org > http://mail.wso2.org/cgi-bin/mailman/listinfo/carbon-dev > > ___ Carbon-dev mailing list Carbon-dev@wso2.org http://mail.wso2.org/cgi-bin/mailman/listinfo/carbon-dev
Re: [Carbon-dev] Defining a role as internal or external
Hi, On Sun, May 22, 2011 at 4:13 PM, Senaka Fernando wrote: > Hi Dimuthu, > > I need to clarify a small thing related to LDAP.What would be the overhead > of switching from embedded LDAP to external LDAP? > > Say I have created a replica of my external LDAP locally, and tested it, > and I now want to switch to the corporate LDAP server. If the roles on the > embedded LDAP were a subset of the roles on the external LDAP, what would I > need to do when I migrate? Do I need to recreate or reorganize the roles? > and if not, do I need to redefine all permissions? > It depends on your scenario. If you have read only permission to cooperate LDAP and tested with embedded LDAP using readonly LDAP realm, then the switching is basically a change in the connection properties. Please note WSO2 servers are operating in read only mode because you are not the owner of these roles. WSO2 servers merely use them. If you have read/write permission to cooperate LDAP and tested with embedded LDAP using the ApacheDS realm then the change over becomes a bit tricky. First of all you have to import the schemas. The last time I tried with OpenLDAP it didn't work. The secondly you have to create whatever the roles you created in Embedded LDAP in cooperate LDAP. But you don't have to reconfigure permissions as long as database and role names are the same. In this case WSO2 servers becomes an party that owns roles. tx, dimuthul > Thanks, > Senaka. > >> >> tx, >> dimuthul >> >> >> >>> I think above mail is related to issue: >>> https://wso2.org/jira/browse/CARBON-9195. The issue reported there is >>> the default behavior according to above understanding. >>> Because JDBC user store manager handles roles in hybrid manner only when >>> "read only" property is set to true in user-mgt.xml. >>> >>> Thanks, >>> Hasini. >>> >>> On Fri, May 6, 2011 at 11:09 AM, Amila Jayasekara wrote: >>> Hi All, How do we define whether a particular role is internal or external ? (Role type) After a chat with Pavithra, we came to following conclusion. If a role is defined within a server we treat those as internal roles. If a server reads role information from some other user store we consider those as external roles. If above definition is not correct, please advice. Thanks AmilaJ ___ Carbon-dev mailing list Carbon-dev@wso2.org http://mail.wso2.org/cgi-bin/mailman/listinfo/carbon-dev >>> >>> >> >> ___ >> Carbon-dev mailing list >> Carbon-dev@wso2.org >> http://mail.wso2.org/cgi-bin/mailman/listinfo/carbon-dev >> >> > > > -- > *Senaka Fernando* > Product Manager - WSO2 Governance Registry; > Associate Technical Lead; WSO2 Inc.; http://wso2.com* > Member; Apache Software Foundation; http://apache.org > > E-mail: senaka AT wso2.com > **P: +1 408 754 7388; ext: 51736*; *M: +94 77 322 1818 > Linked-In: http://linkedin.com/in/senakafernando > > *Lean . Enterprise . Middleware > > > ___ > Carbon-dev mailing list > Carbon-dev@wso2.org > http://mail.wso2.org/cgi-bin/mailman/listinfo/carbon-dev > > ___ Carbon-dev mailing list Carbon-dev@wso2.org http://mail.wso2.org/cgi-bin/mailman/listinfo/carbon-dev
Re: [Carbon-dev] Defining a role as internal or external
Hi Dimuthu, I need to clarify a small thing related to LDAP. On Sun, May 22, 2011 at 3:45 PM, Dimuthu Leelarathne wrote: > Hi, > > Internal means WSO2 user manager owns the role and has the right to manage > it, basically edit it and delete it as it wish. External means WSO2 user > manager does not own the role, it only reads the role. > > On Sun, May 22, 2011 at 11:10 AM, Hasini Gunasinghe wrote: > >> Hi, >> >> This is the understanding that I have regarding this. Please correct if >> anything is wrong. >> >> Differentiation of roles as external or internal is based on whether we >> manage user roles in the user store itself or in internal UM database in a >> hybrid manner. >> >> For an example, we find the above use case with LDAP user store where we >> can either manage roles in LDAP itself or in internal JDBC database in a >> hybrid manner (basically when user store is read only). >> >> In that case, internal role means: if a role is managed in internal UM >> database in a hybrid manner. >>external role means: if a role is managed in LDAP user >> store - can be either embedded LDAP or external LDAP. >> >> > Roles defined in embedded LDAP are not external. > > It really doesn't matter whether the underlying implementation is JDBC or > LDAP. Users should not be worrying about underlying implementation. > What would be the overhead of switching from embedded LDAP to external LDAP? Say I have created a replica of my external LDAP locally, and tested it, and I now want to switch to the corporate LDAP server. If the roles on the embedded LDAP were a subset of the roles on the external LDAP, what would I need to do when I migrate? Do I need to recreate or reorganize the roles? and if not, do I need to redefine all permissions? Thanks, Senaka. > > tx, > dimuthul > > > >> I think above mail is related to issue: >> https://wso2.org/jira/browse/CARBON-9195. The issue reported there is the >> default behavior according to above understanding. >> Because JDBC user store manager handles roles in hybrid manner only when >> "read only" property is set to true in user-mgt.xml. >> >> Thanks, >> Hasini. >> >> On Fri, May 6, 2011 at 11:09 AM, Amila Jayasekara wrote: >> >>> Hi All, >>> >>> How do we define whether a particular role is internal or external ? >>> (Role type) >>> >>> After a chat with Pavithra, we came to following conclusion. >>> >>> If a role is defined within a server we treat those as internal roles. >>> If a server reads role information from some other user store we >>> consider those as external roles. >>> >>> If above definition is not correct, please advice. >>> >>> Thanks >>> AmilaJ >>> ___ >>> Carbon-dev mailing list >>> Carbon-dev@wso2.org >>> http://mail.wso2.org/cgi-bin/mailman/listinfo/carbon-dev >>> >> >> > > ___ > Carbon-dev mailing list > Carbon-dev@wso2.org > http://mail.wso2.org/cgi-bin/mailman/listinfo/carbon-dev > > -- *Senaka Fernando* Product Manager - WSO2 Governance Registry; Associate Technical Lead; WSO2 Inc.; http://wso2.com* Member; Apache Software Foundation; http://apache.org E-mail: senaka AT wso2.com **P: +1 408 754 7388; ext: 51736*; *M: +94 77 322 1818 Linked-In: http://linkedin.com/in/senakafernando *Lean . Enterprise . Middleware ___ Carbon-dev mailing list Carbon-dev@wso2.org http://mail.wso2.org/cgi-bin/mailman/listinfo/carbon-dev
Re: [Carbon-dev] Defining a role as internal or external
Hi, Internal means WSO2 user manager owns the role and has the right to manage it, basically edit it and delete it as it wish. External means WSO2 user manager does not own the role, it only reads the role. On Sun, May 22, 2011 at 11:10 AM, Hasini Gunasinghe wrote: > Hi, > > This is the understanding that I have regarding this. Please correct if > anything is wrong. > > Differentiation of roles as external or internal is based on whether we > manage user roles in the user store itself or in internal UM database in a > hybrid manner. > > For an example, we find the above use case with LDAP user store where we > can either manage roles in LDAP itself or in internal JDBC database in a > hybrid manner (basically when user store is read only). > > In that case, internal role means: if a role is managed in internal UM > database in a hybrid manner. >external role means: if a role is managed in LDAP user > store - can be either embedded LDAP or external LDAP. > > Roles defined in embedded LDAP are not external. It really doesn't matter whether the underlying implementation is JDBC or LDAP. Users should not be worrying about underlying implementation. tx, dimuthul > I think above mail is related to issue: > https://wso2.org/jira/browse/CARBON-9195. The issue reported there is the > default behavior according to above understanding. > Because JDBC user store manager handles roles in hybrid manner only when > "read only" property is set to true in user-mgt.xml. > > Thanks, > Hasini. > > On Fri, May 6, 2011 at 11:09 AM, Amila Jayasekara wrote: > >> Hi All, >> >> How do we define whether a particular role is internal or external ? (Role >> type) >> >> After a chat with Pavithra, we came to following conclusion. >> >> If a role is defined within a server we treat those as internal roles. >> If a server reads role information from some other user store we >> consider those as external roles. >> >> If above definition is not correct, please advice. >> >> Thanks >> AmilaJ >> ___ >> Carbon-dev mailing list >> Carbon-dev@wso2.org >> http://mail.wso2.org/cgi-bin/mailman/listinfo/carbon-dev >> > > ___ Carbon-dev mailing list Carbon-dev@wso2.org http://mail.wso2.org/cgi-bin/mailman/listinfo/carbon-dev
Re: [Carbon-dev] Defining a role as internal or external
Hi, This is the understanding that I have regarding this. Please correct if anything is wrong. Differentiation of roles as external or internal is based on whether we manage user roles in the user store itself or in internal UM database in a hybrid manner. For an example, we find the above use case with LDAP user store where we can either manage roles in LDAP itself or in internal JDBC database in a hybrid manner (basically when user store is read only). In that case, internal role means: if a role is managed in internal UM database in a hybrid manner. external role means: if a role is managed in LDAP user store - can be either embedded LDAP or external LDAP. I think above mail is related to issue: https://wso2.org/jira/browse/CARBON-9195. The issue reported there is the default behavior according to above understanding. Because JDBC user store manager handles roles in hybrid manner only when "read only" property is set to true in user-mgt.xml. Thanks, Hasini. On Fri, May 6, 2011 at 11:09 AM, Amila Jayasekara wrote: > Hi All, > > How do we define whether a particular role is internal or external ? (Role > type) > > After a chat with Pavithra, we came to following conclusion. > > If a role is defined within a server we treat those as internal roles. > If a server reads role information from some other user store we > consider those as external roles. > > If above definition is not correct, please advice. > > Thanks > AmilaJ > ___ > Carbon-dev mailing list > Carbon-dev@wso2.org > http://mail.wso2.org/cgi-bin/mailman/listinfo/carbon-dev > ___ Carbon-dev mailing list Carbon-dev@wso2.org http://mail.wso2.org/cgi-bin/mailman/listinfo/carbon-dev