Re: Global uniqueness requirement of username

2021-05-10 Thread Martin van Es
Hi Francesco,

Ok, I can log debug statements!

When I inspect the entity object on any of the available methods for
e.g. org.apache.syncope.core.provisioning.api.pushpull.PushActions it seems
to be of class JPAUser.

Now, what I expect (but maybe I'm completely mistaken) is to be able to
manipulate the JPAUser object as it flows into the target resource. For
example, I expect some getters and setters on (internal) attributes so
that I can inspect values, conditionally alter or add them and update the
changes back into the object to be provisioned. I know much of this can be
done using attribute mapping logic in the normal resource configuration,
but what if the logic was a bit more complicated? Are these groovy scripts
meant and able to manipulate attributes as I think they are? I've taken a
look at the JPAUser API documentation[1], and although the class is quite
rich and supports e.g. add(UPlainAttr attr) I don't see ways to get, set or
update available attributes on the object?

[1]
http://syncope.apache.org/apidocs/2.0/org/apache/syncope/core/persistence/jpa/entity/user/JPAUser.html

Best regards.
Martin

On Mon, May 10, 2021 at 2:19 PM Francesco Chicchiriccò wrote:

> On 10/05/21 14:05, Martin van Es wrote:
>
>
>
> On Mon, May 10, 2021 at 9:07 AM Francesco Chicchiriccò <
> ilgro...@apache.org> wrote:
>
>> On 07/05/21 19:50, Martin van Es wrote:
>>
>> Another question.
>> How would I print debug (core.log) statements in a Groovy propagation
>> action script?
>>
>> Not very related to the subject, but you can find a relevant example here:
>>
>>
>> https://github.com/apache/syncope/blob/2_1_X/fit/core-reference/src/test/resources/rest/SearchScript.groovy#L104
>>
> Thx for your input!
>
> This is the output when I blindly add log.info() to a test Groovy
> propagation action script:
>
> 11:57:53.811 DEBUG
> org.apache.syncope.core.provisioning.java.ConnectorManager - Connector to
> be registered:
> ConnectorFacadeProxy{connector=org.identityconnectors.framework.impl.api.local.LocalConnectorFacadeImpl@63b8d810
> capabitilies=[UPDATE, DELETE, CREATE, SEARCH, AUTHENTICATE]}
> 11:57:53.811 DEBUG
> org.apache.syncope.core.provisioning.java.ConnectorManager - Successfully
> registered bean
> connInstance-Master-3229BE00-2A72-4A78-A9BE-002A729A784D-service-cloud
> 11:57:53.813 DEBUG
> org.apache.syncope.core.provisioning.api.job.SchedTaskJobDelegate -
> Executing push on JPAExternalResource[service-cloud]
> 11:57:54.063 DEBUG
> org.apache.syncope.core.provisioning.api.pushpull.SyncopeResultHandler -
> Pushing USER with key 89b4b6da-1ef3-4720-b4b6-da1ef3072081 towards
> JPAExternalResource[service-cloud]
> 11:57:56.666 ERROR
> org.apache.syncope.core.provisioning.java.pushpull.OutboundMatcher - While
> building JPAImplementation[My_Groovy_PropagationAction]
> org.codehaus.groovy.control.MultipleCompilationErrorsException: startup
> failed:
> Script_591aa0a4f0c025faabe5fd7f86d74fb0.groovy: 39: [Static type checking]
> - The variable [log] is undeclared.
> @ line 39, column 5.
>   log.info("Entering " + action + " Script");
>   ^
>
> The main problem here probably is that I'm not a hard-core Java developer
> and I'm trying to create a maximum flexibility, zero-compilation identity
> synchronisation setup for the team to work with. Simple syncope-console
> editable Groovy scripts would help tremendously with that goal!
>
> Sorry, I did not read well that you were not interested in Groovy scripts
> for connectors but in Groovy Propagation Actions classes.
>
> You can use Groovy's @Slf4j then:
>
> import groovy.transform.CompileStatic
> import groovy.util.logging.Slf4j
> import org.apache.syncope.core.persistence.api.entity.task.PropagationTask
> import org.apache.syncope.core.provisioning.api.propagation.PropagationActions
> import org.identityconnectors.framework.common.objects.ConnectorObject
>
> @Slf4j
> @CompileStatic
> class MyPropagationActions implements PropagationActions {
>
>   @Override
>   void before(PropagationTask task, ConnectorObject beforeObj) {
>     log.error("About to run {}", task)
>   }
> }
>
> Logging statements will be sent to core.log.
>
> Regards.
>
> --
> Francesco Chicchiriccò
>
> Tirasa - Open Source Excellence
> http://www.tirasa.net/
>
> Member at The Apache Software Foundation
> Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
> http://home.apache.org/~ilgrosso/
>
>

-- 
If 'but' was any useful, it would be a logic operator


Re: Global uniqueness requirement of username

2021-05-10 Thread Francesco Chicchiriccò

On 10/05/21 14:05, Martin van Es wrote:



On Mon, May 10, 2021 at 9:07 AM Francesco Chicchiriccò <ilgro...@apache.org> wrote:

On 07/05/21 19:50, Martin van Es wrote:

Another question.
How would I print debug (core.log) statements in a Groovy propagation 
action script?


Not very related to the subject, but you can find a relevant example here:


https://github.com/apache/syncope/blob/2_1_X/fit/core-reference/src/test/resources/rest/SearchScript.groovy#L104
 


Thx for your input!

This is the output when I blindly add log.info() to a test
Groovy propagation action script:

11:57:53.811 DEBUG org.apache.syncope.core.provisioning.java.ConnectorManager - 
Connector to be registered: 
ConnectorFacadeProxy{connector=org.identityconnectors.framework.impl.api.local.LocalConnectorFacadeImpl@63b8d810
capabitilies=[UPDATE, DELETE, CREATE, SEARCH, AUTHENTICATE]}
11:57:53.811 DEBUG org.apache.syncope.core.provisioning.java.ConnectorManager - 
Successfully registered bean 
connInstance-Master-3229BE00-2A72-4A78-A9BE-002A729A784D-service-cloud
11:57:53.813 DEBUG 
org.apache.syncope.core.provisioning.api.job.SchedTaskJobDelegate - Executing 
push on JPAExternalResource[service-cloud]
11:57:54.063 DEBUG 
org.apache.syncope.core.provisioning.api.pushpull.SyncopeResultHandler - 
Pushing USER with key 89b4b6da-1ef3-4720-b4b6-da1ef3072081 towards 
JPAExternalResource[service-cloud]
11:57:56.666 ERROR 
org.apache.syncope.core.provisioning.java.pushpull.OutboundMatcher - While 
building JPAImplementation[My_Groovy_PropagationAction]
org.codehaus.groovy.control.MultipleCompilationErrorsException: startup failed:
Script_591aa0a4f0c025faabe5fd7f86d74fb0.groovy: 39: [Static type checking] - 
The variable [log] is undeclared.
@ line 39, column 5.
  log.info("Entering " + action + " Script");
  ^

The main problem here probably is that I'm not a hard-core Java developer and 
I'm trying to create a maximum flexibility, zero-compilation identity 
synchronisation setup for the team to work with. Simple syncope-console 
editable Groovy scripts would help tremendously with that goal!


Sorry, I did not read well that you were not interested in Groovy scripts for 
connectors but in Groovy Propagation Actions classes.

You can use Groovy's @Slf4j then:

import groovy.transform.CompileStatic
import groovy.util.logging.Slf4j
import org.apache.syncope.core.persistence.api.entity.task.PropagationTask
import org.apache.syncope.core.provisioning.api.propagation.PropagationActions
import org.identityconnectors.framework.common.objects.ConnectorObject

@Slf4j
@CompileStatic
class MyPropagationActions implements PropagationActions {

  @Override
  void before(PropagationTask task, ConnectorObject beforeObj) {
    log.error("About to run {}", task)
  }
}

Logging statements will be sent to core.log.

Regards.

--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/



Re: Global uniqueness requirement of username

2021-05-10 Thread Martin van Es
On Mon, May 10, 2021 at 9:07 AM Francesco Chicchiriccò wrote:

> On 07/05/21 19:50, Martin van Es wrote:
>
> Another question.
> How would I print debug (core.log) statements in a Groovy propagation
> action script?
>
> Not very related to the subject, but you can find a relevant example here:
>
>
> https://github.com/apache/syncope/blob/2_1_X/fit/core-reference/src/test/resources/rest/SearchScript.groovy#L104
>
> Thx for your input!

This is the output when I blindly add log.info() to a test Groovy
propagation action script:

11:57:53.811 DEBUG
org.apache.syncope.core.provisioning.java.ConnectorManager - Connector to
be registered:
ConnectorFacadeProxy{connector=org.identityconnectors.framework.impl.api.local.LocalConnectorFacadeImpl@63b8d810
capabitilies=[UPDATE, DELETE, CREATE, SEARCH, AUTHENTICATE]}
11:57:53.811 DEBUG
org.apache.syncope.core.provisioning.java.ConnectorManager - Successfully
registered bean
connInstance-Master-3229BE00-2A72-4A78-A9BE-002A729A784D-service-cloud
11:57:53.813 DEBUG
org.apache.syncope.core.provisioning.api.job.SchedTaskJobDelegate -
Executing push on JPAExternalResource[service-cloud]
11:57:54.063 DEBUG
org.apache.syncope.core.provisioning.api.pushpull.SyncopeResultHandler -
Pushing USER with key 89b4b6da-1ef3-4720-b4b6-da1ef3072081 towards
JPAExternalResource[service-cloud]
11:57:56.666 ERROR
org.apache.syncope.core.provisioning.java.pushpull.OutboundMatcher - While
building JPAImplementation[My_Groovy_PropagationAction]
org.codehaus.groovy.control.MultipleCompilationErrorsException: startup
failed:
Script_591aa0a4f0c025faabe5fd7f86d74fb0.groovy: 39: [Static type checking]
- The variable [log] is undeclared.
@ line 39, column 5.
  log.info("Entering " + action + " Script");
  ^

The main problem here probably is that I'm not a hard-core Java developer
and I'm trying to create a maximum flexibility, zero-compilation identity
synchronisation setup for the team to work with. Simple syncope-console
editable Groovy scripts would help tremendously with that goal!

Best regards.
Martin


Re: Global uniqueness requirement of username

2021-05-10 Thread Francesco Chicchiriccò

On 07/05/21 19:50, Martin van Es wrote:

Another question.
How would I print debug (core.log) statements in a Groovy propagation action 
script?


Not very related to the subject, but you can find a relevant example here:

https://github.com/apache/syncope/blob/2_1_X/fit/core-reference/src/test/resources/rest/SearchScript.groovy#L104

Other samples from Groovy files in the same dir and scriptedsql sibling.

Statements will go to core-connid.log

Regards.


On Fri, May 7, 2021 at 1:49 PM Martin van Es <mrva...@gmail.com> wrote:

Hi,

I've been playing around with Syncope again and was trying to sync a src 
LDAP scheme that contains multiple organizations, which contain multiple Groups 
and People branches. All of these branches contain organisation specific users, 
possibly sharing the same uid (login name). You might call this a multi-tenant 
layout.

I was hoping Realms could keep these tenants separated and the usernames 
uniquely scoped to the realm (automatically).

It turns out, that plainly assigning uid to internal attribute username 
won't work, for two reasons:

1. admin isn't allowed (in my docker test deploy) because there's already a 
global user called admin, even if I provision the user in a separate Realm?)
2. I can't reuse uid's assigned to username, even when I use a different 
Realm, so I'd have to assign entryUUID to username and create a separate 
user_id attribute mapped to uid for all users?

Secondly, some of the organisation DN's contain (forward) slashes in the dc 
part of their DN, which makes configuring the resource awkward (I need to 
escape the slash using a backslash in the Base Contexts to Synchronize) but 
worse: it renders membership matching impossible (the entryDN of the user can 
not be found from the member DN in the group although the matching DN string is 
correct as inspected from debug output) so I guess that's a bug to be solved in 
Syncope at some time, because it works as expected for organisations without 
the slashes in the dc part.

Best regards,
Martin
--
If 'but' was any useful, it would be a logic operator



--
If 'but' was any useful, it would be a logic operator



--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/



Re: Global uniqueness requirement of username

2021-05-10 Thread Francesco Chicchiriccò

On 07/05/21 13:49, Martin van Es wrote:

Hi,

I've been playing around with Syncope again and was trying to sync a src LDAP 
scheme that contains multiple organizations, which contain multiple Groups and 
People branches. All of these branches contain organisation specific users, 
possibly sharing the same uid (login name). You might call this a multi-tenant 
layout.

I was hoping Realms could keep these tenants separated and the usernames 
uniquely scoped to the realm (automatically).

It turns out, that plainly assigning uid to internal attribute username won't 
work, for two reasons:

1. admin isn't allowed (in my docker test deploy) because there's already a 
global user called admin, even if I provision the user in a separate Realm?)


There is one pre-defined admin user: you can change such username to something 
different in

core/src/main/resources/admin.properties

via the "adminUser" property.


2. I can't reuse uid's assigned to username, even when I use a different Realm, 
so I'd have to assign entryUUID to username and create a separate user_id 
attribute mapped to uid for all users?


Yes, Syncope's username is defined as unique for the SyncopeUser table.

Currently, there is no predefined way to set the constraint "unique per Realm" 
on anything.


Secondly, some of the organisation DN's contain (forward) slashes in the dc 
part of their DN, which makes configuring the resource awkward (I need to 
escape the slash using a backslash in the Base Contexts to Synchronize) but 
worse: it renders membership matching impossible (the entryDN of the user can 
not be found from the member DN in the group although the matching DN string is 
correct as inspected from debug output) so I guess that's a bug to be solved in 
Syncope at some time, because it works as expected for organisations without 
the slashes in the dc part.


Realm names (as all other Entity keys) are set to match the NAME pattern:

https://github.com/apache/syncope/blob/2_1_X/core/persistence-jpa/src/main/java/org/apache/syncope/core/persistence/jpa/validation/entity/RealmValidator.java#L52

hence forward slashes are not allowed: consider that the rationales behind this 
constraint are that (1) NAME values are normally used in URLs and also that (2) 
forward slash is used internally by Syncope as full path separator.

Regards.

--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/
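
Added example (not part of the original thread and not Syncope code): a pre-sync check over an exported multi-organisation LDAP tree that lists the uids a table-wide unique username would reject, then builds the entryUUID-as-username mapping discussed above. The entry field names, the DN layout uid=<uid>,ou=People,<organisation DN> and the sample entries are assumptions constructed for illustration.

```python
from collections import defaultdict

RESERVED = {"admin"}  # the pre-defined admin username mentioned in the thread

# Constructed sample entries: two organisations, one with a slash in its dc.
ENTRIES = [
    {"dn": "uid=jdoe,ou=People,dc=org-a,dc=example", "uid": "jdoe",
     "entryUUID": "00000000-0000-0000-0000-00000000000a"},
    {"dn": "uid=jdoe,ou=People,dc=dept/b,dc=example", "uid": "jdoe",
     "entryUUID": "00000000-0000-0000-0000-00000000000b"},
    {"dn": "uid=admin,ou=People,dc=org-a,dc=example", "uid": "admin",
     "entryUUID": "00000000-0000-0000-0000-00000000000c"},
    {"dn": "uid=asmith,ou=People,dc=dept/b,dc=example", "uid": "asmith",
     "entryUUID": "00000000-0000-0000-0000-00000000000d"},
]

def split_rdns(dn):
    """Split a DN on commas that are not backslash-escaped."""
    parts, cur, escaped = [], "", False
    for ch in dn:
        if escaped:
            cur, escaped = cur + ch, False
        elif ch == "\\":
            cur, escaped = cur + ch, True
        elif ch == ",":
            parts.append(cur)
            cur = ""
        else:
            cur += ch
    return parts + [cur]

def org_branch(dn):
    """Assumed layout uid=<uid>,ou=People,<organisation DN>: drop the first two RDNs."""
    return ",".join(split_rdns(dn)[2:])

def find_collisions(entries, reserved=RESERVED):
    """uids a table-wide unique username would reject, with the branches involved."""
    seen = defaultdict(set)
    for e in entries:
        seen[e["uid"]].add(org_branch(e["dn"]))
    return {u: sorted(o) for u, o in seen.items() if len(o) > 1 or u in reserved}

def plan_mapping(entries):
    """Workaround from the thread: entryUUID as username, uid kept in user_id."""
    plan = [{"username": e["entryUUID"], "user_id": e["uid"],
             "org": org_branch(e["dn"])} for e in entries]
    if len({p["username"] for p in plan}) != len(plan):
        raise ValueError("entryUUID values are not unique")
    return plan
```

Running find_collisions(ENTRIES) before the first pull shows which accounts would clash on uid alone; plan_mapping(ENTRIES) keeps the login name in a separate user_id attribute so it can repeat across organisations.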