Posted to dev@ofbiz.apache.org by Hans Bakker <ma...@antwebsystems.com> on 2012/05/31 04:13:25 UTC

Proposal: separate loading of security files.

Problem:

Currently security files are loaded as part of seed. Therefore it is 
difficult to allow access to components differently per tenant.

Proposal:
1. Create a new data-reader name 'security'.
2. Be able to load specific security files in a custom component and use 
the component:// notation in ofbiz-component.xml.
3. Now the custom component can define which components should be 
active.

Any opinions or suggestions?

Regards,
Hans



Re: Proposal: separate loading of security files.

Posted by Hans Bakker <ma...@antwebsystems.com>.
Thank you for the replies up to now, let me make it even more simple:

Instead of having all components enabled by default (security loaded), I 
want to enable the component I want to use inside my custom component in 
hot-deploy (only load security files of the components I want to use).

Does this make more sense?

Regards,
Hans


On 05/31/2012 04:16 PM, Hans Bakker wrote:
> Scott,
> You are right, I am re-reading my email and it is too short.
>
> The problem:
> 1. currently security data is part of seed and get always loaded.
> 2. if the security data of a component is not loaded, makes this 
> component invisible.
> 3. In a multi tenant environment I would like to have certain 
> components visible in a certain tenant and not in other tenants.
>
> The proposed solution:
> 1. do not load security with seed data but separate, under its own 
> data reader name as defined in entityengine.xml and in the component 
> related ofbiz-component.xml files.
> 2. In order to easily load security data for a certain tenant, load 
> that data as part of a custom component in hot-deploy via the 
> component:// notation in the ofbiz-component.xml file as seeddata.
>
> hopefully explained a bit better this time.....
>
> Regards,
> Hans
>
>
> On 05/31/2012 03:50 PM, Scott Gray wrote:
>> Hi Hans,
>>
>> I'm sorry but could you go into a little more detail about the 
>> problem and proposal? I'm not sure I understand well enough to even 
>> know what questions to ask.
>>
>> What would it mean to define a new entity resource reader-name?  As 
>> far as I understand they aren't actually defined anywhere, you just 
>> use a certain reader(s) when starting ofbiz and those are the 
>> resources that get loaded based on what's in the entity-resource 
>> elements in the ofbiz-component files.
>>
>> Thanks
>> Scott
>>
>> On 31/05/2012, at 2:13 PM, Hans Bakker wrote:
>>
>>> Problem:
>>>
>>> Currently security files are loaded as part of seed. Therefore it is 
>>> difficult to allow access to components differently per tenant.
>>>
>>> Proposal:
>>> 1. create a new data-reader name 'security'.
>>> 2. Be able to load specific security files in a custom component and 
>>> use in ofbiz-component.xml the component:// notation
>>> 3. now in the custom component can be defined which components 
>>> should be active.
>>>
>>> Any opinions or suggestions?
>>>
>>> Regards,
>>> Hans
>>>
>>>
>


Re: Proposal: separate loading of security files.

Posted by Hans Bakker <ma...@antwebsystems.com>.
Please find my answer in-line...

On 05/31/2012 06:20 PM, Scott Gray wrote:
> Okay thanks for the additional detail, below is my attempt to further understand a bit, please bear with me.
>
> If we take as an example the accounting application, you'd like to be able to make that available to some tenants but not others.  At the moment in order to do that you'd need to manually remove the various ACCOUNTING_* related SecurityGroupPermission records from the tenant database after the db has been loaded with data.
Yes, exactly that....
>
> So if I understand correctly (I don't think I do), your proposal is to have a separate security reader which would run as part of a normal non-tenant installation but wouldn't run as part of a tenant installation? How would that happen? I'm also not sure I understand how the custom hot-deploy component would load data for one tenant but not for another?
Simply not load security files at all and only load the ones I want in 
the hot-deploy component....

> Thanks
> Scott
>
> On 31/05/2012, at 9:16 PM, Hans Bakker wrote:
>
>> Scott,
>> You are right, I am re-reading my email and it is too short.
>>
>> The problem:
>> 1. currently security data is part of seed and get always loaded.
>> 2. if the security data of a component is not loaded, makes this component invisible.
>> 3. In a multi tenant environment I would like to have certain components visible in a certain tenant and not in other tenants.
>>
>> The proposed solution:
>> 1. do not load security with seed data but separate, under its own data reader name as defined in entityengine.xml and in the component related ofbiz-component.xml files.
>> 2. In order to easily load security data for a certain tenant, load that data as part of a custom component in hot-deploy via the component:// notation in the ofbiz-component.xml file as seeddata.
>>
>> hopefully explained a bit better this time.....
>>
>> Regards,
>> Hans
>>
>>
>> On 05/31/2012 03:50 PM, Scott Gray wrote:
>>> Hi Hans,
>>>
>>> I'm sorry but could you go into a little more detail about the problem and proposal? I'm not sure I understand well enough to even know what questions to ask.
>>>
>>> What would it mean to define a new entity resource reader-name?  As far as I understand they aren't actually defined anywhere, you just use a certain reader(s) when starting ofbiz and those are the resources that get loaded based on what's in the entity-resource elements in the ofbiz-component files.
>>>
>>> Thanks
>>> Scott
>>>
>>> On 31/05/2012, at 2:13 PM, Hans Bakker wrote:
>>>
>>>> Problem:
>>>>
>>>> Currently security files are loaded as part of seed. Therefore it is difficult to allow access to components differently per tenant.
>>>>
>>>> Proposal:
>>>> 1. create a new data-reader name 'security'.
>>>> 2. Be able to load specific security files in a custom component and use in ofbiz-component.xml the component:// notation
>>>> 3. now in the custom component can be defined which components should be active.
>>>>
>>>> Any opinions or suggestions?
>>>>
>>>> Regards,
>>>> Hans
>>>>
>>>>


Re: Proposal: separate loading of security files.

Posted by Hans Bakker <ma...@antwebsystems.com>.
We are already much further Adrian...allowing customizations and data 
model differences per tenant...
Regards,
Hans

On 05/31/2012 06:44 PM, Adrian Crum wrote:
> "3. In a multi tenant environment I would like to have certain 
> components visible in a certain tenant and not in other tenants."
>
> I see a fundamental flaw in the concept. Multi-tenancy is supposed to 
> be one instance of OFBiz running multiple instances of data. In other 
> words, the applications are constant, but application data depends on 
> the tenant. What is being proposed is a way to make multi-tenancy 
> behave in a different way - where the applications are not constant 
> but instead depend on the tenant. This seems a bit hackish to me.
>
> -Adrian
>
> On 5/31/2012 12:20 PM, Scott Gray wrote:
>> Okay thanks for the additional detail, below is my attempt to further 
>> understand a bit, please bear with me.
>>
>> If we take as an example the accounting application, you'd like to be 
>> able to make that available to some tenants but not others.  At the 
>> moment in order to do that you'd need to manually remove the various 
>> ACCOUNTING_* related SecurityGroupPermission records from the tenant 
>> database after the db has been loaded with data.
>>
>> So if I understand correctly (I don't think I do), your proposal is 
>> to have a separate security reader which would run as part of a 
>> normal non-tenant installation but wouldn't run as part of a tenant 
>> installation? How would that happen? I'm also not sure I understand 
>> how the custom hot-deploy component would load data for one tenant 
>> but not for another?
>>
>> Thanks
>> Scott
>>
>> On 31/05/2012, at 9:16 PM, Hans Bakker wrote:
>>
>>> Scott,
>>> You are right, I am re-reading my email and it is too short.
>>>
>>> The problem:
>>> 1. currently security data is part of seed and get always loaded.
>>> 2. if the security data of a component is not loaded, makes this 
>>> component invisible.
>>> 3. In a multi tenant environment I would like to have certain 
>>> components visible in a certain tenant and not in other tenants.
>>>
>>> The proposed solution:
>>> 1. do not load security with seed data but separate, under its own 
>>> data reader name as defined in entityengine.xml and in the component 
>>> related ofbiz-component.xml files.
>>> 2. In order to easily load security data for a certain tenant, load 
>>> that data as part of a custom component in hot-deploy via the 
>>> component:// notation in the ofbiz-component.xml file as seeddata.
>>>
>>> hopefully explained a bit better this time.....
>>>
>>> Regards,
>>> Hans
>>>
>>>
>>> On 05/31/2012 03:50 PM, Scott Gray wrote:
>>>> Hi Hans,
>>>>
>>>> I'm sorry but could you go into a little more detail about the 
>>>> problem and proposal? I'm not sure I understand well enough to even 
>>>> know what questions to ask.
>>>>
>>>> What would it mean to define a new entity resource reader-name?  As 
>>>> far as I understand they aren't actually defined anywhere, you just 
>>>> use a certain reader(s) when starting ofbiz and those are the 
>>>> resources that get loaded based on what's in the entity-resource 
>>>> elements in the ofbiz-component files.
>>>>
>>>> Thanks
>>>> Scott
>>>>
>>>> On 31/05/2012, at 2:13 PM, Hans Bakker wrote:
>>>>
>>>>> Problem:
>>>>>
>>>>> Currently security files are loaded as part of seed. Therefore it 
>>>>> is difficult to allow access to components differently per tenant.
>>>>>
>>>>> Proposal:
>>>>> 1. create a new data-reader name 'security'.
>>>>> 2. Be able to load specific security files in a custom component 
>>>>> and use in ofbiz-component.xml the component:// notation
>>>>> 3. now in the custom component can be defined which components 
>>>>> should be active.
>>>>>
>>>>> Any opinions or suggestions?
>>>>>
>>>>> Regards,
>>>>> Hans
>>>>>
>>>>>


Re: Proposal: separate loading of security files.

Posted by Adrian Crum <ad...@sandglass-software.com>.
"3. In a multi tenant environment I would like to have certain 
components visible in a certain tenant and not in other tenants."

I see a fundamental flaw in the concept. Multi-tenancy is supposed to be 
one instance of OFBiz running multiple instances of data. In other 
words, the applications are constant, but application data depends on 
the tenant. What is being proposed is a way to make multi-tenancy behave 
in a different way - where the applications are not constant but instead 
depend on the tenant. This seems a bit hackish to me.

-Adrian

On 5/31/2012 12:20 PM, Scott Gray wrote:
> Okay thanks for the additional detail, below is my attempt to further understand a bit, please bear with me.
>
> If we take as an example the accounting application, you'd like to be able to make that available to some tenants but not others.  At the moment in order to do that you'd need to manually remove the various ACCOUNTING_* related SecurityGroupPermission records from the tenant database after the db has been loaded with data.
>
> So if I understand correctly (I don't think I do), your proposal is to have a separate security reader which would run as part of a normal non-tenant installation but wouldn't run as part of a tenant installation? How would that happen? I'm also not sure I understand how the custom hot-deploy component would load data for one tenant but not for another?
>
> Thanks
> Scott
>
> On 31/05/2012, at 9:16 PM, Hans Bakker wrote:
>
>> Scott,
>> You are right, I am re-reading my email and it is too short.
>>
>> The problem:
>> 1. currently security data is part of seed and get always loaded.
>> 2. if the security data of a component is not loaded, makes this component invisible.
>> 3. In a multi tenant environment I would like to have certain components visible in a certain tenant and not in other tenants.
>>
>> The proposed solution:
>> 1. do not load security with seed data but separate, under its own data reader name as defined in entityengine.xml and in the component related ofbiz-component.xml files.
>> 2. In order to easily load security data for a certain tenant, load that data as part of a custom component in hot-deploy via the component:// notation in the ofbiz-component.xml file as seeddata.
>>
>> hopefully explained a bit better this time.....
>>
>> Regards,
>> Hans
>>
>>
>> On 05/31/2012 03:50 PM, Scott Gray wrote:
>>> Hi Hans,
>>>
>>> I'm sorry but could you go into a little more detail about the problem and proposal? I'm not sure I understand well enough to even know what questions to ask.
>>>
>>> What would it mean to define a new entity resource reader-name?  As far as I understand they aren't actually defined anywhere, you just use a certain reader(s) when starting ofbiz and those are the resources that get loaded based on what's in the entity-resource elements in the ofbiz-component files.
>>>
>>> Thanks
>>> Scott
>>>
>>> On 31/05/2012, at 2:13 PM, Hans Bakker wrote:
>>>
>>>> Problem:
>>>>
>>>> Currently security files are loaded as part of seed. Therefore it is difficult to allow access to components differently per tenant.
>>>>
>>>> Proposal:
>>>> 1. create a new data-reader name 'security'.
>>>> 2. Be able to load specific security files in a custom component and use in ofbiz-component.xml the component:// notation
>>>> 3. now in the custom component can be defined which components should be active.
>>>>
>>>> Any opinions or suggestions?
>>>>
>>>> Regards,
>>>> Hans
>>>>
>>>>

Re: Proposal: separate loading of security files.

Posted by Scott Gray <sc...@hotwaxmedia.com>.
Okay thanks for the additional detail, below is my attempt to further understand a bit, please bear with me.

If we take as an example the accounting application, you'd like to be able to make that available to some tenants but not others.  At the moment in order to do that you'd need to manually remove the various ACCOUNTING_* related SecurityGroupPermission records from the tenant database after the db has been loaded with data.

So if I understand correctly (I don't think I do), your proposal is to have a separate security reader which would run as part of a normal non-tenant installation but wouldn't run as part of a tenant installation? How would that happen? I'm also not sure I understand how the custom hot-deploy component would load data for one tenant but not for another?

Thanks
Scott

On 31/05/2012, at 9:16 PM, Hans Bakker wrote:

> Scott,
> You are right, I am re-reading my email and it is too short.
> 
> The problem:
> 1. currently security data is part of seed and get always loaded.
> 2. if the security data of a component is not loaded, makes this component invisible.
> 3. In a multi tenant environment I would like to have certain components visible in a certain tenant and not in other tenants.
> 
> The proposed solution:
> 1. do not load security with seed data but separate, under its own data reader name as defined in entityengine.xml and in the component related ofbiz-component.xml files.
> 2. In order to easily load security data for a certain tenant, load that data as part of a custom component in hot-deploy via the component:// notation in the ofbiz-component.xml file as seeddata.
> 
> hopefully explained a bit better this time.....
> 
> Regards,
> Hans
> 
> 
> On 05/31/2012 03:50 PM, Scott Gray wrote:
>> Hi Hans,
>> 
>> I'm sorry but could you go into a little more detail about the problem and proposal? I'm not sure I understand well enough to even know what questions to ask.
>> 
>> What would it mean to define a new entity resource reader-name?  As far as I understand they aren't actually defined anywhere, you just use a certain reader(s) when starting ofbiz and those are the resources that get loaded based on what's in the entity-resource elements in the ofbiz-component files.
>> 
>> Thanks
>> Scott
>> 
>> On 31/05/2012, at 2:13 PM, Hans Bakker wrote:
>> 
>>> Problem:
>>> 
>>> Currently security files are loaded as part of seed. Therefore it is difficult to allow access to components differently per tenant.
>>> 
>>> Proposal:
>>> 1. create a new data-reader name 'security'.
>>> 2. Be able to load specific security files in a custom component and use in ofbiz-component.xml the component:// notation
>>> 3. now in the custom component can be defined which components should be active.
>>> 
>>> Any opinions or suggestions?
>>> 
>>> Regards,
>>> Hans
>>> 
>>> 
> 
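
Added example, not part of the thread or of OFBiz: a check for the situation Scott describes above, where a tenant database holds SecurityGroupPermission records for an application the tenant should not see. It assumes the tenant's security data is available in entity-engine XML form with groupId and permissionId attributes; the sample records, the ACCOUNTINGX_VIEW permission and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample data (not from the thread): security records for one
# tenant, in the entity-engine XML form assumed by this example.
SAMPLE_EXPORT = """<entity-engine-xml>
  <SecurityGroupPermission groupId="FULLADMIN" permissionId="ACCOUNTING_ADMIN"/>
  <SecurityGroupPermission groupId="FULLADMIN" permissionId="PARTYMGR_ADMIN"/>
  <SecurityGroupPermission groupId="VIEWADMIN" permissionId="ACCOUNTING_VIEW"/>
  <SecurityGroupPermission groupId="VIEWADMIN" permissionId="ORDERMGR_VIEW"/>
  <SecurityGroupPermission groupId="FLEXADMIN" permissionId="ACCOUNTINGX_VIEW"/>
</entity-engine-xml>"""


def owning_prefix(permission_id, prefixes):
    """Return the prefix that owns permission_id, or None.

    The match stops at the underscore, so ACCOUNTING does not also
    claim the unrelated (constructed) ACCOUNTINGX_VIEW permission.
    """
    for prefix in sorted(prefixes):
        if permission_id == prefix or permission_id.startswith(prefix + "_"):
            return prefix
    return None


def audit_tenant(xml_text, allowed_prefixes):
    """Split the records into (kept, unexpected) lists of (groupId, permissionId).

    Fails closed: a permission that matches no allowed prefix is reported
    as unexpected instead of being silently accepted.
    """
    kept, unexpected = [], []
    for rec in ET.fromstring(xml_text).iter("SecurityGroupPermission"):
        group_id, permission_id = rec.get("groupId"), rec.get("permissionId")
        if not group_id or not permission_id:
            raise ValueError("SecurityGroupPermission record missing a key field")
        target = kept if owning_prefix(permission_id, allowed_prefixes) else unexpected
        target.append((group_id, permission_id))
    return kept, unexpected


def render_security_data(records):
    """Build an entity-engine XML document holding only the given records."""
    root = ET.Element("entity-engine-xml")
    for group_id, permission_id in records:
        ET.SubElement(root, "SecurityGroupPermission",
                      groupId=group_id, permissionId=permission_id)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    # Hypothetical tenant that should only see party and order management.
    kept, unexpected = audit_tenant(SAMPLE_EXPORT, {"PARTYMGR", "ORDERMGR"})
    for group_id, permission_id in unexpected:
        print(f"unexpected grant: {group_id} -> {permission_id}")
    print(render_security_data(kept))
```
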


Re: Proposal: separate loading of security files.

Posted by Hans Bakker <ma...@antwebsystems.com>.
Proposal below committed in revision 1346255.

Regards,
Hans

On 05/31/2012 04:16 PM, Hans Bakker wrote:
> Scott,
> You are right, I am re-reading my email and it is too short.
>
> The problem:
> 1. currently security data is part of seed and get always loaded.
> 2. if the security data of a component is not loaded, makes this 
> component invisible.
> 3. In a multi tenant environment I would like to have certain 
> components visible in a certain tenant and not in other tenants.
>
> The proposed solution:
> 1. do not load security with seed data but separate, under its own 
> data reader name as defined in entityengine.xml and in the component 
> related ofbiz-component.xml files.
> 2. In order to easily load security data for a certain tenant, load 
> that data as part of a custom component in hot-deploy via the 
> component:// notation in the ofbiz-component.xml file as seeddata.
>
> hopefully explained a bit better this time.....
>
> Regards,
> Hans
>
>
> On 05/31/2012 03:50 PM, Scott Gray wrote:
>> Hi Hans,
>>
>> I'm sorry but could you go into a little more detail about the 
>> problem and proposal? I'm not sure I understand well enough to even 
>> know what questions to ask.
>>
>> What would it mean to define a new entity resource reader-name?  As 
>> far as I understand they aren't actually defined anywhere, you just 
>> use a certain reader(s) when starting ofbiz and those are the 
>> resources that get loaded based on what's in the entity-resource 
>> elements in the ofbiz-component files.
>>
>> Thanks
>> Scott
>>
>> On 31/05/2012, at 2:13 PM, Hans Bakker wrote:
>>
>>> Problem:
>>>
>>> Currently security files are loaded as part of seed. Therefore it is 
>>> difficult to allow access to components differently per tenant.
>>>
>>> Proposal:
>>> 1. create a new data-reader name 'security'.
>>> 2. Be able to load specific security files in a custom component and 
>>> use in ofbiz-component.xml the component:// notation
>>> 3. now in the custom component can be defined which components 
>>> should be active.
>>>
>>> Any opinions or suggestions?
>>>
>>> Regards,
>>> Hans
>>>
>>>
>


Re: Proposal: separate loading of security files.

Posted by Hans Bakker <ma...@antwebsystems.com>.
Scott,
You are right, I am re-reading my email and it is too short.

The problem:
1. Currently security data is part of seed and always gets loaded.
2. If the security data of a component is not loaded, this makes the 
component invisible.
3. In a multi tenant environment I would like to have certain components 
visible in a certain tenant and not in other tenants.

The proposed solution:
1. Do not load security with seed data but separately, under its own data 
reader name as defined in entityengine.xml and in the component related 
ofbiz-component.xml files.
2. In order to easily load security data for a certain tenant, load that 
data as part of a custom component in hot-deploy via the component:// 
notation in the ofbiz-component.xml file as seeddata.

Hopefully explained a bit better this time.....

Regards,
Hans


On 05/31/2012 03:50 PM, Scott Gray wrote:
> Hi Hans,
>
> I'm sorry but could you go into a little more detail about the problem and proposal? I'm not sure I understand well enough to even know what questions to ask.
>
> What would it mean to define a new entity resource reader-name?  As far as I understand they aren't actually defined anywhere, you just use a certain reader(s) when starting ofbiz and those are the resources that get loaded based on what's in the entity-resource elements in the ofbiz-component files.
>
> Thanks
> Scott
>
> On 31/05/2012, at 2:13 PM, Hans Bakker wrote:
>
>> Problem:
>>
>> Currently security files are loaded as part of seed. Therefore it is difficult to allow access to components differently per tenant.
>>
>> Proposal:
>> 1. create a new data-reader name 'security'.
>> 2. Be able to load specific security files in a custom component and use in ofbiz-component.xml the component:// notation
>> 3. now in the custom component can be defined which components should be active.
>>
>> Any opinions or suggestions?
>>
>> Regards,
>> Hans
>>
>>


Re: Proposal: separate loading of security files.

Posted by Scott Gray <sc...@hotwaxmedia.com>.
Hi Hans,

I'm sorry but could you go into a little more detail about the problem and proposal? I'm not sure I understand well enough to even know what questions to ask.

What would it mean to define a new entity resource reader-name?  As far as I understand they aren't actually defined anywhere, you just use a certain reader(s) when starting ofbiz and those are the resources that get loaded based on what's in the entity-resource elements in the ofbiz-component files.

Thanks
Scott

On 31/05/2012, at 2:13 PM, Hans Bakker wrote:

> Problem:
> 
> Currently security files are loaded as part of seed. Therefore it is difficult to allow access to components differently per tenant.
> 
> Proposal:
> 1. create a new data-reader name 'security'.
> 2. Be able to load specific security files in a custom component and use in ofbiz-component.xml the component:// notation
> 3. now in the custom component can be defined which components should be active.
> 
> Any opinions or suggestions?
> 
> Regards,
> Hans
> 
>