Posted to commits@syncope.apache.org by "Francesco Chicchiriccò (Confluence)" <no...@apache.org> on 2019/04/05 11:10:00 UTC
[CONF] Apache Syncope > [DISCUSS] Syncope 3.0
...
1. introduce a new, flexible UI for web access (**Weblogin** in the picture, renamed to **WA**), which will replace the existing login forms for Admin Console and Enduser UI
2. introduce a new component (**APIGW** in the picture, renamed to **SRA**), which will provide API gateway features
3. introduce a new component (**Keymaster**) with the purpose of coordinating all the other components and centralizing the common configuration required by all domains; this will allow going beyond [the current multi-tenancy approach](https://ci.apache.org/projects/syncope/2_1_X/reference-guide.html#domains), which requires a pre-existing Master domain and handling each domain's configuration off-line
4. split the existing feature set into three subsets, so that any given deployment picks only what it requires:
   1. **idrepo** - everything needed to manage identities as a repository: mainly, CRUD operations on Users, Groups and Any Objects
   2. **idm** - the provisioning features required to propagate, push and pull identities back and forth to External Resources
   3. **am** - the [authentication and authorization features](/confluence/pages/viewpage.action?pageId=91554092) - mostly to build on top of existing libraries
(Diagram: Apache Syncope 3.0 Architecture)
## New components
...
### WA (Web Access)
Flexible UI for web access:
1. dynamically adapting to the configured authentication features (modules, chains, levels, ...)
2. highly customizable, both graphically and in its processing
...
### SRA (Secure Remote Access)
At a high level, this [API gateway](https://microservices.io/patterns/apigateway.html) is an HTTP reverse proxy exposing a _set of public APIs_, where the response to the invocation of a public API is the result of a configurable process which involves the invocation of one or more _internal APIs_.
...
A good candidate to build upon appears to be [Spring Cloud Gateway](https://spring.io/projects/spring-cloud-gateway).
### Keymaster
Shall be based on existing Open Source products. This component serves two purposes:
1. allow for [Service Discovery](https://dzone.com/articles/service-discovery-in-a-microservices-architecture) (Core needs to call SRA, Console needs to call Core and SRA, SRA needs to call Core, and so on)
2. act as a shared repository for [Configuration Parameters](http://syncope.apache.org/docs/reference-guide.html#configuration-parameters)
Two distinct implementations of Keymaster are needed:
* one backed by an existing Open Source product such as [Apache ZooKeeper](https://zookeeper.apache.org/) or [Consul](https://www.consul.io/), to cover microservice deployment scenarios
* one "embedded", to keep covering ordinary, non-microservice deployment scenarios
## Discussion items
1. [CLI](https://ci.apache.org/projects/syncope/2_1_X/reference-guide.html#cli-component) was deliberately not included in the diagram above: since its introduction in 2.0, no usage at all has been reported, so the maintenance cost does not appear worthwhile
2. It is hard to imagine how the [GUI installer](https://syncope.apache.org/docs/getting-started.html#gui-installer) could cope with such complexity; the proposal is to remove it as well
3. The Eclipse plugin also seems to have no users; the proposal is to remove it as well
4. [Enduser UI](https://ci.apache.org/projects/syncope/2_1_X/reference-guide.html#enduser-component) is currently implemented as an AngularJS + Wicket application, but the AngularJS code appears somewhat "disconnected" from the rest and has always been quite troublesome to troubleshoot; the proposal is to rebuild it as a pure Wicket application, maximizing re-use of components already working in the Admin Console
5. whilst in 2.1 all applications are built as Java EE, it may be worth switching to a more microservice-friendly approach: if so, shall we base on
   1. [Spring Boot](https://spring.io/projects/spring-boot)
      1. PRO
         1. easy to migrate (the current code is already Spring-based)
         2. widely adopted (status quo)
         3. can be easily converted to a WAR, allowing traditional deployment in existing environments
      2. CONS
         1. not a real microservice framework, mostly an embedded Tomcat
   2. [Eclipse Microprofile](https://microprofile.io/)
      1. PRO
         1. promising approach, with a lot of buzz around it
         2. microservice native
      2. CONS
         1. major rewrite needed in case Spring and / or CXF cannot be re-used
         2. different [implementations](https://wiki.eclipse.org/MicroProfile/Implementation) available, not as stable and widespread as their Java EE counterparts
6. In previous Syncope versions, an admin can specify an account lockout policy that locks a user out after a number of bad login attempts. The problem is that a malicious user who knows other accounts' usernames could deliberately lock those users out. We should look into adding an account policy option that instead displays a captcha after a number of bad login attempts.
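As an added illustration of the point above (not Syncope code: the policy class, its names and the simulated attempt sequence are constructed here), the following sketch contrasts the two behaviours. With a lockout threshold, bad attempts made by someone else against a username lock the legitimate user out; with a captcha step-up, the legitimate user still gets in once the challenge is solved, and the failure counter expires after a window so stale bursts do not linger.

```python
from collections import defaultdict
from dataclasses import dataclass, field
import time


@dataclass
class LoginPolicy:
    """Constructed sketch of an account policy: after `max_failures` recent bad
    attempts on a username, either LOCK the account or require a CAPTCHA."""
    max_failures: int = 3
    window_seconds: float = 900.0
    on_threshold: str = "CAPTCHA"  # "LOCK" reproduces the legacy lockout behaviour
    failures: dict = field(default_factory=lambda: defaultdict(list))

    def _recent_failures(self, username, now):
        # Forget failures older than the window so an old burst does not haunt the user
        recent = [t for t in self.failures[username] if now - t <= self.window_seconds]
        self.failures[username] = recent
        return len(recent)

    def required_action(self, username, now=None):
        now = time.time() if now is None else now
        if self._recent_failures(username, now) < self.max_failures:
            return "ALLOW"
        return self.on_threshold

    def attempt(self, username, password_ok, captcha_ok=False, now=None):
        now = time.time() if now is None else now
        action = self.required_action(username, now)
        if action == "LOCK":
            return "LOCKED"  # nobody gets in, including the real account owner
        if action == "CAPTCHA" and not captcha_ok:
            return "CAPTCHA_REQUIRED"  # step-up challenge instead of a denial of service
        if password_ok:
            self.failures[username].clear()
            return "OK"
        self.failures[username].append(now)
        return "BAD_CREDENTIALS"


def simulate(on_threshold, owner_solves_captcha=True):
    """Three bad guesses against 'alice' by a third party, then alice's own login."""
    policy = LoginPolicy(max_failures=3, on_threshold=on_threshold)
    for i in range(3):
        policy.attempt("alice", password_ok=False, now=100.0 + i)
    return policy.attempt("alice", password_ok=True,
                          captcha_ok=owner_solves_captcha, now=110.0)
```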