You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@syncope.apache.org by il...@apache.org on 2018/03/14 09:32:23 UTC
[1/2] syncope git commit: Adding clarification about CREATE / UPDATE
generated as Propagation Tasks
Repository: syncope
Updated Branches:
refs/heads/2_0_X 35ce733d1 -> 78827925a
refs/heads/master eeb544634 -> aee229951
Adding clarification about CREATE / UPDATE generated as Propagation Tasks
Project: http://git-wip-us.apache.org/repos/asf/syncope/repo
Commit: http://git-wip-us.apache.org/repos/asf/syncope/commit/78827925
Tree: http://git-wip-us.apache.org/repos/asf/syncope/tree/78827925
Diff: http://git-wip-us.apache.org/repos/asf/syncope/diff/78827925
Branch: refs/heads/2_0_X
Commit: 78827925a289af2c2831eeb36e41aef818fdbbc6
Parents: 35ce733
Author: Francesco Chicchiriccò <il...@apache.org>
Authored: Wed Mar 14 10:30:21 2018 +0100
Committer: Francesco Chicchiriccò <il...@apache.org>
Committed: Wed Mar 14 10:30:21 2018 +0100
----------------------------------------------------------------------
.../concepts/provisioning/propagation.adoc | 62 ++++++++++++--------
.../workingwithapachesyncope/customization.adoc | 12 ++--
.../restfulservices.adoc | 4 +-
3 files changed, 47 insertions(+), 31 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/syncope/blob/78827925/src/main/asciidoc/reference-guide/concepts/provisioning/propagation.adoc
----------------------------------------------------------------------
diff --git a/src/main/asciidoc/reference-guide/concepts/provisioning/propagation.adoc b/src/main/asciidoc/reference-guide/concepts/provisioning/propagation.adoc
index f69b51d..9a4afff 100644
--- a/src/main/asciidoc/reference-guide/concepts/provisioning/propagation.adoc
+++ b/src/main/asciidoc/reference-guide/concepts/provisioning/propagation.adoc
@@ -24,6 +24,7 @@ Whenever a change is performed via REST on Users, Groups or Any Objects:
. the generated propagation tasks are executed, e.g. the corresponding operations (create, update or delete) are sent
out, via connectors, to the configured Identity Stores; the tasks can be saved for later re-execution.
+[[propagation-resources]]
[TIP]
.Which external resources?
====
@@ -35,6 +36,7 @@ propagation process:
* *Any Object*: the external resources directly assigned plus the ones assigned to Groups configured for the Any Object
====
+[[propagation-capabilities]]
[WARNING]
.Adequate capabilities to Connectors and External Resources
====
@@ -43,6 +45,28 @@ External Resources for the actual operations to perform, otherwise the Propagati
execution status.
====
+[[propagation-password]]
+[TIP]
+.Propagate password values
+====
+Password values are kept in the internal storage according to the `password.cipher.algorithm`
+<<configuration-parameters, configuration parameter>>, whose value is `SHA1` by default.
+`SHA1` is a hash algorithm: this means that, once stored, the cleartext value cannot be reverted any more.
+
+During propagation, Syncope fetches all data of the given User, then prepares the attributes to propagate, according to
+the provided mapping; password has a special treatment:
+
+* if cleartext value is available (this cannot happen during <<provisioning-push>>), it is sent to the External Resource
+* if `password.cipher.algorithm` is `AES` (the only supported reversible algorithm), then the ciphered password value is
+ made cleartext again, and sent to the External Resource
+* if the <<external-resource-details,generate random password flag>> is set, a random password value is generated
+ according to the defined password policies, and sent to the External Resource
+* otherwise, a `null` value is sent to the External Resource
+
+Password values are always sent to External Resources wrapped as ConnId
+http://connid.tirasa.net/apidocs/1.4/org/identityconnectors/common/security/GuardedString.html[GuardedString^] objects.
+====
+
By default, the propagation process is controlled by the
ifeval::["{snapshotOrRelease}" == "release"]
https://github.com/apache/syncope/blob/syncope-{docVersion}/core/provisioning-java/src/main/java/org/apache/syncope/core/provisioning/java/propagation/PriorityPropagationTaskExecutor.java[PriorityPropagationTaskExecutor^],
@@ -61,6 +85,20 @@ external resource was configured with adequate tracing
* minimize the set of operations to be actually performed onto the Identity Store by attempting to read the external
object corresponding to the internal entity and comparing with the modifications provided
+[[propagation-createorupdate]]
+[WARNING]
+.Create or update?
+====
+The minimization performed by `PriorityPropagationTaskExecutor` might lead to behaviors which look at first unexpected,
+but sound perfectly understandable once explained; in particular:
+
+* a `CREATE` propagation task might result in an effective `UPDATE` sent to the Connector +
+ if preliminary read returns an external object matching the same remote key of the object requested to be created
+* an `UPDATE` propagation task might result in an effective `CREATE` sent to the Connector +
+ if preliminary read does not find any external object matching the remote key of the objected requested to be
+updated
+====
+
Different implementations of the
ifeval::["{snapshotOrRelease}" == "release"]
https://github.com/apache/syncope/blob/syncope-{docVersion}/core/provisioning-api/src/main/java/org/apache/syncope/core/provisioning/api/propagation/PropagationTaskExecutor.java[PropagationTaskExecutor^]
@@ -68,29 +106,7 @@ endif::[]
ifeval::["{snapshotOrRelease}" == "snapshot"]
https://github.com/apache/syncope/tree/2_0_X/core/provisioning-api/src/main/java/org/apache/syncope/core/provisioning/api/propagation/PropagationTaskExecutor.java[PropagationTaskExecutor^]
endif::[]
-interface can be provided, in case the required behaviour does not fit into the provided implementation.
-
-[[propagation-password]]
-[TIP]
-.Propagate password values
-====
-Password values are kept in the internal storage according to the `password.cipher.algorithm`
-<<configuration-parameters, configuration parameter>>, whose value is `SHA1` by default.
-`SHA1` is a hash algorithm: this means that, once stored, the cleartext value cannot be reverted any more.
-
-During propagation, Syncope fetches all data of the given User, then prepares the attributes to propagate, according to
-the provided mapping; password has a special treatment:
-
-* if cleartext value is available (this cannot happen during <<provisioning-push>>), it is sent to the External Resource
-* if `password.cipher.algorithm` is `AES` (the only supported reversible algorithm), then the ciphered password value is
- made cleartext again, and sent to the External Resource
-* if the <<external-resource-details,generate random password flag>> is set, a random password value is generated
- according to the defined password policies, and sent to the External Resource
-* otherwise, a `null` value is sent to the External Resource
-
-Password values are always sent to External Resources wrapped as ConnId
-http://connid.tirasa.net/apidocs/1.4/org/identityconnectors/common/security/GuardedString.html[GuardedString^] objects.
-====
+interface can be provided, in case the required behavior does not fit into the provided implementation.
===== PropagationActions
http://git-wip-us.apache.org/repos/asf/syncope/blob/78827925/src/main/asciidoc/reference-guide/workingwithapachesyncope/customization.adoc
----------------------------------------------------------------------
diff --git a/src/main/asciidoc/reference-guide/workingwithapachesyncope/customization.adoc b/src/main/asciidoc/reference-guide/workingwithapachesyncope/customization.adoc
index ccd8e2c..62c4fc2 100644
--- a/src/main/asciidoc/reference-guide/workingwithapachesyncope/customization.adoc
+++ b/src/main/asciidoc/reference-guide/workingwithapachesyncope/customization.adoc
@@ -29,9 +29,9 @@ replaced.
Once the project has been created from the provided Maven archetype, the generated source tree is available for either
adding new features or replacing existing components.
-[[override-behaviour]]
+[[override-behavior]]
[TIP]
-.Override behaviour
+.Override behavior
====
As a rule of thumb, any file of the local project will take precedence over a file with the same name in the same
directory of the standard Apache Syncope release.
@@ -60,7 +60,7 @@ ifeval::["{snapshotOrRelease}" == "snapshot"]
https://github.com/apache/syncope/tree/2_0_X/client/console/src/main/resources/org/apache/syncope/client/console/pages/BasePage.html[BasePage.html^].
endif::[]
-This general behaviour might have exceptions, as highlighted below.
+This general behavior might have exceptions, as highlighted below.
====
In general, the Embedded Mode (see the
@@ -177,7 +177,7 @@ When providing custom Java classes implementing the defined interfaces or extend
implementations, their package *must* be rooted under `org.apache.syncope.core`, otherwise they will not be available
at runtime.
-Besides replacing existing classes as explained <<override-behaviour,above>>, new implementations can be provided under
+Besides replacing existing classes as explained <<override-behavior,above>>, new implementations can be provided under
`core/src/main/java` for the following components:
* <<propagationactions,propagation>>, <<pushactions,push>>, <<pullactions,pull>> and <<logicactions,logic>> actions
@@ -234,7 +234,7 @@ By following such conventions, the new REST endpoint will be automatically picke
[WARNING]
====
-The <<override-behaviour,override behaviour>> might have exceptions; if you need to customize one of the
+The <<override-behavior,override behavior>> might have exceptions; if you need to customize one of the
Spring context definitions. For example, if you want to customize
ifeval::["{snapshotOrRelease}" == "release"]
https://github.com/apache/syncope/blob/syncope-{docVersion}/core/spring/src/main/resources/securityContext.xml[securityContext.xml^]
@@ -498,7 +498,7 @@ Given the nature of the <<enduser-application>>, all the files required by the A
generated under the local project's `enduser/src/main/webapp/app/` directory and are available for full customization.
The files in use by the Apache Wicket-based backend are still subject to the general
-<<override-behaviour,override behaviour>>, instead.
+<<override-behavior,override behavior>>, instead.
[discrete]
===== Enable the <<saml-2-0-service-provider>> extension
http://git-wip-us.apache.org/repos/asf/syncope/blob/78827925/src/main/asciidoc/reference-guide/workingwithapachesyncope/restfulservices.adoc
----------------------------------------------------------------------
diff --git a/src/main/asciidoc/reference-guide/workingwithapachesyncope/restfulservices.adoc b/src/main/asciidoc/reference-guide/workingwithapachesyncope/restfulservices.adoc
index f20b96c..c49f30c 100644
--- a/src/main/asciidoc/reference-guide/workingwithapachesyncope/restfulservices.adoc
+++ b/src/main/asciidoc/reference-guide/workingwithapachesyncope/restfulservices.adoc
@@ -67,7 +67,7 @@ endif::[]
ifeval::["{snapshotOrRelease}" == "snapshot"]
https://github.com/apache/syncope/blob/2_0_X/core/spring/src/main/resources/securityContext.xml[securityContext.xml^];
endif::[]
-while normally not needed, this configuration can be anyway customized via the <<override-behaviour,override behaviour>>.
+while normally not needed, this configuration can be anyway customized via the <<override-behavior,override behavior>>.
https://en.wikipedia.org/wiki/Basic_access_authentication[HTTP Basic Authentication] is set for use by default.
====
@@ -169,7 +169,7 @@ when communicating with <<external-resource-details,External Resources>> with no
Some REST endpoints - typically for creating, updating or deleting Users, Groups or Any Objects - return the
entity in the response payload by default. +
If this is not required, the `Prefer` request header can be set to `return-no-content` (`return-content` will instead
-keep the default behaviour).
+keep the default behavior).
When `Prefer` is specified in the request, the response will feature the `Preference-Applied` header, with value set
to the effective preference applied.
[2/2] syncope git commit: Adding clarification about CREATE / UPDATE
generated as Propagation Tasks
Posted by il...@apache.org.
Adding clarification about CREATE / UPDATE generated as Propagation Tasks
Project: http://git-wip-us.apache.org/repos/asf/syncope/repo
Commit: http://git-wip-us.apache.org/repos/asf/syncope/commit/aee22995
Tree: http://git-wip-us.apache.org/repos/asf/syncope/tree/aee22995
Diff: http://git-wip-us.apache.org/repos/asf/syncope/diff/aee22995
Branch: refs/heads/master
Commit: aee229951d495cd52e60eb27463d58f4ebcf2ac3
Parents: eeb5446
Author: Francesco Chicchiriccò <il...@apache.org>
Authored: Wed Mar 14 10:30:21 2018 +0100
Committer: Francesco Chicchiriccò <il...@apache.org>
Committed: Wed Mar 14 10:32:09 2018 +0100
----------------------------------------------------------------------
.../concepts/provisioning/propagation.adoc | 62 ++++++++++++--------
.../workingwithapachesyncope/customization.adoc | 12 ++--
.../restfulservices.adoc | 4 +-
3 files changed, 47 insertions(+), 31 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/syncope/blob/aee22995/src/main/asciidoc/reference-guide/concepts/provisioning/propagation.adoc
----------------------------------------------------------------------
diff --git a/src/main/asciidoc/reference-guide/concepts/provisioning/propagation.adoc b/src/main/asciidoc/reference-guide/concepts/provisioning/propagation.adoc
index c54c77f..ce781f7 100644
--- a/src/main/asciidoc/reference-guide/concepts/provisioning/propagation.adoc
+++ b/src/main/asciidoc/reference-guide/concepts/provisioning/propagation.adoc
@@ -24,6 +24,7 @@ Whenever a change is performed via REST on Users, Groups or Any Objects:
. the generated propagation tasks are executed, e.g. the corresponding operations (create, update or delete) are sent
out, via connectors, to the configured Identity Stores; the tasks can be saved for later re-execution.
+[[propagation-resources]]
[TIP]
.Which external resources?
====
@@ -35,6 +36,7 @@ propagation process:
* *Any Object*: the external resources directly assigned plus the ones assigned to Groups configured for the Any Object
====
+[[propagation-capabilities]]
[WARNING]
.Adequate capabilities to Connectors and External Resources
====
@@ -43,6 +45,28 @@ External Resources for the actual operations to perform, otherwise the Propagati
execution status.
====
+[[propagation-password]]
+[TIP]
+.Propagate password values
+====
+Password values are kept in the internal storage according to the `password.cipher.algorithm`
+<<configuration-parameters, configuration parameter>>, whose value is `SHA1` by default.
+`SHA1` is a hash algorithm: this means that, once stored, the cleartext value cannot be reverted any more.
+
+During propagation, Syncope fetches all data of the given User, then prepares the attributes to propagate, according to
+the provided mapping; password has a special treatment:
+
+* if cleartext value is available (this cannot happen during <<provisioning-push>>), it is sent to the External Resource
+* if `password.cipher.algorithm` is `AES` (the only supported reversible algorithm), then the ciphered password value is
+ made cleartext again, and sent to the External Resource
+* if the <<external-resource-details,generate random password flag>> is set, a random password value is generated
+ according to the defined password policies, and sent to the External Resource
+* otherwise, a `null` value is sent to the External Resource
+
+Password values are always sent to External Resources wrapped as ConnId
+http://connid.tirasa.net/apidocs/1.4/org/identityconnectors/common/security/GuardedString.html[GuardedString^] objects.
+====
+
By default, the propagation process is controlled by the
ifeval::["{snapshotOrRelease}" == "release"]
https://github.com/apache/syncope/blob/syncope-{docVersion}/core/provisioning-java/src/main/java/org/apache/syncope/core/provisioning/java/propagation/PriorityPropagationTaskExecutor.java[PriorityPropagationTaskExecutor^],
@@ -61,6 +85,20 @@ external resource was configured with adequate tracing
* minimize the set of operations to be actually performed onto the Identity Store by attempting to read the external
object corresponding to the internal entity and comparing with the modifications provided
+[[propagation-createorupdate]]
+[WARNING]
+.Create or update?
+====
+The minimization performed by `PriorityPropagationTaskExecutor` might lead to behaviors which look at first unexpected,
+but sound perfectly understandable once explained; in particular:
+
+* a `CREATE` propagation task might result in an effective `UPDATE` sent to the Connector +
+ if preliminary read returns an external object matching the same remote key of the object requested to be created
+* an `UPDATE` propagation task might result in an effective `CREATE` sent to the Connector +
+ if preliminary read does not find any external object matching the remote key of the objected requested to be
+updated
+====
+
Different implementations of the
ifeval::["{snapshotOrRelease}" == "release"]
https://github.com/apache/syncope/blob/syncope-{docVersion}/core/provisioning-api/src/main/java/org/apache/syncope/core/provisioning/api/propagation/PropagationTaskExecutor.java[PropagationTaskExecutor^]
@@ -68,29 +106,7 @@ endif::[]
ifeval::["{snapshotOrRelease}" == "snapshot"]
https://github.com/apache/syncope/blob/master/core/provisioning-api/src/main/java/org/apache/syncope/core/provisioning/api/propagation/PropagationTaskExecutor.java[PropagationTaskExecutor^]
endif::[]
-interface can be provided, in case the required behaviour does not fit into the provided implementation.
-
-[[propagation-password]]
-[TIP]
-.Propagate password values
-====
-Password values are kept in the internal storage according to the `password.cipher.algorithm`
-<<configuration-parameters, configuration parameter>>, whose value is `SHA1` by default.
-`SHA1` is a hash algorithm: this means that, once stored, the cleartext value cannot be reverted any more.
-
-During propagation, Syncope fetches all data of the given User, then prepares the attributes to propagate, according to
-the provided mapping; password has a special treatment:
-
-* if cleartext value is available (this cannot happen during <<provisioning-push>>), it is sent to the External Resource
-* if `password.cipher.algorithm` is `AES` (the only supported reversible algorithm), then the ciphered password value is
- made cleartext again, and sent to the External Resource
-* if the <<external-resource-details,generate random password flag>> is set, a random password value is generated
- according to the defined password policies, and sent to the External Resource
-* otherwise, a `null` value is sent to the External Resource
-
-Password values are always sent to External Resources wrapped as ConnId
-http://connid.tirasa.net/apidocs/1.4/org/identityconnectors/common/security/GuardedString.html[GuardedString^] objects.
-====
+interface can be provided, in case the required behavior does not fit into the provided implementation.
===== PropagationActions
http://git-wip-us.apache.org/repos/asf/syncope/blob/aee22995/src/main/asciidoc/reference-guide/workingwithapachesyncope/customization.adoc
----------------------------------------------------------------------
diff --git a/src/main/asciidoc/reference-guide/workingwithapachesyncope/customization.adoc b/src/main/asciidoc/reference-guide/workingwithapachesyncope/customization.adoc
index b5b5be2..7557cc9 100644
--- a/src/main/asciidoc/reference-guide/workingwithapachesyncope/customization.adoc
+++ b/src/main/asciidoc/reference-guide/workingwithapachesyncope/customization.adoc
@@ -29,9 +29,9 @@ replaced.
Once the project has been created from the provided Maven archetype, the generated source tree is available for either
adding new features or replacing existing components.
-[[override-behaviour]]
+[[override-behavior]]
[TIP]
-.Override behaviour
+.Override behavior
====
As a rule of thumb, any file of the local project will take precedence over a file with the same name in the same
directory of the standard Apache Syncope release.
@@ -60,7 +60,7 @@ ifeval::["{snapshotOrRelease}" == "snapshot"]
https://github.com/apache/syncope/blob/master/client/console/src/main/resources/org/apache/syncope/client/console/pages/BasePage.html[BasePage.html^].
endif::[]
-This general behaviour might have exceptions, as highlighted below.
+This general behavior might have exceptions, as highlighted below.
====
In general, the Embedded Mode (see the
@@ -176,7 +176,7 @@ When providing custom Java classes implementing the defined interfaces or extend
implementations, their package *must* be rooted under `org.apache.syncope.core`, otherwise they will not be available
at runtime.
-Besides replacing existing classes as explained <<override-behaviour,above>>, new <<implementations,implementations>> can
+Besides replacing existing classes as explained <<override-behavior,above>>, new <<implementations,implementations>> can
be provided - under `core/src/main/java` if Java - for the following components:
* <<propagationactions,propagation>>, <<pushactions,push>>, <<pullactions,pull>> and <<logicactions,logic>> actions
@@ -233,7 +233,7 @@ By following such conventions, the new REST endpoint will be automatically picke
[WARNING]
====
-The <<override-behaviour,override behaviour>> might have exceptions; if you need to customize one of the
+The <<override-behavior,override behavior>> might have exceptions; if you need to customize one of the
Spring context definitions. For example, if you want to customize
ifeval::["{snapshotOrRelease}" == "release"]
https://github.com/apache/syncope/blob/syncope-{docVersion}/core/spring/src/main/resources/securityContext.xml[securityContext.xml^]
@@ -494,7 +494,7 @@ Given the nature of the <<enduser-application>>, all the files required by the A
generated under the local project's `enduser/src/main/webapp/app/` directory and are available for full customization.
The files in use by the Apache Wicket-based backend are still subject to the general
-<<override-behaviour,override behaviour>>, instead.
+<<override-behavior,override behavior>>, instead.
[discrete]
===== Enable the <<saml-2-0-service-provider>> extension
http://git-wip-us.apache.org/repos/asf/syncope/blob/aee22995/src/main/asciidoc/reference-guide/workingwithapachesyncope/restfulservices.adoc
----------------------------------------------------------------------
diff --git a/src/main/asciidoc/reference-guide/workingwithapachesyncope/restfulservices.adoc b/src/main/asciidoc/reference-guide/workingwithapachesyncope/restfulservices.adoc
index c47c57d..426338a 100644
--- a/src/main/asciidoc/reference-guide/workingwithapachesyncope/restfulservices.adoc
+++ b/src/main/asciidoc/reference-guide/workingwithapachesyncope/restfulservices.adoc
@@ -67,7 +67,7 @@ endif::[]
ifeval::["{snapshotOrRelease}" == "snapshot"]
https://github.com/apache/syncope/blob/master/core/spring/src/main/resources/securityContext.xml[securityContext.xml^];
endif::[]
-while normally not needed, this configuration can be anyway customized via the <<override-behaviour,override behaviour>>.
+while normally not needed, this configuration can be anyway customized via the <<override-behavior,override behavior>>.
https://en.wikipedia.org/wiki/Basic_access_authentication[HTTP Basic Authentication] is set for use by default.
====
@@ -169,7 +169,7 @@ when communicating with <<external-resource-details,External Resources>> with no
Some REST endpoints - typically for creating, updating or deleting Users, Groups or Any Objects - return the
entity in the response payload by default. +
If this is not required, the `Prefer` request header can be set to `return-no-content` (`return-content` will instead
-keep the default behaviour).
+keep the default behavior).
When `Prefer` is specified in the request, the response will feature the `Preference-Applied` header, with value set
to the effective preference applied.