Posted to commits@syncope.apache.org by ma...@apache.org on 2015/12/11 16:35:05 UTC

syncope git commit: provisioning, SYNCOPE-700

Repository: syncope
Updated Branches:
  refs/heads/master 75387d7ac -> 8714fa8b6


provisioning, SYNCOPE-700


Project: http://git-wip-us.apache.org/repos/asf/syncope/repo
Commit: http://git-wip-us.apache.org/repos/asf/syncope/commit/8714fa8b
Tree: http://git-wip-us.apache.org/repos/asf/syncope/tree/8714fa8b
Diff: http://git-wip-us.apache.org/repos/asf/syncope/diff/8714fa8b

Branch: refs/heads/master
Commit: 8714fa8b67ae5f4fa4eab408bcb4ef63fadbd97e
Parents: 75387d7
Author: Massimiliano Perrone <ma...@tirasa.net>
Authored: Fri Dec 11 16:34:42 2015 +0100
Committer: Massimiliano Perrone <ma...@tirasa.net>
Committed: Fri Dec 11 16:34:42 2015 +0100

----------------------------------------------------------------------
 src/main/asciidoc/concepts/concepts.adoc        |  8 +--
 .../concepts/provisioning/connectors.adoc       | 32 ++++++++++++
 .../concepts/provisioning/propagation.adoc      | 34 +++++++++++++
 .../concepts/provisioning/provisioning.adoc     | 37 ++++++++++++++
 .../asciidoc/concepts/provisioning/push.adoc    | 51 +++++++++++++++++++
 .../concepts/provisioning/resources.adoc        | 51 +++++++++++++++++++
 .../asciidoc/concepts/provisioning/sync.adoc    | 52 ++++++++++++++++++++
 7 files changed, 258 insertions(+), 7 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/syncope/blob/8714fa8b/src/main/asciidoc/concepts/concepts.adoc
----------------------------------------------------------------------
diff --git a/src/main/asciidoc/concepts/concepts.adoc b/src/main/asciidoc/concepts/concepts.adoc
index 2798816..c781e50 100644
--- a/src/main/asciidoc/concepts/concepts.adoc
+++ b/src/main/asciidoc/concepts/concepts.adoc
@@ -32,13 +32,7 @@
 
 === Tasks
 
-=== Provisioning
-
-==== Connectors
-
-==== Resources
-
-==== Propagation, Push & Synchronization
+include::provisioning/provisioning.adoc[]
 
 === Policies
 
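Review bot: the replacement `include::provisioning/provisioning.adoc[]` resolves relative to concepts.adoc's own directory, which matches the new `src/main/asciidoc/concepts/provisioning/` tree added in this commit, and provisioning.adoc supplies its own `=== Provisioning` heading at the same level as the removed one, so the section structure is preserved. What is lost is the explicit "Propagation, Push & Synchronization" grouping: the three topics now appear as separate `====` siblings, so a reader looking for the old heading text will not find it; a one-line intro in provisioning.adoc naming the three mechanisms together would keep that orientation.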

http://git-wip-us.apache.org/repos/asf/syncope/blob/8714fa8b/src/main/asciidoc/concepts/provisioning/connectors.adoc
----------------------------------------------------------------------
diff --git a/src/main/asciidoc/concepts/provisioning/connectors.adoc b/src/main/asciidoc/concepts/provisioning/connectors.adoc
new file mode 100644
index 0000000..835d95a
--- /dev/null
+++ b/src/main/asciidoc/concepts/provisioning/connectors.adoc
@@ -0,0 +1,32 @@
+//
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+//
+==== Connectors
+Syncope uses entities like connectors bundles, connector instances and external resources to synchronize user accounts 
+with and propagate to external systems. This paragraph clarifies what the responsibility and scope of each of these entities are.
+
+===== Connector bundle
+Connector bundles are the components that are able to connect to classes of systems when configured correctly and 
+told to do so. They are not bound to Syncope specifically, as they are part of the separate framework 
+http://connid.tirasa.net/[ConnId], but  they can be plugged into a deployed Syncope system.
+
+===== Connector instance
+Connectors instances are instance of connector bundles, obtained by assigning values to configuration properties
+defined in bundles.
+For instance, there is only a single "DatabaseTable connector" (the bundle) that can be instantiated many times, for 
+example if there is need to connect to two different databases.
\ No newline at end of file
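Review bot: the intro sentence (`+Syncope uses entities like connectors bundles, connector instances and external resources to synchronize user accounts`) promises to clarify "the responsibility and scope of each of these entities", but the file only covers connector bundles and connector instances; external resources are described in resources.adoc, so either point there explicitly or drop "external resources" from this sentence. Grammar in the same hunk: "connectors bundles" should be "connector bundles", "Connectors instances are instance of connector bundles" should be "Connector instances are instances of connector bundles", and "but  they can be plugged" has a double space. Several lines also carry trailing whitespace, and the file lacks a terminating newline (as do all the new files in this commit).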

http://git-wip-us.apache.org/repos/asf/syncope/blob/8714fa8b/src/main/asciidoc/concepts/provisioning/propagation.adoc
----------------------------------------------------------------------
diff --git a/src/main/asciidoc/concepts/provisioning/propagation.adoc b/src/main/asciidoc/concepts/provisioning/propagation.adoc
new file mode 100644
index 0000000..d58ba53
--- /dev/null
+++ b/src/main/asciidoc/concepts/provisioning/propagation.adoc
@@ -0,0 +1,34 @@
+//
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+//
+==== Propagation
+The propagation is the mechanism to extend provisioning operations on external resources.
+The propagation layer implements remote creation, maintenance, activation and deactivation of user and role objects 
+and their attributes.
+A propagation towards a specific external resource occurs if and only if the external resource's connector 
+instance capabilities permit.
+Propagation will be tried on an external resource for each provisioning operation involving users or roles assigned 
+to that resource.
+
+===== Configuration
+Connectors::
+Connector instances can be configured to create, update and delete operations.
+Propagation tasks::
+When propagation tasks are created, their propagation mode will be set according to the mode of the external resource.
+Operation::
+When tasks are executed, the execution status will be set to SUCCESS or FAILURE, based on the actual propagation result.
\ No newline at end of file
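Review bot: the Configuration entry `+Connector instances can be configured to create, update and delete operations.` is missing a verb and should read "configured to enable or disable create, update and delete operations". This is also the place to connect the list back to the earlier statement that propagation "occurs if and only if the external resource's connector instance capabilities permit": those capabilities are the switch that decides whether a change ever leaves Syncope, so saying that disabling a capability suppresses the corresponding propagation (and that tasks are still recorded with SUCCESS/FAILURE only for operations actually attempted) would make the entry actionable. Terminology: this file says "user and role objects" while push.adoc and sync.adoc in the same commit say "user/group"; pick one across the provisioning chapter.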

http://git-wip-us.apache.org/repos/asf/syncope/blob/8714fa8b/src/main/asciidoc/concepts/provisioning/provisioning.adoc
----------------------------------------------------------------------
diff --git a/src/main/asciidoc/concepts/provisioning/provisioning.adoc b/src/main/asciidoc/concepts/provisioning/provisioning.adoc
new file mode 100644
index 0000000..35f5987
--- /dev/null
+++ b/src/main/asciidoc/concepts/provisioning/provisioning.adoc
@@ -0,0 +1,37 @@
+//
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+//
+=== Provisioning
+The main purpose of identity management systems is to manage user and role provisioning.
+User and role provisioning refers to the creation, maintenance, activation and deactivation of user and role objects 
+and their attributes. Provisioning operations can act on Apache Syncope only or be propagated towards external 
+resources as well.
+The provisioning operation can be initiated by an authorized user (for instance, working on Apache Syncope 
+administration console) or by an internal task like a synchronization task.
+A synchronization task can be used to perform a bulk provisioning operation involving either Syncope and one 
+or more external resources.
+
+include::connectors.adoc[]
+
+include::resources.adoc[]
+
+include::propagation.adoc[]
+
+include::push.adoc[]
+
+include::sync.adoc[]
\ No newline at end of file
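Review bot: "involving either Syncope and one or more external resources" in `+A synchronization task can be used to perform a bulk provisioning operation involving either Syncope and one` should be "involving both Syncope and one or more external resources", and "working on Apache Syncope administration console" needs "the". The sentence distinguishing operations initiated by an authorized user from those initiated by an internal task is useful; it would be worth adding that a task-initiated operation is still bound by the same resource and connector capability settings described in the included files, so readers do not assume internal tasks bypass them.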

http://git-wip-us.apache.org/repos/asf/syncope/blob/8714fa8b/src/main/asciidoc/concepts/provisioning/push.adoc
----------------------------------------------------------------------
diff --git a/src/main/asciidoc/concepts/provisioning/push.adoc b/src/main/asciidoc/concepts/provisioning/push.adoc
new file mode 100644
index 0000000..06ea053
--- /dev/null
+++ b/src/main/asciidoc/concepts/provisioning/push.adoc
@@ -0,0 +1,51 @@
+//
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+//
+==== Push
+Basically, the push is a sort of synchronization mechanism used by Apache Syncope to propagate a filtered set of 
+user/role/membership data to external resources.
+Push can be "full" only: all the data matching the configured filter (potentially the same set of data) will be sent 
+to the external resource at each push task execution.
+
+===== From Syncope to an external resource
+All the entity (user/group) data involved by a push are retrieved locally and compared with remote ones before sending out.
+An entity to be sent out can be:
+
+. a matching entity, if a corresponding remote entity has been found;
+. or an unmatching entity, otherwise.
+
+By default, Syncope will propagate all the unmatching entities for provisioning (without linking entities and resources) 
+and will update all the matching ones.
+By the way, a different behaviour can be configured working with matching/unmatching rules.
+
+===== Matching and Unmatching rules
+Unmatching (corresponding user not found on external resource):
+
+* IGNORE (do not perform any action);
+* UNLINK (just unlink resource without performing any (de-)provisioning operation - of course, if any link is found);
+* ASSIGN (provision entity linking the resource);
+* PROVISION (provision entity without linking the resource).
+
+Matching (corresponding users found on external resource):
+
+* IGNORE (do not perform any action);
+* UPDATE (update matching entity);
+* DEPROVISION (delete resource entity);
+* UNASSIGN (unlink resource and delete resource entity) ;
+* UNLINK (just unlink resource without performing any (de-)provisioning operation);
+* LINK (just link resource without performing any (de-)provisioning operation).
\ No newline at end of file
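Review bot: the "full only" statement (`+Push can be "full" only: all the data matching the configured filter (potentially the same set of data) will be sent`) is the key operational fact of this section and the parenthesis undersells it: since there is no incremental mode, the same entities are re-sent at every execution, and the configured filter is the only thing scoping what leaves Syncope. Combined with the default stated below (provision every unmatching entity, update every matching one), that deserves a sentence telling operators to validate the filter before scheduling the task. Terminology within the file: "user/role/membership data" on one line and "entity (user/group) data" five lines later. Style: "Basically," and "By the way," are filler; "can be configured working with matching/unmatching rules" reads better as "by configuring matching/unmatching rules"; the rule headings say "corresponding user not found" and "corresponding users found" (singular vs plural); and `+* UNASSIGN (unlink resource and delete resource entity) ;` has a stray space before the semicolon.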

http://git-wip-us.apache.org/repos/asf/syncope/blob/8714fa8b/src/main/asciidoc/concepts/provisioning/resources.adoc
----------------------------------------------------------------------
diff --git a/src/main/asciidoc/concepts/provisioning/resources.adoc b/src/main/asciidoc/concepts/provisioning/resources.adoc
new file mode 100644
index 0000000..b9b7070
--- /dev/null
+++ b/src/main/asciidoc/concepts/provisioning/resources.adoc
@@ -0,0 +1,51 @@
+//
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+//
+==== Resources
+The propagation implements the provisioning on external resources. It depends on the assignment, directly or indirectly
+ (via memberships), of users/roles to external resources.
+Users and roles can be assigned or linked to an external resource in three different ways: with a soft link, 
+with a hard link, without any link (see below for more details).
+Each provisioning operation involving a certain user/role will be propagated (if permitted by resource connector 
+instance capabilities) towards each resource linked by the user/role object itself.
+In general, the provisioning won't occur on a certain external resource if any direct/indirect link exists with 
+that resource.
+
+===== Manage external resource provisioning directly
+Provisioning will occur on a certain external resource every time the operation involves users or roles assigned 
+to that resource.
+Users and roles can be assigned to an external resource by defining a direct or indirect link between objects.
+By the way, Apache Syncope empowers the possibility to control the existence of users/roles on external resources 
+giving the possibility to manage remote provisioning directly.
+In fact, an authorized user (or an internal task - a sync task, for instance) can ask for 
+
+* *link / unlink* users/roles to/from specific resources (soft link), 
+* *assign / unassign* users/roles to/from specific resources (hard link),
+* *provision / de-provision* users/roles on/from specific resources (maybe, without any link).
+
+link/unlink::
+Apache Syncope gives the possibility to create and remove a sort of soft linking between users/roles and resources.
+This kind of link doesn't imply any propagation at link creation/deletion time.
+Provision/De-Provision::
+Apache Syncope gives the possibility to directly provision and de-provision users/roles on/from resources, without any 
+link in place. This provisioning feature (disjoint from the resource link mechanisms) is often very useful in case 
+of reclaims.
+Assign/Unassign::
+Apache Syncope gives the possibility to create and remove a sort of hard linking between users/roles and resources.
+This kind of link implies propagation at link creation/deletion time: it is the composition between link/unlink and 
+provision/de-provision operations.
\ No newline at end of file
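Review bot: the line `+In general, the provisioning won't occur on a certain external resource if any direct/indirect link exists with` contradicts both the preceding sentence (operations "will be propagated ... towards each resource linked by the user/role") and the next section ("Provisioning will occur on a certain external resource every time the operation involves users or roles assigned to that resource"); it should read "if no direct/indirect link exists", with the direct provision/de-provision operations described below named as the exception. Ordering: the section is titled Resources but opens with "The propagation implements the provisioning on external resources" before propagation has been introduced (provisioning.adoc includes resources.adoc ahead of propagation.adoc), so either reorder the includes or open with what an external resource is. Style: "empowers the possibility to control" should be "allows controlling"; "in case of reclaims" is unclear and needs a concrete phrasing; the definition-list labels are inconsistently capitalized ("link/unlink::" vs "Provision/De-Provision::" vs "Assign/Unassign::"); and the continuation line ` (via memberships), of users/roles` starts with a stray space.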

http://git-wip-us.apache.org/repos/asf/syncope/blob/8714fa8b/src/main/asciidoc/concepts/provisioning/sync.adoc
----------------------------------------------------------------------
diff --git a/src/main/asciidoc/concepts/provisioning/sync.adoc b/src/main/asciidoc/concepts/provisioning/sync.adoc
new file mode 100644
index 0000000..7bc130f
--- /dev/null
+++ b/src/main/asciidoc/concepts/provisioning/sync.adoc
@@ -0,0 +1,52 @@
+//
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+//
+==== Synchronization
+Basically, the synchronization is the mechanism used by Apache Syncope to acquire user/group data from external resources.
+Synchronization can be "full" (full reconciliation) or "incremental".
+In the former case, each sync task execution will take over just of changes from the previous execution 
+(if exists and connector permits incremental sync).
+In the latter case, each sync task execution will take over of the entire set of data managed by the external resource.
+
+===== From an external resource to Syncope
+All the entity (user/group) data involved by a synchronization are retrieved from an external resource and processed 
+internally by Syncope itself.
+A retrieved entity can be:
+
+. a matching entity, if a corresponding local/internal entity has been found;
+. or an unmatching entity, otherwise.
+
+By default, Syncope will create locally all the unmatching entities (without linking entities and resources) and will 
+update all the matching ones.
+By the way, a different behaviour can be configured working with matching/unmatching rules.
+
+===== Matching and Unmatching rules
+Unmatching (corresponding user not found on Syncope):
+
+* IGNORE / UNLINK (do not perform any action);
+* ASSIGN (create entity linking the resource);
+* PROVISION (create entity without linking the resource).
+
+Matching (corresponding users found on Syncope):
+
+* IGNORE (do not perform any action);
+* UPDATE (update matching entity);
+* DEPROVISION (delete resource entity);
+* UNASSIGN (unlink resource and delete resource entity) ;
+* UNLINK (just unlink resource without performing any (de-)provisioning operation);
+* LINK (just link resource without performing any (de-)provisioning operation).
\ No newline at end of file
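Review bot: "former" and "latter" are swapped in `+In the former case, each sync task execution will take over just of changes from the previous execution` and `+In the latter case, each sync task execution will take over of the entire set of data managed by the external resource.`: full reconciliation processes the entire set of data, incremental picks up only the changes since the previous execution. While fixing that, "take over just of changes" should be "take into account only the changes", and "(if exists and connector permits incremental sync)" should be "(if a previous execution exists and the connector supports incremental synchronization)". The unmatching list folds UNLINK into IGNORE (`+* IGNORE / UNLINK (do not perform any action);`) whereas push.adoc lists UNLINK separately; a short sentence explaining that UNLINK is a no-op here because there is no local entity to unlink would avoid confusion. Finally, the stated default (create locally every unmatching entity, update every matching one) means every account returned by the connector becomes a local identity unless the unmatching rule is changed to IGNORE; worth saying so explicitly, since a resource holding stale or unexpected accounts will import them under the defaults.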