
Synchronization based on userExtSource attributes

Open metodej opened this issue 5 years ago • 3 comments

  • added logic that tries to find the corresponding group member of a candidate based on ues attribute values, not just extLogins
  • ues attributes are also updated (or created) during sync for every candidate's ues for future synchronizations
  • also added tests

metodej avatar Nov 17 '20 17:11 metodej

Thank you for the reviews, I've fixed the names of variables/methods as suggested. The synchronization should now search the whole vo (not just group) to link candidate to member (in lightweight sync). Also the update of ues attributes was fixed to create a new attribute (if it's not in Perun) and also deal with attributes which had a different value in Perun.

metodej avatar Nov 24 '20 17:11 metodej

I've got a few comments:

* It is not possible to find members according to attributes from primary userExtSource. I am afraid it may be a problem.

I don't think this is really a problem, but we should discuss this personally. It is complicated.

* As @stavamichal mentioned, the new implementation may be slow.

* I am wondering if it will be a problem when we use different loginSource and memberSource during the synchronization. Meaning when we fetch just logins from one source and the rest of the data from the other. What do you think?

I don't think this will be possible with just attributes. Not without bigger changes in code.

* Regarding the update of user extSource attributes, it seems weird that we allow updating lists and throw an error for other attributes. What about using overwriteAttributeList for userExtSource attributes? Or do not update userExtSources at all. Just use them to find users by their attributes. Or just ignore the String attributes when they do not match?

This is the right question, which I already tried to ask myself. You definitely want to save attributes if they are missing. But you probably don't want to change a user's UES attributes if he gets them from IDP, proxy etc. So what we can do is to save them only if they are missing.

However, I will definitely need to read the PR again.

stavamichal avatar Nov 27 '20 08:11 stavamichal

For this PR we need to discuss if changes in it are not slowing existing synchronization and if it is clear how it works.

stavamichal avatar Dec 02 '20 08:12 stavamichal

Closing and putting on the graveyard. We do not plan to finish this shortly.

balcirakpeter avatar Oct 17 '22 07:10 balcirakpeter