4:49 p.m.
Hi,
(Apologies in advance for a long and detailed note. TL;DR I want to make a
breaking change but I think I am directly working with everyone using the
microservice.)
I would like to make a breaking change to the LDAP attribute store
microservice. Specifically I want to change the name and syntax for the
configuration option 'idp_identifier' (but not the functionality).
That configuration option is used to determine what value(s) is used for
the LDAP filter that is constructed to search for user records in LDAP.
Currently a simple configuration would be
idp_identifiers:
- eppn
ldap_identifier_attribute: uid
That configuration would take the value asserted by the IdP for eppn (the
SATOSA internal name for that attribute as it is "seen" by the
microservice) and use it to construct the filter value, eg. '
skoranda at uwm.edu', so that for example the LDAP filter would be
(uid=skoranda at uwm.edu)
More complicated configurations that include the ability to combine values
including NameID values asserted by the IdP are included in the example
configuration.
But there are two problems I have with the current configuration and its
syntax:
1) The value that is used to construct the LDAP filter may not be directly
coming (asserted by) an IdP. It may have been constructed using another
microservice(s) that runs prior to the LDAP attribute store. So I think
instead of
idp_identifier
I want to name the configuration option
ordered_identifier_candidates
2) The syntax as seen in the current example is poor. After a helpful
dialogue with Ivan I prefer this syntax, which I think better illustrates
what is going on (this would be a fairly complicated example):
ordered_identifier_candidates:
- attribute_names: [epuid]
- attribute_names: [eppn, name_id]
name_id_format: urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
- attribute_names: [eppn, edupersontargetedid]
- attribute_names: [eppn]
- attribute_names: [name_id]
name_id_format: urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
add_scope: issuer_entityid
- attribute_names: [edupersontargetedid]
add_scope: issuer_entityid
The simple configuration from above would become
ordered_identifier_candidates:
- attribute_names: [eppn]
An intermediate example configuration would be
ordered_identifier_candidates:
- attribute_names: [eppn]
- attribute_names: [edupersontargetedid]
add_scope: issuer_entityid
Normally I would of course prefer not to make a breaking change, but I
think I am working with everyone using the microservice and can direcftly
help them transition and I think it is early enough in the evolution of the
microservice that some flux is expected/allowed.
Thoughts?
Thanks,
Scott K
12:06 p.m.
On Sun, 2017-09-17 at 11:49 -0500, Scott Koranda wrote:
Normally I would of course prefer not to make a
breaking change, but
I
think I am working with everyone using the microservice and can
direcftly
help them transition and I think it is early enough in the evolution
of the
microservice that some flux is expected/allowed.
Thoughts?
I have nothing against this change as I agree with your thoughts above.
I will make a note about it in the release notes (if anyone actually
reads them :)) when we release it.
Br
--
Johan Lundberg
SUNET
Tulegatan 11
113 53 Stockholm
+46730714375
1:24 p.m.
New subject: breaking change to LDAP attribute store microservice?
Scott Koranda writes:
ordered_identifier_candidates:
- attribute_names: [epuid]
- attribute_names: [eppn, name_id]
name_id_format: urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
- attribute_names: [eppn, edupersontargetedid]
- attribute_names: [eppn]
- attribute_names: [name_id]
name_id_format: urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
add_scope: issuer_entityid
- attribute_names: [edupersontargetedid]
add_scope: issuer_entityid
I think this is great. It's much easier to understand. Also, this style of nested
dictionaries matches how many other projects use YAML (e.g., Ansible, Bukkit, Grav,
SaltStack).
Is it possible to detect in code whether you're dealing with the legacy dictionary
keywords or nested list configuration style and emit a deprecation warning? SATOSA is at
version 3.4.8 right now. Maybe you could phase out the old style configs by 3.5 or 3.6,
or perhaps wait until 4.0 (major version bumps being the canonical "breaking
change" signal). I don't know what makes the most sense to the rest of the
userbase, but it might be nice to have some kind of transitional period.
Best wishes,
Matthew
--
"The lyf so short, the craft so longe to lerne."
1:33 p.m.
Hi,
Is it possible to detect in code whether you're
dealing with the
legacy dictionary keywords or nested list configuration style and emit
a deprecation warning?
Sure, it is technically possible and not particularly hard, just
tedious.
I am trying to balance available resources and time constraints against
the normal best practices and hoping that we are early enough in the
cycle to "get away" with breaking changes.
So you are one of the deployers that I work directly with I can ensure
you transition smoothly. :-)
Thinking longer term, since the new repository for microservices/plugins is
coming online soon, we might want to consider a practice where we mark
microservices/plugins as "experimental" until they are ready for
"production". We could come up with some criteria for what is meant by
experimental and production and one of those could be no breaking
changes in anything other than a major release once the transition to
production is made.
Cheers,
Scott
2434
days inactive
2435
days old
3 comments
3 participants
participants (3)
-
lundberg@sunet.se -
skoranda@gmail.com -
xenophon@irtnog.org