
grouper-users - RE: [grouper-users] Unix-like Group IDs?

Subject: Grouper Users - Open Discussion List

  • From: "Dr. Loris Bennett" <>
  • To: Chris Hyzer <>
  • Cc: Grouper Users Mailing List <>
  • Subject: RE: [grouper-users] Unix-like Group IDs?
  • Date: Tue, 10 Mar 2009 15:52:55 +0000
  • Organization: Freie Universität Berlin

On Tue, 2009-03-10 at 11:05 -0400, Chris Hyzer wrote:
> Did we discuss this earlier when getting your hooks to work? I forget.

I think we did, but I am still stubbornly pursuing Unix-like GIDs ;-)

> IDs which are more friendly than UUIDs are nice to have, but there
> are issues when:
>
> 1. Sequences might get out of sync e.g. due to imports or db
> migrations, and start colliding with existing assignments

This is why I thought a uniqueness constraint on the attribute 'gid' in
the grouper_attributes table would be needed.

> 2. Imports in general, colliding with existing values. Do you change
> the new one? Break existing references?

As far as the general problem of imports goes, only the first customer
will get to reuse existing GIDs - everyone after that will get new GIDs
and have to sort out their own mapping.

> 3. Now you need an env qualifier to know you are referring to the right
> group: prod_123, or test_234

The customer is the only party using the GID and will only ever be
drawing information from the production system, so I wasn't planning on
differentiating here. Am I missing something?

> That is why Grouper would like to avoid that issue by using UUIDs for
> groups. Just curious, why don't the existing UUIDs work for you?

This is basically a legacy issue due to existing systems handling
permissions based on membership of Unix groups. Our initial customer is
a department with around 300 Unix groups, which are maintained using
regular Unix means. This customer wants to be able to relate the groups
that we provision to LDAP to the existing Unix groups which determine
permissions on the target systems. In other cases we assume that
customers will extract the membership information directly from LDAP.

Does this make sense? Or should I be taking a completely different
approach?

Cheers,

Loris

> Thanks,
> Chris
>
> > -----Original Message-----
> > From: Dr. Loris Bennett
> > [mailto:]
> > Sent: Tuesday, March 10, 2009 4:54 AM
> > To: Grouper Users Mailing List
> > Subject: [grouper-users] Unix-like Group IDs?
> >
> > Hi,
> >
> > I am planning to introduce unix-like group IDs for some groups within
> > grouper. Currently I have:
> >
> > - A custom type with a group ID as an attribute
> > - A database sequence for the IDs
> > - A hook which inserts an ID from the sequence when a group is created
> > with the corresponding custom type.
> >
> > What I still need are:
> >
> > - A mechanism to ensure that an ID is not used more than once (e.g.
> > some sort of DB constraint on the attribute value)
> > - A mechanism to prevent the ID being changed (probably just setting
> > the write privilege accordingly)
> > - Perhaps a view of display names and group IDs
> >
> > Since it seems to me that this is a rather general feature that others
> > might require, I was wondering whether:
> >
> > a) anyone has already done this
> > b) whether, should there be interest, such a feature could be packaged
> > as an add-on for grouper
> >
> > Thoughts?
> >
> > Loris
> >
> > --
> > Dr. Loris Bennett (Mr.)
> > Freie Universität Berlin
> > ZEDAT - Zentraleinrichtung für Datenverarbeitung / Computer Center
> > Compute & Media Service
> > Fabeckstr. 32, Room 221
> > D-14195 Berlin
> > Tel ++49 30 838 51024
> > Fax ++49 30 838 56721
> > Email
> >
> > Web www.zedat.fu-berlin.de
>
--
Dr. Loris Bennett (Mr.)
Freie Universität Berlin
ZEDAT - Zentraleinrichtung für Datenverarbeitung / Computer Center
Compute & Media Service
Fabeckstr. 32, Room 221
D-14195 Berlin
Tel ++49 30 838 51024
Fax ++49 30 838 56721
Email

Web www.zedat.fu-berlin.de
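
Added example, not part of the original message and not Grouper code: a sketch of the two guards discussed in the thread, a uniqueness constraint restricted to the 'gid' attribute and a rule that an assigned GID cannot be changed, run against an in-memory SQLite database. The table `demo_attributes` is a constructed stand-in for `grouper_attributes`; its column names, the index and trigger names, and the sample UUIDs and GIDs are all assumptions.

```python
import sqlite3

# Constructed stand-in for an attribute table. Column names are assumptions,
# not Grouper's actual schema.
SCHEMA = """
CREATE TABLE demo_attributes (
    group_uuid TEXT NOT NULL,
    field_name TEXT NOT NULL,
    value      TEXT NOT NULL,
    PRIMARY KEY (group_uuid, field_name)
);
-- Partial unique index: only rows that hold a 'gid' must have distinct values,
-- so other attributes may still repeat the same string.
CREATE UNIQUE INDEX gid_unique
    ON demo_attributes(value) WHERE field_name = 'gid';
-- Reject any later change to an assigned gid.
CREATE TRIGGER gid_immutable BEFORE UPDATE OF value ON demo_attributes
WHEN OLD.field_name = 'gid' AND NEW.value <> OLD.value
BEGIN
    SELECT RAISE(ABORT, 'gid is immutable');
END;
"""

def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def _write(db, sql, params):
    """Run one statement in a transaction; False if the database rejects it."""
    try:
        with db:
            db.execute(sql, params)
        return True
    except sqlite3.DatabaseError:
        return False

def set_attribute(db, group_uuid, field_name, value):
    """Insert an attribute row, e.g. a gid handed out by a sequence or an import."""
    return _write(db, "INSERT INTO demo_attributes VALUES (?, ?, ?)",
                  (group_uuid, field_name, str(value)))

def change_gid(db, group_uuid, gid):
    """Attempt to overwrite an existing gid; the trigger should refuse."""
    return _write(db, "UPDATE demo_attributes SET value = ? "
                      "WHERE group_uuid = ? AND field_name = 'gid'",
                  (str(gid), group_uuid))
```

With this in place, an out-of-sync sequence or an import that hands out an already assigned GID fails at write time instead of silently giving two groups the same GID on the target systems.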



