Re: svn commit: r770084 - in /ofbiz/trunk/framework/example
Locked
123456
... 8
123456
... 8
Re: Authz API Discussion (was re: svn commit: r770084)
 
Administrator
|
Re: Authz API Discussion (was re: svn commit: r770084)
|
In reply to this post by Adrian Crum-2
Inline
On 2/05/2009, at 10:45 AM, Adrian Crum wrote: > > Don't get me wrong, I'm not resisting change. I commented on your > design document that I'm in support of a security refactor. I'm sure > others in the community would support that too. > > The problem is, this wasn't discussed with the community beforehand. > No one was given an opportunity to provide input. It appears (and I > know that this might not be true) that the design was created, some > coding had been done, and THEN a document was drawn up and code > committed shortly afterward. a lot of effort into creating a proposal, posted it to confluence and created a jira issue linking to the page (which got sent to the dev list). He then responded to all the comments that people made, waited a few days for additional comments and THEN began coding. > > My recommendation would be to reboot this entire process to give the > community a chance to be involved in the design. What do you mean by reboot this entire process? So far you're the only person who has questioned the design... and you already commented on it initially on the confluence page to which Andrew responded. > > We should: > > 1. Send an email to the dev mailing list (and optionally the user > list) asking for comments on the existing security framework and > what they would like to see changed. I agree this could have been done more explicitly but a jira issue was created which does get sent to the dev list. People obviously saw it because comments were posted to the page. > > 2. Compile the list into a set of design objectives. > > 3. Send the list to the dev mailing list and ask for suggestions for > implementing the design objectives. > > 4. Compile a list of implementations and send it to the dev mailing > list for a vote. > > From my perspective, that's how a developer community should work. > Until those steps are followed, you're going to have a lot of people > asking the same questions I am - because they weren't involved and > don't understand what you're doing. committed different from the detailed design proposal that Andrew posted last week? I now realize you've obviously read it because you commented on the page, so if you don't understand what is being done now then you mustn't have understood it last week either and if you didn't understand it last week why didn't you post more comments/ questions? > > -Adrian > > > > --- On Fri, 5/1/09, Andrew Zeneski <[hidden email]> > wrote: > >> From: Andrew Zeneski <[hidden email]> >> Subject: Re: Authz API Discussion (was re: svn commit: r770084) >> To: [hidden email] >> Date: Friday, May 1, 2009, 2:30 PM >> Don't worry, I expected some level of resistance to a >> change of this magnitude, plus this requires a very >> different way of thinking so I planned on having to explain >> it, I tried to cover everything in the document, but >> that's impossible to do :) >> >> This is VERY similar to the existing security >> implementation, and very similar to other security APIs out >> there (JSecurity, Spring Security, etc). The slight >> differences are: >> >> Easier to understand and follow. Reading the new permission >> string format, you can see what is being checked. Nothing is >> hidden. The logic used to determine granular access control >> it defined on the permission itself. No more guessing where >> permission logic is located. >> >> It is much easier to extend, create seed data which >> overwrites the default permission logic references and use >> your own custom logic to determine access. No need to >> override service definitions or patch code (well once the >> migration is complete) or comment out ECAs. >> >> So, now my questions for you are: What is missing? What >> does this new API NOT do, which you are looking for? >> >> >> Andrew >> >> >> On May 1, 2009, at 4:37 PM, Adrian Crum wrote: >>> >>> I read the Auto-Grant section. The question is, where >> is the seed data shown in your code example located? If >> it's it the SFA component, then the permissions are >> still spread around. All that has changed is instead of >> having permission-modifying SECAs in components, you have >> permission-modifying seed data in components. How was >> anything "centralized?" >>> >>> I don't mean to pour cold water on your >> enthusiasm, it's just that I don't see where >> anything is being added or improved. It looks basically the >> same, only slightly different. >>> >>> -Adrian >>> >>> >>> >>> > > > |
smime.p7s (3K)
Re: Authz API Discussion (was re: svn commit: r770084)
|
|
Re: Authz API Discussion (was re: svn commit: r770084)
|
|
Re: Authz API Discussion (was re: svn commit: r770084)
|
|
In reply to this post by Adrian Crum-2
Well posting concerns in a new confluence page doesn't really
constitute communicating those concerns. In my experience with the community silence has always implied either consent or a lack of interest and when your working hard on something you don't want to see progress stall while you wait in vain for people to comment further. All this could easily have been avoided by interested parties simply commenting that they are actually interested and would like time to comment further instead of just assuming that the proposer is aware that you're going to get around to it at some point. Regards Scott On 2/05/2009, at 12:25 PM, Adrian Crum wrote: > > --- On Fri, 5/1/09, Scott Gray <[hidden email]> wrote: >> What do you mean by reboot this entire process? So far >> you're the only person who has questioned the design... >> and you already commented on it initially on the confluence >> page to which Andrew responded. > > That's not true: > > http://docs.ofbiz.org/display/OFBIZ/Notes+on+New+Security+Model?focusedCommentId=7797#comment-7797 > > -Adrian > > > > |
Re: Authz API Discussion (was re: svn commit: r770084)
|
|
Re: Authz API Discussion (was re: svn commit: r770084)
|
|
In reply to this post by Adrian Crum-2
On 2/05/2009, at 12:38 PM, Adrian Crum wrote:
> > --- On Fri, 5/1/09, Scott Gray <[hidden email]> wrote: >> Some of these questions in the discussions so far give me >> the feeling that the write up Andrew put in confluence >> hasn't been read, is that the case? >> >> Anyway I'm a +1 for the new auth framework, I think it >> give us more power AND simplicity. Will it need improvement >> over time? of course it will but I think it's a much >> better base to work from. > > I don't know if you were around at the time, but I was. One of the > "weaknesses" Andrew is trying to fix with this latest effort is the > permissions services - another design he introduced a couple years > ago. Everyone went along with it and re-wrote code to use service > permissions. (I spent several weekends just converting the > accounting component over to the new security implementation). Now > we're being told "Oops, that design is limited, let me try again." improvement to the existing security framework, designing a new framework doesn't invalidate an improvement to the old one. > Why would anyone have any objection to opening this up to the > community before we start writing code? Maybe there are others who > see weaknesses in the new design. Give them a chance to offer input. The point is that it was opened up to the community before any code was written, all that needed to happen to delay coding was for someone to say that they needed time. Collaboration is a two way street and it shouldn't be up to the proposer to check to see if you're considering making a comment at some point you should just say so. Regards Scott |
Re: Authz API Discussion (was re: svn commit: r770084)
|
|
Re: Authz API Discussion (was re: svn commit: r770084)
|
|
Re: Authz API Discussion (was re: svn commit: r770084)
|
|
Re: Authz API Discussion (was re: svn commit: r770084)
|
|
Re: Authz API Discussion (was re: svn commit: r770084)
|
|
Re: Authz API Discussion (was re: svn commit: r770084)
|
|
In reply to this post by Adrian Crum-2
On 2/05/2009, at 1:55 PM, Adrian Crum wrote:
> >> I don't really think that is relevant, permission >> services were an improvement to the existing security >> framework, designing a new framework doesn't invalidate >> an improvement to the old one. > > > Of course it is relevant! Do we need to continue to design things > that ultimately have to be redesigned? "Those who ignore history are > doomed to repeat it." existing framework and completely redesigning a framework. Your original comment implied that Andrew's previous work was flawed and I was trying to point out that there was nothing wrong with the last refactor, it was a perfectly valid improvement to what was in place before it. > What is the problem here? Are you that convinced that Andrew's > implementation is perfect? That there's no room for improvement or > other opinions? In case your memory is shortening here's what I wrote previously in this thread: >> Will it need improvement over time? of course it will but I think >> it's a much better base to work from. Let me be clear, I have no problem here whatsoever, I'm just countering arguments that the community wasn't given an opportunity to be involved because it was and still does. |
Re: Authz API Discussion (was re: svn commit: r770084)
|
|
In reply to this post by Adrian Crum-2
This discussion is going no where fast, how about we back track to
Andrew's last email and start actually discussing the design. Nothing is being foisted on anybody. Regards Scott On 2/05/2009, at 2:19 PM, Adrian Crum wrote: > > --- On Fri, 5/1/09, Anil Patel <[hidden email]> wrote: >> This is one of the big reasons what I love and hate >> community driven software. I don't see how what Andrew >> did is bad. Even though it was personal communication but I >> know Andrew only started after Adrian and Jacques showed >> interest by commenting on the page. > > The only interest I showed was that I agreed that OFBiz security > could use improvement, and I suggested he use a third party library. > I did not endorse or approve of his design. > >> Andrew has been actively explaining his idea all this time. > > As I demonstrated in another reply, no he did not. Only a few days > went by between introducing the idea and committing code. > >> The work done till date is not blocking anybody, old >> security system is still in place. New system is implemented >> in example component so its lot easy for him to explain and >> people to understand. > > What if the new work is a bad design? How will we know that until > everyone has had time to evaluate it? > >> People have different ways of working in community, Joe is >> committer still all the time he creates Jira issue and >> uploads his patch and most of time its somebody else who >> does commits, but that's his way of working. If we >> don't do what Joe does then why should Andrew do what >> Adrian does. > > As far as I know, Joe submits patches for things he doesn't have > commit rights to. > >> I don't see any reason why we should start over. > > Do you see a reason why we shouldn't? Will the project suffer > immensely if we pause and wait for others to comment? Is there some > catastrophe looming that requires us to rush this through? > >> All >> the time we talk about making things easy so people will >> contribute, Why do you want to resist a seasoned contributer >> for working. I'll rather have expect community will >> support. All the time he has been asking people to tell him >> suggestions, wish list etc. Why not support him and get more >> out of him instead. > > If we can't invite the community to participate - as I suggested - > then that only proves what I suspect - that this is a design that is > being foisted on the community. > > -Adrian > > > > |
Re: Authz API Discussion (was re: svn commit: r770084)
|
|
Re: Authz API Discussion (was re: svn commit: r770084)
|
|
Re: Authz API Discussion (was re: svn commit: r770084)
|
|
Re: Authz API Discussion (was re: svn commit: r770084)
|
|
In reply to this post by Adrian Crum-2
It's exactly the same in fact, we have a design proposed by somebody
let's start discussing it. Tear pieces out, replace some, improve others, whatever at least we have a starting point. Regards Scott On 2/05/2009, at 2:37 PM, Adrian Crum wrote: > > How about we start over and collaborate on a design? Is that so much > different? > > -Adrian > > > --- On Fri, 5/1/09, Scott Gray <[hidden email]> wrote: > >> From: Scott Gray <[hidden email]> >> Subject: Re: Authz API Discussion (was re: svn commit: r770084) >> To: [hidden email] >> Date: Friday, May 1, 2009, 7:30 PM >> This discussion is going no where fast, how about we back >> track to Andrew's last email and start actually >> discussing the design. Nothing is being foisted on anybody. >> >> Regards >> Scott >> >> On 2/05/2009, at 2:19 PM, Adrian Crum wrote: >> >>> >>> --- On Fri, 5/1/09, Anil Patel >> <[hidden email]> wrote: >>>> This is one of the big reasons what I love and >> hate >>>> community driven software. I don't see how >> what Andrew >>>> did is bad. Even though it was personal >> communication but I >>>> know Andrew only started after Adrian and Jacques >> showed >>>> interest by commenting on the page. >>> >>> The only interest I showed was that I agreed that >> OFBiz security could use improvement, and I suggested he use >> a third party library. I did not endorse or approve of his >> design. >>> >>>> Andrew has been actively explaining his idea all >> this time. >>> >>> As I demonstrated in another reply, no he did not. >> Only a few days went by between introducing the idea and >> committing code. >>> >>>> The work done till date is not blocking anybody, >> old >>>> security system is still in place. New system is >> implemented >>>> in example component so its lot easy for him to >> explain and >>>> people to understand. >>> >>> What if the new work is a bad design? How will we know >> that until everyone has had time to evaluate it? >>> >>>> People have different ways of working in >> community, Joe is >>>> committer still all the time he creates Jira issue >> and >>>> uploads his patch and most of time its somebody >> else who >>>> does commits, but that's his way of working. >> If we >>>> don't do what Joe does then why should Andrew >> do what >>>> Adrian does. >>> >>> As far as I know, Joe submits patches for things he >> doesn't have commit rights to. >>> >>>> I don't see any reason why we should start >> over. >>> >>> Do you see a reason why we shouldn't? Will the >> project suffer immensely if we pause and wait for others to >> comment? Is there some catastrophe looming that requires us >> to rush this through? >>> >>>> All >>>> the time we talk about making things easy so >> people will >>>> contribute, Why do you want to resist a seasoned >> contributer >>>> for working. I'll rather have expect community >> will >>>> support. All the time he has been asking people to >> tell him >>>> suggestions, wish list etc. Why not support him >> and get more >>>> out of him instead. >>> >>> If we can't invite the community to participate - >> as I suggested - then that only proves what I suspect - that >> this is a design that is being foisted on the community. >>> >>> -Adrian >>> >>> >>> >>> > > > |
Re: Authz API Discussion (was re: svn commit: r770084)
|
|
Re: Authz API Discussion (was re: svn commit: r770084)
|
|
| Free forum by Nabble | Edit this page |