  1. Identity Gateway
  2. OPENIG-2925

Make UserProfileFilter and related AmService configuration more user-friendly

    Details

    • Type: Story
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 6.5.0
    • Fix Version/s: 6.5.0
    • Component/s: OpenAM
    • Labels:
      None

      Description

      This is a transcript of a discussion I had with Guillaume Sauthier and shared with the other team members. Everything is in here, even the configuration as an acceptance criterion.

      AmService becomes fatter and fatter with all these services, and its companion builder suffers the same effect. And we know that soon we will refactor the PEF and add a kind of PolicyService to AmService.
      AmService should factorize the credentials, the CHF Handler that provides automatic authentication, the notification service. Nothing more.
      The SessionService, UserProfile and soon PolicyService are services that rely on an AmService, but it may not be the role of AmService to hold them. The motivation for that is really the configuration of those services. Recently, I moved the profileAttributes to the AmService configuration: I was obliged to do that as we implicitly agreed that such services should be held and instantiated by AmService.
      But yesterday we mentioned another way to do it: such services could be instantiated through a Heaplet and thus reside in the Heap, where the other filters could look them up. By doing so, the configuration of the services is really part of the declaration of these services; and it would be possible to share the service instances among different filters, or to have different instances of each service configured differently if needed.
      That would give a setup like the following for the UserProfileFilter:

      {
        "heap": [
          {
            "name": "AmService-1",
            "type": "AmService",
            "config": {
              "agent": {
                "username": "ig-agent",
                "password": "password"
              },
              "enableNotifications": false
            }
          },
          {
            "name": "UserProfileService-1",
            "type": "UserProfileService",
            "config": {
              "amService": "AmService-1",
              "profileAttributes": [ "mail", "employeenumber"]
            }
          },
          {
            "name": "UserProfileFilter-1",
            "type": "UserProfileFilter",
            "config": {
              "userProfileService": "UserProfileService-1"
            }
          },
          {
            "name": "UserProfileFilter-2",
            "type": "UserProfileFilter",
            "config": {
              "userProfileService": {
                "name": "UserProfileService-2",
                "type": "UserProfileService",
                "config": {
                  "amService": "AmService-1",
                  "profileAttributes": [ "mail", "employeenumber", "customAttribute-1", "customAttribute-2" ],
                  "cache": {
                    "enabled": true,
                    "maximumTimeToCache": "2 hours"
                  }
                }
              }
            }
          }
        ]
      }
      

      I really like this kind of setup, definitely: split up the responsibility to where it is used.
      The inline declaration of the UserProfileService-2 is quite natural too.
      The same exercise could be done for the filters that depend on the SessionService to show the benefits.
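
A simplified check of the wiring proposed above, as an added example that is not part of the original issue or of Identity Gateway's own code: it resolves each userProfileService and amService reference, whether given by name or declared inline, and reports any that point at nothing or at the wrong type. The REFS map is an assumption drawn only from the fields shown in the description, and the dangling UserProfileFilter-3 entry is constructed for the check.

```python
import json

# Constructed sample: a trimmed copy of the heap from the description, plus
# one deliberately dangling reference ("UserProfileService-9").
SAMPLE = json.loads("""
{"heap": [
  {"name": "AmService-1", "type": "AmService", "config": {"enableNotifications": false}},
  {"name": "UserProfileService-1", "type": "UserProfileService",
   "config": {"amService": "AmService-1", "profileAttributes": ["mail"]}},
  {"name": "UserProfileFilter-1", "type": "UserProfileFilter",
   "config": {"userProfileService": "UserProfileService-1"}},
  {"name": "UserProfileFilter-2", "type": "UserProfileFilter",
   "config": {"userProfileService": {
       "name": "UserProfileService-2", "type": "UserProfileService",
       "config": {"amService": "AmService-1",
                  "profileAttributes": ["mail", "customAttribute-1"]}}}},
  {"name": "UserProfileFilter-3", "type": "UserProfileFilter",
   "config": {"userProfileService": "UserProfileService-9"}}
]}
""")

# Assumed reference map (not IG's schema), from the fields in the description:
# object type -> {config key: type that key must resolve to}.
REFS = {
    "UserProfileFilter": {"userProfileService": "UserProfileService"},
    "UserProfileService": {"amService": "AmService"},
}

def check_heap(doc):
    """Return a list of problems found while resolving service references."""
    named = {o["name"]: o for o in doc.get("heap", [])}
    problems = []

    def visit(obj):
        name = obj.get("name", "<inline>")
        for key, wanted in REFS.get(obj.get("type"), {}).items():
            ref = obj.get("config", {}).get(key)
            # A string is a lookup by name; a dict is an inline declaration.
            target = named.get(ref) if isinstance(ref, str) else ref
            if not isinstance(target, dict):
                problems.append(f"{name}: '{key}' is missing or unknown ({ref!r})")
            elif target.get("type") != wanted:
                problems.append(f"{name}: '{key}' must be a {wanted}")
            elif isinstance(ref, dict):
                visit(target)  # inline objects carry their own references

    for obj in named.values():
        visit(obj)
    return problems
```

Running check_heap(SAMPLE) reports only the constructed UserProfileFilter-3 entry; the named and inline declarations from the description resolve cleanly.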

              People

              Assignee:
              laurent.vaills Laurent Vaills
              Reporter:
              guillaume.sauthier Guillaume Sauthier