[midPoint] Metarole and resourceRef inheritance
Wojciech Staszewski
wojciech.staszewski at diagnostyka.pl
Wed Mar 27 10:20:16 CET 2019
Hello!
I know this is a very old topic, but I feel that I have to update it.
Well, if we have one or just a few resources it works OK.
But the more resources use this metarole, the slower it works.
An example:
In my case, if a user has an account and entitlements on a resource assigned by a role using this metarole,
the reconciliation of such a user takes about 8.66 minutes (532212 milliseconds).
If I change this metarole to a "classic" one, with a statically defined resourceRef and no other scripted expressions,
the reconciliation of the same user takes 3 seconds.
Keep this in mind when you're trying to design too generic metaroles to avoid their multiplication.
Regards!
WS
On 04.12.2017 at 21:12, Wojciech Staszewski wrote:
> I was happy too soon...
> The entitlement assignment from this role works only with intent marked as "default".
>
> Can I use an expression to calculate the intent?
> In the documentation, in every example the intent is declared statically.
>
> I tried to create an intent filter expression but I got errors:
>
> Internal object inconsistence, probably a parser bug: Neither value, expression nor raw element specified in property value PPV(null) (inducement/[2]/construction/intent in role: *******)
>
> Regards!
> WS
>
> On 02.12.2017 at 18:48, Wojciech Staszewski wrote:
>> Unfortunately the expression with "getExtensionReferenceValue()" doesn't
>> work, I don't know why.
>>
>> But this is working:
>>
>> <resourceRef relation="org:default" type="c:ResourceType">
>>   <filter>
>>     <q:inOid>
>>       <expression>
>>         <script>
>>           <code>
>>             val = basic.getPropertyValue(immediateRole, "extension/resourceRef");
>>             return val;
>>           </code>
>>         </script>
>>       </expression>
>>     </q:inOid>
>>   </filter>
>>   <resolutionTime>run</resolutionTime>
>> </resourceRef>
>>
>> So I'm happy.
>> This was the biggest obstacle at the moment to finish the most important
>> resource.
>>
>> Best regards,
>> WS
>>
>> On 28.11.2017 at 13:01, Pavol Mederly wrote:
>>> Hello Wojciech,
>>>
>>> while it is true that the query API was changed in 3.4, your code, i.e.
>>>
>>> <resourceRef type="c:ResourceType">
>>>   <filter>
>>>     <q:inOid>
>>>       <expression>
>>>         <script>
>>>           <code>
>>>             val = basic.getExtensionReferenceValue(immediateRole,
>>>                 "http://midpoint.evolveum.com/xml/ns/custom/roleext", "resourceRef")
>>>             return val?.getOid()
>>>           </code>
>>>         </script>
>>>       </expression>
>>>     </q:inOid>
>>>   </filter>
>>>   <resolutionTime>run</resolutionTime>
>>> </resourceRef>
>>>
>>> should not be affected by it. It should work as before.
>>>
>>> Maybe you could try to log the value of variable "val" to see if it is
>>> filled-in correctly.
>>>
>>> Pavol Mederly
>>> Software developer
>>> evolveum.com
>>>
>>> On 28.11.2017 11:14, Wojciech Staszewski wrote:
>>>> I noticed that since v3.4 the query API was changed. Maybe this is
>>>> a problem because the example provided by Katka Valalikova was taken
>>>> from an older version?
>>>> I assume that "filter:NONE" is the key and I have to construct a
>>>> correct ObjectFilter in the new manner using QueryBuilder? Am I right?
>>>>
>>>> On 27.11.2017 at 19:14, Wojciech Staszewski wrote:
>>>>> Hello!
>>>>>
>>>>> I'm just trying this solution and got some trouble.
>>>>>
>>>>> I have created a role, let's call it "Master"; this role has an extension
>>>>> attribute "resourceRef", and it induces a basic resource account.
>>>>> The value of this attribute is my resource OID.
>>>>>
>>>>> Then I've created a metarole with the provided expression:
>>>>>
>>>>> <resourceRef type="c:ResourceType">
>>>>>   <filter>
>>>>>     <q:inOid>
>>>>>       <expression>
>>>>>         <script>
>>>>>           <code>
>>>>>             val = basic.getExtensionReferenceValue(focus,
>>>>>                 "http://midpoint.evolveum.com/xml/ns/custom/roleext", "resourceRef")
>>>>>             return val?.getOid()
>>>>>           </code>
>>>>>         </script>
>>>>>       </expression>
>>>>>     </q:inOid>
>>>>>   </filter>
>>>>>   <resolutionTime>run</resolutionTime>
>>>>> </resourceRef>
>>>>>
>>>>> This metarole is assigned to "Master". The Master role creates an account
>>>>> with the required basic attributes, and the metarole gives the entitlements.
>>>>> But the metarole resourceRef expression does not resolve the resource
>>>>> OID from the master role; the following errors appear:
>>>>>
>>>>> Got no target from repository, filter:NONE, class:class
>>>>> com.evolveum.midpoint.xml.ns._public.common.common_3.ResourceType in
>>>>> resolving resource.
>>>>>
>>>>> I want to assign this single metarole to any of dozens of "master" roles
>>>>> which assign resource accounts in dozens of identical systems, and it must
>>>>> give an entitlement with the same icfs:name in each resource (this is
>>>>> working already).
>>>>>
>>>>> Am I missing something? Thanks!
>>>>> WS
>>>>>
>>>>>
>>>>> On 16.02.2017 at 09:16, Wojciech Staszewski wrote:
>>>>>> Thank you very much!
>>>>>> I'll try it. I can't promise that I'll try it today because I have
>>>>>> to use snapshots due to the translation process.
>>>>>> And because of that I have some stability issues (a stack overflow
>>>>>> error when applying changes on a user and in reconciliation as well),
>>>>>> but I'll check it as soon as these issues are fixed.
>>>>>>
>>>>>> Best regards!
>>>>>> WS
>>>>>>
>>>>>> On 16.02.2017 at 08:53, Katka Valalikova wrote:
>>>>>>> Hi Wojciech,
>>>>>>>
>>>>>>> in one of my environments I have a similar situation (if I
>>>>>>> understood your problem correctly). I have hundreds of Unix
>>>>>>> systems where I manage groups, users and their memberships in
>>>>>>> groups. I use the following configuration.
>>>>>>>
>>>>>>> 1. I have midPoint Role A. This role has assigned the metarole M(x),
>>>>>>> which creates a group (G) on the target Linux system, and after Role A is
>>>>>>> assigned to the user, it adds this user as a member of the Unix group
>>>>>>> (G) created by the metarole M(x). In Role A I have an extension
>>>>>>> attribute which contains a reference to the resource where all of
>>>>>>> this should happen.
>>>>>>> 2. The configuration for the "dynamically" resolved resource ref
>>>>>>> looks like the following:
>>>>>>>
>>>>>>>
>>>>>>> <inducement id="1"> <!-- create a Unix group on the target system referenced
>>>>>>>                          by val.getOid(), with the name taken from extension/ext:commonName -->
>>>>>>>   <construction>
>>>>>>>     <resourceRef type="c:ResourceType">
>>>>>>>       <filter>
>>>>>>>         <q:inOid>
>>>>>>>           <expression>
>>>>>>>             <script>
>>>>>>>               <code>
>>>>>>>                 val = basic.getExtensionReferenceValue(focus,
>>>>>>>                     "http://midpoint.evolveum.com/xml/ns/custom/roleext", "resourceRef")
>>>>>>>                 return val?.getOid()
>>>>>>>               </code>
>>>>>>>             </script>
>>>>>>>           </expression>
>>>>>>>         </q:inOid>
>>>>>>>       </filter>
>>>>>>>       <resolutionTime>run</resolutionTime>
>>>>>>>     </resourceRef>
>>>>>>>     <kind>entitlement</kind>
>>>>>>>     <intent>unixGroup</intent>
>>>>>>>     <attribute>
>>>>>>>       <c:ref>icfs:name</c:ref>
>>>>>>>       <matchingRule xmlns:mr="http://prism.evolveum.com/xml/ns/public/matching-rule-3">mr:stringIgnoreCase</matchingRule>
>>>>>>>       <outbound>
>>>>>>>         <source>
>>>>>>>           <name>commonName</name>
>>>>>>>           <c:path xmlns:ext="http://midpoint.evolveum.com/xml/ns/custom/roleext">extension/ext:commonName</c:path>
>>>>>>>         </source>
>>>>>>>       </outbound>
>>>>>>>     </attribute>
>>>>>>>   </construction>
>>>>>>> </inducement>
>>>>>>> <inducement id="2"> <!-- add the user to the group on the target system
>>>>>>>                          referenced by val.getOid() -->
>>>>>>>   <construction>
>>>>>>>     <resourceRef type="c:ResourceType">
>>>>>>>       <filter>
>>>>>>>         <q:inOid>
>>>>>>>           <expression>
>>>>>>>             <script>
>>>>>>>               <code>
>>>>>>>                 val = basic.getExtensionReferenceValue(immediateRole,
>>>>>>>                     "http://midpoint.evolveum.com/xml/ns/custom/roleext", "resourceRef")
>>>>>>>                 return val?.getOid()
>>>>>>>               </code>
>>>>>>>             </script>
>>>>>>>           </expression>
>>>>>>>         </q:inOid>
>>>>>>>       </filter>
>>>>>>>       <resolutionTime>run</resolutionTime>
>>>>>>>     </resourceRef>
>>>>>>>     <kind>account</kind>
>>>>>>>     <intent>default</intent>
>>>>>>>     <association>
>>>>>>>       <c:ref>ri:unixGroup</c:ref>
>>>>>>>       <outbound>
>>>>>>>         <strength>strong</strength>
>>>>>>>         <expression>
>>>>>>>           <associationFromLink>
>>>>>>>             <projectionDiscriminator>
>>>>>>>               <kind>entitlement</kind>
>>>>>>>               <intent>unixGroup</intent>
>>>>>>>             </projectionDiscriminator>
>>>>>>>           </associationFromLink>
>>>>>>>         </expression>
>>>>>>>       </outbound>
>>>>>>>     </association>
>>>>>>>   </construction>
>>>>>>>   <order>2</order>
>>>>>>>   <focusType>UserType</focusType>
>>>>>>> </inducement>
>>>>>>>
>>>>>>> You can maybe use something like this. In general, there is
>>>>>>> support for resolving references to the resource (even roles,
>>>>>>> services, orgs) dynamically using a filter (and expression) instead
>>>>>>> of a static reference (resourceRef, ...). Your expression can be
>>>>>>> modified according to your needs. However, keep in mind that this
>>>>>>> configuration can be used only if the target systems are the same
>>>>>>> and have the same schema. In my case, all of the target systems are
>>>>>>> Linux distributions with the same configuration.
>>>>>>>
>>>>>>> Best regards,
>>>>>>>
>>>>>>> Katarina Valalikova
>>>>>>> Java Developer
>>>>>>> evolveum.com
>>>>>>>
>>>>>>> ----- Original Message -----
>>>>>>> From: "Wojciech Staszewski"<wojciech.staszewski at diagnostyka.pl>
>>>>>>> To: "midPoint General Discussion"<midpoint at lists.evolveum.com>
>>>>>>> Sent: Tuesday, February 14, 2017 10:26:33 AM
>>>>>>> Subject: [midPoint] Metarole and resourceRef inheritance
>>>>>>>
>>>>>>> Hello all!
>>>>>>>
>>>>>>> I have a question, maybe stupid or maybe not:
>>>>>>>
>>>>>>> - Why must a metarole have a "ResourceRef"? Can't it be inherited from
>>>>>>> the "master" role?
>>>>>>> (I know the answer: "a metarole is also a normal role..." etc.)
>>>>>>>
>>>>>>> This would be useful with a large number of identical systems. I'd
>>>>>>> like to have 30 metaroles that I could assign to any of 200
>>>>>>> systems rather than having to maintain 30x200 metaroles.
>>>>>>> Access rights (roles, groups, privileges, "entitlements" in
>>>>>>> general) are identical in each system; they are replicated from a
>>>>>>> central server.
>>>>>>> Any change would make it necessary to edit 30x200 roles; it would be a
>>>>>>> nightmare to maintain.
>>>>>>>
>>>>>>> Best regards,
>>>>>>> Wojciech Staszewski
>>>>>>> _______________________________________________
>>>>>>> midPoint mailing list
>>>>>>> midPoint at lists.evolveum.com
>>>>>>> http://lists.evolveum.com/mailman/listinfo/midpoint
--
Wojciech Staszewski
Network Systems Administrator
mobile: 663 680 236
www.diagnostyka.pl
Diagnostyka Sp. z o. o.
ul. Prof. M. Życzkowskiego 16, 31-864 Kraków
KRS number: 0000381559 (District Court for Kraków-Śródmieście in Kraków, XI Commercial Division of the KRS)
NIP: 675-12-65-009; REGON: 356366975
Share capital: 33 756 500 PLN.
Think about the environment before you print this e-mail.
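The thread's closing lesson is that a resourceRef resolved by a scripted filter at run time costs minutes per reconciliation where a statically bound one costs seconds, while hand-maintaining 30x200 static metaroles is the original complaint. As an added example (not code from this thread or from midPoint itself), the Python below takes a generic metarole template modelled on the XML quoted above and emits one "classic" copy per resource with a static oid, so the fast form can be generated instead of maintained by hand; the template, resource names and OIDs are constructed placeholders.

```python
import copy
import xml.etree.ElementTree as ET

C = "http://midpoint.evolveum.com/xml/ns/public/common/common-3"
Q = "http://prism.evolveum.com/xml/ns/public/query-3"
ET.register_namespace("c", C)
ET.register_namespace("q", Q)

# Constructed template modelled on the thread's generic metarole: the resource is
# looked up at run time by a scripted filter (the slow path from the first message).
GENERIC_METAROLE = f"""<role xmlns="{C}" xmlns:c="{C}" xmlns:q="{Q}">
  <name>meta-unix-group-member</name>
  <inducement><construction>
    <resourceRef type="c:ResourceType">
      <filter><q:inOid><expression><script><code>
        return basic.getPropertyValue(immediateRole, "extension/resourceRef")
      </code></script></expression></q:inOid></filter>
      <resolutionTime>run</resolutionTime>
    </resourceRef>
    <kind>account</kind>
    <intent>default</intent>
  </construction></inducement>
</role>"""

# Constructed sample resources with placeholder OIDs (not real midPoint objects).
RESOURCES = [("lab-unix-01", "00000000-0000-0000-0000-00000000a001"),
             ("lab-unix-02", "00000000-0000-0000-0000-00000000a002")]

def dynamic_ref_count(role_xml):
    """Count resourceRef elements still resolved by a filter (i.e. at run time)."""
    root = ET.fromstring(role_xml)
    return sum(1 for r in root.iter(f"{{{C}}}resourceRef")
               if r.find(f"{{{C}}}filter") is not None)

def bind_static(template_xml, resources):
    """Emit one 'classic' copy of the metarole per resource with a static resourceRef."""
    base = ET.fromstring(template_xml)
    out = {}
    for res_name, res_oid in resources:
        role = copy.deepcopy(base)
        for ref in list(role.iter(f"{{{C}}}resourceRef")):
            if ref.find(f"{{{C}}}filter") is None:
                continue                      # already static: leave as is
            for child in list(ref):           # drop <filter> and <resolutionTime>
                ref.remove(child)
            ref.text = None
            ref.set("oid", res_oid)           # bound at import time, no script at run time
        name = role.find(f"{{{C}}}name")
        name.text = f"{name.text}@{res_name}"
        out[name.text] = ET.tostring(role, encoding="unicode")
    return out
```

Each generated role can then be imported as a separate object; the Groovy lookup and its per-resource cost disappear from the reconciliation path entirely.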