Versions Compared

Old Version 5

changes.mady.by.user Daan

Saved on

compared with

New Version Current

changes.mady.by.user Daan

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: better description

...

moveUser API:

Jira
serverASF JIRA
columnskey,summary,type,created,updated,due,assignee,reporter,priority,status,resolution
serverId5aa69414-a9e9-3523-82ec-879b028fb15b
keyCLOUDSTACK-10121

Branch

What branch is this work being done in

Introduction

Tthe The current LDAP plugin implementation ties the full CloudStack infrastructure to a LDAP (OU) and creates an CloudStack account for every UID found. A user might want to have a customer create it's own ldap tree and/or add users to a shared account. Thus a user (i.e. domain admin) would be able to organise access to CloudStack using the OU/UID in their ldap.

In this feature multi tenancy is created and account to LDAP group binding. as a result each domain can have their own LDAP implementation and can define accounts for certain purposes, managing those accounts in their LDAP server.

Purpose

The purpose of the document to specify the functionality of the domain level binding to an LDAP tree, allowing per customer administration.

...

S8              An admin moved a user into two distinct groups mapped to two different accounts in the same domain. The user will be refused logging in as in scenario S4. No move will be done. An error stating the situation and deferring to the LDAP admin will be returned. The user will not be removed but marked disabled, so a move can still be done after the issue is resolved.

Proposed solution

The linking of LDAP groups It will be possible to add an ldap configuration for a specific domain. the domain id field will be optional to maintain backwards compatibility. Specific accounts can be linked to LDAP groups. This will be done on account-properties.by an account level property that has no global default value. (ldap.mapped.group)

domain level settings

The configuration mechanism will be extended to include domain level configuration items for LDAP. The basedn and bind attributes would be domain level attributes. For the use-cases described this is not strictly necessary but for users providing public offerings or large enterprise installations, this will improve the usability of the feature. The extra work involved will be not just adding the needed settings but also the enabling of settings on a domain level, which does not exist at the moment of writing.

...

A moveUser API will be added in favour of extending updateUser API for security, as users have access to updateUser API.

References

  • relevant links

Document History

Glossary

Feature Specifications

  • put a summary or a brief description of the feature in question 
  • list what is deliberately not supported or what the feature will not offer - to clear any prospective ambiguities
  • list all open items or unresolved issues the developer is unable to decide about without further discussion
  • quality risks (test guidelines)
    • functional
    • non functional: performance, scalability, stability, overload scenarios, etc
    • corner cases and boundary conditions
    • negative usage scenarios
  • specify supportability characteristics:
    • what new logging (or at least the important one) is introduced
    • how to debug and troubleshoot
    • what are the audit events 
    • list JMX interfaces
    • graceful failure and recovery scenarios
    • possible fallback or work around route if feature does not work as expected, if those workarounds do exist ofcourse.
    • if feature depends other run-time environment related requirements, provide sanity check list for support people to run
  • explain configuration characteristics:
    • configuration parameters or files introduced/changed
    • branding parameters or files introduced/changed
    • highlight parameters for performance tweaking
    • highlight how installation/upgrade scenarios change
  • deployment requirements (fresh install vs. upgrade) if any
  • system requirements: memory, CPU, desk space, etc
  • interoperability and compatibility requirements:
    • OS
    • xenserver, hypervisors
    • storage, networks, other
  • list localization and internationalization specifications 
  • explain the impact and possible upgrade/migration solution introduced by the feature 
  • explain performance & scalability implications when feature is used from small scale to large scale
  • explain security specifications
    • list your evaluation of possible security attacks against the feature and the answers in your design* *
  • explain marketing specifications
  • explain levels or types of users communities of this feature (e.g. admin, user, etc)

Use cases

put the relevant use case/stories to explain how the feature is going to be used/work

Architecture and Design description

...

prior ldap work has been done in these FSs.

This specification is about tying an ldap per domain (multi tenant) and an account per ldap group including auto moving and deleting of accounts as they are moved or deleted in ldap.

...

Web Services APIs

list changes to existing web services APIs and new APIs introduced with signatures and throughout documentation

...