<jason> basically, there is no way to associate a role with a group.
<jason> if i wanted to display a list of roles for a project, you can't do it right now.
<jason> there is no table that binds roles with groups.
<jason> but the grant(User, Group, Role) requires all three.
<jason> there is no TURBINE_GROUP_ROLE, so there is no way to add a role to a project.
<jason> so there is no way to display a list of roles for a project.
<jason> am i missing something?
<jason> i asked daveb to look at it and he arrived at the same conclusion i did.
<fedor> the point is that roles are global
<fedor> so there is no and should not be an assoc between them
<fedor> again: roles do not belong to projects
<fedor> if they did
<fedor> you would not need a Group as parameter to grant()
<fedor> it would be implied
<fedor> example:
<fedor> there is role "admin"
<fedor> which has certain permissions (does not matter)
<jason> the javadocs _say_ role _within_ a group.
<fedor> it says:
<fedor> .. assign user a role within a group...
<fedor> you should read:
<fedor> assign... within a group
<fedor> not
<fedor> role within a group
<jason> well that's not what it says.
<fedor> no!
<fedor> it's a grammatical ambiguity
<jason> and if roles are global then why is there a group table?
<fedor> "within" attaches to "assign"
<jason> if there is only one.
<fedor> sounds like we are where we've started...
<jason> in our discussion of how you thought the projects should be displayed with all the roles associated with that project: i can't do that.
<fedor> group is NOT a group of roles!
<fedor> there are no roles assoc with a project
<fedor> let's go back to the example, OK?
<fedor> we have few roles (they are global):
<jason> hold on one sec.
<fedor> "admin", "developer", "tester", "guest"
<fedor> go ahead
<jason> but what if you wanted an admin role for each project, why is there even a group table if all roles are global?
<jason> this is really pissing me off.
<jason> the docs suck!
<fedor> group is a project
<jason> yes, i get that [ even though the names are god awful ]
<jason> but you also said that permissions are global, but there is a table relating permissions with roles?
<fedor> role IS a group of permissions
<jason> i am just trying to produce the first form that we discussed. can we do that?
<fedor> produce what?
<fedor> go ahead
<jason> i thought we were going to present the admin with a list of projects and the roles associated with those projects and the intersection would be checkboxes.
<jason> you sure there isn't a mistake in the schema and Rafal just used the global group for everything?
<fedor> omit "associated with those projects" and i agree
<jason> so you just show a huge list of roles that are global?
<fedor> right
<fedor> not amny though
<fedor> s/amny/many
<fedor> not so many.
<jason> well, for tambora we have different groups/projects and the roles for those projects are distinct so if this thing works with only global roles then i think there's a problem.
<jason> how can projects share the same set of roles?
<fedor> can you tell what particular roles those are?
<fedor> i want to see why you need that
<fedor> and persuade you that you do not ;-)
<jason> in tambora there are two distinct systems, storage and transport, and the roles within them are very different.
<fedor> can you elaborate more?
<jason> can we go over an example of how you think it works. the last time we were discussing this with john, i got the distinct impression that roles were separated by group. we were arguing whether to use checkboxes or lists because you might have to select a project before selecting a role.
<fedor> ;-)
<fedor> ok i continue:
<fedor> fedor> we have few roles (they are global):
<fedor> <fedor> "admin", "developer", "tester", "guest"
<fedor> ("fedor" is not a role ;-)
<jason> :-)
<fedor> and we have a few projects:
<fedor> "scarab", "turbine", "velocity"
<fedor> and there are users:
<fedor> jon, geir, jason
<fedor> you do:
<fedor> grant(jon, scarab, admin);
<fedor> grant(jon,scarab,developer)
<jason> that sucks!
<fedor> grant(jason, scarab, developer)
<fedor> why?
<fedor> it's normal
<jason> "tester"
<jason> what if in turbine you wanted "pool-connection-tester"
<fedor> what's the point?
<fedor> you create subproject
<jason> that doesn't apply to the other projects, you're stuck with totally general categories.
<fedor> in turbine called "pool-connection"
<fedor> and give that user "tester" in it
<fedor> Give another example where you need it
<jason> but turbine is the top-level project?
<fedor> probably
<fedor> what's the diff?
<jason> you are telling me that roles will never vary for each individual project?
<fedor> roles are the same
<fedor> but set of roles
<fedor> assigned to a user is individual
<fedor> in our last example
<fedor> user "ThatGuyThatTestsPoolsAndNothingElse"
<fedor> will have "tester" role in "connection-pool" subproject
<fedor> and "guest" role in project "Turbine"
<jason> but the name tester will be duplicated then: "tester" for turbine, and "tester" for the connection pool on the list of roles?
<jason> what if you had turbine as the tool for a website management tool: you would have content managers, editors, designers. you are telling me that the roles each of these people play would be the same?
<jason> no way.
<fedor> if they perform different _functions_
<jason> say the designer could change some ui features, the content providers (sorry, not content manager) could enter articles, and the editors had approval abilities.
<fedor> those would be different roles
<jason> but they are roles of those distinct categories!!
<fedor> those are different roles
<jason> yes!
<jason> but there would be roles associated with a designer that bear no relation to the roles of a content manager.
<fedor> what categories are you talking about?
<jason> designer/content provider/editor
<jason> you are saying those are roles?
<fedor> those are roles
<fedor> and say you have a site hosting...
<jason> i think i'm one level away ...
<fedor> a few "web portals" or something
<fedor> what's the project(group) breakdown you would have?
<jason> each site would probably be a project.
<fedor> right
<jason> but one site might deal with mutual funds and one with books.
<fedor> and each would have "designer/content provider/editor"
<fedor> but roles as far as site management is concerned are the same
<jason> sure, but you can't get any more specialized than that?
<fedor> example!
<jason> say you have a mutual fund analyst role, and they can do certain things on the mutual fund site that wouldn't happen on the book site.
<fedor> isn't he just a content provider?
<jason> yes, but that's a little general.
<jason> for a huge financial portal you would probably have distinct financial type roles.
<jason> for a huge literary site you might want to break up what types of content they provide.
<fedor> are we talking about a site management
<fedor> or
<jason> yes, site management
<fedor> financial analysis tool
<fedor> you are mixing the two i think
<fedor> these would be two different pieces of software
<jason> no. ok say we just have content provider.
<jason> as the one role of someone who can add content to the site.
<fedor> and each would have its own set of roles
<fedor> go
<jason> a set of roles only applies to a user, yes?
<jason> jason is content provider, editor
<jason> s/is/is a/
<fedor> or rather :
<fedor> .. is a CP in project A, editor in project B
--> Rafal (-fil@gw.e-point.pl) has joined #turbine
<Rafal> hi
<fedor> hi
<jason> hi rafal
<fedor> you are just on time!
<jason> so what we are saying is that roles are universal across all projects?
<jason> that one sentence would clear a lot up for me.
<Rafal> yes. roles should be abstract
<Rafal> I see you wrote a proposal for the admin app
<Rafal> I'll read it in a minute
<jason> yes, i think i have a fundamental misunderstanding that fedor just cleared up.
<Rafal> we discussed the role/group stuff with Fedor and Jon a while ago
<jason> i did not think of roles as universal, but being held within a group/project.
<jason> yes, but the logs aren't kept anywhere, and i couldn't find anything useful in the mail archive, mostly because the search facility sucks. but fedor has been trying to educate me.
<Rafal> no... roles are universal, but you assign them to a user *within* a group (project etc)
<jason> yes, that has finally sunk in.
<jason> that is the one sentence i was looking for: "roles are universal".
<jason> ok, we were talking about a portal site, can we just go a little further with it?
<jason> we had the roles of designer/content provider/editor
<Rafal> sure
<jason> and we had two sites, a large financial site, and a large literary site.
<Rafal> I have working portal software running on Turbine
<Rafal> so I know this sort of stuff
<jason> great!
<Rafal> in our system we have a content tree
<Rafal> each of the portals would be children of the root node
<jason> and do you distinguish who is actually allowed to add/edit particular types of content?
<Rafal> in our system we associate a turbine group with a node (and possibly its children)
<Rafal> then we have a few 'editor' roles with varying sets of permissions
<Rafal> (like edit article, add section and so on)
<jason> so each group is a different site?
<Rafal> yes. you can have a few groups for one site - for particular parts of it.
<Rafal> a fragment of the content tree...
<Rafal> it's clean and simple
<jason> can i continue with my example, and then you point me in the right direction vis-a-vis making new groups/perms and what not?
<Rafal> what do you think?
<Rafal> ok. you have some abstract content tree
<Rafal> you establish a mapping between the content tree and turbine groups
<Rafal> for an arbitrary content node, you can give a list of one or more turbine groups that are associated with it
<Rafal> you create 'content provider' and 'editor' roles
<Rafal> define permissions 'add article' 'edit article' 'remove article' 'add section' 'remove section'
<Rafal> 'content provider' has article related permissions, 'editor' has both article and section related.
<jason> so for distinct parts of your site you have created turbine groups. ok that helps a lot too.
<Rafal> then assign 'content provider' in 'portal A' group to 'John Doe' user, and so on.
<jason> and so the 'content provider' role in group A can have a different set of permissions than the role 'content provider' in group B?
<Rafal> the administrative application has to check what groups the 'current node' is associated with
<Rafal> and check if the user has the permission to execute an action within any of these groups.
<Rafal> the 'groups' abstraction that Jon forged for Scarab project proved to be really useful...
<Rafal> no. a role has a single set of permissions.
<Rafal> if you need a different set, you can create a different role, but ...
<Rafal> in this portal related stuff here, the permissions should be basically the same in all parts of the portal.
<Rafal> so should be the roles.
<Rafal> user 'A' can be content provider for the financial site, and an editor of some part of the other site...
<jason> how about the notion of a content provider for a financial site being different from that of a content provider for a literary site: say for a financial CP permission to change daily stock quotes, and literary CP say update top 10 list?
<Rafal> no, these are different roles
<Rafal> why would you like to make them one?
<jason> so then 'financial content provider' and 'literary content provider'?
<jason> i'm simply trying to understand the model, that's all.
<jason> and each of those roles have their own perms. ok.
<Rafal> yes
<fedor> i think content provider is content provider, that's it
<Rafal> if the 'content' means the same in both sites, you need one role
<Rafal> usually the portal will have both 'articles' and 'applications' embedded in the application tree.
<Rafal> usually applications will need different roles/permissions than the articles.
<Rafal> s/application tree/navigation tree/
<jason> thanks, rafal, that helps a lot!
<Rafal> ok
<jason> ignore my postings, as i had a fundamental misunderstanding.
<Rafal> all right :)
<jason> i will adjust the proposal as i understand now how it's supposed to work.
<jason> do you use a webapp for your admin, or an LDAP client?
<Rafal> talking about the proposal, AccessControlList is not pluggable
<Rafal> AccessControlBuilder is not used any more (access.control setting in TR.p)
<Rafal> we use database console right now :(
<jason> ah!
<Rafal> we don't have too many administrators in our portal so it kind of works...
<jason> yup, i do that too.
<jason> ok, so the access.control is a property that can be removed now?
<jason> i will clean that up if that's the case.
<jason> can i remove the whole access control section from the TR.props?
<Rafal> i'm looking at the master file right now and it's not there
<Rafal> hmmm I must have removed it earlier.
<jason> ok, i'm looking at the project i'm working on and it's probably not updated.
<jason> so people never have to extend the AccessControlList class?
<Rafal> no. there's no way to do this now, and I think there is no need to.
<jason> that's cool. just checking. i will write an xdoc today with the info i've gathered here and finish the proposal so i can get started on the admin app for tambora and the tdk.
<Rafal> good.
<Rafal> my friends have some ideas for the UI...
<Rafal> I need to write them down.
<Rafal> OneWeb (the other e-point project) has quite a nice security admin app and we could steal a few bits
<jason> cool, just toss them in the proposals directory and we can work on them together.
<jason> sure, that would be great! i have to get something working this week for tambora.
<Rafal> I'll be back in a minute...