Tracy: We are using Quartz scheduler as a base for task manager. There is no special "task manager" node, it is a distributed component embedded in every midPoint instance. Synchronization is done on top of Quartz database tables. Therefore yes, the task manager is itself HA. In fact, the single point of failure is the database (but that can be clustered too).
Martin: what's wrong with the localization? Maybe it is cause by monday morning, but I do not see the problem :-)
@semancik : this artifact should have newer date: https://nexus.evolveum.com/nexus/#browse/search=keyword%3Dlocalization:snapshots%3Acom.evolveum.midpoint%3Amidpoint-localization%3A4.0.3-SNAPSHOT
Ah, I forgot to mention last week: support-4.1 branch is not yet created. We are still committing bugfixes to master, bugfixes that are targetted both for 4.2 and 4.1.1. Part of the teams takes it easy this week after the release and easter. We will avoid some amount of cherrypicking in this way.
I will create support branch probably early next week.
looks good!
@mahendradoodi This chat is meant for developer and contributor coordination. It is not a support form. I would suggest to use midPoint mailing lists instead: https://lists.evolveum.com/mailman/listinfo/
@semancik Hi, I developed a new connector which is for Keycloak: https://github.com/openstandia/connector-keycloak
Could you list it on the connector list table?
Could you list it on the connector list table?
@semancik Happy New Year!
I've developed three new connectors! Could you list them on the connector list table?
I've developed three new connectors! Could you list them on the connector list table?
- Guacamole Connector: https://github.com/openstandia/connector-guacamole
- Datadog Connector: https://github.com/openstandia/connector-datadog
- Pulumi Connector: https://github.com/openstandia/connector-pulumi
@fefa2k If you want midPoint to emit simple notifications like "this object was added, modified or deleted", you can use so called custom notification transport - see https://wiki.evolveum.com/display/midPoint/Custom+notification+transport+HOWTO. (I.e. you would need to insert your own Groovy, JS, or whatever code that would send appropriate message to a RabbitMQ queue.) However, starting from 4.3-M1 there is an experimental feature of "serious" asynchronous provisioning - see https://wiki.evolveum.com/display/midPoint/Asynchronous+%28Messaging%29+Outbound+Resources. The difference between the two approaches is that the latter can utilize the full power of midPoint transformational engine (using mappings, object templates, metaroles, and the like) to derive the content of messages that are sent out. In order words, you can create a remote "projection" of your midPoint users and manage it just like you manage your LDAP, AD, CSV, or whatever "online" resources. Just refer to the wiki links above.
@fefa2k Yes. I understand. In usual midPoint deployments, however, this functionality is provided by (synchronous) midPoint connectors. The direct advantage is better troubleshooting, and - in particular - the ability to do "full reconciliation" of a target resource against midPoint. I would recommend to lean towards this architecture, at least in the long run.
@semancik Hello, I've developed new connector, GitHub Connector. Could you add to the connector list? Thanks in advance.
https://github.com/openstandia/connector-github
https://github.com/openstandia/connector-github
Hi everyone. When we implement MidPoint for our clients, we take full advantage of the RBAC capabilities by applying inducements to the org hierarchy orgs and other roles. This grants a standard set of access to the identities by way of things like a person's job title/position. Since there are exceptions to every rule, occasionally identities have direct assignments of specific roles.
The user assignments page is great in that it shows all assignments a user has - broken down by both direct and indirect assignments (granted through the org/role inducements).
Our current challenge is that occasionally, a user's direct assignment may be elevated to a standard indirect assignment by way of org/role inducements (e.g. the exception becomes part of the RBAC - no longer an exception). In such scenarios, we'd like the direct assignment to somehow be auto lifted, but we're finding it difficult to get at the direct/indirect assignment information that the user assignments tab presents.
Is there midpoint utility or model that easily calculates or otherwise reports all direct and indirect assignments (and which they are) to be used in such a scenario? (note, user role membership refs don't inform how the role got there, just that it is there)
Hello @bpowers1215 ! This should be the code that obtains the assignment information to be displayed on the user assignments tab: https://github.com/Evolveum/midpoint/blob/109771af5260d38ccc0e9e67e007a824d51fb397/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/page/admin/PageAdminFocus.java#L642-L711.
The "interface" (i.e. the EvaluatedAssignment class and its content) is not very clean nor documented - yet. But maybe you would be able to obtain the information you need.
Anyway, what you need - if I am not mistaken - is to obtain a set of EvaluatedAssignments and their targets, and check if a specific target is reachable both directly and indirectly, via different values of $user/assignment. Be sure to check for validity, condition status, inducement orders, and so on. Everything should be there (so no need to e.g. evaluate conditions yourself), but be sure to take those flags into account.
Thanks @mederly. We actually have been taking a look at that very code. But we found that it seems to be dependent on a user model that is only attainable through an event like modification, or in this case, recomputation? So a recompute task is kicked off in the function you mentioned to obtain this. Am I reading this correctly, or is there another way to detect this information? It seem context will be matter as we are hoping to achieve insight of direct/indirect assignments to remove duplicate direct assignments either in a scripted task or an inbound mapping using assignment target search.
Yes. The information about direct/indirect assignment details is a by-product of a processing of user in so-called Projector. That's a central component in midPoint that takes a situation (focus object, optionally its deltas, and projections), and computes changes that should be applied on the object and its projections. Besides many other things, this projector evaluates also user assignments and their implications. Currently this is the only way how to get this information about assignment details. (I.e. it is not stored in the repository.)
So it is not a "cheap" operation (taking let's say milliseconds or tens of milliseconds). It will take more, depending on your particular situation, maybe hundreds of milliseconds or more.
But this Projector processing can be invoked in any situation. No specific requirements are there.
These are two key lines from the code snipped we are talking about:
Instead of Collections.singleton(delta) you should send an empty collection of deltas - as there are none to be processed.
And you can use this code safely in e.g. scripted task. That would be the best place in my opinion.
If the performance is a concern, you could experiment with so-called partial processing options to disable parts of the Projector processing. E.g. inbound and outbound mappings can be safely turned off, I think. For the overview of the whole Projector process please see this (unfinished) document: https://docs.evolveum.com/midpoint/devel/design/projector-and-clockwork-internals/
1 reply