Using moira groups in Thalia:
Since Moira is the system of record for groups, we want to use existing Moira groups instead of having our users create Thalia-specific groups. Since Moira is Athena-specific, we decided to synchronize against LDAP instead of Moira itself. We use ldap.mit.edu, which synchronizes with Moira every 4 hours.
There are more than 3000 Moira security groups. We think each domain will most likely be interested in only a few dozen of them. Instead of importing all of the lists into each domain, we let the domain admins decide which lists they are interested in.
We have a new servlet, POST baseuri/group/[group name], for example test.thalia.mit.edu/group/thalia-dev, which imports the specified Moira list into the test domain in Thalia. It also populates the group's membership from the LDAP server, restricted to the users currently in the domain. For example, if the test domain has the users dongq and colodzin, the thalia-dev group in the domain will also contain dongq and colodzin.
We also have a Perl script on the server that runs every hour and continuously synchronizes the Thalia groups with the Moira groups. If the domain admin later adds the user boell to the test domain, one hour later user boell will be in the thalia-dev group. However, if we add a new user schen111 to the group thalia-dev in Moira, this information reaches ldap.mit.edu four hours later, so it can take up to 5 or 6 hours for the new user to appear in the thalia-dev group in Thalia.
Here is a list of the new servlets:
POST baseuri/group/[group name] imports a Moira group into Thalia and populates its membership. Only a domain admin is allowed to run this servlet.
DELETE baseuri/group/[group name] deletes the Thalia group; note that it does not affect the Moira group in any way. Only a domain admin is allowed to run this servlet.
GET baseuri/group/[group name] retrieves the membership of the specified group. This is open to regular Thalia users. There may be a privacy issue: in Moira there are hidden groups whose membership should be hidden from people, and this call violates that. However, since ldap.mit.edu already exposes that membership first, we are only exposing information that is already exposed elsewhere. We can always shut this servlet down.
GET baseuri/groups retrieves a list of groups in the domain.
Access control changes:
We added a new attribute "type" to all access control assignments to distinguish between users and groups. If the type is not set, it defaults to users.
For example, to give the group thalia-dev read access to a qualifier, you do:
<authz user="thalia-dev" type="group" role="read" qualifier="xxxxxx"/>
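As an added example (not Thalia's own Java servlets or Perl sync script), the membership rule from the synchronization section and the "type" attribute from the access control section modelled in Python; the LDAP snapshot, the function names and the literal value "user" for the default type are assumptions.

```python
# Added example, not Thalia's own code. Models two rules from the design note:
#  1. a Thalia group's membership is the Moira (LDAP) membership intersected with the
#     users of the domain, recomputed by the hourly sync;
#  2. an <authz .../> assignment without a type attribute is a user assignment.
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed snapshot of what ldap.mit.edu would return for two Moira lists
# (LDAP itself lags Moira by up to 4 hours, as the note says).
LDAP_GROUP_MEMBERS = {
    "thalia-dev": {"dongq", "colodzin", "boell", "schen111"},
    "thalia-admin": {"dongq"},
}

def sync_group_membership(ldap_members, domain_users):
    """Thalia membership = Moira members who are also users of this domain."""
    return set(ldap_members) & set(domain_users)

def sync_domain(imported_groups, ldap_snapshot, domain_users):
    """What the hourly sync produces for every group imported into a domain."""
    return {g: sync_group_membership(ldap_snapshot.get(g, ()), domain_users)
            for g in imported_groups}

@dataclass(frozen=True)
class Authz:
    user: str            # a username, or a group name when type == "group"
    role: str
    qualifier: str
    type: str = "user"   # assumed literal for the default (note says "defaults to users")

def parse_authz(xml_text):
    """Parse one <authz .../> element; a missing type attribute means a user assignment."""
    el = ET.fromstring(xml_text)
    return Authz(user=el.attrib["user"], role=el.attrib["role"],
                 qualifier=el.attrib["qualifier"], type=el.attrib.get("type", "user"))

def has_role(principal, role, qualifier, assignments, domain_groups):
    """True if principal holds role on qualifier directly or via an imported group."""
    for a in assignments:
        if a.role != role or a.qualifier != qualifier:
            continue
        if a.type == "user" and a.user == principal:
            return True
        if a.type == "group" and principal in domain_groups.get(a.user, set()):
            return True
    return False
```

Note that schen111 is in the Moira list but, not being a domain user, gains no rights through the group assignment until an admin adds that user to the domain.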
UI to-dos:
UI needs to provide an interface for users to import Moira groups.
UI needs to provide an interface to allow users to assign rights to a group (including listing all groups in the domain).
Due to the privacy issue, it is not clear whether the UI needs to provide an interface to show group membership.