Re: [scim] Request for Input
Phil Hunt <phil.hunt@oracle.com> Sun, 31 March 2013 19:31 UTC
Return-Path: <phil.hunt@oracle.com>
X-Original-To: scim@ietfa.amsl.com
Delivered-To: scim@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1833E21F86AE for <scim@ietfa.amsl.com>; Sun, 31 Mar 2013 12:31:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.999
X-Spam-Level:
X-Spam-Status: No, score=-3.999 tagged_above=-999 required=5 tests=[HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VUXmSPXnRhKp for <scim@ietfa.amsl.com>; Sun, 31 Mar 2013 12:31:37 -0700 (PDT)
Received: from userp1040.oracle.com (userp1040.oracle.com [156.151.31.81]) by ietfa.amsl.com (Postfix) with ESMTP id 93DA021F868B for <scim@ietf.org>; Sun, 31 Mar 2013 12:31:37 -0700 (PDT)
Received: from ucsinet22.oracle.com (ucsinet22.oracle.com [156.151.31.94]) by userp1040.oracle.com (Sentrion-MTA-4.3.1/Sentrion-MTA-4.3.1) with ESMTP id r2VJVY6I000440 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Sun, 31 Mar 2013 19:31:35 GMT
Received: from acsmt356.oracle.com (acsmt356.oracle.com [141.146.40.156]) by ucsinet22.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id r2VJVW6w025000 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Sun, 31 Mar 2013 19:31:33 GMT
Received: from abhmt108.oracle.com (abhmt108.oracle.com [141.146.116.60]) by acsmt356.oracle.com (8.12.11.20060308/8.12.11) with ESMTP id r2VJVVUe005742; Sun, 31 Mar 2013 14:31:31 -0500
Received: from [192.168.1.14] (/174.7.250.104) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Sun, 31 Mar 2013 12:31:31 -0700
Mime-Version: 1.0 (Apple Message framework v1283)
Content-Type: multipart/alternative; boundary="Apple-Mail=_62F1BF01-35D0-4A64-8B0C-849468B9230A"
From: Phil Hunt <phil.hunt@oracle.com>
In-Reply-To: <-2041779814984196830@unknownmsgid>
Date: Sun, 31 Mar 2013 12:31:36 -0700
Message-Id: <25337D60-E43F-4794-BF84-BD317869E5FB@oracle.com>
References: <CAPx6tN5PwV=hwifdCj3JiOKLsYCQZdewHOh7voau7OLSm3FWvg@mail.gmail.com> <AAE9F872-F35E-4A73-8674-4A7AF6C0537B@oracle.com> <56C3C758F9D6534CA3778EAA1E0C34375C3ADF35@BLUPRD0412MB643.namprd04.prod.outlook.com> <E963C9E3-BC9D-4E54-A409-ABC0B1FC7D9E@nexussafe.com> <-2041779814984196830@unknownmsgid>
To: Samuel Erdtman <samuel@erdtman.se>
X-Mailer: Apple Mail (2.1283)
X-Source-IP: ucsinet22.oracle.com [156.151.31.94]
Cc: Erik Wahlström <erik.wahlstrom@nexussafe.com>, Kelly Grizzle <kelly.grizzle@sailpoint.com>, Alexandre Santos <asantos@pingidentity.com>, "scim@ietf.org" <scim@ietf.org>
Subject: Re: [scim] Request for Input
X-BeenThere: scim@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Simple Cloud Identity Management BOF <scim.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/scim>, <mailto:scim-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/scim>
List-Post: <mailto:scim@ietf.org>
List-Help: <mailto:scim-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/scim>, <mailto:scim-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 31 Mar 2013 19:31:39 -0000
The trade off here is that the simple request you propose becomes complex because multiple operations must be completed against a resource rather then completing all changes in a single albeit somewhat more complex patch. The RESTful model now becomes more complex because now we have both a Resource level set of verbs and then we have attribute level verbs. Finally, it seems doubtful you could get rid of the current PATCH operation - by adding simple value modification proposed below, the spec would now have two ways of modifying things through 2 different RESTful models (per above). Overall, the spec gets much longer and more complex because it has multiple choices and RESTful verb models. Aside: We've talked at length about positional identifies before. The trouble with value identifiers is managing all those keys and requiring the client to look them up before deleting. In practice it seems simplest to just specify the value you want deleted and let the server sort it out on the server side (avoiding extra request/responses). The limitation of the server-side value key approach is you cannot have duplicate values. In general this seems reasonable. Another option that was considered is the JSON Patch draft. http://tools.ietf.org/html/draft-ietf-appsawg-json-patch-10 It works reasonably well when you know the entire contents of a JSON record/document. It's path construct doesn't really lend itself well to a Resource where the full document may not be available at the time of the PATCH. In other words, the SCIM operation is to patch a remote object rather than a JSON document in hand. In the end, it has the same limitation as the value identifiers. In particular for large groups, we want to avoid downloading the entire group just to allow the client to be able to patch it. It's also worth noting that a SCIM client may not be allowed to know about the entire set of members in a SCIM Group. A subtle tweak to the current PATCH that makes it more readable and less cryptic might be all we really need. Phil @independentid www.independentid.com phil.hunt@oracle.com On 2013-03-31, at 11:47 AM, Samuel Erdtman wrote: > I would vote for the simplest solution that solves the problem, I think Kelly raises a point that makes PUT and DELETE harder to get as clean as in the examples I.e. there is no single unique id for most multivalued attributes, the value attribute could be the same for several attributes e.g. Same phone number could be used for both mobile and work then it is the combination value and type that makes it unique. (With the current discussion on not requiring global unique id's for the combined set group and user will have the same problem if not required unique) > > The solution might be to something like this: > PUT /Groups/<group-Id>/<attribute>/ > e.g. > PUT /Groups/<group-Id>/members/ > > DELETE /Groups/<group-Id>/<attribute>/<type>/<value> > e.g. > DELETE /Groups/<group-Id>/members/User/<value> > > We could also allow replace in one operation by doing put to a uniquely identified attribute: > PUT /Groups/<group-Id>/<attribute>/<type>/<value> > e.g. > PUT /Groups/<group-Id>/members/User/<value> > > In case we go for a solution like this I think that we also should simplify or remove PATCH operation. We could do singe attribute delete, add and update like this: > PUT /Groups/<group-Id>/<attribute> (add or update attribute) > PUT /Groups/<group-Id>/<attribute> (remove attribute) > This has the disadvantage towards patch that you can only handle one attribute at the time or the full resource object. > > Finally I would like to remind everyone that we have had the discussion of adding an "unique" identifier to the attributes in a multivalued attribute and the strongest argument against was that it is not possible when putting SCIM on top of an existing data source. > > > Sent from my iPhone > > On 28 mar 2013, at 18:54, "Erik Wahlström" <erik.wahlstrom@nexussafe.com> wrote: > >> +1 >> Rather make patch mandatory before adding functionality to PUT and DELETE. Just for simplicity. >> / Erik >> >> On Mar 28, 2013, at 2:10 PM, Kelly Grizzle wrote: >> >>> PATCH was added specifically to address the “changing membership of a large group” use case. The POST/DELETE to the members endpoint was considered when looking into PATCH, but unfortunately this does not work in the general case. Specifically, this only works if the list elements have a unique identifier, so it fell apart when trying to apply this to adding/removing addresses (which do not have a unique identifier). >>> >>> I’m not convinced that we need to add another mechanism to solve this use case, but I do agree that PATCH could be simplified. >>> >>> --Kelly >>> >>> From: scim-bounces@ietf.org [mailto:scim-bounces@ietf.org] On Behalf Of Phil Hunt >>> Sent: Wednesday, March 27, 2013 7:02 PM >>> To: Alexandre Santos >>> Cc: scim@ietf.org >>> Subject: Re: [scim] Request for Input >>> >>> I think this may fit in with our discussion of adjusting PATCH to work better with multi-value and complex attributes (ticket 18). >>> >>> So far, we've been avoiding extended paths that go within the Resource entity (e.g. to address specific attributes). >>> >>> If you were to do the item below, I think you would have to add the attribute name to the path at the very least. >>> >>> PUT /Groups/<groupid>/members/Users/<userid> >>> >>> Still I think that may have problems if the member is actual a URL rather then a simple UUID. >>> >>> Phil >>> >>> @independentid >>> www.independentid.com >>> phil.hunt@oracle.com >>> >>> >>> >>> >>> >>> On 2013-03-27, at 4:01 PM, Alexandre Santos wrote: >>> >>> >>> For groups with many users (>10k) it becomes problematic to do POSTs or PUTs. The only alternative would be PATCH. However PATCH is not mandatory. >>> >>> For this reason we would like to request your input for the following proposal: allow membership changes via PUT and DELETE. >>> >>> For this the PUT and DELETE commands would be in the format: >>> PUT /Groups/<groupId>/user/<userId> - to add a user to a group >>> DELETE /Groups/<groupId>/user/<userId> - to remove the user from the group >>> >>> Thank you, >>> >>> Alexandre Santos | Sr. Development Engineer >>> PingIdentity | www.pingidentity.com >>> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - >>> O: 604.697.7056 >>> Email: asantos@pingidentity.com >>> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - >>> Connect with Ping >>> Twitter: @pingidentity >>> LinkedIn Group: Ping's Identity Cloud >>> Facebook.com/pingidentitypage >>> _______________________________________________ >>> scim mailing list >>> scim@ietf.org >>> https://www.ietf.org/mailman/listinfo/scim >>> >>> _______________________________________________ >>> scim mailing list >>> scim@ietf.org >>> https://www.ietf.org/mailman/listinfo/scim >> >> _______________________________________________ >> scim mailing list >> scim@ietf.org >> https://www.ietf.org/mailman/listinfo/scim > _______________________________________________ > scim mailing list > scim@ietf.org > https://www.ietf.org/mailman/listinfo/scim
- Re: [scim] Request for Input Alexandre Santos
- [scim] Request for Input Alexandre Santos
- Re: [scim] Request for Input Anthony Nadalin
- Re: [scim] Request for Input Phil Hunt
- Re: [scim] Request for Input Kelly Grizzle
- Re: [scim] Request for Input Erik Wahlström
- Re: [scim] Request for Input Samuel Erdtman
- Re: [scim] Request for Input Phil Hunt