•  
     
    story #8289 synchronize users in users groups
Summary
Empty
synchronize users in users groups
I can automate group synchronization with external tools

Add / remove users

PUT /v1/user_groups/{id}/users
[ {user reference}, {user reference}, ... ]

Where {user reference} can be one of:

  • {"id": integer}
  • {"username": string}
  • {"email": string}
  • {"ldap_id": string}

Note:

  • for email, if 2 accounts share the same email adress, an error is thrown (4XX, to be defined)
  • there can be only one entry in {user reference}, if one of the entry is {"id": 101, "username": "john"}, an error 4XX is thrown

This route will update the membership with the given list of users:

  • Add missing users
  • Remove users that are present in the group but not in the submitted array
  • This is meant to be used for large groups (400 / 500 people)
  • There is no notification of people (even for adding as project member)
  • As for all other user manipulation regarding ldap: there is no need of prior log-in of people. As soon as someone exist in LDAP, she can be added into the group

Covered groups:

  • works on all static and dynamic groups except Tracker v3 admins and global groups (registered users, ...).

Error management

By default, PUT /v1/user_groups/{id}/users will return 200 and process the list of user if all entries are valid:

  • Format is valid
  • Only one user match each entry (ie. there is no 2 accounts for a submitted email)
  • all users are added/removed

As soon as there is an error, a 4XX error is return and nothing is changed. All errors are listed (ie. we don't stop at first error). Note: as all REST errors, yhere is no guarranty that error is parsable and stable, it's meant for a human analysis.

Technical aspects

  • UserManager::getUserByIdentifier should already do part of the job regarding ldap_id (but we have to ensure it does an LDAP lookup if the ldap_id is not already present in Tuleap)
  • Team forecast weird egde cases due to the mix groups (static/dynamic) and the mixed nature of input
Empty
dylan bowden (dylan)
Status
Empty
Done
Development
  • [ ] Does it involves User Interface? 
  • [ ] Are there any mockups?
  • [ ] Are permissions checked?
  • [ ] Does it need Javascript development?
  • [ ] Does it need a forge upgrade bucket?
  • [ ] Does it need to execute things in system events?
  • [ ] Does it impact project creation (templates)?
  • [ ] Is it exploratory?
Empty
Details
#8289
Manuel Vacelet (vaceletm)
2015-11-02 17:28
2015-07-29 14:53
8528

References

Follow-ups

User avatar
Manuel
Can we rename this story with "synchronize users in users groups". "add/remove" is confusing, I though initially the end point could be used to specify a list of username to be added or removed. Wheras it's a synchro mechanism
User avatar
I checked with the end user and he said that it is ok like that.

Thanks Manuel for your clarification.
User avatar
Adding details about notifications and ldap people

  • Acceptance criteria
    Something went wrong, the follow up content couldn't be loaded
    Only formatting have been changed, you should switch to markup to see the changes
User avatar
The team split story #8307 that covers "list according to set visibility"

  • I want to
    -add/remove/list users in users groups 
    +add/remove users in users groups 
  • Acceptance criteria
    Something went wrong, the follow up content couldn't be loaded
    Only formatting have been changed, you should switch to markup to see the changes
User avatar
  • Acceptance criteria
    Something went wrong, the follow up content couldn't be loaded
    Only formatting have been changed, you should switch to markup to see the changes
User avatar

Changes:

  • I added the usage of ldap_id in addition to other identifiers
  • remove ?force as it's useless with ldap_id
  • add info about the number of people in groups

For notifications, could you please detail why this should be an option:

  • When do you want to notify and when do you want NOT to notify ?

  • Acceptance criteria
    Something went wrong, the follow up content couldn't be loaded
    Only formatting have been changed, you should switch to markup to see the changes
User avatar
The requester wants to add the LDAP_ID (employee_ID) to avoid the risk of errors.
As there might be several accounts for a single email, there is a risk of error if we try to add a user via the email . I would like to be able to use ldap_id and/or ldap_login in addition to email, username and tuleap id and therefore avoid the risk of error.

>> To my knowledge there is no such thing (email notification on group update) in Tuleap, could you detail the case ?
This is the case by default when adding/removing users in the special(dynamic?) group ‘members’. My understanding is that the members group is supported as well ?
User avatar
Salma what the users are thinking about the proposal on error management (esp. best effort "?force" mode) ?

We wrote the "?force" use case but, on our side, we don't intend to implement it as the result seems extremely unreliable and cumbersome. However we are maybe missing something important, maybe the users can come up with a compelling example proven us wrong.

  • Acceptance criteria
    Something went wrong, the follow up content couldn't be loaded
    Only formatting have been changed, you should switch to markup to see the changes
User avatar
Update with a proposal for error management

  • Acceptance criteria
    Something went wrong, the follow up content couldn't be loaded
    Only formatting have been changed, you should switch to markup to see the changes
  • CC list set to dylan bowden (dylan)
User avatar

Following discussion / estimation with the team, we updated the proposition.
For the record:
- PATCH idempotency was an issue because other PATCH on the platform are NOT idempotent
- PUT is easier to consume when you maintain a list of user (like if you want to automate the import of a list from one tool to another) as the client doesn't have to compute the diff (what to add, what to remove)

About your questions:

We need to use an LDAP identifier (login or employee id (ldap_id)) to remove the case of many logins with the same email address. In fact when does this case happen?

I don't undestand this part: do you want to use ldap_id and/or ldap login in addition to email, username and tuleap id ?

Tuleap doesn't mandate to have 1 emai == 1 account so it's possible to have one email address shared by several Tuleap accounts. It's often the case for admin accounts and it might also be the case in your LDAP (I don't know how it works)

Moreover, we need to disable (using an option) the e-mail notification when we edit a group members.

To my knowledge there is no such thing (email notification on group update) in Tuleap,  could you detai the case ?


I have understood that we can add/remove many users using the same query.
Am I right? 

Yes

What does it happen when it does not work (many logins for the same email, e-mail not found, …). Does the command stop without doing anything or does it work and do what can be done? 

I prefer that the command does what can be done and return an error listing what did not work. 

I will check with the team


  • Acceptance criteria
    Something went wrong, the follow up content couldn't be loaded
    Only formatting have been changed, you should switch to markup to see the changes
User avatar
Hello Manuel,

There is the answer of the requester:
***************************************************
We need to use an LDAP identifier (login or employee id (ldap_id)) to remove the case of many logins with the same email address. In fact when does this case happen?

Moreover, we need to disable (using an option) the e-mail notification when we edit a group members.

I have understood that we can add/remove many users using the same query.
Am I right?

What does it happen when it does not work (many logins for the same email, e-mail not found, …). Does the command stop without doing anything or does it work and do what can be done?

I prefer that the command does what can be done and return an error listing what did not work.
***************************************************

Thanks for your clarification.

  • Acceptance criteria
    Something went wrong, the follow up content couldn't be loaded
    Only formatting have been changed, you should switch to markup to see the changes
  • CC list cleared values: None
  • Permissions set to