com.waveset.provision
Class Provisioner

java.lang.Object
  extended by com.waveset.provision.Provisioner
All Implemented Interfaces:
WavesetProperties.Listener

public class Provisioner
extends java.lang.Object
implements WavesetProperties.Listener

The Provisioner class implements what the design refers to as the "Provisioning Engine". It is the object responsible for coordinating the provisioning of accounts among multiple resources, enforcing rules defined by the role, and implementing provisioning notification options defined by the role.

A Provisioner object is typically maintained by the singleton Server, and also may be maintained by one or more WorkflowProvisioner objects managed by the workflow engine.

There is currently no real need for this to be a singleton, though we do need references to some singletons, notably the repository and the cache. They are supplied through the constructor. We also need a few other things, which we'll assume we can get through their static factory methods.

Much of the original logic has been moved into the ProvisionContext class, as part of a redesign to support multiple provisioning threads.


Nested Class Summary
static class Provisioner.ProvisionOp
           
 
Field Summary
static java.lang.String code_id
           
static java.lang.String DEFAULT_FORM
          The name of the Configuration object containing the form to use for reProvisioning.
static java.lang.String IDENTITY_ATTRIBUTE
          Special attribute name that may be passed down in the ResourceInfo._attributes map to convey the full identity of the account.
static java.lang.String OLD_USER_FORM
          The id of the Configuration object containing the original user form, provided for backward compatibility.
protected static Trace trace
           
 
Constructor Summary
Provisioner(LighthouseContext context)
           
Provisioner(LighthouseContext context, PolicyManager policies, PolicyProcessor policyProcessor)
           
 
Method Summary
 void checkPasswordPolicies(WSUser user, ProvisioningOptions options)
          Check accountId and password policies for the Lighthouse user and resource accounts.
 void checkPolicies(WSUser user, ProvisioningOptions options)
          Check all policies enforced by the provisioning engine.
 WavesetResult deleteAccount(ProvisioningOptions ops)
          Delete the Lighthouse account.
 WavesetResult deProvision(ProvisioningOptions ops)
          Deprovision resource accounts (but retain the Lighthouse account).
 void fetchAccounts(ProvisioningOptions options)
          Given a user object, fetch resource accounts associated with this user, and merge their attributes into the user object.
 void generateIdentity(WSUser user, ResourceInfo info, boolean tolerateFailure, WSUser resuser, ResourceResult result)
          Fill in any accountId missing from the resource info.
 ResourceAdapter getAdapter(Resource res)
          Get the adapter for a resource definition.
 ObjectCache getCache()
          Return the cache we use.
 LighthouseContext getContext()
           
 Policy getLighthousePolicy(WSUser user)
          Return the effective Lighthouse policies.
 ProvisionMonitor getMonitor()
          Get the currently registered ProvisioningMonitor.
 OrderedResourceOps getOrderedResourceOps(ProvisioningOptions ops, boolean deProvision)
           
 PasswordGenerator getPasswordGenerator()
          Return a password generator.
 PolicyManager getPolicyManager()
          Exposed only so we can get to a policy manager from within ProvisionResult.
 java.util.List getResourceOps(ProvisioningOptions ops)
          Build the list of resource "ops" that would be used to process a provision with the given options.
 java.util.List getResourceOps(WSUser user)
          This method returns the list of ResourceOp objects that would be built if a provision or reprovision were done.
 void println(java.lang.String msg)
           
 void propertiesFileChanged()
          Properties file listener.
 WavesetResult provision(ProvisioningOptions options)
          Provision a new Lighthouse user and optionally create resource accounts.
 WavesetResult reProvision(ProvisioningOptions ops)
          Perform a provisioning pass on an existing user account.
 void setCurrentTime(java.util.Date d)
          Set the current time override.
 void setMonitor(ProvisionMonitor mon)
          Used by IDMX to disable the recon monitor.
 void setPasswordExpiration(WSUser user)
          Public utility method to reset a user's password expiration.
 void updateResetHistory(WSUser user, boolean checkLimits)
          Called by the password views to maintain the reset history on the user object, and optionally check for reset limits.
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Field Detail

code_id

public static final java.lang.String code_id
See Also:
Constant Field Values

trace

protected static final Trace trace

IDENTITY_ATTRIBUTE

public static final java.lang.String IDENTITY_ATTRIBUTE
Special attribute name that may be passed down in the ResourceInfo._attributes map to convey the full identity of the account.

See Also:
Constant Field Values

DEFAULT_FORM

public static final java.lang.String DEFAULT_FORM
The name of the Configuration object containing the form to use for reProvisioning. Normally the form will be defined in the System Configuration object, we use this if nothing else is defined.

See Also:
Constant Field Values

OLD_USER_FORM

public static final java.lang.String OLD_USER_FORM
The id of the Configuration object containing the original user form, provided for backward compatibility.

See Also:
Constant Field Values
Constructor Detail

Provisioner

public Provisioner(LighthouseContext context)
            throws WavesetException

Provisioner

public Provisioner(LighthouseContext context,
                   PolicyManager policies,
                   PolicyProcessor policyProcessor)
            throws WavesetException
Method Detail

getContext

public LighthouseContext getContext()

getPolicyManager

public PolicyManager getPolicyManager()
Exposed only so we can get to a policy manager from within ProvisionResult. Unfortunate.


getMonitor

public ProvisionMonitor getMonitor()
Get the currently registered ProvisioningMonitor. For now we'll assume this is a global setting managed by LighthouseContext, though we could manage it locally or put it in ProvisioningOptions.


setMonitor

public void setMonitor(ProvisionMonitor mon)
Used by IDMX to disable the recon monitor.


setCurrentTime

public void setCurrentTime(java.util.Date d)
Set the current time override.


getCache

public ObjectCache getCache()
Return the cache we use. Used by things we spawn like ProvisionContext.


propertiesFileChanged

public void propertiesFileChanged()
Properties file listener.

Specified by:
propertiesFileChanged in interface WavesetProperties.Listener

println

public void println(java.lang.String msg)

generateIdentity

public void generateIdentity(WSUser user,
                             ResourceInfo info,
                             boolean tolerateFailure,
                             WSUser resuser,
                             ResourceResult result)
                      throws WavesetException
Fill in any accountId missing from the resource info.

Throws:
WavesetException

getResourceOps

public java.util.List getResourceOps(WSUser user)
                              throws WavesetException
This method returns the list of ResourceOp objects that would be built if a provision or reprovision were done. This can be used to display information about what is about to happen during a reprovision, including what accounts will be created, updated, and deleted.

Since this is for informational purposes, make sure that ProvisionContext.buildResourceOps continues to be a relatively cheap operation. It shouldn't be doing any repo or resource hits.

Throws:
WavesetException

getOrderedResourceOps

public OrderedResourceOps getOrderedResourceOps(ProvisioningOptions ops,
                                                boolean deProvision)
                                         throws WavesetException
Returns:
OrderedResourceOps, which can be used to directly set the operations to perform via ProvisioningOptions.
Throws:
WavesetException

getResourceOps

public java.util.List getResourceOps(ProvisioningOptions ops)
                              throws WavesetException
Build the list of resource "ops" that would be used to process a provision with the given options.

Throws:
WavesetException

getLighthousePolicy

public Policy getLighthousePolicy(WSUser user)
                           throws WavesetException
Return the effective Lighthouse policies. Note that this is different from the accountId/password policy returned by getDefaultPolicy.

Throws:
WavesetException

setPasswordExpiration

public void setPasswordExpiration(WSUser user)
                           throws WavesetException
Public utility method to reset a user's password expiration. Called by UserViewer if the OP_NO_REPROVISION option is on (which it never is). Also called by WorkflowServices immediately after converting the view back to a user. !! I don't like this, we probably ought to always go through reProvision with an option to disable resource account updates, so we can better encapsulate the constraints.

Throws:
WavesetException

getAdapter

public ResourceAdapter getAdapter(Resource res)
                           throws WavesetException
Get the adapter for a resource definition. Shorthand for a comparatively unwieldy call that you always forget.

Throws:
WavesetException

provision

public WavesetResult provision(ProvisioningOptions options)
                        throws MissingAttribute,
                               PolicyViolation,
                               WavesetException
Provision a new Lighthouse user and optionally create resource accounts.

Throws:
MissingAttribute
PolicyViolation
WavesetException

checkPasswordPolicies

public void checkPasswordPolicies(WSUser user,
                                  ProvisioningOptions options)
                           throws WavesetException
Check accountId and password policies for the Lighthouse user and resource accounts. Accounts are identified through ProvisioningOptions. Called by several view handlers to check policies before storing the user or launching a workflow.

We assume the ResourceInfo list is fleshed out as necessary.

This is subject to certain provisioning options, notably the targetResources list and the noCreate flag. This is important for some BNSF cases where they want to set the Lighthouse password and the RACF password differently with different policies. But the user may have a ResourceInfo for RACF with created=false so we have to allow the Lighthouse password policy to be checked without assuming that this password will also be pushed to RACF.

Throws:
WavesetException

checkPolicies

public void checkPolicies(WSUser user,
                          ProvisioningOptions options)
                   throws WavesetException
Check all policies enforced by the provisioning engine. This currently includes password and accountId policies. This is a public method intended to be called from the user view. We originally called only checkPasswordPolicies, but also needed to check account ID policies.

This should now always be called prior to getting into the provisioner. provision() and reProvision() will continue to check policies, but it should be done sooner so the errors can be displayed before the task suspends for approvals.

Throws:
WavesetException

getPasswordGenerator

public PasswordGenerator getPasswordGenerator()
                                       throws WavesetException
Return a password generator. Used by a few views like ResetPasswordViewer that need to generate passwords before getting into the provisioner.

Throws:
WavesetException

reProvision

public WavesetResult reProvision(ProvisioningOptions ops)
                          throws WavesetException
Perform a provisioning pass on an existing user account.

This will reconcile changes made to the resource lists, and propagate any pending changes found in the user object to the resources.

Note that if we're propagating password changes, we expect the password policies to have been checked by now, and the expiration date to have been set relative to the time the change was made, which may have been some time ago. This is normally done by a view handler.

Throws:
WavesetException

deProvision

public WavesetResult deProvision(ProvisioningOptions ops)
                          throws WavesetException
Deprovision resource accounts (but retain the Lighthouse account).

NOTE: !! Now that we're exposing deProvision and deleteAccount as two options of the same thing, we should merge them so we can do both without hitting the repo twice.

Throws:
WavesetException

deleteAccount

public WavesetResult deleteAccount(ProvisioningOptions ops)
                            throws WavesetException
Delete the Lighthouse account. Throw an error if there are any existing resource accounts unless the "force delete" option is on.

Throws:
WavesetException

updateResetHistory

public void updateResetHistory(WSUser user,
                               boolean checkLimits)
                        throws WavesetException
Called by the password views to maintain the reset history on the user object, and optionally check for reset limits.

Throws:
WavesetException

fetchAccounts

public void fetchAccounts(ProvisioningOptions options)
                   throws WavesetException
Given a user object, fetch resource accounts associated with this user, and merge their attributes into the user object.

Convenience method that combines the fetchAccounts and mergeAccounts methods.

If the resources list is null, all of the accounts associated with this user are fetched.

Throws:
WavesetException