Data exchange

Security services offers several flexible ways to exchange security data. Keep in mind that restoring a security database must be done with care, because some settings in the database contain URLs that depend on the environment. Our suggestion is to use the data exchange options described in this section.

Concept

Data exchange has been organised around two main concepts: applications and domains.

Applications

We are already familiar with the application concept. Applied to data exchange, it means that all operations can be performed either within the scope of an application or globally, so we can move all data or only the data related to one application. This approach gives us the mechanism we need to keep each application's configuration independent of other applications while still managing all information in a central service.

Domains

Domains organize the data into different areas: Authorization, Authentication, Users, Entities, MembershipSets. This separation responds to the different use cases behind each domain:

  • Authorization: the audience is DevOps teams and deployment teams. This is related to the pure installation of the application.
  • Authentication: In the initial installation, this is installed with a vanilla configuration. During the configuration process, business analysts work with this domain (groups, roles, permissions, ...).
  • Users: It is not common to move users from one environment to another, but this domain makes it possible. This is really important for setting up automated testing environments.
  • Entities: Allows entity configuration to be moved across different environments.
  • MembershipSet: Allows membership set configuration to be moved across different environments.

Clients

Data exchange functionality is offered through three different clients:

  • Administration UI, which actually calls the API.
  • API, documented in the Data Exchange specification in Swagger, under the Security Rest API.
  • sequel-security tool, a console tool that offers multiple operations for managing security configuration. This is the most powerful and complete client.

Operations

Import and export

These operations import and export security configuration. By design, not every client exposes them with the same functionality. The commands are fully supported in the console tool; in the API and UI, however, it is only possible to manage the Authorization domain.

Package format

The import/export package is a zip file that contains a predefined folder structure and JSON files. The structure is organised by applications and domains, as described below:

    \Applications
        \{ApplicationKey}
            \Application.json
            \Authentication
                \ApiResource.json
                \Clients.json
            \Authorization
                \Groups.json
                \Roles.json
                \Securable.json
                \userTypes.json
        \{ApplicationKey}
            \Application.json
            \Authentication
                \ApiResource.json
                \Clients.json
            \Authorization
                \Groups.json
                \Roles.json
                \Securable.json
                \userTypes.json

This zip file can contain more than one application; however, when installing, only the domains and applications passed in the request will be processed. When exporting, the folder structure is followed even if the export parameters affect only one or two files.
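Before importing a package received from another environment, it helps to list which applications and domains it actually carries and to reject entries that fall outside the layout above. The following is an added example, not code from Security services or the sequel-security tool: the `SampleApp` key and the two bad entries are constructed, and the strictness of the checks is an assumption.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Domain names as written on this page (it uses both MembershipSet spellings).
DOMAINS = {"Authorization", "Authentication", "Users", "Entities",
           "MembershipSets", "MembershipSet"}

def inspect_package(data: bytes):
    """Map ApplicationKey -> {domain: [files]} and list entries that do not
    fit the Applications/{ApplicationKey}/{Domain}/*.json layout."""
    contents, problems = {}, []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename.replace("\\", "/")  # tolerate '\' separators
            parts = PurePosixPath(name).parts
            if not parts or name.startswith("/") or ".." in parts or ":" in parts[0]:
                problems.append(f"unsafe path: {info.filename}")
            elif parts[0] != "Applications" or len(parts) not in (3, 4):
                problems.append(f"outside expected layout: {info.filename}")
            elif len(parts) == 3 and parts[2] == "Application.json":
                contents.setdefault(parts[1], {})
            elif len(parts) == 4 and parts[2] in DOMAINS and name.endswith(".json"):
                contents[parts[1]] = contents.get(parts[1], {})
                contents[parts[1]].setdefault(parts[2], []).append(parts[3])
            else:
                problems.append(f"unexpected entry: {info.filename}")
    return contents, problems

def build_sample() -> bytes:
    """Constructed sample: one well-formed application plus two bad entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Applications/SampleApp/Application.json", "{}")
        for f in ("ApiResource.json", "Clients.json"):
            zf.writestr(f"Applications/SampleApp/Authentication/{f}", "[]")
        for f in ("Groups.json", "Roles.json", "Securable.json", "userTypes.json"):
            zf.writestr(f"Applications/SampleApp/Authorization/{f}", "[]")
        zf.writestr("Applications/SampleApp/../../escape.json", "[]")
        zf.writestr("Applications/SampleApp/Scripts/run.json", "[]")
    return buf.getvalue()

if __name__ == "__main__":
    apps, issues = inspect_package(build_sample())
    print(apps)
    print(issues)
```

A package with a non-empty problem list is better fixed at the source environment and re-exported than edited by hand.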

Sync

The sync operation helps to resynchronize a legacy security database with the latest security data. It is available in the console tool and also in the UI and API; however, it works in different ways:

  • sequel-security: the synchronization is done by reading data directly from one database and storing it in the legacy database. This is useful for testing environments.
  • API and UI: the synchronization here is just the act of starting the sync process by emitting a message to the bus to let legacy sync consumers know that a full sync is required.

Repoint clients

Clients in security contain information that is specific to an environment: URLs and Origins. In some scenarios, such as restoring a database from production to a testing environment, it is necessary to add the URLs for the new environment. This option makes the task really simple: you provide the original pattern, which selects the affected data, and the new pattern (for example, moving from http://old-server-name/Auth to http://new-server-name/Auth).
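The idea behind repointing, and the check worth running afterwards on a restored database, can be sketched as follows. This is an added example, not the sequel-security implementation: the client record and its field names (`ClientId`, `RedirectUris`, `Origins`) are constructed, and the boundary rule for matching is an assumption.

```python
import json

def repoint(value: str, old: str, new: str) -> str:
    """Replace `old` only when it is a whole URL prefix of `value`."""
    old, new = old.rstrip("/"), new.rstrip("/")
    if value.lower().startswith(old.lower()):
        rest = value[len(old):]
        # Boundary check: 'http://old-server-name.example' must not match.
        if rest == "" or rest[0] in "/?#":
            return new + rest
    return value

def repoint_tree(node, old, new, changes):
    """Walk parsed JSON, repointing every string; record (before, after)."""
    if isinstance(node, dict):
        return {k: repoint_tree(v, old, new, changes) for k, v in node.items()}
    if isinstance(node, list):
        return [repoint_tree(v, old, new, changes) for v in node]
    if isinstance(node, str):
        after = repoint(node, old, new)
        if after != node:
            changes.append((node, after))
        return after
    return node

def leftovers(node, needle):
    """Strings that still mention `needle` after repointing, for review."""
    if isinstance(node, dict):
        node = list(node.values())
    if isinstance(node, list):
        return [s for v in node for s in leftovers(v, needle)]
    return [node] if isinstance(node, str) and needle in node else []

# Constructed sample client; field names are hypothetical.
SAMPLE = json.loads("""[{"ClientId": "sample-ui",
  "RedirectUris": ["http://old-server-name/Auth/callback"],
  "Origins": ["http://old-server-name", "http://old-server-name.example"]}]""")

def run_sample():
    changes = []
    result = repoint_tree(SAMPLE, "http://old-server-name",
                          "http://new-server-name", changes)
    return result, changes, leftovers(result, "old-server-name")

if __name__ == "__main__":
    for item in run_sample():
        print(item)
```

Anything returned by `leftovers` is a client setting in the restored environment that still points at the original one and needs a decision before the environment is used.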