Skip to end of banner
Go to start of banner

How to handle CapabilitySets which include Capabilities which may not be deflined yet.

Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

Version 1 Next »

Spike Overview

JIRA ID: EUREKA-90 How to handle CapabilitySets which include Capabilities which may not be deflined yet.

Objective: EUREKA needs to manage a capability set that includes capabilities that do not yet exist on the platform.

Problem Statement

The UI module's descriptor includes a permission set with permissions from other backend modules. When the application is entitled, UI modules can be installed earlier than backend modules, as the process occurs asynchronously via an event from Kafka. In this scenario, EUREKA does not create a capability set and skips this event because it lacks sufficient information to create it and associate it with existing resources in Keycloak. OKAPI checks permissions at runtime and does not make any pre-installations.

Deliverables

Folio-Page-13.png

Option 1 Postpone the UI events in the database to process them later, after processing all backend modules' events.

The approach requires that capability events for UI modules are not sent until all backend modules have been processed, and a delay or confirmation event from mod-role-keycloak indicates that all backend modules have been installed.

Pros

This can be quickly implemented to resolve the issue for phase one, especially when we will have a couple of large applications installed on the EUREKA platform.

Cons

This approach does not handle proper permissions set when one of the permissions would be in another application and would be installed late.

Option 2 Rearrange the application descriptor so that UI module capability events are sent only after all backend module events have been sent:

The approach involves rearranging the processing of modules to send all UI modules only after all backend modules have already been processed.

Pros

This can be quickly implemented to resolve the issue for phase one, especially when we will have a couple of large applications installed on the EUREKA platform.

Cons

This approach does not handle proper permissions set when one of the permissions would be in another application and would be installed late.

Option 3 involves creating postponed jobs for the capability events that have not been processed, and triggering them again when a new application is installed.

If we encounter an issue while processing a capability event and cannot proceed correctly, we will create a postponed job from this event and store it in the database. The postponed jobs will attempt to rerun once the mod-roles-keycloak receives another event indicating that a new application has been installed or updated. It is essential to ensure that these jobs start only after the application installation has been completed.

Pros

This approach would handle all possible cases where the UI modules have permission sets with permissions from other backend modules, which could be defined in other applications.

Cons

The approach will require a long time to implement.

Risks & Assumptions

  1. The approach will correctly manage capability sets within one application but won't handle permissions defined in another application. For a long-term solution, we need to implement a more complex approach with postponed jobs. These jobs will run periodically and attempt to create capability sets.

Conclusion

I would choose option two, which can be easily implemented for phase one when we only have one big application. This approach would solve the current problem. However, for a long-term solution, we need to consider using some postponed jobs. These jobs would need to run periodically to check which events have been processed correctly and which still need to be postponed and rerun later.

Spike Status: COMPLITED

  • No labels