Eclipse Community Forums: Board committer reps

Home » Archived » Board committer reps » how to address this

Fri, 20 April 2007 10:04

Eclipse User

Hi,

I am not sure how to address this issue and looking for advice.

In development process we usually have several identities for each
developer and each identity is managed in its own system, such as
version control systems (CVS, SVN, etc), issue tracking systems
(Bugzilla, JIRA, etc), instant messaging systems (icq, xmpp, gtalk,
yahoo, skype, etc) and regular email. In IDEs each of those those
identities is managed by its own plugin. For example in Eclipse, CVS and
SVN identities are known by team version control providers, issue
tracking systems are managed by Mylar or specialized plugins, and
instant messaging identities are managed by ECF.

As a result, we don't really have links between those identities. For
example, we can't open an entry in the CVS History, Synchronize view or
CVS annotation (aka "blame" thing) in the editor and send an instant
message to the user who committed that change (say when he did something
outstanding or if he did something terrifying) or see if person who made
comment to the bug report is online.

We need some kind of address book or roster UI and correspond backend
that would allow to manage multiple user identities and would allow 3rd
party components to interact with those identities. The closest piece
Eclipse have right now is the Roster view from ECF, but it still quite
far from supporting such feature and it is unclear if it even in scope
of the ECF project.

IBM Jazz project choose different approach to this issue. since they
built their own issue tracker, version control system and even instant
messaging system they got unified identity across all those systems.
Unfortunately in the real world we have to deal with number of existing
legacy systems.

Does anyone have thoughts on this and what is the best way to address
this need?

regards,
Eugene

PS: you can also comment to my blog post at
http://jroller.com/page/eu?entry=multiple_identies

Re: how to address this [message #2916 is a reply to message #2898]

Fri, 20 April 2007 10:34

Eclipse User

Originally posted by: merks.ca.ibm.com

This is a multi-part message in MIME format.
--------------000301080405040901000605
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit

Eugene,

Yes, managing all these identities is a big pain! At IBM we have
multiple such things too and tomorrow a bunch of my passwords expire,
which happens every three months. So it's time to start changing
passwords again. And of course different systems have different
password rules, so it's hard to get one password that works for all the
systems. And that means you have to write them down, which kind of
defeats their security, and undermines the very reason for making them
expire so often and for defining rules to restrict your choice of
password. It's such a joy to be told that a password no one would ever
guess is nevertheless trivial by some undocumented algorithm.

Are you aware of the Higgins Trust Framework project?

http://www.eclipse.org/higgins/

I don't know much about it, but I think it's trying to address exactly
this type of problem and I suppose it could be used by other projects at
some point in the future.

Eugene Kuleshov wrote:
> Hi,
>
> I am not sure how to address this issue and looking for advice.
>
> In development process we usually have several identities for each
> developer and each identity is managed in its own system, such as
> version control systems (CVS, SVN, etc), issue tracking systems
> (Bugzilla, JIRA, etc), instant messaging systems (icq, xmpp, gtalk,
> yahoo, skype, etc) and regular email. In IDEs each of those those
> identities is managed by its own plugin. For example in Eclipse, CVS
> and SVN identities are known by team version control providers, issue
> tracking systems are managed by Mylar or specialized plugins, and
> instant messaging identities are managed by ECF.
>
> As a result, we don't really have links between those identities. For
> example, we can't open an entry in the CVS History, Synchronize view
> or CVS annotation (aka "blame" thing) in the editor and send an
> instant message to the user who committed that change (say when he did
> something outstanding or if he did something terrifying) or see if
> person who made comment to the bug report is online.
>
> We need some kind of address book or roster UI and correspond backend
> that would allow to manage multiple user identities and would allow
> 3rd party components to interact with those identities. The closest
> piece Eclipse have right now is the Roster view from ECF, but it still
> quite far from supporting such feature and it is unclear if it even in
> scope of the ECF project.
>
> IBM Jazz project choose different approach to this issue. since they
> built their own issue tracker, version control system and even instant
> messaging system they got unified identity across all those systems.
> Unfortunately in the real world we have to deal with number of
> existing legacy systems.
>
> Does anyone have thoughts on this and what is the best way to address
> this need?
>
> regards,
> Eugene
>
> PS: you can also comment to my blog post at
> http://jroller.com/page/eu?entry=multiple_identies
>

--------------000301080405040901000605
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
Eugene, 
 
Yes, managing all these identities is a big pain!   At IBM we have
multiple such things too and tomorrow a bunch of my passwords expire,
which happens every three months.  So it's time to start changing
passwords again.  And of course different systems have different
password rules, so it's hard to get one password that works for all the
systems.  And that means you have to write them down, which kind of
defeats their security, and undermines the very reason for making them
expire so often and for defining rules to restrict your choice of
password.  It's such a joy to be told that a password no one would ever
guess is nevertheless trivial by some undocumented algorithm.  
 
Are you aware of the Higgins Trust Framework project? 
<blockquote><a href="http://www.eclipse.org/higgins/">http://www.eclipse.org/higgins/</a> 
</blockquote>
I don't know much about it, but I think it's trying to address exactly
this type of problem and I suppose it could be used by other projects
at some point in the future. 
 
 
Eugene Kuleshov wrote:
<blockquote cite="midf0ah9e$mk4$1@build.eclipse.org" type="cite">Hi,
 
 
 I am not sure how to address this issue and looking for advice.
 
 
 In development process we usually have several identities for each
developer and each identity is managed in its own system, such as
version control systems (CVS, SVN, etc), issue tracking systems
(Bugzilla, JIRA, etc), instant messaging systems (icq, xmpp, gtalk,
yahoo, skype, etc) and regular email. In IDEs each of those those
identities is managed by its own plugin. For example in Eclipse, CVS
and SVN identities are known by team version control providers, issue
tracking systems are managed by Mylar or specialized plugins, and
instant messaging identities are managed by ECF.
 
 
 As a result, we don't really have links between those identities. For
example, we can't open an entry in the CVS History, Synchronize view or
CVS annotation (aka "blame" thing) in the editor and send an instant
message to the user who committed that change (say when he did
something outstanding or if he did something terrifying) or see if
person who made comment to the bug report is online.
 
 
 We need some kind of address book or roster UI and correspond backend
that would allow to manage multiple user identities and would allow 3rd
party components to interact with those identities. The closest piece
Eclipse have right now is the Roster view from ECF, but it still quite
far from supporting such feature and it is unclear if it even in scope
of the ECF project.
 
 
 IBM Jazz project choose different approach to this issue. since they
built their own issue tracker, version control system and even instant
messaging system they got unified identity across all those systems.
Unfortunately in the real world we have to deal with number of existing
legacy systems.
 
 
 Does anyone have thoughts on this and what is the best way to address
this need?
 
 
 regards,
 
 Eugene
 
 
PS: you can also comment to my blog post at
<a class="moz-txt-link-freetext" href="http://jroller.com/page/eu?entry=multiple_identies">http://jroller.com/page/eu?entry=multiple_identies</a>
 
 
</blockquote>
 
</body>
</html>

--------------000301080405040901000605--

Re: how to address this [message #2935 is a reply to message #2916]

Fri, 20 April 2007 10:52

Eclipse User

Ed,

From what I been able to dig out, Higgins project is not planning to
provide UI for managing or matching identities and it is more focused on
managing identities for the current user.

For use cases I mentioned we need to manage or collect identities of
other users. So, managing passwords is not needed for such purpose, but
the key feature is to link ids of some arbitrary user in different
systems. I think task is quite trivial. Practically map of maps kind of
structure that can be maintained locally, or trough some kind of data
provider (maybe even Higgins). The only issue is how to standardize such
API and UI that can be used by all consumers.

regards,
Eugene

Ed Merks wrote:
> Eugene,
>
> Yes, managing all these identities is a big pain! At IBM we have
> multiple such things too and tomorrow a bunch of my passwords expire,
> which happens every three months. So it's time to start changing
> passwords again. And of course different systems have different
> password rules, so it's hard to get one password that works for all
> the systems. And that means you have to write them down, which kind
> of defeats their security, and undermines the very reason for making
> them expire so often and for defining rules to restrict your choice of
> password. It's such a joy to be told that a password no one would
> ever guess is nevertheless trivial by some undocumented algorithm.
>
> Are you aware of the Higgins Trust Framework project?
>
> http://www.eclipse.org/higgins/
>
> I don't know much about it, but I think it's trying to address exactly
> this type of problem and I suppose it could be used by other projects
> at some point in the future.
>
>
> Eugene Kuleshov wrote:
>> Hi,
>>
>> I am not sure how to address this issue and looking for advice.
>>
>> In development process we usually have several identities for each
>> developer and each identity is managed in its own system, such as
>> version control systems (CVS, SVN, etc), issue tracking systems
>> (Bugzilla, JIRA, etc), instant messaging systems (icq, xmpp, gtalk,
>> yahoo, skype, etc) and regular email. In IDEs each of those those
>> identities is managed by its own plugin. For example in Eclipse, CVS
>> and SVN identities are known by team version control providers, issue
>> tracking systems are managed by Mylar or specialized plugins, and
>> instant messaging identities are managed by ECF.
>>
>> As a result, we don't really have links between those identities.
>> For example, we can't open an entry in the CVS History, Synchronize
>> view or CVS annotation (aka "blame" thing) in the editor and send an
>> instant message to the user who committed that change (say when he
>> did something outstanding or if he did something terrifying) or see
>> if person who made comment to the bug report is online.
>>
>> We need some kind of address book or roster UI and correspond
>> backend that would allow to manage multiple user identities and would
>> allow 3rd party components to interact with those identities. The
>> closest piece Eclipse have right now is the Roster view from ECF, but
>> it still quite far from supporting such feature and it is unclear if
>> it even in scope of the ECF project.
>>
>> IBM Jazz project choose different approach to this issue. since they
>> built their own issue tracker, version control system and even
>> instant messaging system they got unified identity across all those
>> systems. Unfortunately in the real world we have to deal with number
>> of existing legacy systems.
>>
>> Does anyone have thoughts on this and what is the best way to
>> address this need?
>>
>> regards,
>> Eugene
>>
>> PS: you can also comment to my blog post at
>> http://jroller.com/page/eu?entry=multiple_identies
>>
>

Re: how to address this [message #2952 is a reply to message #2935]

Fri, 20 April 2007 14:10

Eclipse User

Mhm, this might be really off-topic for this newsgroup for now but I
found a very pragmatic approach for this. :)

I have one of those computers with a TPM chip and it works great with
the provided password software. I never have to enter a password again
plus non of the passwords are stored by any software but the password
manager in the secured area. Thus, I just scan my fingerprint to logon
and the rest is handled automatically.

Cu, Gunnar

--
Gunnar Wagenknecht
gunnar@wagenknecht.org
http://wagenknecht.org/

Re: how to address this [message #2967 is a reply to message #2952]

Fri, 20 April 2007 14:59

Eclipse User

Gunnar, just to clarify, my use case has nothing to do with managing
personal passwords.

regards,
Eugene

Gunnar Wagenknecht wrote:
> Mhm, this might be really off-topic for this newsgroup for now but I
> found a very pragmatic approach for this. :)
>
> I have one of those computers with a TPM chip and it works great with
> the provided password software. I never have to enter a password again
> plus non of the passwords are stored by any software but the password
> manager in the secured area. Thus, I just scan my fingerprint to logon
> and the rest is handled automatically.
>
> Cu, Gunnar
>
>

Re: how to address this [message #3029 is a reply to message #2898]

Sat, 21 April 2007 02:01

Eclipse User

Originally posted by: slewis.composent.com

Though a worthy topic, I do think this is off topic for this list as I
understand it. Might be a better topic for higgins-dev and/or ecf-dev
or perhaps even equinox-dev.

A few thoughts on identity:

1) It's difficult to get general agreement about how identity should be
*defined*. This is very different, IMHO, from whether/how one presents
a UI for identity...e.g. managing multiple identities, associating
passwords/credentials with ones identities, etc.

2) With ECF, we've taken the approach of creating an API for the weakest
(and simplest) notion of identity that we could get away with, but is
still useful within the scope of our project. For ECF, the ID contract
simply specifies *uniqueness within an associated Namespace*. This
doesn't say anything of credentials, authentication, trust or any of
those other important concepts, it just allows entities (users,
processes, groups) to be uniquely identified across processes.
Incidently, our ID interface extends the JAAS java.security.Principal
interface and so is able to be used within JAAS.

For extensibility, we define an extension point in the
org.eclipse.ecf.identity bundle to allow other bundles to implement new
Namespaces (and also control the creation of IDs within their
Namespace). Comm protocol implementations define their own
Namespaces...and their own interpretation of a given ID. For certain
types of communication, this gives addressability...i.e. for connecting
to a server socket at a certain address, for retrieving a remote file or
resource (e.g. URI), etc.

ECF's work on identity doesn't address Eugene's desire (shared by me)
for a 'unified identity' that can interoperate among Eclipse and
non-Eclipse-based systems. But we think it does provide a useful
building block/starting point for building some of these other parts of
unified identity...addressing of remote processes (useful for
communications/ECF project), associations (with credentials, other types
of identities, etc), trust establishment, identity management
interfaces, etc. Hopefully this, along with Higgins and other efforts
can be used to get toward more unified identity.

Best,

Scott

Eugene Kuleshov wrote:
> Hi,
>
> I am not sure how to address this issue and looking for advice.
>
> In development process we usually have several identities for each
> developer and each identity is managed in its own system, such as
> version control systems (CVS, SVN, etc), issue tracking systems
> (Bugzilla, JIRA, etc), instant messaging systems (icq, xmpp, gtalk,
> yahoo, skype, etc) and regular email. In IDEs each of those those
> identities is managed by its own plugin. For example in Eclipse, CVS and
> SVN identities are known by team version control providers, issue
> tracking systems are managed by Mylar or specialized plugins, and
> instant messaging identities are managed by ECF.
>
> As a result, we don't really have links between those identities. For
> example, we can't open an entry in the CVS History, Synchronize view or
> CVS annotation (aka "blame" thing) in the editor and send an instant
> message to the user who committed that change (say when he did something
> outstanding or if he did something terrifying) or see if person who made
> comment to the bug report is online.
>
> We need some kind of address book or roster UI and correspond backend
> that would allow to manage multiple user identities and would allow 3rd
> party components to interact with those identities. The closest piece
> Eclipse have right now is the Roster view from ECF, but it still quite
> far from supporting such feature and it is unclear if it even in scope
> of the ECF project.
>
> IBM Jazz project choose different approach to this issue. since they
> built their own issue tracker, version control system and even instant
> messaging system they got unified identity across all those systems.
> Unfortunately in the real world we have to deal with number of existing
> legacy systems.
>
> Does anyone have thoughts on this and what is the best way to address
> this need?
>
> regards,
> Eugene
>
> PS: you can also comment to my blog post at
> http://jroller.com/page/eu?entry=multiple_identies
>

Re: how to address this [message #4033 is a reply to message #3029]

Sat, 21 April 2007 10:09

Eclipse User

For some reason everyone is shifting this into managing personal
identities (and to managing personal passwords). Though use case I've
been referring to has nothing to do with passwords. In Scott's
terminology, that use case mean correlation of the same user across
multiple name spaces.

Like it is been said, the API and supporting UI is not that difficult
to implement. But my struggle is how to make such API and UI unified for
the Eclipse Platform. ECF project seemed a good candidate for providing
this functionality and I've been bugging them for quite some time. Now
we have a new player Higgins, which may be a better fit. However, it is
unclear how Platform plugins (such as Team/CVS) would be able to use
Higgins features, because it will be complete foreigner to them. On the
other hand, Team/CVS et all, don't really have to use this API, and it
can stay a standalone component, that just provide links between namespaces.

To sum up, this is clearly cross project issue and I wonder what is
the proper process to address things like that?

regards,
Eugene

Scott Lewis wrote:
> Though a worthy topic, I do think this is off topic for this list as I
> understand it. Might be a better topic for higgins-dev and/or ecf-dev
> or perhaps even equinox-dev.
>
> A few thoughts on identity:
>
> 1) It's difficult to get general agreement about how identity should
> be *defined*. This is very different, IMHO, from whether/how one
> presents a UI for identity...e.g. managing multiple identities,
> associating passwords/credentials with ones identities, etc.
>
> 2) With ECF, we've taken the approach of creating an API for the
> weakest (and simplest) notion of identity that we could get away with,
> but is still useful within the scope of our project. For ECF, the ID
> contract simply specifies *uniqueness within an associated
> Namespace*. This doesn't say anything of credentials, authentication,
> trust or any of those other important concepts, it just allows
> entities (users, processes, groups) to be uniquely identified across
> processes. Incidently, our ID interface extends the JAAS
> java.security.Principal interface and so is able to be used within JAAS.
>
> For extensibility, we define an extension point in the
> org.eclipse.ecf.identity bundle to allow other bundles to implement
> new Namespaces (and also control the creation of IDs within their
> Namespace). Comm protocol implementations define their own
> Namespaces...and their own interpretation of a given ID. For certain
> types of communication, this gives addressability...i.e. for
> connecting to a server socket at a certain address, for retrieving a
> remote file or resource (e.g. URI), etc.
>
> ECF's work on identity doesn't address Eugene's desire (shared by me)
> for a 'unified identity' that can interoperate among Eclipse and
> non-Eclipse-based systems. But we think it does provide a useful
> building block/starting point for building some of these other parts
> of unified identity...addressing of remote processes (useful for
> communications/ECF project), associations (with credentials, other
> types of identities, etc), trust establishment, identity management
> interfaces, etc. Hopefully this, along with Higgins and other efforts
> can be used to get toward more unified identity.
>
> Best,
>
> Scott
>
>
> Eugene Kuleshov wrote:
>> Hi,
>>
>> I am not sure how to address this issue and looking for advice.
>>
>> In development process we usually have several identities for each
>> developer and each identity is managed in its own system, such as
>> version control systems (CVS, SVN, etc), issue tracking systems
>> (Bugzilla, JIRA, etc), instant messaging systems (icq, xmpp, gtalk,
>> yahoo, skype, etc) and regular email. In IDEs each of those those
>> identities is managed by its own plugin. For example in Eclipse, CVS
>> and SVN identities are known by team version control providers, issue
>> tracking systems are managed by Mylar or specialized plugins, and
>> instant messaging identities are managed by ECF.
>>
>> As a result, we don't really have links between those identities.
>> For example, we can't open an entry in the CVS History, Synchronize
>> view or CVS annotation (aka "blame" thing) in the editor and send an
>> instant message to the user who committed that change (say when he
>> did something outstanding or if he did something terrifying) or see
>> if person who made comment to the bug report is online.
>>
>> We need some kind of address book or roster UI and correspond
>> backend that would allow to manage multiple user identities and would
>> allow 3rd party components to interact with those identities. The
>> closest piece Eclipse have right now is the Roster view from ECF, but
>> it still quite far from supporting such feature and it is unclear if
>> it even in scope of the ECF project.
>>
>> IBM Jazz project choose different approach to this issue. since they
>> built their own issue tracker, version control system and even
>> instant messaging system they got unified identity across all those
>> systems. Unfortunately in the real world we have to deal with number
>> of existing legacy systems.
>>
>> Does anyone have thoughts on this and what is the best way to
>> address this need?
>>
>> regards,
>> Eugene
>>
>> PS: you can also comment to my blog post at
>> http://jroller.com/page/eu?entry=multiple_identies
>>

Re: how to address this [message #4106 is a reply to message #4033]

Sat, 21 April 2007 17:40

Eclipse User

Originally posted by: slewis.composent.com

Eugene Kuleshov wrote:
>
<stuff deleted>
>
> To sum up, this is clearly cross project issue and I wonder what is the
> proper process to address things like that?

Well, that's a problem IMHO...for the committer reps and for the Board.
Since the Foundation doesn't have any direct say over the content of
the projects, and the projects are not very diverse (i.e. are typically
staffed/run by a single/small number of companies) it requires something
difficult: actual cross-organizational coordination. This is something
that I as a former Board member attempted to encourage among the
projects, to admittedly limited success.

I've been an advocate that support for 'unified identity' should
ultimately be in at the level of the Platform...so that all bundles that
need various services for 'unified identity'...e.g. unique ids,
cross-namespace user identification, authentication, etc. can get them
in a way that is consistent and not reimplement them at the middleware
(e.g. ECF) or app level (Eclipse, Mylar) each time.

Last year, some IBM Lotus folks had some work done for user
login/authentication using JAAS (I know it's not what you are looking
for Eugene, but it is an important part of the identity picture for
others), and they said they were going to donate it to EF under EPL in
Equinox, but that apparently never happened...I don't know why.

In my opinion what should happen is that a project should exist that
would be responsible for adding 'unified identity' services at the level
of OSGi/Equinox/Platform. I expect this would include cross-namespace
user identity, authentication and authorization, trust services, use
of/integration with JAAS for authentication and authorization, etc.
Perhaps that project should/is/could be Higgins. Perhaps that project
could/should start with something as simple as the ECF ID/Namespace
plugin/service and/or some of the things that Higgins already has
(IDAS). Perhaps there should be multiple organizations making
contributions, providing resources, and supporting such a project.

Although I think ECF, Higgins, and Equinox can and should contribute to
such a project (e.g. with our existing identity bundle/extension point),
I don't think it can reasonably be expected to do everything here as an
independent-run project...especially since even if we did there would be
no guarantee of platform-level usage or integration. This is a
practical limitation for ECF...we just can take on only so much with our
current level of corp membership support (none), and as important as
'unified identity' is, it isn't the only thing we are being asked to
provide.

Best,

Scott

>
> regards,
> Eugene
>
>
> Scott Lewis wrote:
>> Though a worthy topic, I do think this is off topic for this list as I
>> understand it. Might be a better topic for higgins-dev and/or ecf-dev
>> or perhaps even equinox-dev.
>>
>> A few thoughts on identity:
>>
>> 1) It's difficult to get general agreement about how identity should
>> be *defined*. This is very different, IMHO, from whether/how one
>> presents a UI for identity...e.g. managing multiple identities,
>> associating passwords/credentials with ones identities, etc.
>>
>> 2) With ECF, we've taken the approach of creating an API for the
>> weakest (and simplest) notion of identity that we could get away with,
>> but is still useful within the scope of our project. For ECF, the ID
>> contract simply specifies *uniqueness within an associated
>> Namespace*. This doesn't say anything of credentials, authentication,
>> trust or any of those other important concepts, it just allows
>> entities (users, processes, groups) to be uniquely identified across
>> processes. Incidently, our ID interface extends the JAAS
>> java.security.Principal interface and so is able to be used within JAAS.
>>
>> For extensibility, we define an extension point in the
>> org.eclipse.ecf.identity bundle to allow other bundles to implement
>> new Namespaces (and also control the creation of IDs within their
>> Namespace). Comm protocol implementations define their own
>> Namespaces...and their own interpretation of a given ID. For certain
>> types of communication, this gives addressability...i.e. for
>> connecting to a server socket at a certain address, for retrieving a
>> remote file or resource (e.g. URI), etc.
>>
>> ECF's work on identity doesn't address Eugene's desire (shared by me)
>> for a 'unified identity' that can interoperate among Eclipse and
>> non-Eclipse-based systems. But we think it does provide a useful
>> building block/starting point for building some of these other parts
>> of unified identity...addressing of remote processes (useful for
>> communications/ECF project), associations (with credentials, other
>> types of identities, etc), trust establishment, identity management
>> interfaces, etc. Hopefully this, along with Higgins and other efforts
>> can be used to get toward more unified identity.
>>
>> Best,
>>
>> Scott
>>
>>
>> Eugene Kuleshov wrote:
>>> Hi,
>>>
>>> I am not sure how to address this issue and looking for advice.
>>>
>>> In development process we usually have several identities for each
>>> developer and each identity is managed in its own system, such as
>>> version control systems (CVS, SVN, etc), issue tracking systems
>>> (Bugzilla, JIRA, etc), instant messaging systems (icq, xmpp, gtalk,
>>> yahoo, skype, etc) and regular email. In IDEs each of those those
>>> identities is managed by its own plugin. For example in Eclipse, CVS
>>> and SVN identities are known by team version control providers, issue
>>> tracking systems are managed by Mylar or specialized plugins, and
>>> instant messaging identities are managed by ECF.
>>>
>>> As a result, we don't really have links between those identities.
>>> For example, we can't open an entry in the CVS History, Synchronize
>>> view or CVS annotation (aka "blame" thing) in the editor and send an
>>> instant message to the user who committed that change (say when he
>>> did something outstanding or if he did something terrifying) or see
>>> if person who made comment to the bug report is online.
>>>
>>> We need some kind of address book or roster UI and correspond
>>> backend that would allow to manage multiple user identities and would
>>> allow 3rd party components to interact with those identities. The
>>> closest piece Eclipse have right now is the Roster view from ECF, but
>>> it still quite far from supporting such feature and it is unclear if
>>> it even in scope of the ECF project.
>>>
>>> IBM Jazz project choose different approach to this issue. since they
>>> built their own issue tracker, version control system and even
>>> instant messaging system they got unified identity across all those
>>> systems. Unfortunately in the real world we have to deal with number
>>> of existing legacy systems.
>>>
>>> Does anyone have thoughts on this and what is the best way to
>>> address this need?
>>>
>>> regards,
>>> Eugene
>>>
>>> PS: you can also comment to my blog post at
>>> http://jroller.com/page/eu?entry=multiple_identies
>>>

Re: how to address this [message #4176 is a reply to message #2935]

Mon, 23 April 2007 00:35

Eclipse User

Originally posted by: paul.socialphysics.org

Eugene,

While it's true that Higgins has a focus on user-centric identity, it
nevertheless can support the functionality that you require. Doing so
leverages one of the most powerful capabilities in Higgins, namely, the
ability to link/correlate Digital Subjects (what you call "identities")
across Contexts (your heterogeneous collection of systems).

In Higgins-speak what you need to do is create one Higgins Context that
we'll call here the "meta" Context and then instantiate N other Contexts
each representing one of the systems you mention (CVS, Bugzilla, Skype,
etc.). [In an ideal world Higgins Context Provider plug-ins would already
exist for all of these other Contexts, though that is far from the case.]
In each Context, one physical person (called an Entity in Higgins) is
represented as a Digital Subject--a set of attributes one of which is a
local identifier (e.g. eugene@gmail.com, or 234-265-99, etc.) unique to
the containing Context. Some external system that knows all of the
correlations (e.g. paul@gmail.com is the same as pault-in-some-Bugzilla)
will need to populate the "meta" Context with one Digital Subject for each
Entity being modeled, and for each Entity add a set of N "pointer"
attributes pointing to the N Digital Subjects that represent this same
person in the N other Contexts.

Glossing over security issues and the systems configuration challenge
(e.g. making sure that all required Context Provider plugs-ins exist and
are installed locally) the only "backend service" API you'd need would be
the IdAS API.

We've done enough work with ECF to believe that some of these N "other"
Contexts could be implemented by thin shims over ECF containers and
rosters, though all the ECF-integration code is out of date at the moment.

As for deployment architectures, at present IdAS (and the required Context
Provider plug-ins) can run all locally in an embedded mode.

As for status, Higgins is at M0.7 and all if its APIs still evolving. Also
none of the Context Providers you require (e.g. CVS, SVN, gtalk, yahaoo,
skype, Bugzilla, JIRA) currently exist. The good news is that most of the
communications-oriented providers required could be handled in one fell
swoop with an up-to-date Higgins Context Provider for ECF.

Hope that helps,

-Paul

Re: how to address this [message #560277 is a reply to message #2898]

Fri, 20 April 2007 10:34

Eclipse User

This is a multi-part message in MIME format.
--------------000301080405040901000605
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit

Eugene,

Yes, managing all these identities is a big pain! At IBM we have
multiple such things too and tomorrow a bunch of my passwords expire,
which happens every three months. So it's time to start changing
passwords again. And of course different systems have different
password rules, so it's hard to get one password that works for all the
systems. And that means you have to write them down, which kind of
defeats their security, and undermines the very reason for making them
expire so often and for defining rules to restrict your choice of
password. It's such a joy to be told that a password no one would ever
guess is nevertheless trivial by some undocumented algorithm.

Are you aware of the Higgins Trust Framework project?

http://www.eclipse.org/higgins/

I don't know much about it, but I think it's trying to address exactly
this type of problem and I suppose it could be used by other projects at
some point in the future.

Eugene Kuleshov wrote:
> Hi,
>
> I am not sure how to address this issue and looking for advice.
>
> In development process we usually have several identities for each
> developer and each identity is managed in its own system, such as
> version control systems (CVS, SVN, etc), issue tracking systems
> (Bugzilla, JIRA, etc), instant messaging systems (icq, xmpp, gtalk,
> yahoo, skype, etc) and regular email. In IDEs each of those those
> identities is managed by its own plugin. For example in Eclipse, CVS
> and SVN identities are known by team version control providers, issue
> tracking systems are managed by Mylar or specialized plugins, and
> instant messaging identities are managed by ECF.
>
> As a result, we don't really have links between those identities. For
> example, we can't open an entry in the CVS History, Synchronize view
> or CVS annotation (aka "blame" thing) in the editor and send an
> instant message to the user who committed that change (say when he did
> something outstanding or if he did something terrifying) or see if
> person who made comment to the bug report is online.
>
> We need some kind of address book or roster UI and correspond backend
> that would allow to manage multiple user identities and would allow
> 3rd party components to interact with those identities. The closest
> piece Eclipse have right now is the Roster view from ECF, but it still
> quite far from supporting such feature and it is unclear if it even in
> scope of the ECF project.
>
> IBM Jazz project choose different approach to this issue. since they
> built their own issue tracker, version control system and even instant
> messaging system they got unified identity across all those systems.
> Unfortunately in the real world we have to deal with number of
> existing legacy systems.
>
> Does anyone have thoughts on this and what is the best way to address
> this need?
>
> regards,
> Eugene
>
> PS: you can also comment to my blog post at
> http://jroller.com/page/eu?entry=multiple_identies
>

--------------000301080405040901000605
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
Eugene, 
 
Yes, managing all these identities is a big pain!   At IBM we have
multiple such things too and tomorrow a bunch of my passwords expire,
which happens every three months.  So it's time to start changing
passwords again.  And of course different systems have different
password rules, so it's hard to get one password that works for all the
systems.  And that means you have to write them down, which kind of
defeats their security, and undermines the very reason for making them
expire so often and for defining rules to restrict your choice of
password.  It's such a joy to be told that a password no one would ever
guess is nevertheless trivial by some undocumented algorithm.  
 
Are you aware of the Higgins Trust Framework project? 
<blockquote><a href="http://www.eclipse.org/higgins/">http://www.eclipse.org/higgins/</a> 
</blockquote>
I don't know much about it, but I think it's trying to address exactly
this type of problem and I suppose it could be used by other projects
at some point in the future. 
 
 
Eugene Kuleshov wrote:
<blockquote cite="midf0ah9e$mk4$1@build.eclipse.org" type="cite">Hi,
 
 
 I am not sure how to address this issue and looking for advice.
 
 
 In development process we usually have several identities for each
developer and each identity is managed in its own system, such as
version control systems (CVS, SVN, etc), issue tracking systems
(Bugzilla, JIRA, etc), instant messaging systems (icq, xmpp, gtalk,
yahoo, skype, etc) and regular email. In IDEs each of those those
identities is managed by its own plugin. For example in Eclipse, CVS
and SVN identities are known by team version control providers, issue
tracking systems are managed by Mylar or specialized plugins, and
instant messaging identities are managed by ECF.
 
 
 As a result, we don't really have links between those identities. For
example, we can't open an entry in the CVS History, Synchronize view or
CVS annotation (aka "blame" thing) in the editor and send an instant
message to the user who committed that change (say when he did
something outstanding or if he did something terrifying) or see if
person who made comment to the bug report is online.
 
 
 We need some kind of address book or roster UI and correspond backend
that would allow to manage multiple user identities and would allow 3rd
party components to interact with those identities. The closest piece
Eclipse have right now is the Roster view from ECF, but it still quite
far from supporting such feature and it is unclear if it even in scope
of the ECF project.
 
 
 IBM Jazz project choose different approach to this issue. since they
built their own issue tracker, version control system and even instant
messaging system they got unified identity across all those systems.
Unfortunately in the real world we have to deal with number of existing
legacy systems.
 
 
 Does anyone have thoughts on this and what is the best way to address
this need?
 
 
 regards,
 
 Eugene
 
 
PS: you can also comment to my blog post at
<a class="moz-txt-link-freetext" href="http://jroller.com/page/eu?entry=multiple_identies">http://jroller.com/page/eu?entry=multiple_identies</a>
 
 
</blockquote>
 
</body>
</html>

--------------000301080405040901000605--

Re: how to address this [message #560280 is a reply to message #2916]

Fri, 20 April 2007 10:52

Eclipse User

Re: how to address this [message #560282 is a reply to message #2935]

Fri, 20 April 2007 14:10

Eclipse User

Re: how to address this [message #560285 is a reply to message #2952]

Fri, 20 April 2007 14:59

Eclipse User

Re: how to address this [message #560296 is a reply to message #2898]

Sat, 21 April 2007 02:01

Eclipse User

Though a worthy topic, I do think this is off topic for this list as I
understand it. Might be a better topic for higgins-dev and/or ecf-dev
or perhaps even equinox-dev.

A few thoughts on identity:

1) It's difficult to get general agreement about how identity should be
*defined*. This is very different, IMHO, from whether/how one presents
a UI for identity...e.g. managing multiple identities, associating
passwords/credentials with ones identities, etc.

2) With ECF, we've taken the approach of creating an API for the weakest
(and simplest) notion of identity that we could get away with, but is
still useful within the scope of our project. For ECF, the ID contract
simply specifies *uniqueness within an associated Namespace*. This
doesn't say anything of credentials, authentication, trust or any of
those other important concepts, it just allows entities (users,
processes, groups) to be uniquely identified across processes.
Incidently, our ID interface extends the JAAS java.security.Principal
interface and so is able to be used within JAAS.

For extensibility, we define an extension point in the
org.eclipse.ecf.identity bundle to allow other bundles to implement new
Namespaces (and also control the creation of IDs within their
Namespace). Comm protocol implementations define their own
Namespaces...and their own interpretation of a given ID. For certain
types of communication, this gives addressability...i.e. for connecting
to a server socket at a certain address, for retrieving a remote file or
resource (e.g. URI), etc.

ECF's work on identity doesn't address Eugene's desire (shared by me)
for a 'unified identity' that can interoperate among Eclipse and
non-Eclipse-based systems. But we think it does provide a useful
building block/starting point for building some of these other parts of
unified identity...addressing of remote processes (useful for
communications/ECF project), associations (with credentials, other types
of identities, etc), trust establishment, identity management
interfaces, etc. Hopefully this, along with Higgins and other efforts
can be used to get toward more unified identity.

Best,

Scott

Eugene Kuleshov wrote:
> Hi,
>
> I am not sure how to address this issue and looking for advice.
>
> In development process we usually have several identities for each
> developer and each identity is managed in its own system, such as
> version control systems (CVS, SVN, etc), issue tracking systems
> (Bugzilla, JIRA, etc), instant messaging systems (icq, xmpp, gtalk,
> yahoo, skype, etc) and regular email. In IDEs each of those those
> identities is managed by its own plugin. For example in Eclipse, CVS and
> SVN identities are known by team version control providers, issue
> tracking systems are managed by Mylar or specialized plugins, and
> instant messaging identities are managed by ECF.
>
> As a result, we don't really have links between those identities. For
> example, we can't open an entry in the CVS History, Synchronize view or
> CVS annotation (aka "blame" thing) in the editor and send an instant
> message to the user who committed that change (say when he did something
> outstanding or if he did something terrifying) or see if person who made
> comment to the bug report is online.
>
> We need some kind of address book or roster UI and correspond backend
> that would allow to manage multiple user identities and would allow 3rd
> party components to interact with those identities. The closest piece
> Eclipse have right now is the Roster view from ECF, but it still quite
> far from supporting such feature and it is unclear if it even in scope
> of the ECF project.
>
> IBM Jazz project choose different approach to this issue. since they
> built their own issue tracker, version control system and even instant
> messaging system they got unified identity across all those systems.
> Unfortunately in the real world we have to deal with number of existing
> legacy systems.
>
> Does anyone have thoughts on this and what is the best way to address
> this need?
>
> regards,
> Eugene
>
> PS: you can also comment to my blog post at
> http://jroller.com/page/eu?entry=multiple_identies
>

Re: how to address this [message #560302 is a reply to message #3029]

Sat, 21 April 2007 10:09

Eclipse User

Re: how to address this [message #560305 is a reply to message #4033]

Sat, 21 April 2007 17:40

Eclipse User

Eugene Kuleshov wrote:
>
<stuff deleted>
>
> To sum up, this is clearly cross project issue and I wonder what is the
> proper process to address things like that?

Well, that's a problem IMHO...for the committer reps and for the Board.
Since the Foundation doesn't have any direct say over the content of
the projects, and the projects are not very diverse (i.e. are typically
staffed/run by a single/small number of companies) it requires something
difficult: actual cross-organizational coordination. This is something
that I as a former Board member attempted to encourage among the
projects, to admittedly limited success.

I've been an advocate that support for 'unified identity' should
ultimately be in at the level of the Platform...so that all bundles that
need various services for 'unified identity'...e.g. unique ids,
cross-namespace user identification, authentication, etc. can get them
in a way that is consistent and not reimplement them at the middleware
(e.g. ECF) or app level (Eclipse, Mylar) each time.

Last year, some IBM Lotus folks had some work done for user
login/authentication using JAAS (I know it's not what you are looking
for Eugene, but it is an important part of the identity picture for
others), and they said they were going to donate it to EF under EPL in
Equinox, but that apparently never happened...I don't know why.

In my opinion what should happen is that a project should exist that
would be responsible for adding 'unified identity' services at the level
of OSGi/Equinox/Platform. I expect this would include cross-namespace
user identity, authentication and authorization, trust services, use
of/integration with JAAS for authentication and authorization, etc.
Perhaps that project should/is/could be Higgins. Perhaps that project
could/should start with something as simple as the ECF ID/Namespace
plugin/service and/or some of the things that Higgins already has
(IDAS). Perhaps there should be multiple organizations making
contributions, providing resources, and supporting such a project.

Although I think ECF, Higgins, and Equinox can and should contribute to
such a project (e.g. with our existing identity bundle/extension point),
I don't think it can reasonably be expected to do everything here as an
independent-run project...especially since even if we did there would be
no guarantee of platform-level usage or integration. This is a
practical limitation for ECF...we just can take on only so much with our
current level of corp membership support (none), and as important as
'unified identity' is, it isn't the only thing we are being asked to
provide.

Best,

Scott

>
> regards,
> Eugene
>
>
> Scott Lewis wrote:
>> Though a worthy topic, I do think this is off topic for this list as I
>> understand it. Might be a better topic for higgins-dev and/or ecf-dev
>> or perhaps even equinox-dev.
>>
>> A few thoughts on identity:
>>
>> 1) It's difficult to get general agreement about how identity should
>> be *defined*. This is very different, IMHO, from whether/how one
>> presents a UI for identity...e.g. managing multiple identities,
>> associating passwords/credentials with ones identities, etc.
>>
>> 2) With ECF, we've taken the approach of creating an API for the
>> weakest (and simplest) notion of identity that we could get away with,
>> but is still useful within the scope of our project. For ECF, the ID
>> contract simply specifies *uniqueness within an associated
>> Namespace*. This doesn't say anything of credentials, authentication,
>> trust or any of those other important concepts, it just allows
>> entities (users, processes, groups) to be uniquely identified across
>> processes. Incidently, our ID interface extends the JAAS
>> java.security.Principal interface and so is able to be used within JAAS.
>>
>> For extensibility, we define an extension point in the
>> org.eclipse.ecf.identity bundle to allow other bundles to implement
>> new Namespaces (and also control the creation of IDs within their
>> Namespace). Comm protocol implementations define their own
>> Namespaces...and their own interpretation of a given ID. For certain
>> types of communication, this gives addressability...i.e. for
>> connecting to a server socket at a certain address, for retrieving a
>> remote file or resource (e.g. URI), etc.
>>
>> ECF's work on identity doesn't address Eugene's desire (shared by me)
>> for a 'unified identity' that can interoperate among Eclipse and
>> non-Eclipse-based systems. But we think it does provide a useful
>> building block/starting point for building some of these other parts
>> of unified identity...addressing of remote processes (useful for
>> communications/ECF project), associations (with credentials, other
>> types of identities, etc), trust establishment, identity management
>> interfaces, etc. Hopefully this, along with Higgins and other efforts
>> can be used to get toward more unified identity.
>>
>> Best,
>>
>> Scott
>>
>>
>> Eugene Kuleshov wrote:
>>> Hi,
>>>
>>> I am not sure how to address this issue and looking for advice.
>>>
>>> In development process we usually have several identities for each
>>> developer and each identity is managed in its own system, such as
>>> version control systems (CVS, SVN, etc), issue tracking systems
>>> (Bugzilla, JIRA, etc), instant messaging systems (icq, xmpp, gtalk,
>>> yahoo, skype, etc) and regular email. In IDEs each of those those
>>> identities is managed by its own plugin. For example in Eclipse, CVS
>>> and SVN identities are known by team version control providers, issue
>>> tracking systems are managed by Mylar or specialized plugins, and
>>> instant messaging identities are managed by ECF.
>>>
>>> As a result, we don't really have links between those identities.
>>> For example, we can't open an entry in the CVS History, Synchronize
>>> view or CVS annotation (aka "blame" thing) in the editor and send an
>>> instant message to the user who committed that change (say when he
>>> did something outstanding or if he did something terrifying) or see
>>> if person who made comment to the bug report is online.
>>>
>>> We need some kind of address book or roster UI and correspond
>>> backend that would allow to manage multiple user identities and would
>>> allow 3rd party components to interact with those identities. The
>>> closest piece Eclipse have right now is the Roster view from ECF, but
>>> it still quite far from supporting such feature and it is unclear if
>>> it even in scope of the ECF project.
>>>
>>> IBM Jazz project choose different approach to this issue. since they
>>> built their own issue tracker, version control system and even
>>> instant messaging system they got unified identity across all those
>>> systems. Unfortunately in the real world we have to deal with number
>>> of existing legacy systems.
>>>
>>> Does anyone have thoughts on this and what is the best way to
>>> address this need?
>>>
>>> regards,
>>> Eugene
>>>
>>> PS: you can also comment to my blog post at
>>> http://jroller.com/page/eu?entry=multiple_identies
>>>

Re: how to address this [message #560308 is a reply to message #2935]

Mon, 23 April 2007 00:35

Eclipse User

Eugene,

While it's true that Higgins has a focus on user-centric identity, it
nevertheless can support the functionality that you require. Doing so
leverages one of the most powerful capabilities in Higgins, namely, the
ability to link/correlate Digital Subjects (what you call "identities")
across Contexts (your heterogeneous collection of systems).

In Higgins-speak what you need to do is create one Higgins Context that
we'll call here the "meta" Context and then instantiate N other Contexts
each representing one of the systems you mention (CVS, Bugzilla, Skype,
etc.). [In an ideal world Higgins Context Provider plug-ins would already
exist for all of these other Contexts, though that is far from the case.]
In each Context, one physical person (called an Entity in Higgins) is
represented as a Digital Subject--a set of attributes one of which is a
local identifier (e.g. eugene@gmail.com, or 234-265-99, etc.) unique to
the containing Context. Some external system that knows all of the
correlations (e.g. paul@gmail.com is the same as pault-in-some-Bugzilla)
will need to populate the "meta" Context with one Digital Subject for each
Entity being modeled, and for each Entity add a set of N "pointer"
attributes pointing to the N Digital Subjects that represent this same
person in the N other Contexts.

Glossing over security issues and the systems configuration challenge
(e.g. making sure that all required Context Provider plugs-ins exist and
are installed locally) the only "backend service" API you'd need would be
the IdAS API.

We've done enough work with ECF to believe that some of these N "other"
Contexts could be implemented by thin shims over ECF containers and
rosters, though all the ECF-integration code is out of date at the moment.

As for deployment architectures, at present IdAS (and the required Context
Provider plug-ins) can run all locally in an embedded mode.

As for status, Higgins is at M0.7 and all if its APIs still evolving. Also
none of the Context Providers you require (e.g. CVS, SVN, gtalk, yahaoo,
skype, Bugzilla, JIRA) currently exist. The good news is that most of the
communications-oriented providers required could be handled in one fell
swoop with an up-to-date Higgins Context Provider for ECF.

Hope that helps,

-Paul

Previous Topic:	The First 100 Days
Next Topic:	Projects vs. Components and Incubation Conformance

Goto Forum:

-=] Back to Top [=-

Current Time: Mon Nov 03 19:03:22 EST 2025

.:: Contact :: Home ::.

Breadcrumbs

Sign up to our Newsletter