Is fiware-skuld working within a federation? - fiware

I have a question about fiware-skuld.
Is It working Skuld within a federation?
Must be use globally or in each FIWARE Lab region?


It is not a good idea to run individually Skuld on each region. There are some
serious problems:
the users are global. The change of the user type (from Trial Users to Basic Users type) can be invoked only one time. The same is true for the notifications. Users do not want a
notification for each region.
there is a problem of synchronisation if each region delete their
resources when they want. Users must be notified only one time and
with a defined anticipation.
At this moment the scripts are invoked only for a region, but to support a
federation it is sufficient to modify only the scripts that delete resources to
iterate with each region.

Related

How to supress multiple alerts and receive only one notification in Zabbix?

I'm looking for a way to create a Zabbix monitor that will only alert when we have a bunch of other alerts on board.
For example, I have created alerts A, B, C, and so on, and when they appear separately, it is not a big deal, but if together, I would like to know and receive a notification to act accordingly.
Therefore, I wonder if it's feasible to design an alert D that only appears when all the others do.
I have only found a solution using dependent triggers, but it's not suitable in such cases.
If the items are in the same host, just add a higher severity trigger when all items breach their threshold.
If the items are in different hosts, you can add a "parent" host, with the metrics you need. Example: in a 8 nodes cluster, each cluster node will have a Warning severity problem when it's offline, and the parent host will have a High severity problem when more than 4 nodes are offline.
What you are looking for is Trigger Dependency. You can update the current trigger and add dependency with other triggers.
In this case your trigger gets suppressed if you depended triggered is already fired.

How to surface different Workshop pages to different user groups?

I have a Workshop module that addresses different user groups. Hence I would like to surface different pages to different groups by default. Indeed I see an option to control the default page selection based on a variable.
My first thought was to split my users into different Multipass groups and then have a function that queries a given user's Multipass attributes for membership in certain groups. However, I don't seem to be able to check for group membership in this way, probably for security reasons.
What would be the recommended way to go about this?
The Foundry security primitives for resource visibility (as opposed to data visibility) are largely aligned at the resource level rather than within a given resource. (The one exception I know of that's relevant is within the Object View configuration, where you can set visibility on different Tabs).
An approach also depends on if the resource visibility is a matter of permissions (i.e. should a user outside a given group not see a given page - again separate from the permission to see any data within that page) or one of convenience (i.e. all users can see all the data and all the interfaces, but each given group should simply start in a separate place.
In the former case, (i.e. security) I think it'd be best to make a separate Workshop app for each team and then maybe wrap them all into a Carbon workspace. The resource visibility, configured as the actual resource permissions in Compass, should determine if it appears in the Carbon workspace for the user.
If it's just for convenience, you could build all the pages in a single Workshop app, then make a separate Carbon workspace for each team and set a parameter to determine the default page, as you mentioned.

Assigning a task to a team

I'd like to assigne a task to a whole team of users, instead of a single user. Then anybody of that team should be able to execute the task. I do run the self hosted version of activecollab.
For example:
My team has 10 members, and therefore a capacity of 10* 8h/day = 80h
I'm assigning 100h of work/tasks to that team --> 80h stay for the day, 20h get pushed to the next day
Any member of that team can grab a task, track time and finally finish it.
Is that something which can be done right now via the api?
If not, is sth. like that on the roadmap?
ActiveCollab does not support task assignment to a team, only to an individual user. API can't be used to work around assignment of a single task to a single user. What you can do is implement a routine that will create a copy of a task for each team member and assign it to a member, but that can easily clutter your projects.
Thanks for the quick response.
Then I'm continuing with my workaround:
I'm getting the workload from all users and store them in a seperate table.
When I distribute the tasks, I look this table up, and see who is available for that activity, and finally assigne that task to that user.
Under /workload the users can still reassign and reschedule, I'll run the sync from 1. from time to time
E/thing else can be also done via the frontend

Access control: RBAC with additional group memberships instead of object properties

Given an application that shows objects (e.g. films) according to certain user permissions.
The general permission to show or create objects is implemented as RBAC with roles and permissions.
The specific permission to access an object with certain attributes (e.g. a film with the attribute “drama”) should be implemented with memberships. That means the object doesn’t have the property “drama”, it is a member of the group “drama”. If the user and the object are members in the same group, the user has the specific permission to access this object. There can be different groups for showing, creating or deleting an object, like a simple viewer group or some kind of editor group. Furthermore there is a table that specifies which group types are relevant for certain actions on certain objects. For example relevant groups for the action “show” on the object "film" could be “genre” and “age” (film's suitability for certain audiences).
The reason to implement it in the described way is to have great flexibility without touching the code. Changes to groups can be processed in the database.
General database design:
Example: The film "The Revenant" is a member of the groups "genre:drama" and "age:18". The user can access it, if he is a member of these groups too.
Does this sound like a good approach? Are there any existing solutions that are similar to this approach? Does it have major drawbacks (e.g. too many database queries - there may be several hundred users every day)?
Please share your thoughts on this issue with me - the choice of "drama" as category for the example is not a coincidence ;) I just dont know if this is a dead end or if I am heading to the right direction. I stuck at this point for quite a while.
At least you have a good sense of humor :-)
Your approach sounds fine. So long as you keep the number of parameters low, then you can get away with role-based access control (RBAC) and a few additional parameters e.g. group membership.
But in the long run, if you want to implement business-driven authorization (access control), you need a way to do this independently of your code: you do not want to rewrite your app code every time there is a requirements change.
To do so, there is an access control model called Attribute-Based Access Control (ABAC) that will let you define your authorization policies independently of your code.
In ABAC, you have the following concepts:
an architecture which defines a policy enforcement point (PEP) and a policy decision point (PDP). The PEP sits in front of (or within) your app. It intercepts the business requests (e.g. a request to view a film) and sends an authorization request to the PDP. The PDP is configured with policies. Based on the request the PDP will reach a decision: either yes, Permit or no, Deny.
a policy language: the policy language is attribute-based (hence the name ABAC). This means that you can use any number of attributes (e.g. user role, user id, user group memberships, but also user age, user location, user subscription as well as resource attributes such as movie rating, movie category, movie price...)
a request / response scheme: this is how you ask for authorization. It is essentially a yes/no flow. "Can a user do X?", "Yes they can."
There are several implementations of ABAC out there - some of which are framework-specific e.g. CanCanCan. XACML and ALFA are two approaches that are not tied to any particular framework. You can choose from open-source and commercial implementations of either language e.g.:
Open Source: SunXACML, ATT XACML
Commercial: Axiomatics Policy Server

Syncing File Name for Drive Realtime Document

My real-time document allows the user to edit the file name within the editor (much like Google's own apps). I represent this as a collaborative string so all collaborators see the file renames as soon as possible.
I'm trying to determined the best and most efficient way to keep this collaborative string in sync with the actual file name. There are two scenarios to consider:
In Editor Changes
If a user edits the document name within the editor. In this case we need to use the Drive API to push that change out to the file on Google drive. To avoid race conditions, it is best if only one of the collaborators pushes the change out. The easiest way to do this seems to check if the rename event was local.
I also found it best to add a delay so we are not pushing the rename out to the Drive API with every character change. If a few seconds pass with no more name changes at that point it pushes the change out. This all seems to work well.
External Changes
The harder one and the one I am interested in requesting advice on, the case when the file name is changed externally. For example, if the user renamed the file within the Drive interface itself. We want this change to update our collaborative string to match.
My application is entirely client-side so I can't use webhook push notifications. So my only solution is to poll the file name every X seconds (currently set to 10). But this presents the following problems:
It is API intensive. If you have 4 collaborators that keep the screen open for 8 hour that is 11520 API calls. If my app has lots of users with lots of documents I could see how this might push me past my API limits.
To avoid race conditions (and reduce API calls) we only want one collaborator to check for changes and update the collaborative string if the file name has changed. But how to pick when collaborators might join/exit at any time? Currently I am having each collaborator check anytime the collaborators change if they are the "leader". The "leader" is the collaborator whose session id is the highest. This seems to work but it all seems fairly hackey. Also if collaborators join close together I wonder if it might be possible that a race condition would cause multiple collaborators to think they are the leader.
Is there an easier way? An real-time API function I am missing?
It would be ideal if the real-time API just provided a method that stored the document name. Anytime the real-time API checks for mutations it could grab the latest document name.
I think you've identified the options. There isn't any built in functionality currently to sync it via the Realtime API specifically.
Personally I'd probably back off the poll time a lot.. its probably not critical that the title is always exactly up to date, so asking every few minutes is probably sufficient and would greatly reduce your qps.
In terms of identifying a "leader", I can't think of anything better than something deterministic based on the session id. So long as each rechecks on each session join/leave event, I don't think there should be any issues.