Older blog entries for mindcrime (starting at number 34)

Some Notes on Identity Management in OpenQabal

Some quick notes on what's going on with the Identity related stuff in OQ. Not necessarily in order:

1. One of the key concepts in OQ is the notion of federated identity... that is, an identity associated with one install of OQ should be "usable" from another install, where "usable" might mean "user at Site A can list user at Site B as a friend" or it might mean "user from Site B can login at Site A" or it might mean both, or it might mean neither.

2. That said, part of the idea of OQ, at any given install, is to be a sort of "social operating system" that enables application integration based on "social" technologies (the social graph, social ranking/voting, etc).

3. The use cases around (2) above are where some actual work has been done, and stuff works. We currently integrate apps running in the same domain by using JA-SIG CAS, with the authentication backend being our own simplistic IdM system (referred to as the IdentityEngine).

4. At one time it seemed to make sense to have the IdentityEngine project there to act as a mediator / bridge to possible other existing enterprise IdM systems. In retrospect, I'm no longer sure that adds much value.

5. It's entirely possible that a better approach would be to rip out the existing OQ IdM 'stuff' and just plop in Sun's OpenSSO / OpenFederation / OpenDS / OpenPTK stack. I'm doing some research on that point at this very moment, while also continuing to work on the existing OQ stuff based on CAS and the IdentityEngine.

6. Part of the point in rolling out this initial, somewhat naive, built-in IdM was to give us a test platform to experiment with issues around (1) above. To that point, I've been working on the possibility of making CAS an OpenID Relying Party, so that a user can login to OQ through OpenID and get the full CAS SSO experience.

7. Much research still needs to be done to sort out the best approach(es) to handling (1) above. OpenID may well be part of that solution, along with OAuth, but don't hold me to that. SAML, WS-Federation and some of the Liberty Alliance stuff may also be useful. Still need to do more research there.

8. What works now is this: SSO using CAS successfully integrates Roller, JavaBB and our "User Console" app. Roller has a mechanism for fully externalizing user management, so it's not technically required to provision a new user into the Roller user table, although that code is still in place at the moment. JavaBB, on the other hand, does not (yet) have that ability, so when we create a new user, we have to populate the JavaBB user table.

9. One of the big things I want to determine is "what are the implications for user provisioning, when using an external authentication source like OpenID?" See comment (6) above. Getting that done will enable some experimenting around how this will work in principle.

10. User provisioning with SPML is also of interest.

11. The IdentityEngine exposes remote interfaces using EJB3 SLSBs; this is used by our implementation of the pluggable UserManager in Roller (there are use cases which require exposing APIs like "get list of users" and "get user by name", etc.). In addition, we have to be able to authenticate "out of band" to enable authentication for the MetaweblogAPI interface (and presumably APP as well).

12. Another point that has not been addressed at all is two-factor (or multi-factor in general) authentication.
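Items 6, 8 and 9 above come down to one step: once an external login has been verified, find or create the local identity and provision any app that still needs its own user row. The Java below is an added illustration of that step, not code from OpenQabal; every class, field and method name is hypothetical, and the in-memory maps stand in for the IdentityEngine store and the JavaBB user table.

```java
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

/** Added illustration; class, field and method names are hypothetical, not OpenQabal's. */
public class ExternalLoginProvisioner {

    /** Local record that other resources (friends, posts, roles) can point at. */
    record LocalIdentity(long id, String externalId, String localName) {}

    private final Map<String, LocalIdentity> byExternalId = new HashMap<>();
    private final Set<String> localNames = new HashSet<>();
    // Stand-in for an application table that needs its own row per user (the JavaBB case).
    private final Map<Long, String> forumUsers = new HashMap<>();
    private long nextId = 1;

    /**
     * Call only after the relying party has verified the assertion.
     * verifiedId is the identifier the provider vouched for; nickname is
     * unverified profile data and is never used to find an existing account.
     */
    public synchronized LocalIdentity onVerifiedLogin(String verifiedId, String nickname) {
        if (verifiedId == null || verifiedId.isBlank())
            throw new IllegalArgumentException("missing verified identifier");
        LocalIdentity known = byExternalId.get(verifiedId);
        if (known != null) return known;               // repeat login: nothing to provision

        String name = uniqueLocalName(nickname);
        LocalIdentity created = new LocalIdentity(nextId++, verifiedId, name);
        byExternalId.put(verifiedId, created);
        forumUsers.put(created.id(), name);            // app without external user management
        // An app that delegates user lookups to the identity service needs no row here.
        return created;
    }

    /** Nicknames can collide across providers, so suffix until the local name is free. */
    private String uniqueLocalName(String nickname) {
        String base = (nickname == null || nickname.isBlank()) ? "user" : nickname.trim();
        String candidate = base;
        for (int n = 2; !localNames.add(candidate); n++) candidate = base + "-" + n;
        return candidate;
    }

    public static void main(String[] args) {
        ExternalLoginProvisioner p = new ExternalLoginProvisioner();
        // Constructed sample identifiers on reserved example domains.
        LocalIdentity a = p.onVerifiedLogin("https://alice.id.example/", "alice");
        LocalIdentity again = p.onVerifiedLogin("https://alice.id.example/", "alice");
        LocalIdentity b = p.onVerifiedLogin("https://other-op.example/users/alice", "alice");
        System.out.println(a.equals(again));           // repeat login resolves to the same record
        System.out.println(a.id() != b.id());          // same nickname, separate identities
        System.out.println(b.localName());             // collision resolved with a suffix
        System.out.println(p.forumUsers.size());       // forum rows created so far
    }
}
```

Keying the lookup on the verified identifier rather than on the nickname is what keeps a second provider's "alice" from landing in the first one's account.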

If anything else comes to mind, I'll make a follow up post. Please send other questions to the dev@ mailing-list...

Syndicated 2008-11-18 04:37:53 (Updated 2008-11-18 04:46:42) from openqabal

Finally back to work on OpenQabal

So after a rather long hiatus - due mainly to a political campaign - we're finally getting back to work on OpenQabal here. Of course our old road-map is now shot to heck, so it's going to take a while to sit down and put together a new plan and get some momentum going again. But I can say that a lot of work has been done the past week. Some of the needed work done includes: swapping all of the EJB2 SLSBs that were in place for remoting with EJB3 SLSBs instead, plugging in some of the JMS event messaging code that had been planned (and prototyped like 2 years ago!), renaming some modules, some serious refactoring in the IdentityEngine project, and - last but not least - getting the CruiseControl build-loop all sorted out so that everything builds continuously again.

So what's next in the short-term? Some or all of the following:

  • update CAS to the latest release
  • major improvements to the IdentityManager module
  • OpenID login support
  • support for provisioning users who are logging in using OpenID (or other 3rd party authentication services)

Getting those things knocked out will represent major progress. After that, it'll be time to start on the GraphEngine, PolicyEngine and ProfileEngine stuff for managing the social-graph, profiles and privacy / access control issues. After that, hopefully we can finally get started on the federated social-graph using FOAF... and after that, start on the SIOC stuff for distributed conversations. Oh and something needs to be done with the user-dashboard module to support plugging in applications. That may turn out to be using Portlets, or possibly the Google Gadgets / OpenSocial stuff.

After that... well, let's not look quite *that* far ahead just yet.

Syndicated 2008-11-04 04:22:17 (Updated 2008-11-04 04:26:52) from openqabal

So, what's going on with OpenQabal anyway?

Anyone following the OpenQabal project may be wondering: "What the heck is going on? No recent commits to SVN, no blog posts... what's up, is this dead or what?" Well, the answer is "No, the project is hardly dead." It has been on something of a hiatus however, as the main developer is currently running a campaign for NC Lieutenant Governor and has been a touch occupied the past month or two.

Rest assured though, that things will get back to normal. I'm hoping to get some work done this weekend, and once the election is over, the pace should pick up again. Unfortunately the old road-map is totally hosed now, at least as far as schedule goes, so that will need to be re-worked.

In the meantime, feel free to grab the code, experiment, research, submit proposals, patches, etc. And definitely email me with any questions or concerns.

Syndicated 2008-08-13 02:58:47 from openqabal

OpenQabal 0.0.3 available

OpenQabal 0.0.3 has been released and is now available from the SVN repo. As with previous releases, there are not yet pre-built binary releases available... you will have to check the code out from SVN and build it. Thankfully this process is now *much* easier as a result of massive work on the build system and the addition of scripts to automate most of the tedious stuff. You can now essentially build and install OpenQabal with 4 commands.

Changes in this release include:

  • New, more modular build system using Ivy for dependency management and incorporating useful tools such as FindBugs, JDepend, PMD, TestNG, Cobertura, etc.
  • New "User Dashboard" component that provides the main point of entry and ties the various components together visually
  • Concordantly with the introduction of the new User Dashboard, all of the old Sitemesh stuff has been ripped out
  • New configure and install scripts to automate most of the tedious parts of building and installing OpenQabal
  • Addition of many unit tests (we still don't have 100% test coverage, but progress has been made)
  • New "IdentityEngine" component introduced (more on this later)
  • Posting blogs using MetaWeblogAPI now works with the OpenQabal IdentityEngine component
  • Various minor bug fixes and tweaks

This release is a huge step in the direction of having a really usable system, but there is still a LOT of work to be done. Some things that had originally been planned for this release had to be deferred to 0.0.4, with OpenID support being the most notable such item. And of course there are still plenty of ideas on the roadmap that we haven't even gotten started on yet. But we're now in a lot better position to be able to start on some of the more interesting stuff, such as the "distributed conversation" support, tools for building and managing the "social graph," etc.

Look for a new post soon with more discussion of what the roadmap will look like in the near future, as well as some discussion of some of the important changes that did make it into 0.0.3. And with any luck, the long-awaited "demo server" will be coming soon, as well as some screencasts and other ways of exploring OpenQabal.

Syndicated 2008-05-10 22:24:31 (Updated 2008-05-10 22:25:45) from openqabal

2 more tasks until OpenQabal 0.0.3 can be released

Finally getting closer and closer to getting this OpenQabal release out. The last two tasks to do are: A. verify the new SQL which includes a "seed" admin user, and B. get the install/config/uninstall scripts and any utility scripts working on Windows. Most of that stuff is in Ruby so it should be pretty portable, but there are some Bash scripts which will need equivalents written as DOS batch files. Ugh. Still, this stuff should be done soon, maybe tonight, which means the release should happen in the next day or two.

In other news, I've started working on getting setup with Amazon EC2, in order to host a "demo" instance of OpenQabal.

And after that, I think I need to go on holiday for a while. :-)

Syndicated 2008-05-04 21:46:48 (Updated 2008-05-04 21:49:26) from openqabal

29 Apr 2008 (updated 4 May 2008 at 22:10 UTC) »

OpenQabal Update

Ok, the new OpenQabal release that was mentioned a few weeks ago is *finally* imminent. No really, it's coming soon. The big hold-up turned out to be a bit of Roller integration that had been overlooked. Getting single-sign-on and integration with the centralized identity stuff working using Acegi and CAS takes care of web access; and that stuff has been in place for a while now. But at some point we realized that API access for posting new blog entries also needed to be wired into the new authentication stuff. And that's a whole new can of worms.

Basically, deciding to implement that in this release meant moving forward with implementing an initial version of what we're calling the IdentityEngine, which will eventually be the centralized source for all things identity, vis-a-vis OpenQabal. Even for OpenID logins or other logins using an external authentication provider, OpenQabal has to keep track of the fact that such-and-such identity exists, and map it to resources, etc. So getting this piece in place was kind of a big deal, even if this first cut at it is fairly naive.

Anyway, with that in place and API access now working, the last things left to do before a release are basically all "fit and polish" work. Clean up some loose ends here and there, more testing, tweaking the SQL scripts and the install scripts. Oh, and the install stuff needs to be tested on Windows and any relevant tweaks made. At any rate, if things go well, look for the new release maybe this weekend, or early next week.

Syndicated 2008-04-29 04:09:50 (Updated 2008-05-04 21:50:28) from openqabal

Update on my Data Portability presentation @ "Refresh The Triangle"

So apparently there was some miscommunication or whatever, and I'm not going to be presenting at this month's Refresh The Triangle after all. I am, however, now officially "on the hook" to present a talk on Data Portability at the September "Refresh" meeting. The actual date will be Thursday, Sept. 25, 2008. Location TBD, as far as I know. Check the Refresh website for more details.

Syndicated 2008-04-16 19:28:00 (Updated 2008-04-16 19:28:46) from openqabal

Google is now an OpenID provider: Use your Google account to sign into any site that accepts OpenID

It appears that Google is now an OpenID provider, which means you can log into any site which allows OpenID logins using a Google account. This is a pretty big win for OpenID in terms of putting even more momentum behind the protocol. Of course the truth still holds - as said before - that "it doesn't matter if everybody and their brother is an OpenID provider, if nobody allows OpenID logins." But the number of sites that do accept OpenID appears to be growing and an endorsement by Google can't hurt in terms of encouraging others to move in that direction.

Unfortunately this blog itself doesn't actually support OpenID logins, which is something of a bummer. It'll be fun when we reach a point where we can go "self-hosted" using OpenQabal and use this blog as a place to play with some of the new and nifty stuff coming down the pipe. With some luck, that'll happen before the entropic heat death of the universe. <big-grin / >

Syndicated 2008-04-09 04:10:24 (Updated 2008-04-09 04:11:55) from openqabal

The Economist: Social Networks Are Not A Business

Just stumbled across an interesting article from The Economist which makes a case that social networks, ala Facebook, Orkut, Myspace, etc., are not a business. Or rather, that the "social network" per-se is not valid as a business model in and of itself.

From the article:

Social networking appears to be similar in this regard. The big internet and media companies have bid up the implicit valuations of MySpace, Facebook and others. But that does not mean there is a working revenue model. Sergey Brin, Google's co-founder, recently admitted that Google's “social networking inventory as a whole” was proving problematic and that the “monetisation work we were doing there didn't pan out as well as we had hoped.” Google has a contractual agreement with News Corp to place advertisements on its network, MySpace, and also owns its own network, Orkut. Clearly, Google is not making money from either.

Facebook, now allied to Microsoft, has fared worse. Its grand attempt to redefine the advertising industry by pioneering a new approach to social marketing, called Beacon, failed completely. Facebook's idea was to inform a user's friends whenever he bought something at certain online retailers, by running a small announcement inside the friends' “news feeds”. In theory, this was to become a new recommendation economy, an algorithmic form of word of mouth. In practice, users rebelled and privacy watchdogs cried foul. Mark Zuckerberg, Facebook's founder, admitted in December that “we simply did a bad job with this release” and apologised.

Of course the point here isn't to disparage the usefulness of social networks; in fact, the article goes on to elaborate on how ubiquitous social networking (as opposed to "social networks") may become (emphasis added):

So it is entirely conceivable that social networking, like web-mail, will never make oodles of money. That, however, in no way detracts from its enormous utility. Social networking has made explicit the connections between people, so that a thriving ecosystem of small programs can exploit this “social graph” to enable friends to interact via games, greetings, video clips and so on.

Coming up for air
But should users really have to visit a specific website to do this sort of thing? “We will look back to 2008 and think it archaic and quaint that we had to go to a destination like Facebook or LinkedIn to be social,” says Charlene Li at Forrester Research, a consultancy. Future social networks, she thinks, “will be like air. They will be anywhere and everywhere we need and want them to be.” No more logging on to Facebook just to see the “news feed” of updates from your friends; instead it will come straight to your e-mail inbox, RSS reader or instant messenger. No need to upload photos to Facebook to show them to friends, since those with privacy permissions in your electronic address book can automatically get them.

The problem with today's social networks is that they are often closed to the outside web. The big networks have decided to be “open” toward independent programmers, to encourage them to write fun new software for them. But they are reluctant to become equally open towards their users, because the networks' lofty valuations depend on maximising their page views—so they maintain a tight grip on their users' information, to ensure that they keep coming back. As a result, avid internet users often maintain separate accounts on several social networks, instant-messaging services, photo-sharing and blogging sites, and usually cannot even send simple messages from one to the other. They must invite the same friends to each service separately. It is a drag.

Of course this closely parallels what Om Malik was saying a while back in his Are Social Networks Just a Feature? article. Specifically, Om says "It is time to rethink the whole notion of social networking, and start thinking of it as a feature for other online activities."

Needless to say, we here at OpenQabal agree, and are one of a handful of projects working on creating software to support "social networking as a feature." That's not to say that when OQ is finished you couldn't take it, put an instance on the public 'Net, and position it as a Facebook competitor. It's just that we think doing so would be a really bad idea, if you plan to make money.

Syndicated 2008-03-30 09:48:41 (Updated 2008-03-30 09:52:02) from openqabal

30 Mar 2008 (updated 30 Mar 2008 at 08:10 UTC) »

An interesting discussion about Data Portability

If you've been following the whole Data Portability scene with any interest, there's an interesting discussion going on here that is worth reading / participating in. Obviously there's still a lot of disagreement about certain aspects of this whole thing, but hopefully things will coalesce sooner than later and the discussion will become even more pragmatic.

On a related note, I'm tentatively scheduled to present on the subject of Data Portability at next month's Refresh The Triangle event, so any Triangle area folks who are interested, please do come out and take part.

In the mean-time, I have to do some catching up with what the current areas of focus, themes, patterns, etc. are among the players in this space. I'm a little behind on reading the DP list, so it's time to get back into that conversation a little more earnestly. And even more so if OpenQabal is going to implement "Data Portability" (which, of course, depends on what that turns out to be!).

Also, the technical documentation section of the dataportability.org site has some interesting reading for anybody who's trying to understand what this whole discussion is about. In particular, see the use cases section.

Syndicated 2008-03-30 07:03:05 (Updated 2008-03-30 07:13:34) from openqabal
