1 of 8

Making a group system plugin

Colby Ranger (Google)

2 of 8

Previous Design

Tightly coupled with the internal Gerrit account and group system.

Groups were reference by database ID number
Not extensible!

Many assumption in the code base

groups can quickly return all members
users can quickly return all member groups
groups can hold arbitrary properties i.e. CLA

The previous group system design had a few shortcomings

Groups and Accounts were tightly coupled with the internal Gerrit database
Groups were referenced by database ID number
This made it very difficult to extend to other group system
The LDAP group system actually wrote entries into the Gerrit Groups Table in order to generate a unique ID for a group that could be used like any existing internal group.
This simply does not scale

Furthermore, the code the used the group system assumed

all the information, including all of the members was quickly available
that you could go for users or groups to check memberships
and that group could have arbitrary attributes

I didn't really fix the arbitrary attribute problem, I just made a group itself the attribute and your member in that group indicate the property being set. For the CLA groups, we explicitly list them in the gerrit.config and require an explicit list of groups that have accepted the CLA.

3 of 8

Motivation

Google has many internal group systems

LDAP, Google Groups, and 2 others

Limited API efficient enough for user facing requests

Unable to retrieve all groups -- there are too many
Unable to retrieve all groups for a single user -- there are still too many
Can only efficiently determine whether a user is a member of a known group

4 of 8

API - GroupBackend

@ExtensionPoint

public interface GroupBackend {

boolean handles(AccountGroup.UUID uuid);

@Nullable

GroupDescription.Basic get(AccountGroup.UUID g);

Collection<GroupReference> suggest(String name);

GroupMembership membershipsOf(IdentifiedUser u);

}

5 of 8

API - GroupMembership

public interface GroupMembership {

boolean contains(AccountGroup.UUID groupId);

boolean containsAnyOf(

Iterable<AccountGroup.UUID> groupIds);

Set<AccountGroup.UUID> getKnownGroups();

}

6 of 8

Code!

A simple group plugin to interact with the group system for a premier Google Apps domain, using the Provisioning API

7 of 8

Plugin Pain Points

Dependencies are shared with Gerrit

Rebuilt API libs with compatible version of Guava
Copied libs directly to the <site>/lib directory

DynamicSet silently throws away all construction errors.

8 of 8

Reference