1 of 8

Making a group system plugin

Colby Ranger (Google)

2 of 8

Previous Design

  • Tightly coupled with the internal Gerrit account and group system.
    • Groups were referenced by database ID number
    • Not extensible!
  • Many assumptions in the code base
    • groups can quickly return all members
    • users can quickly return all member groups
    • groups can hold arbitrary properties i.e. CLA

3 of 8

Motivation

  • Google has many internal group systems
    • LDAP, Google Groups, and 2 others
  • Limited API efficient enough for user facing requests
    • Unable to retrieve all groups -- there are too many
    • Unable to retrieve all groups for a single user -- there are still too many
    • Can only efficiently determine whether a user is a member of a known group

4 of 8

@ExtensionPoint
public interface GroupBackend {
  boolean handles(AccountGroup.UUID uuid);

  @Nullable
  GroupDescription.Basic get(AccountGroup.UUID g);

  Collection<GroupReference> suggest(String name);

  GroupMembership membershipsOf(IdentifiedUser u);
}

5 of 8

public interface GroupMembership {
  boolean contains(AccountGroup.UUID groupId);

  boolean containsAnyOf(
      Iterable<AccountGroup.UUID> groupIds);

  Set<AccountGroup.UUID> getKnownGroups();
}
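
Added example (not from the original slides and not Gerrit code): a membership object shaped like GroupMembership for a backend that can only answer "is this user in this known group?", as described under Motivation. It assumes String in place of AccountGroup.UUID and a hypothetical RemoteGroups client; a failed lookup denies membership and is not cached.

```java
import java.util.*;
import java.util.concurrent.ConcurrentHashMap;
// Added example, not Gerrit code. String stands in for AccountGroup.UUID;
// RemoteGroups is a hypothetical client for the external group system.
public class LazyMembership {
  interface RemoteGroups {
    boolean isMember(String user, String groupUuid) throws Exception;
  }
  private final String user;
  private final RemoteGroups remote;
  // One cached answer per group, so each remote check runs at most once.
  private final Map<String, Boolean> cache = new ConcurrentHashMap<>();

  LazyMembership(String user, RemoteGroups remote) {
    this.user = user;
    this.remote = remote;
  }

  public boolean contains(String groupUuid) {
    Boolean member = cache.computeIfAbsent(groupUuid, g -> {
      try {
        return remote.isMember(user, g);
      } catch (Exception e) {
        return null; // lookup failed: cache nothing, deny below
      }
    });
    return member != null && member; // fail closed on errors
  }

  public boolean containsAnyOf(Iterable<String> groupUuids) {
    for (String g : groupUuids) if (contains(g)) return true;
    return false;
  }

  // Only groups confirmed so far; the full list is too large to fetch.
  public Set<String> getKnownGroups() {
    Set<String> known = new TreeSet<>();
    cache.forEach((g, member) -> { if (member) known.add(g); });
    return known;
  }

  public static void main(String[] args) { // constructed sample data
    LazyMembership m = new LazyMembership("alice", (u, g) -> {
      if (g.equals("uuid-flaky")) throw new Exception("backend timeout");
      return g.equals("uuid-dev");
    });
    System.out.println(m.contains("uuid-dev") + " " + m.contains("uuid-flaky")
        + " " + m.containsAnyOf(List.of("uuid-ops", "uuid-dev")) + " " + m.getKnownGroups());
  }
}
```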

6 of 8

Code!

A simple group plugin to interact with the group system for a premier Google Apps domain, using the Provisioning API

7 of 8

Plugin Pain Points

  • Dependencies are shared with Gerrit
    • Rebuilt API libs with compatible version of Guava
    • Copied libs directly to the <site>/lib directory
  • DynamicSet silently throws away all construction errors.

8 of 8

Reference