RE: [DISCUSS] - Retire OpenAz?

["Sinnema, Remon" <remon.sinnema@emc.com>]

Hi Carlos,

You say that the XACML specification makes for good bedtime reading since it knocks you out quick. What would have to change to make it read better? If you can give me some ideas I can bring them to the XACML Technical Committee and see what we can do. Also, what other documentation aside from the specification itself are you looking for?


Thanks,
Ray


-----Original Message-----
From: Carlos Perez [mailto:carlos_perez@ultimatesoftware.com] 
Sent: dinsdag 9 februari 2016 0:31
To: dev@openaz.incubator.apache.org
Subject: Re: [DISCUSS] - Retire OpenAz?

It's only my opinion but I do think David makes some good points. One point in particular is just the lack of devs really even knowing what XACML is, or what it's for.  I myself didn't know what it was about until about 2 years ago, and only because I have a particular interest in security and access control did I go out in search for an alternative to some other XACML implementations. Some that would not share even the slightest amount of information before they get you into a hour+ long phone call to "find out your needs".  That said, I think it's still a little harsh to say that I have been writing software that "sucks", but I'm going to take that with a grain of salt and say it was for dramatic effect. =o)

All that said, one major item of interest to email from David was his mention of a PR, and then I remembered this. https://github.com/apache/incubator-openaz/pulls

Now I'm not sure if this counts as activity, nor will I even try to qualify this as a community, but there are now 3 pending PR's dating back to December 3rd, 2015 that's. Well it's something.  Anyway, I know the AT&T group has been a little incommunicado but they are the best people to put SOME kind of docs put there, even a video of how to download/setup/and run would be a start.  I know the lack of docs has been my biggest weakness but so far I've been trying to learn via YouTube videos and reading what I can of the spec (good bedtime reading BTW, knocks you out quick).  I know that Colm (I think it's Colm) did some write up recently which was an attempt to show OpenAz used in an app, it was lite but still a start.  

Any who, this emails gotten a bit long so I'm going to cut it off here, but I would like to see David's port of the AT&T admin portal (I think that will really help), and if possible could Colm reply back with his write up??

Regards,

Carlos


On 2/8/16, 5:02 PM, "David Ash" <green.neon@gmail.com> wrote:

>I have submitted a pull request for my port of the Admin interface.  
>I'll check what other changes were made and see what else I can submit.
>
>BTW, although I had previously worked for AT&T, including working on 
>software that interacted with AT&T's original XACML engine, I no longer 
>work for AT&T.  My interest in this project came from my desire to have 
>a RESTful API for XACML authorization, I found this project via Google, 
>and my contributions to this project are my own.  In this regard I am a 
>truly independent contributor.
>
>On Mon, Feb 8, 2016 at 2:42 PM, David Ash <green.neon@gmail.com> wrote:
>
>> I think it hasn't seen much activity over the past two months because 
>>it's  been a holiday season.  I know most of the AT&T people take most 
>>of  December off (once upon a time, I was one).
>>
>> It has a lot of work to be done before it's functional and even 
>>remotely  mature, and we're not going to see a lot of outside interest 
>>until it gets  there.
>> * The Admin part is crucial, and it hadn't even been ported over (I 
>>ported  it myself, still need to fork in github and do a 
>>pull-request).
>> * There's a shortage of documentation.  To the point that it's unusable.
>> * It's complicated enough that its difficult to come up with the  
>>documentation.
>>
>> Now, sure there seems to be a shortage of interest but I say give 
>>that  time.  XACML is not a thing of the past, it's still part of the future.
>> Organizations and software developers are still slowly moving to 
>>XACML
>>--
>> it is the best authorization solution in existence to my knowledge, 
>>and  fits nicely into a modern auth stack with SCIM, JSON Identity 
>>Suite, OpenID  Connect, and OAuth.  (  
>>http://www.slideshare.net/nordicapis/1415-twobo-nordicap-istour
>> ).  Most developers still aren't using an external authorization 
>>solution  because they are building highly-coupled monolithic software 
>>that sucks.
>> And honestly, there aren't a lot of other free open source options.  
>>The  only alternative I see that is any good is WSO2's Identity Server 
>>(which is  vastly superior to this product, but hey that's an 
>>opportunity in some  ways).  If this project really succeeded, it 
>>would at least allow  developers of open source systems to build 
>>better, more modular software.
>>
>> The main problem I see is that AT&T still has most of the knowledge 
>>and is  able to put very little effort behind it.  We need Pam's team 
>>to write up  some high quality documentation (particularly for the 
>>API's) and release  that information.
>>
>> The other problem I see is there's kind of a lack of vision as far as 
>>I  can tell.  We need someone in the lead that has the time to craft a 
>>vision  for what this product should really be.  When you look at 
>>WSO2's Identity  Server, you immediately start realizing the 
>>possibilities -- things that  this project haven't even touched yet.
>>
>>
>> Thanks,
>>
>> David Ash
>>
>>
>> PS. I'll put in a pull request for my port of the Admin interface.
>>
>>
>>
>> On Mon, Feb 8, 2016 at 9:59 AM, Emmanuel Lécharny 
>> <elecharny@gmail.com>
>> wrote:
>>
>>> Le 08/02/16 16:53, Carlos Perez a écrit :
>>> > Hi guys,
>>> >
>>> > While I completely understand the reasoning for the discussion to
>>>retire
>>> > OpenAXZ, and to be completely honest I was surprised it took this
>>>long),
>>> > it would be a real shame to see it just fade away into oblivion.
>>>
>>> I Agree.
>>>
>>> >
>>> > That said, what does happen when a project never makes it to a TLP?
>>>
>>> From Apache POV, not a lot. We just shut down the mailing lists, and 
>>> close the repos (no more writes allowed).
>>>
>>>
>>> > Does
>>> > it have a chance to be resuscitated later if it is deemed 
>>> > worthwhile
>>>and
>>> > has more interest?
>>> It's always a possibility. A very remote one, I have to say. The 
>>>fact  that in almost 2 years the project hasn't be able to attract 
>>>any new  contributors, and that almost no activity has been seen from 
>>>the initial  contributors make it unlikely that the project could 
>>>make a come back.
>>>
>>> In 10 years, I haven't seen that happen. Not once.
>>>
>>>
>>> > Does the license revert back to AT&T?
>>>
>>> Good question. I can ask legal@a.o about that. The fact that it 
>>> didn't make it to a TLP might be relevant. For TLPs, the code base 
>>> has been granted to The ASF and remains so, same for the name.
>>> >
>>> > XACML is a complicated spec and I can¹t say that I fully 
>>> > understand
>>>it
>>> > yet, but I think it solves a real problem (I just regret not 
>>> > having
>>>the
>>> > time personally to help push it along).
>>>
>>> That's the main issue : the fcat that it's a complex code base might 
>>>be  intimidating for many of the potential users. But IMHO, would it 
>>>be  really a critical brick of many IT systems, it *would* have 
>>>attracted  developpers. That raises the question of XACML as a useful technology.
>>> It as been around for more than 10 years now, and I'm not sure that 
>>>it  captured a lot of interest. But that may be just me... (and I 
>>>*think* it  could have been a big hit years ago. Not so sure 
>>>nowadays.)
>>>
>>> Thanks !
>>>
>>>
>>


This e-mail message and any attachments to it are intended only for the named recipients and may contain legally privileged and/or confidential information. If you are not one of the intended recipients, do not duplicate or forward this e-mail message.