Combine CERN HR logic with internal life-cycle #844
Conversation
|
Schema that trues to describe the new logic |
enricovianello
force-pushed
the
fix-hr-lifecycle-handler
branch
from
5443d36
to
21ee0c1
Compare
|
@giacomini I'm not sure what's better between adding into the logic the delete of the unused action label (db is not involved is label doesn't exist) https://github.com/indigo-iam/iam/pull/844/files#diff-73664991d3c69420bd0bdde5aa47020a0e11cdb51168ffa015a974685bcce26fR213 and launching a script that deletes every action label for each user. Another solution could be remove the delete I added into this release and add a proper migration within next release, because next release will contains several db migrations. |
There was a problem hiding this comment.
@enricovianello thanks for quickly implementing this! And thanks for the explanatory schema! I think this logic cleanly solves both the grace period issue and "accounts getting suspended when they change institutes' issue. And the new status labels are much more descriptive than the previous ones.
Thanks @balciiberk :)
What do you think? CERN HR lifecycle handler v2-updated.pdf (Update) we could define another status "NOT_FOUND" to make it different from an API error |
|
@enricovianello This makes sense in the case that the error is "null VOPerson record obtained". But when there is another error returned from hr-db-api, this can create problems. For example, if the hr-db-api is down for some reason, it would return error to all of the users and it would start the suspending grace period for all of the users. If we separate these 2 kinds of errors and change the endTime on only the error "null VOPerson record obtained", and don't touch the endTime on any other error, it makes sense I think. |
In case of down we cannot reach the code that updates the endTime so this problem should not exist...
..but keeping different statuses surely reduces the possible errors! I updated the logic: CERN HR lifecycle handler v2.2.pdf I highlight in this schema also the raised events. I added also the logic necessary to avoid event spamming when values are updated with always the same value. As you can see the cases when the endtime is updated are:
I'm wondering if the update of timestamp label for every account each time the handler runs makes sense (it means hundreds of useless AccountLabelSetEvents). |
Update end-time with CERN HR voPerson participation endDate value
Events raised only if the update is effective
enricovianello
force-pushed
the
fix-hr-lifecycle-handler
branch
from
7485a41
to
b36428a
Compare
|
In this case, logicwise everything looks good to me!
I agree. If this value isn't used somewhere else, I don't think we need to know every account's last updated time. Seeing that the lifecycle ran from the logs is enough I think |
|
Schema with latest updates: |
|
Updates on label logic:
hr.cern.cern_person_idcontains CERN unique identifier of the userhr.cern.ignoredis used to exclude a user that has acern_person_idfrom updating his personal data (given name, family name and optionally email) and his membership end-time from the data retrieved from HR database; this means, for example, that administrators have to manually manage his membershipendTimeto avoid suspension;hr.cern.timestampvalue was used to express the last time HR handler has run. Due to the fact it was updated each time the handler runs, also triggering anAccountLabelSetEvent, it was removed. We can rely on LOG to understand when the handler runs;hr.cern.statuscontains the current status of contacting the API for that user; possible values are:IGNOREDused when labelhr.cern.ignoreis present;ERRORin case of failed connections to HR API or null VOPerson record obtained;NOT_FOUNDin case HR API record is obtained but no experiment participation is found at all;MEMBERwhen API returns a VOPerson record not null and the participation to the experiment is found and the expiration date is still valid (not expired);EXPIREDwhen API returns a VOPerson record not null and the participation to the experiment is found but it has expired;hr.cern.messagecontains more details about status value;hr.cern.skip-email-synch, if set, is used to skip email update from HR record;hr.cern.actionhas been removed.New CERN-HR-lifecycle-handler logic doesn't suspend users. It relies on the other internal
expired-accounts-handlerlogic. But it still restores users those have been suspended by theexpired-accounts-handlerbecause of the end of suspension grace period.This means a grace period is now applied for CERN profile.