I would like to know if it’s possible to download a dynamically generated tar file from Trac. In an expertise page on this site I would like to be able to link to the source of the Expertise plugin from within the article itself. When a user clicks on this link, either Trac, Subversion or WordPress should generate the tar file and send it as a download.

In this new article I would like to describe how federation fits in with my ideas.

Additionally, a friend who has been giving me much appreciated feedback on my articles pointed me to an article on the website of his employer. The article he pointed me to had a great vision in it, which overlapped a lot with my own ideas regarding the identity of non-human identities in a computer network. Giving non-human identities a ‘name’, or labeling them, immediately made me think about a discipline that has been keeping me busy for a few years now; Configuration Management (CM), or in a narrower context Software Configuration Management (SCM or also SCCM). It is interesting to see a number of disciplines I know starting to overlap more with IdM the longer I think about the subject.

We’re all United

According to Wikipedia, a Federated identity is:

The virtual reunion, or assembled identity, of a person’s user information (or principal), stored across multiple distinct identity management systems. Data are joined together by use of the common token, usually the user name.

While this may look a little bit like what I’ve been writing about, and while it’s from a technical point of view definitely a step in the right direction I still would like to ask the reader:

• Who owns, or has the exclusive right to alter, your identity attributes in a federated identity management system?

A remarkable trend has grown in the IT industry for many years, and maybe it started with Governments much longer ago, that people’s identity attributes get copied into databases or even assigned to people by the owners of those databases. In the industry this is called provisioning and once a subset of your IA’s has been provisioned into a corporate, government or educational database, said organization treats this copy of your IA’s as if it’s theirs. I recently read a very interesting article titled Google collects data on us where a legal expert answers a question from a reader regarding the collection of data on users. Unfortunately most of my readers won’t be able to read the Dutch. Ofcourse you can read a (not so great) translation on, ironically, Google translate but the main reason for mentioning this article is the quote:

The privacy laws in Europe are the most stringent on the planet, many times more stringent than in the US. Every processing needs permission and that permission needs to be given explicitly. Additionally there must always be an opt-out and you have the right to view any transaction done with your identity attributes.

Fortunately Europe seems to have a tendency to formulate laws extremely well worded which apparently means that nobody understands them well enough to realize that any government, any corporation, any educational institute or any other organization that provisions their identity management system with your identity attributes without explicit permission, the possibility to opt-out, and the right to view transactions is in fact violating European law.

We’re all Individuals

A popular saying is:

The whole is greater than the sum of the parts.

While I believe this is frequently true we sometimes seem to forget that there must be parts first before we can even talk about a whole. A family is composed of individuals. Without individuals there would be no such concept as family. Likewise, an organization consist of, among others, individuals. Without the individuals there would be no such concept as an organization. It would be a typically human thing to say that nothing would exist without individuals but I’ll stop short of stating that because nature does have a way of it’s own to create things without individuals getting involved. So let’s simply state that:

No whole exists without entities defining the whole.

I believe this to be as fundamental a statement about identity management as the one I made in the first article I wrote on Identity Management, “An identity is a finite set of attributes belonging to an entity that make the entity uniquely identifiable.”. Defining the identity of an entity properly is like laying the proper foundation for building a pyramid, you simply can’t start building at the second level and expect to build a pyramid that will last throughout the centuries.

It’s a mighty big pyramid we’ve been building in IT-land for the last couple of decades. Hardly any industry branch can do without it anymore, computers are present nearly everywhere, if only to keep the salary administration. Have we been building a pyramid by starting to build at the second level? I believe so because the pyramid we’ve been building and which we’ve tried to federate into a colossal pyramid by connecting them all together through the internet is cracking at the seems.

Here’s to Rebuilding the Foundation

After writing three chapters I’m quite certain that I’ve lost the ADHD generation so it’s time now to stop writing soundbites and look at this from a more scientific point of view. Newtonian science was a fantastic foundation until Einstein came along and made it all relative. Einsteinian science was a fantastic foundation until quantum mechanics came along and Schrödinger’s cat quantum locked Einstein and most other scientists with absurdity. This doesn’t mean that either Newton, Einstein or Schrödinger were wrong or useless, on the contrary; in their time they were truly giants and I believe they still are. Similarly, the IT foundation we’ve been working on for decades is neither wrong nor useless to keep building with but I believe we have the insights and the resources now to do a better job.

We’re all Objects

Right, that’s why I kept the ‘scientific’ part for the last bit. While being united or being individual, most people don’t like to be thought of as objects. Neither do I, so I was referring to Object Oriented Programming instead. I won’t go explaining OOP but to restate the obvious:

Together the 5 individuals, each having their own identity, make a nice fairly traditional family entity with an identity of it’s own. Similarly:

These 12 individuals and 3 servers make a small although incomplete company; all the individuals have their own identity, under the earlier definition even the servers have their own identity. The company in turn has it’s own identity. Similarly we could define organizations and lots more things having leaf nodes. A federation would simply look like this:

All pretty standard OOP approaches here, this is the intuitive method that got us where we are today which is where companies and organization essentially treat individuals like they are assets to the company and copy the identity attributes they claim to need into their identity management system. The accuracy of the administration depends on the accuracy of the administration staff, whether a company has clear entry and exit procedures for personnel etc. Most identity attributes are typically not under the control of the individuals themselves and frequently there is no way of telling what the identity attributes get used for.

If we do things the following way though:

where the red line is a mere link between the global IdM system and the organization, we could let the individual still control all it’s own IA’s through the global IdM system while organization imposed attributes, which could strictly taken be considered organizational property, are under the control of the organization.

Version Control and CM/SCM

A colleague once described the difference to me as

“Version control is what’s really important. SCM is what your manager wants to know.”

While I don’t neccesarily agree with this there is some merit to this statement as it demonstrates that there’s a clear disctinction between “version control” (how did the data change?) and CM/SCM (who changed the data and why?). I’ve always found it intriguing why there’s a distinction in the industry between configuration management (which is typically about hardware items) and software configuration management (which is typically about software as the ‘software’ part would have you believe). There’s really no difference here in my opinion;

• When we put another harddisk in a machine because the old one is broken, certain kind of organizations require a management approval for this; The machine itself should be updated in the configuration management system to reflect this change. In other words “the data has changed” (version control) and “the manager approved it” (CM), which reads just like:
• When we modify a file that’s part of an application, certain kind of organizations require a management approval to put this file ‘in production’; The application itself should be updated in the software configuration management system to reflect this change. In other words “the data has changed” (version control) and “the manager approved it” (SCM)

Perhaps somewhat unusual, but I prefer to simply speak of CM or Configuration Management and forget about the SCM acronym altogether.

Just a quick intro to whom you are dealing with here.

• student at the University of Twente in The Netherlands
• working voluntarily as a system administrator at study association Inter-Actief for at least four years now.

I dare say I’ve seen quit a few things that can go wrong (very badly wrong too) and the most weird incompatibilities between even relatively similar platforms like FreeBSD and Debian.
Though I’m sure that there’s room for quite the improvement in our network and setup one of the things I find we’ve done quite well at Inter-Actief is our configuration management.

I’ve worked for a few companies in the IT branch over here in this kingdom, ranging from tiny startups to established names in their branch. Though those companies often have complete systems in place for documentation, versioning of code and any other expensive solution you can imagine it seems impossibly hard to find a company that applies that same idea to configuration management.

The idea

SCM (software configuration management) or SCCM (software configuration and change management) is:

• a method for organising,
• maintaining
• and tracking

all kinds of configuration changes, from updates pushed to clients to web-server configuration to pushing settings to a mobile device.

Though it can be extremely complex and very powerful to have such a solution in place most companies don’t see the need for it, don’t understand the need for it or just don’t want to spend yet another couple thousand euro’s on yet another toy for the tech-guys.

Another quite valid point made by Fred was that SCCM makes changes, every change, from top to bottom traceable, which some companies might not be all to comfortable with, it makes it easier to blame someone for a mistake too (and the manager who ordered the change).

I’ve personally encountered quite a few situations where for numerous reasons changes were made to a corporate environment which after being live for a while turned out they had broken other features of the corporate intranet or even exposed parts of it to the outside world.

Such errors happen and the consequences can be quite nasty for a company, for the poor guy or gal who made the changes. But more important in such a situation is the ability to respond rapidly, to revert the changes and then asses what went wrong and try again.

This is basically what I will try to focus in in the coming ramblings about SCM, why use SCM, how to use it, when to use it and a simple way to implement is.

Mindset

The main problem with most companies is that they don’t see the need for SCM to begin with. Because, really, we’ve got our IT-guys in the basement, they’ve configured everything, it works and because we are such an awesome company and can see in the future we’ve set up an environment which will last for at least 10 years.

Time to wake up here, that dream, ain’t gonna happen. Just as the market and the world changes, you adapt to it, and so will your environment because it will need to meet new demands by your workers. Long story short, an IT-environment is as dynamic as the company itself and just as it is important to know which changes are made to products, to visions, to a direction you’re taking it is important to be able to see which changes have been made to your IT infrastructure, what triggered them, how it has grown and possibly what went wrong where and learn that lesson.

Just to put everything into place, let’s start with a few usecases, shall we.

Welcome to Peapl, a company specialising in educational software and social engineering solutions. It has about a hundred servers ranging from content-servers, to their corporate intra- and extranet, mail-servers, a few PBX’es and so on.

Recently the company has started to use IPv6 internally as a test-phase and some changes were made to the webserver configuration to accomodate that. Though everything seems fine, a few days later someones discovers that a part of the intranet is behaving oddly and, total disaster the intranet is accessible without having to provide authentication credentials.

In such a case, the first thing you want to do is

• roll back to the ‘last good known working configuration’ and after that has been handled
• start looking for what caused the problem.

But… oh dear, where did the old configuration files go? Didn’t you create a backup? Didn’t you copy the old configuration file to the same dir in case something went wrong? Of course you did but when all seemed to be working these reserve copies were removed…

Such situations are far more common than you might think. Especially when you’re working with multiple people on some configuration changes in a big environment, a simple miscommunication can be enough to cause quite the trouble.

Another case… You’ve just tested an update in you test-environment and have made the necessary changes to the production environment to push those changes to all clients involved, say a Multivers client update to the financial department.

Next morning, their manager calls, complete disaster, the update failed, some licensing issue, now the financial department is in lockdown and they can’t do anything. Oh shi-.

In that case, it would be extremely useful if with just a few commands you could:

• revert the update
• get the old configuration for that application back
• and just tell that poor manager that the update has been undone, if everyone would be so kind to reboot, the problem will be fixed.

More importantly, it gives you the possibility to see what was changed and how that could’ve caused this problem.

Another example, but now the other way around. What better way to introduce someone to your network, explain how it works and how it has changed than having access to a history of your network configuration and changes through your SCM? Just dig in, map it out and you might actually be able to find some problems before they even occur just by connecting the dots and thinking about each consequence a change brings with it.

Sounds good, doesn’t it?

Ah, but there’s a catch. As I said earlier, most companies don’t see the need for such a solution. SCM requires a certain mindset. SCM is not some for of wicka which can do all this automagically, it doesn’t require a robe and wizard’s hat. It does however require a certain precision and the habit of documenting your changes and making sure that changes are put into your SCM solution.

Unfortunately, SCM is most often deployed as a counter measure, when it’s gone wrong a few times or it’s become clear that changes are so difficult to implement because no one actually really knows how everything works anymore and is afraid to touch the system because it just might blow up. SCM is then often forced upon a department, which makes it that more irritating because suddenly you have to accomodate to this new SCM thing and change your working habits to suit it.

Starting with SCM

The best way to start with SCM, in my opinion, is to start small. Even though it might seem completely useless in a small environment it’s the habit that matters. Getting that routine in your head that when you make changes, you document, immediately and completely. Already having such a system in place makes it a lot easier for new people to get started with that routine than when it is later on forced upon everyone from the top.

Personally I’m a bit of an over-achiever when it comes to SCM. I track anything and everything, from our servers at Inter-/Actief/ to my own server in Amsterdam, my gateway at home, even from my phone I can pull up a complete history of changes. And the weird thing is, I actually get frustrated when a SCM solution is not available, because my routine is so used to it.

So, how do we do it, this great SCM thing?

Well for starters, we need to find a solution that

• implements SCM in a way we like
• which suits our network and method of work
• preferably doesn’t cost a lot
• is relatively simple to implement in our current infrastructure
• works with all the different platforms involved

Good luck finding one… we couldn’t. The problem with pre-made SCM solutions is that they often target a certain type of network or platform. Microsoft has it’s big SCCM but try to get that to work with a Unix machine. Similarly, most providers of SCM solutions assume a certain network topology, platform prevalence or want to sell you a complete solution integrating with other products of theirs…

For those exact reasons we decided to create our own SCM. But instead of writing it from scratch we decided to use something freely available, a version control system. It gives us all the nice features of being able to track configuration changes, get full histories and diff’s of those changes, mapping it out, seeing relations between a configuration file and another and since al major version control systems support hooks it gives us the ability to do all kinds of things once we make changes to a file, from logging it to a central facility to getting all clients involved to pull a certain change-set to them to update their configuration with.

(to be continued…)