Managing Identities: LDAP, Google Directory, and Django

Video in TIB AV-Portal: Managing Identities: LDAP, Google Directory, and Django

Formal Metadata

Managing Identities: LDAP, Google Directory, and Django
Title of Series
Part Number
Number of Parts
CC Attribution 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Release Date

Content Metadata

Subject Area
Universities and other enterprises often deploy a complex mix of systems for managing identities and permissions for students, faculty and staff. Standard LDAP, Google Apps for Education/Enterprise, Student Information Systems, hiring systems, CAS/Single Sign-On, and more must all work together without conflicts or delays. At the California College of Arts, we've created a Django-based system to help end-users and staff create and manage identities, passwords, groups, permissions, and more. Scot Hacker will demonstrate the system and provide a tour of its strictly decoupled internals. The system is unusual in that it uses almost no data modeling of its own, relying instead on communication via python-ldap, Google and Workday APIs, and old-school file shuffling to negotiate communications with other systems.
Guys, it's been fun over coffees and lunches and dinners discovering how many of you work with Django in academia. It's something I sort of came into by default in academia, but in other roles I have had to champion and push for it, so seeing how many of you have had success in general enterprises is pretty exciting. I work at the California College of Arts, currently working on the portal system, but before I could build that I had to build a big identity management system, and I'll get to what that means exactly. These slides are at this URL if you're tracking them down later. So, quick notes first. When I gave this talk at the SF Python meetup, one piece of feedback I got was that there was too much code walkthrough, and so I was going to eliminate a lot of code. Then people said that when you find the slides six months from now, you want the code in there. Good point. So what we've done is moved most of the code samples to the end of the slideshow, so they're there for future Google searches, and I'll touch on those briefly here. So California College of Arts has two campuses, Oakland and San Francisco. It's a relatively small campus, about 20 200 students, hundreds of faculty and staff, and, as a lot of you are probably familiar with, an IT system spread across decades and dozens and dozens of systems that don't talk to each other, some of them modern, some of them legacy, some of them with APIs, some with no APIs, but somehow I've got to glue it all together.
Like most campuses, we have lots of externally and internally hosted web systems, everything from Moodle, the learning management system, to VoiceThread for collaborating on art projects in real time, Symplicity for selecting housing, PaperCut for the art students to print their work, MediaCore for sharing large media, razor's edge of balls, WebAdvisor for course selection. One way or another, everybody needs to get into these systems, needs to be able to find them, and needs to have a central and unified identity. So we have to get this right, and there's a lot of mission-critical weight leaning on this project. It all comes down to LDAP in the end. We had a traditional LDAP server, which we recently migrated to Fedora 3 9. We're also a Google Apps school, so everybody has Google Mail and Docs and Calendar. Then there's the SIS, the student information system, which is currently Datatel Colleague, which is a very old and cranky legacy system that I found a really elegant way to talk to. And then recently there was the introduction of Workday, which is the human resources system and will later replace our student information system. When people log into all of these external systems, you never want to go through the process of making them register and sign up for an account, so instead we hook up something called CAS, a centralized authentication service, common on campuses. CAS in turn talks to LDAP. So if you try to log into Moodle or a WordPress site or whatever, you're taken straight off to CAS, CAS asks LDAP whether you are who you say you are, and sends the token back. The systems are set up so that whoever CAS says is OK is good, and they create an internal account for them there on the WordPress or Moodle or whatever it is, and
so this system that we need to build. A new day by the way that familiar to anybody we'll Daniel Johnson just around the block is this neural on the corner of a Russian called how are you. So the system we need to build would do things like activate new student accounts: you've been accepted by the campus and you're given an ID, and now you need to create this account that will follow you throughout your campus experience. We also have newly hired faculty and staff who are coming through Workday, and they need to do the same thing. Staff people need to change their own passwords, staffers need to change passwords for people, contractors need accounts, we need to set LDAP entitlements so that so-and-so can use the big fancy printer, and we need to set Google organizational units, because we're using the Google admin API as well. The super users need to be able to edit raw LDAP fields: enabling and disabling accounts, email aliases, delegated accounts in Google, LDAP groups, all kinds of crazy stuff, and it all had to be done from this one central place. So the experience of this for a student is that they can change their password and they can activate an account. The experience of it for logged-in users is that they can change their own password. But the experience for help desk is a whole bunch of powerful tools and utilities, and for super users even
more of them. Now, because when you authenticate, CAS is going to create a shadow account in that system (that's the CAS standard), you need to be mindful that whatever usernames are going to be created in LDAP need to conform to the lowest common denominator of systems. So while Google may allow a 48-character username, the old Datatel system is not going to allow even in the so you need shrink dancing with diacritical characters in foreign courtesy the service. Survey all the campus systems: what are the lowest common denominators that we're going to allow into LDAP? The passwords are not an issue, because those are all handled in LDAP; you log in through CAS and I 1 of his stories will pass through that system anyway. So just a quick workflow of the process of activation. This is the Django-based system over here. Also the hired Workday in the maze: they come in and verify the account against Workday. Once it's verified, they select a username and password, now we can create a Google account, and then we need to get the new user's email back into Workday or back into Colleague, depending on the type of user that is. That's a lot of steps
that we need to keep track of, and we have various permission levels. So now a little bit of what this system ended up looking like. The activation paths for students vs. staff and faculty start differently: students are validated against the student information system, the legacy system, and staff against Workday, but they both do the same username and password selection. So there are two different forms up front and one shared form after that, doing all of this stuff. And so there's the name. Previously we went with the old first-initial-last-name thing, but the namespace is running out (we've been around for a few years) and people want more flexibility. But we don't want to give infinite flexibility, because people can find innumerable ways to create offensive words. So what we want to do is, if your name is Django Reinhardt, we would provide you with a prefab list of usernames that are guaranteed to exist in LDAP. So there's some Python code to come up with these variants. If you have a nickname, we allow you to put that in there as well. So I've been working on Django projects and Ford's ever since 0.96 and have now worked on a dozen major ones, and the one thing they all have in common, and the thing that most of us love about Django, is how amazing it is at managing data, and this philosophy that you start with your data modeling, get it right, and everything flows nicely from there. The really big difference with this system is that it didn't store any data internally; it's all about talking to external systems. So that's the first big Django project I worked on that really wasn't about internal data management at all, of largest minimal Django auth systems. I put dotted lines around these: TMI is a semi-exception I'll talk about. The systems we were talking to have APIs, we're talking XML, and we're also doing the CSV shuffle into and out of legacy systems. And because we're getting rid of a lot of the things that Django traditionally does, the ORM namely, there's a lot less boilerplate, a lot less stuff you can find in the Django docs, and you're writing a lot more raw Python. Then there are these permission tiers: the typical anonymous user, logged-in user and super user, and then people who are in the group help desk. So this is where the permissions become interesting for these help desk users, because it's not the usual "if user can edit books" or "user can create analyze the" or whatever; the permissions we need were based on your group membership. I can't believe I never hit upon this one before, but it turns out there is no native decorator or template tag to determine if a user is in a group. This seems so basic. I would like to contribute that to Django; I will talk to some of the committers and see if there's a use case for it, because I think there is. So I ended up rolling my own template tags and decorators to determine group membership and handle it accordingly. The code samples for that are in the appendix to this presentation if you want to check them out, but it's not that complicated
or difficult, but it just seems like the kind of thing you would get by default. So then the question is: if you're not using the ORM, which is sort of the core, why use Django at all? What's left over? Well, actually, lots. There's still the enforcement of clean structures and styles of system architecture. Form validation was huge; there's a lot of form validation. Usually you work with model forms, but in this case they're just raw forms with really crazy validation methods that were calling out to other systems and verifying your birthday, doing the same stuff you always do in form validation, except more complicated. Django provides you nice URL routing and the templating system. The session framework is used quite a bit, because we've got multiple forms and we're trying to save state between these two forms. And then there's the whole batteries-included aspect of the Python and Django ecosystem, and being able to pull in common libraries like django-cas-ng, which allows a Django app to talk to these CAS servers. So, student information systems: there are lots out there, and most of them are really old, janky, cranky and impenetrable proprietary systems. Ours is Datatel, and it has more than 800 tables, and they're mostly poorly designed, with no enforcement of schemas and no API, which is really different from when you create Django models and it creates a beautifully designed database. So I really, really didn't want to do everything with CSV shuffles. I wanted to find a way to interact with this legacy system through the ORM, and I had one ace in the hole, which is a system called TMI, which stood up a MySQL layer in front of the student information system. It was read-only, so I can't write to it, but I can at least get data out. So what we ended up doing is the typical multiple-database approach: here's my local Postgres, and another one is defined on a remote host as a MySQL
server elsewhere. And then there's this wonderful command, inspectdb. A lot of you may have seen it: you point your Django instance at an external database and it does its best to introspect it and figure out what its models would be. It's not perfect, but it works well. It works on the default database, so you temporarily switch your default database and run that management command, and in my case you could literally go get some coffee while the thing runs. It spits this out in a multi-megabyte text dump, and a lot of that is secure, sensitive information which I do not want to risk exposing in my app. You don't have to take the whole thing; I was able to just copy and paste bits of that out of the dump file and bring them into my app, not putting the dump file in version control, because we just never want to risk that information going out. Once I had copied and pasted just the basics that I needed, I brought them into my app. A couple of things to note about this: when you're writing models you can actually specify the column that a field maps to, so these are its internal names, but I can use nice lowercase names. And in the Meta, managed equals False: this tells Django that it's a read-only database it's talking to, so it's not going to try to migrate it or try to do anything fancy with it, and it's aware of it. And then on the person master I can even write my own model methods and my own string representations, etc.
So this query doesn't look like very much, but holy crap, I'm able to do ORM queries against this legacy information system. That was pretty exciting, and it opened up all kinds of doors for us. So that's great, except next I went to run my tests and they crashed and burned, because this is a little bit of an outside use case for Django, and it doesn't really know what to do when you're talking to read-only databases: when you run tests it wants to create a copy of each database on the same database server, and it doesn't have write access to do that. So it turned out to be a number of steps to get around this problem. First of all you want to create a separate settings file that's just invoked when you're running a test, so when I run my tests I'm specifying the special test settings file. In that I created a separate list of test databases, which were similar to the original ones except the remote one was specified as a local Postgres table. I also had to tell Django in the test runner that the previously defined external databases, which were unmanaged, are now treated as managed. The result is that when I run the tests, instead of looking at that remote read-only MySQL database, it tests against a local Postgres one. That was way too hard, and I wish Django had helped me more with that, but in the appendix you'll find an example of that sample test settings file that I used to get that all working. I'm not going to go too deep into LDAP; it's a pretty arcane language. You're spoiled by working with the Django ORM, by how easy it is to read and write data and deal with relational data. LDAP is not a relational database, and there's a lot of fancy terminology. There is a library called
python-ldap, which I'll come back to in a second, which simplifies querying LDAP, but it's definitely the ORM. It turns out that those calls required quite a bit of code, and I didn't want to litter my views with that code, because they were really view code. What I really wanted was for my views to handle the request/response life cycle for the user's web interaction, and the interaction with LDAP would happen through an external library. So I'm writing a pip-installable library with all of my code for creating users and managing groups and managing aliases, etc., and then with just one call I can get a True or False from that. That became an interesting question with those functions: should they return True or False, should they return the new object or False, or should they raise an exception or True? It was kind of case-sensitive; I made different decisions in different parts of that, but this is not finished, it's a work in progress. It also includes similar functions for interacting with the Google APIs. I was thinking maybe there are campuses out there who could use something similar, and I want to invite campuses to collaborate with us on this, on an interior fork and you pull requests, or you may determine that the stuff in this is too specific to our campus and you need something different, so feel free to fork it. There's the URL, so if you want to join me in this project, please do: CCA utils. So just an example of the kind of functions that are in that external library: this is, in python-ldap speak, a function that will take a dictionary of properties and create an LDAP user out of it. Once that's defined and imported, from within my view, if the form is valid, I can do as a one-liner "if LDAP create user" with the dictionary of arguments, and then display whatever. So it really cleaned up my view code of the hassle. So python-ldap, Lightweight Directory Access Protocol:
I had to forget everything I knew about relational databases. One of its really frustrating points, and a great example of this, is its inability to do reverse lookups. Given an LDAP group, I could really easily get a list of its users, but given an LDAP user, there's no way to get a list of the groups that they're in without going through all the groups and iterating over them. There is apparently an LDAP plugin that the sysadmin can configure, but it doesn't come out of the box in our system and wasn't on for this project. So python-ldap provides us some basic write operations, which makes this very quick and easy, but building these models in particular, how to construct those, took a lot of trial and error, and you'll see examples of those in the CCA utils. We had this talk yesterday from Russell Keith-Magee about the new Meta model interfaces, and wouldn't it be awesome if somebody took that new capability (famous slide, whatever) and wrapped it around LDAP, so that we could use some ORM-like syntax through the ORM itself to speak to an external LDAP system, because this is seriously how I felt compared to how I was used to feeling. So I went into the project committed to Python 3; greenfield projects should be on Python 3. But it turned out that Google's Python client library for the admin SDK wasn't yet Python 3 ready, and I was really dependent on that, so I was stuck with Python 2. There is a totally separate LDAP library for Python 3 called ldap3; the syntax is different, and it's not a drop-in replacement. Fortunately Google did update their Python API client library to work with Python 3, right at the end of my project, as I was out of time and couldn't switch. So I was frustrated, especially for reasons like this, because LDAP expects UTF-8 encoding everywhere, and
so my code is littered with these stupid .encode things. In Python 3 it's no big deal, everything is Unicode, so that would not have been necessary, but maybe next summer. Also here's an example of conducting a simple LDAP search, and the syntax is not too horrible. One of the interesting things that came up: there are a lot of stakeholders in this project, a lot of people who want to keep track of what's going on. They want to know every action that's taken place in the system that modifies data in any other system in any way, shape or form, and they want to know who committed that action, at what time, and whether it was a success or a failure. Rather than just a typical log, that was kind of a perfect opportunity to use the Django admin. So it's a simple logging utility, a function to call, and now any stakeholder on the campus can filter in the admin by LDAP, Google, Workday, and by successes and failures, and they can search for usernames and things. There's also anonymous use of the system, for people creating accounts for the first time, so in those cases the user was anonymous, but we extract the username and log it as well, so we can still see what was going on. I love how easy it was to write this
code, which is a really, really simple model with a few fields, and this function, and things call log action with a series of activities: username, the action, messages, the success or failure status, etc., and so all that just happens automatically. I've also written a management command, run by cron, which queries for all log entries marked as failures in the past 24 hours and emails that out to a bunch of stakeholders every day. We also have import scripts, so we're doing certain actions like getting CSV imports and processing those in cron jobs, and they can also write to the same logging utility. A random note: if you need to create passwords, do not try and do it yourself and deal with all the nasty encryption library stuff. Import hashlib, to pip install, and it's really this simple: just pick an encryption algorithm, and then when you set the LDAP password field, preface it by the algorithm that was in use. It makes it so easy, and you don't have to worry about it. So all that seems pretty clean, but there are certain aspects of the system where, no matter how much I tried to clean them up and simplify the views, you know, you don't want long crazy functions, but in the case of activate user, once that form is valid a whole bunch of things have to happen in sequence, and we need to log all those things: different types of users start the activation differently, preserving state between the forms, some users have nicknames, displaying success and error messages differently to different types of users, user submissions vs.
from end users, and trying to build the data objects correctly so that LDAP will accept them, hashing the password correctly, and the right OU, the right groups and entitlements, and handling creating a Google user in the same step. So I'm ashamed to say that I've got a 200-line function in there, activate step two, but I can't figure out any way to make it shorter, because it all has to happen at once. OK, talking to Google. So the other piece of this is that for every LDAP
account there needs to be a matching Google account in their directory. For this we use the Google admin SDK, a.k.a. the Directory API, and Google supplies a Python client library. Every action has to be done by what's known as a service user, which you create in Google and give access to, and it also needs to reference a sub user, which is a human on your team who is ultimately responsible for that change; it would be like a sysadmin's email address or something. So these calls have to have both. And I had to learn about two-legged OAuth versus three-legged OAuth. Three-legged is the kind you're used to seeing, where "Facebook would like to do such and such on your behalf, is it OK with you?" in a dialog on the user's screen. In this case we want our system to talk to Google transparently to the user; they never need to know about it. So that's two-legged OAuth: it's just between the two, Google and our system, and the user doesn't know anything about it. The way that's set up, and I won't go into all the detail here, is that you look at the APIs, and every API call has what's called a scope, and the scope is a URL that refers to some capability, to follow one and get a group. I discover these scopes and I capture them, and then step two is you go into the Google admin console, way deep in security, advanced, API client access, and you associate the service account with that scope, and that gives that service account permission to execute on the scope. In the end I'm able to write reusable functions, just like the LDAP ones; these live in our reusable pip-installable CCA utils library. So there's a reusable get auth, which involves opening the key file they provided and signing it with the client email and the private key and that scope and the sub user I mentioned, and then finally returning that auth handle, which can then be utilized by secondary functions, such as building a service to update the user record in Google on a few
because of this step of getting the auth you build a service. So this is the alternative to working with the RESTful URLs: you build a service on the admin SDK, the API version "directory v1", and once I've got a handle on the service, it's service users update with the key, which would be the email, so that's the user you're operating on, and the body would be a dictionary of data, and then you can execute all at once. Whether that's easier than using the REST API I'm not sure, but once I got it down it was pretty straightforward. And then once all that exists, it becomes a one-liner in my view, so I'm not littering view code with all that stuff, and all I have to do is build a message string and display it to the screen and log it. Then we have this need to set up email delegates. Google has a cool system where people can access another account without entering the password for it, so I can say Joe is a delegate for Mary, and Joe can access Mary's email with his own password. But unfortunately that's not part of the admin SDK; it's the email SDK, which hasn't been updated to these newer systems, so that was a whole other API exploration, and it's not service-based. I have some sample code for that if anybody needs it. It returns XML instead of JSON, so now it's Beautiful Soup land, such that very fast. All right, more fun: rethinking passwords. We got really frustrated with the mass of password advice that's out there, because end users are getting contradictory password advice from every system. One system is saying random, random, random, it has to be random and long; others are saying "correct horse battery staple", you can use plain English words as long as it's long and unguessable; many others are saying short and random, that's better; and you've got systems saying it has to have an uppercase and a lowercase and a punctuation mark in 1 what we care 0 and you believe it was into a mobile device, right? So people
what have different desires in terms of creating a strong password without the rules getting in the way of good pass-phrases. But the way we think here, we're just like, we don't care how you got there, right? So if you wanna do an eight-character fully random password that is considered strong, that's great, or if you wanna do correct horse battery staple, that's cool too. The problem is that now you're outside of rules, you know, and so now how do you do your form validation? It can be pretty difficult with different sets of rules.

So looking into this problem, I discovered that Dropbox had actually created and open-sourced a solution to just this. It's called zxcvbn, for those in the lower left row of your keyboard, and it's used in production at Dropbox. It measures password strength as a matter of what they call entropy, but essentially you just set a strength threshold, and it takes a whole bunch of things into account, does crazy dictionary lookups, and lets you penalize certain strings. So I was able to penalize the name of the college, penalize your own user name, penalize examples that are given on the password help page, and let people create passwords however they want.

So the issue with that is that it's JavaScript-based, and if it's JavaScript-based that means dictionary lookups are hard, because you'd be transmitting dictionaries over the wire. And we wanted the really rich interactions; we wanted a whizzy little strength bar that would go up and down as you typed, in real time. So then somebody ported this to Python, and that was excellent, so now I could do it on the back end, but I would lose the rich JavaScript goodness. So what I ended up doing was I use it on the back end, making a simple JSON endpoint that you can call with any given password string, and it would return zxcvbn's dictionary of attributes and penalties and ultimate strength. And I wrote a little jQuery for that, because we wanted to have pretty real-time interaction, but
I don't want to call that API every time you touch a key on the keyboard, so I use jQuery debounce to wait 250 ms after you start typing, and it would call the endpoint and the thing would go up and down. I was going to do a live demo, but we've got some screen-sharing issues here. But this does exactly what I was saying: you can have the characters totally random, or we can have a nice long memorable Sgt. Pepper's, Mr. Kite type password, whatever you like. I ended up doing a big blog post, so all the sample code for this system is at that URL; you can get it out of the slides later if you want a system like that.

So, Workday. Workday is this modern, mostly human resources and, you know, payment and scheduling system, and they are also introducing a student information system to it for the future, and other pieces will come along. We're one of three pilot schools out there who are experimenting with their student information system, but we did move all of our hiring and payment stuff to them. So because I have to validate the user against Workday, I had to talk to their APIs, and I quickly hit some roadblocks and got frustrated, because, you know, in my world, in our Python, Django, modern web application development world, it's all about REST now, APIs are all about REST. But they're very much of the Java, Windows, heavyweight system world, and most of their stuff is SOAP-based. They claim to have a REST API, but it doesn't do everything.

So after trying and failing to get what I needed out of the system with REST, I was thrown back on SOAP, only to find that it's, you know, considered sort of deprecated in our modern world; even suds, which is the most famous SOAP library, has been deprecated and replaced with suds-jurko. And I couldn't find a single person online who was interacting with Workday and SOAP. So it took a fair bit of experimentation to get that working, but I did, and wrote it up, just so if anybody is out there and this
do this, there's a link to how we ended up solving that. So that's what I have today, and I've got the code samples here if anybody wants to see them, or we can open it up for questions. Any questions?

should not knowing there's like inverse out there. Knowing what you know now, like, what would you, if you were to do this again, what would you do differently, having gone through this huge project?

Right, differently. Well, if I went back in time, I would have made a start with Python 3, so that would have saved a lot of frustration. But no, if I had to do it back when I did, I still would not have had that option. I know the Workday alignment process would have gone a lot quicker if I'd had a lot more sample code to work with. But yeah, I think my biggest mistake was not communicating enough with some of the legacy data teams about, you know, certain ways they want to interact with the student information system. So absolutely communication problems, basically.

You talked about the least common denominator for when you're trying to design it, but what if that changes in the middle, like you need to interact with another system which seems to have a maximum of 5, for, you know, a contrived example, but...

Right, it's a case by case basis. The one issue that we hit there that we weren't able to anticipate was these Canon copiers and their fax capabilities, so that somebody could send a fax from a copier, and it turns out that they didn't like dots in usernames, or in your e-mail addresses, right? So we were able to update the firmware on those to fix that. If another system, you know, suddenly had a much lower limit, we'd try to fix that system, right? We're finally moving to the next era here, hopefully not to be dragged back by the legacy of the past, but if forced to, we might have to limit user names to 12 characters or whatever. So it depends on the system, whether it can be upgraded.

Thank you.

And you
mentioned that you stored some information in the session, and I was wondering if you ever ran into conflicts, like where your Django session was getting out of sync with another, like, system's session, anything like that?

Nothing. The only few issues that I had had to do with, like, the help desk users, the super users, who were doing things like helping users reset passwords over and over again, and so you'd have a session variable left over that was interfering. So, you know, those were bugs, and I cleared just that session variable. And, if I understand right, something changed in Django, I think in 1.8. You know, my first approach was just to kill all session variables that were there. Now, it didn't used to, it now actually logs you out of Django after you've logged in. So that turned out to be not a viable solution; I actually had to delete session variables one at a time. But I haven't had any conflict with other systems on campus.

my views method the Pollock and then I have gone back and forth in my apps. Like, I've tried to make it so that we're just using LDAP and Active Directory groups for all of our auth, like authorization and permissions, I guess, yeah, authentication and authorization, and then at the end of hadronic something to a quick where action of using the Django permissions, you know, putting it in the database. Do you have opinions on that? Have you had to do that, and do you have a preference?

I haven't had to, and I would strongly resist it. You know, this system I'm building is not a canonical data store; it's a canonical place to make these kinds of changes, but it is making these changes on external systems that are not within itself. So no other system is gonna look to my system asking what permissions does such-and-such user have. And we eventually will bring in Grouper and all that, and that will make it even more, you know, in LDAP land and not in my space. So yeah, I'm trying to store as little data as possible, really
just the logging data is the only thing, and literally never done that.

This is more of a comment than a question, but I'm excited because of his NASA on particle stay which is AI and the system further sexual sobbing contents as using implementation of the CVV, and it was super helpful, and I love the locked here, and so we have to include that thoughts and thinking very happy that the.

This is another comment as well. It looked like in the example you're building an LDAP filter string using Python string substitution, but actually there's an LDAP string substitution that will serve in the same way that database string substitution will prevent code execution. So the advantage of doing it that way: the characters that you're trying to substitute in, you will be able to sort of break out of your LDAP filter; it escapes those characters. So it has a security advantage.

Something to... I do know that I was writing Python, and so I wrote it Pythonically, but I'll look at that.

I had a question about testing, and was wondering what you had in place for, not only unit tests, but mostly I'm interested in functional tests, when you have to talk to the legacy systems.

Oh yeah, good question. So I mean, there are sort of several levels of that. There is the CCA utils, which has the little modules for talking to LDAP and Google, and those have very basic unit tests; I would mock data and have a test user that runs through a lot of stuff. And then there's the Django side, and it has the functional tests, so testing the views and things. Which is, is your question about the risk of modifying data on a live LDAP system? Right, so it is restricted very carefully to a single designated LDAP directory test user. It would be great to have a secondary LDAP system I could test against, just like you have a test database; I'd feel better about that, but it's not feasible in our case. The
questions? So we also have something at work, slightly not related to that exactly, but when you talked about testing on US been up here on the conditional DVD to do the testing against, and so we do a work flight were on right now, and that's something we're going to solve the problem next week. And Django, it comes with the keepdb flag, and everyone run tests locally other on my system then we've run it again so good EV with we set up first. But can you talk a little about what you had to do exactly, that you had a custom manager workaround? Is this something that, if you thought about it, that you'd do that?

Oh yeah, I mean, I do it because I have to. You know, when you run tests, as long as you define two databases, it's gonna try and create a test version of the database on that same host by default, so I literally could not run tests without going through this process. As for keepdb, the point of that is a speed-up in tests, right? I mean, you know your situation well enough to know that there's no downside to keeping a persistent test database between test runs.

I think that what we do is we actually just, on my local machine, we use an instance of the DB to develop with, and we run tests on that with keepdb. This way I don't have to spin up a separate DB for testing, which is far from ideal; please don't ever do it. One of the advantages: we have a lot of raw SQL that we need to get those tables up and running from production, so this is the advantage that we get, because we also use the managed = False flag on the systems we don't define the models for. So I don't know, it seems like a poor strategy, as any test data which conflicts with that data can cause issues. But so that's an alternative to constructing that copy of remote bicycle there is a local post database this users keep to be all the
time. So the ideas in the, and the concern about the integrity of the test? Yes, because now you don't have a 100 percent guarantee that the test database data you think you're testing is actually the data you're testing. Or do I mean a luxury many this is. This seems like it's been a long conversation; a lot of that energy here is encode it.

Yeah, yeah, I did come across keepdb as a tip for speeding things up, like in most of my writing it by this and then it still has the general how long so there is gap out of some think and these new at the thank but not the best use of the and the more the the the fear
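
The audience comment above about building LDAP filter strings with Python string substitution, shown as an added example that is not part of the talk or the speaker's code: it compares plain `%` substitution with RFC 4515 escaping and checks whether the input changed the filter's structure. The template, attribute names and sample input are constructed; with python-ldap installed, `ldap.filter.escape_filter_chars` and `ldap.filter.filter_format` provide this escaping.

```python
import re

# RFC 4515: these characters must appear as \XX (hex) inside an assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# Constructed template; the attribute names are assumptions for this demo.
TEMPLATE = "(&(objectClass=person)(uid=%s))"


def escape_filter_value(value):
    """Escape user input so it stays data and cannot add filter syntax."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def unescape_filter_value(value):
    """Decode backslash-hex pairs: the literal string the server compares against."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def unsafe_filter(username):
    # Plain string substitution: whatever was typed becomes filter syntax.
    return TEMPLATE % username


def safe_filter(username):
    # Same template, but metacharacters in the value are escaped first.
    return TEMPLATE % escape_filter_value(username)


def filter_items(filter_str):
    """Return the (attribute, value) tests in a filter, to compare its shape."""
    return re.findall(r"\(([A-Za-z][\w;.-]*)=([^()]*)\)", filter_str)


def shape_preserved(username):
    """True if substituting the raw input leaves the template's attribute list unchanged."""
    expected = [attr for attr, _ in filter_items(TEMPLATE % "x")]
    return [attr for attr, _ in filter_items(unsafe_filter(username))] == expected


if __name__ == "__main__":
    typed = "*)(mail=*"  # constructed input containing filter metacharacters
    print(unsafe_filter(typed), filter_items(unsafe_filter(typed)))
    print(safe_filter(typed), filter_items(safe_filter(typed)))
    print(shape_preserved(typed), shape_preserved("jdoe"))
```
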