Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

EOSC Node AAI #121

Merged
merged 13 commits into from
Jul 15, 2024
Merged

EOSC Node AAI #121

merged 13 commits into from
Jul 15, 2024

Conversation

enolfc
Copy link
Contributor

@enolfc enolfc commented Jun 18, 2024
edited
Loading

Summary

Implement the support for the personal projects as the primary group of the user so this can be properly reported in accounting.

Creates a new EOSCNodeAuthenticator that will try to get the primary group of the user from the entitlements by matching a personal_project_re regular expression with default value:

r"^urn:geant:eosc-federation.eu:group:pp:Personal%20Project%20Name-(.*)$"

If the RE contains a group, the match will be used as the name for the primary group of the user. If it does not match, the primary group will be the first group of the user that matches the allowed_groups.

Sample configuration

c.JupyterHub.authenticator_class = "eoscauthenticator"
c.EOSCNodeAuthenticator.allow_all = True
c.EOSCNodeAuthenticator.claim_groups_key = "eduperson_entitlement"
c.EOSCNodeAuthenticator.personal_project = r"^urn:mace:egi.eu:group:fedcloud-([^#]*)#.*$"

This will match urn:mace:egi.eu:group:fedcloud-users#sso.egi.eu and return users as primary group

Without groups in the re:

c.JupyterHub.authenticator_class = "eoscauthenticator"
c.EOSCNodeAuthenticator.allow_all = True
c.EOSCNodeAuthenticator.claim_groups_key = "eduperson_entitlement"
c.EOSCNodeAuthenticator.personal_project = r"^urn:mace:egi.eu:group:fedcloud-.*$"

This will match urn:mace:egi.eu:group:fedcloud-users#sso.egi.eu and return urn:mace:egi.eu:group:fedcloud-users#sso.egi.eu as primary group

Related issue :

@enolfc
Avoid error 500 when context is not available
8f6ecb8 
Instead show a 403 error, that looks better
@enolfc
Copy link
Contributor Author

enolfc commented Jun 18, 2024

We would benefit from some automated testing here as we are bit blind on whether this works or not :(

@enolfc
Add support for EOSC Node group management
0fd286b 
Filter groups based on a regular expression for matching the personal
projects of EOSC Node AAI
@enolfc enolfc requested a review from valtri June 18, 2024 13:18
@enolfc enolfc requested a review from andrea-manzi June 18, 2024 13:27
andrea-manzi
andrea-manzi requested changes Jun 20, 2024
View reviewed changes
Copy link
Contributor

@andrea-manzi andrea-manzi left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

please check comment

@valtri
Copy link
Contributor

valtri commented Jul 12, 2024

Works like a charm.

The default regular expression for personal group is OK? In testing AAI is working this: ^urn:geant:eosc-federation.eu:group:(pp-.*)$.

And maybe we could tune login_service variable for EGI and EOSC authenticator? Something like:

    @default("login_service")
    def _login_service_default(self):
        return "EGI Check-in"

...but that is just a cosmetics and overrode by html customizations anyway.

@enolfc
Copy link
Contributor Author

enolfc commented Jul 12, 2024

Works like a charm.

The default regular expression for personal group is OK? In testing AAI is working this: ^urn:geant:eosc-federation.eu:group:(pp-.*)$.

And maybe we could tune login_service variable for EGI and EOSC authenticator? Something like:

    @default("login_service")
    def _login_service_default(self):
        return "EGI Check-in"

...but that is just a cosmetics and overrode by html customizations anyway.

I think we can just define login_service in the EOSC one to something like "EOSC AAI", no need to define a default

valtri
valtri approved these changes Jul 12, 2024
View reviewed changes
Copy link
Contributor

@valtri valtri left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

@enolfc enolfc requested a review from andrea-manzi July 12, 2024 15:00
andrea-manzi
andrea-manzi approved these changes Jul 12, 2024
View reviewed changes
Copy link
Contributor

@andrea-manzi andrea-manzi left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM! and tested by @valtri

@enolfc enolfc merged commit 77836cb into EGI-Federation:main Jul 15, 2024
3 checks passed
@enolfc enolfc deleted the personal-project branch July 15, 2024 07:00
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@valtri valtri valtri approved these changes

@andrea-manzi andrea-manzi andrea-manzi approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@enolfc @valtri @andrea-manzi