diff --git a/source/users_guides/sysadmin/compute/jh_with_persistence.rst b/source/users_guides/sysadmin/compute/jh_with_persistence.rst index d5be8d6bdb46b7b87bba55e4810427ce115f2336..2318e3978e1ddcf811503fc4b3041a5f17577859 100644 --- a/source/users_guides/sysadmin/compute/jh_with_persistence.rst +++ b/source/users_guides/sysadmin/compute/jh_with_persistence.rst @@ -190,3 +190,41 @@ On successful completion ("CREATE_COMPLETE"), :alt: Step 4 Use the reported IP address to connect to the services you deployed. + +How to change the authorized IAM group +====================================== + +If you deployed an instance of JupyterHub with persistence of Notebooks and +want to change the name of the IAM group that users must be members of to have +access granted, you need to update the file located in +``/usr/local/share/dodasts/jupyterhub/compose.yaml``. Here is an example of its +content: + + .. code-block:: yaml + version: "3.9" + + services: + jupyterhub: + depends_on: + - http_proxy + [...] + environment: + - [...] + - OAUTH_GROUPS=users/example admins/example + - ADMIN_OAUTH_GROUPS=admins/example + - [...] + +In the example, the ``OAUTH_GROUPS`` environment variable is used to define the +IAM groups of users that granted user-role access within the JupyterHub +instance, while the ``ADMIN_OAUTH_GROUPS`` environment variable defines the IAM +group of users with admin-role access. Multiple groups can be defined, +separated by a space `` `` character. + +Furthermore, to make the change effective, a restart of the service has to be +performed: + + .. code-block:: bash + cd /usr/local/share/dodasts/jupyterhub/ + docker-compose down || docker compose down + docker-compose up -d || docker compose up -d + diff --git a/source/users_guides/sysadmin/storage/sync_and_share_aas.rst b/source/users_guides/sysadmin/storage/sync_and_share_aas.rst index 7442711d4c7890448805fd0ec3cc35a1333c3585..7404c50892a7175b00404806d10156f835a3b788 100644 
--- a/source/users_guides/sysadmin/storage/sync_and_share_aas.rst +++ b/source/users_guides/sysadmin/storage/sync_and_share_aas.rst 
@@ -319,6 +319,58 @@ How to access your data via cli ownCloud offers a user-friendly web interface for managing and sharing your data. In some cases, you may need to access your data from your environment, e.g. mounting your storage space on your local machine. Rclone is a powerful command-line tool that allows to manage files on a cloud storage. In `this guide <https://guides.cloud.infn.it/docs/users-guides/en/latest/users_guides/general/rclone_sync_and_share.html>`_ you can find some useful tips on how to use Rclone. +How to change the authorized IAM group +====================================== + +ownCloud +-------- + +If you deployed an ownCloud instance and want to change the name of the IAM +group that users must be members of to have access granted, you need to update +the file located in ``/opt/storageservice/oidc.config.php``. Here is an example +of its content: + + .. code-block:: php + <?php + $CONFIG = [ + 'http.cookie.samesite' => 'None', + 'openid-connect' => [ + 'provider-url' => 'https://iam.cloud.infn.it', + 'client-id' => 'REDACTED', + 'client-secret' => 'REDACTED', + 'loginButtonName' => 'INFN Cloud IAM', + 'auto-provision' => [ + 'enabled' => true, + 'email-claim' => 'email', + 'display-name-claim' => 'name', + 'provisioning-claim' => 'groups', + 'provisioning-attribute' => 'users/example', + ], + 'mode' => 'userid', + 'search-attribute' => 'preferred_username', + ] + ]; + +The value to be updated to change the group the user authorization is based on +is that on line 14, i.e. the value at +``$CONFIG.openid-connect.auto-provision.provision-attribute`` that is the +``users/example`` string. + +Furthermore, to make the change effective, a restart of the service has to be +performed: + + .. 
code-block:: bash + cd /opt/storageservice/ + docker-compose restart || docker compose restart + + +NextCloud +--------- +If you deployed an NextCloud instance and want to change the name of the IAM +group that users must be members of to have access granted, you need to modify or +add groups through the service's webui at the link ``https://data.<ip>.myip.cloud.infn.it/settings/admin/sociallogin``, +in the section ``Custom OpenID Connect`` --> ``add group mapping`` + Troubleshooting ===============
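Review bot: in the jh_with_persistence.rst hunk, the paragraph after the YAML example never says whether the admin group also has to appear in ``OAUTH_GROUPS``. The example lists ``admins/example`` in both ``OAUTH_GROUPS`` and ``ADMIN_OAUTH_GROUPS``, so a reader who changes only one of them cannot tell whether the previous group keeps access or whether the new admins can log in. Please state the rule, and say that the old group name has to be removed from both variables if it should lose access. Smaller points in the same hunk: each ``.. code-block::`` directive needs a blank line between it and the code that follows (``version: "3.9"`` and ``cd /usr/local/share/dodasts/jupyterhub/`` currently sit directly under the directive); the literal written as two pairs of backticks around a single space will not render, because an inline literal cannot start with whitespace, so "separated by a single space" in plain words is enough; and "users that granted user-role access" should read "users that are granted user-role access".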
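Review bot: in the sync_and_share_aas.rst hunk, the sentence after the PHP example names the key as ``$CONFIG.openid-connect.auto-provision.provision-attribute``, but the example itself uses ``'provisioning-attribute'``. Someone copying the name from the prose would be looking for a key that is not in the file, so please make the prose match the example. The reference to "line 14" is also fragile, since the block is rendered without line numbers and the count shifts as soon as a key is added; pointing at the key name alone would be more robust. As in the other file, the ``.. code-block:: php`` and ``.. code-block:: bash`` directives need a blank line before their content, and in the NextCloud subsection "an NextCloud instance" should be "a NextCloud instance".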