From 7f28cca8bebaa9a069cd8678a60933f68fd65f9d Mon Sep 17 00:00:00 2001
From: Carmelo Pellegrino <carmelo.pellegrino@gmail.com>
Date: Thu, 28 Mar 2024 16:52:43 +0100
Subject: [PATCH 1/4] how to change authorized IAM group for ownCloud
---
.../sysadmin/storage/sync_and_share_aas.rst | 49 +++++++++++++++++++
1 file changed, 49 insertions(+)
diff --git a/source/users_guides/sysadmin/storage/sync_and_share_aas.rst b/source/users_guides/sysadmin/storage/sync_and_share_aas.rst
index 7442711d..bd4bfbc0 100644
--- a/source/users_guides/sysadmin/storage/sync_and_share_aas.rst
+++ b/source/users_guides/sysadmin/storage/sync_and_share_aas.rst
@@ -319,6 +319,55 @@ How to access your data via cli ownCloud offers a user-friendly web interface for managing and sharing your data. In some cases, you may need to access your data from your environment, e.g. mounting your storage space on your local machine. Rclone is a powerful command-line tool that allows to manage files on a cloud storage. In `this guide <https://guides.cloud.infn.it/docs/users-guides/en/latest/users_guides/general/rclone_sync_and_share.html>`_ you can find some useful tips on how to use Rclone. +How to change the authorized IAM group +====================================== + +ownCloud +-------- + +If you deployed an ownCloud instance and want to change the name of the IAM +group that users must be members of to have access granted, you need to update +the file located in ``/opt/storageservice/oidc.config.php``. Here is an example +of its content: + + .. code-block:: php + <?php + $CONFIG = [ + 'http.cookie.samesite' => 'None', + 'openid-connect' => [ + 'provider-url' => 'https://iam.cloud.infn.it', + 'client-id' => 'REDACTED', + 'client-secret' => 'REDACTED', + 'loginButtonName' => 'INFN Cloud IAM', + 'auto-provision' => [ + 'enabled' => true, + 'email-claim' => 'email', + 'display-name-claim' => 'name', + 'provisioning-claim' => 'groups', + 'provisioning-attribute' => 'users/example', + ], + 'mode' => 'userid', + 'search-attribute' => 'preferred_username', + ] + ]; + +The value to be updated to change the group the user authorization is based on +is that on line 14, i.e. the value at +``$CONFIG.openid-connect.auto-provision.provision-attribute`` that is the +``users/example`` string. + +Furthermore, to make the change effective, a restart of the service has to be +performed: + + .. code-block:: bash + cd /opt/storageservice/ + docker-compose restart + + +NextCloud +--------- + + Troubleshooting =============== -- GitLab From 5d1451d72eef22b43bc2d9ad84f245a16c5ffb6a Mon Sep 17 00:00:00 2001 
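Review bot: The prose after the PHP example names the key as `$CONFIG.openid-connect.auto-provision.provision-attribute`, but the example itself spells it `'provisioning-attribute'`; a reader who follows the prose can end up adding a key the example does not contain and leave the previously authorised group in place. I would write the path as `$CONFIG['openid-connect']['auto-provision']['provisioning-attribute']` and drop the reference to "line 14", which stops being true as soon as the deployed file differs from the example (patch 4/4 touches this paragraph again, but only for trailing whitespace). Both `.. code-block::` directives in this hunk are followed directly by their content with no blank `+` line in between, which docutils normally reads as extra directive arguments, so a blank line is needed after each directive; the jh_with_persistence.rst hunk in patch 2/4 has the same layout. Because this file also holds `client-secret` and decides who gets provisioned, the section would benefit from one sentence asking the admin to confirm after the restart that an account outside the new group is refused; whether accounts already provisioned under the old group lose access is not stated here and should be.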
From: Carmelo Pellegrino <carmelo.pellegrino@gmail.com> Date: Fri, 29 Mar 2024 15:09:24 +0100 Subject: [PATCH 2/4] how to change authorized IAM groups in JupyterHub --- .../sysadmin/compute/jh_with_persistence.rst | 38 +++++++++++++++++++ 1 file changed, 38 insertions(+) diff --git a/source/users_guides/sysadmin/compute/jh_with_persistence.rst b/source/users_guides/sysadmin/compute/jh_with_persistence.rst index d5be8d6b..7f2e933b 100644 --- a/source/users_guides/sysadmin/compute/jh_with_persistence.rst +++ b/source/users_guides/sysadmin/compute/jh_with_persistence.rst @@ -190,3 +190,41 @@ On successful completion ("CREATE_COMPLETE"), :alt: Step 4 Use the reported IP address to connect to the services you deployed. + +How to change the authorized IAM group +====================================== + +If you deployed an instance of JupyterHub with persistence of Notebooks and +want to change the name of the IAM group that users must be members of to have +access granted, you need to update the file located in +``/usr/local/share/dodasts/jupyterhub/compose.yaml``. Here is an example of its +content: + + .. code-block:: yaml + version: "3.9" + + services: + jupyterhub: + depends_on: + - http_proxy + [...] + environment: + - [...] + - OAUTH_GROUPS=users/example admins/example + - ADMIN_OAUTH_GROUPS=admins/example + - [...] + +In the example, the ``OAUTH_GROUPS`` environment variable is used to define the +IAM groups of users that granted user-role access within the JupyterHub +instance, while the ``ADMIN_OAUTH_GROUPS`` environment variable defines the IAM +group of users with admin-role access. Multiple groups can be defined, +separated by a space `` `` character. + +Furthermore, to make the change effective, a restart of the service has to be +performed: + + .. code-block:: bash + cd /usr/local/share/dodasts/jupyterhub/ + docker-compose down + docker-compose up -d + -- GitLab From fa61b45fb7422d5a676d109e82533b9b4608be3f Mon Sep 17 00:00:00 2001 
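Review bot: The sentence explaining `OAUTH_GROUPS` is missing its verb ("the IAM groups of users that granted user-role access") and ends with an empty double-backtick literal around a space, which is not valid inline-literal markup in reStructuredText and will not render as intended. Suggested wording: `the OAUTH_GROUPS environment variable lists the IAM groups whose members are granted user-role access` and `Multiple groups can be listed, separated by a single space.` The example puts `admins/example` in both `OAUTH_GROUPS` and `ADMIN_OAUTH_GROUPS`, but the text does not say whether an admin group must also appear in `OAUTH_GROUPS`; that looks intentional and is worth stating explicitly, since `ADMIN_OAUTH_GROUPS` is the setting that hands out admin-role access and a reader editing one list may not think to review the other.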
From: Carmelo Pellegrino <carmelo.pellegrino@gmail.com> Date: Wed, 3 Apr 2024 11:25:03 +0200 Subject: [PATCH 3/4] make docker compose commands more generic to incorporate the change between the docker-compose standalone and the compose plugin --- source/users_guides/sysadmin/compute/jh_with_persistence.rst | 4 ++-- source/users_guides/sysadmin/storage/sync_and_share_aas.rst | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/source/users_guides/sysadmin/compute/jh_with_persistence.rst b/source/users_guides/sysadmin/compute/jh_with_persistence.rst index 7f2e933b..2318e397 100644 --- a/source/users_guides/sysadmin/compute/jh_with_persistence.rst +++ b/source/users_guides/sysadmin/compute/jh_with_persistence.rst @@ -225,6 +225,6 @@ performed: .. code-block:: bash cd /usr/local/share/dodasts/jupyterhub/ - docker-compose down - docker-compose up -d + docker-compose down || docker compose down + docker-compose up -d || docker compose up -d diff --git a/source/users_guides/sysadmin/storage/sync_and_share_aas.rst b/source/users_guides/sysadmin/storage/sync_and_share_aas.rst index bd4bfbc0..00955553 100644 --- a/source/users_guides/sysadmin/storage/sync_and_share_aas.rst +++ b/source/users_guides/sysadmin/storage/sync_and_share_aas.rst @@ -361,7 +361,7 @@ performed: .. code-block:: bash cd /opt/storageservice/ - docker-compose restart + docker-compose restart || docker compose restart NextCloud -- GitLab From b63226fa89e385686460211573963961f1f81e53 Mon Sep 17 00:00:00 2001 From: Federica Fanzago <federica.fanzago@pd.infn.it> Date: Fri, 5 Apr 2024 17:54:59 +0200 Subject: [PATCH 4/4] Adding info about NextCloud changing iam groups --- .../users_guides/sysadmin/storage/sync_and_share_aas.rst | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/source/users_guides/sysadmin/storage/sync_and_share_aas.rst b/source/users_guides/sysadmin/storage/sync_and_share_aas.rst index 00955553..7404c508 100644 
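Review bot: `docker-compose down || docker compose down` runs the second command whenever the first exits non-zero, not only when the standalone binary is missing, so a genuine failure of `docker-compose` is retried through the plugin and the reader gets two error outputs to interpret. The same pattern is used for `up -d` in this hunk and for `restart` in the sync_and_share_aas.rst hunk. I would state the choice in prose instead, e.g. `Use docker compose (plugin) or docker-compose (standalone), whichever is installed on the VM`, and show a single command form in each block.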
--- a/source/users_guides/sysadmin/storage/sync_and_share_aas.rst +++ b/source/users_guides/sysadmin/storage/sync_and_share_aas.rst @@ -351,7 +351,7 @@ of its content: ] ]; -The value to be updated to change the group the user authorization is based on +The value to be updated to change the group the user authorization is based on is that on line 14, i.e. the value at ``$CONFIG.openid-connect.auto-provision.provision-attribute`` that is the ``users/example`` string. @@ -366,7 +366,10 @@ performed: NextCloud --------- - +If you deployed an NextCloud instance and want to change the name of the IAM +group that users must be members of to have access granted, you need to modify or +add groups through the service's webui at the link ``https://data.<ip>.myip.cloud.infn.it/settings/admin/sociallogin``, +in the section ``Custom OpenID Connect`` --> ``add group mapping`` Troubleshooting =============== -- GitLab
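Review bot: The NextCloud paragraph in the second hunk says to "modify or add groups" but does not say that the existing mapping has to be edited or removed for the previous group to stop being authorised, so a reader who only uses `add group mapping` may leave the old group with access; how the sociallogin settings treat leftover mappings is not visible here and should be confirmed and stated. The URL sits under `/settings/admin/`, so the text should presumably mention that an administrator account is required, and say whether a restart is needed, as the ownCloud section does. Wording: `an NextCloud` should be `a NextCloud`, and the last sentence lacks its full stop.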