From 7f28cca8bebaa9a069cd8678a60933f68fd65f9d Mon Sep 17 00:00:00 2001
From: Carmelo Pellegrino <carmelo.pellegrino@gmail.com>
Date: Thu, 28 Mar 2024 16:52:43 +0100
Subject: [PATCH 1/4] how to change authorized IAM group for ownCloud

---
 .../sysadmin/storage/sync_and_share_aas.rst   | 49 +++++++++++++++++++
 1 file changed, 49 insertions(+)

diff --git a/source/users_guides/sysadmin/storage/sync_and_share_aas.rst b/source/users_guides/sysadmin/storage/sync_and_share_aas.rst
index 7442711d..bd4bfbc0 100644
--- a/source/users_guides/sysadmin/storage/sync_and_share_aas.rst
+++ b/source/users_guides/sysadmin/storage/sync_and_share_aas.rst
@@ -319,6 +319,55 @@ How to access your data via cli
 
 ownCloud offers a user-friendly web interface for managing and sharing your data. In some cases, you may need to access your data from your environment, e.g. mounting your storage space on your local machine. Rclone is a powerful command-line tool that allows to manage files on a cloud storage. In `this guide <https://guides.cloud.infn.it/docs/users-guides/en/latest/users_guides/general/rclone_sync_and_share.html>`_ you can find some useful tips on how to use Rclone.
 
+How to change the authorized IAM group
+======================================
+
+ownCloud
+--------
+
+If you deployed an ownCloud instance and want to change the name of the IAM
+group that users must be members of to have access granted, you need to update
+the file located in ``/opt/storageservice/oidc.config.php``. Here is an example
+of its content:
+
+  .. code-block:: php
+     <?php
+     $CONFIG = [
+       'http.cookie.samesite' => 'None',
+       'openid-connect' => [
+             'provider-url' => 'https://iam.cloud.infn.it',
+             'client-id' => 'REDACTED',
+             'client-secret' => 'REDACTED',
+             'loginButtonName' => 'INFN Cloud IAM',
+             'auto-provision' => [
+                     'enabled' => true,
+                     'email-claim' => 'email',
+                     'display-name-claim' => 'name',
+                     'provisioning-claim' => 'groups',
+                     'provisioning-attribute' => 'users/example',
+             ],
+             'mode' => 'userid',
+             'search-attribute' => 'preferred_username',
+       ]
+     ];
+
+The value to be updated to change the group the user authorization is based on
+is that on line 14, i.e. the value at
+``$CONFIG.openid-connect.auto-provision.provision-attribute`` that is the
+``users/example`` string.
+
+Furthermore, to make the change effective, a restart of the service has to be
+performed:
+
+  .. code-block:: bash
+     cd /opt/storageservice/
+     docker-compose restart
+
+
+NextCloud
+---------
+
+
 Troubleshooting
 ===============
 
-- 
GitLab


From 5d1451d72eef22b43bc2d9ad84f245a16c5ffb6a Mon Sep 17 00:00:00 2001
From: Carmelo Pellegrino <carmelo.pellegrino@gmail.com>
Date: Fri, 29 Mar 2024 15:09:24 +0100
Subject: [PATCH 2/4] how to change authorized IAM groups in JupyterHub

---
 .../sysadmin/compute/jh_with_persistence.rst  | 38 +++++++++++++++++++
 1 file changed, 38 insertions(+)

diff --git a/source/users_guides/sysadmin/compute/jh_with_persistence.rst b/source/users_guides/sysadmin/compute/jh_with_persistence.rst
index d5be8d6b..7f2e933b 100644
--- a/source/users_guides/sysadmin/compute/jh_with_persistence.rst
+++ b/source/users_guides/sysadmin/compute/jh_with_persistence.rst
@@ -190,3 +190,41 @@ On successful completion ("CREATE_COMPLETE"),
     :alt: Step 4
 
 Use the reported IP address to connect to the services you deployed.
+
+How to change the authorized IAM group
+======================================
+
+If you deployed an instance of JupyterHub with persistence of Notebooks and
+want to change the name of the IAM group that users must be members of to have
+access granted, you need to update the file located in
+``/usr/local/share/dodasts/jupyterhub/compose.yaml``. Here is an example of its
+content:
+
+  .. code-block:: yaml
+     version: "3.9"
+
+     services:
+       jupyterhub:
+         depends_on:
+           - http_proxy
+         [...]
+         environment:
+           - [...]
+           - OAUTH_GROUPS=users/example admins/example
+           - ADMIN_OAUTH_GROUPS=admins/example
+           - [...]
+
+In the example, the ``OAUTH_GROUPS`` environment variable is used to define the
+IAM groups of users that granted user-role access within the JupyterHub
+instance, while the ``ADMIN_OAUTH_GROUPS`` environment variable defines the IAM
+group of users with admin-role access. Multiple groups can be defined,
+separated by a space `` `` character.
+
+Furthermore, to make the change effective, a restart of the service has to be
+performed:
+
+  .. code-block:: bash
+     cd /usr/local/share/dodasts/jupyterhub/
+     docker-compose down
+     docker-compose up -d
+
-- 
GitLab


From fa61b45fb7422d5a676d109e82533b9b4608be3f Mon Sep 17 00:00:00 2001
From: Carmelo Pellegrino <carmelo.pellegrino@gmail.com>
Date: Wed, 3 Apr 2024 11:25:03 +0200
Subject: [PATCH 3/4] make docker compose commands more generic

to account for the switch from the standalone docker-compose binary to the Docker Compose plugin
---
 source/users_guides/sysadmin/compute/jh_with_persistence.rst | 4 ++--
 source/users_guides/sysadmin/storage/sync_and_share_aas.rst  | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/source/users_guides/sysadmin/compute/jh_with_persistence.rst b/source/users_guides/sysadmin/compute/jh_with_persistence.rst
index 7f2e933b..2318e397 100644
--- a/source/users_guides/sysadmin/compute/jh_with_persistence.rst
+++ b/source/users_guides/sysadmin/compute/jh_with_persistence.rst
@@ -225,6 +225,6 @@ performed:
 
   .. code-block:: bash
      cd /usr/local/share/dodasts/jupyterhub/
-     docker-compose down
-     docker-compose up -d
+     docker-compose down || docker compose down
+     docker-compose up -d || docker compose up -d
 
diff --git a/source/users_guides/sysadmin/storage/sync_and_share_aas.rst b/source/users_guides/sysadmin/storage/sync_and_share_aas.rst
index bd4bfbc0..00955553 100644
--- a/source/users_guides/sysadmin/storage/sync_and_share_aas.rst
+++ b/source/users_guides/sysadmin/storage/sync_and_share_aas.rst
@@ -361,7 +361,7 @@ performed:
 
   .. code-block:: bash
      cd /opt/storageservice/
-     docker-compose restart
+     docker-compose restart || docker compose restart
 
 
 NextCloud
-- 
GitLab


From b63226fa89e385686460211573963961f1f81e53 Mon Sep 17 00:00:00 2001
From: Federica Fanzago <federica.fanzago@pd.infn.it>
Date: Fri, 5 Apr 2024 17:54:59 +0200
Subject: [PATCH 4/4] Adding info about NextCloud changing iam groups

---
 .../users_guides/sysadmin/storage/sync_and_share_aas.rst   | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/source/users_guides/sysadmin/storage/sync_and_share_aas.rst b/source/users_guides/sysadmin/storage/sync_and_share_aas.rst
index 00955553..7404c508 100644
--- a/source/users_guides/sysadmin/storage/sync_and_share_aas.rst
+++ b/source/users_guides/sysadmin/storage/sync_and_share_aas.rst
@@ -351,7 +351,7 @@ of its content:
        ]
      ];
 
-The value to be updated to change the group the user authorization is based on
+The value to be updated to change the group the user authorization is based on 
 is that on line 14, i.e. the value at
 ``$CONFIG.openid-connect.auto-provision.provision-attribute`` that is the
 ``users/example`` string.
@@ -366,7 +366,10 @@ performed:
 
 NextCloud
 ---------
-
+If you deployed an NextCloud instance and want to change the name of the IAM
+group that users must be members of to have access granted, you need to modify or 
+add groups through the service's webui at the link ``https://data.<ip>.myip.cloud.infn.it/settings/admin/sociallogin``,
+in the section ``Custom OpenID Connect`` --> ``add group mapping`` 
 
 Troubleshooting
 ===============
-- 
GitLab