coldfront-plugin-api's Issues

Implement filtering by email in SCIM API

Currently there is no way to search a username based on the user's email address through the SCIM User API.

This functionality is necessary since some users have changed their username and we need to be able to find their corresponding account through the email address.

Also update the registration script to make use of the new filtering functionality once it is in place.

Allow self-management of user assignments by PI/manager to own project

The ColdFront API already supports authentication via OAuth (NERC Keycloak), so it can work with a user's own account.

In the current state of our API, only administrators can manage user/group memberships (staff flag in ColdFront), and the user registration script supports authentication only using client credentials.

We should allow PIs and managers to issue API requests with their OAuth token to manage a project they are PI of or have the manager role on.

(Optionally, Investigate) Another advantage of implementing assignment of users to a project through the SCIM v2 API is that it also allows universities to integrate their own tooling into the SCIM API. There is a myriad of tools already providing support for provisioning of users and group memberships into a SCIM API, as listed here http://simplecloud.info, and I would bet that a lot of the university and partner organizations are already making use of SCIM for provisioning Google Workspace, Office 365, etc.

Allow management of Managers of Projects from Group API

Currently it is not possible to add someone with a manager role through the API, so we've had to do this manually for TAs of a class.

There are two design issues to work out:

  • Groups currently represent users of a Resource Allocation, whereas the Manager role is on the Project rather than Resource Allocations.
  • We're not exposing Projects through the API.

One possible solution is to expose both memberships through the API as different groups:

Ex.
/Groups/allocation-123 would return the users of Resource Allocation 123 (currently /Groups/123).
/Groups/project-1234-users would return the users with a User role on Project 123.
/Groups/project-1234-managers would return the users with a Manager role on Project 123.

Implement filtering in allocations API by attributes

Currently the invoicing tools make an API request to /api/allocations?all=true. This responds with ALL the allocations, which doesn't scale.

We need to allow filtering by a specific attribute so that we can search for the allocation that we need.

Allow OAuth 2.0 Device Authorization Grant to authenticate

The script to register users currently requires a service account to authenticate with Keycloak; however, Keycloak also supports the OAuth 2.0 Device Authorization Grant. This is the flow in which the CLI generates a code and link, you open a browser and authenticate using that link, which gives you a token, and you insert that into the CLI. This is the flow that you use to authenticate to streaming services on your TV and the flow that OpenShift uses for CLI authentication.

If we support/document this flow, we can allow users to interact with the API through the CLI without requiring a Keycloak service account.

If we additionally support #11 we could allow PIs themselves to bulk add through the script.
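The client side of the Device Authorization Grant (RFC 8628), in which the CLI polls the token endpoint while the user authenticates in the browser, added here as an example that is not taken from the coldfront-plugin-api code base. The `post` transport, the `fake_idp` stand-in for the token endpoint and all sample values are constructed assumptions so the block runs offline.

```python
import time

GRANT_TYPE = "urn:ietf:params:oauth:grant-type:device_code"  # RFC 8628, section 3.4

class DeviceFlowError(Exception):
    """Raised when the user denies the request or the device code expires."""

def poll_for_token(post, client_id, device_resp, sleep=time.sleep):
    """Poll until approved, denied or expired. `post(form) -> (status, body)` is a
    hypothetical transport for the identity provider's token endpoint."""
    interval = device_resp.get("interval", 5)  # RFC 8628 default when absent
    remaining = device_resp["expires_in"]
    form = {"grant_type": GRANT_TYPE, "client_id": client_id,
            "device_code": device_resp["device_code"]}
    while remaining > 0:
        sleep(interval)
        remaining -= interval
        status, body = post(form)
        if status == 200:
            return body["access_token"]
        error = body.get("error")
        if error == "authorization_pending":
            continue  # user has not finished in the browser yet
        if error == "slow_down":
            interval += 5  # back-off required by the RFC
            continue
        raise DeviceFlowError(error or "unexpected response")
    raise DeviceFlowError("expired_token")

def fake_idp(script):
    """Constructed stand-in for the token endpoint: replays canned responses."""
    replies = iter(script)
    return lambda form: next(replies)

# Constructed sample data, not real Keycloak output.
DEVICE_RESP = {"device_code": "dc-constructed", "expires_in": 60, "interval": 5}
PENDING = (400, {"error": "authorization_pending"})
SLOW_DOWN = (400, {"error": "slow_down"})
GRANTED = (200, {"access_token": "tok-constructed", "token_type": "Bearer"})

def demo():
    waits = []  # record sleeps instead of actually waiting
    token = poll_for_token(fake_idp([PENDING, SLOW_DOWN, PENDING, GRANTED]),
                           "cli-client", DEVICE_RESP, sleep=waits.append)
    return token, waits
```

No client secret or user password passes through the CLI in this flow; the only credential it ends up holding is the user's own access token.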

Allow adding of users from the SCIM API that aren’t yet in ColdFront

In the current flow of using ColdFront through the web browser, a PI and all members of a project register through RegApp, which creates for them an account in Keycloak. Afterwards the PI logs in to ColdFront with their institutional account and requests PI status, creates a project, resource allocation, and then adds users to the project through a search box. The search box finds users that are registered with the NERC Keycloak even though ColdFront is unaware of them since they haven’t logged in to it.

#9, which merged today, allows adding/removing users that are present in ColdFront. However, it is unlikely that normal members log in to ColdFront, since it doesn’t provide them any functionality; they just register through RegApp.

  1. Every user needs to have signed the Terms of Service, which we are currently handling through the manual registration process and email verification in RegApp. Therefore, with the current state of the system, we can only allow adding users that exist in Keycloak.
  2. The username of users may unfortunately be different from the email address, as currently RegApp allows that flexibility. Therefore the SCIM API needs to allow a mechanism for resolving usernames for email, as I’m assuming PIs will have a list of emails rather than usernames.
  3. The solution shouldn’t make API requests directly to Keycloak, but should make use of the functionality of ColdFront to search for users, which we have already extended through https://github.com/nerc-project/coldfront-plugin-keycloak

Solution

  • Connect the Groups API from #9 to the user functions above to allow adding Keycloak users to project. -> #12
  • Implement list users -> #13
  • Implement searching users via email
  • Implement getting information for a specific user -> #13

Provide an option to return not active resource allocations

Currently, /api/allocations only returns resource allocations that are in Active state.

As an API consumer, I want the ability to query resource allocations that are not Active.

This is important for invoicing as a resource allocation may have been active at some point during the last month and therefore its information needs to be queried when generating the invoices.
