Hi all,

Had a chat with Prabath, Sumedha and AmilaM regarding this and decided to move the <SelfSignUp> config to the tenant's registry so that tenants could specify per-tenant default sign-up roles. Also, we need to provide a new UI so tenant admins can configure the sign-up roles for their tenancy.

On Thu, Jan 23, 2014 at 11:03 AM, Dimuthu Leelarathne <[email protected]> wrote:

> Hi Sumedha,
>
> On Thu, Jan 23, 2014 at 10:31 AM, Sumedha Rubasinghe <[email protected]> wrote:
>
>> For external users this is part of a single story. The fact that these components are coming from different projects is irrelevant.
>>
>> So it needs to happen like how you have mentioned.
>>
>> We can make CloudApp the starting point and execute this logic in there.
>
> Yes. I was proposing to do it in CloudApp. And one step further - do it in CloudApp only. That is how we plan to handle user-mgt etc. for AF. So when AF is deployed in an MT scenario, it goes with the CloudApp.
>
> thanks,
> dimuthu
>
>> On Thu, Jan 23, 2014 at 9:49 AM, Dimuthu Leelarathne <[email protected]> wrote:
>>
>>> Hi all,
>>>
>>> In terms of WSO2 Cloud then I think we have to think in terms of the CloudApp as well. For example, firstly tenants sign up to the cloud. And are they again supposed to sign up to the API Store?
>>>
>>> In the CloudMgt App we have three selections
>>>
>>> - Integration Cloud
>>> - App Cloud
>>> - API Cloud
>>>
>>> So if a person ticks API cloud all of these things should happen.
>>>
>>> thanks,
>>> dimuthu
>>>
>>> On Thu, Jan 23, 2014 at 12:36 AM, Lalaji Sureshika <[email protected]> wrote:
>>>
>>>> Hi,
>>>>
>>>> On Wed, Jan 22, 2014 at 10:34 PM, Chamath Gunawardana <[email protected]> wrote:
>>>>
>>>>> On Wed, Jan 22, 2014 at 7:29 PM, Lalaji Sureshika <[email protected]> wrote:
>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> On Wed, Jan 22, 2014 at 5:36 PM, Prabath Siriwardena <[email protected]> wrote:
>>>>>>
>>>>>>> If this is per tenant - you cannot do it via a configuration in the identity.xml...
>>>>>>>
>>>>>>> Ideally the tenant admin should have an option in the UI to enable/disable SelfSignUp and if it is enabled he should be able to specify the default role or the role list.
>>>>>>
>>>>>> If I understood correctly, with the current approach the SelfSignUp function through UserSelfRegistrationService is enabled for each tenant and it picks the same custom defined role in identity.xml for each tenant. If we are going to support the use-case of ability to configure self signup and its assigning custom roles per tenant basis, we have to move the self-signup config from identity.xml used in "UserSelfRegistrationService" to a registry config.
>>>>>
>>>>> In the IS next release (4.7.0) we are planning to save configuration (email templates) tenant wise. Actually it will be the contents of email-admin-config.xml that will be saved tenant wise and provide a view in the management console for editing. So I think you can extend it to save the identity.xml based on tenants in the registry as well.
>>>>
>>>> If going to make identity.xml tenant aware, it will be a relatively big change as it is used by different IS components. What I meant was, only the <SelfSignUp> config to move to the registry as a separate file. And one more point I forgot from my previous comment is that we have to have the ability of defining custom permissions for the created custom role from this <SelfSignup> config as well. Reason for that is, previously we do create the custom role from APIM during server startup and tenant initialization with our custom permissions, before a user triggers the signup function from APIStore. But since we are going to move this <selfsignup> to be dynamically configurable via registry, we don't have the control to explicitly create changing roles dynamically from a separate code, before triggering the signup function.
>>>>
>>>> Thanks;
>>>>
>>>>>> Then the tenant admin can change that config file accordingly from the management console, which is similar to the tiers.xml usage in APIM. Is there any other better approach of doing this? Else shall we proceed with the above change in IS self-signup related code?
>>>>>>
>>>>>> Thanks;
>>>>>>
>>>>>>> Thanks & regards,
>>>>>>> -Prabath
>>>>>>>
>>>>>>> On Wed, Jan 22, 2014 at 5:30 PM, Asela Pathberiya <[email protected]> wrote:
>>>>>>>
>>>>>>>> On Wed, Jan 22, 2014 at 4:51 PM, Lalaji Sureshika <[email protected]> wrote:
>>>>>>>>
>>>>>>>>> Hi,
>>>>>>>>>
>>>>>>>>> I checked the code and found the below configuration needs to be added to identity.xml, in order to configure the self signup user's assigning role.
>>>>>>>>>
>>>>>>>>> <SelfSignUp>
>>>>>>>>>   <SignUpRole>
>>>>>>>>>     <Name>test</Name>
>>>>>>>>>     <External>true</External>
>>>>>>>>>   </SignUpRole>
>>>>>>>>> </SelfSignUp>
>>>>>>>>>
>>>>>>>>> In addition to configuring custom roles for the self registration function, is there a config element to enable/disable self signup functionality? As I found there's no such config. It's based on the users-store read-only mode/not.
>>>>>>>>> I'm asking this because, in the api-manager.xml file also we are keeping a <selfsignup> section as below. That api-manager.xml contains one additional attribute to enable/disable self signup functionality in a running server, which is not available in the config of identity.xml. If there is a similar config attribute in identity.xml, we can totally deprecate the use of <SelfSignUp> in api-manager.xml and stick only to the identity.xml config.
>>>>>>>>>
>>>>>>>>> <SelfSignUp>
>>>>>>>>>   <Enabled>true</Enabled>
>>>>>>>>>   <SubscriberRoleName>subscriber1</SubscriberRoleName>
>>>>>>>>> </SelfSignUp>
>>>>>>>>>
>>>>>>>>> If there's no such config element available in identity.xml, shall we add such a property to the <SelfSignUp> config in identity.xml and improve the code of the self-signup service based on it, as I feel it's a useful improvement from the IS side as well. Appreciate thoughts on this.
>>>>>>>>
>>>>>>>> +1. It is better to have a property to enable/disable in the identity.xml. I do not think we can configure multiple roles (multiple SignUpRole elements). If not, we can fix it as well.
>>>>>>>>
>>>>>>>> Thanks.
>>>>>>>> Asela.
>>>>>>>>
>>>>>>>>> Thanks;
>>>>>>>>>
>>>>>>>>> On Wed, Jan 22, 2014 at 2:30 PM, Lalaji Sureshika <[email protected]> wrote:
>>>>>>>>>
>>>>>>>>>> Hi,
>>>>>>>>>>
>>>>>>>>>> On Wed, Jan 22, 2014 at 2:04 PM, Prabath Siriwardena <[email protected]> wrote:
>>>>>>>>>>
>>>>>>>>>>> I think the right approach is to use [1]. UserSelfRegistrationService will add users to the Identity role by default. But, if you want to add the user to the subscriber role, you can make it configurable.
>>>>>>>>>>
>>>>>>>>>> Thanks for pointing it out. Wasn't aware that the default role for adding users from the "UserSelfRegistrationService" service is configurable. Will follow this approach without using a separate listener class.
>>>>>>>>>>
>>>>>>>>>> Thanks;
>>>>>>>>>>
>>>>>>>>>>> Also - with UserSelfRegistrationService - you can specify to which user stores you need to add users.
>>>>>>>>>>>
>>>>>>>>>>> Thanks & regards,
>>>>>>>>>>> -Prabath
>>>>>>>>>>>
>>>>>>>>>>> On Wed, Jan 22, 2014 at 11:22 AM, Lalaji Sureshika <[email protected]> wrote:
>>>>>>>>>>>
>>>>>>>>>>>> Hi,
>>>>>>>>>>>>
>>>>>>>>>>>> With the current WSO2 APIStore self signup functionality, we do support only the super tenant APIStore. We are planning to extend it to support tenant users as well.
>>>>>>>>>>>>
>>>>>>>>>>>> With the current signup approach, we do two web service calls as;
>>>>>>>>>>>> 1) call "UserSelfRegistrationService" to add the user
>>>>>>>>>>>> 2) call "UserAdmin" to assign the subscriber role to the user
>>>>>>>>>>>>
>>>>>>>>>>>> With the above approach, for the 2) call, we need to authenticate and thus need to have admin credentials predefined. But in tenant mode, to do the above 2) we cannot keep tenant admin credentials predefined in a config file and use them.
>>>>>>>>>>>>
>>>>>>>>>>>> Thus without doing the above 2) web service call, we are going to achieve the role assignment by writing a custom user store listener implementation and do the role assignment as a PreAddUser operation. This way, it'll not be required to keep tenant admin/super admin credentials and will only do one web service call for signup.
>>>>>>>>>>>>
>>>>>>>>>>>> Appreciate your feedback on this.
>>>>>>>>>>>>
>>>>>>>>>>>> Thanks;
>>>>>>>>>>>>
>>>>>>>>>>>> --
>>>>>>>>>>>> Lalaji Sureshika
>>>>>>>>>>>> WSO2, Inc.; http://wso2.com/
>>>>>>>>>>>> email: [email protected];
>>>>>>>>>>>> blog: http://lalajisureshika.blogspot.com
>>>>>>>>>>>>
>>>>>>>>>>>> _______________________________________________
>>>>>>>>>>>> Architecture mailing list
>>>>>>>>>>>> [email protected]
>>>>>>>>>>>> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
>>>>>>>>>>>
>>>>>>>>>>> --
>>>>>>>>>>> Thanks & Regards,
>>>>>>>>>>> Prabath
>>>>>>>>>>>
>>>>>>>>>>> Twitter : @prabath
>>>>>>>>>>> LinkedIn : http://www.linkedin.com/in/prabathsiriwardena
>>>>>>>>>>>
>>>>>>>>>>> Mobile : +94 71 809 6732
>>>>>>>>>>>
>>>>>>>>>>> http://blog.facilelogin.com
>>>>>>>>>>> http://blog.api-security.org
>>>>>>>>
>>>>>>>> --
>>>>>>>> Thanks & Regards,
>>>>>>>> Asela
>>>>>>>>
>>>>>>>> ATL
>>>>>>>> Mobile : +94 777 625 933
>>>>>
>>>>> --
>>>>> Best Regards,
>>>>> Chamath Gunawardana
>>>>> Technical Lead; WSO2 Inc.
>>>>> Mobile : +94776322240
>>>
>>> --
>>> Dimuthu Leelarathne
>>> Architect & Product Lead of App Factory
>>>
>>> WSO2, Inc. (http://wso2.com)
>>> email: [email protected]
>>> Mobile : 0773661935
>>>
>>> Lean . Enterprise . Middleware
>>
>> --
>> /sumedha
>> m: +94 773017743
>> b : bit.ly/sumedha

--
Thanks,
M. S. M. Shariq.
Senior Software Engineer
Phone: +94 777 202 225
_______________________________________________ Architecture mailing list [email protected] https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
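
The per-tenant lookup decided on at the top of this thread, sketched as an added example; it is not WSO2 code and not from any poster. The registry dict, the tenant domains, the merged `<SelfSignUp>` layout (an `Enabled` flag plus repeated `SignUpRole` elements) and the fail-closed handling are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample registry: tenant domain -> <SelfSignUp> XML as saved by
# that tenant's admin. The merged layout (Enabled plus repeated SignUpRole)
# is an assumption built from the two snippets quoted in the thread.
REGISTRY = {
    "a.example": "<SelfSignUp><Enabled>true</Enabled>"
    "<SignUpRole><Name>subscriber</Name><External>false</External></SignUpRole>"
    "<SignUpRole><Name>partner</Name><External>true</External></SignUpRole>"
    "</SelfSignUp>",
    "b.example": "<SelfSignUp><Enabled>false</Enabled>"
    "<SignUpRole><Name>subscriber</Name><External>false</External></SignUpRole>"
    "</SelfSignUp>",
}


class SignUpDisabled(Exception):
    """Self sign-up is off, unconfigured or misconfigured for the tenant."""


def _text(node, tag):
    child = node.find(tag)
    return (child.text or "").strip() if child is not None else ""


def signup_roles(registry, tenant_domain):
    """Return [(role_name, is_external)] for one tenant, failing closed."""
    raw = registry.get(tenant_domain)
    if raw is None:  # never fall back to another tenant's roles
        raise SignUpDisabled("no SelfSignUp config for " + tenant_domain)
    if "<!DOCTYPE" in raw or "<!ENTITY" in raw:  # tenant-edited XML is untrusted
        raise SignUpDisabled("DTDs are not accepted in tenant config")
    try:
        root = ET.fromstring(raw)
    except ET.ParseError as exc:
        raise SignUpDisabled("malformed config: %s" % exc)
    if root.tag != "SelfSignUp" or _text(root, "Enabled").lower() != "true":
        raise SignUpDisabled("self sign-up not enabled for " + tenant_domain)
    roles = []
    for node in root.findall("SignUpRole"):
        name = _text(node, "Name")
        if not name:
            raise SignUpDisabled("SignUpRole without a Name")
        entry = (name, _text(node, "External").lower() == "true")
        if entry not in roles:
            roles.append(entry)
    if not roles:
        raise SignUpDisabled("enabled but no SignUpRole configured")
    return roles
```

Moving the config from a server-side file into a tenant-editable registry resource makes it tenant-controlled input, which is why the sketch refuses DTDs and treats every parse or validation failure as "sign-up disabled" instead of falling back to a default role.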
