Shariq,

How will this affect the cloud deployment? If this configuration is not
found in the tenant registry, what will happen? I think we need to have a
method to which we can pass the roles we want to assign to the signed-up
users (then we can use it in the cloud scenario). You will have to add it
to the registration service.

Also, can you post the configuration which you are going to add in the
registry? AFAIR, Prabath mentioned some other facts, such as which
user store the tenant wants to add this user to, whether the role is internal
or external, etc.


On Tue, Apr 1, 2014 at 6:24 PM, Shariq Muhammed <[email protected]> wrote:

> Hi all,
>
> Had a chat with Prabath, Sumedha and AmilaM regarding this and decided to
> move the <SelfSignUp> config to the tenant's registry so that tenants could
> specify per-tenant default sign-up roles. Also, we need to provide a new UI
> so tenant admins can configure the sign-up roles for their tenancy.
>
>
>
> On Thu, Jan 23, 2014 at 11:03 AM, Dimuthu Leelarathne <[email protected]> wrote:
>
>> Hi Sumedha,
>>
>>
>> On Thu, Jan 23, 2014 at 10:31 AM, Sumedha Rubasinghe <[email protected]> wrote:
>>
>>> For external users this is part of a single story. The fact that these
>>> components are coming from different projects is irrelevant.
>>>
>>> So it needs to happen like how you have mentioned.
>>>
>>> We can make CloudApp the starting point and execute this logic in there.
>>>
>>
>> Yes. I was proposing to do it in CloudApp. And one step further - do it
>> in CloudApp only. That is how we plan to handle user-mgt etc. for AF.
>> So when AF is deployed in an MT scenario, it goes with the CloudApp.
>>
>> thanks,
>> dimuthu
>>
>>
>>>
>>>
>>> On Thu, Jan 23, 2014 at 9:49 AM, Dimuthu Leelarathne <[email protected]> wrote:
>>>
>>>> Hi all,
>>>>
>>>> In terms of WSO2 Cloud, I think we have to think in terms of the
>>>> CloudApp as well. For example, firstly tenants sign up to the cloud. And
>>>> are they again supposed to sign up to the API Store?
>>>>
>>>> In the CloudMgt App we have three selections
>>>>
>>>> - Integration Cloud
>>>> - App Cloud
>>>> - API Cloud
>>>>
>>>> So if a person ticks API cloud all of these things should happen.
>>>>
>>>> thanks,
>>>> dimuthu
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> On Thu, Jan 23, 2014 at 12:36 AM, Lalaji Sureshika <[email protected]> wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>>
>>>>> On Wed, Jan 22, 2014 at 10:34 PM, Chamath Gunawardana <
>>>>> [email protected]> wrote:
>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> On Wed, Jan 22, 2014 at 7:29 PM, Lalaji Sureshika <[email protected]> wrote:
>>>>>>
>>>>>>> Hi,
>>>>>>>
>>>>>>>
>>>>>>> On Wed, Jan 22, 2014 at 5:36 PM, Prabath Siriwardena <
>>>>>>> [email protected]> wrote:
>>>>>>>
>>>>>>>> If this is per tenant - you cannot do it via a configuration in the
>>>>>>>> identity.xml...
>>>>>>>>
>>>>>>>> Ideally the tenant admin should have an option in the UI to
>>>>>>>> enable/disable SelfSignUp and if it is enabled he should be able to
>>>>>>>> specify the default role or the role list.
>>>>>>>>
>>>>>>>
>>>>>>> If I understood correctly, with the current approach the SelfSignUp
>>>>>>> function through UserSelfRegistrationService is enabled for each
>>>>>>> tenant and it picks the same custom-defined role in identity.xml for each
>>>>>>> tenant. If we are going to support the use case of configuring
>>>>>>> self signup and its assigned custom roles on a per-tenant basis, we have
>>>>>>> to move the self-signup config from identity.xml used in
>>>>>>> "UserSelfRegistrationService" to a registry config.
>>>>>>>
>>>>>> In the next IS release (4.7.0) we are planning to save configuration
>>>>>> (email templates) tenant-wise. Actually, the contents of
>>>>>> email-admin-config.xml will be saved tenant-wise and a view will be
>>>>>> provided in the management console for editing. So I think you can
>>>>>> extend it to save the identity.xml based on tenants in the registry as well.
>>>>>>
>>>>>
>>>>>
>>>>> If we are going to make identity.xml tenant-aware, it will be a
>>>>> relatively big change as it is used by different IS components. What I meant
>>>>> was to move only the <SelfSignUp> config to the registry as a separate
>>>>> file. And one more point I forgot from my previous comment is that we have
>>>>> to have the ability to define custom permissions for the created custom role
>>>>> from this <SelfSignup> config as well. The reason for that is, previously we
>>>>> created the custom role from APIM during server startup and tenant
>>>>> initialization with our custom permissions, before a user triggers the
>>>>> signup function from APIStore. But since we are going to make this
>>>>> <selfsignup> dynamically configurable via the registry, we don't have the
>>>>> control to explicitly create changing roles dynamically from separate
>>>>> code before the signup function is triggered.
>>>>>
>>>>> Thanks;
>>>>>
>>>>>
>>>>>
>>>>>>
>>>>>>
>>>>>>> Then the tenant admin can change that config file accordingly from
>>>>>>> management console which is similar to the tiers.xml usage in APIM.
>>>>>>> Is there any other better approach of doing this? Else shall we
>>>>>>> proceed with above change in IS self-signup related code?
>>>>>>>
>>>>>>>  Thanks;
>>>>>>
>>>>>>>
>>>>>>>> Thanks & regards,
>>>>>>>> -Prabath
>>>>>>>>
>>>>>>>>
>>>>>>>> On Wed, Jan 22, 2014 at 5:30 PM, Asela Pathberiya <[email protected]> wrote:
>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On Wed, Jan 22, 2014 at 4:51 PM, Lalaji Sureshika <[email protected]> wrote:
>>>>>>>>>
>>>>>>>>>> Hi,
>>>>>>>>>>
>>>>>>>>>> I checked the code and found that the configuration below needs to be
>>>>>>>>>> added to identity.xml in order to configure the role assigned to
>>>>>>>>>> self-signup users.
>>>>>>>>>>
>>>>>>>>>> <SelfSignUp>
>>>>>>>>>> <SignUpRole>
>>>>>>>>>> <Name>test</Name>
>>>>>>>>>> <External>true</External>
>>>>>>>>>> </SignUpRole>
>>>>>>>>>> </SelfSignUp>
>>>>>>>>>>
>>>>>>>>>> In addition to configuring custom roles for the self-registration
>>>>>>>>>> function, is there a config element to enable/disable the self-signup
>>>>>>>>>> functionality? As far as I found, there's no such config. It's based on
>>>>>>>>>> whether the user store is in read-only mode or not.
>>>>>>>>>> I'm asking this because in the api-manager.xml file we are also
>>>>>>>>>> keeping a <selfsignup> section as below. That api-manager.xml contains
>>>>>>>>>> one additional attribute to enable/disable self-signup functionality
>>>>>>>>>> in a running server, which is not available in the config of
>>>>>>>>>> identity.xml. If there is a similar config attribute in identity.xml,
>>>>>>>>>> we can totally deprecate the use of <SelfSignUp> in api-manager.xml
>>>>>>>>>> and stick only to the identity.xml config.
>>>>>>>>>>
>>>>>>>>>> <SelfSignUp>
>>>>>>>>>>         <Enabled>true</Enabled>
>>>>>>>>>>         <SubscriberRoleName>subscriber1</SubscriberRoleName>
>>>>>>>>>>
>>>>>>>>>> </SelfSignUp>
>>>>>>>>>>
>>>>>>>>>> If there's no such config element available in identity.xml, shall
>>>>>>>>>> we add such a property to the <SelfSignUp> config in identity.xml and
>>>>>>>>>> improve the code of the self-signup service based on it, as I feel it's
>>>>>>>>>> a useful improvement from the IS side as well? Appreciate thoughts on this.
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>> +1. It is better to have a property to enable/disable in the
>>>>>>>>> identity.xml. I do not think we can configure multiple roles (multiple
>>>>>>>>> SignUpRole elements). If not, we can fix it as well.
>>>>>>>>>
>>>>>>>>> Thanks.
>>>>>>>>> Asela.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Thanks;
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> On Wed, Jan 22, 2014 at 2:30 PM, Lalaji Sureshika <
>>>>>>>>>> [email protected]> wrote:
>>>>>>>>>>
>>>>>>>>>>> Hi,
>>>>>>>>>>>
>>>>>>>>>>> On Wed, Jan 22, 2014 at 2:04 PM, Prabath Siriwardena <
>>>>>>>>>>> [email protected]> wrote:
>>>>>>>>>>>
>>>>>>>>>>>> I think the right approach is to use [1]. UserSelfRegistrationService
>>>>>>>>>>>> will add users to the Identity role by default. But, if you want to add
>>>>>>>>>>>> the user to the subscriber role, you can make it configurable.
>>>>>>>>>>>>
>>>>>>>>>>> Thanks for pointing it out. Wasn't aware that the default role for
>>>>>>>>>>> users added from the "UserSelfRegistrationService" service is
>>>>>>>>>>> configurable. Will follow this approach without using a separate
>>>>>>>>>>> listener class.
>>>>>>>>>>>
>>>>>>>>>>> Thanks;
>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> Also - with UserSelfRegistrationService - you can specify to
>>>>>>>>>>>> which user stores you need to add users.
>>>>>>>>>>>>
>>>>>>>>>>>> Thanks & regards,
>>>>>>>>>>>> -Prabath
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> On Wed, Jan 22, 2014 at 11:22 AM, Lalaji Sureshika <
>>>>>>>>>>>> [email protected]> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>> Hi,
>>>>>>>>>>>>>
>>>>>>>>>>>>> With the current WSO2 APIStore self-signup functionality, we
>>>>>>>>>>>>> support only the super tenant APIStore. We are planning to extend
>>>>>>>>>>>>> it to support tenant users as well.
>>>>>>>>>>>>>
>>>>>>>>>>>>> With the current signup approach, we make two web service calls:
>>>>>>>>>>>>> 1) call "UserSelfRegistrationService" to add the user
>>>>>>>>>>>>> 2) call "UserAdmin" to assign the subscriber role to the user
>>>>>>>>>>>>>
>>>>>>>>>>>>> With the above approach, for call 2) we need to authenticate
>>>>>>>>>>>>> and thus need to have admin credentials predefined. But in tenant
>>>>>>>>>>>>> mode, to do 2) above we cannot keep tenant admin credentials
>>>>>>>>>>>>> predefined in a config file and use them.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Thus, without doing web service call 2) above, we are going to
>>>>>>>>>>>>> achieve the role assignment by writing a custom user store listener
>>>>>>>>>>>>> implementation and doing the role assignment as a PreAddUser
>>>>>>>>>>>>> operation. This way, it will not be required to keep tenant
>>>>>>>>>>>>> admin/super admin credentials and we will only make one web
>>>>>>>>>>>>> service call for signup.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Appreciate your feedback on this.
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> Thanks;
>>>>>>>>>>>>>
>>>>>>>>>>>>> --
>>>>>>>>>>>>> Lalaji Sureshika
>>>>>>>>>>>>> WSO2, Inc.;  http://wso2.com/
>>>>>>>>>>>>> email: [email protected];
>>>>>>>>>>>>> blog: http://lalajisureshika.blogspot.com
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> _______________________________________________
>>>>>>>>>>>>> Architecture mailing list
>>>>>>>>>>>>> [email protected]
>>>>>>>>>>>>> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> --
>>>>>>>>>>>> Thanks & Regards,
>>>>>>>>>>>> Prabath
>>>>>>>>>>>>
>>>>>>>>>>>> Twitter : @prabath
>>>>>>>>>>>> LinkedIn : http://www.linkedin.com/in/prabathsiriwardena
>>>>>>>>>>>>
>>>>>>>>>>>> Mobile : +94 71 809 6732
>>>>>>>>>>>>
>>>>>>>>>>>> http://blog.facilelogin.com
>>>>>>>>>>>> http://blog.api-security.org
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> --
>>>>>>>>>>> Lalaji Sureshika
>>>>>>>>>>> WSO2, Inc.;  http://wso2.com/
>>>>>>>>>>> email: [email protected]; cell: +94 71 608 6811
>>>>>>>>>>> blog: http://lalajisureshika.blogspot.com
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> --
>>>>>>>>>> Lalaji Sureshika
>>>>>>>>>> WSO2, Inc.;  http://wso2.com/
>>>>>>>>>> email: [email protected]; cell: +94 71 608 6811
>>>>>>>>>> blog: http://lalajisureshika.blogspot.com
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> Thanks & Regards,
>>>>>>>>> Asela
>>>>>>>>>
>>>>>>>>> ATL
>>>>>>>>> Mobile : +94 777 625 933
>>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> --
>>>>>>>> Thanks & Regards,
>>>>>>>> Prabath
>>>>>>>>
>>>>>>>> Twitter : @prabath
>>>>>>>> LinkedIn : http://www.linkedin.com/in/prabathsiriwardena
>>>>>>>>
>>>>>>>> Mobile : +94 71 809 6732
>>>>>>>>
>>>>>>>> http://blog.facilelogin.com
>>>>>>>> http://blog.api-security.org
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>> Lalaji Sureshika
>>>>>>> WSO2, Inc.;  http://wso2.com/
>>>>>>> email: [email protected]; cell: +94 71 608 6811
>>>>>>> blog: http://lalajisureshika.blogspot.com
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> Best Regards,
>>>>>> Chamath Gunawardana
>>>>>> Technical Lead; WSO2 Inc.
>>>>>> Mobile : +94776322240
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Lalaji Sureshika
>>>>> WSO2, Inc.;  http://wso2.com/
>>>>> email: [email protected]; cell: +94 71 608 6811
>>>>> blog: http://lalajisureshika.blogspot.com
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>> --
>>>> Dimuthu Leelarathne
>>>> Architect & Product Lead of App Factory
>>>>
>>>> WSO2, Inc. (http://wso2.com)
>>>> email: [email protected]
>>>> Mobile : 0773661935
>>>>
>>>> Lean . Enterprise . Middleware
>>>>
>>>>
>>>>
>>>
>>>
>>> --
>>> /sumedha
>>> m: +94 773017743
>>> b :  bit.ly/sumedha
>>>
>>>
>>>
>>
>>
>> --
>> Dimuthu Leelarathne
>> Architect & Product Lead of App Factory
>>
>> WSO2, Inc. (http://wso2.com)
>> email: [email protected]
>> Mobile : 0773661935
>>
>> Lean . Enterprise . Middleware
>>
>>
>>
>
>
> --
> Thanks,
> M. S. M. Shariq.
> Senior Software Engineer
> Phone: +94 777 202 225
>
>
>


-- 
*Amila Maharachchi*
Senior Technical Lead
WSO2, Inc.; http://wso2.com

Blog: http://maharachchi.blogspot.com
Mobile: +94719371446
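
Added example (not part of the thread and not WSO2 code): a fail-closed resolver for the per-tenant `<SelfSignUp>` document discussed above, covering the case where a tenant has no entry in its registry. Assumptions: the registry is modelled as a dict, `<Enabled>` sits in the same document as `<SignUpRole>` as proposed in the thread, multiple `<SignUpRole>` elements are accepted, and the deny list and tenant names are constructed.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass

PRIVILEGED_ROLES = {"admin"}  # assumed deny list: never grantable through sign-up

@dataclass(frozen=True)
class SignUpPolicy:
    enabled: bool
    roles: tuple  # (role_name, is_external) pairs

DISABLED = SignUpPolicy(enabled=False, roles=())

def load_policy(registry, tenant):
    """Resolve one tenant's policy; a missing or malformed entry disables sign-up."""
    xml_text = registry.get(tenant)
    if xml_text is None or "<!DOCTYPE" in xml_text:  # no entry, or DTD/entity tricks
        return DISABLED
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return DISABLED
    enabled = root.findtext("Enabled", "false").strip().lower() == "true"
    if root.tag != "SelfSignUp" or not enabled:
        return DISABLED
    roles = []
    for node in root.findall("SignUpRole"):
        name = (node.findtext("Name") or "").strip()
        external = (node.findtext("External") or "").strip().lower()
        if not name or name.lower() in PRIVILEGED_ROLES or external not in ("true", "false"):
            return DISABLED  # one bad entry invalidates the whole policy
        roles.append((name, external == "true"))
    return SignUpPolicy(True, tuple(roles)) if roles else DISABLED

# Constructed sample registry: tenant domain -> stored <SelfSignUp> document.
REGISTRY = {
    "tenant-a.example": "<SelfSignUp><Enabled>true</Enabled><SignUpRole>"
                        "<Name>subscriber1</Name><External>true</External>"
                        "</SignUpRole></SelfSignUp>",
    "tenant-b.example": "<SelfSignUp><Enabled>true</Enabled><SignUpRole>"
                        "<Name>admin</Name><External>false</External>"
                        "</SignUpRole></SelfSignUp>",
}

if __name__ == "__main__":
    for t in ("tenant-a.example", "tenant-b.example", "tenant-c.example"):
        print(t, load_policy(REGISTRY, t))
```

A tenant with no entry never inherits another tenant's roles, and a tenant admin cannot use the sign-up document to hand out a role on the deny list.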
