Hi all,

The current user signup method (jsFunction_addUser() [1]) in API Manager
uses the addUser method in UserRegistrationService [2] (through
UserRegistrationAdminService from APIM) to register the user, and it was
suggested to use that same method for tenant user signup as well (Shariq has
modified this so that tenant-wise roles can be taken from the registry and
assigned to the tenant user). But with that modification, this method cannot
be used for tenant signup with the current user signup workflow in the API
Manager.

When signing up a user to the super user store, first add a user by calling
the addUser method (from this method, the user is assigned the default
internal/identity role from UserRegistrationService), then follow the
signup workflow, and finally add the role to that user. In the signup
workflow, the user approval process is managed, and until then the user cannot
log in. But when the addUser method is called for tenant signup, a tenant user
is created and all his roles are assigned to him at the creation point. As
a result, the second point (approval process) cannot be done (the user can log
in before the approval process is done). As a result, the method to assign
roles by using '/_system/governance/repository/identity/sign-up-config'
(mentioned in 'User roles for tenants' in my first mail) cannot be used in
this case.

*Modified method to add user roles for tenants*

As a result of the above-mentioned problem, a registry entry in
/_system/governance/repository/identity/sign-up-config won't be created as
mentioned in the first mail. Without this config, all the tenants created
using the addUser method will have the default internal/identity role. A
registry resource similar to 'sign-up-config' is created in a separate registry
location, and this entry can be used to add roles to the tenant during the
final step. As a result, the approval process can be carried out during the
second step.


[1]
https://svn.wso2.org/repos/wso2/carbon/platform/branches/turing/components/apimgt/org.wso2.carbon.apimgt.hostobjects/1.2.3/src/main/java/org/wso2/carbon/apimgt/hostobjects/APIStoreHostObject.java
[2]
https://svn.wso2.org/repos/wso2/carbon/platform/branches/turing/components/identity/org.wso2.carbon.identity.user.registration/4.2.2/src/main/java/org/wso2/carbon/identity/user/registration/UserRegistrationService.java


Thanks,
Chamila.


On Thu, Sep 4, 2014 at 12:15 AM, Amila De Silva <[email protected]> wrote:

> Hi Chamila,
>
> I think you have to start the TenantFlow and set the ID for the tenant
> correctly before fetching the configuration. In the method
> jsFunction_resumeWorkflow, this is done by calling
>
>     PrivilegedCarbonContext.startTenantFlow();
>     PrivilegedCarbonContext.getThreadLocalCarbonContext().setTenantDomain(tenantDomain, true);
>
>
>
> On Wed, Sep 3, 2014 at 10:47 PM, Chamila Adhikarinayake <[email protected]
> > wrote:
>
>> Actually the tasks are created with that executor for other tenants as
>> well, but not inside the correct tenant domain in the BPS. They are created
>> in the carbon.super tenant domain and the related task can be viewed in the
>> workflow-admin UI only by logging in as super user.
>>
>> The following is the reason I think causes this.
>>
>> In the method jsFunction_addUser() in APIStoreHostObject following code
>> is there to create the workflow
>>
>> WorkflowExecutor userSignUpWFExecutor = WorkflowExecutorFactory.getInstance()
>>         .getWorkflowExecutor(WorkflowConstants.WF_TYPE_AM_USER_SIGNUP);
>>
>> This WorkflowExecutor is created using the carbon.super user configuration
>> information in the registry. In the 'getWorkflowConfigurations()' method in
>> the WorkflowExecutorFactory class,
>> PrivilegedCarbonContext.getThreadLocalCarbonContext().getTenantDomain(); is
>> used to get the domain name (also the tenant id). So even though there is a
>> different tenant domain, these values do not change. So the superuser conf is
>> used and the request is sent to the carbon.super tenant in BPS, not to the
>> tenant's one. So I'm working on passing the correct domain info to this
>>
>>
>> On Wed, Sep 3, 2014 at 9:06 PM, Nuwan Dias <[email protected]> wrote:
>>
>>> On Wed, Sep 3, 2014 at 9:02 PM, Chamila Adhikarinayake <
>>> [email protected]> wrote:
>>>
>>>> Hi all,
>>>> I'm creating a user self-signup feature for the tenant store in API Manager.
>>>> The current API Manager provides a self-signup facility only for the
>>>> carbon.super store. To add tenant users, the tenant admin has to add them
>>>> manually through the carbon console.
>>>>
>>>> Following parts will be implemented
>>>>
>>>> *UI changes* (see attached images)
>>>>
>>>> 1. enable the sign-up button for tenant user store
>>>> 2. add the domain name extension for the user name field in the user
>>>> registration form. (this is appended to the user name)
>>>>
>>>> *User roles for tenants*
>>>>
>>>> Tenant signup configuration will be moved to the registry location
>>>> '/_system/governance/repository/identity/sign-up-config'. This part is
>>>> already implemented by Shariq for an IS component (see the discussion in the
>>>> thread "Provide support for self signup for tenants' APIStores" for more
>>>> info on the configuration). But this resource needed to be created
>>>> manually. So as a part of the implementation, this resource will be added
>>>> with default values when creating a tenant. The default value will be
>>>>
>>>> <SelfSignUp>
>>>>    <SignUpDomain>PRIMARY</SignUpDomain>
>>>>    <SignUpRole>
>>>>       <RoleName>subscriber</RoleName>
>>>>       <IsExternalRole>false</IsExternalRole>
>>>>    </SignUpRole>
>>>> </SelfSignUp>
>>>>
>>>>
>>>> *Modification to current work-flow for tenant sign-up.*
>>>>
>>>> The currently implemented method does not work when
>>>> UserSignUpWSWorkflowExecutor is used in the work-flow. This can only be
>>>> used with tenant signups for superuser. Existing code uses the configuration
>>>> in the carbon super user's registry entry
>>>> '/_system/governance/apimgt/applicationdata/workflow-extensions.xml' for
>>>> tenants as well (see jsFunction_addUser() in the
>>>> org.wso2.carbon.apimgt.hostobjects.APIStoreHostObject class). When
>>>> registering a tenant user for a different tenant, the configuration in the
>>>> tenant's workflow-extensions.xml needs to be used.
>>>>
>>>> I have implemented basic functionality [1] as requested by AmilaM (users
>>>> can sign up for tenant stores, but the tenant admin has to manually add the
>>>> registry entry with user roles to the given location. If this entry is not
>>>> there, a default 'identity' user role is assigned to the user. Only
>>>> UserSignUpSimpleWorkflowExecutor for the workflow can be used with this. If
>>>> UserSignUpWSWorkflowExecutor is used to connect to the BPS, the tenant
>>>> approval tasks are not created properly).
>>>>
>>>
>>> Do we know the reason for the tasks of the BPS not being created when
>>> the UserSignUpWSWorkflowExecutor is used? We will need to dig into that
>>> IMO.
>>>
>>>>
>>>> [1] https://wso2.org/jira/browse/APIMANAGER-2785
>>>>
>>>> Comments are highly appreciated
>>>> Thanks,
>>>> Chamila.
>>>>
>>>> --
>>>> Regards,
>>>> Chamila Adhikarinayake
>>>> Software Engineer
>>>> WSO2, Inc.
>>>> Mobile - +94712346437
>>>> Email  - [email protected]
>>>>
>>>
>>>
>>>
>>> --
>>> Nuwan Dias
>>>
>>> Associate Tech Lead - WSO2, Inc. http://wso2.com
>>> email : [email protected]
>>> Phone : +94 777 775 729
>>>
>>
>>
>>
>> --
>> Regards,
>> Chamila Adhikarinayake
>> Software Engineer
>> WSO2, Inc.
>> Mobile - +94712346437
>> Email  - [email protected]
>>
>
>
>
> --
> *Amila De Silva*
>
> WSO2 Inc.
> mobile :(+94) 775119302
>
>


-- 
Regards,
Chamila Adhikarinayake
Software Engineer
WSO2, Inc.
Mobile - +94712346437
Email  - [email protected]
_______________________________________________
Architecture mailing list
[email protected]
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
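
The role-assignment ordering problem described in the top message of this thread, as an added example that is not part of the original mail or of the WSO2 code base. It is a self-contained Java model: the class, method names, tenant domain and users are hypothetical, and it assumes store login requires the tenant's sign-up role.

```java
import java.util.*;

// Added illustration only: a self-contained model, not WSO2 code. All names are hypothetical.
public class TenantSignupGate {
    static final String DEFAULT_ROLE = "Internal/identity"; // role every new user gets at creation
    // Constructed stand-in for the per-tenant sign-up role config kept in the registry.
    static final Map<String, String> SIGNUP_ROLE = Map.of("tenant.example", "subscriber");

    final Map<String, Set<String>> roles = new HashMap<>(); // user -> assigned roles
    final Map<String, String> pending = new HashMap<>();    // user -> tenant awaiting approval

    // Problem flow: the sign-up role is attached when the user is created.
    void addUserRolesAtCreation(String user, String tenant) {
        addUserDeferred(user, tenant);
        String role = SIGNUP_ROLE.get(tenant);
        if (role != null) roles.get(user).add(role);
    }

    // Modified flow: creation assigns only the default role and records the request.
    void addUserDeferred(String user, String tenant) {
        roles.put(user, new HashSet<>(Set.of(DEFAULT_ROLE)));
        pending.put(user, tenant);
    }

    // Final workflow step: the sign-up role is added only for an approved, pending request.
    boolean completeWorkflow(String user, boolean approved) {
        String tenant = pending.remove(user);
        String role = tenant == null ? null : SIGNUP_ROLE.get(tenant);
        if (role == null || !approved) return false; // unknown, replayed or rejected request
        roles.get(user).add(role);
        return true;
    }

    // Assumption: store login is permitted only to holders of the tenant's sign-up role.
    boolean canLogin(String user, String tenant) {
        String need = SIGNUP_ROLE.get(tenant);
        return need != null && roles.getOrDefault(user, Set.of()).contains(need);
    }

    public static void main(String[] args) {
        String t = "tenant.example";
        TenantSignupGate g = new TenantSignupGate();
        g.addUserRolesAtCreation("alice@" + t, t);
        System.out.println("roles at creation, before approval: " + g.canLogin("alice@" + t, t));
        g.addUserDeferred("bob@" + t, t);
        System.out.println("deferred, before approval: " + g.canLogin("bob@" + t, t));
        g.completeWorkflow("bob@" + t, true);
        System.out.println("deferred, after approval: " + g.canLogin("bob@" + t, t));
    }
}
```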
