Alert.png The wiki is deprecated and due to be decommissioned by the end of September 2022.
The content is being migrated to other supports, new updates will be ignored and lost.
If needed you can get in touch with EGI SDIS team using operations @ egi.eu.

Difference between revisions of "AAI guide for VO managers"

From EGIWiki
Jump to navigation Jump to search
(Replaced content with "{{TOC_right}} The documentation has moved to https://docs.egi.eu/users/check-in/vos/.")
Tag: Replaced
(41 intermediate revisions by 3 users not shown)
Line 1: Line 1:
{{TOC_right}}
{{TOC_right}}


= Overview  =
The documentation has moved to https://docs.egi.eu/users/check-in/vos/.
 
This wiki page contains information about using the [[AAI|EGI AAI Check-in service]] to manage Virtual Organisations (VOs).
 
= VO management =
This guide contains information about managing VOs. VOs in Check-in are represented as Collaborative Organisation Units (COUs). A COU is more than just a group. It is the concept of groups combined with membership management and advanced enrolment workflows. COUs can also be organised in a hierarchical structure.
 
It is assumed that COU administrators and members have already registered in https://aai.egi.eu/registry.
 
If you haven’t registered yet, please visit https://aai.egi.eu/signup
 
A step-by-step guide for the registration process is provided in the link below:
https://wiki.egi.eu/wiki/AAI_usage_guide#Signing_Up_for_an_EGI_Account
 
== Glossary ==
{| class="wikitable" style="width: 50%;"
|-
! Term !! Definition
|-
| CO (Collaborative Organizations) || EGI User Community
|-
| COU (Collaboration Unit) || VO (Virtual Organization)
|-
| Organizational Identity || User’s relationship with their "real" Identity Provider, e.g. University, Institute, etc
|-
| CO Person || User belonging in '''EGI User Community CO'''llaboration
|-
| CO Person Role</br>(EGI Community Title) || User’s Role in a VO
|-
| CO Person Affiliation</br>(EGI Community Affiliation) || User’s Affiliation with a VO as defined in [https://www.internet2.edu/media/medialibrary/2013/09/04/internet2-mace-dir-eduperson-201203.html#eduPersonAffiliation RFC4512].</br>Permissible values are: <ul><li>faculty<li>student<li>staff<li>alum<li>member<li>affiliate<li>employee<li>library-walk-in</ul>
|-
| eduPersonEntitlement || Attribute value expressing group membership and role information
|}
 
== Abbreviations ==
{| class="wikitable" style="width:50%"
|-
! Term !! Definition
|-
| EOF || Enrollment Flow
|}
 
== Creating COUs ==
COUs can be created by Check-in platform administrators. To add or remove a COU please contact [mailto:checkin-support@mailman.egi.eu Checkin Support] indicating the following information:
* COU name
* COU description
* COU scope (e.g. mailing list, other)
* COU administrators, i.e. one or more users responsible for managing COU members
* COU owners, i.e. one or more users who can manage COU members and appoint other users as COU administrators
 
== Viewing COU members ==
{| class="wikitable" style="width: 60%;table-layout: fixed;"
| Visit EGI Check-in Registry
| [[image:Registry endpoint.png|thumb|none|300px]]
|-
| Click '''Login''' and authenticate using any of the login credentials already linked to your EGI account
| [[File:Login.png|thumb|none|300px]]
|-
| After logging in to the service, under '''Available Collaborations''',<br/>select '''EGI User Community''' from the list of collaborations.
| [[File:Available colaborations.png|thumb|none|500px]]
|-
| To view the existing members, expand the '''People''' drop down menu and<br/>click on '''My <COU-name> Population'''<br/>(for example, '''My vo.example.com Population''')
| [[File:People menu.png|thumb|none|300px]]
|-
| Then you are able to see all COU’s members.
| [[File:Cou members.png|500px|thumb|none]]
|}
 
== Adding new members to a COU ==
{| class="wikitable" style="width: 60%;table-layout: fixed;"
| Visit EGI Check-in Registry
| [[image:Registry endpoint.png|thumb|none|300px]]
|-
| Click '''Login''' and authenticate using any of the login credentials already linked to your EGI account
| [[File:Login.png|thumb|none|300px]]
|-
| After logging in to the service, under '''Available Collaborations''',<br/>select '''EGI User Community''' from the list of collaborations.
| [[File:Available colaborations.png|thumb|none|500px]]
|-
| Then expand the '''People''' drop down menu and click '''Enroll'''.
| [[File:People menu.png|thumb|none|300px]]
|-
| Choose and click the Enrollment flow of the VO you want to join, e.g. for VO vo.geoss.eu click '''Begin''' for the EOF Join vo.geoss.eu
|
[[File:Join geoss eof.png|500px|thumb|none]]
|-
| Under '''Role Attributes''' find the newly added VO.
| [[File:Cou added.png|500px|thumb|none]]
|}
 
== Removing members ==
{| class="wikitable" style="width: 60%;table-layout: fixed;"
| Visit EGI Check-in Registry
| [[image:Registry endpoint.png|thumb|none|300px]]
|-
| Click '''Login''' and authenticate using any of the login credentials already linked to your EGI account
| [[File:Login.png|thumb|none|300px]]
|-
| After logging in to the service, under '''Available Collaborations''',<br/>select '''EGI User Community''' from the list of collaborations.
| [[File:Available colaborations.png|thumb|none|500px]]
|-
| To view the existing members, expand the '''People''' drop down menu and<br/>click on '''My <COU-name> Population'''<br/>(for example, '''My vo.example.com Population''')
| [[File:People menu.png|thumb|none|300px]]
|-
| Click '''Edit''' on  the person that is going to be removed.
| [[File:Cou members.png|500px|thumb|none]]
|-
| Under '''Role Attributes''' click  '''Delete'''  on the right of the COU  entry of interest (for example, vo.example.com).<br/>On success the selected row will be removed.<br/>In this example we removed the '''vo.geoss.eu''' that we previously added.
| [[File:Cou removed.png|500px|thumb|none]]
|}
 
== Managing Affiliation and Role of VO Member ==
 
User’s '''Affiliation''' to a VO, as defined in [https://www.internet2.edu/media/medialibrary/2013/09/04/internet2-mace-dir-eduperson-201203.html#eduPersonAffiliation RFC4512], has eight permissible values. These are faculty, student, staff, alum, member, affiliate, employee, library-walk-in. EGI Check-in assigns to all user’s the affiliation Member by default,  during the VO(COU) enrollment process. This value is immutable for the user but editable for the VO administrator. As a result, if there is a change of status the administrator can always step in and change it appropriately.<br/>
Additionally, the user’s '''Role''' in a VO is the '''EGI User Community Title''' column, in Co Person Role’s View. This column can be either a custom text value; or a value chosen from a drop down list. The drop down list administration is an EGI Check-in CO administrator task and can not be managed by any VO admin.
{| class="wikitable" style="width: 60%;table-layout: fixed;"
| Update User’s VO affiliation
| <ul>
  <li>Navigate to Co Person Role view
  [[File:Co person role path.png|none|frame]]
  <li>Choose Affiliation from drop down list 
  [[File:Vo affiliation.png|none|frame]]
</ul>
|-
| Update User’s VO Role
| <ul>
  <li>Navigate to Co Person Role view
  [[File:Co person role path.png|none|frame]]
  <li>Choose Role from drop down list, if available, or add custom text if no list is present.
  [[File:Role title.png|frame|none]]
  </ul>
|}
 
Subsequently, EGI Check-in uses the CO Person’s group membership and role information in order to construct the eduPersonEntitlement values, in short entitlements. These URN-formatted attributes can be used for representing group membership, as well as to indicate rights to resources.<br/>
According to the [https://aarc-community.org/guidelines/aarc-g002 AARC-G002 specification], a user that is a member of the VO vo.example.org, and has the role supervisor, obtains the following entitlements:
<pre>urn:mace:egi.eu:group:vo.example.org:role=member#aai.egi.eu</pre>
<pre>urn:mace:egi.eu:group:vo.example.org:role=supervisor#aai.egi.eu</pre>
 
= VO membership API =
 
Check-in provide a REST API that allows clients to manage membership information only for the VOs they are authoritative for.
 
Features:
* Members of the VO are identified via their EGI Check-in ePUID
* Membership can be limited to a specified period
* Different membership status values are supported, namely <code>Active</code>, <code>Expired</code>, <code>Deleted</code>
* Check-in automatically changes the membership status from <code>Active</code> to <code>Expired</code> beyond the validity period
 
== Authentication ==
The REST client is authenticated via username/password credentials transmitted over HTTPS using the Basic Authentication scheme. More sophisticated authentication mechanisms, such as OpenID Connect/OAuth 2.0 access tokens, may be supported in the future.
 
== Methods ==
 
1. Adding a user to a VO requires specifying the user’s EGI Check-in ePUID, the name of the VO (e.g. <code>vo.access.egi.eu</code> in the case of LToS), the status (<code>Active</code>) and the valid from/through dates. All these parameters are mandatory. Here is an example using curl (see example <code>add.json</code> file below):
 
<pre>
curl -vX POST https://aai.egi.eu/api/v1/VoMembers \
  --user "example-client":"veryverysecret" \
  --data @add.json \
  --header "Content-Type: application/json"
</pre>
 
File: <code>add.json</code>
<pre>
{
  "RequestType": "VoMembers",
  "Version": "1.0",
  "VoMembers": [
    {
      "Version": "1.0",
      "VoId": "vo.access.egi.eu",
      "Person": {
        "Type": "CO",
        "Id": "01234567890123456789@egi.eu"
      },
      "Status": "Active",
      "ValidFrom": "2017-05-21",
      "ValidThrough": "2017-06-21"
    }
  ]
}
</pre>
 
2. Retrieving the VO membership information for a given EGI Check-in ePUID:
 
<pre>
curl -vX GET https://aai.egi.eu/api/v1/VoMembers/01234567890123456789@egi.eu \
  --user "example-client":"veryverysecret"
</pre>
 
Output:
<pre>
[{"id":85,"epuid":"01234567890123456789@egi.eu","vo_id":"vo.access.egi.eu","valid_from":"2017-05-20T22:00:00.000Z","valid_through":"2017-06-21T22:00:00.000Z","status":"Active"}]
</pre>
 
Beyond the valid_through date, the status will be automatically changed to <code>Expired</code>. So, when querying for VO membership information, it’s important to check that the status is actually set to <code>Active</code> for each of the identified VOs (see the <code>vo_id</code> attribute)
 
3. Updating existing VO membership record:
 
<pre>
curl -vX PUT https://aai.egi.eu/api/v1/VoMembers \
  --user "example-client":"veryverysecret"  \
  --data @update.json \
  --header "Content-Type: application/json"
</pre>
 
The request body is the same as the one used for adding new members but update requires using <code>PUT</code> instead of <code>POST</code>.
 
4. Removing VO member:
 
Same as the update but requires setting the membership status to <code>Deleted</code>

Revision as of 00:59, 5 November 2020


The documentation has moved to https://docs.egi.eu/users/check-in/vos/.