Thanks Chamila!

Here is the workflow that I would like to see in the API Cloud:

Scenario A: User Self Sign-Up:

1. Plato is an app developer and wants to develop an app for the
population of the Atlantis island to track the water level and notify when
the island goes under the sea. He finds that gods have set up a website
with the developer program: apis.atlantisisland.gr and goes to the site to
read about the APIs.
2. When browsing the API Store at some point Plato tries to access
functionality which requires authentication (e.g. Subscribe to an API),
3. Plato is presented with a choice to log in or sign up,
4. If Plato clicks Sign Up, he is asked to provide his email address.
5. Plato provides his gmail address,
6. He gets an email inviting him to join the Atlantis developer program with
a one-time link that takes him to the Store and asks him to specify and
confirm a new password.
7. Plato is now logged into the Atlantis API Store, and can perform all
activity there.
8. Plato has the Subscriber role, so he cannot actually go to the Atlantis API
Publisher, etc.

Possible variations of that:

Scenario B: Approval is required: Zeus is the administrator of the API
program and gets a request to approve Plato's membership. In this case,
this needs to be properly communicated to both Zeus and Plato, so they know
what is going on, what is expected of them, current status, etc.

Scenario C: Zeus actually wants to invite Plato to the development program:
Zeus goes to the corresponding UI, provides Plato's email address, and
Plato receives email with the invitation and one-time link (obviously
approvals are not required in this case.)

Scenario D:
1. Homer decides to also write an Atlantis app, and wants to sign up.
2. When he tries to sign up he gets notified that he already has an account
from WSO2 which he used for his Trojan app and which he can reuse.

All the emails that get sent need to be brandable by the tenant
administrators so when Troy have their API program, Trojan emails look
different from the ones for Atlantis.

I understand that some of these steps will be different in the cloud and in
on-premise API Manager because of the custom authentication. You will need
to discuss with the cloud team to make sure that the implementation is
compatible, etc.

I hope this helps. :)

Dmitry


On Thu, Sep 4, 2014 at 11:09 PM, Chamila Adhikarinayake <chami...@wso2.com>
wrote:

> looping Dmitry to the thread
>
>
> On Fri, Sep 5, 2014 at 10:26 AM, Chamila Adhikarinayake <chami...@wso2.com
> > wrote:
>
>> Hi all,
>>
>> The current user signup method (jsFunction_addUser() [1]) in API Manager
>> uses the addUser method in UserRegistrationService [2] (through
>> UserRegistrationAdminService from APIM) to register the user, and it was suggested
>> to use that same method for tenant user signup as well (Shariq has modified
>> this so that tenant-wise roles can be taken from the registry and assigned
>> to the tenant user). But with that modification, this method cannot
>> be used for tenant signup with the current user signup workflow in the API
>> Manager.
>>
>> When signing up a user to the super user store, first a user is added by calling
>> the addUser method (from this method, the user is assigned the default
>> internal/identity role from UserRegistrationService), then the
>> signup workflow is followed, and finally the role is added to that user. In the signup
>> workflow, the user approval process is managed and until then the user cannot
>> log in. But when the addUser method is called for tenant signup, a tenant user
>> is created and all his roles are assigned to him at the creation point. As
>> a result, the second point (approval process) cannot be done (the user can log in
>> before the approval process is done). As a result, the method to assign roles
>> by using '/_system/governance/repository/identity/sign-up-config'
>> (mentioned in 'User roles for tenants' in my first mail) cannot be used in
>> this case.
>>
>> *Modified method to add user roles for tenants*
>>
>> As a result of the above mentioned problem, a registry entry in
>> /_system/governance/repository/identity/sign-up-config won't be created as
>> mentioned in the first mail. Without this config, all the tenants created
>> using the addUser method will have the default internal/identity role. A registry
>> resource similar to 'sign-up-config' is created in a separate registry
>> location and this entry can be used to add roles to the tenant during the
>> final step. As a result, the approval process can be carried out during the
>> second step.
>>
>>
>> [1]
>> https://svn.wso2.org/repos/wso2/carbon/platform/branches/turing/components/apimgt/org.wso2.carbon.apimgt.hostobjects/1.2.3/src/main/java/org/wso2/carbon/apimgt/hostobjects/APIStoreHostObject.java
>> [2]
>> https://svn.wso2.org/repos/wso2/carbon/platform/branches/turing/components/identity/org.wso2.carbon.identity.user.registration/4.2.2/src/main/java/org/wso2/carbon/identity/user/registration/UserRegistrationService.java
>>
>>
>> Thanks,
>> Chamila.
>>
>>
>> On Thu, Sep 4, 2014 at 12:15 AM, Amila De Silva <ami...@wso2.com> wrote:
>>
>>> Hi Chamila,
>>>
>>> I think you have to start the TenantFlow and set the ID for the tenant
>>> correctly before fetching the configuration. In the method
>>> jsFunction_resumeWorkflow, this is done by calling
>>> PrivilegedCarbonContext.startTenantFlow();
>>> PrivilegedCarbonContext.getThreadLocalCarbonContext().setTenantDomain(tenantDomain, true);
>>>
>>>
>>>
>>> On Wed, Sep 3, 2014 at 10:47 PM, Chamila Adhikarinayake <
>>> chami...@wso2.com> wrote:
>>>
>>>> Actually the tasks are created with that executor for other tenants as
>>>> well, but not inside the correct tenant domain in the BPS. They are created
>>>> in the carbon.super tenant domain and the related task can be viewed in the
>>>> workflow-admin UI only by logging in as super user.
>>>>
>>>> The following is the reason I think causes this.
>>>>
>>>> In the method jsFunction_addUser() in APIStoreHostObject the following code
>>>> is there to create the workflow:
>>>>
>>>> WorkflowExecutor userSignUpWFExecutor = WorkflowExecutorFactory.getInstance()
>>>>         .getWorkflowExecutor(WorkflowConstants.WF_TYPE_AM_USER_SIGNUP);
>>>>
>>>> This WorkflowExecutor is created using the carbon.super user configuration
>>>> information in the registry. In the 'getWorkflowConfigurations()' method in the
>>>> WorkflowExecutorFactory class,
>>>> PrivilegedCarbonContext.getThreadLocalCarbonContext().getTenantDomain(); is
>>>> used to get the domain name (also the tenant id). So even though there is a
>>>> different tenant domain, these values do not change. So the superuser conf is
>>>> used and the request is sent to the carbon.super tenant in BPS, not to the
>>>> tenant's one. So I'm working on passing the correct domain info to this
>>>>
>>>>
>>>> On Wed, Sep 3, 2014 at 9:06 PM, Nuwan Dias <nuw...@wso2.com> wrote:
>>>>
>>>>> On Wed, Sep 3, 2014 at 9:02 PM, Chamila Adhikarinayake <
>>>>> chami...@wso2.com> wrote:
>>>>>
>>>>>> Hi all,
>>>>>> I'm creating the user self signup feature for the tenant store in API
>>>>>> Manager. The current API Manager provides the self signup facility only for the
>>>>>> carbon.super store. To add tenant users, the tenant admin has to manually add
>>>>>> them through the carbon console.
>>>>>>
>>>>>> Following parts will be implemented
>>>>>>
>>>>>> *UI changes* (see attached images)
>>>>>>
>>>>>> 1. Enable the sign-up button for the tenant user store.
>>>>>> 2. Add the domain name extension for the user name field in the user
>>>>>> registration form (this is appended to the user name).
>>>>>>
>>>>>> *User roles for tenants *
>>>>>>
>>>>>> Tenant signup configuration will be moved to the registry location
>>>>>> '/_system/governance/repository/identity/sign-up-config'. This part is
>>>>>> already implemented by Shariq for an IS component (see the discussion in the
>>>>>> thread "Provide support for self signup for tenants' APIStores" for more
>>>>>> info on the configuration). But this resource needed to be created
>>>>>> manually. So as a part of the implementation, this resource will be added
>>>>>> with default values when creating a tenant. The default value will be
>>>>>>
>>>>>> <SelfSignUp>
>>>>>>    <SignUpDomain>PRIMARY</SignUpDomain>
>>>>>>    <SignUpRole>
>>>>>>       <RoleName>subscriber</RoleName>
>>>>>>       <IsExternalRole>false</IsExternalRole>
>>>>>>    </SignUpRole>
>>>>>> </SelfSignUp>
>>>>>>
>>>>>>
>>>>>> *Modification to current work-flow for tenant sign-up. *
>>>>>>
>>>>>> The currently implemented method does not work when
>>>>>> UserSignUpWSWorkflowExecutor is used in the work-flow. This can only be
>>>>>> used with tenant signups for the superuser. The existing code uses the configuration
>>>>>> in the carbon super user's registry entry
>>>>>> '/_system/governance/apimgt/applicationdata/workflow-extensions.xml' for
>>>>>> tenants as well (see jsFunction_addUser() in the
>>>>>> org.wso2.carbon.apimgt.hostobjects.APIStoreHostObject class). When
>>>>>> registering a tenant user for a different tenant, the configuration in the
>>>>>> tenant's workflow-extensions.xml needs to be used.
>>>>>>
>>>>>> I have implemented the basic functionality [1] as requested by AmilaM
>>>>>> (users can sign up for tenant stores, but the tenant admin has to manually add
>>>>>> the registry entry with user roles to the given location. If this entry is
>>>>>> not there, a default 'identity' user role is assigned to the user. Only
>>>>>> UserSignUpSimpleWorkflowExecutor can be used for the workflow with this. If
>>>>>> UserSignUpWSWorkflowExecutor is used to connect to the BPS, the tenant
>>>>>> approval tasks are not created properly).
>>>>>>
>>>>>
>>>>> Do we know the reason for the tasks of the BPS not being created when
>>>>> the UserSignUpWSWorkflowExecutor is used? We will need to dig into that
>>>>> IMO.
>>>>>
>>>>>>
>>>>>> [1] https://wso2.org/jira/browse/APIMANAGER-2785
>>>>>>
>>>>>> Comments are highly appreciated
>>>>>> Thanks,
>>>>>> Chamila.
>>>>>>
>>>>>> --
>>>>>> Regards,
>>>>>> Chamila Adhikarinayake
>>>>>> Software Engineer
>>>>>> WSO2, Inc.
>>>>>> Mobile - +94712346437
>>>>>> Email  - chami...@wso2.com
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Nuwan Dias
>>>>>
>>>>> Associate Tech Lead - WSO2, Inc. http://wso2.com
>>>>> email : nuw...@wso2.com
>>>>> Phone : +94 777 775 729
>>>>>
>>>>
>>>>
>>>>
>>>>
>>>
>>>
>>>
>>> --
>>> *Amila De Silva*
>>>
>>> WSO2 Inc.
>>> mobile :(+94) 775119302
>>>
>>>
>>
>>
>>
>
>
>
>



-- 
Dmitry Sotnikov
VP of Cloud; WSO2, Inc.;  http://wso2.com/
email: dmi...@wso2.com; cell: +1.949.303.9653; Skype: DSotnikov
Lean . Enterprise . Middleware
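The tenant-context problem discussed in the thread (the executor lookup reads the thread-local tenant domain, so a tenant signup silently picks up carbon.super's workflow-extensions.xml and lands its approval task in the wrong tenant) can be closed by scoping the lookup in a tenant flow, as Amila suggests. The following is an added illustration, not code from APIStoreHostObject or WSO2; it assumes the Carbon PrivilegedCarbonContext and MultitenantUtils APIs and the APIM workflow classes named in the thread, and the package paths in the imports are an assumption.

```java
// Package paths below are assumed; adjust to the APIM version in use.
import org.wso2.carbon.apimgt.impl.workflow.WorkflowConstants;
import org.wso2.carbon.apimgt.impl.workflow.WorkflowException;
import org.wso2.carbon.apimgt.impl.workflow.WorkflowExecutor;
import org.wso2.carbon.apimgt.impl.workflow.WorkflowExecutorFactory;
import org.wso2.carbon.context.PrivilegedCarbonContext;
import org.wso2.carbon.utils.multitenancy.MultitenantUtils;

// Added illustration: look up the user-signup workflow executor inside the
// signing-up user's own tenant flow, so the tenant's registry configuration
// (and its BPS endpoint) is used instead of carbon.super's.
public final class TenantScopedSignupWorkflow {

    private TenantScopedSignupWorkflow() {
    }

    // Returns the executor configured for the tenant that owns 'username'.
    // Example (constructed): "plato@atlantis.gr" resolves to tenant "atlantis.gr";
    // a bare "plato" resolves to the super tenant.
    public static WorkflowExecutor executorForUser(String username) throws WorkflowException {
        String tenantDomain = MultitenantUtils.getTenantDomain(username);

        // From here on, the thread-local carbon context belongs to this tenant.
        PrivilegedCarbonContext.startTenantFlow();
        try {
            PrivilegedCarbonContext ctx = PrivilegedCarbonContext.getThreadLocalCarbonContext();
            // 'true' resolves and sets the numeric tenant id along with the domain,
            // which getWorkflowConfigurations() also reads.
            ctx.setTenantDomain(tenantDomain, true);

            // The factory reads getThreadLocalCarbonContext().getTenantDomain(),
            // so this call now loads the tenant's workflow-extensions.xml.
            return WorkflowExecutorFactory.getInstance()
                    .getWorkflowExecutor(WorkflowConstants.WF_TYPE_AM_USER_SIGNUP);
        } finally {
            // Always unwind, even when the lookup throws; a leaked tenant flow
            // would make later requests on this thread run as the wrong tenant.
            PrivilegedCarbonContext.endTenantFlow();
        }
    }
}
```

Scoping the lookup this way also keeps the approval gate meaningful: the task is created in the tenant whose admin is expected to approve it, rather than in carbon.super where only the super user can see it.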

_______________________________________________
Architecture mailing list
Architecture@wso2.org
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
