Re: [Architecture] API Manager - Self Signup for tenant's API Store
Perfect! Thanks Chamila!

Dmitry

On Wed, Oct 1, 2014 at 8:33 PM, Chamila Adhikarinayake chami...@wso2.com wrote:

> Hi Dmitry,
>
> This feature is already done and we ship this with APIM 1.8. Sorry for not updating this thread.
>
> Regarding the scenarios, we have provided a facility to add custom workflow extensions. Currently we ship UserSignUpWSWorkflowExecutor, which also has a user approval process [1]. We can also create custom workflow extensions to suit the scenarios mentioned and plug them in. We can also deploy a scenario as a business process in WSO2 BPS and connect using our UserSignUpWSWorkflowExecutor.
>
> [1] https://docs.wso2.com/display/AM170/Adding+a+User+Signup+Workflow
>
> Thanks,
> Chamila.
Re: [Architecture] API Manager - Self Signup for tenant's API Store
Any update on that? What is the ETA for the feature? Is there something we can review yet? Were you able to satisfy all the end-user experience requirements?

Dmitry

On Fri, Sep 5, 2014 at 10:09 AM, Dmitry Sotnikov dmi...@wso2.com wrote:

> Thanks Chamila!
>
> Here is the workflow that I would like to see in the API Cloud:
>
> Scenario A: User Self Sign-Up:
>
> 1. Plato is an app developer and wants to develop an app for the population of the Atlantis island to track the water level and notify when the island goes under the sea. He finds that gods have set up a website with the developer program: apis.atlantisisland.gr and goes to the site to read about the APIs.
> 2. When browsing the API Store, at some point Plato tries to access functionality which requires authentication (e.g. Subscribe to an API).
> 3. Plato is presented with a choice to log in or sign up.
> 4. If Plato clicks Sign Up, he is asked to provide his email address.
> 5. Plato provides his Gmail address.
> 6. He gets an email inviting him to join the Atlantis developer program with a one-time link that takes him to the Store and asks him to specify and confirm a new password.
> 7. Plato is now logged into the Atlantis API Store, and can perform all activity there.
> 8. Plato has Subscriber role - so he cannot actually go to Atlantis API Publisher, etc.
>
> Possible variations of that:
>
> Scenario B: Approval is required: Zeus is the administrator of the API program and gets a request to approve Plato's membership. In this case, this needs to be properly communicated to both Zeus and Plato, so they know what is going on, what is expected of them, current status, etc.
>
> Scenario C: Zeus actually wants to invite Plato to the development program: Zeus goes to the corresponding UI, provides Plato's email address, and Plato receives an email with the invitation and one-time link (obviously approvals are not required in this case).
>
> Scenario D:
>
> 1. Homer decides to also write an Atlantis app, and wants to sign up.
> 2. When he tries to sign up he gets notified that he already has an account from WSO2 which he used for his Trojan app and which he can reuse.
>
> All the emails that get sent need to be brandable by the tenant administrators so when Troy have their API program, Trojan emails look different from the ones for Atlantis.
>
> I understand that some of these steps will be different in the cloud and in on-premise API Manager because of the custom authentication. You will need to discuss with the cloud team to make sure that the implementation is compatible, etc.
>
> I hope this helps. :)
>
> Dmitry
Re: [Architecture] API Manager - Self Signup for tenant's API Store
Hi Dmitry,

This feature is already done and we ship this with APIM 1.8. Sorry for not updating this thread.

Regarding the scenarios, we have provided a facility to add custom workflow extensions. Currently we ship UserSignUpWSWorkflowExecutor, which also has a user approval process [1]. We can also create custom workflow extensions to suit the scenarios mentioned and plug them in. We can also deploy a scenario as a business process in WSO2 BPS and connect using our UserSignUpWSWorkflowExecutor.

[1] https://docs.wso2.com/display/AM170/Adding+a+User+Signup+Workflow

Thanks,
Chamila.

On Thu, Oct 2, 2014 at 3:05 AM, Dmitry Sotnikov dmi...@wso2.com wrote:

> Any update on that? What is the ETA for the feature? Is there something we can review yet? Were you able to satisfy all the end-user experience requirements?
>
> Dmitry
Re: [Architecture] API Manager - Self Signup for tenant's API Store
looping Dmitry to the thread

On Fri, Sep 5, 2014 at 10:26 AM, Chamila Adhikarinayake chami...@wso2.com wrote:

> Hi all,
>
> The current user signup method (jsFunction_addUser() [1]) in API Manager uses the addUser method in UserRegistrationService [2] (through UserRegistrationAdminService from APIM) to register the user, and it was suggested to use that same method for tenant user signup as well (Shariq has modified this so that tenant-wise roles can be taken from the registry and assigned to the tenant user). But with that modification, this method cannot be used for tenant signup with the current user signup workflow in the API Manager.
>
> When signing up a user to the super user store, first a user is added by calling the addUser method (from this method, the user is assigned the default internal/identity role from UserRegistrationService), then the signup workflow is followed, and finally the role is added to that user. In the signup workflow, the user approval process is managed and till then the user cannot log in. But when the addUser method is called for tenant signup, a tenant user is created and all his roles are assigned to him at the creation point. As a result, the second point (approval process) cannot be done (the user can log in before the approval process is done). As a result, the method to assign roles by using '/_system/governance/repository/identity/sign-up-config' (mentioned in 'User roles for tenants' in my first mail) cannot be used in this case.
>
> *Modified method to add user roles for tenants*
>
> As a result of the above-mentioned problem, a registry entry in /_system/governance/repository/identity/sign-up-config won't be created as mentioned in the first mail. Without this config, all the tenants created using the addUser method will have the default internal/identity role. A registry resource similar to 'sign-up-config' is created in a separate registry location and this entry can be used to add roles to the tenant during the final step. As a result, the approval process can be carried out during the second step.
>
> [1] https://svn.wso2.org/repos/wso2/carbon/platform/branches/turing/components/apimgt/org.wso2.carbon.apimgt.hostobjects/1.2.3/src/main/java/org/wso2/carbon/apimgt/hostobjects/APIStoreHostObject.java
> [2] https://svn.wso2.org/repos/wso2/carbon/platform/branches/turing/components/identity/org.wso2.carbon.identity.user.registration/4.2.2/src/main/java/org/wso2/carbon/identity/user/registration/UserRegistrationService.java
>
> Thanks,
> Chamila.
Re: [Architecture] API Manager - Self Signup for tenant's API Store
Thanks Chamila!

Here is the workflow that I would like to see in the API Cloud:

Scenario A: User Self Sign-Up:

1. Plato is an app developer and wants to develop an app for the population of the Atlantis island to track the water level and notify when the island goes under the sea. He finds that gods have set up a website with the developer program: apis.atlantisisland.gr and goes to the site to read about the APIs.
2. When browsing the API Store, at some point Plato tries to access functionality which requires authentication (e.g. Subscribe to an API).
3. Plato is presented with a choice to log in or sign up.
4. If Plato clicks Sign Up, he is asked to provide his email address.
5. Plato provides his Gmail address.
6. He gets an email inviting him to join the Atlantis developer program with a one-time link that takes him to the Store and asks him to specify and confirm a new password.
7. Plato is now logged into the Atlantis API Store, and can perform all activity there.
8. Plato has Subscriber role - so he cannot actually go to Atlantis API Publisher, etc.

Possible variations of that:

Scenario B: Approval is required: Zeus is the administrator of the API program and gets a request to approve Plato's membership. In this case, this needs to be properly communicated to both Zeus and Plato, so they know what is going on, what is expected of them, current status, etc.

Scenario C: Zeus actually wants to invite Plato to the development program: Zeus goes to the corresponding UI, provides Plato's email address, and Plato receives an email with the invitation and one-time link (obviously approvals are not required in this case).

Scenario D:

1. Homer decides to also write an Atlantis app, and wants to sign up.
2. When he tries to sign up he gets notified that he already has an account from WSO2 which he used for his Trojan app and which he can reuse.

All the emails that get sent need to be brandable by the tenant administrators so when Troy have their API program, Trojan emails look different from the ones for Atlantis.

I understand that some of these steps will be different in the cloud and in on-premise API Manager because of the custom authentication. You will need to discuss with the cloud team to make sure that the implementation is compatible, etc.

I hope this helps. :)

Dmitry

On Thu, Sep 4, 2014 at 11:09 PM, Chamila Adhikarinayake chami...@wso2.com wrote:

> looping Dmitry to the thread
Re: [Architecture] API Manager - Self Signup for tenant's API Store
Hi all,

The current user signup method (jsFunction_addUser() [1]) in API Manager uses the addUser method in UserRegistrationService [2] (through UserRegistrationAdminService from APIM) to register the user, and it was suggested to use that same method for tenant user signup as well (Shariq has modified this so that tenant-wise roles can be taken from the registry and assigned to the tenant user). But with that modification, this method cannot be used for tenant signup with the current user signup workflow in the API Manager.

When signing up a user to the super user store, first a user is added by calling the addUser method (from this method, the user is assigned the default internal/identity role from UserRegistrationService), then the signup workflow is followed, and finally the role is added to that user. In the signup workflow, the user approval process is managed and till then the user cannot log in. But when the addUser method is called for tenant signup, a tenant user is created and all his roles are assigned to him at the creation point. As a result, the second point (approval process) cannot be done (the user can log in before the approval process is done). As a result, the method to assign roles by using '/_system/governance/repository/identity/sign-up-config' (mentioned in 'User roles for tenants' in my first mail) cannot be used in this case.

*Modified method to add user roles for tenants*

As a result of the above-mentioned problem, a registry entry in /_system/governance/repository/identity/sign-up-config won't be created as mentioned in the first mail. Without this config, all the tenants created using the addUser method will have the default internal/identity role. A registry resource similar to 'sign-up-config' is created in a separate registry location and this entry can be used to add roles to the tenant during the final step. As a result, the approval process can be carried out during the second step.

[1] https://svn.wso2.org/repos/wso2/carbon/platform/branches/turing/components/apimgt/org.wso2.carbon.apimgt.hostobjects/1.2.3/src/main/java/org/wso2/carbon/apimgt/hostobjects/APIStoreHostObject.java
[2] https://svn.wso2.org/repos/wso2/carbon/platform/branches/turing/components/identity/org.wso2.carbon.identity.user.registration/4.2.2/src/main/java/org/wso2/carbon/identity/user/registration/UserRegistrationService.java

Thanks,
Chamila.

On Thu, Sep 4, 2014 at 12:15 AM, Amila De Silva ami...@wso2.com wrote:

> Hi Chamila,
>
> I think you have to start the TenantFlow and set the ID for the tenant correctly before fetching the configuration. In the method jsFunction_resumeWorkflow, this is done by calling
>
>     PrivilegedCarbonContext.startTenantFlow();
>     PrivilegedCarbonContext.getThreadLocalCarbonContext().setTenantDomain(tenantDomain, true);
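The ordering problem described in the message above, as an added example that is not part of the thread and is not WSO2 code: a simplified model in which roles granted at creation let a user in before approval, while roles held back until the final workflow step do not. All class and method names, the sample users, and the rule that store access depends on holding the `subscriber` role are assumptions made for the illustration.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;

/** Simplified model of the sign-up ordering issue; hypothetical names, not WSO2 code. */
public class SignupApprovalModel {

    enum Status { PENDING, APPROVED, REJECTED }

    static final String DEFAULT_ROLE = "Internal/identity"; // role given at creation
    static final String STORE_ROLE = "subscriber";          // role the store checks (assumption)

    static final class Account {
        final String tenantDomain;
        final Set<String> roles = new LinkedHashSet<>();
        Status status = Status.PENDING;
        Account(String tenantDomain) { this.tenantDomain = tenantDomain; }
    }

    private final Map<String, Account> accounts = new HashMap<>();
    // Stand-in for the per-tenant sign-up role resource kept in the registry.
    private final Map<String, List<String>> signUpRoles = new HashMap<>();

    void configureTenant(String tenantDomain, String... roles) {
        signUpRoles.put(tenantDomain, Arrays.asList(roles));
    }

    /** Tenant path as described: every configured role is attached when the user is created. */
    void addUserWithRolesAtCreation(String user, String tenantDomain) {
        Account a = new Account(tenantDomain);
        a.roles.add(DEFAULT_ROLE);
        a.roles.addAll(rolesFor(tenantDomain));
        accounts.put(user, a);
    }

    /** Reworked path: only the default role at creation; the rest waits for the workflow. */
    void addUserPendingApproval(String user, String tenantDomain) {
        Account a = new Account(tenantDomain);
        a.roles.add(DEFAULT_ROLE);
        accounts.put(user, a);
    }

    /** Final workflow step. Roles are granted only on the first transition out of PENDING. */
    boolean completeWorkflow(String user, boolean approved) {
        Account a = accounts.get(user);
        if (a == null || a.status != Status.PENDING) {
            return false; // unknown user or replayed callback: change nothing
        }
        a.status = approved ? Status.APPROVED : Status.REJECTED;
        if (approved) {
            a.roles.addAll(rolesFor(a.tenantDomain));
        }
        return true;
    }

    /** The store lets a user in only if the account holds the store role. */
    boolean canUseStore(String user) {
        Account a = accounts.get(user);
        return a != null && a.roles.contains(STORE_ROLE);
    }

    private List<String> rolesFor(String tenantDomain) {
        List<String> roles = signUpRoles.get(tenantDomain);
        return roles != null ? roles : Collections.<String>emptyList();
    }

    public static void main(String[] args) {
        SignupApprovalModel m = new SignupApprovalModel();
        String tenant = "atlantisisland.gr"; // constructed sample tenant
        m.configureTenant(tenant, STORE_ROLE);

        // Roles at creation: the account is usable while approval is still pending.
        m.addUserWithRolesAtCreation("plato@" + tenant, tenant);
        System.out.println("roles at creation, before approval: " + m.canUseStore("plato@" + tenant));

        // Deferred roles: access appears only after the workflow approves.
        m.addUserPendingApproval("homer@" + tenant, tenant);
        System.out.println("deferred roles, before approval:    " + m.canUseStore("homer@" + tenant));
        m.completeWorkflow("homer@" + tenant, true);
        System.out.println("deferred roles, after approval:     " + m.canUseStore("homer@" + tenant));

        // A rejected request stays rejected even if an approval callback is replayed.
        m.addUserPendingApproval("paris@" + tenant, tenant);
        m.completeWorkflow("paris@" + tenant, false);
        boolean applied = m.completeWorkflow("paris@" + tenant, true);
        System.out.println("rejected, replayed approval applied: " + applied
                + ", access: " + m.canUseStore("paris@" + tenant));
    }
}
```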
Re: [Architecture] API Manager - Self Signup for tenant's API Store
On Wed, Sep 3, 2014 at 9:02 PM, Chamila Adhikarinayake chami...@wso2.com wrote:

> Hi all,
>
> I'm creating a user self signup feature for the tenant store in API Manager. The current API Manager provides a self signup facility only for the carbon.super store. To add tenant users, the tenant admin has to manually add them through the carbon console. The following parts will be implemented.
>
> *UI changes* (see attached images)
>
> 1. Enable the sign-up button for the tenant user store.
> 2. Add the domain name extension for the user name field in the user registration form (this is appended to the user name).
>
> *User roles for tenants*
>
> Tenant signup configuration will be moved to the registry location '/_system/governance/repository/identity/sign-up-config'. This part is already implemented by Shariq for an IS component (see the discussion in the thread "Provide support for self signup for tenants' APIStores" for more info on the configuration). But this resource needed to be created manually. So as a part of the implementation, this resource will be added with default values when creating a tenant. The default value will be
>
>     <SelfSignUp>
>         <SignUpDomain>PRIMARY</SignUpDomain>
>         <SignUpRole>
>             <RoleName>subscriber</RoleName>
>             <IsExternalRole>false</IsExternalRole>
>         </SignUpRole>
>     </SelfSignUp>
>
> *Modification to current work-flow for tenant sign-up.*
>
> The currently implemented method does not work when UserSignUpWSWorkflowExecutor is used in the work-flow. This can be only used with tenants signups for superuser. Existing code uses configuration in the carbon super user's registry entry '/_system/governance/apimgt/applicationdata/workflow-extensions.xml' for tenants as well (see jsFunction_addUser() in the org.wso2.carbon.apimgt.hostobjects.APIStoreHostObject class). When registering a tenant user for a different tenant, the configuration in the tenant's workflow-extensions.xml needs to be used.
>
> I have implemented basic functionality [1] as requested by AmilaM (Users can sign up for tenant stores. But the tenant admin has to manually add the registry entry with user roles to the given location. If this entry is not there, a default 'identity' user role is assigned to the user. Only UserSignUpSimpleWorkflowExecutor for the workflow can be used with this. If UserSignUpWSWorkflowExecutor is used to connect to the BPS, the tenant approval tasks are not created properly.)

Do we know the reason for the tasks of the BPS not being created when the UserSignUpWSWorkflowExecutor is used? We will need to dig into that IMO.

> [1] https://wso2.org/jira/browse/APIMANAGER-2785
>
> Comments are highly appreciated.
>
> Thanks,
> Chamila.
>
> --
> Regards,
> Chamila Adhikarinayake
> Software Engineer
> WSO2, Inc.
> Mobile - +94712346437
> Email - chami...@wso2.com

--
Nuwan Dias
Associate Tech Lead - WSO2, Inc. http://wso2.com
email : nuw...@wso2.com
Phone : +94 777 775 729

___
Architecture mailing list
Architecture@wso2.org
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
Re: [Architecture] API Manager - Self Signup for tenant's API Store
Actually the tasks are created with that executor for other tenants as well, but not inside the correct tenant domain in the BPS. They are created in the carbon.super tenant domain, and the related task can be viewed in the workflow-admin UI only by logging in as super user. The following is the reason I think causes this.

In the method jsFunction_addUser() in APIStoreHostObject, the following code is there to create the workflow:

    WorkflowExecutor userSignUpWFExecutor = WorkflowExecutorFactory.getInstance()
            .getWorkflowExecutor(WorkflowConstants.WF_TYPE_AM_USER_SIGNUP);

This WorkflowExecutor is created using the carbon.super user configuration information in the registry. In the 'getWorkflowConfigurations()' method in the WorkflowExecutorFactory class,

    PrivilegedCarbonContext.getThreadLocalCarbonContext().getTenantDomain();

is used to get the domain name (also the tenant id). So even though there is a different tenant domain, these values do not change. So the superuser conf is used and the request is sent to the carbon.super tenant in BPS, not to the tenant's one. So I'm working on passing the correct domain info to this.

On Wed, Sep 3, 2014 at 9:06 PM, Nuwan Dias nuw...@wso2.com wrote:

> Do we know the reason for the tasks of the BPS not being created when the UserSignUpWSWorkflowExecutor is used? We will need to dig into that IMO.

--
Regards,
Chamila Adhikarinayake
Software Engineer
WSO2, Inc.
Mobile - +94712346437
Email - chami...@wso2.com
Re: [Architecture] API Manager - Self Signup for tenant's API Store
Hi Chamila,

I think you have to start the TenantFlow and set the ID for the tenant correctly before fetching the configuration. In the method jsFunction_resumeWorkflow, this is done by calling

    PrivilegedCarbonContext.startTenantFlow();
    PrivilegedCarbonContext.getThreadLocalCarbonContext().setTenantDomain(tenantDomain, true);

On Wed, Sep 3, 2014 at 10:47 PM, Chamila Adhikarinayake chami...@wso2.com wrote:

> So superuser conf is used and the request is sent to the carbon.super tenant in BPS, not to the tenant's one. So I'm working on passing the correct domain info to this

--
*Amila De Silva*
WSO2 Inc.
mobile :(+94) 775119302
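
The tenant-context mix-up diagnosed in this thread, next to the tenant-flow fix suggested for it, as an added example that is not part of the thread or of WSO2's code. `TenantContext` is a hypothetical stand-in for `PrivilegedCarbonContext`, the tenant name and endpoints are constructed, and closing the flow in a `finally` block and refusing a missing configuration are choices of this example.

```java
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.Map;

public class TenantFlowDemo {
    static final String SUPER = "carbon.super";

    // Hypothetical stand-in for PrivilegedCarbonContext: per-thread tenant domain, default carbon.super.
    static final class TenantContext {
        private static final ThreadLocal<String> CURRENT = ThreadLocal.withInitial(() -> SUPER);
        private static final ThreadLocal<Deque<String>> SAVED = ThreadLocal.withInitial(ArrayDeque::new);
        static void startTenantFlow() { SAVED.get().push(CURRENT.get()); CURRENT.set(SUPER); }
        static void setTenantDomain(String domain) { CURRENT.set(domain); }
        static void endTenantFlow() { CURRENT.set(SAVED.get().pop()); }
        static String getTenantDomain() { return CURRENT.get(); }
    }

    // Constructed sample data standing in for each tenant's workflow-extensions.xml.
    static final Map<String, String> WORKFLOW_ENDPOINT = Map.of(
            SUPER, "https://bps.example/services/",
            "atlantis.example", "https://bps.example/t/atlantis.example/services/");

    // Like getWorkflowConfigurations(): the tenant is taken from the thread-local context only.
    static String resolveSignupEndpoint() {
        String endpoint = WORKFLOW_ENDPOINT.get(TenantContext.getTenantDomain());
        if (endpoint == null) throw new IllegalStateException("no workflow config for tenant");
        return endpoint;
    }

    // Behaviour described in the thread: userTenant is known but the context is never switched.
    static String signUpWithoutTenantFlow(String userTenant) {
        return resolveSignupEndpoint();
    }

    // Switch to the user's tenant for the lookup and always restore the previous context.
    static String signUpInTenantFlow(String userTenant) {
        TenantContext.startTenantFlow();
        try {
            TenantContext.setTenantDomain(userTenant);
            return resolveSignupEndpoint();
        } finally {
            TenantContext.endTenantFlow(); // otherwise a pooled thread keeps the tenant's context
        }
    }

    public static void main(String[] args) {
        System.out.println(signUpWithoutTenantFlow("atlantis.example"));
        System.out.println(signUpInTenantFlow("atlantis.example"));
        System.out.println(TenantContext.getTenantDomain());
    }
}
```

Run with Java 9 or later: the first line printed is the carbon.super endpoint even though the user belongs to another tenant, the second is that tenant's endpoint, and the third shows the thread back in carbon.super.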