This repository has been archived by the owner on Feb 12, 2024. It is now read-only.

group management #113

Merged
merged 11 commits into from
May 26, 2020

Conversation

AyadiAmen
Contributor

Add a section of group management in the user management documentation.

@AyadiAmen AyadiAmen requested a review from banzo March 26, 2020 11:45
@alexnuttinck alexnuttinck self-requested a review March 26, 2020 14:11
@alexnuttinck alexnuttinck changed the base branch from master to develop March 27, 2020 09:57
Contributor

@alexnuttinck alexnuttinck left a comment


Thanks for the documentation @AyadiAmen, the documentation about user/group is well explained. I just fixed some typos. See my comment for TensorFlow.

USERGUIDE.md Outdated
@@ -348,7 +348,105 @@ Choose `Minimal environment` and click on `Spawn`.

![Jupyter processing](examples/basic/images/spark_results.png)

For more information on how to use Superset, see the [official Jupyter documentation](https://jupyter.readthedocs.io/en/latest/)
* Now, we will do some Tensorflow processing in the notebook. Before starting, you need to change the environment. So:
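Review bot: the sentence "For more information on how to use Superset" in this hunk links the Jupyter documentation inside the Jupyter section, so "Superset" should read "Jupyter". The product is also written "Tensorflow" here; the official spelling is "TensorFlow", and it is worth using it consistently in the user guide and in the example folder this section is being moved to.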
Contributor


@AyadiAmen Thanks for this documentation. I think nevertheless that this example should be somewhere else than in the USERGUIDE. Because the idea of the userguide is to present a sample use case: monitoring CETIC offices building, which is not the case with your example I think. Maybe add your example in the example folder?

Contributor Author


@alexnuttinck thanks for your feedback, I thought it was a part of the user guide since it's a use case, I'll make the necessary changes.

Contributor

@banzo banzo Apr 7, 2020


I'd suggest moving the Tensorflow doc to the "examples" folder and linking it somewhere at the end of the user guide and in the examples README

Contributor


In a separate folder like we did for Kafka would be ideal

USERGUIDE.md Outdated
* Now, we will do some Tensorflow processing in the notebook. Before starting, you need to change the environment. So:
* Click on `Control panel`
* Click on `Stop my server`
* Finally, click on `Start server`, choose `tensorfllow environment` and click on `Spawn`.
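Review bot: "tensorfllow environment" on the last line of this hunk is misspelled, and the label is lowercase while the matching step earlier uses `Minimal environment`; use the exact name the spawner shows, with the same capitalization, so readers can match it on screen.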
Contributor


typo



This page provides information on how to configure FADI user authentication and authorization (LDAP, RBAC, ...).
This page provides informations on how to configure FADI user authentication and authorization (LDAP, RBAC, ...).
Contributor


"information" is a non-countable noun, several instances to fix in this page

https://ell.stackexchange.com/questions/17748/information-or-informations


* Username: `admin`
* Password: `password1`

Once created we either add the users/groups manually through the phpLDAPadmin web interface, or you can pass a [LDIF file](https://en.wikipedia.org/wiki/LDAP_Data_Interchange_Format) (see the [sample ldif file](/examples/basic/example.ldif)).
Once created, we either add the users/groups manually through the phpLDAPadmin web interface, or you can pass a [LDIF file](https://en.wikipedia.org/wiki/LDAP_Data_Interchange_Format) (see the [sample ldif file](/examples/basic/example.ldif)).
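Review bot: this hunk documents a fixed default login (`admin` / `password1`) without saying it must be changed. Add a sentence right after the credentials stating that this is the initial value of the sample deployment and should be replaced before phpLDAPadmin is reachable by anyone else, and name the `values.yaml` key where it is set so readers can do so.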
Contributor


we ... you ...

I'd suggest removing "you can"

@@ -51,12 +51,12 @@ JupyterHub configuration allows you to give access to users/groups through templ
* `uid={username},cn=admin,dc=ldap,dc=cetic,dc=be`
* `uid={username},ou=developers,dc=ldap,dc=cetic,dc=be`

where `{username}` will be overwrought by the value the user passes as username in the authentication screen. Let's suppose we only have those two templates, when the user david passes his name for authentication, for him to successfully sign on, his entry should be one of the following:
where `{username}` will be overwrought by the value the user passes as username in the authentication screen. Let's suppose we only have those two templates. When the user david passes his name for authentication, for him to successfully sign on, his entry should be one of the following:
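Review bot: "overwrought" on the last line of this hunk is the wrong word, and the sentence buries the security-relevant point: the template list is the allow-list. Suggest stating plainly that `{username}` is substituted into each template and that a user can only authenticate if one of the resulting DNs exists in the directory, so any user whose entry sits outside these templates is denied even with a valid password.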
Contributor


overwrought -> overwritten
sign on -> sign in


### PostgreSQL

LDAP authentication method in PostgreSQL uses LDAP as the password verification method. LDAP is used only to validate the username/password pairs. Therefore there's a Cron job that executes the tool [pg-ldap-sync](https://github.com/larskanis/pg-ldap-sync) to synchronise the users between the LDAP server and the database.

Client authentication is controlled by a configuration file called `pg_hba.conf`, you can pass your authentication config through the variable `pghba` in the `values.yaml` file.

The most common formats of authentication configuration are :

The most common formats of authentication configuration are:
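Review bot: "Therefore there's a Cron job" in the first paragraph of this hunk does not follow from the sentence before it; the reason is that LDAP only verifies passwords, so the roles must already exist in PostgreSQL. Suggest: "LDAP only validates username/password pairs, so the PostgreSQL roles must exist beforehand; a Cron job runs pg-ldap-sync to create them from the LDAP server." The paragraph should also say where the Cron job is configured, since the `pg_hba.conf` paragraph points at `pghba` in `values.yaml` but the sync job has no such pointer.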
Contributor


The configuration for the most common methods of authentication are:


To add users, there are two ways: using a tempalte and manually.
To add users, there are two ways: using a tempalte and manually.
Contributor


typo: tempalte


<img src="images/installation/Create_new.gif" alt="Create user"/>

You can for example create a user in the default admin group `cn=admin,dc=ldap,dc=cetic,dc=be`, or create a new group in which you can create new users.

In this example we are going to create a simple user under the default admin user (which is also a group).
In this example, we are going to create a simple user under the default admin user (which is also a group).
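Review bot: the example in this hunk creates an ordinary user under `cn=admin,dc=ldap,dc=cetic,dc=be`, the same DN the JupyterHub templates earlier on the page use, without saying whether an entry placed there gets any admin rights in the services. State that explicitly, and consider making the walkthrough use a dedicated group (the `devs` group created later in the document) instead of the admin entry, so the group-per-role layout is the one readers copy.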
Contributor


Not sure I understand what "under" does mean?
Why mention that admin is a group here?

Contributor Author


The default user (admin) can be a group in which we can add users; this is the case where you don't need to divide users into multiple groups.

Contributor


ok, please clarify the sentence to reflect this info.


When you click on `⭐️Create new entry here`, a new window called `Select a template for the creation process` will show up with all the different entries you can create:

<img src="images/installation/Generic_User_Account.png" alt="Create a new user"/>

Go to `Generic: User Account` and a list of fields will show up. Enter the information about the user you want to create and click `Create Object`.

## Creating groups

The LDAP protocol do not define how programs function either on the server or client, but the messages exchanged between an LDAP server and an LDAP client, to manage your users well you need to know how to create users/groups in the LDAP server and then you need to assign every user/group to the right service or application **through the application's configuration on the `values.yaml` file**.
Contributor


do -> does

Split the sentence in 2 after "...and a LDAP client"

Remove "well"


The LDAP protocol do not define how programs function either on the server or client, but the messages exchanged between an LDAP server and an LDAP client, to manage your users well you need to know how to create users/groups in the LDAP server and then you need to assign every user/group to the right service or application **through the application's configuration on the `values.yaml` file**.

We are going to create a group called **devs** and add a user in that group and then **configure each service** to authenticate that particular group. The LDAP protocol do not define how programs function either on the server or client, but the messages exchanged between an LDAP server and an LDAP client, to manage your users well you need to know how to create users/groups in the LDAP server and then you need to assign every user/group to the right service or application **through the application's configuration in the `values.yaml` file**.
Contributor

@banzo banzo Apr 7, 2020


The 2nd part of this section is a repeat of the previous sentence and the first part a simplified version of the next section.


#### Create groups in openldap

When using openldap you will probably need to create different groups and give them different roles or assign them on different services. To manage your LDAP server, head to phpLDAPadmin:
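Review bot: the heading level in this hunk jumps from `##` ("Creating groups") to `####` with no `###` in between, which also breaks the TOC numbering requested in this review; use `###`. Also write "OpenLDAP" as the project spells it.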
Contributor


provide example of group/role/service/permissions


To copy the groups/users in postgreSQL you need to configure the Cron job that executes the tool [pg-ldap-sync](https://github.com/larskanis/pg-ldap-sync) to synchronise the users between the LDAP server and the database, there for we are configuring pg-ldap-sync to add the users of our group.
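Review bot: "postgreSQL" should be "PostgreSQL", and "configure the Cron job" should say where, by naming the `values.yaml` key that holds the pg-ldap-sync configuration, otherwise the YAML that follows is unanchored. The first half of the sentence repeats the description of pg-ldap-sync already given in the PostgreSQL section and can be cut, keeping only the part that says we are configuring it to add the users of our group.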
Contributor


"there for" -> therefor

you... we ...

lowercase_name: true
```

And the ldap_groups section looks like this:
Contributor


ticks on ldap_groups


## PostgreSQL
Contributor

@banzo banzo Apr 7, 2020


This title and the following should be numbered and included in the TOC of the page.
Maybe put them under a "Services configuration" section

```
The main change here is the **filter `filter: (|(cn=devs)(ou=people)(cn=admins))`** in which we add the names of the groups we want to be added to PostgreSQL, for example if our filter is `filter: (|(cn=devs)(ou=people))` the group **admins** will not be added.
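Review bot: the sentence in this hunk describes the filter as "the names of the groups", but one of its terms, `(ou=people)`, matches an organizational unit rather than a group `cn`; say so, or a reader copying the pattern will take `ou` for a group name. It is also worth stating that this filter is what decides which LDAP entries become PostgreSQL roles, so widening it grants database access to more users. Split the sentence after "PostgreSQL".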

## Grafana
Contributor


Give a concrete explanation of what we want the dev vs admin to be able to do in Grafana, and add a link to Grafana permissions overview https://grafana.com/docs/grafana/latest/permissions/overview/

Same for other services (pgsql, Jupyter, ...) when applicable


## JupyterHub

For JupyterHub, head to the variable `jupyterhub.auth.ldap.dn.templates` and put only the list of DNs to be accepted, for instance if we want to add the **group devs** and give them access to this service we add this line `cn={username},cn=devs,dc=ldap,dc=cetic,dc=be` where `{username}` is the username that will be put by the user, while we won't add `cn={username},cn=admins,dc=ldap,dc=cetic,dc=be` so the group **admins** won't have access, the list shoud look something like this:
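Review bot: the template in this hunk is `cn={username},cn=devs,dc=ldap,dc=cetic,dc=be`, while the templates quoted earlier on this page use `uid={username},...`. One of the two attributes is wrong: the attribute must match the RDN of the user entries actually created in phpLDAPadmin, otherwise no member of `devs` can sign in. Also "shoud" should be "should".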
Contributor


This sentence is too long, it should be split.
won't -> will not

@alexnuttinck
Contributor

alexnuttinck commented Apr 7, 2020

@AyadiAmen, please move the tensorflow use case in the examples folder. Not the doc folder. + rename it, don't leave a space in the file name.

@alexnuttinck
Contributor

And also don't forget to update the TOC, like @banzo said. 😄

@banzo
Contributor

banzo commented May 17, 2020

@AyadiAmen Please review the TOC and structure of the titles, some TOC items have no corresponding sections.
Also, there are 2 sections called "Creating groups" which is confusing, please rephrase one of the 2.

Other than that I think it is ready to be merged.

@banzo banzo merged commit 04a6653 into develop May 26, 2020
banzo added a commit that referenced this pull request Nov 15, 2021
* Feature/zabbix (#110)
* Documentation links fix (#95)
* fix the password to connect to Adminer (#99)
* Update logging doc  (#103)
* fix #105 (#115)
* Feature/rancher proxmox (#117)
* Documentation/binderhub (#112)
* group management (#113)
* Feature/tests (#123) - Setup the testing framework for fadi. Add automated testing of the services using Jest and Puppeteer, test cases and scenarios specifications and implementation.
* Usermanagement documentation (Nifi) + Tensorflow use case (#130)
* NiFi - LDAP Documentation
* Feature/seldon - ML models management (#122)
* Add new flag to helm repo add to overwrite the cetic chart repo if already present (#133)
* Add zakaria2905 to contributors
* Userguide update (#135)
* Monitoring and various documentation fixes (#111)
* Update INSTALL.md
* CI/CD with minikube
* ldap documentation
* elastic-stack ldap documentation
* Details on JHub LDAP documentation
* Helm 3 - Remove deprecated tiller ref, updated traefik install version
* Feature/zabbix (#110)
* Documentation links fix (#95)
* fix the password to connect to Adminer (#99)
* Update logging doc  (#103)
* Zabbix doc: cetic/helm-fadi#27
* fix #105 (#115)
* fix #121

Co-authored-by: Sebastien Dupont <sebastien.dupont@cetic.be>
Co-authored-by: Amen Ayadi <ayadi.amen@gmail.com>
Co-authored-by: Alexandre Nuttinck <alexandre.nuttinck@cetic.be>
Co-authored-by: Faiez Zalila <fzalila@users.noreply.github.com>
Co-authored-by: Sellto <selleslagh.tom@gmail.com>
Co-authored-by: Faiez Zalila <faiez.zalila@cetic.be>
Co-authored-by: Rami Sellami <rami.sellami@cetic.be>