This howto explains how to manage a "New user to be pre-checked" request, i.e. a request from a user who wants to register to the Cloud and asks for affiliation to an existing project.

The procedure to be followed is described in the following flowchart.

Details on the single steps are described below.

"New user to be pre-checked" request [1]

To manage a user registration request, log in as admin to the Dashboard and click on Admin → Identity panel → Registrations. You will see the list of the pending requests.

Select the relevant request and click on Action → Details to see all the information concerning the request.


Did the user register using an IdP? [2]

Supported IdPs are INFN-AAI and Unipd SSO

If a user registered via INFN-AAI, the proposed user name is something like user@infn.it. If the user name is somehow weird (e.g. TF-18555@infn.it), before pre-checking the request please contact the Servizio Calcolo @ INFN Padova to check if this is normal or if they need to fix something in the INFN-AAI account of this person.


A user registered via the Unipd IdP (Unipd SSO) if the proposed user name is something like user@unipd.it or user@studenti.unipd.it.



Could the user register using an IdP? Or is this "spam"? [3]

If the user didn't try to register using an IdP, you should try to figure out whether the user really can't register through a supported IdP.

  • To check if a user is registered in INFN-AAI you can refer to this info: http://wiki.infn.it/cn/ccr/aai/howto/useldap. In particular you can configure the AAI address book and search for the user in it. Besides verifying that the user is in the address book, you also have to verify that the workplace (e.g. 'pd', 'lnl', etc.) is specified. This info should be among the "Work" related information.
  • Unipd SSO: unfortunately there is no blessed method to figure out if a user is registered in the Unipd SSO (but in general all Unipd staff and all students should be registered in the Unipd SSO).


Other hints:

  • You can use this link to see if a user willing to register is known to INFN Padova (and also to know the expiration date of his/her contract).


In general you might need to interact with the user (via e-mail) to understand why he/she didn't or couldn't register using an IdP (and also to understand whether the request is "valid" and not spam).


Reject request [4]

Select the relevant request and click on Action → Reject.

In the message field you might need to motivate the decision (e.g. if the request comes from a user who could use an IdP, ask him/her to re-register using INFN-AAI / Unipd SSO).

If the request is rejected because this is a request for an INFN project and the user is not compliant with the INFN policies, please tell the user to follow the procedure described at: http://userguide.cloudveneto.it/en/latest/Registration.html#prerequisites-for-using-infn-resources

Please also discuss the problem with the user via e-mail.


Is this request for a project using INFN resources ? [5]

A project uses INFN resources if:

  • it is an INFN project and/or
  • it uses a 10.64.x.0/24 network

To check if this is an INFN project, log in as admin to the Dashboard and click on Admin → Identity panel → Projects.

The project is an INFN project if it has the "O=infn.it" tag.

Is the user compliant with the INFN policies? [6]

To be compliant with the INFN policies the user must be registered in INFN-AAI and:

  • he/she must have a verified digital identity (LoA2)
  • he/she must declare to have read and accepted the INFN rules for the use of IT resources
  • he/she must have followed the "Corso di Sicurezza Informatica - BASE"

To check if a user is compliant with these rules you can use the script /usr/local/bin/check_compliance_to_infn_rules.sh on cld-ctrl-01.

Some examples that show how to use this script:

[root@cld-ctrl-01 Comp]# /usr/local/bin/check_compliance_to_infn_rules.sh 'massimo sgaravatto'
Trovati i seguenti utenti in INFN-AAI:

-----------------
Massimo.Sgaravatto@pd.infn.it ....
-->Utente compliant con le disposizioni INFN: l'account puo' essere concesso



[root@cld-ctrl-01 Comp]# /usr/local/bin/check_compliance_to_infn_rules.sh '*arcaro*'
Trovati i seguenti utenti in INFN-AAI:

-----------------
Cornelia.Arcaro@pd.infn.it ....
L'utente non ha fatto il corso
-->Utente NON compliant con le disposizioni INFN: l'account NON puo' essere concesso
-----------------
cornelia.arcaro@gmail.com ....
L'utente non ha una identita' Loa2
L'utente non ha accettato il disciplinare
L'utente non ha fatto il corso
-->Utente NON compliant con le disposizioni INFN: l'account NON puo' essere concesso



[root@cld-ctrl-01 Comp]# /usr/local/bin/check_compliance_to_infn_rules.sh '*andres gadea*'
Trovati i seguenti utenti in INFN-AAI:

-----------------
andres.gadea@lnl.infn.it ....
Utente deve ancora fare il corso ma e' ancora nel grace period
-->L'account puo' essere concesso, ma ricordare all'utente che deve fare il corso entro 30 giorni dalla data di registrazione (altrimenti l'account sara' sospeso)


If the account can be created but the script says "ricordare all'utente che deve fare il corso entro 30 giorni dalla data di registrazione (altrimenti l'account sara' sospeso)", the text of the e-mail can be something like:


We received your request for registration to the CloudVeneto infrastructure.
Your request was approved, but since you requested access to INFN resources please note what is reported at:

https://userguide.cloudveneto.it/en/latest/Registration.html#prerequisites-for-using-infn-resources

In particular we noticed that you didn't follow the IT Security course. This must be done within 30 days after the registration.
To follow the course, please go to:

https://elearning.infn.it/course/view.php?id=105

Regards
The CloudVeneto support team


If the user is not compliant with the INFN rules, reject the request and tell the user to repeat the registration process once he/she is compliant.
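The verdict lines of check_compliance_to_infn_rules.sh shown above decide what happens to the request; as an added example (not part of the CloudVeneto tooling), the script below turns that output into one action per INFN-AAI account, counting the missing requirements, and distinguishes the grace-period case that needs the reminder e-mail. The sample output is constructed from the shapes shown in this howto.

```shell
#!/bin/sh
# Added example, not part of the CloudVeneto tooling: turn the output of
# check_compliance_to_infn_rules.sh into one action per INFN-AAI account.
# GRANT = compliant, GRANT_REMIND = course still due within the grace period,
# DENY = not compliant, UNKNOWN = no verdict line found.

# Constructed sample, assembled from the output shapes shown in this howto.
sample_output() {
  cat <<'EOF'
Trovati i seguenti utenti in INFN-AAI:
-----------------
Massimo.Sgaravatto@pd.infn.it ....
-->Utente compliant con le disposizioni INFN: l'account puo' essere concesso
-----------------
Cornelia.Arcaro@pd.infn.it ....
L'utente non ha fatto il corso
-->Utente NON compliant con le disposizioni INFN: l'account NON puo' essere concesso
-----------------
cornelia.arcaro@gmail.com ....
L'utente non ha una identita' Loa2
L'utente non ha accettato il disciplinare
L'utente non ha fatto il corso
-->Utente NON compliant con le disposizioni INFN: l'account NON puo' essere concesso
-----------------
andres.gadea@lnl.infn.it ....
Utente deve ancora fare il corso ma e' ancora nel grace period
-->L'account puo' essere concesso, ma ricordare all'utente che deve fare il corso entro 30 giorni dalla data di registrazione (altrimenti l'account sara' sospeso)
EOF
}

# Reads the script output on stdin and prints "<account> <verdict> <missing>",
# where <missing> counts the "L'utente non ha ..." requirement lines.
classify_compliance() {
  awk '
    function flush() { print acct, (verdict == "" ? "UNKNOWN" : verdict), missing }
    /^-----------------/ { if (acct != "") flush(); acct = ""; verdict = ""; missing = 0; next }
    /@/ && acct == ""    { acct = $1; next }
    /non ha /            { missing++; next }
    /^-->/ {
      if ($0 ~ /NON compliant/)  verdict = "DENY"
      else if ($0 ~ /ricordare/) verdict = "GRANT_REMIND"
      else if ($0 ~ /compliant/) verdict = "GRANT"
      next
    }
    END { if (acct != "") flush() }
  '
}

sample_output | classify_compliance
```

On cld-ctrl-01 the real output can be piped in the same way (`check_compliance_to_infn_rules.sh '*name*' | classify_compliance`); the order of the tests matters because "NON compliant" also contains "compliant".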

Pre-check [7]

Select the relevant request and click on Action → Pre check.

If the user registered using username and password (i.e. not through an IdP) you might need to change the user name. In general the user name should be the family name, or should contain part of the family name.

E.g. for the user Mario Rossi, valid user names could be "mrossi", "mariorossi", "rossi" ("mario", "sonofigo", "wjuve" are instead not acceptable as user names).


After the pre-check, the Description field will be "User requires membership"


Wait until project manager approves/rejects request [8]

The request will have to be managed by the relevant project (tenant) manager(s).

support AT cloudveneto.it will be notified when this is done. 


Did the project manager approve the request? [9]

At that point the status of the user registration request will be "User requires post registration actions".


Create account on gate [10]

You now need to create the user on the gate machine. This must be done for each user, even if he/she doesn't need it.


Log in with your personal account on gate.cloudveneto.it and acquire root privileges:

sudo su -

Execute the script:

add-user-gate <USERNAME> <USER_EMAIL>

(e.g. add-user-gate pmazzon paoloemilio.mazzon@unipd.it)


The username on the gate is the first character of the given name followed by the surname, truncated to a maximum of 8 characters (modulo conflicts). Examples:

  • Gianpietro Sella → gsella
  • Paolo Mazzon → pmazzon
  • Massimo Sgaravatto → msgarava
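The two username rules of this howto, the pre-check rule of step [7] (the user name must be, or contain part of, the family name) and the gate rule of step [10] (first character of the given name plus the surname, at most 8 characters), as an added example that is not part of the CloudVeneto tooling. It assumes that "part of the family name" means a prefix of at least 4 characters, that the first word of a full name is the given name and the last word the surname, and that a conflict on the gate is detected with getent passwd but not resolved, since the howto defines no suffix rule.

```shell
#!/bin/sh
# Added example, not part of the CloudVeneto tooling: the two username rules
# of this howto as shell functions, exercised on constructed inputs only.

# Lowercase and keep ASCII letters/digits (assumption: logins are plain ASCII).
normalize() {
  printf '%s' "$1" | tr '[:upper:]' '[:lower:]' | tr -cd 'a-z0-9'
}

# username_ok USERNAME SURNAME: pre-check rule [7]. Accept when the username
# contains the surname or a prefix of it (assumption: at least 4 characters,
# so truncated gate logins such as msgarava still match Sgaravatto).
username_ok() {
  u=$(normalize "$1"); s=$(normalize "$2")
  k=${#s}; min=4
  [ "$k" -lt "$min" ] && min=$k
  [ "$min" -gt 0 ] || return 1
  while [ "$k" -ge "$min" ]; do
    p=$(printf '%s' "$s" | cut -c1-"$k")
    case "$u" in *"$p"*) return 0 ;; esac
    k=$((k - 1))
  done
  return 1
}

# gate_username "Given Surname": gate rule [10], first character of the given
# name plus the surname, cut to 8 characters. Assumption: the first word is
# the given name and the last word the surname.
gate_username() {
  first=$(printf '%s' "$1" | awk '{print $1}')
  last=$(printf '%s' "$1" | awk '{print $NF}')
  printf '%s\n' "$(normalize "$first" | cut -c1)$(normalize "$last")" | cut -c1-8
}

# gate_username_taken LOGIN: the "modulo conflicts" part. Reports an existing
# account (via getent passwd) without picking an alternative, since the howto
# does not define a suffix rule.
gate_username_taken() {
  getent passwd "$1" >/dev/null 2>&1
}

for name in 'Gianpietro Sella' 'Paolo Mazzon' 'Massimo Sgaravatto'; do
  login=$(gate_username "$name")
  if gate_username_taken "$login"; then echo "$name -> $login (TAKEN)"; else echo "$name -> $login"; fi
done
```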


To find the user email, select on the dashboard the relevant request and click on Action → Details.


Click the "Done" button [11]

Select on the dashboard the relevant request and click on Action → Done.