CAS and user credentials

[ess-acppo-djd]

This issue placed here as the CAS is currently linked to the BIE.

• [ ] Some user credentials must be pre-loaded.
• [ ] User management requires integration with departmental protocols.
• [ ] The UI needs some work to make it easier to use.

[mbohun]

User management requires integration with departmental protocols

• I did analysis on this one, the notes are for now here: https://gist.github.com/mbohun/f4579baf3e4ec680834524bd1ddeded2
• we had a meeting with Glen of DAWR's ISD who provided info and SAML config files for the integration (of ag-bie cas with DAWR's SAML IdP)
• Because DAWR's SAML IdP will be providing only
  • email
  • given name
  • surname There is no information to create authorization automatically; meaning this information will have to be added to the ag-bie user profiles by an ag-bie administrator.

NOTE: This task was put on hold, resp. other task-s were given higher priority

[mbohun]

Some user credentials must be pre-loaded

• @charvolant described this in: https://github.com/ess-acppo/ag-bie/tree/master/ansible#cas

  # mysql
  use emmet;
  select * from users;
  update users set activated = 1 where userid = 1;
  insert into user_role values (1, 'ROLE_ADMIN');

  We will script/automate it, and add it to the ag-bie installer.
  NOTE: This can be done:

• either in ansible (adding admin username, password, etc. to the the ansible inventory; and adding/extending the ansible tasks for mysql installation/setup)
• or by adding the above setup manually to the mysql DB, and then exporting the mysql dump, and adding to the ansible tasks for mysql import of mysql dump

This is only a NOTE/TODO about cas/role-management/URI-filtering/jenkins-integration-configuration:

grails.plugin.springsecurity.controllerAnnotations.staticRules = [
    '/jenkins':                  ['ROLE_ADMIN'],
    '/jenkins.*':                ['ROLE_ADMIN'],
    '/jenkins/**':               ['ROLE_ADMIN']

FURTHER NOTE:

• https://wiki.jenkins.io/display/JENKINS/CAS+Plugin
• TODO:

[ess-acppo-djd]

The preferable approach (IMO) is to add the location of a list of users and permissions to the inventory. The list itself should be in our private repository.

[moziauddin]

Not relevant any more. We aren't using CAS and it is disabled