
Apache Airavata Custos Security


Science gateways represent potential targets for cybersecurity threats to users, scientific research, and scientific resources. Custos is a software framework that provides common security operations for science gateways, including user identity and access management, gateway tenant profile management, resource secrets management, and groups and sharing management. The goals of the Custos project are to provide these services to a wide range of science gateway frameworks, providing the community with an open-source, transparent, and reviewed code base for common security operations; and to operate trustworthy security services for the science gateway community using this software base. To accomplish these goals, we implement Custos using a scalable microservice architecture that can provide highly available, fault-tolerant operations. Custos exposes these services through a language-independent Application Programming Interface that encapsulates science gateway usage scenarios.

The following diagram illustrates the architecture of the Custos software.

[Image: Custos architecture diagram]

To find out more, please check out the Custos website.

Quickstart

Installation Instructions

Setup Custos for local development

Prerequisites

  • Java 17

  • Docker installed on local environment

  • Maven 3.6.x

Clone the repository

  git clone -b develop https://github.com/apache/airavata-custos.git
  

Build source code

The following command builds the Custos source code and creates two Docker images, custos_core_server and custos_integration_server:

  cd airavata-custos
  mvn clean install

Run Custos on docker

The following command starts the Custos main services and the services they depend on. All services are listed below; if they start correctly you should be able to access them locally.

   cd custos-utilities/ide-integration/src/main/containers
   docker-compose up

Bootstrapping Custos Super Tenant

Once all services are running, run the Custos bootstrap service to create a super tenant, which is needed to launch the Custos Portal:

 cd custos-utilities/custos-bootstrap-service/
 mvn spring-boot:run

The above command creates the super tenant and prints its credentials. Copy those credentials to configure the Custos Portal.

Note: Make sure to clean up old databases for fresh start.

Install Custos Portal Locally

Follow the link below for the portal deployment instructions:

Custos Portal

Configure the following properties in the .env file:

CUSTOS_CLIENT_ID="SUPER TENANT ID CREATED FROM ABOVE STEP"
CUSTOS_CLIENT_SEC="SUPER TENANT CREDENTIAL CREATED FROM ABOVE STEP"
CUSTOS_API_URL="http://localhost:10000"
CUSTOS_SUPER_CLIENT_ID="SUPER TENANT ID CREATED FROM ABOVE STEP"
UNDER_MAINTENANCE=False

Custos Integration With External Applications

Custos can be integrated with external applications using Custos REST Endpoints, Python SDK, or Java SDK.

Integrate Using Java SDK

To perform this step you need an already activated tenant, either in Custos Managed Services or in your own deployment. The following instructions are for a locally deployed Custos setup and can be adapted to any deployment.

Initializing Custos Java SDK

  • Add the Maven dependency to your project

   <dependency>
       <groupId>org.apache.custos</groupId>
       <artifactId>custos-java-sdk</artifactId>
       <version>1.1-SNAPSHOT</version>
   </dependency>

  • Initialize the Custos Client Provider in your application

   // Replace CUSTOS_CLIENT_ID and CUSTOS_CLIENT_SECRET with the client id and secret of the
   // super tenant created above, or of any other active tenant
   CustosClientProvider custosClientProvider = new CustosClientProvider.Builder().setServerHost("localhost")
                     .setServerPort(7000)
                     .setClientId(CUSTOS_CLIENT_ID)
                     .setClientSec(CUSTOS_CLIENT_SECRET)
                     .usePlainText(true) // plaintext (non-TLS) transport; do not use this in a production setup
                     .build();

Once the above step is done, you can use the available Custos client methods for authentication and authorization.

  • Sample client code to register and enable a user

   UserManagementClient userManagementClient = custosClientProvider.getUserManagementClient();
   userManagementClient.registerUser("jhon", "Smith", "testpassword", "smith@1",
                     "[email protected]", false);
   userManagementClient.enableUser("jhon");
   // Same username as registered above; the status object reports whether the account is enabled
   OperationStatus status = userManagementClient.isUserEnabled("jhon");
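The sample above hard-codes the client secret and turns on plaintext transport. As an added example, not code from the Custos README or SDK, the following builds the provider from environment variables and only allows plaintext transport when an explicit opt-in is set and the target is localhost. It uses only the builder and client methods shown above; the environment variable names (CUSTOS_HOST, CUSTOS_PORT, CUSTOS_ALLOW_PLAINTEXT, DEMO_USER_PASSWORD), the localhost rule, and the positional meaning of the registerUser arguments (taken from the README sample) are this example's assumptions.

```java
// Added example: build the Custos client from environment variables instead of
// hard-coded credentials. Only the builder and client methods shown in the README
// are used; the variable names and the plaintext opt-in rule are assumptions of
// this example. Import CustosClientProvider, UserManagementClient and
// OperationStatus from the custos-java-sdk artifact.
public final class CustosClientFactory {

    // Fail fast on a missing setting rather than silently sending an empty secret.
    private static String requireEnv(String name) {
        String value = System.getenv(name);
        if (value == null || value.isBlank()) {
            throw new IllegalStateException("Missing required environment variable: " + name);
        }
        return value;
    }

    public static CustosClientProvider fromEnvironment() {
        String host = requireEnv("CUSTOS_HOST");          // e.g. localhost
        int port = Integer.parseInt(requireEnv("CUSTOS_PORT")); // e.g. 7000
        String clientId = requireEnv("CUSTOS_CLIENT_ID");
        String clientSecret = requireEnv("CUSTOS_CLIENT_SEC");

        // Plaintext transport sends the tenant secret and user passwords unencrypted,
        // so it is only permitted with an explicit opt-in and only against localhost
        // (assumed policy of this example).
        boolean allowPlaintext = "true".equalsIgnoreCase(System.getenv("CUSTOS_ALLOW_PLAINTEXT"));
        boolean isLocal = "localhost".equals(host) || "127.0.0.1".equals(host);
        if (allowPlaintext && !isLocal) {
            throw new IllegalStateException(
                    "CUSTOS_ALLOW_PLAINTEXT is set but host " + host + " is not localhost; use TLS");
        }

        return new CustosClientProvider.Builder()
                .setServerHost(host)
                .setServerPort(port)
                .setClientId(clientId)
                .setClientSec(clientSecret)
                .usePlainText(allowPlaintext)
                .build();
    }

    // Registers and enables a user with the same call sequence as the README sample,
    // then returns the status object reported by Custos for the caller to inspect.
    public static OperationStatus registerAndEnable(CustosClientProvider provider, String username,
                                                    String password, String email) {
        UserManagementClient users = provider.getUserManagementClient();
        // Argument positions follow the README sample; the password comes from the caller,
        // not a literal in source.
        users.registerUser(username, "Smith", password, "smith@1", email, false);
        users.enableUser(username);
        return users.isUserEnabled(username);
    }

    public static void main(String[] args) {
        CustosClientProvider provider = fromEnvironment();
        // Constructed sample values; the password is read from the environment.
        OperationStatus status = registerAndEnable(provider, "jhon",
                requireEnv("DEMO_USER_PASSWORD"), "user@example.org");
        System.out.println("isUserEnabled returned: " + status);
    }
}
```

Run it with the tenant credentials exported in the shell (for example from the .env file configured above) rather than committed to the application's source; with CUSTOS_ALLOW_PLAINTEXT unset, the provider is built with usePlainText(false), which is the setting to keep for any non-local deployment.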

Deploy Custos on remote server

Follow the Ansible-based deployment instructions; see the documentation here.

Questions or need help?

Please create a GitHub issue, or subscribe to the Custos mailing list ([email protected]) and send us an email.

Publications

@inproceedings{10.1145/3311790.3396635,
author = {Ranawaka, Isuru and Marru, Suresh and Graham, Juleen and Bisht, Aarushi and Basney, Jim and Fleury, Terry and Gaynor, Jeff and Wannipurage, Dimuthu and Christie, Marcus and Mahmoud, Alexandru and Afgan, Enis and Pierce, Marlon},
title = {Custos: Security Middleware for Science Gateways},
year = {2020},
isbn = {9781450366892},
publisher = {Association for Computing Machinery},
address = {New York, NY, USA},
url = {https://doi.org/10.1145/3311790.3396635},
doi = {10.1145/3311790.3396635},
booktitle = {Practice and Experience in Advanced Research Computing},
pages = {278–284},
numpages = {7},
location = {Portland, OR, USA},
series = {PEARC '20}
}
@inproceedings{10.1145/3491418.3535177,
author = {Ranawaka, Isuru and Goonasekara, Nuwan and Afgan, Enis and Basney, Jim and Marru, Suresh and Pierce, Marlon},
title = {Custos Secrets: A Service for Managing User-Provided Resource Credential Secrets for Science Gateways},
year = {2022},
isbn = {9781450391610},
publisher = {Association for Computing Machinery},
address = {New York, NY, USA},
url = {https://doi.org/10.1145/3491418.3535177},
doi = {10.1145/3491418.3535177},
booktitle = {Practice and Experience in Advanced Research Computing},
articleno = {40},
numpages = {4},
location = {Boston, MA, USA},
series = {PEARC '22}
}

Acknowledgment

We are thankful to the National Science Foundation (NSF) for funding this project.

We are thankful to Trusted CI (https://www.trustedci.org/) for conducting the First Principles Vulnerability Assessment (FPVA) (https://dl.acm.org/doi/10.1145/1866835.1866852) of this software and for providing the above architecture diagram and security improvements.


airavata-custos's Issues

Error while Generating Distribution Archives

I am implementing the first step of Generating Distribution Archives,

python3 -m pip install --user --upgrade setuptools wheel

I am facing the following error in the step that installs the latest setuptools and wheel versions.

ERROR: Can not perform a '--user' install. User site-packages are not visible in this virtualenv.

I was able to complete the step only after removing `--user`.

Give access to client and realm level logs

Is your feature request related to a problem? Please describe.

No

Describe the solution you'd like

We need access for client and realm level logs. We are mainly looking for audit logs related to user and agent management functions.

Describe alternatives you've considered

A clear and concise description of any alternative solutions or features you've considered.

Additional context

Add any other context about the feature request here.

Configure web origins to support CORs in Keycloak

Description

This client domain should be configured in Keycloak clients to accept CORs.
NOTE: # ( Describe the problem you're encountering. )

Steps to Reproduce

Expected Behaviour

Print client-side warning "The request has been blocked by CORS policy: No ‘Access-Control-Allow-Origin’ header is present on the requested resource.”
NOTE: # ( Tell us what you did and what you expected to happen and what you instead saw. )

Your Environment

  • Custos branch or release version used:
  • Operating system and version:

Additional Context

Provide Custos details and navigation in the README

Write project metadata and detailed documentation in the readme with clear directions for reporting issues, documentation, installation, usage, samples.

In addition, provide details on project governance, contributing and license information.

Incorrect path for get certificate credentials

Get certificate path should be corrected as,

String vaultPath = Constants.VAULT_RESOURCE_SECRETS_PATH + tenantId + "/" + secret.getOwnerId() +
                "/" + Constants.CERTIFICATES + "/" + secret.getId();
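The issue above gives the corrected Vault path layout for certificate secrets. As an added example, not Custos code, the following builds that same path while rejecting owner and secret ids that are empty, contain a path separator, or are dot segments, so an id value can only ever select a key under the tenant's own certificates subtree. The constant values, the `long` tenant id, and the allowed character set are assumptions of this example.

```java
import java.util.regex.Pattern;

// Added example: build the certificate secret path in the layout from the issue,
// validating each caller-supplied segment first. The constant values below are
// placeholders standing in for Constants.VAULT_RESOURCE_SECRETS_PATH and
// Constants.CERTIFICATES in Custos; only the path layout matters here.
public final class CertificatePathBuilder {
    static final String VAULT_RESOURCE_SECRETS_PATH = "secret/resourcesecrets/"; // placeholder
    static final String CERTIFICATES = "certificates";                           // placeholder

    // Assumed allowed alphabet for owner and secret ids: no '/', no whitespace,
    // bounded length. Adjust to the id format the deployment actually issues.
    private static final Pattern SAFE_SEGMENT = Pattern.compile("[A-Za-z0-9._@-]{1,128}");

    // Returns the segment unchanged if it is a single safe path component,
    // otherwise throws so the caller never writes or reads outside the expected subtree.
    static String safeSegment(String name, String value) {
        if (value == null || !SAFE_SEGMENT.matcher(value).matches()
                || value.equals(".") || value.equals("..")) {
            throw new IllegalArgumentException("invalid " + name + " segment: " + value);
        }
        return value;
    }

    // Layout from the issue: <secrets path><tenantId>/<ownerId>/<CERTIFICATES>/<secretId>
    public static String certificatePath(long tenantId, String ownerId, String secretId) {
        if (tenantId <= 0) {
            throw new IllegalArgumentException("tenantId must be positive");
        }
        return VAULT_RESOURCE_SECRETS_PATH + tenantId + "/"
                + safeSegment("ownerId", ownerId) + "/"
                + CERTIFICATES + "/"
                + safeSegment("secretId", secretId);
    }

    public static void main(String[] args) {
        // Constructed sample ids.
        System.out.println(certificatePath(10000425L, "smith@1", "cert-01"));
        // secret/resourcesecrets/10000425/smith@1/certificates/cert-01
        try {
            certificatePath(10000425L, "../other-owner", "cert-01");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The check is deliberately an allow-list on the segment rather than a search for specific bad substrings, so a new separator or encoding trick cannot slip through without the alphabet being widened on purpose.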

Support separated tenant level logging

There should be a way to enable tenant-level logging for each tenant in separated log files.

Is your feature request related to a problem? Please describe.

A clear and concise description of what the problem is.

Describe the solution you'd like

A clear and concise description of what you want to happen.

Describe alternatives you've considered

A clear and concise description of any alternative solutions or features you've considered.

Additional context

Add any other context about the feature request here.

Implement Airavata Sharing Service

Move Airavata Sharing Service (https://github.com/apache/airavata/tree/master/modules/sharing-registry/sharing-registry-server) into Custos
[NOTE]: # ( ^^ Provide a general summary of the request in the title above. ^^ )

Is your feature request related to a problem? Please describe.

A clear and concise description of what the problem is.

Describe the solution you'd like

A clear and concise description of what you want to happen.

Describe alternatives you've considered

A clear and concise description of any alternative solutions or features you've considered.

Additional context

Add any other context about the feature request here.

How to test Agent Management Client

I have a few queries regarding the agent management client:

1. What is an agent?
2. In the agent management client samples, a username and password is used to get a token. Can we obtain some username and password for running our test cases

def register_and_enable():
    agent = {
        "id": "agent-asdasda-ebnmvf",
        "realm_roles": [],
        "attributes": [{
            "key": "agent_cluster_id",
            "values": ["123123131"]
        }]
    }
    id_res = id_client.token(token, username="isjarana", password="Custos1234", grant_type="password")
    response = client.register_and_enable_agent(id_res['access_token'], agent)
    print(response)

register_and_enable()

What credentials can we use for running a similar code in test case?

Support for custom logo on Custos/Keycloak login screen

In cases where a Custos client is not using idphint support (#40) to bypass the Custos/Keycloak login screen, it's nice to be able to customize the login screen with a project logo and other theming. Currently the Custos team can manually configure the Keycloak theme for a tenant, but otherwise I think the logo/theme is not customizable via the Custos tenant management service.

Some possible options for this feature:

  1. The tenant management client API includes a logo_uri parameter that could be used for specifying a logo for the tenant. This is a simple option that wouldn't require a lot of CSS customization, I think.
  2. The tenant management interface could provide a selection of predefined themes to choose from.
  3. The tenant management interface could support upload of CSS/etc. for full theme customization. In my opinion, this option is probably overkill.

How to create a child tenant as the super tenant

I'm not sure if this is a possibility. But, when I'm logged in as a super tenant, is there any way I could create a child tenant below a specified admin tenant.

for admin tenant creation, no authorization header, and for child tenant creations, the authorization header is base64 encoded clientId:secret of the admin tenant. But, when I'm logged in as the super tenant, I technically do not know the secret of admin tenants even though I can retrieve them through a rest API call. I wonder if I really should do that.

I would say if I could pass the parent client id, it could be a better approach while the authorization and tenant type identification could be done through an access token.

Add "display_name" in tenant institution cache methods

Is your feature request related to a problem? Please describe.

Yes. We need to retrieve institution name from the institution cache get response.

Describe the solution you'd like

Can you please add "display_name" for each institution?
Something similar to following

{"institutions": [
  {
   "entity_id": "http://adfs.asu.edu.om/adfs/services/trust",
    "display_name": "A'SHARQIYAH UNIVERSITY"
  }
]}

Describe alternatives you've considered

A clear and concise description of any alternative solutions or features you've considered.

Additional context

Add any other context about the feature request here.

Implement certificate manager using Custos

  • Develop a Cert Renewer Task that will connect to Let’s Encrypt APIs and create certificates, update certificates
  • Created certificates and keys are stored in Custos
  • Client application should be able to fetch certificates from Custos

Custom login page themes for user realms/applications

Is your feature request related to a problem? Please describe.

We want the ability to customize the look and feel of the Keycloak/Custos login page for our realms and applications. While this is possible with Keycloak, it is not possible yet with Custos.

Describe the solution you'd like

Expose the Keycloak theming features through Custos APIs.

Describe alternatives you've considered

N/A.

Additional context

Our app (HTRC Analytics Gateway) is designed to always redirect to an IDP for authentication and now we need to support local accounts (for users who don't have institutional accounts). Our plan is to redirect to Custos for local account authentication and we would like to customize the look and feel of the login page.

Migrate Airavata Credential Store into Custos

Is your feature request related to a problem? Please describe.

Describe the solution you'd like

Implement token-based credential retrieval for users.
Implement SSH key generation and retrieval

Describe alternatives you've considered

A clear and concise description of any alternative solutions or features you've considered.

Additional context

Add any other context about the feature request here.

The hierarchy of tenants

Hi @isururanawaka

Is it correct to say there are only three levels for tenants as below

(1) super-tenant
(2) admin-tenant
(3) client-tenant

As of now, I can see that tenants who are in level (3) are not authorized to tenant endpoints. But, for end-users, the logo, tenant name (required), etc. may need to be shown on the front-end application. Are there separate endpoints authorized and available? Also, those should be able to provide the tenant information by taking the client id (maybe as a parameter or through the token) since that's all the keys available in the frontend unless tenant ids are also kept in the frontend config files.

Tenants who are in level (2) are authorized to tenant endpoints. (eg: create and manage tenants)

I doubt the existence and what's going on in the level (1). Are there any use-cases from that for the end-users?

@dinukadesilva

How to retrieve clientId and secret of a tenant after creation

In the new UX designs, the client id and the secret are required to show even later in the system which means not just right after the creation. So, is there an endpoint to retrieve them separately or can those also be merged to the tenant objects?

POST https://custos.scigap.org/apiserver/tenant-management/v1.0.0/oauth2/tenant
{
"client_id": "custos-ax354lwrwacyt5hahhiv-10001504",
"client_secret": "ULjC6OKPk37rQ1FW4Bk1aitA9COVV3KNfL1Qd63o",
"is_activated": true,
"client_id_issued_at": 1618550500000,
"client_secret_expires_at": 0,
"registration_client_uri": "https://custos.scigap.org:32036/tenant-management/v1.0.0/oauth2/tenant?client_id=custos-ax354lwrwacyt5hahhiv-10001504",
"token_endpoint_auth_method": "client_secret_basic",
"msg": "Credentials are activated"
}

CILogon clients scopes are not updated

Description

Steps to Reproduce

Update client scopes and updates are not reflected on CILogon client
NOTE: # ( Include details description or commands to reproduce. )

Expected Behaviour

Your Environment

  • Custos branch or release version used:
  • Operating system and version:

Additional Context

Error while calling update tenant API request

Description

Getting error while executing the following code in update tenant.

"Error occurred at updateTenant INTERNAL: Error occurred during updateTenantjava.lang.RuntimeException: Error creating Realm in Keycloak Server, reason: HTTP 404 Not Found"

client_id = "custos-msc8yfonps763adtp8za-10000425"
response = client.update_tenant(token, client_id,
                                        "Custos Portal",
                                        "[email protected]", "Isuru", "Ranawaka", "[email protected]", "isjarana",
                                        "Custos1234",
                                        self.contacts, self.redirect_uris, "https://custos.scigap.org/",
                                        "openid profile email org.cilogon.userinfo", "domain.org",
                                        "https://custos.scigap.org/", "Custos Portal")

Steps to Reproduce

  1. Create a new admin tenant
  2. Execute get tenant to verify that the tenant exists
  3. Update the tenant with new data using the client ID returned in create_admin_tenant.
  4. Update tenant API call will throw an error.

Enable manage user accounts via admin console

We have a requirement to access user accounts via an admin console. Currently it's possible via the Keycloak admin console. Since you don't recommend using the Keycloak interface, we are wondering whether this feature will be available via the Custos dashboard?

Error while using delete_tenant python API

Description

Getting a "Client ID should not be null" error while trying to delete a client, even though I just created the client using the create_admin_client API.

def test_delete_tenant(tenant):
    response = client.delete_tenant(token, tenant.client_id)
    print(response)

Steps to Reproduce

def test_delete_tenant(tenant):
    response = client.delete_tenant(token, "custos-al6tf9r1aggetx6nrt1p-10000519")

Error Message

rpc._channel._InactiveRpcError: <_InactiveRpcError of RPC that terminated with:
status = StatusCode.INVALID_ARGUMENT
details = "Error occurred at deleteTenant UNKNOWN: Error while validating method deleteClient Client Id should not be null"
debug_error_string = "{"created":"@1592589585.887821071","description":"Error received from peer ipv4:149.165.168.38:31499","file":"src/core/lib/surface/call.cc","file_line":1056,"grpc_message":"Error occurred at deleteTenant UNKNOWN: Error while validating method deleteClient Client Id should not be null","grpc_status":3}"

Expected message

message DeleteTenantRequest {
string client_id = 1;
int64 tenant_id = 2;
Credentials credentials = 3;
org.apache.custos.tenant.profile.service.Tenant body = 4;
}

What is the difference between the tenant_id and the client_id?? In the response. after "create_admin_tenant" API is called only the client_id is returned.

Portal admin user should not be able to add empty Permissions

Description

Restrict adding empty permission types.
NOTE: # ( Describe the problem you're encountering. )

Steps to Reproduce

  1. Admin user logs in
  2. Clicks on 'Add Permission Type'
  3. Clicks add without adding text.
  4. Error thrown
  5. vue.runtime.esm.js:1888 Error: Request failed with status code 500
    at t.exports (createError.js:16)
    at t.exports (settle.js:17)
    at XMLHttpRequest.f.onreadystatechange (xhr.js:69)
  6. TO the portal user no error message is displayed, appears to be processing the bad request.
    NOTE: # ( Include details description or commands to reproduce. )

Expected Behaviour

Your Environment

https://demo.gateway.custos.scigap.org/
[Screenshot: Screen Shot 2020-10-05 at 9 52 09 PM]

  • Custos branch or release version used:
  • Operating system and version:

Additional Context

Provide an API method to get CILogon whitelisted institutions

Is your feature request related to a problem? Please describe.

No

Describe the solution you'd like

Currently we keep CILogon IDP list locally. We expect to get this list from Custos in future.

Describe alternatives you've considered

A clear and concise description of any alternative solutions or features you've considered.

Additional context

Add any other context about the feature request here.

Create API method to get all users

Is your feature request related to a problem? Please describe.

Yes. We need to get all users for stat purpose.

Describe the solution you'd like

API method to get all users

Describe alternatives you've considered

No alternative

Additional context

Support client level roles for agents

Is your feature request related to a problem? Please describe.

No

Describe the solution you'd like

Currently Custos agent API only supports realm level roles for agents. It would be great if we can add client level roles to agents too. Since in HTRC we mainly work with client level roles.

Describe alternatives you've considered

A clear and concise description of any alternative solutions or features you've considered.

Additional context

Add any other context about the feature request here.

Develop a Custos operator using K8 operator pattern

  • Examine existing helm charts
  • Figure out the best strategy to develop Custos operators to deploy those microservices (Helm operator might help)
  • Operators should be able to deploy Custos microservice, do rollouts ..etc
  • Come up with Custom resource types for Custos in Kubernetes

Remove dependency to non-maven central repos

The dependencies to non-maven central repositories should be removed before production, especially removing dependency to milestone repos:

  • spring-milestones
  • bintray-lognet-maven

Cleanup credential store and custos client folders

In the develop branch root folder, there is a custos-clients folder in the root directory, is that required or legacy? If any of these are required can they be merged with custos-java-sdk folder?

In the develop branch root folder there is a credential-store directory, is that a legacy one, can it be removed?
