Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Move away from LDAP #4348

Open
4 of 7 tasks
mlehotskylf opened this issue Jun 10, 2024 · 14 comments
Open
4 of 7 tasks

Move away from LDAP #4348

mlehotskylf opened this issue Jun 10, 2024 · 14 comments
Assignees
@nickmango
Labels
enhancement New feature or request internal Internal tickets ldap

Comments

@mlehotskylf
Copy link
Contributor

mlehotskylf commented Jun 10, 2024
edited by nickmango

Move away from LDAP

Docs:
@mlehotskylf mlehotskylf added enhancement New feature or request internal Internal tickets labels Jun 10, 2024
@emsearcy
Copy link

emsearcy commented Jun 10, 2024
edited

There is no "migration" of users from LDAP to Auth0 as part of this, and the second link is not very relevant to EasyCLA, it's just another part of the overarching project.

What's principally needed from EasyCLA is: 1) stop taking/storing "ICLA/CCLA node IDs" in the onboarding APIs and PCC UI, and remove any reference to setting these up in the EasyCLA and/or PCC docs 2) change the onboarding prompts in PCC to show the EasyCLA "CLA group" IDs which need configuration by an Auth0 administrator configuration (in addition to the Gerrit snippet configurations), 3) stop attempting to push ICLA and ECLA participants to the Drupal Identity API, and 4) share with me the API calls needed to fetch ICLA and/or ECLA signature status by LDAP username lookup (multiple calls are OK, but should take less than 5 seconds total for all calls--so pagination will likely not be supported if the time is theoretically unbounded, and we'd need a specific username-lookup endpoint in that case).

@nickmango
Copy link
Collaborator

nickmango commented Jun 11, 2024
edited

Much appreciated @emsearcy for the clarifications and this is clearer, I had a couple of questions on 2 & 4.
2) change the onboarding prompts in PCC to show the EasyCLA "CLA group" IDs which need configuration by an Auth0 administrator configuration (in addition to the Gerrit snippet configurations).
I suppose the configurations would be handled by Easycla API endpoint on onboarding ? If yes , could you detail these configurations needed to be processed and if theres any external calls (same idea we use for Github)
4) share with me the API calls needed to fetch ICLA and/or ECLA signature status by LDAP username lookup (multiple calls are OK, but should take less than 5 seconds total for all calls--so pagination will likely not be supported if the time is theoretically unbounded, and we'd need a specific username-lookup endpoint in that case).
Would this be to support backward compatability with our existing LDAP users. And moving forward this will remain the same approach much as we are shifting from LDAP ?

Thanks, can we have a session to discuss the overall approach as well such that PCC and the Easycla integration is well aligned ?
cc @mlehotskylf

@nickmango
Copy link
Collaborator

nickmango commented Jun 13, 2024
edited

@emsearcy the implemented the lfid authorized endpoint https://api-gw.dev.platform.linuxfoundation.org/cla-service/v4/api-docs#tag/signatures/operation/isAuthorized

@nickmango
Copy link
Collaborator

@emsearcy I have decommissioned the group sync feature for the gerrit flow by removing the existing logic that added icla,ecla users to the LDAP group. However theres a use case when we add/remove approval list by email . In this case if the user was a gerrit user we added/removed the user to the LDAP group upon updating the approval list items (This happens in the lfx company dashboard for easycla). Based on this update, are we able to integrate auth0 update of adding or removing a gerrit user ?
cc @mlehotskylf

@emsearcy
Copy link

As long as those users will subsequently return "true" in the "isAuthorized" endpoint, it should function identically from the end users perspective to the group-add flow. (groups were only synced into Gerrit from LDAP on their next login, anyhow, same as when /cla/authorization will be checked)

@nickmango
Copy link
Collaborator

well noted !

nickmango added a commit to nickmango/easycla that referenced this issue Jun 18, 2024
@nickmango
[communitybridge#4357,communitybridge#4348] Bug/LF Users
4876d47 
- Handled exception case for users that dont exist
- Updated response with ccla,icla,ccla_requires_icla fields

Signed-off-by: Harold Wanyama <hwanyama@contractor.linuxfoundation.org>
nickmango added a commit that referenced this issue Jun 18, 2024
@nickmango
Merge pull request #4364 from nickmango/bug/lfid-authorized
bed19f1 
[#4357,#4348] Bug/LF Users
@amolsontakke3576
Copy link
Contributor

@nickmango is it deployed to dev ? I got below error
.../cla-group/01af041c-fa69-4052-a23c-fb8c1d3bef24/project/lfhR1vwaB7uuX5ExzO/gerrit Request Method: POST
Payload : {"gerritName":"ONAP","gerritUrl":"https://gerrit.onap.org/","version":"v1"}
Response :

{
    "status": 400,
    "stack": "",
    "details": null,
    "message": "should specify at least a LDAP group for ICLA or CCLA",
    "code": "error",
    "requestId": "7e67535a-3424-4667-9eef-a4400f4b6c7a",
    "data": {
        "gerritName": "ONAP",
        "gerritUrl": "https://gerrit.onap.org/",
        "version": "v1"
    }
}

@emsearcy
Copy link

emsearcy commented Jul 9, 2024

just for reference, here is the script I wrote for doing comparisons between group membership and EasyCLA API status: https://github.com/LF-Engineering/easycla-gerrit-compare-script/blob/main/compare_authorizations.py

@nickmango
Copy link
Collaborator

@nickmango is it deployed to dev ? I got below error .../cla-group/01af041c-fa69-4052-a23c-fb8c1d3bef24/project/lfhR1vwaB7uuX5ExzO/gerrit Request Method: POST Payload : {"gerritName":"ONAP","gerritUrl":"https://gerrit.onap.org/","version":"v1"} Response :

{
    "status": 400,
    "stack": "",
    "details": null,
    "message": "should specify at least a LDAP group for ICLA or CCLA",
    "code": "error",
    "requestId": "7e67535a-3424-4667-9eef-a4400f4b6c7a",
    "data": {
        "gerritName": "ONAP",
        "gerritUrl": "https://gerrit.onap.org/",
        "version": "v1"
    }
}

@amolsontakke3576 this should be good. I had reverted this when we were to move to prod but have restored this functionality. Kindly review

@emsearcy
Copy link

emsearcy commented Jul 9, 2024
edited

@mlehotskylf as discussed in Slack -- QA fail for #2 while working on #7 (which is otherwise ready). Please see following discrepancies between EasyCLA-managed LDAP groups, and the live API responses. I need help from the EasyCLA team to identify the cause of the discrepancies and determine a path forward, possibly with support from the RelEng team.

My expectations:

  • Previous invalidations (ICLA invalidations, CCLA invalidations, or removal of employees from CCLA lists) of Gerrit-linked groups should have been synced as LDAP group removals: if that wasn't done in the past, that's not ideal, but the good news is that moving to the API will solve it for us! (Even so, it might not be the only source of the discrepancies...needs confirmation!)
  • Out-of-band signatures (including migration of pre-EasyCLA authorizations) should have been added to the EasyCLA DB via the established process.
  • Support & engineering staff should be "unauthorized", but RelEng team has a workaround that adds an override on the Gerrit side. Anyone previously getting this type of override via LDAP group memberrship needs to be migrated to the Gerrit group-membership-override (nested group setup).
  • Product support & RelEng teams should review the solution(s) to ensure they understand the amount of potential user disruption / support burden due to any outstanding user transitions from authorized to unauthorized.

ONAP: 229 users authorized, 653 unauthorized, 15 errors
OPNFV: 68 users authorized, 42 unauthorized, 0 errors
ORAN-SC (OSS): 153 users authorized, 154 unauthorized, 1 errors
ORAN-ASC: 30 users authorized, 15 unauthorized, 0 errors

nickmango added a commit to nickmango/easycla that referenced this issue Jul 10, 2024
@nickmango
[communitybridge#4348]Bug/User Fetch unmarshalling
01e9b60 
- Resolved fetch by lfusername bug caused due to string set map value of user emails

Signed-off-by: Harold Wanyama <hwanyama@contractor.linuxfoundation.org>
nickmango added a commit that referenced this issue Jul 10, 2024
@nickmango
Merge pull request #4381 from nickmango/bug/lfid-auth-gerrit
536b294 
[#4348]Bug/User Fetch unmarshalling
nickmango added a commit to nickmango/easycla that referenced this issue Jul 11, 2024
@nickmango
[communitybridge#4348] Bug Icla and Company check
898f1f4 
- Resolved authorization cla endpoint with users on a non existant company

Signed-off-by: Harold Wanyama <hwanyama@contractor.linuxfoundation.org>
nickmango added a commit that referenced this issue Jul 11, 2024
@nickmango
Merge pull request #4382 from nickmango/bug/icla-auth-check
cf3aeb9 
[#4348] Bug Icla and Company check
@amolsontakke3576
Copy link
Contributor

@nickmango is it deployed to dev ? I got below error .../cla-group/01af041c-fa69-4052-a23c-fb8c1d3bef24/project/lfhR1vwaB7uuX5ExzO/gerrit Request Method: POST Payload : {"gerritName":"ONAP","gerritUrl":"https://gerrit.onap.org/","version":"v1"} Response :

{
    "status": 400,
    "stack": "",
    "details": null,
    "message": "should specify at least a LDAP group for ICLA or CCLA",
    "code": "error",
    "requestId": "7e67535a-3424-4667-9eef-a4400f4b6c7a",
    "data": {
        "gerritName": "ONAP",
        "gerritUrl": "https://gerrit.onap.org/",
        "version": "v1"
    }
}

@nickmango It again reproduced on dev.

@amolsontakke3576
Copy link
Contributor

@nickmango any updates? I can still see the same errors.

@nickmango
Copy link
Collaborator

@amolsontakke3576 with the latest updates I reverted this section. There was a window it was ready for testing.

@nickmango
Copy link
Collaborator

@amolsontakke3576 kindly retest

nickmango added a commit to nickmango/easycla that referenced this issue Jul 30, 2024
@nickmango
[communitybridge#4348] Bug/Ecla Check
fd771bc 
- Resolved bug for ecla checks against emails in the email approval list

Signed-off-by: Harold Wanyama <hwanyama@contractor.linuxfoundation.org>
nickmango added a commit that referenced this issue Jul 30, 2024
@nickmango
Merge pull request #4396 from nickmango/bug/ecla-check
9bde61e 
[#4348] Bug/Ecla Check
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@nickmango nickmango

Labels
enhancement New feature or request internal Internal tickets ldap
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@emsearcy @mlehotskylf @amolsontakke3576 @nickmango