Comparison of COmanage, HEXAA and Perun

Columns of the original table: COmanage | HEXAA | Perun. (The Perun column has no entries in this version of the page.)

At a glance

  [image]
  [image: "this is the new UI"]

User facing features

User onboarding

  COmanage: configurable enrollment flows
    • self sign-up
    • email
    • conscription with approval
    • custom
  HEXAA:
    • email invite, mass email invite
    • URL, optionally with a seat limit
    • direct (by admin)

VO structure

  COmanage (VOs in COmanage are called COs):
    • very flexible structure, arbitrary-depth group and unit hierarchy
    • separate SP permissions within units are not invented yet
  HEXAA:
    • VO and custom roles (+ VO manager)
    • 2-level structure
    • roles can have their own subset of permissions within those available to the VO

SP onboarding

  COmanage: manual, in a JRA3-developed SQL DB (as of v1.0.5)
  HEXAA: 1) log in with any eduGAIN IdP, 2) select the SP entityID, 3) a token is sent by email to the contact addresses from the SP's metadata; the owner of those addresses becomes manager of the SP
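The HEXAA onboarding flow above (proof of control over an SP via a token mailed to the contacts published in its SAML metadata), as an added illustration in Python; this is not HEXAA's own code, and the metadata, entityIDs and secret are constructed for the example:

```python
# Added illustration, not HEXAA's code; metadata and secret are constructed.
import hashlib, hmac, secrets
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}

METADATA = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
  <md:EntityDescriptor entityID="https://sp.example.org/shibboleth">
    <md:SPSSODescriptor/>
    <md:ContactPerson contactType="technical">
      <md:EmailAddress>mailto:tech@example.org</md:EmailAddress>
    </md:ContactPerson>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp.example.edu/idp">
    <md:IDPSSODescriptor/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""

def sp_contacts(metadata_xml, entity_id):
    """Contact e-mails of entity_id; [] if unknown or not an SP (no SPSSODescriptor)."""
    root = ET.fromstring(metadata_xml)
    for ed in root.findall("md:EntityDescriptor", NS):
        if ed.get("entityID") != entity_id or ed.find("md:SPSSODescriptor", NS) is None:
            continue
        mails = set()
        for addr in ed.findall("md:ContactPerson/md:EmailAddress", NS):
            text = (addr.text or "").strip()
            mails.add(text[7:] if text.lower().startswith("mailto:") else text)
        return sorted(mails)
    return []

def issue_token(secret, entity_id, now, ttl=3600):
    """Token mailed to the contacts: nonce.expiry.tag. The HMAC tag binds the
    nonce to this entityID and expiry, so it cannot be replayed for another SP."""
    nonce = secrets.token_urlsafe(16)
    exp = int(now) + ttl
    tag = hmac.new(secret, f"{entity_id}|{nonce}|{exp}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{exp}.{tag}"

def verify_token(secret, entity_id, token, now):
    """True only for an unexpired, untampered token issued for exactly this entityID."""
    try:
        nonce, exp_str, tag = token.split(".")
        exp = int(exp_str)
    except ValueError:
        return False
    if now > exp:
        return False
    expected = hmac.new(secret, f"{entity_id}|{nonce}|{exp}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)
```

Whoever presents a valid token for the entityID is then recorded as the SP's manager; an entityID that is not an SP in the metadata yields no addresses, so no token is ever sent for it.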

SP managers

  COmanage: - (as of v1.0.5; might be added in the next version)
  HEXAA: managers can invite additional managers

SP permissions

  COmanage: ? It seems that we are not planning such a thing.
  HEXAA: SP managers can define permissions and grant them to VOs

Subscription to SPs

  COmanage: ? manual for now
  HEXAA: two models

  "subscription model"
    1) VO manager applies for a public SP + permission
    2) SP manager accepts the application

  "invite model"
    1) contact and deal are made off-band
    2) SP admin generates a token for the permission and sends it via email, etc.
    3) VO manager connects using the token

 
ProfileA big drawback in my (Mihaly) opinion of COmanage is that profile data (User SSH key, email, etc) is not fully separated from VO data, thus the VO admin is able to change these without the knowledge of the user.
  • Profile data and VO membership-based data are separated.
  • Profile attributes can be different towards different SPs
  • It makes sense to use HEXAA without a VO membership, since it can complement the data coming from the IdP with the HEXAA-based profile data.
 
Member notification

  COmanage: mass notifications can be sent at COUs
  HEXAA: A nice feature of HEXAA is that it is able to send a message to all VO or VO/Role members via email.

Technical features

eduGAIN metadata integration

  COmanage: -
  HEXAA: all eduGAIN SPs are automatically added to the system via a cron + XSL script

API

  COmanage: API for a considerable number of functions, but not for templates and other advanced stuff
  HEXAA: full API; the GUI itself uses the REST API

Custom GUI

  COmanage: it should be possible to some extent, but no partial access
  HEXAA:
    • Custom GUI possible, enables custom workflows.
    • Example in production: NIIF HPC portal
    • API users can manage their own VO, SP, permissions (everything), but only in their own security domain; no true admin access is necessary for custom GUIs

Deprovisioning

  COmanage: plugins?
  HEXAA: hooks that call URLs with JSON parameters at defined events, like user removal from a group

Development model

  COmanage: "COmanage, a project funded by the NSF and Internet2"; details TBA
  HEXAA:
    • HEXAA received GN3+ Open Call funding in 2013-14
    • HEXAA has been actively developed since then at MTA (Hungarian Academy of Sciences) SZTAKI (Institute for Computer Science and Control)
      • MTA partially (up to the minimum Hungarian wage) refunds the wages of a certain number (<= 25% of permanent staff) of employed students, if they are diploma-mentored by research fellows at SZTAKI
      • We can maintain 1-2 intern positions for federation-related work

Operation model

  COmanage: as an eduTEAMS service
  HEXAA:
    • GÉANT OP?
    • hexaa.eduid.hu
      • The eduID.hu federation and its operator KIFU rely on the hexaa.eduid.hu instance for their internal and core services, hence its operators monitor it as a core component
      • Anybody with an eduGAIN user / SP can use this same instance on the side, but user support is limited
    • as an eduTEAMS service
      • TBA

Roadmap

  COmanage: 1.1.1 is upcoming, with several new features useful for us (TBA)
  HEXAA:
    • New UI is upcoming
    • consistent API v2: same functionality, but easier to use for custom GUIs and scripts
    • ORCID integration (currently in planning)