Roles migration

Dear

In the current Drupal 8 environment we have the option to configure roles by group:


administrator:egroups,=,alice-webmaster|
alice_member:egroups,=,alice-member|
convener:egroups,=,alice-physics-coordination|
convener:egroups,~=,alice-project-leaders|
convener:egroups,~=,alice-convenor-pwg|

A pipe separated list of rules. Each rule consists of a Drupal role id, a SimpleSAML attribute name, an operation and a value to match. e.g. role_id1:attribute_name,operation,value|role_id2:attribute_name2,operation,value... etc

Each operation may be either "=", "@=" or "~=".

    "=" requires the value exactly matches the attribute;
    "@=" requires the portion after a "@" in the attribute to match the value;
    "~=" allows the value to match any part of any element in the attribute array.

We use a regular expression to synchronize one role with several e-groups using the “~=” option.

How can we implement a similar expression in the new OpenShift role application?

best regards
Guillermo

tagging @fborgesa
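As an added example (not code from the post or from the Drupal module), a small Python evaluator for the rule format described above, plus a helper that expands a “~=” rule into the fixed list of exact groups. It assumes “~=” is a plain substring match, as the description “any part of any element” reads, and uses constructed group names such as alice-convenor-pwg-fake to show that a “~=” rule also matches a group created later with a similar name.

```python
from typing import Dict, List, Set, Tuple

Rule = Tuple[str, str, str, str]  # (role_id, attribute, operation, value)

# Constructed copy of the rule string quoted in the post (trailing pipe included).
RULES = ("administrator:egroups,=,alice-webmaster|"
         "alice_member:egroups,=,alice-member|"
         "convener:egroups,=,alice-physics-coordination|"
         "convener:egroups,~=,alice-project-leaders|"
         "convener:egroups,~=,alice-convenor-pwg|")

def parse_rules(spec: str) -> List[Rule]:
    """Split role_id:attribute,operation,value|... into rule tuples."""
    rules = []
    for chunk in spec.split("|"):
        if not chunk.strip():
            continue  # tolerate the trailing pipe
        role_id, rest = chunk.split(":", 1)
        attribute, operation, value = (p.strip() for p in rest.split(",", 2))
        if operation not in ("=", "@=", "~="):
            raise ValueError(f"unknown operation {operation!r} in {chunk!r}")
        rules.append((role_id.strip(), attribute, operation, value))
    return rules

def rule_matches(operation: str, value: str, elements: List[str]) -> bool:
    """Evaluate one rule against one multi-valued SAML attribute."""
    if operation == "=":
        return value in elements                       # whole element must match
    if operation == "@=":
        return any(e.partition("@")[2] == value for e in elements)  # part after "@"
    return any(value in e for e in elements)           # "~=": substring (assumption)

def roles_for(rules: List[Rule], attrs: Dict[str, List[str]]) -> Set[str]:
    """Role ids a user with these attribute arrays would be granted."""
    return {role for role, attr, op, value in rules
            if rule_matches(op, value, attrs.get(attr, []))}

def expand_to_exact(rules: List[Rule], known_groups: List[str]) -> List[Rule]:
    """Rewrite each "~=" rule as one "=" rule per known group it matches today,
    the fixed list the new portal expects; "=" and "@=" rules pass through.
    A group created later (e.g. alice-convenor-pwg-fake) no longer gets the role."""
    out = []
    for role, attr, op, value in rules:
        if op == "~=":
            out.extend((role, attr, "=", g) for g in known_groups if value in g)
        else:
            out.append((role, attr, op, value))
    return out
```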

Hello @gmesaper ,

To simplify, there are two points that have to be accounted for:

  1. We import from the old rules to the new ones by parsing as follows: if the rule is NOT egroups, we discard it as it is not supported under the new SSO. After that, we can only parse groups that are fully given, so if you had a rule for “~=drupal-admins”, we will try using just drupal-admins; however, groups such as drupal-admins-gmesaper will not work and you will have to add them manually.

  2. New rules can be formed by going to application-portal.web.cern.ch/ , then to the specific application, and on the roles you can change them, there’s documentation here to guide you:

You can follow the full flow either (the way the guide explains).

Dear

The second point is clear to me.

First point.
I have been frozen, not using regex in the relationship between roles and e-groups is a huge loss.
In order for you to be aware of the impact of the new system on ALICE’s websites, we work with:
Role => E-groups
convenor-pwg => 16 egroups containing alice-convenor-pwg-xx
convenor-pag => 42 egroups containing alice-convenor-pag-xx
PC-chair => 300 egroups containing alice-paperdraft-xx
PAG => 50 egroups containing alice-pag-xx
PWG => 50 egroups containing alice-pwg-xx

This means that I have to add all the e-groups by hand; is that the only solution?

best regards
Guillermo

Hi Guillermo,

Many thanks for your feedback. We can escalate your issue to our colleagues in the Authorization team, since this is not something Drupal-specific.
The Drupal Service, and concretely the OpenID configuration, makes use of the Authentication service offered by our colleagues, so as long as they allow using regex in e-groups, it will be possible to use it while configuring roles in Drupal.

I will get back to you to see if this is possible for the time being; otherwise I’m afraid you will have to add them by hand (or at least provide us the list of e-groups and we could potentially add them for you in a more automated way).

Cheers,
Ismael

Just confirmed with the Authorization team: it is not possible to add groups with a specific regex. Also, let me tell you that this can pose a security risk on your site, since if somebody knows that you are using something like alice-group-*, nothing prevents an ill-intentioned user from creating their own alice-group-fake and escalating permissions through your role assignment.

So, better to add them one by one, so that the match is fixed.

Cheers,
Ismael

Dear Ismael

Our user checking system is more complex than what you are describing.
Let me explain: all the users of our system must be members of the alice-member group, which is a closed and managed group. The user must be active in the FENCE/GLANCE database and must also exist in xldap.cern.ch.
The roles in our system depend on a categorization system: a user can be a member of the alice-convener-pwg-dq group, then he has the role of CONVENER, but he has rights to check the nodes only if the node terms are of type alice-pwg-dq, and no rights on other nodes with different terms. This is part of our user and role control system. If you are interested in more information, we will show you the ALICE people module.

best regards
Guillermo

Hi Guillermo,

Many thanks for the clarification. For sure, @kosamara and I would like to hear from you in order to see how we can match both your requirements and ours in terms of authorization matters.

We can also discuss a workaround for now so that you can move on with the upgrade to D9.

Cheers,
Ismael