https://dev.arvados.org/https://dev.arvados.org/favicon.ico?15576888422018-01-24T20:51:34ZArvadosArvados - Idea #12995: [Workbench] Allow user to add a new Google account to their Arvados accounthttps://dev.arvados.org/issues/12995?journal_id=596752018-01-24T20:51:34ZLucas Di Pentimalucas.dipentima@curii.com
<ul><li><strong>Description</strong> updated (<a title="View differences" href="/journals/59675/diff?detail_id=57017">diff</a>)</li></ul> Arvados - Idea #12995: [Workbench] Allow user to add a new Google account to their Arvados accounthttps://dev.arvados.org/issues/12995?journal_id=611732018-03-21T18:57:51ZTom Morristfmorris@veritasgenetics.com
<ul><li><strong>Related to</strong> <i><a class="issue tracker-2 status-3 priority-4 priority-default closed parent" href="/issues/12626">Feature #12626</a>: [API] Merge user accounts (redirect=true case)</i> added</li></ul> Arvados - Idea #12995: [Workbench] Allow user to add a new Google account to their Arvados accounthttps://dev.arvados.org/issues/12995?journal_id=611772018-03-21T19:41:50ZPeter Amstutzpeter.amstutz@curii.com
<ul><li><strong>Description</strong> updated (<a title="View differences" href="/journals/61177/diff?detail_id=58300">diff</a>)</li></ul> Arvados - Idea #12995: [Workbench] Allow user to add a new Google account to their Arvados accounthttps://dev.arvados.org/issues/12995?journal_id=611802018-03-21T19:53:36ZPeter Amstutzpeter.amstutz@curii.com
<ul><li><strong>Description</strong> updated (<a title="View differences" href="/journals/61180/diff?detail_id=58303">diff</a>)</li></ul> Arvados - Idea #12995: [Workbench] Allow user to add a new Google account to their Arvados accounthttps://dev.arvados.org/issues/12995?journal_id=611922018-03-21T20:40:51ZPeter Amstutzpeter.amstutz@curii.com
<ul><li><strong>Description</strong> updated (<a title="View differences" href="/journals/61192/diff?detail_id=58312">diff</a>)</li></ul> Arvados - Idea #12995: [Workbench] Allow user to add a new Google account to their Arvados accounthttps://dev.arvados.org/issues/12995?journal_id=611942018-03-21T21:03:49ZTom Morristfmorris@veritasgenetics.com
<ul><li><strong>Related to</strong> deleted (<i><a class="issue tracker-2 status-3 priority-4 priority-default closed parent" href="/issues/12626">Feature #12626</a>: [API] Merge user accounts (redirect=true case)</i>)</li></ul> Arvados - Idea #12995: [Workbench] Allow user to add a new Google account to their Arvados accounthttps://dev.arvados.org/issues/12995?journal_id=611972018-03-21T21:04:06ZTom Morristfmorris@veritasgenetics.com
<ul><li><strong>Blocked by</strong> <i><a class="issue tracker-2 status-3 priority-4 priority-default closed parent" href="/issues/12626">Feature #12626</a>: [API] Merge user accounts (redirect=true case)</i> added</li></ul> Arvados - Idea #12995: [Workbench] Allow user to add a new Google account to their Arvados accounthttps://dev.arvados.org/issues/12995?journal_id=611982018-03-21T21:10:41ZTom Morristfmorris@veritasgenetics.com
<ul><li><strong>Story points</strong> set to <i>3.0</i></li></ul> Arvados - Idea #12995: [Workbench] Allow user to add a new Google account to their Arvados accounthttps://dev.arvados.org/issues/12995?journal_id=611992018-03-21T21:22:59ZPeter Amstutzpeter.amstutz@curii.com
<ul><li><strong>Description</strong> updated (<a title="View differences" href="/journals/61199/diff?detail_id=58319">diff</a>)</li></ul> Arvados - Idea #12995: [Workbench] Allow user to add a new Google account to their Arvados accounthttps://dev.arvados.org/issues/12995?journal_id=619432018-04-18T15:43:37ZTom Morristfmorris@veritasgenetics.com
<ul><li><strong>Target version</strong> changed from <i>To Be Groomed</i> to <i>Arvados Future Sprints</i></li></ul> Arvados - Idea #12995: [Workbench] Allow user to add a new Google account to their Arvados accounthttps://dev.arvados.org/issues/12995?journal_id=620822018-04-25T14:56:11ZTom Morristfmorris@veritasgenetics.com
<ul><li><strong>Target version</strong> changed from <i>Arvados Future Sprints</i> to <i>2018-05-09 Sprint</i></li></ul> Arvados - Idea #12995: [Workbench] Allow user to add a new Google account to their Arvados accounthttps://dev.arvados.org/issues/12995?journal_id=621172018-04-25T15:36:53ZTom Morristfmorris@veritasgenetics.com
<ul><li><strong>Target version</strong> changed from <i>2018-05-09 Sprint</i> to <i>2018-05-23 Sprint</i></li></ul> Arvados - Idea #12995: [Workbench] Allow user to add a new Google account to their Arvados accounthttps://dev.arvados.org/issues/12995?journal_id=625322018-05-09T15:36:57ZPeter Amstutzpeter.amstutz@curii.com
<ul><li><strong>Assigned To</strong> set to <i>Peter Amstutz</i></li></ul> Arvados - Idea #12995: [Workbench] Allow user to add a new Google account to their Arvados accounthttps://dev.arvados.org/issues/12995?journal_id=627272018-05-16T14:32:07ZPeter Amstutzpeter.amstutz@curii.com
<ul><li><strong>Related to</strong> <i><a class="issue tracker-6 status-3 priority-4 priority-default closed" href="/issues/12703">Idea #12703</a>: [Workbench] Self serve account merge</i> added</li></ul> Arvados - Idea #12995: [Workbench] Allow user to add a new Google account to their Arvados accounthttps://dev.arvados.org/issues/12995?journal_id=627772018-05-17T22:12:27ZPeter Amstutzpeter.amstutz@curii.com
<ul></ul><p>12995-wb-merge-acct @ <a class="changeset" title="12995: Can now merge with inactive accounts. Checks that the remaining account is active so user..." href="https://dev.arvados.org/projects/arvados/repository/arvados/revisions/4aa2e9342254971e92b5836a56728015e9cfc714">4aa2e9342254971e92b5836a56728015e9cfc714</a></p>
<p>Adds a /users/link_account page accessible from user menu and on the "inactive user" page.</p>
<ul>
<li>User can choose whether to add a login to the current account, or link the current login to another account</li>
<li>When one of the accounts is inactive, can only merge the login of the inactive account to the active account</li>
</ul>
<p>Manually tested:</p>
<ul>
<li>From existing user, select "Add another login to this account", login as the "new" user, then link accounts.</li>
<li>From new, active user, select "Use this login to access another account", login as "old" user, then link accounts</li>
<li>From new, inactive user, select "Use this login to access another account", login as "old" user, then link accounts.</li>
</ul>
<p>No automated tests. The problem is, this process relies on the SSO server, which the run-tests.sh / workbench test environment doesn't provide. Hard to work around. Could possibly rig something up based on arvbox.</p>
<p>Also:</p>
<p>12995-session-timeout @ commit:21f2ee32fe8fc6391c95b5dcdb59d787629dceff branch on the sso-provider repository.</p>
<ul>
<li>Sets session timeout to 1 second so that users always have to log in (otherwise sessions mess up the "log in as a different user" part of the flow.)</li>
</ul> Arvados - Idea #12995: [Workbench] Allow user to add a new Google account to their Arvados accounthttps://dev.arvados.org/issues/12995?journal_id=627932018-05-18T15:29:52ZLucas Di Pentimalucas.dipentima@curii.com
<ul></ul><ul>
<li>Maybe it would be convenient to add a date on the group name to avoid possible conflicts when the merge action fails after the group is created, or just reuse it.</li>
<li>Using either direction, I get the api error: "supplied API token is not from a trusted client" - API Request URL: <a class="external" href="https://172.17.0.2:8000/arvados/v1/users/merge">https://172.17.0.2:8000/arvados/v1/users/merge</a></li>
<li>Tests done with arvbox</li>
</ul> Arvados - Idea #12995: [Workbench] Allow user to add a new Google account to their Arvados accounthttps://dev.arvados.org/issues/12995?journal_id=628022018-05-18T17:34:30ZLucas Di Pentimalucas.dipentima@curii.com
<ul></ul><ul>
<li>After adding the trusted client setting, manual tests on both directions worked well.</li>
<li>The first bulletpoint from note-16 may be a valid one, just in case there's some transient api server problem.</li>
<li>Is there an explicit way for workbench to ask for the new sso-provider (package dependency)?</li>
<li>Issues that may not be for this review but instead for the api server side:
<ul>
<li>When linking an admin account into a non-admin account left me without admin access</li>
<li>After linking account A into account B, and later on linking account B into account C, when try to login with account A, I get an error like this: <code>{"errors":["#<Exception: identity_url <a href="https://arvadosapi.com/h793v-tpzed-f1svf5ts12yw4c3">h793v-tpzed-f1svf5ts12yw4c3</a> redirects to nonexistent uuid <a href="https://arvadosapi.com/2bs4c-tpzed-2cx7fuz2l783jhi">2bs4c-tpzed-2cx7fuz2l783jhi</a>>"],"error_token":"1526663055+db8a355d"}</code></li>
</ul>
</li>
<li>After clicking any of the linking buttons, the next thing the user sees is a login dialog saying "Your session expired, please sign in again to continue." and I think it can be confusing, if this is not worth correcting on the SSO's side, maybe we could have a message on wb's link account page warning what will happen after clicking.</li>
</ul> Arvados - Idea #12995: [Workbench] Allow user to add a new Google account to their Arvados accounthttps://dev.arvados.org/issues/12995?journal_id=628072018-05-18T18:41:33ZTom Cleggtom@curii.com
<ul></ul><blockquote>
<p>A→B + B→C = error during login</p>
</blockquote>
<p>Can the merge API detect this when B→C is happening, and flatten the tree by changing A→B to A→C?</p>
<blockquote>
<p>admin→non-admin</p>
</blockquote>
<p>Yes, Workbench should warn if you're about to do this, but I suppose we might as well go ahead and do it if you accept/ignore the warning.</p> Arvados - Idea #12995: [Workbench] Allow user to add a new Google account to their Arvados accounthttps://dev.arvados.org/issues/12995?journal_id=628132018-05-18T20:37:47ZPeter Amstutzpeter.amstutz@curii.com
<ul></ul><p>Lucas Di Pentima wrote:</p>
<blockquote>
<ul>
<li>The first bulletpoint from note-16 may be a valid one, just in case there's some transient api server problem.</li>
</ul>
</blockquote>
<p>Added ensure_unique_name: true</p>
<blockquote>
<ul>
<li>Is there an explicit way for workbench to ask for the new sso-provider (package dependency)?</li>
</ul>
</blockquote>
<p>No, there isn't.</p>
<blockquote>
<ul>
<li>Issues that may not be for this review but instead for the api server side:
<ul>
<li>When linking an admin account into a non-admin account left me without admin access</li>
</ul></li>
</ul>
</blockquote>
<p>Fixed workbench so it detects that case and won't let you do that.</p>
<blockquote>
<ul>
<li>After linking account A into account B, and later on linking account B into account C, when try to login with account A, I get an error like this: <code>{"errors":["#<Exception: identity_url <a href="https://arvadosapi.com/h793v-tpzed-f1svf5ts12yw4c3">h793v-tpzed-f1svf5ts12yw4c3</a> redirects to nonexistent uuid <a href="https://arvadosapi.com/2bs4c-tpzed-2cx7fuz2l783jhi">2bs4c-tpzed-2cx7fuz2l783jhi</a>>"],"error_token":"1526663055+db8a355d"}</code></li>
</ul>
</blockquote>
<p>This was an API server bug in following chained redirects. Fixed & added tests.</p>
<blockquote>
<ul>
<li>After clicking any of the linking buttons, the next thing the user sees is a login dialog saying "Your session expired, please sign in again to continue." and I think it can be confusing, if this is not worth correcting on the SSO's side, maybe we could have a message on wb's link account page warning what will happen after clicking.</li>
</ul>
</blockquote>
<p>I noticed that too. I don't really want to mess with the SSO server too much. It might be possible to change the flow to have it go through the logout procedure and then immediately to the login procedure, which would also eliminate the need to upgrade SSO server.</p>
<p>Now @ <a class="changeset" title="12995: Bugfix to support following chained user uuid redirection. Arvados-DCO-1.1-Signed-off-by:..." href="https://dev.arvados.org/projects/arvados/repository/arvados/revisions/6237a718e292de02dc06c2885e4a96260616ce03">6237a718e292de02dc06c2885e4a96260616ce03</a></p>
<p>Still todo: add a documentation page.</p> Arvados - Idea #12995: [Workbench] Allow user to add a new Google account to their Arvados accounthttps://dev.arvados.org/issues/12995?journal_id=628212018-05-21T15:12:57ZPeter Amstutzpeter.amstutz@curii.com
<ul></ul><p>12995-wb-merge-acct e2632a25d3aab230bdc44936fa42a3d27ff15d30</p>
<ul>
<li>Added username to the link accounts page to further disambiguate the two accounts being linked</li>
<li>Added documentation pages</li>
<li>Updated to use a login/logout flow instead of relying on session timeout. However, the SSO server still needs to be updated (see below)</li>
</ul>
<p>12995-session-timeout 4ed380efb64d50a6c74defe74ffef08166f4f0c7</p>
<ul>
<li>Added a "choose" page when more than one provider is configured. Enables users to select between LDAP and Google.</li>
</ul> Arvados - Idea #12995: [Workbench] Allow user to add a new Google account to their Arvados accounthttps://dev.arvados.org/issues/12995?journal_id=628342018-05-21T16:42:43ZPeter Amstutzpeter.amstutz@curii.com
<ul></ul><p>Fix tests @ <a class="changeset" title="12995: Fix tests Arvados-DCO-1.1-Signed-off-by: Peter Amstutz <pamstutz@veritasgenetics.com>" href="https://dev.arvados.org/projects/arvados/repository/arvados/revisions/7f09dd101fd16830a6e7ebd6dee0df7aa023c9e6">7f09dd101fd16830a6e7ebd6dee0df7aa023c9e6</a></p>
<p>Running tests here:</p>
<p><a class="external" href="https://ci.curoverse.com/job/developer-run-tests/720/">https://ci.curoverse.com/job/developer-run-tests/720/</a></p> Arvados - Idea #12995: [Workbench] Allow user to add a new Google account to their Arvados accounthttps://dev.arvados.org/issues/12995?journal_id=628382018-05-21T16:56:55ZLucas Di Pentimalucas.dipentima@curii.com
<ul></ul><p>Manually tested updates on both branches, providing that Jenkins' run goes well, LGTM. Thanks!</p> Arvados - Idea #12995: [Workbench] Allow user to add a new Google account to their Arvados accounthttps://dev.arvados.org/issues/12995?journal_id=628932018-05-23T14:41:58ZPeter Amstutzpeter.amstutz@curii.com
<ul><li><strong>Status</strong> changed from <i>New</i> to <i>Resolved</i></li></ul> Arvados - Idea #12995: [Workbench] Allow user to add a new Google account to their Arvados accounthttps://dev.arvados.org/issues/12995?journal_id=647222018-07-23T18:41:44ZTom Morristfmorris@veritasgenetics.com
<ul><li><strong>Release</strong> set to <i>13</i></li></ul>