From Fedora Project Wiki
(Add mobiles rendering screenshots)
(→‎What left to be done for a staging instace: Remove packages already in fedora)
 
(27 intermediate revisions by the same user not shown)
Line 21: Line 21:
 
* FAS 3.0 - Desktop rendering
 
* FAS 3.0 - Desktop rendering
 
**[https://laxathom.fedorapeople.org/infra-fp/FAS-3.0/Mockups/ Initial 1rst mockup idea]
 
**[https://laxathom.fedorapeople.org/infra-fp/FAS-3.0/Mockups/ Initial 1rst mockup idea]
:* v0.1
+
**[https://laxathom.fedorapeople.org/infra-fp/FAS-3.0/diagram/fas-3.0-view_hierarchy.png workflow diagram]
<gallery>
 
</gallery>
 
:* v0.5
 
<gallery>
 
</gallery>
 
 
 
* FAS 3.0 - Mobile rendering
 
**v0.5
 
<gallery>
 
File:FAS3.0-v0.5-Mobile-landing_page.png| FAS 3.0 - Landing page
 
File:FAS3.0-v0.5-Mobile-people_list.png| FAS 3.0 - People list
 
File:FAS3.0-v0.5-Mobile-dropdown_menu.png| FAS 3.0 - People list with dropdown-menu
 
</gallery>
 
 
 
== Status ==
 
*
 
  
 
== Goals ==
 
== Goals ==
  
* Move web framwork from TurboGears 1 to Pyramid
+
* Move web framwork from TurboGears 1 (no longer maintained upstream) to Pyramid.
* A real endpoint API
+
* Provide a real/dedicated endpoint API.
* Better membership management/workflows
+
* Provide a better group's membership management/workflows.
* Improved database model
+
* Improved database model/Provide different backend.
* Make it more Fedora agnostic
+
* Make it Fedora agnostic.
* Bring new features
+
* Provide new features (see below).
* A better administration mangement.
+
* Provide a better administration management.
* A dynamic configuration management
+
* Provide a dynamic configuration management.
 +
* Make it Social-network friendly.
  
 
== Features ==
 
== Features ==
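Review bot: In the Goals list, the rewritten first bullet still carries the typo "framwork" from the old line, so fix it to "framework" while the line is being touched. The new bullet "Improved database model/Provide different backend." joins two separate goals with a slash and is the only one not phrased as an imperative; split it into "Improve the database model" and "Provide a different backend" so each goal can be tracked on its own.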
Line 54: Line 39:
 
==== Groups and people visibility ====
 
==== Groups and people visibility ====
  
No need to log in anymore to review groups and people's profile.
+
: No need to log in anymore to review groups and people's profile (only public info will be disapled).
  
 
==== RESTful API ====
 
==== RESTful API ====
  
Provide a dedicated ENDPOINT to retrive accounts' data.
+
: Provide a dedicated ENDPOINT to retrive accounts' data.
Access to this API requires a generated token that people can get from their
+
: Access to this API requires a generated token that people can get from their
profile's page.
+
: profile's page.
 +
 
 +
==== Profile's status ====
 +
 
 +
: We will introduce some new status for workflow we wanted to manage
 +
:* on_vaction: allow contributors to set a better view of their current activity. Also usefull for Fedora-Hub
 +
:* disable: allow contributors to disable their account which will lead a complete revokation of all access on fedora system.
  
 
==== Profile Avatar ====
 
==== Profile Avatar ====
  
People will be able to add an avatar to their profile (from a 3rd party service)
+
: People will be able to add an avatar to their profile (from a 3rd party service)
This avatar will be available to 3rd-party which can use it in their views or more.
+
: This avatar will be available to 3rd-party which can use it in their views or more.
  
 
==== Profile Bio ====
 
==== Profile Bio ====
  
People would be able to write their bio and will be view-able from their
+
: Allow people to write up a bio (view-able from their profile's page).
profile's page.
 
Also available from the API
 
  
 
==== Group 3rd-party binding ====
 
==== Group 3rd-party binding ====
  
As we (Fedora project) has a specific way of using group (i.e providing VCS access and the like)
+
: As we (Fedora project) has a specific way of using group (i.e providing VCS access and the like)
group will provide a way to bind its ACLs to 3rd party in order to retrieve people or to give people
+
: group will provide a way to bind its ACLs to 3rd party in order to retrieve people or to give people
some rights to this 3rd party if its members exist from this 3rd party.
+
: some rights to this 3rd party if its members exist from this 3rd party.
 +
 
 +
: Current target for now is:
  
Current target for now is:
+
:* GitHub organization
 +
:: Admin or group's admin could bind a group to a github organization's team.
 +
:: Which, create github's team if not exist and add its members to it if its members exist on github.
 +
:: If group is VCS related, create a github's repo if not exist already and give its members commit access.
  
* GitHub organization
+
:* Pagure
: Admin or group's admin could bind a group to a github organization's team.
+
:: Same as github for the workflow.
: Which, create github's team if not exist and add its members to it if its members exist on github.
 
: If group is VCS related, create a github's repo if not exist already and give its members commit access.
 
  
 
==== Group ownership ====
 
==== Group ownership ====
  
Group's owner has been renamed to "principal Administrator" as group's admin can now
+
: Group's owner has been renamed to "principal Administrator" as group's admin can now
 +
: pass along their group's ownership to another admin of the same group.
 +
: Account's administrator can do the same.
 +
 
 +
==== Group's status ====
 +
 
 +
: Introducing group's status that admin can manage to better track activities.
 +
:* active
 +
:* inactive: no more sync in between services
 +
:* archive: access revoked
 +
 
 +
==== Group Membership status ====
 +
 
 +
: A new status on membership to better track activities.
 +
:* inactive: no more sync in between services for this member
 +
:* archived: revokes any access this group provides. Also provides a way to track former group members (from the web view).
 +
 
 +
==== Group Membership management ====
  
pass along their group's ownership to another admin of the same group.
+
:* User will be able to join a group without being sponsored or approved by an admin if group hasn't any rules to join.
 +
:* Group role: Admin will be able to choose what kind of role a group can provide from pre-defined one.
 +
:: '''Fact''': Most of our current groups provide a "sponsor" role, which actually make no sense as this role has no effect where this group is being used.
 +
:: Group's Admin can choose which role he/her want to upgrade a member to. No need to go through each role every time.
 +
:: Pre-defined roles we are think about:
 +
::* user
 +
::* editor
 +
::* sponsor
 +
::* moderator
 +
::* administrator
  
Account's administrator can do the same.
+
:* Membership requirement: user will have to proceed through different step (if need to be) in order to get approved based on group requirement such as:
 +
:** '''ssh key:''' if group requires it. Members will receive an email/UI notification to update their profile for this group.
 +
:** '''license agreement:''' same as above.
 +
:** '''2x factor auth:''' same as above.
 +
:** '''Client certificate:''' group's admin will be able to attach a CA to a group and only members of this group will be able to get a client certificate to access target resources.
  
 
==== Settings panel ====
 
==== Settings panel ====
  
Account's admin will have a dashboard where they could
+
: Account's admin will have a dashboard where they could manage account related elements
manage account related elements
+
: An overview with number of registerged people, groups, license, etc.
* people management
+
 
** Remove an account
+
Also, they will be able to:
** Block, disable or archive account
+
:* people management
* groups management
+
:** Remove an account
** Add, edit and remove groups
+
:** Block, disable or archive account
** Block or archive groups
+
:* groups management
* groups' types management
+
:** Add, edit and remove groups
* license agreement management
+
:** Block or archive groups
** Add, edit and remove Licenses
+
:* groups' types management
** Enable license at sign-up which flag the license signing as mandatory
+
:* license agreement management
* private API access management
+
:** Add, edit and remove Licenses
** Generate private token for trusted applications
+
:** Enable license at sign-up which flag the license signing as mandatory
 +
:* private API access management
 +
:** Generate private token for trusted applications
  
 
==== Account activities ====
 
==== Account activities ====
  
A new page where people can review their account's activities
+
: A new page where people can review their account's activities with datetime, events and locations.
with datetime, events and locations.
+
: This feature will basically log every action a contributor made to its account as in it will be able to review the last time he/her logged in and from where.
  
 
==== Connected applications ====
 
==== Connected applications ====
  
* Github
+
:* Github
: Allow people to connect their github account and share their public infos with Fedora services.
+
:: Allow people to connect their github account and share their public infos with Fedora services.
  
* Twitter
+
:* Twitter
: Allow people to connect their twitter account and share their public infos with Fedora service.
+
:: Allow people to connect their twitter account and share their public infos with Fedora service. Enabling twitting fedora info on request.
  
 
==== 2 factors authentication ====
 
==== 2 factors authentication ====
  
* Gauth token
+
This 2 factors auth will be required from every login request (web app including)
Optional 2nd auth wihch once activated, will ask people after entered a valid login+password
+
which mean, if user active it, and want to log in to mediawiki, they will have to enter both login+password then 2nd factor.
their Gauth token to let them in.
+
 
 +
'''Request from [[User:puiterwijk|Patrick]]:''' Add an option which allow trusted apps to request login without 2xfactor auth.
 +
{{admon/note|Note| A group can requires that a 2 factor auth has to be enabled for its members, which mean user won't be approved until they enable this feature.
 +
For approved members, they will received an email ask them to enable it. A time period could be necessary otherwise member will be set as inactive.
 +
}}
  
* Yubikey
+
:* Gauth token or FreeOTP?
This one will not be added as a 2nd auth but as a combo with the login and password (i.e login+password+otp)
+
:: Optional 2nd auth wihch once activated.
(as discussed last flock).
+
 
 +
:* Yubikey
 +
:: This one will not be added as a combo with the login and password (i.e login+password+otp)
 +
:: (as discussed last flock-2014).
 +
 
 +
:* Fido U2F (TBD)
 +
:: Requires a FIDO key and a chrome browser.
 +
:: a plugins for firefox should come out soon though.
  
 
==== LDAP backend ====
 
==== LDAP backend ====
  
Change SQL backend to LDAP's for groups and people management.
+
: Add another users & groups dict by Changing SQL backend to LDAP's for groups and people management.
  
 
== Ideas ==
 
== Ideas ==
 +
 +
 +
== Status ==
 +
 +
* Demo instance:
 +
: '''URL:''' http://fas3-dev.fedorainfracloud.org (poke me on IRC '''#fedora-apps''' if page is blanc)
 +
: '''login:''' jbezorg
 +
: '''pass:''' jbezorg
 +
 +
* Pyramid move [[File:Green_check.png|15px|]]
 +
 +
=== Release 3.0 ===
 +
==== Features (being updating) ====
 +
: REST API
 +
::*Public (user with token)
 +
::: People infos  [[File:Green_check.png|15px|]]
 +
::: Groups infos  [[File:Green_check.png|15px|]]
 +
 +
::*Private (trusted 3rd party with token and secret)
 +
::: Login request [[File:Green_check.png|15px|]]
 +
::: Account permission request that user grant. [[File:Green_check.png|15px|]]
 +
 +
: Registration
 +
::* registration by step [[File:Green_check.png|15px|]]
 +
::* License agreement at registration [[File:Green_check.png|15px|]]
 +
::* Send an email with a generated token to validation email/registration [[File:Green_check.png|15px|]]
 +
 +
: Search
 +
::* Groups [[File:Green_check.png|15px|]]
 +
::* People [[File:Green_check.png|15px|]]
 +
 +
: Group Management [[https://laxathom.fedorapeople.org/infra-fp/FAS-3.0/demo/FAS-3.0-membership_request-demo_20150226.webm demo video]]
 +
::* group hierarchy [[File:Green_check.png|15px|]]
 +
::* Membership request (with visual feedback on status) [[File:Green_check.png|15px|]]
 +
::* Pending requests (also from user's drop-down menu) [[File:Green_check.png|15px|]]
 +
::* List members view with action per members [[File:Green_check.png|15px|]]
 +
::* Group's owner edit-able [[File:Green_check.png|15px|]]
 +
::* Join group when there's no requirements [[File:Green_check.png|15px|]]
 +
::* Github sync/binding [[File:Green_check.png|15px|]]
 +
 +
: People profile's page
 +
::* Avatar [[File:Green_check.png|15px|]]
 +
::* Status update [[File:Green_check.png|15px|]]
 +
::* Bio [[File:Green_check.png|15px|]]
 +
::* Password update [[File:Green_check.png|15px|]]
 +
::* Access token [[File:Green_check.png|15px|]]
 +
::* Account activities [[File:Green_check.png|15px|]]
 +
::* Membership listing with contextual action from a drop-down menu [[File:Green_check.png|15px|]]
 +
 +
: Login failure
 +
::* Lock account on pre-configured x login failure [[File:Green_check.png|15px|]]
 +
::* Lock account for a pre-configured time [[File:Green_check.png|15px|]]
 +
::* Reset password [[File:Green_check.png|15px|]]
 +
 +
: Admin dashboard
 +
::* Create/edit/delete groups [[File:Green_check.png|15px|]]
 +
::* Create/edit/delete group type [[File:Green_check.png|15px|]]
 +
::* Create/edit/delete license agreement [[File:Green_check.png|15px|]]
 +
::* Create/edit/delete Certificate [[File:Green_check.png|15px|]]
 +
::* Edit/delete account [[File:Green_check.png|15px|]]
 +
 +
: Notification
 +
::* Email
 +
::: Group membership (request, removal, join, owner update, group update) [[File:Green_check.png|15px|]]
 +
::: People profile (update, password change, activities)
 +
::: New license agreement
 +
::: New group type
 +
::: New group
 +
::: New Certificate
 +
::* Fedmsg [[File:Green_check.png|15px|]]
 +
 +
==== What left to be done for a staging instace ====
 +
 +
:* Build the test suite.
 +
:* Fas-client upgrade to new API [[File:Green_check.png|15px|]] (Available [https://github.com/fedora-infra/fas-client here])
 +
:* Ipsilon binding
 +
:* python-fedora upgrade to new API [[File:Green_check.png|15px|]] (Available [https://github.com/fedora-infra/python-fedora/tree/feature/fas3_support here])
 +
:* supybot-fedora upgrade to new API [[File:Green_check.png|15px|]] (Available [https://github.com/fedora-infra/supybot-fedora/tree/feature/fas3.0_support here])
 +
:* Fedora staging services update (bodhi, tahir, pkgdb, etc)
 +
:* Package 3rd party libs added to FAS3 (I will add them to copr at first place)
 +
:** cryptacular
 +
:** flufl.enum
 +
:** fake-factory (optional but I want to add it)
 +
 +
==== Desktop rendering ====
 +
:* v0.1
 +
<gallery>
 +
</gallery>
 +
:* v0.5
 +
<gallery>
 +
File:FAS3.0-v0.5-Desktop-landing_page.png| Landing page
 +
File:FAS3.0-v0.5-Desktop-login.png| Login
 +
File:FAS3.0-v0.5-Desktop-people_list.png| People list
 +
File:FAS3.0-v0.5-Desktop-account_activities.png| Account activities
 +
File:FAS3.0-v0.5-Desktop-Account_access.png| Account access
 +
File:FAS3.0-v0.5-Desktop-group_details.png| Group details
 +
</gallery>
 +
 +
==== Mobile rendering ====
 +
:*v0.5
 +
<gallery>
 +
File:FAS3.0-v0.5-Mobile-landing_page.png| FAS 3.0 - Landing page
 +
File:FAS3.0-v0.5-Mobile-people_list.png| FAS 3.0 - People list
 +
File:FAS3.0-v0.5-Mobile-dropdown_menu.png| FAS 3.0 - People list with dropdown-menu
 +
</gallery>
 +
 +
=== Release 3.1 ===
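Review bot: In the "2 factors authentication" section, the rewritten Yubikey line now reads "This one will not be added as a combo with the login and password", while the line it replaces said it would not be added "as a 2nd auth but as a combo"; dropping those words reverses the statement, so restore them if the login+password+otp design still stands. The Gauth line was also cut to "Optional 2nd auth wihch once activated." and no longer says what happens once it is activated, and it now sits under a new sentence saying the second factor "will be required from every login request"; state which of optional or required applies and to whom. The new Status section lists a demo login and password next to an http:// URL; note on the page that the account is a throwaway demo account so readers do not take it for a real one.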

Latest revision as of 10:13, 26 August 2015

This is a draft
This is a draft of potential features for FAS v3.0. It is meant to spawn discussion and will most likely evolve in the future.


Mockups

  • FAS 2 as reference


Goals

  • Move the web framework from TurboGears 1 (no longer maintained upstream) to Pyramid.
  • Provide a real/dedicated endpoint API.
  • Provide better group membership management/workflows.
  • Improve the database model/provide a different backend.
  • Make it Fedora agnostic.
  • Provide new features (see below).
  • Provide better administration management.
  • Provide dynamic configuration management.
  • Make it social-network friendly.

Features

Groups and people visibility

Logging in is no longer needed to view groups and people's profiles (only public info will be displayed).

RESTful API

Provide a dedicated endpoint to retrieve accounts' data.
Access to this API requires a generated token that people can get from their profile page.

Profile's status

We will introduce some new statuses for workflows we want to manage:
  • on_vaction: allows contributors to give a better view of their current activity. Also useful for Fedora-Hub.
  • disable: allows contributors to disable their account, which will lead to a complete revocation of all access on the Fedora system.

Profile Avatar

People will be able to add an avatar to their profile (from a 3rd-party service).
This avatar will be available to 3rd parties, which can use it in their views or more.

Profile Bio

Allow people to write up a bio (view-able from their profile's page).

Group 3rd-party binding

As we (the Fedora Project) have a specific way of using groups (i.e. providing VCS access and the like), a group will provide a way to bind its ACLs to a 3rd party, in order to retrieve people from it or to give people some rights on this 3rd party if the group's members exist there.
Current targets for now are:
  • GitHub organization
    An admin or group admin can bind a group to a GitHub organization's team. This creates the GitHub team if it does not exist and adds the group's members to it if they exist on GitHub. If the group is VCS related, it creates a GitHub repo if one does not already exist and gives the group's members commit access.
  • Pagure
    Same workflow as for GitHub.

Group ownership

The group owner has been renamed to "principal Administrator", as a group's admin can now pass the group's ownership along to another admin of the same group.
An account administrator can do the same.

Group's status

Introducing group's status that admin can manage to better track activities.
  • active
  • inactive: no more sync in between services
  • archive: access revoked

Group Membership status

A new status on membership to better track activities.
  • inactive: no more sync in between services for this member
  • archived: revokes any access this group provides. Also provides a way to track former group members (from the web view).

Group Membership management

  • User will be able to join a group without being sponsored or approved by an admin if group hasn't any rules to join.
  • Group role: an admin will be able to choose which kinds of roles a group can provide, from pre-defined ones.
    Fact: most of our current groups provide a "sponsor" role, which actually makes no sense, as this role has no effect where the group is being used.
    A group's admin can choose which role they want to upgrade a member to. No need to go through each role every time.
    Pre-defined roles we are thinking about:
  • user
  • editor
  • sponsor
  • moderator
  • administrator
  • Membership requirement: users will have to go through different steps (if need be) in order to get approved, based on group requirements such as:
    • ssh key: if group requires it. Members will receive an email/UI notification to update their profile for this group.
    • license agreement: same as above.
    • 2x factor auth: same as above.
    • Client certificate: group's admin will be able to attach a CA to a group and only members of this group will be able to get a client certificate to access target resources.

Settings panel

Account admins will have a dashboard where they can manage account-related elements,
with an overview of the number of registered people, groups, licenses, etc.

Also, they will be able to:

  • people management
    • Remove an account
    • Block, disable or archive account
  • groups management
    • Add, edit and remove groups
    • Block or archive groups
  • groups' types management
  • license agreement management
    • Add, edit and remove Licenses
    • Enable license at sign-up which flag the license signing as mandatory
  • private API access management
    • Generate private token for trusted applications

Account activities

A new page where people can review their account's activities, with datetime, events and locations.
This feature will basically log every action contributors make on their account, so that they can review, for example, the last time they logged in and from where.

Connected applications

  • GitHub
    Allow people to connect their GitHub account and share their public info with Fedora services.
  • Twitter
    Allow people to connect their Twitter account and share their public info with Fedora services. Enables tweeting Fedora info on request.

2 factors authentication

This 2-factor auth will be required for every login request (web apps included), which means that if users activate it and want to log in to MediaWiki, they will have to enter both login+password and then the 2nd factor.

Request from Patrick: Add an option which allows trusted apps to request login without 2-factor auth.

Note: A group can require that 2-factor auth be enabled for its members, which means users won't be approved until they enable this feature. Approved members will receive an email asking them to enable it. A time period could be necessary; otherwise the member will be set as inactive.

  • Gauth token or FreeOTP?
    Optional 2nd auth which once activated.
  • Yubikey
    This one will not be added as a combo with the login and password (i.e. login+password+otp)
    (as discussed at Flock 2014).
  • Fido U2F (TBD)
    Requires a FIDO key and a Chrome browser.
    A plugin for Firefox should come out soon, though.
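
The membership requirement steps and the 2-factor note above, sketched as an added example; this is not FAS code. The class and function names, the "pending" and "approved" status names and the 14-day grace period are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum


class Status(Enum):
    PENDING = "pending"    # assumed name: request waiting on requirements/approval
    APPROVED = "approved"  # assumed name: active membership
    INACTIVE = "inactive"  # page: no more sync between services for this member
    ARCHIVED = "archived"  # page: revokes any access this group provides


@dataclass
class Profile:
    ssh_key: bool = False
    license_agreement: bool = False
    two_factor: bool = False


@dataclass
class Group:
    name: str
    requires: frozenset = frozenset()      # subset of the Profile field names
    grace: timedelta = timedelta(days=14)  # assumed length of the "time period"


def missing(group, profile):
    """Requirements the profile does not meet yet, in a stable order."""
    return sorted(r for r in group.requires if not getattr(profile, r))


def join(group, profile):
    """A group without rules is joined directly; otherwise the request waits."""
    return Status.APPROVED if not group.requires else Status.PENDING


def review_member(group, profile, status, notified_at, now):
    """Apply a requirement added after approval (e.g. 2-factor auth)."""
    if status is not Status.APPROVED:
        return status                      # only approved members are downgraded
    if missing(group, profile) and now - notified_at > group.grace:
        return Status.INACTIVE             # grace period after the email expired
    return status


def is_synced(status):
    """Only approved memberships are pushed to bound services."""
    return status is Status.APPROVED


if __name__ == "__main__":
    # Constructed sample data: a group that starts requiring 2-factor auth.
    group = Group("packager", frozenset({"ssh_key", "two_factor"}))
    member = Profile(ssh_key=True)
    now = datetime(2015, 8, 26)
    print(missing(group, member))
    print(review_member(group, member, Status.APPROVED, now - timedelta(days=20), now))
```
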

LDAP backend

Add another users & groups dict by changing the SQL backend to LDAP for groups and people management.

Ideas

Status

  • Demo instance:
    URL: http://fas3-dev.fedorainfracloud.org (poke me on IRC #fedora-apps if the page is blank)
    login: jbezorg
    pass: jbezorg
  • Pyramid move ✓

Release 3.0

Features (being updated)

REST API
  • Public (user with token)
    • People infos ✓
    • Groups infos ✓
  • Private (trusted 3rd party with token and secret)
    • Login request ✓
    • Account permission request that the user grants ✓
Registration
  • Registration by step ✓
  • License agreement at registration ✓
  • Send an email with a generated token to validate email/registration ✓
Search
  • Groups ✓
  • People ✓
Group Management (demo video: https://laxathom.fedorapeople.org/infra-fp/FAS-3.0/demo/FAS-3.0-membership_request-demo_20150226.webm)
  • Group hierarchy ✓
  • Membership request (with visual feedback on status) ✓
  • Pending requests (also from user's drop-down menu) ✓
  • List members view with action per member ✓
  • Group's owner edit-able ✓
  • Join group when there are no requirements ✓
  • GitHub sync/binding ✓
People profile's page
  • Avatar ✓
  • Status update ✓
  • Bio ✓
  • Password update ✓
  • Access token ✓
  • Account activities ✓
  • Membership listing with contextual action from a drop-down menu ✓
Login failure
  • Lock account on pre-configured x login failures ✓
  • Lock account for a pre-configured time ✓
  • Reset password ✓
Admin dashboard
  • Create/edit/delete groups ✓
  • Create/edit/delete group type ✓
  • Create/edit/delete license agreement ✓
  • Create/edit/delete Certificate ✓
  • Edit/delete account ✓
Notification
  • Email
    • Group membership (request, removal, join, owner update, group update) ✓
    • People profile (update, password change, activities)
    • New license agreement
    • New group type
    • New group
    • New Certificate
  • Fedmsg ✓

What is left to be done for a staging instance

  • Build the test suite.
  • Fas-client upgrade to new API ✓ (available at https://github.com/fedora-infra/fas-client)
  • Ipsilon binding
  • python-fedora upgrade to new API ✓ (available at https://github.com/fedora-infra/python-fedora/tree/feature/fas3_support)
  • supybot-fedora upgrade to new API ✓ (available at https://github.com/fedora-infra/supybot-fedora/tree/feature/fas3.0_support)
  • Fedora staging services update (bodhi, tahir, pkgdb, etc.)
  • Package 3rd-party libs added to FAS3 (I will add them to copr in the first place)
    • cryptacular
    • flufl.enum
    • fake-factory (optional but I want to add it)

Desktop rendering

  • v0.1
  • v0.5

Mobile rendering

  • v0.5

Release 3.1