Merge branch 'latest' into sync-w-latest

Rakefile

@@ -8,7 +8,7 @@ namespace :docker do
 
   desc "Build docs using docker"
   task :build do
-    exec 'docker run --rm -i -t -v "${PWD}:/doc" -u "$(id -u):$(id -g)" ohiosupercomputer/ood-doc-build make html'
+    exec 'docker run --rm -i -t -v "${PWD}:/doc" -u "$(id -u):$(id -g)" ohiosupercomputer/ood-doc-build:v2.0.0 make html'
   end
 end
 

source/authentication.rst

@@ -40,4 +40,5 @@ No Open OnDemand functionality is available without authentiction.
    authentication/tutorial-oidc-keycloak-rhel7
    authentication/duo-2fa-with-keycloak
    authentication/adfs-with-auth-mellon
+   authentication/nsf-access
    authentication/insecure

source/authentication/nsf-access.rst

@@ -0,0 +1,100 @@
+.. _nsf-access:
+
+NSF ACCESS
+----------
+
+If your site is a part of the `National Science Foundation`_'s (NSF)
+`ACCESS`_ program (formerley `XSEDE`_) you can use their Identity Provider (IDP)
+to authenticate users for your Open OnDemand instance.
+
+OIDC Client Registration
+************************
+
+You should read the `ACCESS IDP documentation`_ on how to register your Open OnDemand
+instance as an Open ID Connect (OIDC) client.
+ACCESS uses `CILogon`_ to provide a bridge from campus authentication, via the InCommon Federation,
+to OAuth/OIDC-based research cyberinfrastructure (CI).
+
+Once you've registered your Open OnDemand instance, you can then configure it accordingly.
+Since `ACCESS`_ uses Open ID Connect (OIDC) you can see our :ref:`oidc documentation <authentication-oidc>`
+for more details on how to configure Open OnDemand with what CILogon has provided in
+registering your application.
+
+Here's an example you can use to get started. Note that ``oidc_client_id`` and ``oidc_client_secret``
+are commented out because they are specific to your site.
+
+.. code-block:: yaml
+  :emphasize-lines: 3-4
+
+  oidc_uri: "/oidc"
+  oidc_provider_metadata_url: "https://cilogon.org/.well-known/openid-configuration"
+  # oidc_client_id: "cilogon:/client_id/..."
+  # oidc_client_secret: "..."
+  oidc_remote_user_claim: "sub"
+  oidc_scope: "openid email profile org.cilogon.userinfo"
+  oidc_session_inactivity_timeout: 28800
+  oidc_session_max_duration: 28800
+  oidc_state_max_number_of_cookies: "10 true"
+  oidc_settings:
+    OIDCPassIDTokenAs: "serialized"
+    OIDCPassRefreshToken: "On"
+    OIDCPassClaimsAs: "environment"
+    OIDCStripCookies: "mod_auth_openidc_session mod_auth_openidc_session_chunks mod_auth_openidc_session_0 mod_auth_openidc_session_1"
+    OIDCAuthRequestParams: "idphint=https%3A%2F%2Faccess-ci.org%2Fidp"
+
+
+Shibboleth and InCommon
+***********************
+
+If your campus already runs Shibboleth authentication, you have an alternative to the Open ID Connect
+configuration above.
+
+The SAML metadata for idp.access-ci.org is published by InCommon and can be downloaded using the 
+Metadata Query (MDQ) Service from https://mdq.incommon.org/entities/https%3A%2F%2Faccess-ci.org%2Fidp . 
+Alternatively, you can download the metadata from https://identity.access-ci.org/access-metadata.xml 
+and configure it in a local file.
+
+See our :ref:`shibboleth documentation <authentication-shibboleth>` for more information on
+Shibboleth authentication.
+
+Mapping Users
+*************
+
+`ACCESS`_ users have allocations on many `ACCESS`_ resource, of which you are one.
+This means they have disparate usernames on all these systems and a unique username
+on _your_ system.
+
+So you'll need an additional utility provided by access `ACCESS`_, namely the
+`access-oauth-mapfile`_.
+
+Follow the instructions to install that utility and you'll get a lookup table
+in ``/etc/grid-security/access-oauth-mapfile`` like so:
+
+.. code-block:: sh
+
+  [email protected] aoakley
+
+
+You can set the `user_map_cmd`_ in ``ood_portal.yml`` to search this file and return
+the local user given the ACCESS username.
+
+.. code-block:: sh
+
+  #!/bin/bash
+
+  MAPPED_USER=$(grep "$1" ./delme.txt | awk '{print $2}')
+  if [[ "$MAPPED_USER" != "" ]]; then
+    echo -n "$MAPPED_USER"
+  else
+    echo "$1-not-found"
+  fi
+
+
+.. _mod_auth_openidc: https://github.com/zmartzone/mod_auth_openidc
+.. _National Science Foundation: https://www.nsf.gov/
+.. _ACCESS: https://access-ci.org/
+.. _XSEDE: https://www.xsede.org/
+.. _ACCESS IDP documentation: https://identity.access-ci.org/about-access-idp
+.. _CILogon: https://www.cilogon.org/faq
+.. _access-oauth-mapfile: https://github.com/access-ci-org/access-oauth-mapfile
+.. _user_map_cmd: ood-portal-generator-user-map-cmd

source/authentication/overview/map-user.rst

@@ -112,6 +112,7 @@ If I were to run and test this script - it would return values like these:
   Jan 19 15:03:14 localhost.localdomain ood-mapping[149352]: cannot map [email protected]
   $
 
+.. _gridmap_user_mapping:
 
 File User Mapping
 -----------------

source/customizations.rst

@@ -332,25 +332,29 @@ If you want to disable file upload altogether, set ``FILE_UPLOAD_MAX`` to 0 and
 the ``nginx_file_upload_max`` configuration alone (or comment it out so the default
 is used).
 
-Whitelist Directories
----------------------
+Block or Allow Directory Access
+-------------------------------
+
+By default, all directories are open and accessible through Open OnDemand (barring POSIX file permissions. Open OnDemand
+can never read files the user cannot read).
 
-By setting a colon delimited WHITELIST_PATH environment variable, the Job Composer, File Editor, and Files app respect the whitelist in the following manner:
+By setting a colon delimited `OOD_ALLOWLIST_PATH` environment variable, the Job Composer, File Editor, and Files app
+respect the allowlist in the following manner:
 
-1. Users will be prevented from navigating to, uploading or downloading, viewing, editing files that is not an eventual child of the whitelisted paths
-2. Users will be prevented from copying a template directory from an arbitrary path in the Job Composer if the arbitrary path that is not an eventual child of the whitelisted paths
+1. Users will be prevented from navigating to, uploading, downloading, viewing, or editing files that are not an eventual child of the allowlisted paths
+2. Users will be prevented from copying a template directory from an arbitrary path in the Job Composer if the arbitrary path that is not an eventual child of the allowlisted paths
 3. Users should not be able to get around this using symlinks
 
 We recommend setting this environment variable in ``/etc/ood/config/nginx_stage.yml`` as a YAML mapping (key value pairs) in the mapping (hash/dictionary) ``pun_custom_env`` i.e. below would whitelist home directories, project space, and scratch space at OSC:
 
 .. code:: yaml
 
    pun_custom_env:
-     WHITELIST_PATH: "/users:/fs/project:/fs/scratch"
+    OOD_ALLOWLIST_PATH: "/users:/fs/project:/fs/scratch"
 
 .. warning:: This is not yet used in production at OSC, so we consider this feature "experimental" for now.
 
-.. warning:: This whitelist is not enforced across every action a user can take in an app (including the developer views in the Dashboard). Also, it is enforced via the apps themselves, which is not as robust as using cgroups on the PUN.
+.. warning:: This allowlist is not enforced across every action a user can take in an app (including the developer views in the Dashboard). Also, it is enforced via the apps themselves, which is not as robust as using cgroups on the PUN.
 
 .. _set-default-ssh-host:
 

source/installation/install-software.rst

@@ -22,6 +22,12 @@ Some operating systems use `Software Collections`_ to satisfy these.
    Be sure to check :ref:`Supported Operating Systems <os-support>` before proceeding with install to verify
    you are on a supported operating system.
 
+..  warning::
+
+  If you are an administrator responsible for Open OnDemand, you are now an administrator of
+  Apache Httpd as well.  As such, you should get comfortable with it as from time to time you will
+  have to troubleshoot it.
+
 1. Enable Dependencies
 ----------------------
 
@@ -143,6 +149,21 @@ You may also want to :ref:`enable SELinux <modify-system-security>`.
 If you're seeing the default apache page (Ubuntu users will) you will have to :ref:`debug virtualhosts <show-virtualhosts>`
 and likely :ref:`configure a servername <ood-portal-generator-servername>`.
 
+Building From Source
+--------------------
+
+Building from source is left as an exercise to the reader. 
+
+It's not particularly difficult to build the code, but installing it with all the various files is. Should you be interested, 
+review the ``Dockerfile`` and packaging specs for what would be involved.
+
+- https://github.com/OSC/ondemand/blob/master/Dockerfile
+- https://github.com/OSC/ondemand/tree/master/packaging
+
+If you'd like a package built for a system that we don't currently support, feel free to open a ticket!
+
+- https://github.com/OSC/ondemand/issues/new
+
 .. _software collections: https://www.softwarecollections.org/en/
 .. _apache http server 2.4: https://www.softwarecollections.org/en/scls/rhscl/httpd24/
 .. _ohio supercomputer center: https://www.osc.edu/

source/release-notes/v2.0-release-notes.rst

@@ -23,6 +23,45 @@ Highlights in 2.0:
 - `Memcached Ruby gem available for use in apps`_
 - `Dependency updates`_
 
+Upgrading to v2.0.29
+--------------------
+
+Major Changes
+.............
+
+Require NodeJS 14
+*****************
+
+NodeJS 14 is now required as NodeJS 12 is currently End-Of-Life.
+
+Upgrade directions
+..................
+
+.. tabs::
+
+   .. tab:: RHEL/CentOS 7
+
+      .. code-block:: sh
+
+         sudo yum update ondemand
+
+   .. tab:: RHEL/Rocky Linux 8
+
+      .. code-block:: sh
+
+         sudo dnf module reset nodejs
+         sudo dnf module enable nodejs:14
+         sudo dnf update ondemand
+
+   .. tab:: Ubuntu
+
+      .. code-block:: sh
+
+         wget -O /tmp/ondemand-release-web_2.0.1_all.deb https://apt.osc.edu/ondemand/2.0/ondemand-release-web_2.0.1_all.deb
+         sudo apt -o Dpkg::Options::="--force-confnew" install /tmp/ondemand-release-web_2.0.1_all.deb
+         sudo apt update
+         sudo apt install --only-upgrade ondemand
+
 Upgrading from v1.8
 -------------------
 
@@ -92,7 +131,7 @@ each other, so passenger apps will also need to update their bundler dependencie
 ActiveJobs configuration changes
 ********************************
 
-Because ActiveJobs now integrated with the Dashboard app, configuration files are no longer
+Because ActiveJobs is now integrated with the Dashboard app, configuration files are no longer
 being read from ``/etc/ood/config/apps/activejobs``.
 
 If you have initializers here in this directory, they need to move to
@@ -109,7 +148,7 @@ Because Files app is now integrated with the Dashboard app, configurations
 in ``/etc/ood/config/apps/files`` need to move to ``/etc/ood/config/apps/dashboard`` for
 them to take effect.
 
-The use of the environment variable ``OOD_SHELL`` to hide the Terminal button has been deprecated 
+The use of the environment variable ``OOD_SHELL`` to hide the Terminal button has been deprecated
 and can now be set with the ``files_enable_shell_button`` parameter in the ``/etc/ood/config/ondemand.d/*.yml`` file.
 
 Changes to the interactive cards
@@ -210,7 +249,7 @@ Upgrade directions
       sudo yum clean all
       sudo yum update ondemand
 
-#. (Optional) If using Dex based authentiction, update the ``ondemand-dex`` package.
+#. (Optional) If using Dex based authentication, update the ``ondemand-dex`` package.
 
    .. code-block:: sh
 
@@ -274,7 +313,7 @@ for a particular user.
 
 2.0 now allows sites to pin a grid of application icons to the dashboard for easy access
 and to a subset of apps that you want to feature. The grid layout of application icons
-is is meant to give users a desktop look and feel to the dashboard.
+is meant to give users a desktop look and feel to the dashboard.
 
 There are several strategies available to choose which apps to pin. For example, metadata
 in the app manifests could specify a field_of_science attribute, and then the pinned apps
@@ -295,13 +334,13 @@ See the :ref:`documentation on customizing dashboard layouts <dashboard_custom_l
 Adding metadata to app manifests
 ................................
 
-App manifest files now allow for metedata fields for grouping and diplay in the all apps table.
+App manifest files now allow for metadata fields for grouping and display in the all apps table.
 See :ref:`documentation on manifest files <app-development-manifest>` for more details.
 
 Shell app now has themes
 ........................
 
-The shell app now allows for users to choose a color themes than the default and ships with
+The shell app now allows for users to choose a color theme other than the default and ships with
 thirteen extra themes.
 
 
@@ -322,7 +361,7 @@ Passenger application processes. These are all now served by a single Passenger
 
 This change has the following effects:
 
-- The URL has changed, but redirects from the old URLs should still work for backwards compatibilty.
+- The URL has changed, but redirects from the old URLs should still work for backwards compatibility.
 - The navbar and branding across the dashboard is visible in Active Jobs and File Editor
 - the Active Jobs and Files apps both load without opening a new window
 - the Active Jobs and Files apps load much faster than before