This repository has been archived by the owner on Dec 16, 2019. It is now read-only.

REMS/AAI integration with LocalEGA #311

Closed
blankdots opened this issue Jun 28, 2018 · 6 comments

blankdots commented Jun 28, 2018

Description

As part of M3 (milestone), "REMS integrated for managing access permissions to datasets that are not part of the EGA", we are aiming to integrate REMS + AAI + LocalEGA.

A solution could be a proxy that translates requests from Elixir AAI to REMS.

https://github.com/CSCfi/rems
https://rems2docs.rahtiapp.fi/

DoD (Definition of Done)

Proxy retrieves permissions for a user.

Testing

Use a REMS instance (local or remote) and (mock) an Elixir AAI request; the proxy should retrieve the permissions of a user added to the REMS database.

@blankdots blankdots changed the title REMS integration with LocalEGA REMS/AAI integration with LocalEGA Jun 28, 2018
@blankdots blankdots added the REMS label Jun 28, 2018
@blankdots blankdots added this to the Sprint 34 milestone Aug 13, 2018
@teemukataja
Collaborator

[Image: earp-small]

Example

1

ELIXIR AAI sends GET request to Proxy

GET https://PROXY/entitlements
headers = {"elixir-id": string,
           "api-key": string}

Store api-key on PROXY and send only elixir-id? Or send both from ELIXIR AAI to PROXY?

2

Proxy sends GET request to REMS

GET https://REMS/api/entitlements
headers = {"x-rems-api-key": string,
           "x-rems-user-id": string}

ISSUE: How to get x-rems-user-id with elixir-id? In testing the REMS user ID could be the same as ELIXIR user ID.

3

REMS sends a response to Proxy

response = [{"resource": string,
             "application-id": int,
             "start": string,
             "mail": string}]

4

Proxy sends a response to ELIXIR AAI

response = [{"resource": string,
             "application-id": int,
             "start": string,
             "mail": string}]

QUESTION: What are start and mail? Date of permission start and owner email?

@teemukataja teemukataja self-assigned this Aug 13, 2018
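
The four-step exchange in the comment above, sketched as an added Python example; it is not the project's proxy.py and not code from this thread. It assumes the REMS key stays on the proxy while callers present a separate key (one possible answer to the step 1 question), and that only the four listed response fields are relayed; key values, function names and the sample response are constructed.

```python
import hmac

# Assumptions (not from the thread): the proxy holds its own REMS key and a
# separate key that callers present; both values here are constructed.
CALLER_API_KEY = "caller-key-constructed"
REMS_API_KEY = "rems-key-constructed"
REMS_URL = "https://REMS/api/entitlements"  # placeholder host, as in the thread
ENTITLEMENT_FIELDS = ("resource", "application-id", "start", "mail")


def build_rems_request(inbound_headers):
    """Steps 1-2: authenticate the caller, then build the upstream request.

    Returns (status, request); request is None unless status is 200.
    """
    headers = {k.lower(): v for k, v in inbound_headers.items()}
    presented = headers.get("api-key", "")
    elixir_id = headers.get("elixir-id", "")
    # Constant-time comparison avoids leaking key bytes through timing.
    if not hmac.compare_digest(presented.encode(), CALLER_API_KEY.encode()):
        return 401, None
    # Reject empty ids and control characters that could split a header.
    if not elixir_id or any(ord(c) < 0x20 or ord(c) == 0x7F for c in elixir_id):
        return 400, None
    # The thread expects the REMS user ID to equal the ELIXIR user ID.
    return 200, {"method": "GET", "url": REMS_URL,
                 "headers": {"x-rems-api-key": REMS_API_KEY,
                             "x-rems-user-id": elixir_id}}


def relay_entitlements(rems_body):
    """Steps 3-4: pass on only the four listed fields of each entry."""
    return [{f: e[f] for f in ENTITLEMENT_FIELDS if f in e} for e in rems_body]


if __name__ == "__main__":
    status, req = build_rems_request({"elixir-id": "alice",
                                      "api-key": CALLER_API_KEY})
    print(status, req["headers"]["x-rems-user-id"])
    # Constructed REMS response with one extra field that is not relayed.
    sample = [{"resource": "urn:example:dataset1", "application-id": 12,
               "start": "2018-08-23T10:00:00Z", "mail": "alice@example.org",
               "internal-note": "x"}]
    print(relay_entitlements(sample))
```
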
@blankdots
Author

blankdots commented Aug 23, 2018

How to connect services to Elixir AAI https://docs.google.com/document/d/1ihb0hH2YJqSCPZS0syVpvAOeQP1HTxdf_XMsZZLe_W0/edit#

Preferred username is equivalent to eduPersonPrincipalName (EPPN) according to https://docs.google.com/document/d/1hD0lsxotLvPaML_CSydVX6rJ-zogAH2nRVl4ax4gW1o/edit#heading=h.9y9s22xyiwk1

How to get x-rems-user-id with elixir-id? In testing the REMS user ID could be the same as ELIXIR user ID.

It seems that they will always be the same.

Next task would be to install a test instance of REMS and mock a call from ELIXIR AAI to get some resource permissions.

@teemukataja
Collaborator

[Image: elixir-rems-proxy-2]

Video demo of the picture above.

@teemukataja
Collaborator

teemukataja commented Aug 23, 2018

Video demo of the proxy calling the actual REMS API.

  • NOTE: There is a bug in the REMS API, so for now we have to make the request from the developer user and filter the results with the query parameter user=.
  • NOTE: When we move on to test REMS with actual ELIXIR user IDs, the database must be populated manually, but the REMS-Team will develop a PUT-API in the future for creating new users in the database.

How to perform this test:

  • Install REMS, follow the instructions.
  • Populate REMS postgres with test data using lein run test-data.
  • Launch the proxy.py from here.
  • Call the proxy with curl -H "api-key: 42" -H "elixir-id: developer" localhost:5001/entitlements?user=alice

@jrambla

jrambla commented Sep 5, 2018

I would like to better understand the purpose and scope of this feature.

@blankdots
Author

Considering the date this issue was created, it is a result of the F2F meeting (and discussions) from 26-27 June 2018.
@jrambla we have a Milestone (namely M3 "REMS integrated for managing access permissions to datasets that are not part of the EGA") as part of D-1 Tryggve2; this issue aims to move forward towards completing this milestone.
