Merge pull request #539 from chrisburr/add-more-docs

Add more docs

Author: chaen

.pre-commit-config.yaml

@@ -53,6 +53,7 @@ repos:
     - id: mdformat
       args: ["--number"]
       additional_dependencies:
+      - mdformat-mkdocs
       - mdformat-gfm
       - mdformat-black
 

docs/SECURITY.md

@@ -11,65 +11,63 @@
 
 1. Log in to your VO’s IdP instance.
 2. Create a new OIDC client with:
-   - **Client secret**: _none_
-   - **Redirect URIs**:
-     ```
-     https://<your‑diracx‑url>/api/auth/authorize/complete
-     ```
-   - **Grant type**: `authorization_code`
-   - **Scope**: at minimum `openid`, `profile` and `email`
+    - **Client secret**: _none_
+    - **Redirect URIs**:
+        ```
+        https://<your‑diracx‑url>/api/auth/authorize/complete
+        ```
+    - **Grant type**: `authorization_code`
+    - **Scope**: at minimum `openid`, `profile` and `email`
 
 ### 2. Configure DiracX
 
 1. In your DIRAC CS, add under `DiracX > CsSync > VOs > <VO> > IdP`:
 
-   ```yaml
-   DiracX
-   {
-     CsSync
-     {
-       VOs
-       {
-         <VO>
-         {
-           IdP
-           {
-             ClientID = "<OIDC‑client‑ID>"
-             URL = "https://<your‑idp‑instance>/"
-           }
-         }
-       }
-     }
-   }
-   ```
+    ```yaml
+    DiracX
+    {
+      CsSync
+      {
+        VOs
+        {
+          <VO>
+          {
+            IdP
+            {
+              ClientID = "<OIDC‑client‑ID>"
+              URL = "https://<your‑idp‑instance>/"
+            }
+          }
+        }
+      }
+    }
+    ```
 
 2. To add specific users, list their subject‑IDs under `UserSubjects`:
 
-   ```yaml
-   DiracX
-   {
-     CsSync
-     {
-       VOs
-       {
-         <VO>
-         {
-           UserSubjects
-           {
-             <username from dirac> = <user id from the IdP instance>
-             ...
-           }
-         }
-       }
-     }
-   }
-   ```
-
-   !!! note
-
-   ```
+    ```yaml
+    DiracX
+    {
+      CsSync
+      {
+        VOs
+        {
+          <VO>
+          {
+            UserSubjects
+            {
+              <username from dirac> = <user id from the IdP instance>
+              ...
+            }
+          }
+        }
+      }
+    }
+    ```
+
+!!! note
+
     User IDs are associated to the usernames that are defined in the `Registry > Users` section. This allows DiracX to retrieve the groups they belong to and their properties.
-   ```
 
 After saving, you should sync the configuration with DiracX. Dirac Groups and properties should then be associated to users defined in the `DiracX` section.
 See [Convert CS](./convert-cs.md) for next steps.

docs/admin/how-to/register-a-vo.md

@@ -12,85 +12,85 @@ We currently support [Indigo IAM](https://indigo-iam.github.io/) and [dex](https
 
 1. Log in to your VO’s IdP instance (e.g. Indigo IAM).
 2. Create a new OIDC client with:
-   - **Client secret**: _none_
-   - **Redirect URIs**:
-     ```
-     https://<your‑diracx‑url>/api/auth/authorize/complete
-     ```
-   - **Grant type**: `authorization_code`
-   - **Scope**: at minimum `openid`, `profile` and `email`
+    - **Client secret**: _none_
+    - **Redirect URIs**:
+        ```
+        https://<your‑diracx‑url>/api/auth/authorize/complete
+        ```
+    - **Grant type**: `authorization_code`
+    - **Scope**: at minimum `openid`, `profile` and `email`
 
 ## 2. Configure DiracX
 
 1. In your DIRAC CS, add under `DiracX > CsSync > VOs > <VO> > IdP`:
 
-   ```yaml
-   DiracX
-   {
-     CsSync
-     {
-       VOs
-       {
-         diracx_admin
-         {
-           IdP
-           {
-             ClientID = "<OIDC‑client‑ID>"
-             URL = "https://<your‑idp‑instance>/"
-           }
-         }
-       }
-     }
-   }
-   ```
+    ```yaml
+    DiracX
+    {
+      CsSync
+      {
+        VOs
+        {
+          diracx_admin
+          {
+            IdP
+            {
+              ClientID = "<OIDC‑client‑ID>"
+              URL = "https://<your‑idp‑instance>/"
+            }
+          }
+        }
+      }
+    }
+    ```
 
 2. Add an admin group to the `Registry`:
 
-   ```yaml
-   Registry
-   {
-     Groups
-     {
-       diracx_admin
-       {
-         Users = <username from dirac>
-         VO = diracx_admin
-         Properties = Operator
-         Properties += FullDelegation
-         Properties += ProxyManagement
-         Properties += ServiceAdministrator
-         Properties += JobAdministrator
-         Properties += CSAdministrator
-         Properties += AlarmsManagement
-         Properties += FileCatalogManagement
-         Properties += SiteManager
-       }
-     }
-   }
-   ```
+    ```yaml
+    Registry
+    {
+      Groups
+      {
+        diracx_admin
+        {
+          Users = <username from dirac>
+          VO = diracx_admin
+          Properties = Operator
+          Properties += FullDelegation
+          Properties += ProxyManagement
+          Properties += ServiceAdministrator
+          Properties += JobAdministrator
+          Properties += CSAdministrator
+          Properties += AlarmsManagement
+          Properties += FileCatalogManagement
+          Properties += SiteManager
+        }
+      }
+    }
+    ```
 
 3. To add specific users, list their subject‑IDs under `UserSubjects`:
 
-   ```yaml
-   DiracX
-   {
-     CsSync
-     {
-       VOs
-       {
-         diracx_admin
-         {
-           UserSubjects
-           {
-             <username from dirac> = <user id from the IdP instance>
-             ...
-           }
-           DefaultGroup = diracx_admin
-         }
-       }
-     }
-   }
-   ```
+    ```yaml
+    DiracX
+    {
+      CsSync
+      {
+        VOs
+        {
+          diracx_admin
+          {
+            UserSubjects
+            {
+              <username from dirac> = <user id from the IdP instance>
+              ...
+            }
+            DefaultGroup = diracx_admin
+          }
+        }
+      }
+    }
+    ```
 
 After saving, you should sync the configuration with DiracX.
 See [Convert CS](./convert-cs.md) for next steps.

docs/admin/how-to/register-the-admin-vo.md

@@ -6,39 +6,39 @@ Version: v0.9.0
 
 1. [Introduction](#introduction)
 
-   - [Terms and Definitions](#terms-and-definitions)
+    - [Terms and Definitions](#terms-and-definitions)
 
 2. [DiracX Authorisation and Authentication](#diracx-authorisation-and-authentication)
 
-   - [User and Group Management](#user-and-group-management)
-   - [Lifetime](#lifetime)
-   - [Token Profile](#token-profile)
-   - [Signature Verification](#signature-verification)
-   - [Issuance](#issuance)
-     - [Supported Authorisation Flows](#supported-authorisation-flows)
-   - [Pilot Jobs](#pilot-jobs)
-   - [Installation Administrators](#installation-administrators)
+    - [User and Group Management](#user-and-group-management)
+    - [Lifetime](#lifetime)
+    - [Token Profile](#token-profile)
+    - [Signature Verification](#signature-verification)
+    - [Issuance](#issuance)
+        - [Supported Authorisation Flows](#supported-authorisation-flows)
+    - [Pilot Jobs](#pilot-jobs)
+    - [Installation Administrators](#installation-administrators)
 
 3. [External Authorization and Authentication](#external-authorization-and-authentication)
 
-   - [Storage Access](#storage-access)
-   - [Computing Resources](#computing-resources)
+    - [Storage Access](#storage-access)
+    - [Computing Resources](#computing-resources)
 
 4. [Network Communication](#network-communication)
 
-   - [Certificate Signing](#certificate-signing)
+    - [Certificate Signing](#certificate-signing)
 
 5. [Threat Analysis](#threat-analysis)
 
-   - [Compromised External IdP](#compromised-external-idp)
-   - [Compromised Batch Submission System](#compromised-batch-submission-system)
-   - [Compromised Worker Node](#compromised-worker-node)
-   - [Compromised Refresh Token](#compromised-refresh-token)
-   - [Compromised User Identity](#compromised-user-identity)
-   - [Compromised JWK](#compromised-jwk)
-   - [Compromised DB](#compromised-db)
-   - [Compromised Hosts](#compromised-hosts)
-   - [Malicious Legitimate User](#malicious-legitimate-user)
+    - [Compromised External IdP](#compromised-external-idp)
+    - [Compromised Batch Submission System](#compromised-batch-submission-system)
+    - [Compromised Worker Node](#compromised-worker-node)
+    - [Compromised Refresh Token](#compromised-refresh-token)
+    - [Compromised User Identity](#compromised-user-identity)
+    - [Compromised JWK](#compromised-jwk)
+    - [Compromised DB](#compromised-db)
+    - [Compromised Hosts](#compromised-hosts)
+    - [Malicious Legitimate User](#malicious-legitimate-user)
 
 6. [Legacy Compatibility and Migration](#legacy-compatibility-and-migration)
 
@@ -275,14 +275,14 @@ In the event of malicious activity, refer to existing procedures in addition to
 - v0.1.0 (2023-06-07): Initial draft for internal review.
 - v0.2.0 (2023-06-12): Add glossary of common terms.
 - v0.3.0 (2023-06-27):
-  - Define Identity
-  - Specify token issuer
-  - Change property to capability
-  - Add diagram of the role of the external IdP, DiracX and the user
+    - Define Identity
+    - Specify token issuer
+    - Change property to capability
+    - Add diagram of the role of the external IdP, DiracX and the user
 - v0.9.0 (2023-10-11):
-  - Specify traceability consideration
-  - Specify reference of the registered claim
-  - `vo` field in the token may change if it becomes a standard
-  - Better description of alternative mechanism to issue a token
-  - Explicit the reason for not needing to issue `id_token`
-  - Recommend to contact VO admins in case of compromission
+    - Specify traceability consideration
+    - Specify reference of the registered claim
+    - `vo` field in the token may change if it becomes a standard
+    - Better description of alternative mechanism to issue a token
+    - Explicit the reason for not needing to issue `id_token`
+    - Recommend to contact VO admins in case of compromission