Bug 1469173

Summary: [RFE] Automatic group / membership sync from external IdP

Field | Value | Field | Value
---|---|---|---
Product: | OpenShift Container Platform | Reporter: | Ruben Romero Montes <rromerom>
Component: | RFE | Assignee: | Mo <mkhan>
Status: | CLOSED DEFERRED | QA Contact: | Xiaoli Tian <xtian>
Severity: | urgent | Docs Contact: |
Priority: | unspecified | |
Version: | unspecified | CC: | aos-bugs, cshereme, david.sastre, dmoessne, erich, erjones, farandac, haowang, hgomes, jlieskov, jokerman, jpazdziora, knewcomer, liangch, mbarrett, mkhan, mmccomas, mnozell, mwysocki, nagrawal, patrick.andrieux, rabdulra, skuznets, sponnaga, ssorce, sychen, travi
Target Milestone: | --- | |
Target Release: | --- | |
Hardware: | Unspecified | |
OS: | Unspecified | |
Whiteboard: | | |
Fixed In Version: | | Doc Type: | If docs needed, set a value
Doc Text: | | Story Points: | ---
Clone Of: | | Environment: |
Last Closed: | 2019-04-20 19:26:13 UTC | Type: | Bug
Regression: | --- | Mount Type: | ---
Documentation: | --- | CRM: |
Verified Versions: | | Category: | ---
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: |
Cloudforms Team: | --- | Target Upstream Version: |
Embargoed: | | |
Description
Ruben Romero Montes
2017-07-10 15:08:57 UTC

(In reply to Ruben Romero Montes from comment #0)

> After a user logs in for the first time, even though a synchronization has taken place, the user will only belong to the preconfigured groups (e.g. system:authenticated) but not to the groups the user belongs to in the IdP (or IdPs). Then the administrator should need to synchronize the groups again.

I do not think this is accurate. If a group sync is executed, the resulting Group record in OpenShift will contain all users from LDAP, regardless of whether they have logged in previously to OpenShift or not. As soon as a user logs in for the first time, they will have privileges automatically, as they are already listed as a member of the group. The only requisite configuration for this is that users' identity mappings are the same for authentication and authorization (e.g. they are identified by the same LDAP attribute in OpenShift for both systems).

> - A user John belongs to group DEVELOPERS in the external IdP. Group DEVELOPERS already exists in Openshift and has the Admin role on project "Demo". When John logs into Openshift for the first time, he has admin role due to his membership to group DEVELOPERS

If the original group sync occurred when John was in the DEVELOPERS group in LDAP but had not logged in to OpenShift for the first time, as above, this should already work as you describe.

Mo, please take a look and reassign/close as needed.

Please see https://jira.coreos.com/browse/PROD-631

(In reply to Eric Rich from comment #24)

> Please see https://jira.coreos.com/browse/PROD-631

Please reference this RFE instead: https://jira.coreos.com/browse/RFE-106. Thanks!

*** Bug 1762447 has been marked as a duplicate of this bug. ***