Bug 1469173

Summary: [RFE] Automatic group / membership sync from external IdP
Product: OpenShift Container Platform
Component: RFE
Version: unspecified
Hardware: Unspecified
OS: Unspecified
Status: CLOSED DEFERRED
Severity: urgent
Priority: unspecified
Target Milestone: ---
Target Release: ---
Reporter: Ruben Romero Montes <rromerom>
Assignee: Mo <mkhan>
QA Contact: Xiaoli Tian <xtian>
CC: aos-bugs, cshereme, david.sastre, dmoessne, erich, erjones, farandac, haowang, hgomes, jlieskov, jokerman, jpazdziora, knewcomer, liangch, mbarrett, mkhan, mmccomas, mnozell, mwysocki, nagrawal, patrick.andrieux, rabdulra, skuznets, sponnaga, ssorce, sychen, travi
Doc Type: If docs needed, set a value
Story Points: ---
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Last Closed: 2019-04-20 19:26:13 UTC

Description Ruben Romero Montes 2017-07-10 15:08:57 UTC
From the RFE template:

> 3. What is the nature and description of the request?  

Group synchronization is only possible through a manual intervention or through a scheduled job that needs to be configured by the administrators (e.g. CronJobs).
This only allows synchronization from an external LDAP and not from any other IdP supporting Groups and memberships, like RH SSO.

After a user logs in for the first time, even though a synchronization has taken place, the user will only belong to the preconfigured groups (e.g. system:authenticated) but not to the groups the user belongs to in the IdP (or IdPs). The administrator would then need to synchronize the groups again.

> 4. Why does the customer need this? (List the business requirements here)  

The customer has an Active Directory with more than 18,000 groups and also an RH SSO with this Active Directory configured, and would like to simplify and automate the synchronization after a membership is modified, a user is created, or a user logs into OpenShift for the first time.

> 5. How would the customer like to achieve this? (List the functional requirements here)  

- As a user existing in the external IdP and belonging to group A, I would like to belong to the same group after logging into OpenShift for the first time.
- As an administrator, I would like to be able to automate the group/membership synchronization or simplify it through configuration.
- As an administrator, I would like to be able to synchronize groups/memberships from RH SSO.

> 6. For each functional requirement listed, specify how Red Hat and the customer can test to confirm the requirement is successfully implemented.  

- A user John belongs to group DEVELOPERS in the external IdP. Group DEVELOPERS already exists in OpenShift and has the Admin role on project "Demo". When John logs into OpenShift for the first time, he has the admin role due to his membership in group DEVELOPERS.
- In the IdentityProviders configuration of the master-config.yaml file, the administrator can configure whether the groups should be synchronized automatically and provide a frequency in cron format.
- OpenShift configured with RH SSO as one of its external IdPs should be able to synchronize the existing groups of the realm used and all the existing memberships.

> 10. List any affected packages or components.  
Auth

Comment 2 Steve Kuznetsov 2017-07-10 17:22:20 UTC
(In reply to Ruben Romero Montes from comment #0)
> After a user logs in for the first time, even though a synchronization has
> taken place, the user will only belong to the preconfigured groups (e.g.
> system:authenticated) but not to the groups the user belongs to in the IdP
> (or IdPs). Then the administrator should need to synchronize the groups
> again.

I do not think this is accurate. If a group sync is executed, the resulting Group record in OpenShift will contain all users from LDAP, regardless of whether they have logged in previously to OpenShift or not. As soon as a user logs in for the first time, they will have privileges automatically, as they are already listed as a member of the group.

The only requisite configuration for this is that users' identity mappings are the same for authentication and authorization (e.g. they are identified by the same LDAP attribute in OpenShift for both systems).

> - A user John belongs to group DEVELOPERS in the external IdP. Group 
> DEVELOPERS already exists in Openshift and has the Admin role on project 
> "Demo". When John logs into Openshift for the first time, he has admin role 
> due to his membership to group DEVELOPERS

If the original group sync occurred when John was in the DEVELOPERS group in LDAP but had not logged in to OpenShift for the first time, as above, this should already work as you describe.
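
As an added example (not from the bug report, not from any of the commenters, and not the product's own shipped configuration), the following three YAML documents show what the scheduled LDAP group sync described in comment 0 looks like on OpenShift 3.x, together with the check that comment 2 points at: the LDAP attribute the identity provider uses for the OpenShift user name (preferredUsername) must be the same attribute the sync config uses for userNameAttributes, otherwise the user names written into the synced Group object never match the User object created at first login and the group's role bindings never apply. Hostname, base DNs, bind DN, provider name, namespace, service account, ConfigMap/Secret names and the CLI image are all placeholders.

```yaml
# Added example, not part of the bug report. All names and DNs are placeholders.
# 1. master-config.yaml excerpt: the LDAP identity provider. The value of
#    preferredUsername becomes the OpenShift User name at first login.
oauthConfig:
  identityProviders:
  - name: corp_ad                        # assumed provider name
    challenge: true
    login: true
    mappingMethod: claim
    provider:
      apiVersion: v1
      kind: LDAPPasswordIdentityProvider
      url: "ldaps://ad.example.com/dc=example,dc=com?sAMAccountName"   # assumed host and base DN
      bindDN: "cn=openshift-bind,ou=service,dc=example,dc=com"
      bindPassword:
        file: "/etc/origin/master/ldap-bind-password"
      ca: "/etc/origin/master/ad-ca.crt"
      insecure: false
      attributes:
        id: [dn]
        preferredUsername: [sAMAccountName]   # must equal userNameAttributes in the sync config
        name: [cn]
        email: [mail]
---
# 2. LDAPSyncConfig for an Active Directory whose users carry membership in
#    memberOf, while group objects are still looked up for their names.
kind: LDAPSyncConfig
apiVersion: v1
url: "ldaps://ad.example.com"
bindDN: "cn=openshift-bind,ou=service,dc=example,dc=com"
bindPassword:
  file: "/etc/sync/bind-password"            # mounted from a Secret, see the CronJob below
ca: "/etc/sync/ad-ca.crt"
insecure: false
groupUIDNameMapping:
  # keeps the OpenShift group name DEVELOPERS that already holds the role binding
  "cn=DEVELOPERS,ou=groups,dc=example,dc=com": DEVELOPERS
augmentedActiveDirectory:
  groupsQuery:
    baseDN: "ou=groups,dc=example,dc=com"
    scope: sub
    derefAliases: never
    pageSize: 0
  groupUIDAttribute: dn
  groupNameAttributes: [cn]
  usersQuery:
    baseDN: "ou=users,dc=example,dc=com"
    scope: sub
    derefAliases: never
    filter: "(objectclass=person)"
    pageSize: 0
  userNameAttributes: [sAMAccountName]     # same attribute as preferredUsername above
  groupMembershipAttributes: [memberOf]
---
# 3. CronJob that runs the sync. Without --confirm the command is a dry run that
#    only prints what it would change. The whitelist restricts the run to the
#    groups that actually carry role bindings, which matters with tens of
#    thousands of groups in the directory.
apiVersion: batch/v1beta1
kind: CronJob
metadata:
  name: ldap-group-sync
  namespace: ldap-sync
spec:
  schedule: "*/30 * * * *"
  concurrencyPolicy: Forbid                # never run two syncs at once
  jobTemplate:
    spec:
      template:
        spec:
          # service account bound to a ClusterRole that may get/create/update Group objects
          serviceAccountName: ldap-group-syncer
          restartPolicy: Never
          containers:
          - name: sync
            image: registry.access.redhat.com/openshift3/ose-cli   # assumed; any image that ships oc
            command:
            - oc
            - adm
            - groups
            - sync
            - --sync-config=/etc/sync/sync.yaml
            - --whitelist=/etc/sync/whitelist.txt
            - --confirm
            volumeMounts:
            - name: sync-files
              mountPath: /etc/sync
              readOnly: true
          volumes:
          - name: sync-files
            projected:
              sources:
              - configMap:
                  name: ldap-sync-config       # sync.yaml, whitelist.txt, ad-ca.crt
              - secret:
                  name: ldap-bind-password     # bind-password
```

Before enabling the CronJob, run the same command once by hand without --confirm and compare the user names it prints for DEVELOPERS against `oc get users`: if the sync emits distinguished names while the identity provider creates users named after sAMAccountName (or vice versa), the two attributes in the marked lines disagree and first-login authorization will fail exactly as comment 0 describes, even though the Group object exists.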

Comment 19 Simo Sorce 2018-12-18 11:23:27 UTC
Mo, please take a look and reassign/close as needed.

Comment 24 Eric Rich 2019-04-20 19:26:13 UTC
Please see https://jira.coreos.com/browse/PROD-631

Comment 25 knewcomer 2019-04-23 18:18:24 UTC
(In reply to Eric Rich from comment #24)
> Please see https://jira.coreos.com/browse/PROD-631

Please reference this RFE instead: https://jira.coreos.com/browse/RFE-106. Thanks!

Comment 26 Standa Laznicka 2019-10-18 08:50:07 UTC
*** Bug 1762447 has been marked as a duplicate of this bug. ***