Bug 1437324 - rolebindings not applied to users in nested LDAP groups
Summary: rolebindings not applied to users in nested LDAP groups
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: apiserver-auth
Version: 3.4.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: medium
Target Milestone: ---
Assignee: Mo
QA Contact: Chuan Yu
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2017-03-30 05:32 UTC by Brennan Vincello
Modified: 2023-09-14 03:55 UTC (History)

Fixed In Version:
Doc Type: Enhancement
Doc Text:
Feature: Nested group sync between OpenShift and Active Directory.
Reason: It is common to have nested groups in Active Directory. Users wanted to be able to sync such groups with OpenShift. This feature was always supported, but lacked any formal documentation and was difficult to discover.
Result: Docs added at https://docs.openshift.org/latest/install_config/syncing_groups_with_ldap.html#sync-ldap-nested-example
Clone Of:
Environment:
Last Closed: 2017-08-10 05:20:02 UTC
Target Upstream Version:
Embargoed:




Links
    - GitHub openshift/openshift-docs pull 4315 (last updated 2017-05-30 08:31:33 UTC)
    - GitHub openshift/origin issue 12168 (last updated 2017-05-30 08:33:33 UTC)
    - Red Hat Product Errata RHEA-2017:1716, priority normal, status SHIPPED_LIVE: Red Hat OpenShift Container Platform 3.6 RPM Release Advisory (last updated 2017-08-10 09:02:50 UTC)

Description Brennan Vincello 2017-03-30 05:32:02 UTC
Description of problem:

Permissions for nested LDAP groups are not applied as expected for users in nested groups.

For example: OSE-CLUSTER-ADMINS -> ITS-OSE-ADMINS -> Smith, John
    - After adding the cluster role "cluster-admin" to the group OSE-CLUSTER-ADMINS, rights do not propagate down to Smith, John

The privileges only apply properly if users are directly in the LDAP group getting permissions.

Expected outcome:

Rights propagated to users in nested groups.

Version-Release number of selected component (if applicable): OCP 3.4

How reproducible: Very

Steps to Reproduce:

oadm groups sync --sync-config=ldap_sync_new.yaml
oadm groups sync --sync-config=/root/ldap_sync_new.yaml --confirm --match-server-version
oadm policy add-cluster-role-to-group cluster-admin OSE-CLUSTER-ADMINS

Actual results:

Nested users do not appear in:
oc describe clusterrolebinding cluster-admins

Expected results:

Nested users added to clusterrolebinding

Additional info: n/a

Comment 1 Jordan Liggitt 2017-04-03 01:40:02 UTC
Groups within OpenShift do not nest. If you want nested group membership in LDAP to transfer to OpenShift, the nested membership must be flattened by the group sync process.

For example, after syncing with LDAP, the OSE-CLUSTER-ADMINS group in OpenShift would contain both the direct and indirect members of the group.
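Added example (Python; not code from the bug report or from OpenShift's own group sync) modelling the flattening described in the comment above: it walks a constructed in-memory directory containing the report's OSE-CLUSTER-ADMINS -> ITS-OSE-ADMINS -> Smith, John chain, plus a constructed membership cycle to show that the walk must terminate, and produces the flat member list an OpenShift Group object would carry. In OpenShift the real flattening is done by `oadm groups sync` with an LDAPSyncConfig such as the nested-group example in the linked docs; the DNs, user names and `flatten_members`/`openshift_groups` helpers below are assumptions.

```python
from collections import deque

# Constructed sample directory (assumption, not real data): each group's "member"
# attribute lists DNs of users or other groups, mirroring the report's
# OSE-CLUSTER-ADMINS -> ITS-OSE-ADMINS -> Smith, John chain.
GROUPS = {
    "cn=OSE-CLUSTER-ADMINS,ou=groups,dc=example,dc=com": [
        "cn=ITS-OSE-ADMINS,ou=groups,dc=example,dc=com",
        "cn=Doe\\, Jane,ou=users,dc=example,dc=com",
    ],
    "cn=ITS-OSE-ADMINS,ou=groups,dc=example,dc=com": [
        "cn=Smith\\, John,ou=users,dc=example,dc=com",
        # constructed cycle back to the parent: the walk must not loop forever
        "cn=OSE-CLUSTER-ADMINS,ou=groups,dc=example,dc=com",
    ],
}
# Constructed user entries mapped to the OpenShift user name the sync would use.
USERS = {
    "cn=Smith\\, John,ou=users,dc=example,dc=com": "jsmith",
    "cn=Doe\\, Jane,ou=users,dc=example,dc=com": "jdoe",
}

def flatten_members(group_dn, groups=GROUPS, users=USERS):
    """Return sorted OpenShift user names of all direct and indirect members."""
    seen = set()          # group DNs already expanded (cycle guard)
    names = set()
    queue = deque([group_dn])
    while queue:
        dn = queue.popleft()
        if dn in seen:
            continue
        seen.add(dn)
        for member in groups.get(dn, []):
            if member in groups:
                queue.append(member)      # nested group: expand it too
            elif member in users:
                names.add(users[member])  # user entry: record its name
            # anything else (out-of-scope DN) is skipped, as a sync would
    return sorted(names)

def openshift_groups(groups=GROUPS, users=USERS):
    """Build the flat Group objects a sync would write, keyed by group cn."""
    out = {}
    for dn in groups:
        cn = dn.split(",", 1)[0][len("cn="):]
        out[cn] = {"kind": "Group", "apiVersion": "v1",
                   "metadata": {"name": cn}, "users": flatten_members(dn, groups, users)}
    return out
```

Once the sync has written the flattened OSE-CLUSTER-ADMINS group, the `oadm policy add-cluster-role-to-group cluster-admin OSE-CLUSTER-ADMINS` step from the report reaches jsmith as well, because the binding targets the flat OpenShift group rather than the LDAP hierarchy.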

Comment 15 Wang Haoran 2017-05-31 02:26:19 UTC
It works well with the guide, marked verified.

Comment 17 errata-xmlrpc 2017-08-10 05:20:02 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2017:1716

Comment 18 Red Hat Bugzilla 2023-09-14 03:55:47 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 1000 days

