Bug 1469173 - [RFE] Automatic group / membership sync from external IdP [NEEDINFO]
Status: NEW
Product: OpenShift Container Platform
Classification: Red Hat
Component: RFE
Severity: urgent
: 3.10.0
Assigned To: Simo Sorce
Xiaoli Tian
Reported: 2017-07-10 11:08 EDT by Ruben Romero Montes
Modified: 2018-07-19 03:01 EDT

Flags: dmoessne: needinfo? (mbarrett)
Description Ruben Romero Montes 2017-07-10 11:08:57 EDT
From the RFE template:

> 3. What is the nature and description of the request?  

Group synchronization is only possible through a manual intervention or through a scheduled job that needs to be configured by the administrators (e.g. CronJobs).
This only allows synchronization from an external LDAP and not from any other IdP supporting Groups and memberships, like RH SSO.

After a user logs in for the first time, even though a synchronization has taken place, the user will only belong to the preconfigured groups (e.g. system:authenticated) but not to the groups the user belongs to in the IdP (or IdPs). Then the administrator would need to synchronize the groups again.

> 4. Why does the customer need this? (List the business requirements here)  

The customer has an Active Directory with more than 18.000 groups and also a RH SSO with this Active Directory configured, and would like to simplify and automate the synchronization after a membership is modified, a user is created, or a user logs into Openshift for the first time.

> 5. How would the customer like to achieve this? (List the functional requirements here)  

- As a user existing in the external IdP and belonging to group A, I would like to belong to the same groups after logging into Openshift for the first time.
- As an administrator I would like to be able to automate the group/membership synchronization or simplify it using the configuration.
- As an administrator I would like to be able to synchronize groups/memberships from RH SSO.

> 6. For each functional requirement listed, specify how Red Hat and the customer can test to confirm the requirement is successfully implemented.  

- A user John belongs to group DEVELOPERS in the external IdP. Group DEVELOPERS already exists in Openshift and has the Admin role on project "Demo". When John logs into Openshift for the first time, he has the admin role due to his membership of group DEVELOPERS.
- In the IdentityProviders configuration in the master-config.yaml file, the administrator can configure whether he/she wants to automatically sync the groups, and provide a frequency in cron format.
- Openshift configured with RH SSO as one of its external IdPs should be able to synchronize the existing groups of the realm used and all the existing memberships.

> 10. List any affected packages or components.  
Auth
Comment 2 Steve Kuznetsov 2017-07-10 13:22:20 EDT
(In reply to Ruben Romero Montes from comment #0)
> After a user logs in for the first time, even though a synchronization has
> taken place, the user will only belong to the preconfigured groups (e.g.
> system:authenticated) but not to the groups the user belongs to in the IdP
> (or IdPs). Then the administrator should need to synchronize the groups
> again.

I do not think this is accurate. If a group sync is executed, the resulting Group record in OpenShift will contain all users from LDAP, regardless of whether they have logged in previously to OpenShift or not. As soon as a user logs in for the first time, they will have privileges automatically, as they are already listed as a member of the group.

The only requisite configuration for this is that users' identity mappings are the same for authentication and authorization (e.g. they are identified by the same LDAP attribute in OpenShift for both systems).

> - A user John belongs to group DEVELOPERS in the external IdP. Group 
> DEVELOPERS already exists in Openshift and has the Admin role on project 
> "Demo". When John logs into Openshift for the first time, he has admin role 
> due to his membership to group DEVELOPERS

If the original group sync occurred when John was in the DEVELOPERS group in LDAP but had not logged in to OpenShift for the first time, as above, this should already work as you describe.
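
The sync-then-first-login behaviour discussed in the report and in comment 2, as an added example that is neither OpenShift's code nor the commenters': a plain Python model of the directory, a group sync run and the authorization check, on constructed sample data. It also shows the point the RFE is about, that a membership removed in the directory is still honoured until the next sync runs. The names userNameAttributes and preferredUsername refer to the OpenShift LDAP sync and identity provider settings; the data and helper names are assumptions.

```python
# Added example, not OpenShift code: a minimal model of LDAP group sync,
# identity-provider login and RoleBinding evaluation, using constructed
# sample data, to show why a synced Group grants a role at first login.

# Constructed sample directory (RFC 2307 style: a group lists member DNs).
JOHN_DN = "cn=john,ou=users,dc=example,dc=com"
MARY_DN = "cn=mary,ou=users,dc=example,dc=com"
DEVELOPERS_DN = "cn=DEVELOPERS,ou=groups,dc=example,dc=com"
LDAP = {
    JOHN_DN: {"cn": "john", "mail": "john@example.com", "sAMAccountName": "jdoe"},
    MARY_DN: {"cn": "mary", "mail": "mary@example.com", "sAMAccountName": "mdoe"},
    DEVELOPERS_DN: {"cn": "DEVELOPERS", "member": [JOHN_DN, MARY_DN]},
}

# Project "Demo" already grants the admin role to group DEVELOPERS.
ROLE_BINDINGS = {"Demo": {"admin": {"users": set(), "groups": {"DEVELOPERS"}}}}

def group_sync(ldap, user_name_attribute):
    """Model of one sync run: each directory group becomes an OpenShift Group
    whose users are the members' names taken from `user_name_attribute` (the
    userNameAttributes setting), whether or not those users have logged in."""
    return {
        attrs["cn"]: [ldap[m][user_name_attribute] for m in attrs["member"]]
        for attrs in ldap.values() if "member" in attrs
    }

def login(ldap, dn, preferred_username_attribute):
    """Model of the identity provider mapping a login to an OpenShift user
    name (the preferredUsername attribute of the LDAP identity provider)."""
    return ldap[dn][preferred_username_attribute]

def is_allowed(groups, role_bindings, project, role, username):
    """Authorization check: user bound directly, or through a synced Group."""
    binding = role_bindings[project][role]
    if username in binding["users"]:
        return True
    return any(username in groups.get(g, []) for g in binding["groups"])

if __name__ == "__main__":
    groups = group_sync(LDAP, "mail")            # sync runs before john ever logs in
    john = login(LDAP, JOHN_DN, "mail")          # first login with the same attribute
    print("john admin on Demo:", is_allowed(groups, ROLE_BINDINGS, "Demo", "admin", john))
    jdoe = login(LDAP, JOHN_DN, "sAMAccountName")  # mismatched attribute: different user name
    print("jdoe admin on Demo:", is_allowed(groups, ROLE_BINDINGS, "Demo", "admin", jdoe))
    # Removing john from the directory group is not seen until the next sync runs.
    LDAP[DEVELOPERS_DN]["member"].remove(JOHN_DN)
    print("still admin before re-sync:", is_allowed(groups, ROLE_BINDINGS, "Demo", "admin", john))
    print("after re-sync:", is_allowed(group_sync(LDAP, "mail"), ROLE_BINDINGS, "Demo", "admin", john))
```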
