Feature #10287

[SSO] [API] Assign Arvados username from site-configured LDAP field when available

Added by Peter Amstutz over 7 years ago. Updated over 7 years ago.

Status: Resolved
Priority: Normal
Assigned To:
Category: SSO
Target version:
Story points: -

Description

Currently Arvados generates a username from a user's email address. However, some installations using external authentication (e.g. LDAP) may have usernames assigned which are separate from the email address used to log in, and don't match.

Arvados should be able to discover and use the username from external authentication so that the username used for VM login, git, and other accounting is consistent with the rest of the organization.

Implementation

New API server configuration parameter "sso_username_field":
  • "email" (default) means use local part of email address (i.e., current behavior)
  • "uid", "cn", or anything else means use the indicated field from the SSO info hash

Ensure SSO provider propagates the "uid" and "cn" fields (and any other available fields) from LDAP to Arvados API.
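As an added example (not Arvados or sso-provider code), the resolution rule the ticket describes, written as two small Ruby helpers: one for the provider side, pulling the configured LDAP attribute out of omniauth's raw_info, and one for the API side, selecting by "sso_username_field" with a fall-back to the local part of the email address. The hash layout, helper names and sample values are assumptions.

```ruby
# Added example, not the project's own code. Names, hash layout and the
# sample LDAP record below are assumptions for illustration.

# SSO-provider side: pick the configured LDAP attribute out of omniauth's
# raw_info. LDAP attributes arrive as arrays; a missing attribute yields nil
# instead of raising, so a sparse LDAP entry cannot break the login.
def ldap_username(raw_info, field)
  return nil if field.nil? || field.to_s.empty?
  Array(raw_info[field.to_sym] || raw_info[field.to_s]).first
end

# API-server side: "email" (the default) keeps the current behaviour of using
# the local part of the email address; any other value names a field of the
# SSO info hash. A nil or blank field value falls back to the email-derived
# name, which is the behaviour the ticket discussion settles on.
def resolve_username(info, sso_username_field = 'email')
  email_local = info[:email].to_s.split('@', 2).first.to_s
  return email_local if sso_username_field.to_s == 'email'
  candidate = info[sso_username_field.to_sym].to_s.strip
  candidate.empty? ? email_local : candidate
end

# Constructed sample: what an LDAP-backed omniauth raw_info might look like.
RAW_INFO = { uid: ['jdoe'], cn: ['John Doe'], mail: ['john.doe@example.com'] }

if __FILE__ == $PROGRAM_NAME
  uid = ldap_username(RAW_INFO, 'uid')                    # "jdoe"
  info = { email: 'john.doe@example.com', uid: uid }
  puts resolve_username(info)                             # john.doe (default)
  puts resolve_username(info, 'uid')                      # jdoe
  puts resolve_username(info.merge(uid: nil), 'uid')      # john.doe (fallback)
end
```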


Subtasks (2: 0 open, 2 closed)

Task #10307: Review 10287-sso-username (Resolved, 10/24/2016)
Task #10306: Review 10287-ldap-username (sso-provider repository) (Resolved, 10/24/2016)
#1

Updated by Peter Amstutz over 7 years ago

  • Description updated (diff)
#2

Updated by Tom Clegg over 7 years ago

  • Subject changed from [SSO] Assign Arvados 'username' from LDAP 'username' when available to [SSO] [API] Assign Arvados username from site-configured LDAP field when available
  • Description updated (diff)
#3

Updated by Peter Amstutz over 7 years ago

  • Category set to SSO
  • Status changed from New to In Progress
  • Assigned To set to Peter Amstutz
  • Target version set to 2016-10-26 sprint
#4

Updated by Peter Amstutz over 7 years ago

Posted branches:

10287-sso-username (sso-provider repo)

10287-ldap-username (arvados)

#5

Updated by Tom Clegg over 7 years ago

Updated 10287-ldap-username (arvados) to avoid bypassing the duplicate/blacklisted username checks, and added some basic tests.

test 8ffceeb0bddd457cee62586d405afd8e082e1d6f

#6

Updated by Nico César over 7 years ago

sso_provider in app/controllers/users/omniauth_callbacks_controller.rb

+
+    username = if ldap_conf['username']
+                 request.env['omniauth.auth']['extra']['raw_info'][ldap_conf['username'].to_sym][0]
+               end
+
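Review bot: if ldap_conf['username'] is set but the LDAP entry carries no such attribute, the raw_info lookup returns nil and the trailing `[0]` raises NoMethodError, which fails the login outright instead of leaving username nil for the API server's email-based fallback. Wrapping the lookup, e.g. `Array(request.env['omniauth.auth']['extra']['raw_info'][ldap_conf['username'].to_sym])[0]`, preserves the nil result. The `.to_sym` also assumes raw_info is symbol-keyed, which is worth confirming against the LDAP strategy in use.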

What if we don't have ldap_conf['username']? Shall we have an "else" there that assigns something safe? If this gets propagated to API servers, I would not like to override existing usernames.

#7

Updated by Nico César over 7 years ago

test 8ffceeb0bddd457cee62586d405afd8e082e1d6f

Arvados API changes are good as far as I can tell, assuming user.set_initial_username() does the right thing.

#8

Updated by Tom Clegg over 7 years ago

Nico Cesar wrote:

What if we don't have ldap_conf['username']? Shall we have an "else" there that assigns something safe? If this gets propagated to API servers, I would not like to override existing usernames.

API server will ignore this (i.e., fall back on previous behavior and use the local part of the email address) if username ends up nil here.

#9

Updated by Nico César over 7 years ago

  • Status changed from In Progress to Resolved

Tested: username gets populated correctly.
