Feature #10287
closed[SSO] [API] Assign Arvados username from site-configured LDAP field when available
Description
Currently Arvados generates a username from a user's email address. However, some installations using external authentication (e.g. LDAP) may have usernames assigned which are separate from the email address used to log in, and don't match.
Arvados should be able to discover and use the username from external authentication so that the username used for VM login, git, and other accounting is consistent with the rest of the organization.
Implementation¶
New API server configuration parameter "sso_username_field":- "email" (default) means use local part of email address (i.e., current behavior)
- "uid", "cn", or anything else means use the indicated field from the SSO info hash
Ensure SSO provider propagates the "uid" and "cn" fields (and any other available fields) from LDAP to Arvados API.
Updated by Tom Clegg about 8 years ago
- Subject changed from [SSO] Assign Arvados 'username' from LDAP 'username' when available to [SSO] [API] Assign Arvados username from site-configured LDAP field when available
- Description updated (diff)
Updated by Peter Amstutz about 8 years ago
- Category set to SSO
- Status changed from New to In Progress
- Assigned To set to Peter Amstutz
- Target version set to 2016-10-26 sprint
Updated by Peter Amstutz about 8 years ago
Posted branches:
10287-sso-username (sso-provider repo)
10287-ldap-username (arvados)
Updated by Tom Clegg about 8 years ago
Updated 10287-ldap-username (arvados) to avoid bypassing the duplicate/blacklisted username checks, and add some basic tests
Updated by Nico César about 8 years ago
sso_provider in app/controllers/users/omniauth_callbacks_controller.rb
+ + username = if ldap_conf['username'] + request.env['omniauth.auth']['extra']['raw_info'][ldap_conf['username'].to_sym][0] + end +
What if we don't have ldap_conf['username'] ? shall we have an "else" there that assigns something safe ? If this get's propagated to api servers, I would not like to override existing usernames.
Updated by Nico César about 8 years ago
test 8ffceeb0bddd457cee62586d405afd8e082e1d6f
arvados api changes are good as far as I can tell, assuming user.set_initial_username() does the right thing
Updated by Tom Clegg about 8 years ago
Nico Cesar wrote:
What if we don't have ldap_conf['username'] ? shall we have an "else" there that assigns something safe ? If this get's propagated to api servers, I would not like to override existing usernames.
API server will ignore this (i.e., fall back on previous behavior and use the local part of the email address) if username ends up nil here.
Updated by Nico César about 8 years ago
- Status changed from In Progress to Resolved
tested username gets populate correctly