Feature #5413 (closed)
[DRAFT] [API/SSO] Use externally-defined (e.g., LDAP) groups as permission groups
Status: Closed
Priority: Normal
Assigned To: -
Category: API
Target version: -
Story points: -
Description
If groups/permissions have already been encoded in another system, it should be possible to import or use them directly, rather than manually synchronizing them using the Admin→Users checkboxes.
Updated by Tom Clegg about 9 years ago
- Description updated (diff)
- Category set to API
Updated by Brett Smith about 9 years ago
- Subject changed from [API/SSO] Use externally-defined (e.g., LDAP) groups as permission groups to [DRAFT] [API/SSO] Use externally-defined (e.g., LDAP) groups as permission groups
- Target version set to Arvados Future Sprints
Updated by Lucas Di Pentima almost 7 years ago
We've been talking about asking the LDAP server for group memberships when a user logs into Arvados (from the SSO, for example), and also having a periodic sync process that asks for all groups that a list of users belong to.
- LDAP searches:
  - SSO: at login time: get all groups from a specific user
    (&(objectClass=posixGroup)(memberUid=user1)) (for OpenLDAP servers)
    (&(objectClass=group)(member=cn=user name,ou=some_ou,dc=company,dc=com)) (for AD servers)
  - From a user list → get all groups those users belong to (same as above but with OR operators)
    (&(objectClass=posixGroup)(|(memberUid=user1)(memberUid=user2)…)) (for OpenLDAP servers)
    (&(objectClass=group)(|(member=dn-user1)(member=dn-user2)…)) (for AD servers)
  - I've read that the AD filter size limit is within 10 megabytes, so unless we have lots of users the query won't surpass the limit. We could also batch searches with some max number of users.
- SSO: at login time: get all groups from a specific user
  - Instead of executing "ldapsearch", we can use http://www.rubydoc.info/gems/ruby-net-ldap/Net/LDAP

        # Build the AD-style filter above and iterate over every attribute of each matching group entry
        filter = Net::LDAP::Filter.eq("objectclass", "group") & Net::LDAP::Filter.eq("member", "cn=user name,ou=some_ou,dc=company,dc=com")
        ldap.search(:base => treebase, :filter => filter) do |entry|
          entry.each do |attribute, values|
            values.each do |value|
              do_stuff
            end
          end
        end

  - We may need to save a mapping between the user's distinguished name (for AD servers) and the local Arvados username
  - Are we going to accept Arvados Groups that aren't part of the LDAP server? We may have collisions (should we add a prefix?)
  - Should the search base & filter be a configuration parameter to be able to adapt to different schemas?
  - Does the SSO have the necessary rights on API Server to create/update groups and their relations with users, or is that an addition we'll need to write?
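As an added example (not part of this comment or of the Arvados code base), the following plain Ruby builds the two filter shapes discussed above for both the OpenLDAP and AD schemas, splits a user list into batches so each OR-filter stays small, and escapes every value per RFC 4515 so a username containing "(", ")", "*" or "\" cannot alter the filter's structure. The SCHEMAS table, the batch_size default and the function names are assumptions, not Arvados configuration.

```ruby
# Added example: membership filters for OpenLDAP (posixGroup/memberUid) and
# Active Directory (group/member DN), with batching and RFC 4515 escaping.

# Escape a value placed inside a search filter (RFC 4515): "*", "(", ")",
# "\" and NUL become \XX hex escapes, so user-supplied names stay data.
def ldap_escape(value)
  value.to_s.gsub(/[\\*()\x00]/) { |c| format('\\%02x', c.ord) }
end

# Assumed schema table; a real deployment would make this configurable.
SCHEMAS = {
  openldap: { object_class: 'posixGroup', member_attr: 'memberUid' }, # member uids
  ad:       { object_class: 'group',      member_attr: 'member' },    # member DNs
}.freeze

# Filter returning every group a single user belongs to (the login-time case).
def user_groups_filter(schema, user)
  s = SCHEMAS.fetch(schema)
  "(&(objectClass=#{s[:object_class]})(#{s[:member_attr]}=#{ldap_escape(user)}))"
end

# Filters returning every group any user in the list belongs to (the periodic
# sync case), split into batches of at most batch_size users per query.
def users_groups_filters(schema, users, batch_size: 100)
  s = SCHEMAS.fetch(schema)
  users.each_slice(batch_size).map do |batch|
    terms = batch.map { |u| "(#{s[:member_attr]}=#{ldap_escape(u)})" }.join
    "(&(objectClass=#{s[:object_class]})(|#{terms}))"
  end
end

if __FILE__ == $0
  puts user_groups_filter(:openldap, 'user1')
  puts users_groups_filters(:ad, %w[dn-user1 dn-user2 dn-user3], batch_size: 2)
  puts user_groups_filter(:openldap, 'user1)(uid=*') # escaped, not injected
end
```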
Updated by Ward Vandewege over 3 years ago
- Target version deleted (Arvados Future Sprints)
- Status changed from New to Closed