Feature #5413

closed

[DRAFT] [API/SSO] Use externally-defined (e.g., LDAP) groups as permission groups

Added by Tom Clegg about 9 years ago. Updated over 3 years ago.

Status:
Closed
Priority:
Normal
Assigned To:
-
Category:
API
Target version:
-
Story points:
-

Description

If groups/permissions have already been encoded in another system, it should be possible to import or use them directly, rather than manually synchronizing them using the Admin→Users checkboxes.

Actions #1

Updated by Tom Clegg about 9 years ago

  • Description updated (diff)
  • Category set to API
Actions #2

Updated by Brett Smith about 9 years ago

  • Subject changed from [API/SSO] Use externally-defined (e.g., LDAP) groups as permission groups to [DRAFT] [API/SSO] Use externally-defined (e.g., LDAP) groups as permission groups
  • Target version set to Arvados Future Sprints
Actions #3

Updated by Lucas Di Pentima almost 7 years ago

We've been talking about asking the LDAP server for group memberships when a user logs into Arvados (from the SSO, for example), and also having a periodic sync process that asks for all groups that a list of users belong to.

  • LDAP searches:
    • SSO: at login time: get all groups from a specific user
      • (&(objectClass=posixGroup)(memberUid=user1)) (for OpenLDAP servers)
      • (&(objectClass=group)(member=cn=user name,ou=some_ou,dc=company,dc=com)) (for AD servers)
    • From a user list → get all groups those users belong to (same as above but with OR operators)
      • (&(objectClass=posixGroup)(|(memberUid=user1)(memberUid=user2)…)) (for OpenLDAP servers)
      • (&(objectClass=group)(|(member=dn-user1)(member=dn-user2)…)) (for AD servers)
    • I’ve read that AD filter size limit is within 10 megabytes so unless we have lots of users, the query won’t surpass the limit. We could also batch searches with some max number of users.
  • Instead of executing “ldapsearch”, we can use http://www.rubydoc.info/gems/ruby-net-ldap/Net/LDAP
    require 'net/ldap'

    # ldap is an already-connected Net::LDAP instance; treebase is the search base DN
    filter = Net::LDAP::Filter.eq('objectclass', 'group') &
             Net::LDAP::Filter.eq('member', 'cn=user name,ou=some_ou,dc=company,dc=com')
    ldap.search(base: treebase, filter: filter) do |entry|
      entry.each do |attribute, values|
        values.each do |value|
          do_stuff(attribute, value)  # placeholder: handle each attribute/value of the group entry
        end
      end
    end

  • We may need to save a mapping between the user’s distinguished name (for AD servers) and the local Arvados username
  • Are we going to accept Arvados Groups that aren’t part of the LDAP server? We may have collisions (should we add a prefix?)
  • Should the search base & filter be a configuration parameter to be able to adapt to different schemas?
  • Does the SSO have the necessary rights on API Server to create/update groups and their relations with users, or is that an addition we'll need to write?
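As an added example, not part of this ticket's comments or of the Arvados code base: plain Ruby (no net-ldap gem needed) that builds the per-user and per-user-list group filters for the two schemas listed in the comment above, escapes every interpolated identifier per RFC 4515 so that a username or DN containing filter metacharacters cannot change the structure of the query, splits a user list into bounded batches (the filter-size concern), and turns group entries into a prefixed local group → Arvados usernames map via a DN → username table (the mapping and collision concerns). The schema names `:openldap` / `:ad`, the `ldap:` prefix and the sample entries are assumptions of this example, not anything from the ticket.

```ruby
# Added example (not Arvados code): filter construction and result mapping for
# the LDAP group sync discussed in this ticket. Schema names (:openldap, :ad) and
# the "ldap:" group prefix are assumptions of this example.

# Group object class and membership attribute per directory schema.
SCHEMAS = {
  openldap: { object_class: 'posixGroup', member_attr: 'memberUid' }, # value is a uid
  ad:       { object_class: 'group',      member_attr: 'member'    }  # value is a user DN
}.freeze

def schema_for(name)
  SCHEMAS.fetch(name) { raise ArgumentError, "unknown LDAP schema: #{name}" }
end

# Escape a value for interpolation into a search filter (RFC 4515, section 3):
# backslash, '*', '(', ')' and NUL become \XX hex escapes, so an identifier taken
# from user input cannot alter the structure of the filter it is embedded in.
def ldap_filter_escape(value)
  value.to_s.gsub(/[\\*()\x00]/) { |c| '\\%02x' % c.ord }
end

# All groups one user belongs to.
def group_filter_for_user(schema, ident)
  s = schema_for(schema)
  "(&(objectClass=#{s[:object_class]})(#{s[:member_attr]}=#{ldap_filter_escape(ident)}))"
end

# All groups any of the listed users belongs to (OR of one clause per user).
def group_filter_for_users(schema, idents)
  s = schema_for(schema)
  raise ArgumentError, 'empty user list' if idents.empty?
  return group_filter_for_user(schema, idents.first) if idents.size == 1

  clauses = idents.map { |i| "(#{s[:member_attr]}=#{ldap_filter_escape(i)})" }.join
  "(&(objectClass=#{s[:object_class]})(|#{clauses}))"
end

# Keep each search filter bounded: one filter per batch of at most batch_size users.
def batched_group_filters(schema, idents, batch_size)
  idents.each_slice(batch_size).map { |slice| group_filter_for_users(schema, slice) }
end

# Turn group entries (hashes of attribute => values, as a search would yield) into
# { local_group_name => [arvados_usernames] }. memberUid values are usernames
# already; member values are DNs and are resolved through dn_to_username, with
# unknown DNs skipped. The prefix keeps imported groups from colliding with
# groups created locally in Arvados.
def memberships_from_entries(entries, dn_to_username, prefix: 'ldap:')
  entries.each_with_object({}) do |entry, acc|
    uids = entry.fetch(:memberUid, [])
    dns  = entry.fetch(:member, []).map { |dn| dn_to_username[dn] }.compact
    acc["#{prefix}#{entry.fetch(:cn)}"] = (uids + dns).uniq
  end
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample data, not taken from a real directory.
  users = ['cn=alice,ou=people,dc=example,dc=com', 'cn=bob,ou=people,dc=example,dc=com']
  puts group_filter_for_user(:openldap, 'user1')
  puts group_filter_for_users(:ad, users)
  puts batched_group_filters(:openldap, %w[u1 u2 u3], 2).inspect
  puts ldap_filter_escape('a*b(c)')   # metacharacters become \2a, \28, \29
  entries = [{ cn: 'devs', member: users + ['cn=ghost,ou=people,dc=example,dc=com'] }]
  puts memberships_from_entries(entries, { users[0] => 'alice', users[1] => 'bob' }).inspect
end
```

The escaping step is the part that matters for safety: the login-time search interpolates an identifier that ultimately came from the SSO, and without it a crafted value could widen or redirect the membership query. Batching size is left to the caller because the practical limit differs between OpenLDAP and AD deployments.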
Actions #4

Updated by Ward Vandewege over 3 years ago

  • Target version deleted (Arvados Future Sprints)
  • Status changed from New to Closed