Feature #5413

[DRAFT] [API/SSO] Use externally-defined (e.g., LDAP) groups as permission groups

Added by Tom Clegg over 5 years ago. Updated about 3 years ago.


If groups/permissions have already been encoded in another system, it should be possible to import or use them directly, rather than manually synchronizing them using the Admin→Users checkboxes.


#1 Updated by Tom Clegg over 5 years ago

  • Description updated (diff)
  • Category set to API

#2 Updated by Brett Smith about 5 years ago

  • Subject changed from [API/SSO] Use externally-defined (e.g., LDAP) groups as permission groups to [DRAFT] [API/SSO] Use externally-defined (e.g., LDAP) groups as permission groups
  • Target version set to Arvados Future Sprints

#3 Updated by Lucas Di Pentima about 3 years ago

We've been talking about asking the LDAP server for group memberships when a user logs into Arvados (from the SSO, for example), and also having a periodic sync process that asks for all groups that a list of users belong to.

  • LDAP searches:
    • SSO: at login time: get all groups from a specific user
      • (&(objectClass=posixGroup)(memberUid=user1)) (for OpenLDAP servers)
      • (&(objectClass=group)(member=cn=user name,ou=some_ou,dc=company,dc=com)) (for AD servers)
    • From a user list → get all groups those users belong to (same as above but with OR operators)
      • (&(objectClass=posixGroup)(|(memberUid=user1)(memberUid=user2)…)) (for OpenLDAP servers)
      • (&(objectClass=group)(|(member=dn-user1)(member=dn-user2)…)) (for AD servers)
    • I’ve read that AD filter size limit is within 10 megabytes so unless we have lots of users, the query won’t surpass the limit. We could also batch searches with some max number of users.
  • Instead of executing “ldapsearch”, we can use http://www.rubydoc.info/gems/ruby-net-ldap/Net/LDAP
    require 'net/ldap'
    # ldap is an open Net::LDAP connection and treebase the search base DN (both set up elsewhere)
    filter = Net::LDAP::Filter.eq("objectclass", "group") & Net::LDAP::Filter.eq("member", "cn=user name,ou=some_ou,dc=company,dc=com")
    ldap.search(:base => treebase, :filter => filter) do |entry|
      entry.each do |attribute, values|
        values.each { |value| puts "#{attribute}: #{value}" }
      end
    end
  • We may need to save a mapping between the user’s distinguished name (for AD servers) and the local Arvados username
  • Are we going to accept Arvados Groups that aren’t part of the LDAP server? We may have collisions (should we add a prefix?)
  • Should the search base & filter be a configuration parameter to be able to adapt to different schemas?
  • Does the SSO have the necessary rights on API Server to create/update groups and their relations with users, or is that an addition we'll need to write?
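The filters sketched in comment #3, worked through as an added example that is not code from this ticket or from Arvados: plain Ruby (no net-ldap gem needed) that builds the per-user and batched OR filters for both the OpenLDAP (posixGroup/memberUid) and AD (group/member) schemas, splits long user lists into batches as the comment suggests, and escapes every value interpolated into a filter per RFC 4515 so that a username containing "*", "(" or ")" cannot widen the search. The schema table, function names and the batch size of 500 are assumptions made for the example.

```ruby
# Added example (not from the Arvados ticket): build the LDAP group-membership
# filters from comment #3 without the net-ldap gem, so batching and escaping
# can be exercised stand-alone.

# RFC 4515 escaping for values placed inside a filter. Without this, a user
# name such as "*)(uid=*" would change the structure of the filter.
RFC4515_ESCAPES = {
  "\\" => "\\5c", "*" => "\\2a", "(" => "\\28", ")" => "\\29", "\0" => "\\00",
}.freeze

def escape_filter_value(value)
  value.to_s.gsub(/[\\*()\0]/) { |ch| RFC4515_ESCAPES[ch] }
end

# Schema-specific pieces (assumed for the example): the group objectClass and
# the attribute that carries membership.
SCHEMAS = {
  openldap: { object_class: "posixGroup", member_attr: "memberUid" },
  ad:       { object_class: "group",      member_attr: "member" },
}.freeze

# Filter returning every group one user belongs to (comment #3, login-time case).
# member_value is a uid for OpenLDAP and the user's DN for AD.
def groups_of_user_filter(schema, member_value)
  s = SCHEMAS.fetch(schema)
  "(&(objectClass=#{s[:object_class]})(#{s[:member_attr]}=#{escape_filter_value(member_value)}))"
end

# Filter returning every group any of the listed users belongs to
# (comment #3, periodic-sync case: same filter, OR-ed member clauses).
def groups_of_users_filter(schema, member_values)
  return groups_of_user_filter(schema, member_values.first) if member_values.size == 1
  s = SCHEMAS.fetch(schema)
  clauses = member_values.map { |v| "(#{s[:member_attr]}=#{escape_filter_value(v)})" }
  "(&(objectClass=#{s[:object_class]})(|#{clauses.join}))"
end

# Split a user list into batches so no single filter grows without bound;
# the batch size is an assumed value, not one from the ticket.
def batched_filters(schema, member_values, max_per_query: 500)
  member_values.each_slice(max_per_query).map { |batch| groups_of_users_filter(schema, batch) }
end

if __FILE__ == $0
  puts groups_of_user_filter(:openldap, "user1")
  puts groups_of_users_filter(:ad, ["cn=user name,ou=some_ou,dc=company,dc=com",
                                    "cn=other user,ou=some_ou,dc=company,dc=com"])
  # A hostile value is neutralised rather than rewriting the filter:
  puts groups_of_user_filter(:openldap, "*)(uid=*")
end
```

The strings produced for a single user match the two filters quoted in comment #3 exactly; the escaping is the part the comment does not mention and is what makes it safe to feed usernames or DNs taken from the SSO straight into the search.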
