Feature #5413
closed
[DRAFT] [API/SSO] Use externally-defined (e.g., LDAP) groups as permission groups
Added by Tom Clegg about 9 years ago.
Updated over 3 years ago.
Description
If groups/permissions have already been encoded in another system, it should be possible to import or use them directly, rather than manually synchronizing them using the Admin→Users checkboxes.
- Description updated (diff)
- Category set to API
- Subject changed from [API/SSO] Use externally-defined (e.g., LDAP) groups as permission groups to [DRAFT] [API/SSO] Use externally-defined (e.g., LDAP) groups as permission groups
- Target version set to Arvados Future Sprints
We've been talking about asking the LDAP server for group memberships when a user logs into Arvados (from the SSO, for example), and also having a periodic sync process that asks for all groups that a list of users belong to.
- LDAP searches:
- SSO: at login time: get all groups from a specific user
(&(objectClass=posixGroup)(memberUid=user1))
(for OpenLDAP servers)
(&(objectClass=group)(member=cn=user name,ou=some_ou,dc=company,dc=com))
(for AD servers)
- From a user list → get all groups those users belong to (same as above but with OR operators)
(&(objectClass=posixGroup)(|(memberUid=user1)(memberUid=user2)…))
(for OpenLDAP servers)
(&(objectClass=group)(|(member=dn-user1)(member=dn-user2)…))
(for AD servers)
- I’ve read that the AD filter size limit is within 10 megabytes, so unless we have lots of users, the query won’t surpass the limit. We could also batch searches with some max number of users.
- Instead of executing “ldapsearch”, we can use http://www.rubydoc.info/gems/ruby-net-ldap/Net/LDAP
  require 'net/ldap'

  # Connection details, bind credentials and search base are placeholders; adapt them to the deployment.
  ldap = Net::LDAP.new(:host => "ldap.example.com", :port => 389,
                       :auth => { :method => :simple, :username => "cn=reader,dc=company,dc=com", :password => ENV["LDAP_PASSWORD"] })
  treebase = "dc=company,dc=com"

  # AD-style lookup: every group whose member attribute contains the user's DN
  filter = Net::LDAP::Filter.eq("objectClass", "group") & Net::LDAP::Filter.eq("member", "cn=user name,ou=some_ou,dc=company,dc=com")
  ldap.search(:base => treebase, :filter => filter) do |entry|
    entry.each do |attribute, values|
      values.each do |value|
        puts "#{entry.dn}: #{attribute} = #{value}"   # do_stuff goes here, e.g. create/update the Arvados group
      end
    end
  end
- We may need to save a mapping between the user’s distinguished name (for AD servers) and the local Arvados username
- Are we going to accept Arvados Groups that aren’t part of the LDAP server? We may have collisions (should we add a prefix?)
- Should the search base & filter be a configuration parameter to be able to adapt to different schemas?
- Does the SSO have the necessary rights on API Server to create/update groups and their relations with users, or is that an addition we’ll need to write?
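An added example (not Arvados or ruby-net-ldap code; the `GroupFilters` module name and the default batch size are my own assumptions) that builds the OpenLDAP and AD group filters sketched in this comment as strings, splits a long user list into batches as suggested, and escapes values per RFC 4515 so a username containing filter metacharacters such as `*` or `)` cannot broaden or restructure the query. The resulting strings can be handed to `Net::LDAP::Filter.construct` or to `ldapsearch`.

```ruby
# Added example (not Arvados code): group-lookup filters for OpenLDAP
# (posixGroup/memberUid) and AD (group/member), with batching and RFC 4515
# escaping of the member values that come from the SSO / user list.
module GroupFilters
  # RFC 4515: the only characters needing escaping inside an assertion value
  # are backslash, *, (, ) and NUL.
  ESCAPES = { "\\" => "\\5c", "*" => "\\2a", "(" => "\\28",
              ")" => "\\29", "\0" => "\\00" }.freeze

  def self.escape(value)
    value.to_s.gsub(/[\\*()\0]/) { |c| ESCAPES[c] }
  end

  SCHEMAS = {
    openldap: { object_class: "posixGroup", member_attr: "memberUid" },
    ad:       { object_class: "group",      member_attr: "member" },
  }.freeze

  # Filter matching every group that contains at least one of +members+.
  # For OpenLDAP +members+ are uids; for AD they are full DNs.
  def self.groups_of(schema, members)
    s = SCHEMAS.fetch(schema)
    clauses = members.map { |m| "(#{s[:member_attr]}=#{escape(m)})" }
    raise ArgumentError, "no members given" if clauses.empty?
    member_part = clauses.size == 1 ? clauses.first : "(|#{clauses.join})"
    "(&(objectClass=#{s[:object_class]})#{member_part})"
  end

  # Split a large user list into several filters of at most +batch_size+
  # members so each search stays well below the server's filter size limit.
  # The batch size is an assumed default, not a measured limit.
  def self.batched_groups_of(schema, members, batch_size: 500)
    members.each_slice(batch_size).map { |slice| groups_of(schema, slice) }
  end
end

if __FILE__ == $PROGRAM_NAME
  puts GroupFilters.groups_of(:openldap, ["user1"])
  puts GroupFilters.groups_of(:ad, ["cn=user name,ou=some_ou,dc=company,dc=com"])
  # A wildcard in a username is escaped rather than treated as a filter operator:
  puts GroupFilters.groups_of(:openldap, ["smith*"])
end
```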
- Target version deleted (Arvados Future Sprints)
- Status changed from New to Closed