Red Hat Cluster Management Cloud Services
CMCS-4

Adding group sync and RBAC for the IDP client


Details

    Description

      Epic Goal

      • Build group sync capabilities and RBAC support into the existing IDP client operator.
      • Example: with GitHub as the IDP, the operator provides authentication (authN) today. We want to add authorization (authZ) capability so that the auth realm can gather the groups (GitHub Teams) from the IDP and sync them to the managed clusters that match the given auth realm.

      Why is this important?

      • Adoption of the IDP client operator will hinge on its ability to configure everything needed for a complete identity setup on the managed cluster. Groups and RBAC are critical to making a cluster usable by a non-cluster-admin, e.g. developers.

      Scenarios (sub-epics)

      1. Leverage GroupSync to define the groups
      2. Define the role at the hub, then sync it down to managed clusters
      3. Define the role binding at the hub, then sync it down to managed clusters
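The three sub-epics above describe one end-to-end outcome: a group that mirrors an IDP team, a role defined centrally, and a binding that ties the two together on every matching managed cluster. The manifests below are an added illustration of what that outcome looks like on a single managed cluster; they are not code from this epic or from the group-sync-operator project. The group name `platform-devs`, the namespace `payments`, the user names and the `example.com/synced-from` label are hypothetical placeholders.

```yaml
# Added example, not part of the epic or the group-sync-operator project.
# All names below are hypothetical placeholders.

# 1. Group materialised from the IDP (here: a GitHub Team named "platform-devs").
#    On OpenShift, groups live in the user.openshift.io API group; membership
#    is owned by the sync, so admins should not hand-edit the users list.
apiVersion: user.openshift.io/v1
kind: Group
metadata:
  name: platform-devs
  labels:
    # constructed label so a reviewer can tell synced groups from hand-made ones
    example.com/synced-from: github
users:
  - alice
  - bob
---
# 2. Role defined at the hub and synced down. Namespace-scoped (Role, not
#    ClusterRole) and read-mostly; secrets are deliberately not listed.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: developer
  namespace: payments
rules:
  - apiGroups: [""]
    resources: ["pods", "pods/log", "services", "configmaps"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["apps"]
    resources: ["deployments"]
    verbs: ["get", "list", "watch", "patch", "update"]
---
# 3. RoleBinding defined at the hub and synced down. The subject is the Group,
#    never individual users, so a membership change in GitHub propagates through
#    the sync without anyone touching RBAC on the managed cluster.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: developer-platform-devs
  namespace: payments
subjects:
  - kind: Group
    name: platform-devs
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: developer
  apiGroup: rbac.authorization.k8s.io
```

Binding to the group rather than to users is what makes the sync interval (open question 2 above) the only lag between an IDP change and effective access; a user removed from the GitHub Team loses access at the next sync with no RBAC edit. A cluster admin can confirm the effective permissions with `oc auth can-i list pods -n payments --as=alice --as-group=platform-devs` (impersonation rights are required for `--as`/`--as-group`) and, just as importantly, confirm a denial such as `oc auth can-i get secrets -n payments --as=alice --as-group=platform-devs`.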

      Acceptance Criteria

      • CI - MUST be running successfully with tests automated
      • Release Technical Enablement - Provide necessary release enablement details and documents.
      • ...

      Dependencies (internal and external)

      1. Group Sync Operator: https://github.com/redhat-cop/group-sync-operator

      Previous Work (Optional):

      1. Group Sync Operator: https://github.com/redhat-cop/group-sync-operator

      Open questions:

      1. We need to be careful about how far we go with IDP/provider support; limit the scope to a few key use cases (GitHub, LDAP).
      2. How often do we sync the groups? Is this configurable? Is this a scale/performance challenge?
      3. Do we intend to support the Group Sync Operator? This could open us up to a very broad user base that then expects support for the operator.
      4. Or do we just want to provide the use cases without mentioning the Group Sync Operator?

      Done Checklist

      • CI - CI is running, tests are automated and merged.
      • Release Enablement <link to Feature Enablement Presentation>
      • DEV - Upstream code and tests merged: <link to meaningful PR or GitHub Issue>
      • DEV - Upstream documentation merged: <link to meaningful PR or GitHub Issue>
      • DEV - Downstream build attached to advisory: <link to errata>
      • QE - Test plans in Polarion: <link or reference to Polarion>
      • QE - Automated tests merged: <link or reference to automated tests>
      • DOC - Downstream documentation merged: <link to meaningful PR>


            People

              sberens@redhat.com Scott Berens
              Brian King
              Robin Bobbitt
              Timothy Pouyer
              Scott Berens