XML

Word

Printable

Type: Epic
Resolution: Done
Priority: Major
Fix Version/s: IDP 1.0 GA
Affects Version/s: IDP 1.0 TP
Component/s: Client Side Idp Operator
Labels:
- gh-sync

Epic Name:
Adding group sync and RBAC for the IDP client
Blocked:
False
Ready:
False
Epic Status:
To Do
GitHub Issue:
https://app.zenhub.com/workspaces/engineering-backlog-do-not-delete-604fab62d4b98d00150a2854/issues/stolostron/backlog/19846

SFDC Cases Links:
SFDC Cases Counter:
SFDC Cases Open:

Market:

Epic Goal

Build group sync capabilities and RBAC support into the existing IDP client operator.
Example: using GitHub for IDP, it provides the authN today. We want to build additional capability for AuthZ so that the auth-realm can gather the groups (GitHub Teams) from the IDP and sync them to the managed clusters that match the given auth realm.

Why is this important?

Adoption of the IDP client operator will hinge on its ability to configure the necessary parts for full Identity of the managed cluster. Groups and RBAC are critical parts to rendering a cluster usable by a non-cluster-admin, eg Developers.

Scenarios (sub-epics)

Leverage GroupSync to define the groups
With the role definition at the hub then sync that down to managed clusters

With the role-binding definition at the hub then sync that down to managed clusters

Acceptance Criteria

CI - MUST be running successfully with tests automated
Release Technical Enablement - Provide necessary release enablement details and documents.
...

Dependencies (internal and external)

Group Sync Operator: https://github.com/redhat-cop/group-sync-operator

Previous Work (Optional):

Group Sync Operator: https://github.com/redhat-cop/group-sync-operator

Open questions:

We need to be careful about how far we go with the IDP/providers support; limited scope for a few key use cases. GitHub, LDAP
How often do we sync the groups? is this configurable? Is this a scale/perf challenge?
Do we intend to support the Group Sync Operator? This could open us up to a very broad user base that now expects support for the operator.
Or, Do we just want to provide the user cases and not be mentioning the Group Sync Operator

Done Checklist

CI - CI is running, tests are automated and merged.
Release Enablement <link to Feature Enablement Presentation>
DEV - Upstream code and tests merged: <link to meaningful PR or GitHub Issue>
DEV - Upstream documentation merged: <link to meaningful PR or GitHub Issue>
DEV - Downstream build attached to advisory: <link to errata>
QE - Test plans in Polarion: <link or reference to Polarion>
QE - Automated tests merged: <link or reference to automated tests>
DOC - Downstream documentation merged: <link to meaningful PR>

relates to

AUTH-8 [Auth]Consume group membership information from an identity provider

Closed

links to

Group sync operator design/concerns doc

Assignee:: Scott Berens

Reporter:: Scott Berens

Manager:: Brian King

Technical Lead:: Robin Bobbitt

Architect:: Timothy Pouyer

Product Manager:: Scott Berens

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Created:: 2021/11/17 7:34 PM

Updated:: 2022/03/21 4:11 PM

Resolved:: 2022/03/21 4:11 PM

Details

Description

Epic Goal

Why is this important?

Scenarios (sub-epics)

Acceptance Criteria

Dependencies (internal and external)

Previous Work (Optional):

Open questions:

Done Checklist

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates