Uploaded image for project: 'Red Hat Cluster Management Cloud Services'
  1. Red Hat Cluster Management Cloud Services
  2. CMCS-68

RFE Option to configure username character case behavior in Identitatem

XMLWordPrintable

      Epic Goal

      • We would like an option to configure username character CaSe behavior in Identitatem.

      Why is this important?

      • Users want consistency with the way that their username appears in the user interface.
      • This not an issue for smaller clusters with not that many RBAC.
      • But for customers with thousands of users with established groups/RBAC, this will be cumbersome to update.
      • An option to modify user character CaSe would be useful.

      Scenarios

      1. When configuring GitHub authentication via Identitatem, we (Operate First) encountered the following scenario:

      – OCP cluster (client) has OAuth via keycloak – using GitHub as underlying idp so, usernames are mapped to github usernames
      – Keycloak converts github usernames to lowercase  
      – All our RBAC in OCP uses these lowercase ocp usernames
      – Switch same cluster Oauth via identitatem – using GitHub as underlying idp
      – Now identitatem maintains character cases in github usernames, so now some OCP usernames are not fully lowercase, invalidating the OCP RBAC (ocp groups seem to be case sensitive)

      Example:

      ~ $ oc whoami
kube:admin

~ $ oc get group cluster-admins -o=jsonpath='{.users[0]}{"\n"}'                   
humairak

~ $ oc login --token=$(pbpaste) --server=https://api.morty.emea.operate-first.cloud:6443  
Logged into "https://api.morty.emea.operate-first.cloud:6443" as "HumairAK" 

~ $ oc whoami
HumairAK

~ $ oc get group cluster-admins -o=jsonpath='{.users[0]}{"\n"}'
Error from server (Forbidden): groups.user.openshift.io "cluster-admins" is forbidden: User "HumairAK" cannot get re
source "groups" in API group "user.openshift.io" at the cluster scope

~ $

      Acceptance Criteria

      • CI - MUST be running successfully with tests automated
      • Release Technical Enablement - Provide necessary release enablement details and documents.
      • ...

      Dependencies (internal and external)

      1. ...

      Previous Work (Optional):

      Open questions::

      Done Checklist

      • CI - CI is running, tests are automated and merged.
      • Release Enablement <link to Feature Enablement Presentation>
      • DEV - Upstream code and tests merged: <link to meaningful PR or GitHub Issue>
      • DEV - Upstream documentation merged: <link to meaningful PR or GitHub Issue>
      • DEV - Downstream build attached to advisory: <link to errata>
      • QE - Test plans in Polarion: <link or reference to Polarion>
      • QE - Automated tests merged: <link or reference to automated tests>
      • DOC - Downstream documentation merged: <link to meaningful PR>

       

              sberens@redhat.com Scott Berens
              humairkhan Humair Khan
              Brian King Brian King
              Robin Bobbitt Robin Bobbitt
              Timothy Pouyer Timothy Pouyer
              Scott Berens Scott Berens
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

                Created:
                Updated: