
Allow team synchronization via Quay OIDC configuration


• Type: Feature
• Resolution: Done
• Priority: Critical
• Labels: -area/auth, quay
• BU Product Work
• 0% To Do, 0% In Progress, 100% Done

Goal

• Enable customers who use an OIDC identity provider that supports user groups to connect team definitions in Quay to OIDC user groups, so that repository permissions can be applied to a variable set of users

Why is this important?

• We currently support team synchronization with LDAP groups, which allows flexible permission assignment to groups of users identified by an LDAP query
• However, users are increasingly moving to OIDC-based identity providers such as Azure Active Directory as the central authentication source
• Without equivalent OIDC group sync support, users are forced to manually create group definitions in Quay and keep them in sync with an OIDC group, which is not scalable
• Users typically use group membership to tie a user to a certain role in the company or department, on the basis of which the user should be given a limited set of permissions

Scenarios

1. A Quay admin has configured an OIDC identity provider for Quay and configured a claim that carries the group membership data
2. A Quay organization owner can use the team sync feature to create teams in their organization and tie each team to a group in the OIDC provider via the group name
3. A Quay user whose OIDC identity is part of potentially several groups gets permissions in a Quay organization through one or more teams associated with groups the user is a member of in the OIDC backend
4. When group membership is updated in the OIDC provider's backend and the user either ceases to be a member of a certain group or becomes a member of a new group, this change is immediately taken into account in Quay when scoping the permissions of the user in question

Acceptance Criteria

• Quay allows configuring the field name used for group data in the OIDC claim
• Quay allows tying team definitions to OIDC group definitions
• Quay matches the team definitions against the OIDC-supplied group membership of every user and adds the respective team permissions to the user's scope
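The scenarios and acceptance criteria above describe one resolution step: read the configured group claim from a verified ID token, match it against team-to-group bindings, and apply both additions and removals on every login. The following is an added illustration, not Quay code; the claim payload, the `TEAM_BINDINGS` table and the `(org, team)` tuple shape are constructed for the example.

```python
from __future__ import annotations

# Constructed sample: the decoded payload of an ID token that has already been
# signature-verified. The group claim name ("groups") is the admin-configurable
# field from the acceptance criteria.
SAMPLE_CLAIMS = {
    "sub": "user-123",
    "preferred_username": "alice",
    "groups": ["quay-readers", "quay-ci-writers"],
}

# Constructed team-sync bindings: (organization, team) -> OIDC group name.
TEAM_BINDINGS = {
    ("acme", "readers"): "quay-readers",
    ("acme", "ci-writers"): "quay-ci-writers",
    ("acme", "admins"): "quay-admins",
}


def groups_from_claims(claims: dict, group_claim: str) -> set[str]:
    """Return the group names found in the configured claim field.

    A missing or malformed claim yields an empty set, so the user ends up in
    no synced team (fail closed) instead of keeping stale membership.
    """
    value = claims.get(group_claim)
    if isinstance(value, str):
        value = [value]
    if not isinstance(value, list):
        return set()
    return {g for g in value if isinstance(g, str)}


def sync_team_membership(current_teams, claims: dict, group_claim: str,
                         bindings: dict) -> tuple[set, set]:
    """Compute (teams_to_add, teams_to_remove) for one login.

    Only teams bound to an OIDC group are touched; teams managed by hand stay
    as they are. Removal implements scenario 4: a group dropped from the
    latest claim revokes the matching team membership.
    """
    groups = groups_from_claims(claims, group_claim)
    desired = {team for team, group in bindings.items() if group in groups}
    synced = set(bindings)
    current = set(current_teams) & synced
    return desired - current, current - desired
```

Because of the Azure Active Directory limit noted under Dependencies, a token may arrive without a usable group claim for users in many groups; treating that as "no groups" keeps the sync fail-closed rather than silently granting stale permissions.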

Dependencies (internal and external)

1. Azure Active Directory has a limitation of 200 groups whose membership can be returned in a JWT token (https://learn.microsoft.com/en-us/security/zero-trust/develop/configure-tokens-group-claims-app-roles)

Open questions:

1. OpenShift automatically creates groups in the system as they appear in OIDC claims for users, and it also automatically updates group membership in OpenShift based on the most recent OIDC claim for every user. Should Quay do the same and offer to auto-populate group definitions in all / selected organizations?

Done Checklist

• CI - CI is running, tests are automated and merged.
• Release Enablement <link to Feature Enablement Presentation>
• DEV - Upstream code and tests merged: <link to meaningful PR or GitHub Issue>
• DEV - Upstream documentation merged: <link to meaningful PR or GitHub Issue>
• DEV - Downstream build attached to advisory: <link to errata>
• QE - Test plans in Polarion: <link or reference to Polarion>
• QE - Automated tests merged: <link or reference to automated tests>
• DOC - Downstream documentation merged: <link to meaningful PR>


Sunanda Dadi (sdadi@redhat.com)
Daniel Messer
Eric Rich