Uploaded image for project: 'Project Quay'
  1. Project Quay
  2. PROJQUAY-6239

Allow team synchronization via Quay OIDC configuration

    XMLWordPrintable

Details

    • Feature
    • Resolution: Done
    • Critical
    • None
    • None
    • -area/auth, quay
    • False
    • None
    • False
    • Not Selected
    • 100
    • 100% 100%
    • 0

    Description

      Goal

      • Enable customers to leverage an OIDC identity provider that supports grouping users to connect team definitions in Quay to OIDC user groups so they can apply repository permissions to an variable set of users

      Why is this important?

      • We currently support team synchronization with LDAP groups to allow flexible permission assignments to groups of users identified by an LDAP query
      • however users are increasingly moving to OIDC-based identity providers such as Azure Active Directory as the central authentication source
      • Without an equivalent OIDC group sync support, users are forced to manually create and sync group definitions in Quay with an OIDC group which is not scalable
      • Users typically leverage group membership of users to tie them to a certain role in the company or department on the basis of which they should be given a limited set of permissions. 

      Scenarios

      1. A Quay admin has configured an OIDC identity provider for Quay and configured a claim for the group membership data
      2. A Quay organization owner can leverage the team sync feature to create teams in their organization and tie them to a group used in the OIDC provider via the group name
      3. A Quay user, which OIDC identity is part of potentially several groups, gets permission in a Quay organization as part of one or more team being associated with groups the user is a member of in the OIDC backend
      4. When group membership is updated in the OIDC providers backend and the users either ceases to be member of a certain group or becomes member of a new group, this information is immediately taken into account inside Quay when scoping the permissions of the user in question

      Acceptance Criteria

      • Quay allows to configure the field name used for group data in an OIDC claim
      • Quay allows to tie team definitions to OIDC group definitions
      • Quay matches the team definitions to OIDC-supplied group membership of every user and adds the respective team permissions to the scope of the user

      Dependencies (internal and external)

      1. Azure Active Directory has a limitation of 200 groups which membership can be returned via a JWT token (https://learn.microsoft.com/en-us/security/zero-trust/develop/configure-tokens-group-claims-app-roles)

      Open questions:

      1. OpenShift automatically creates groups in the system as they appear in OIDC claims for users, it also automatically updates group membership in OpenShift based on the most recent OIDC claim for every user - should Quay do the same and offer to auto-populate group definitions in all / select organizations?

      Done Checklist

      • CI - CI is running, tests are automated and merged.
      • Release Enablement <link to Feature Enablement Presentation>
      • DEV - Upstream code and tests merged: <link to meaningful PR or GitHub Issue>
      • DEV - Upstream documentation merged: <link to meaningful PR or GitHub Issue>
      • DEV - Downstream build attached to advisory: <link to errata>
      • QE - Test plans in Polarion: <link or reference to Polarion>
      • QE - Automated tests merged: <link or reference to automated tests>
      • DOC - Downstream documentation merged: <link to meaningful PR>

       

      Attachments

        Issue Links

          incorporates

          Feature Request - Feature requests from customers and/or users RFE-4419 RFE - Allow team synchronization via Quay OIDC configuration

          • Undefined - Priority not specified.
          • Accepted
          relates to

          Story - Created by Jira Software - do not edit or delete. Issue type for a user story. PROJQUAY-673 OpenShift OAuth Integration

          • Normal - To be worked after urgent and high priorities are resolved. This term is chosen when the severity of an issue is relatively close to the level of effort to fix it. The existence of an easily implemented workaround can also lead to this priority level instead of a higher priority.
          • New

          Activity

            People

              sdadi@redhat.com Sunanda Dadi
              DanielMesser Daniel Messer
              Eric Rich Eric Rich
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: