Hybrid Cloud Console / RHCLOUD-34770

(User import job) Bootstrap existing Tenants, default group members, and user_id (standard JWT "sub") so access checks work and can use JWTs or identity header without having to use PII or lookup UUID from RBAC


    • 5
    • Access & Management Sprint 96, Access & Management Sprint 97, Access & Management Sprint 98

      We can't use the principal's UUID created by RBAC in the relationships, because then any permission check would need the UUID from RBAC.

      We also don't want to use username because we don't want to store PII in the Relations data, and usernames can change in some circumstances.

      The user service user ID (sub value from properly formed tokens) should be used instead.

      • Make use of the exported data from IT DBA to populate this.
      • Update principal objects to store this information so it can be leveraged by dual write & default group migrator.

      This will be a ClowderJobInvocation using an RBAC command.

      This should probably be combined with RHCLOUD-34859.

            rh-ee-zhzeng Jay Zeng