Uploaded image for project: 'Red Hat Internal Developer Platform'
  1. Red Hat Internal Developer Platform
  2. RHIDP-2736

Force catalog ingestion for production users

Prepare for Y ReleasePrepare for Z ReleaseRemove QuarterXMLWordPrintable

    • Icon: Epic Epic
    • Resolution: Done
    • Icon: Undefined Undefined
    • 1.3
    • None
    • Security
    • None
    • Force catalog ingestion for prod users
    • False
    • Hide

      None

      Show
      None
    • False
    • To Do
    • RHIDP-2999 - Standardize authentication providers
    • QE Needed, Docs Needed, TE Needed, Customer Facing, PX Needed
    • 0% To Do, 0% In Progress, 100% Done
    • Hide
      By default, it is now required for the user entity to exist in the software catalog to allow sign in.
      This is required for production ready deployments since identities need to exist and originate from a trusted source (i.e. the Identity Provider) in order for security controls such as RBAC and Audit logging to be effective.
      To bypass this, enable the `dangerouslySignInWithoutUserInCatalog` configuration that allows sign in without the user being in the catalog.
      Enabling this option is dangerous as it might allow unauthorized users to gain access.
      Show
      By default, it is now required for the user entity to exist in the software catalog to allow sign in. This is required for production ready deployments since identities need to exist and originate from a trusted source (i.e. the Identity Provider) in order for security controls such as RBAC and Audit logging to be effective. To bypass this, enable the `dangerouslySignInWithoutUserInCatalog` configuration that allows sign in without the user being in the catalog. Enabling this option is dangerous as it might allow unauthorized users to gain access.
    • Enhancement
    • Done

      EPIC Goal

      What are we trying to solve here?

      Currently, RHDH allows the configuration of auth providers without forcing the need to have catalog entities for users and groups. This is not a prod-ready configuration

      Background/Feature Origin

      Auth provider investigation revealed that many of our providers default to allowing sign-in without a pre-existing User/Group entity. The recommendation is to remove

      SignInWithCatalogUserOptional

      but in order to not break customers, allow it to work with development configs by default. If users switch to Prod, they will see an error

      Why is this important?

      This is a problem for prod ready deployments since identities need to exist and originate from a trusted source (the IdP) in order for security controls such as RBAC and Audit logging to be effective.

      User Scenarios

      • By default, RHDH will work the same way as long as config is designated as "development"
      • Users will encounter an error if production config is used

      Dependencies (internal and external)

      • There may be some upstream changes. Need to investigate

      Acceptance Criteria

      • Test changes
      • Update error message so it's informative enough to fix i.e. "deployment failed because users/groups need to be ingested"
      • Documentation

      Release Enablement/Demo - Provide necessary release enablement details
      and documents

      DEV - Upstream code and tests merged: <link to meaningful PR or GitHub
      Issue>

      DEV - Upstream documentation merged: <link to meaningful PR or GitHub
      Issue>

      DEV - Downstream build attached to advisory: <link to errata>

      QE - Test plans in Playwright: <link or reference to playwright>

      QE - Automated tests merged: <link or reference to automated tests>

      DOC - Downstream documentation merged: <link to meaningful PR>

            ktsao@redhat.com Kim Tsao
            ktsao@redhat.com Kim Tsao
            RHIDP - Security
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

              Created:
              Updated:
              Resolved: