Epic
Resolution: Done
Force catalog ingestion for prod users
RHIDP-2999 - Standardize authentication providers
QE Needed, Docs Needed, TE Needed, Customer Facing, PX Needed
0% To Do, 0% In Progress, 100% Done
Enhancement
EPIC Goal
What are we trying to solve here?
Currently, RHDH allows auth providers to be configured without requiring catalog entities for users and groups. This is not a prod-ready configuration.
Background/Feature Origin
Auth provider investigation revealed that many of our providers default to allowing sign-in without a pre-existing User/Group entity. The recommendation is to remove SignInWithCatalogUserOptional but, in order not to break customers, allow it to work with development configs by default. If users switch to Prod, they will see an error.
Why is this important?
This is a problem for prod-ready deployments, since identities need to exist and originate from a trusted source (the IdP) in order for security controls such as RBAC and audit logging to be effective.
User Scenarios
- By default, RHDH will work the same way as long as config is designated as "development"
- Users will encounter an error if production config is used
Dependencies (internal and external)
- There may be some upstream changes. Need to investigate
Acceptance Criteria
- Test changes
- Update the error message so it's informative enough to fix, i.e. "deployment failed because users/groups need to be ingested"
- Documentation
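The policy this epic describes, sketched as an added example (not RHDH or Backstage code): a sign-in resolver that requires a catalog User entity in production and permits the catalog-less fallback only in development. All type, function and field names are hypothetical, and the catalog is constructed sample data.

```typescript
// Hypothetical model of the sign-in policy in this epic; no name here is an
// RHDH or Backstage API.
type Environment = "development" | "production";
interface CatalogUser { entityRef: string; groups: string[] }
interface SignInResult {
  userEntityRef: string;
  ownershipEntityRefs: string[];
  fromCatalog: boolean;
}

// Constructed sample catalog, standing in for entities ingested from the IdP.
const sampleCatalog: Record<string, CatalogUser> = {
  alice: { entityRef: "user:default/alice", groups: ["group:default/platform"] },
};

class MissingCatalogUserError extends Error {
  constructor(username: string) {
    super(
      `Sign-in failed for "${username}": no matching User entity in the catalog. ` +
        "Users/groups need to be ingested from the identity provider first.",
    );
    this.name = "MissingCatalogUserError";
  }
}

function resolveSignIn(
  username: string,
  env: Environment,
  catalog: Record<string, CatalogUser> = sampleCatalog,
): SignInResult {
  // Reject names that could not safely be turned into an entity ref.
  if (!/^[a-z0-9._-]+$/.test(username)) {
    throw new Error("Sign-in failed: invalid username format");
  }
  const known = Object.prototype.hasOwnProperty.call(catalog, username);
  if (known) {
    const user = catalog[username];
    const refs = [user.entityRef, ...user.groups];
    return { userEntityRef: user.entityRef, ownershipEntityRefs: refs, fromCatalog: true };
  }
  // Production: the identity must originate from ingested catalog data.
  if (env === "production") {
    throw new MissingCatalogUserError(username);
  }
  // Development only: synthetic identity with no groups, so group-based RBAC
  // rules never match it and audit entries show fromCatalog = false.
  const ref = `user:default/${username}`;
  return { userEntityRef: ref, ownershipEntityRefs: [ref], fromCatalog: false };
}
```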
Release Enablement/Demo - Provide necessary release enablement details and documents
DEV - Upstream code and tests merged: <link to meaningful PR or GitHub Issue>
DEV - Upstream documentation merged: <link to meaningful PR or GitHub Issue>
DEV - Downstream build attached to advisory: <link to errata>
QE - Test plans in Playwright: <link or reference to playwright>
QE - Automated tests merged: <link or reference to automated tests>
DOC - Downstream documentation merged: <link to meaningful PR>
- is duplicated by RHIDP-3074 Signing in without user in the software catalog is now disabled by default (Closed)