feat: identity group auth #497
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
5 tasks
bburky
previously requested changes
Jun 24, 2024
mjnagel
reviewed
Jun 27, 2024
mjnagel
reviewed
Jun 27, 2024
mjnagel
approved these changes
Jun 28, 2024
UnicornChance
dismissed
bburky’s stale review
requested changes have been addressed, gh pr seems to think they weren't
mjnagel
pushed a commit
that referenced
this pull request
Jul 8, 2024
🤖 I have created a release *beep* *boop* --- ## [0.23.0](v0.22.2...v0.23.0) (2024-07-04) ### ⚠ BREAKING CHANGES * remove emulated gitlab endpoints from keycloak ([#483](#483)) ### Features * identity group auth ([#497](#497)) ([d71d83e](d71d83e)) ### Bug Fixes * **docs:** re-ordered small paragraphs, clarified wording, and added links to tech homepages ([#531](#531)) ([6b2b46b](6b2b46b)) * **docs:** removed double-link which broke the markdown formatting in pr template ([#532](#532)) ([f41ced4](f41ced4)) * **docs:** uds-config.yaml example in k3d-slim-dev README ([#530](#530)) ([2e1c53e](2e1c53e)) * operator retries and error logging ([#511](#511)) ([cae5aab](cae5aab)) ### Miscellaneous * **deps:** update checkout action to latest sha ([#481](#481)) ([c6f0137](c6f0137)) * **deps:** update dependency weaveworks/eksctl to v0.183.0 ([#499](#499)) ([9cb8e4d](9cb8e4d)) * **deps:** update grafana to 11.1.0 ([#380](#380)) ([499058a](499058a)) * **deps:** update istio to v1.22.2 ([#512](#512)) ([dcdadb4](dcdadb4)) * **deps:** update jest to v29.1.5 ([#485](#485)) ([9c392b9](9c392b9)) * **deps:** update neuvector to 5.3.3 ([#467](#467)) ([261057d](261057d)) * **deps:** update pepr to 0.32.2 ([#473](#473)) ([ab4bee9](ab4bee9)) * **deps:** update pepr to 0.32.3 ([#494](#494)) ([2e28897](2e28897)) * **deps:** update pepr to 0.32.6 ([#516](#516)) ([a9d3eec](a9d3eec)) * **deps:** update promtail to 3.1.0 ([#335](#335)) ([4457fce](4457fce)) * **deps:** update uds to v0.12.0 ([#521](#521)) ([8e587ff](8e587ff)) * **deps:** update uds-common tasks to 0.6.1 ([#498](#498)) ([4aa6e33](4aa6e33)) * **deps:** update zarf to v0.35.0 ([#490](#490)) ([86957cf](86957cf)) * docs linting changes ([#505](#505)) ([0fe2015](0fe2015)) * remove emulated gitlab endpoints from keycloak ([#483](#483)) ([495960c](495960c)) * update docs for group auth and readme for docs site ([#540](#540)) ([ace7041](ace7041)) --- This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please). Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
rjferguson21
pushed a commit
that referenced
this pull request
Jul 11, 2024
## Description Identity Plugin Pepr component for managing group authorization to applications. This is only the implementation, meaning a package (i.e. grafana) will need to be configured for this to work. This is also dependent on a new release of uds-identity-config. ## How to test Update the identity config image [here](https://github.com/defenseunicorns/uds-core/blob/main/src/keycloak/zarf.yaml#L24) and [here](https://github.com/defenseunicorns/uds-core/blob/main/src/keycloak/chart/values.yaml#L10) to include/change : `ttl.sh/uds-core-config:group-plugin-groups-attribute` In addition to the identity config image, update the grafana package to require a specific group to access the application like so: ```yaml apiVersion: uds.dev/v1alpha1 kind: Package metadata: name: grafana namespace: {{ .Release.Namespace }} spec: sso: - name: Grafana Dashboard clientId: uds-core-admin-grafana redirectUris: - "https://grafana.admin.{{ .Values.domain }}/login/generic_oauth" groups: anyOf: - /UDS Core/Admin ``` With those changes utilize the `test-uds-core` task to test, no user is created by default so either go into keycloak and setup the user manually or go to `sso.uds.dev` and register a user there, then navigate to the `grafana.admin.uds.dev` and you should be redirected to a login page and depending on if you're in the admin group or not be granted access to the grafana dashboard. ## Related Issue Relates to `uds-identity-config` [PR](defenseunicorns/uds-identity-config#107) ## Type of change - [ ] Bug fix (non-breaking change which fixes an issue) - [x] New feature (non-breaking change which adds functionality) - [ ] Other (security config, docs update, etc) ## Checklist before merging - [x] Test, docs, adr added or updated as needed - [x] [Contributor Guide Steps](https://github.com/defenseunicorns/uds-template-capability/blob/main/CONTRIBUTING.md)(https://github.com/defenseunicorns/uds-template-capability/blob/main/CONTRIBUTING.md#submitting-a-pull-request) followed
rjferguson21
pushed a commit
that referenced
this pull request
Jul 11, 2024
🤖 I have created a release *beep* *boop* --- ## [0.23.0](v0.22.2...v0.23.0) (2024-07-04) ### ⚠ BREAKING CHANGES * remove emulated gitlab endpoints from keycloak ([#483](#483)) ### Features * identity group auth ([#497](#497)) ([d71d83e](d71d83e)) ### Bug Fixes * **docs:** re-ordered small paragraphs, clarified wording, and added links to tech homepages ([#531](#531)) ([6b2b46b](6b2b46b)) * **docs:** removed double-link which broke the markdown formatting in pr template ([#532](#532)) ([f41ced4](f41ced4)) * **docs:** uds-config.yaml example in k3d-slim-dev README ([#530](#530)) ([2e1c53e](2e1c53e)) * operator retries and error logging ([#511](#511)) ([cae5aab](cae5aab)) ### Miscellaneous * **deps:** update checkout action to latest sha ([#481](#481)) ([c6f0137](c6f0137)) * **deps:** update dependency weaveworks/eksctl to v0.183.0 ([#499](#499)) ([9cb8e4d](9cb8e4d)) * **deps:** update grafana to 11.1.0 ([#380](#380)) ([499058a](499058a)) * **deps:** update istio to v1.22.2 ([#512](#512)) ([dcdadb4](dcdadb4)) * **deps:** update jest to v29.1.5 ([#485](#485)) ([9c392b9](9c392b9)) * **deps:** update neuvector to 5.3.3 ([#467](#467)) ([261057d](261057d)) * **deps:** update pepr to 0.32.2 ([#473](#473)) ([ab4bee9](ab4bee9)) * **deps:** update pepr to 0.32.3 ([#494](#494)) ([2e28897](2e28897)) * **deps:** update pepr to 0.32.6 ([#516](#516)) ([a9d3eec](a9d3eec)) * **deps:** update promtail to 3.1.0 ([#335](#335)) ([4457fce](4457fce)) * **deps:** update uds to v0.12.0 ([#521](#521)) ([8e587ff](8e587ff)) * **deps:** update uds-common tasks to 0.6.1 ([#498](#498)) ([4aa6e33](4aa6e33)) * **deps:** update zarf to v0.35.0 ([#490](#490)) ([86957cf](86957cf)) * docs linting changes ([#505](#505)) ([0fe2015](0fe2015)) * remove emulated gitlab endpoints from keycloak ([#483](#483)) ([495960c](495960c)) * update docs for group auth and readme for docs site ([#540](#540)) ([ace7041](ace7041)) --- This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please). Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
Identity Plugin Pepr component for managing group authorization to applications. This is only the implementation, meaning a package (i.e. grafana) will need to be configured for this to work. This is also dependent on a new release of uds-identity-config.
How to test
Update the identity config image here and here to include/change :
ttl.sh/uds-core-config:group-plugin-groups-attributeIn addition to the identity config image, update the grafana package to require a specific group to access the application like so:
With those changes utilize the
test-uds-coretask to test, no user is created by default so either go into keycloak and setup the user manually or go tosso.uds.devand register a user there, then navigate to thegrafana.admin.uds.devand you should be redirected to a login page and depending on if you're in the admin group or not be granted access to the grafana dashboard.Related Issue
Relates to
uds-identity-configPRType of change
Checklist before merging