[SCIM] make oidc_group_claim and oidc_group_role_sync_strict user-modifiable#36775
Merged
mtabebe merged 1 commit, May 29, 2026
jubrad approved these changes, May 28, 2026
def- (Contributor) reviewed, May 29, 2026, and left a comment:
Both oidc_group_claim and oidc_group_role_sync_strict are dyncfg-backed, and all dyncfgs register with user_visible: false. The ALTER SYSTEM SET authorization path calls var.visible(), which rejects user_visible: false vars for anyone who isn't mz_system/mz_support. So an environment superuser (a Superuser that is not internal) still can't set or use them. Is that intentional?
Reproducer:

```testdrive
$ postgres-connect name=mz_system url=postgres://mz_system:materialize@${testdrive.materialize-internal-sql-addr}
$ postgres-execute connection=mz_system
CREATE ROLE env_superuser SUPERUSER LOGIN;

$ postgres-connect name=env_superuser url=postgres://env_superuser@${testdrive.materialize-sql-addr}

# Control: a user-modifiable + user-visible var works, proving env_superuser is a
# real superuser (not a "must be a superuser" rejection).
$ postgres-execute connection=env_superuser
ALTER SYSTEM SET cluster TO quickstart;

# Regression: fails on the buggy code with "unrecognized configuration parameter".
$ postgres-execute connection=env_superuser
ALTER SYSTEM SET oidc_group_claim = 'my_groups';
ALTER SYSTEM SET oidc_group_role_sync_strict = on;

> SHOW oidc_group_claim
my_groups

> SHOW oidc_group_role_sync_strict
on
```

Fails with:

```
>> ALTER SYSTEM SET oidc_group_claim = 'my_groups';
^^^ +++
oidc-group-sync-vars.td:45:1: error: executing postgres query: db error: ERROR: unrecognized configuration parameter "oidc_group_claim"
```
Member, in reply:
Yeah, I thought this would work as well, but this should follow the pattern for vars in
Allow environment superusers to configure OIDC group-sync settings via ALTER SYSTEM SET without needing mz_system access. This is appropriate since these control how a customer's own OIDC claims map to roles.
Fixes SQL-321