Active directory login is making entry of username in webapi.sec_role #1373

ambuj369 opened this issue Nov 25, 2019 · 4 comments

@ambuj369
Hello,

I have integrated Active Directory with Atlas, which is working as expected except for a few issues which I would like to bring to your notice to see if any alternative solution or build is available to fix them.

Issue 1: An Active Directory user has to log in as "mydomain\username". How can we stop adding the domain name every time we log in?

Issue 2: Once logged in, can we have a default role that will be applied to the users logging in for the first time?

Issue 3: Why is the login information getting stored in the webapi.sec_role table (attached screenshot)? This looks like a security breach.

WebAPI version - 2.7.4
Atlas - 2.7.4
DB - PostgreSQL

Thank You

@konstjar
Contributor

Hello

  1. Yes, you can remove the domain name by setting the correct values depending on your AD configuration:
     security.ad.principalSuffix=@domain.com
     security.ad.userMapping.displaynameAttr={AD property for username without domain}
  2. This is a more interesting topic. I see 2 options here:
     • Add the needed permissions to the 'public' role. This role is granted by default.
     • The more correct way is to use the AD import/synchronization option and map an Atlas role to an AD group. This can be done by configuring ATLAS to use the AD global catalogue.
  3. Each user gets a role with the same name. It's not visible in the UI but is used by WebAPI to track user permissions for created content. This is per design and is not an issue.

@ambuj369
Author

@konstjar
Thank you for clearing things up. Based upon the answers provided, I have a few questions to address:

  1. Yes, you can remove the domain name by setting the correct values depending on your AD configuration
     security.ad.principalSuffix=@domain.com
     security.ad.userMapping.displaynameAttr={AD property for username without domain}
     Q: Assuming the domain name is @gmail.com, which will be put under security.ad.principalSuffix. What should I add to security.ad.userMapping.displaynameAttr? Should it be the "domain" which I have to enter along with the username, for example domainname\username? So, will putting security.ad.userMapping.displaynameAttr=domainname work, or should I use security.ad.userMapping.displaynameAttr={AD property for username without domain}?

  2. End users do not want to have all the users imported from AD to Atlas, which is why only a few users from AD will log in and they will get the public role. Is that correct?

  3. Storing usernames in webapi.sec_role; wouldn't it be a security breach? Even though it is not meant to be shown on the Atlas screen, any user with webapi access can read out the usernames in it. Is there a way not to populate them in the table?

Thank You

@konstjar
Contributor

@ambuj369

  1. security.ad.userMapping.displaynameAttr - you need to check your AD; for example, use the ldapsearch tool to get the record for your own user and identify which field is best to use. Each organization has its own rules/AD structure. It should be the field with the user name without the domain name.

  2. If you need only a few users to be authenticated, you can assign roles manually in ATLAS when they log in. Or you can create an AD group with these users to map to ATLAS roles.

  3. It's more of a question for the developers/community. I think there is no option to prevent adding records to the webapi.sec_role table. These user roles are 100% not listed in the ATLAS UI.
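
The attribute check described in this thread, as an added example that is not part of the issue or of the WebAPI project: it parses a constructed ldapsearch LDIF record for one user, derives the security.ad.principalSuffix value from userPrincipalName, and lists which attributes hold the bare user name and so are candidates for security.ad.userMapping.displaynameAttr. The attribute names (sAMAccountName, userPrincipalName) are common AD attributes; the record itself is made up.

```python
# Added example: find candidate values for the two WebAPI AD settings
# discussed in this thread from an ldapsearch record. The LDIF below is
# constructed sample data, not a real directory entry.

SAMPLE_LDIF = """\
dn: CN=Jane Doe,OU=Users,DC=example,DC=com
cn: Jane Doe
displayName: Jane Doe
sAMAccountName: jdoe
userPrincipalName: jdoe@example.com
mail: jane.doe@example.com
memberOf: CN=atlas_users,OU=Groups,DC=example,DC=com
"""

def parse_ldif(text):
    """Parse a single LDIF record into {attribute: [values]}.

    Folded continuation lines (leading space) are joined to the previous
    line; comment lines and blank lines are skipped.
    """
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # LDIF line continuation
            lines[-1] += raw[1:]
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    record = {}
    for line in lines:
        attr, _, value = line.partition(":")
        record.setdefault(attr.strip(), []).append(value.strip())
    return record

def suggest_settings(record):
    """Return (principalSuffix, [candidate displaynameAttr names]).

    Returns (None, []) when the record has no usable userPrincipalName.
    """
    upn = record.get("userPrincipalName", [None])[0]
    if not upn or "@" not in upn:
        return None, []
    local, domain = upn.split("@", 1)
    suffix = "@" + domain                       # security.ad.principalSuffix
    # A single-valued attribute equal to the UPN local part is a user name
    # without the domain, i.e. a candidate for displaynameAttr.
    candidates = [a for a, v in record.items()
                  if a != "userPrincipalName" and len(v) == 1 and v[0] == local]
    return suffix, candidates

if __name__ == "__main__":
    suffix, attrs = suggest_settings(parse_ldif(SAMPLE_LDIF))
    print(f"security.ad.principalSuffix={suffix}")
    for attr in attrs:
        print(f"security.ad.userMapping.displaynameAttr={attr}")
```

Run it against the output of ldapsearch for your own account to see which attribute your directory actually uses, since, as noted above, each organization's AD structure differs.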

@anthonysena anthonysena added this to the V2.8.0 - Backlog milestone Dec 10, 2019
@anthonysena anthonysena self-assigned this Dec 10, 2019
@anthonysena anthonysena added this to TO DO in Atlas v2.8 via automation Apr 21, 2020
@anthonysena anthonysena moved this from TO DO to Documentation in Atlas v2.8 Apr 21, 2020
@anthonysena
Collaborator

Wiki updated to reflect this information.
