Support groups claims in dex static connector #3396

Closed
piotrmsc opened this issue Mar 28, 2019 · 9 comments
Labels
area/security Issues or PRs related to security area/service-mesh Issues or PRs related to service-mesh kind/feature Categorizes issue or PR as related to a new feature.


piotrmsc commented Mar 28, 2019

Description
Currently, our RBAC roles are bound to static users via email, which is fine but tedious. In order to simulate a production use case and enable proper e2e tests, we need a group claim in the JWT.

  • We have to check if the latest version of dex supports it; if so, then upgrade dex in kyma.
  • If it still does not support it (previously they did not want that in the static connector), then we need to fork it and add our implementation. The fork should be placed in kyma-incubator (if not already done in Browser cache needs to be cleared before opening console after kyma restart #2203).
  • Add "kyma-admins" group to admin user in dex-users-secrets.yaml and "kyma-developers" group to developer static user.
  • Remove the clusterrolebinding to "admin@kyma.cx" user and replace it with binding to group "kyma-admins". Note we do not create a binding for cluster role "kyma-developer" here. This is done by the admin to a specific namespace by role binding in the console.

You can use our old implementation as a reference from here dexidp/dex#1080

Reasons

Currently, the Dex version used in Kyma does not support groups in JWT claims in the static connector. With a groups claim in the JWT, we can easily test integration scenarios, for example in apiserver-proxy, simulating production use of roles assigned to groups instead of user emails.

Attachments
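
The effect of the change requested above, as an added example (not code from Kyma or dex): a binding to the group "kyma-admins" grants nothing to a token that carries only an email, and starts matching once the token has a groups claim. The binding model is simplified, the role name `example-admin-role` is hypothetical, and the tokens are constructed and unsigned; a real verifier checks the signature before reading claims.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// Claims holds the two ID-token claims the issue discusses.
type Claims struct {
	Email  string   `json:"email"`
	Groups []string `json:"groups"`
}
type Binding struct{ Role, Kind, Name string } // simplified RBAC binding; Kind is "User" or "Group"

// MakeToken builds a constructed, unsigned token for this demo only.
func MakeToken(c Claims) string {
	body, _ := json.Marshal(c)
	return "e30." + base64.RawURLEncoding.EncodeToString(body) + "."
}

// RolesFor decodes the payload (no signature check: demo input only) and returns the roles bound to its email or groups.
func RolesFor(token string, bindings []Binding) (roles []string) {
	var c Claims
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil // malformed token: grant nothing
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil || json.Unmarshal(raw, &c) != nil {
		return nil
	}
	subjects := map[string][]string{"User": {c.Email}, "Group": c.Groups}
	for _, b := range bindings {
		for _, name := range subjects[b.Kind] {
			if name == b.Name {
				roles = append(roles, b.Role)
				break
			}
		}
	}
	return roles
}

func main() {
	byGroup := []Binding{{"example-admin-role", "Group", "kyma-admins"}} // hypothetical role name
	fmt.Println(RolesFor(MakeToken(Claims{Email: "admin@kyma.cx"}), byGroup))
	fmt.Println(RolesFor(MakeToken(Claims{"admin@kyma.cx", []string{"kyma-admins"}}), byGroup))
}
```
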

@piotrmsc piotrmsc added this to the Backlog_Goat milestone Mar 28, 2019
@piotrmsc piotrmsc added area/security Issues or PRs related to security kind/feature Categorizes issue or PR as related to a new feature. area/service-mesh Issues or PRs related to service-mesh labels Mar 28, 2019
@piotrmsc piotrmsc modified the milestones: Backlog_Goat, Sprint_Goat_10 Apr 1, 2019
@piotrmsc piotrmsc modified the milestones: Sprint_Goat_10, Backlog_Goat Apr 3, 2019

stale bot commented Jun 2, 2019

This issue has been automatically marked as stale due to the lack of recent activity. It will soon be closed if no further activity occurs. Thank you for your contributions.

@stale stale bot added the stale label Jun 2, 2019
@Disper Disper removed the stale label Jun 5, 2019

stale bot commented Aug 4, 2019

This issue has been automatically marked as stale due to the lack of recent activity. It will soon be closed if no further activity occurs. Thank you for your contributions.

@stale stale bot added the stale label Aug 4, 2019
@piotrmsc piotrmsc removed the stale label Aug 5, 2019

stale bot commented Oct 4, 2019

This issue has been automatically marked as stale due to the lack of recent activity. It will soon be closed if no further activity occurs. Thank you for your contributions.

@stale stale bot added the stale label Oct 4, 2019
@piotrmsc piotrmsc removed the stale label Oct 4, 2019

stale bot commented Dec 3, 2019

This issue has been automatically marked as stale due to the lack of recent activity. It will soon be closed if no further activity occurs. Thank you for your contributions.

@stale stale bot added the stale label Dec 3, 2019
@Demonsthere Demonsthere removed the stale label Dec 4, 2019

stale bot commented Feb 2, 2020

This issue has been automatically marked as stale due to the lack of recent activity. It will soon be closed if no further activity occurs. Thank you for your contributions.

@stale stale bot added the stale label Feb 2, 2020
@jakkab jakkab removed the stale label Feb 5, 2020

stale bot commented Apr 5, 2020

This issue has been automatically marked as stale due to the lack of recent activity. It will soon be closed if no further activity occurs. Thank you for your contributions.

@stale stale bot added the stale label Apr 5, 2020
@piotrmsc piotrmsc removed the stale label Apr 6, 2020
@pbochynski pbochynski removed this from the Backlog_Goat milestone May 27, 2020
@piotrmsc piotrmsc self-assigned this May 29, 2020

stale bot commented Jul 29, 2020

This issue has been automatically marked as stale due to the lack of recent activity. It will soon be closed if no further activity occurs. Thank you for your contributions.

@stale stale bot added the stale label Jul 29, 2020
@jakkab jakkab removed the stale label Jul 29, 2020

stale bot commented Sep 27, 2020

This issue has been automatically marked as stale due to the lack of recent activity. It will soon be closed if no further activity occurs. Thank you for your contributions.

@stale stale bot added the stale label Sep 27, 2020

piotrmsc commented Oct 1, 2020

We will not implement this; currently we are aiming to get rid of our fork of dex. The ticket should be reopened if we decide that a) we still need that, b) we will maintain the fork.

@piotrmsc piotrmsc closed this as completed Oct 1, 2020
@piotrmsc piotrmsc removed the stale label Oct 1, 2020