
Gitlab OAuth Group Policy #99

Closed
LucienBrule opened this issue Feb 9, 2022 · 4 comments
Labels
lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed.

Comments

@LucienBrule

As a user I would like to be able to limit login from Gitlab to a subset of users, namely users who are part of my gitlab.com group.

The following would be how I expect this feature to be exposed:

```yaml
apiVersion: config.openshift.io/v1
kind: OAuth
metadata:
  name: cluster
spec:
  identityProviders:
  - name: gitlab
    mappingMethod: claim
    type: GitLab
    gitlab:
      clientID: {...}
      clientSecret:
        name: gitlab-secret
      url: https://gitlab.com
      ca:
        name: ca-config-map
      # by group name
      group: mygroup
      # by email ending
      domain: mydomain.com
```

The current behaviour is as follows:

Completion of the latest documentation leaves the cluster open to sign-ins from any user of gitlab.com.

This leaves an issue in that there is no way to control who can sign into a GitLab application from inside GitLab, thus the client must restrict auth.

The current documented solution is to make a mapping method for an identity provider, presumably setting this to lookup as per https://access.redhat.com/solutions/5487011 , which would lead to something like https://access.redhat.com/solutions/5389931 . Mind you, the documentation makes no mention of the permissive authentication, while on the Google and GitHub providers it is mentioned as a warning.

I found this PR #87, which adds a groupmapper, and found this issue https://issues.redhat.com/browse/RFE-106, which seems to be related.

Would it be possible to give GitLab users a way to lock their sign-ins to groups that isn't manual?

Corresponding support request: https://access.redhat.com/support/cases/#/case/03146331
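The following is an added illustration, not code from this issue or from OpenShift, of the three admission policies the report contrasts: the documented `mappingMethod: claim` (any authenticated gitlab.com identity gets a user), `mappingMethod: lookup` (only identities an administrator pre-provisioned are admitted), and the requested `group` / `domain` filters from the proposed config. The `Identity` record, its field names, the sample identities and the assumption that either configured filter matching is enough to admit are all constructed for the example; the point it makes is that the e-mail "ending" check must compare the full host after `@`, otherwise `user@evilmydomain.com` satisfies a filter for `mydomain.com`.

```python
"""Added example (not from the issue or from OpenShift): a small model of the
admission policies discussed for a GitLab identity provider.

The Identity schema and all sample records below are constructed for this
example and are not OpenShift's or GitLab's own data model.
"""
from dataclasses import dataclass, field
from typing import Callable, FrozenSet, List, Optional


@dataclass(frozen=True)
class Identity:
    # Assumed shape of what the provider hands back after the OAuth exchange.
    username: str
    email: str
    groups: FrozenSet[str] = field(default_factory=frozenset)


def admit_claim(identity: Identity) -> bool:
    # mappingMethod "claim": every identity the provider authenticated is
    # accepted and a cluster user is provisioned on first login. This is the
    # open-to-all-of-gitlab.com behaviour the issue describes.
    return True


def admit_lookup(identity: Identity, provisioned: FrozenSet[str]) -> bool:
    # mappingMethod "lookup": only usernames an administrator already mapped
    # are accepted; nothing is created automatically.
    return identity.username in provisioned


def email_in_domain(email: str, domain: str) -> bool:
    # Compare the host after the last "@" exactly (case-insensitively) rather
    # than with endswith(), so "mallory@evilmydomain.com" does not pass a
    # filter configured for "mydomain.com".
    _, sep, host = email.rpartition("@")
    return bool(sep) and host.lower() == domain.lower()


def admit_filtered(identity: Identity,
                   group: Optional[str] = None,
                   domain: Optional[str] = None) -> bool:
    # The requested feature: admit when the identity is in the configured
    # group or its e-mail is in the configured domain (assumption: either
    # filter matching is sufficient). With no filter configured, fall back
    # to the open "claim" behaviour.
    if group is None and domain is None:
        return True
    if group is not None and group in identity.groups:
        return True
    if domain is not None and email_in_domain(identity.email, domain):
        return True
    return False


# Constructed sample identities (not real accounts).
SAMPLE_IDENTITIES = (
    Identity("alice", "alice@mydomain.com", frozenset({"mygroup"})),
    Identity("bob", "bob@example.com", frozenset()),           # arbitrary gitlab.com user
    Identity("mallory", "mallory@evilmydomain.com", frozenset({"othergroup"})),
    Identity("carol", "carol@example.org", frozenset({"mygroup"})),
)
PROVISIONED = frozenset({"alice", "carol"})  # constructed admin allowlist


def admitted(policy: Callable[[Identity], bool]) -> List[str]:
    # Usernames the given policy would let sign in, in sample order.
    return [i.username for i in SAMPLE_IDENTITIES if policy(i)]


if __name__ == "__main__":
    print("claim:          ", admitted(admit_claim))
    print("lookup:         ", admitted(lambda i: admit_lookup(i, PROVISIONED)))
    print("group=mygroup:  ", admitted(lambda i: admit_filtered(i, group="mygroup")))
    print("domain=mydomain:", admitted(lambda i: admit_filtered(i, domain="mydomain.com")))
```

One design point the issue implies but does not spell out: the `groups` list used by `admit_filtered` has to come from the provider itself (looked up server-side after the token exchange, which is what a group mapper such as the one in PR #87 would do), never from anything the signing-in user can supply, otherwise the group filter is only as strong as the claim the user presents.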

@openshift-bot
Contributor

Issues go stale after 90d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle stale

@openshift-ci openshift-ci bot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label May 11, 2022
@openshift-bot
Contributor

Stale issues rot after 30d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.
Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle rotten
/remove-lifecycle stale

@openshift-ci openshift-ci bot added lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. labels Jun 10, 2022
@openshift-bot
Contributor

Rotten issues close after 30d of inactivity.

Reopen the issue by commenting /reopen.
Mark the issue as fresh by commenting /remove-lifecycle rotten.
Exclude this issue from closing again by commenting /lifecycle frozen.

/close

@openshift-ci openshift-ci bot closed this as completed Jul 10, 2022
@openshift-ci
Contributor

openshift-ci bot commented Jul 10, 2022

@openshift-bot: Closing this issue.

In response to this:

Rotten issues close after 30d of inactivity.

Reopen the issue by commenting /reopen.
Mark the issue as fresh by commenting /remove-lifecycle rotten.
Exclude this issue from closing again by commenting /lifecycle frozen.

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
