Azure AD doesn't use the Admin fields to authenticate with #11614

Closed
aemneina opened this issue Feb 24, 2018 · 8 comments
@aemneina

Rancher versions:
rancher/server: v1.6.14

Steps to Reproduce:

  • authenticate with bogus admin credentials
  • put valid user credentials under 'test and enable' user account

Results:

  • Azure AD is enabled and user account is used for admin bindings and group searches.
@loganhz

loganhz commented Mar 21, 2018

@vincent99 I think this is a backend issue?
UI shows enabled as backend returns 20X in this case.

@superseb
Contributor

I believe the admin credentials are not used, so they are not needed. @aemneina can clarify on this case.

@loganhz

loganhz commented Mar 23, 2018

@aemneina Can I remove admin credentials from UI side?

@vincent99
Contributor

vincent99 commented Mar 23, 2018

I'm willing to believe that the creds are not tested during enabling auth, but don't think it's correct that they are not ever used at all (e.g. for determining the groups a user is a member of when using an account API key).

@loganhz loganhz removed the area/ui label Mar 23, 2018
@loganhz loganhz removed their assignment Mar 23, 2018
@deniseschannon deniseschannon modified the milestones: v1.6 - Apr 2018, v1.6 - Jun 2018 Apr 2, 2018
@prachidamle
Member

@vincent99 @loganhz we can remove the Admin credentials field from UI. Azure provider uses an Azure assigned accessToken and refreshToken pair to grab the user's groups - we store these tokens in the account table when the user logs in using his password. Anytime later we need to access the user's groups/details these tokens suffice. If the accessToken has expired, refreshToken helps get a new pair of these tokens that is then stored with the account.

Thus even while using API keys, the tokens stored with the account are used and admin creds are not needed.
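
The flow described in the comment above, as an added Go example that is not Rancher's code and not part of the original thread. `TokenPair`, `AccountStore`, `Refresher` and `ErrReauth` are hypothetical names; the map stands in for the account table, the `Refresher` function stands in for the identity provider's token endpoint, and dropping the stored pair when a refresh is rejected is a choice made for this example.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// TokenPair is the per-account credential stored at login (field names are assumptions).
type TokenPair struct {
	Access, Refresh string
	Expires         time.Time
}

// Refresher exchanges a refresh token for a new pair (stand-in for the provider's token endpoint).
type Refresher func(refresh string) (TokenPair, error)

var ErrReauth = errors.New("refresh rejected: user must log in again")

// AccountStore is a hypothetical in-memory substitute for the account table.
type AccountStore map[string]TokenPair

// AccessToken returns a usable access token for the account, refreshing and
// persisting a new pair when the stored one has expired. No admin credential is involved.
func (s AccountStore) AccessToken(account string, now time.Time, refresh Refresher) (string, error) {
	pair, ok := s[account]
	if !ok {
		return "", fmt.Errorf("account %q has never logged in", account)
	}
	if now.Before(pair.Expires) {
		return pair.Access, nil
	}
	next, err := refresh(pair.Refresh)
	if err != nil {
		delete(s, account) // do not keep a dead refresh token at rest
		return "", fmt.Errorf("%w: %v", ErrReauth, err)
	}
	s[account] = next // store the rotated pair, replacing the old one
	return next.Access, nil
}

func main() {
	now := time.Date(2018, 6, 29, 12, 0, 0, 0, time.UTC) // constructed sample time
	store := AccountStore{"1a7": {"at-old", "rt-1", now.Add(-time.Minute)}}
	idp := func(string) (TokenPair, error) { return TokenPair{"at-new", "rt-2", now.Add(time.Hour)}, nil }
	fmt.Println(store.AccessToken("1a7", now, idp))
}
```

With this design the stored refresh token is the long-lived secret behind every API-key request for that account, so a revoked or expired refresh token surfaces as a forced re-login rather than a fallback to a shared admin account.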

@prachidamle
Member

I will test out the API keys use case and confirm my understanding noted above.

@prachidamle
Member

prachidamle commented Jun 29, 2018

Yes, tested with API keys against 1.6 and pulled my user identities correctly; confirmed that the AzureAD provider does not need admin creds for any backend functionality.

@sangeethah
Contributor

Tested with v1.6.19-rc5.

While enabling Azure AD auth, the user is not asked to enter admin credentials anymore.


Verify all the existing functionalities continue to work as expected.
