
feat(ldap): Support for handling DN based multiloaded roles #1058

Merged
merged 3 commits into from Jun 9, 2023

Conversation

kirangodishala
Contributor

Addresses spinnaker/spinnaker#6841

  • The PR allows getting LDAP memberships for a large number of users
  • Pagination support while fetching group memberships
  • Support for mapping user IDs to user DNs using batched LDAP queries
  • This is an opt-in feature, enabled with the configuration below:
auth:
  groupMembership:
    ldap:
      enableDnBasedMultiLoad: true

To enable pagination, the configuration below is also needed:

auth:
  groupMembership:
    ldap:
      enablePagingForGroupMembershipQueries: true

Contributor

@dbyron-sf dbyron-sf left a comment


LGTM. FWIW, we've been running this code internally at Salesforce for ~2 years (with enablePagingForGroupMembershipQueries: true).

@dbyron-sf
Contributor

@kirangodishala would you add a release note for this please? Note that I believe the branches for 1.31 have already been cut, but it hasn't been released yet, so the release notes still mention 1.31, though I believe this will first appear in 1.32.

* Fiat when logging in the user, eg. employee email. This attribute is used for creating a map
* of the user dn to user id.
*/
String userIdAttribute = "employeeEmail";
Contributor


Nitpick: the typical LDAP attribute for this is mail, but the default probably doesn't matter that much.

public Pair<String, String> mapFromContext(Object ctx) {
DirContextAdapter context = (DirContextAdapter) ctx;
String userDN =
LdapNameBuilder.newInstance(LdapUtils.parseRootDnFromUrl(configProps.getUrl()))
Contributor


Thank you for not using the deprecated DistinguishedName here! :)

Contributor Author


Yeah, but the existing code still uses it!!

Contributor


Yeah, that's why I even noticed this change 😁


// This creates an "OR" filter of this form:
// (|(employeeEmail=foo@mycompany.com)(employeeEmail=bar@mycompany.com)(employeeEmail=bax@mycompany.com)...)
String userDNsFilter = String.format("(|%s)", String.join("", idFilters));
Contributor


No need to refactor, but there's an LdapQueryBuilder DSL in Spring that makes dynamic queries like this easier to assemble (and handles escaping strings properly, which may or may not be relevant depending on the email addresses used here): https://docs.spring.io/spring-ldap/docs/2.4.1/api/org/springframework/ldap/query/LdapQueryBuilder.html
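An added example, not Fiat's code and not part of this PR, covering both the batched user-id-to-DN OR filter described in the PR description and the escaping point raised in the comment above, with a paged membership search alongside. It assumes spring-ldap-core on the classpath; the class and method names, the use of the `mail` attribute and the sample ids are mine. `naiveOrFilter` mirrors the String.format approach shown in the snippet; `batchedOrFilters` builds the same query from Spring's `OrFilter`/`EqualsFilter` objects, which escape every value, and splits a long id list into batches so one huge filter is never sent.

```java
import java.util.ArrayList;
import java.util.List;

import javax.naming.directory.SearchControls;

import org.springframework.ldap.control.PagedResultsDirContextProcessor;
import org.springframework.ldap.core.DirContextOperations;
import org.springframework.ldap.core.LdapTemplate;
import org.springframework.ldap.core.support.AbstractContextMapper;
import org.springframework.ldap.filter.EqualsFilter;
import org.springframework.ldap.filter.OrFilter;

// Added example, not Fiat's code. Class and method names are hypothetical;
// assumes spring-ldap-core is on the classpath.
public class BatchedDnLookupExample {

    // The String.format pattern from the PR snippet, reproduced for contrast: ids are
    // interpolated unescaped, so an id containing ')' or '*' can close its own clause
    // and append further search terms to the filter.
    static String naiveOrFilter(String attr, List<String> ids) {
        StringBuilder sb = new StringBuilder("(|");
        for (String id : ids) {
            sb.append('(').append(attr).append('=').append(id).append(')');
        }
        return sb.append(')').toString();
    }

    // Same OR filter built from Spring LDAP filter objects and split into batches of at
    // most batchSize ids. EqualsFilter applies RFC 4515 escaping to each value
    // ('*' -> \2a, '(' -> \28, ')' -> \29, '\' -> \5c, NUL -> \00), so a caller-supplied
    // id cannot change the shape of the query.
    static List<String> batchedOrFilters(String attr, List<String> ids, int batchSize) {
        if (batchSize < 1) {
            throw new IllegalArgumentException("batchSize must be >= 1");
        }
        List<String> filters = new ArrayList<>();
        for (int start = 0; start < ids.size(); start += batchSize) {
            int end = Math.min(start + batchSize, ids.size());
            OrFilter batch = new OrFilter();
            for (String id : ids.subList(start, end)) {
                batch.or(new EqualsFilter(attr, id));
            }
            filters.add(batch.encode());
        }
        return filters;
    }

    // Paged subtree search that returns the DN of every entry matching filter. This
    // needs a live directory, so main() does not call it. The processor carries the
    // paging cookie from one round to the next; servers only honour that cookie on the
    // connection that issued it, so run this over a single-connection ContextSource
    // rather than a pooled one.
    static List<String> searchDnsPaged(LdapTemplate ldap, String base, String filter, int pageSize) {
        SearchControls controls = new SearchControls();
        controls.setSearchScope(SearchControls.SUBTREE_SCOPE);
        controls.setReturningAttributes(new String[0]); // only entry names are needed
        PagedResultsDirContextProcessor processor = new PagedResultsDirContextProcessor(pageSize);
        List<String> dns = new ArrayList<>();
        do {
            dns.addAll(ldap.search(base, filter, controls,
                new AbstractContextMapper<String>() {
                    @Override
                    protected String doMapFromContext(DirContextOperations ctx) {
                        return ctx.getNameInNamespace();
                    }
                }, processor));
        } while (processor.hasMore());
        return dns;
    }

    public static void main(String[] args) {
        // Constructed sample ids; the last one is a deliberately hostile value.
        List<String> ids = List.of("foo@mycompany.com", "bar@mycompany.com", "*)(objectClass=*");
        System.out.println("naive:   " + naiveOrFilter("mail", ids));
        for (String f : batchedOrFilters("mail", ids, 2)) {
            System.out.println("escaped: " + f);
        }
    }
}
```

Running main on the sample shows the difference the reviewer is pointing at: in the naive filter the hostile id's `(objectClass=*)` becomes a live clause of the OR, while in the escaped form it is rendered as the literal `\2a\29\28objectClass=\2a` and can only match a user whose id is exactly that string. Whether ids reach this code from a trusted source or from a login form decides how much that matters, which is why building the filter from `EqualsFilter` (or the LdapQueryBuilder DSL) costs nothing and removes the question.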

@dbyron-sf
Contributor

@Mergifyio update

@mergify
Contributor

mergify bot commented Jun 9, 2023

update

✅ Branch has been successfully updated

@dbyron-sf dbyron-sf added the ready to merge Approved and ready for merge label Jun 9, 2023
@mergify mergify bot added the auto merged label Jun 9, 2023
@mergify mergify bot merged commit 3069204 into spinnaker:master Jun 9, 2023
5 checks passed
aman-agrawal pushed a commit to OpsMx/fiat-oes that referenced this pull request May 7, 2024
…r#1058)

* feat(ldap): Support for handling DN based multiloaded roles

* feat(ldap): Support for handling DN based multiloaded roles.
Minor refactor.

---------

Co-authored-by: mergify[bot] <37929162+mergify[bot]@users.noreply.github.com>