Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: identity group auth #497

Merged
merged 9 commits into from
Jun 28, 2024
Merged

feat: identity group auth #497

merged 9 commits into from
Jun 28, 2024

Conversation

UnicornChance
Copy link
Contributor

@UnicornChance UnicornChance commented Jun 20, 2024

Description

Identity Plugin Pepr component for managing group authorization to applications. This is only the implementation, meaning a package (i.e. grafana) will need to be configured for this to work. This is also dependent on a new release of uds-identity-config.

How to test

Update the identity config image here and here to include/change : ttl.sh/uds-core-config:group-plugin-groups-attribute

In addition to the identity config image, update the grafana package to require a specific group to access the application like so:

apiVersion: uds.dev/v1alpha1
kind: Package
metadata:
  name: grafana
  namespace: {{ .Release.Namespace }}
spec:
  sso:
    - name: Grafana Dashboard
      clientId: uds-core-admin-grafana
      redirectUris:
        - "https://grafana.admin.{{ .Values.domain }}/login/generic_oauth"
      groups:
        anyOf:
          - /UDS Core/Admin

With those changes utilize the test-uds-core task to test, no user is created by default so either go into keycloak and setup the user manually or go to sso.uds.dev and register a user there, then navigate to the grafana.admin.uds.dev and you should be redirected to a login page and depending on if you're in the admin group or not be granted access to the grafana dashboard.

Related Issue

Relates to uds-identity-config PR

Type of change

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Other (security config, docs update, etc)

Checklist before merging

@UnicornChance UnicornChance self-assigned this Jun 20, 2024
@UnicornChance UnicornChance changed the title feat: Identity Group Auth feat: identity group auth Jun 20, 2024
bburky
bburky previously requested changes Jun 24, 2024
src/pepr/operator/controllers/keycloak/client-sync.ts Outdated Show resolved Hide resolved
src/pepr/operator/controllers/keycloak/client-sync.ts Outdated Show resolved Hide resolved
@UnicornChance UnicornChance marked this pull request as ready for review June 27, 2024 13:10
@UnicornChance UnicornChance dismissed bburky’s stale review June 28, 2024 15:56

requested changes have been addressed, gh pr seems to think they weren't

@rjferguson21 rjferguson21 merged commit d71d83e into main Jun 28, 2024
12 checks passed
@rjferguson21 rjferguson21 deleted the group-auth-plugin branch June 28, 2024 16:19
@mjnagel mjnagel added this to the 0.23.0 milestone Jun 28, 2024
mjnagel pushed a commit that referenced this pull request Jul 8, 2024
🤖 I have created a release *beep* *boop*
---


##
[0.23.0](v0.22.2...v0.23.0)
(2024-07-04)


### ⚠ BREAKING CHANGES

* remove emulated gitlab endpoints from keycloak
([#483](#483))

### Features

* identity group auth
([#497](#497))
([d71d83e](d71d83e))


### Bug Fixes

* **docs:** re-ordered small paragraphs, clarified wording, and added
links to tech homepages
([#531](#531))
([6b2b46b](6b2b46b))
* **docs:** removed double-link which broke the markdown formatting in
pr template
([#532](#532))
([f41ced4](f41ced4))
* **docs:** uds-config.yaml example in k3d-slim-dev README
([#530](#530))
([2e1c53e](2e1c53e))
* operator retries and error logging
([#511](#511))
([cae5aab](cae5aab))


### Miscellaneous

* **deps:** update checkout action to latest sha
([#481](#481))
([c6f0137](c6f0137))
* **deps:** update dependency weaveworks/eksctl to v0.183.0
([#499](#499))
([9cb8e4d](9cb8e4d))
* **deps:** update grafana to 11.1.0
([#380](#380))
([499058a](499058a))
* **deps:** update istio to v1.22.2
([#512](#512))
([dcdadb4](dcdadb4))
* **deps:** update jest to v29.1.5
([#485](#485))
([9c392b9](9c392b9))
* **deps:** update neuvector to 5.3.3
([#467](#467))
([261057d](261057d))
* **deps:** update pepr to 0.32.2
([#473](#473))
([ab4bee9](ab4bee9))
* **deps:** update pepr to 0.32.3
([#494](#494))
([2e28897](2e28897))
* **deps:** update pepr to 0.32.6
([#516](#516))
([a9d3eec](a9d3eec))
* **deps:** update promtail to 3.1.0
([#335](#335))
([4457fce](4457fce))
* **deps:** update uds to v0.12.0
([#521](#521))
([8e587ff](8e587ff))
* **deps:** update uds-common tasks to 0.6.1
([#498](#498))
([4aa6e33](4aa6e33))
* **deps:** update zarf to v0.35.0
([#490](#490))
([86957cf](86957cf))
* docs linting changes
([#505](#505))
([0fe2015](0fe2015))
* remove emulated gitlab endpoints from keycloak
([#483](#483))
([495960c](495960c))
* update docs for group auth and readme for docs site
([#540](#540))
([ace7041](ace7041))

---
This PR was generated with [Release
Please](https://github.com/googleapis/release-please). See
[documentation](https://github.com/googleapis/release-please#release-please).

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
rjferguson21 pushed a commit that referenced this pull request Jul 11, 2024
## Description
Identity Plugin Pepr component for managing group authorization to
applications. This is only the implementation, meaning a package (i.e.
grafana) will need to be configured for this to work. This is also
dependent on a new release of uds-identity-config.

## How to test
Update the identity config image
[here](https://github.com/defenseunicorns/uds-core/blob/main/src/keycloak/zarf.yaml#L24)
and
[here](https://github.com/defenseunicorns/uds-core/blob/main/src/keycloak/chart/values.yaml#L10)
to include/change :
`ttl.sh/uds-core-config:group-plugin-groups-attribute`

In addition to the identity config image, update the grafana package to
require a specific group to access the application like so:

```yaml
apiVersion: uds.dev/v1alpha1
kind: Package
metadata:
  name: grafana
  namespace: {{ .Release.Namespace }}
spec:
  sso:
    - name: Grafana Dashboard
      clientId: uds-core-admin-grafana
      redirectUris:
        - "https://grafana.admin.{{ .Values.domain }}/login/generic_oauth"
      groups:
        anyOf:
          - /UDS Core/Admin
```

With those changes utilize the `test-uds-core` task to test, no user is
created by default so either go into keycloak and setup the user
manually or go to `sso.uds.dev` and register a user there, then navigate
to the `grafana.admin.uds.dev` and you should be redirected to a login
page and depending on if you're in the admin group or not be granted
access to the grafana dashboard.

## Related Issue
Relates to `uds-identity-config`
[PR](defenseunicorns/uds-identity-config#107)

## Type of change

- [ ] Bug fix (non-breaking change which fixes an issue)
- [x] New feature (non-breaking change which adds functionality)
- [ ] Other (security config, docs update, etc)

## Checklist before merging

- [x] Test, docs, adr added or updated as needed
- [x] [Contributor Guide
Steps](https://github.com/defenseunicorns/uds-template-capability/blob/main/CONTRIBUTING.md)(https://github.com/defenseunicorns/uds-template-capability/blob/main/CONTRIBUTING.md#submitting-a-pull-request)
followed
rjferguson21 pushed a commit that referenced this pull request Jul 11, 2024
🤖 I have created a release *beep* *boop*
---


##
[0.23.0](v0.22.2...v0.23.0)
(2024-07-04)


### ⚠ BREAKING CHANGES

* remove emulated gitlab endpoints from keycloak
([#483](#483))

### Features

* identity group auth
([#497](#497))
([d71d83e](d71d83e))


### Bug Fixes

* **docs:** re-ordered small paragraphs, clarified wording, and added
links to tech homepages
([#531](#531))
([6b2b46b](6b2b46b))
* **docs:** removed double-link which broke the markdown formatting in
pr template
([#532](#532))
([f41ced4](f41ced4))
* **docs:** uds-config.yaml example in k3d-slim-dev README
([#530](#530))
([2e1c53e](2e1c53e))
* operator retries and error logging
([#511](#511))
([cae5aab](cae5aab))


### Miscellaneous

* **deps:** update checkout action to latest sha
([#481](#481))
([c6f0137](c6f0137))
* **deps:** update dependency weaveworks/eksctl to v0.183.0
([#499](#499))
([9cb8e4d](9cb8e4d))
* **deps:** update grafana to 11.1.0
([#380](#380))
([499058a](499058a))
* **deps:** update istio to v1.22.2
([#512](#512))
([dcdadb4](dcdadb4))
* **deps:** update jest to v29.1.5
([#485](#485))
([9c392b9](9c392b9))
* **deps:** update neuvector to 5.3.3
([#467](#467))
([261057d](261057d))
* **deps:** update pepr to 0.32.2
([#473](#473))
([ab4bee9](ab4bee9))
* **deps:** update pepr to 0.32.3
([#494](#494))
([2e28897](2e28897))
* **deps:** update pepr to 0.32.6
([#516](#516))
([a9d3eec](a9d3eec))
* **deps:** update promtail to 3.1.0
([#335](#335))
([4457fce](4457fce))
* **deps:** update uds to v0.12.0
([#521](#521))
([8e587ff](8e587ff))
* **deps:** update uds-common tasks to 0.6.1
([#498](#498))
([4aa6e33](4aa6e33))
* **deps:** update zarf to v0.35.0
([#490](#490))
([86957cf](86957cf))
* docs linting changes
([#505](#505))
([0fe2015](0fe2015))
* remove emulated gitlab endpoints from keycloak
([#483](#483))
([495960c](495960c))
* update docs for group auth and readme for docs site
([#540](#540))
([ace7041](ace7041))

---
This PR was generated with [Release
Please](https://github.com/googleapis/release-please). See
[documentation](https://github.com/googleapis/release-please#release-please).

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants