Add ADMIN roles through config file #3475
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
webbnh
previously approved these changes
Jul 1, 2023
|
We really need to do something about the legacy tests...it took seven tries to get this PR past Area-51. 🥴 |
PBENCH-1197 With the change to SSO, we've lost our own private realm and the ability to manage roles within it. We may be able to restore roles through Keycloak and LDAP groups, but this provides a temporary "quick and dirty" mechanism to define ADMIN roles for a server based on the username provided and cached from OIDC tokens. We define a simple `admin-role` config variable which can be defined to a comma-separated list of usernames to be granted ADMIN role. This value is processed by the authorization code when it caches local `User` objects for validation. I've added a functional test for the `audit` API, which requires ADMIN role, both to prove that it works and to provide a long-delayed minimal validation of auditing. (I decided not to merge this into the overloaded "datasets" test file, which means it can't easily be run last: this makes it a less rigorous "audit test", but that can be addressed later and it provides an "ADMIN role test" that's necessary now.)
npalaska
approved these changes
Jul 5, 2023
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
PBENCH-1197
With the change to SSO, we've lost our own private realm and the ability to manage roles within it. We may be able to restore roles through Keycloak and LDAP groups, but this provides a temporary "quick and dirty" mechanism to define ADMIN roles for a server based on the username provided and cached from OIDC tokens.
We define a simple
admin-roleconfig variable which can be defined to a comma-separated list of usernames to be granted ADMIN role. This value is processed by the authorization code when it caches localUserobjects for validation.I've added a functional test for the
auditAPI, which requires ADMIN role, both to prove that it works and to provide a long-delayed minimal validation of auditing. (I decided not to merge this into the overloaded "datasets" test file, which means it can't easily be run last: this makes it a less rigorous "audit test", but that can be addressed later and it provides an "ADMIN role test" that's necessary now.)