
Adding Gitlab groups as principals / Dockerfile improvements #62

Open: wants to merge 3 commits into master

Conversation

@fuero (Contributor) commented Jun 6, 2017

When setting cashier up, I thought back to this post and about using Gitlab group membership as principals to map to usernames.

Sadly, this isn't supported but I'm guessing more people might want this. I've included and tested the implementation for gitlab, and added noop methods for the other providers.

Furthermore, I adjusted the Dockerfile to save a little space:

  • Command go to create smaller binaries. I've tried using UPX too, but it's too much of a hassle as it isn't in Alpine stable yet.
  • Merge several commands into a single RUN line creating fewer layers
  • Purge build dependencies after build
  • Remove sources

@patrickod (Collaborator) commented
I think the approach of passing group membership information in certificates as a static list of principals might not be the best approach, as it means that group memberships are now tied to certificate lifetime instead of source lifetime in Gitlab, i.e. you can be removed from a group and still have certificates that permit you to access resources relying on that group membership.

I think a better approach would be instead to use the AuthorizedPrincipalsCommand in OpenSSH itself to check these permissions dynamically at access time.

@fuero (Contributor, Author) commented Jun 15, 2017

@patrickod point taken. To put this into perspective:

Same principle does apply to the user account's validity though. Deactivate it in Gitlab, and the certificate is still valid until the expiration date.

When using LDAP in the auth source system in a regular sync job manner, account locks/group removal may take up to the configured synchronisation interval.

Rigging OpenSSH to query Gitlab et al. does introduce a potentially unwanted direct dependency on the auth system.

Without setting up OpenSSH, the introduction of the groups as principals has no effect.

So I'd recommend adding a paragraph to the docs detailing this problem and informing about the risks and leaving it to the admin setting this up to make the decision.
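The check-at-access-time design @patrickod proposes, and the caveats @fuero raises (certificate still valid after deactivation, a live dependency on the auth system, group principals doing nothing until sshd is wired up), as an added illustration in Go. This is not code from cashier or from either commenter. It assumes that cashier writes the GitLab username into the certificate key ID, that the certificate's group principals use a `gitlab-group:` prefix, and that a per-account policy decides which group principals a local account accepts; the membership directory is constructed sample data standing in for a GitLab API query.

```go
package main

import (
	"fmt"
	"os"
)

// Membership record as it would come back from the auth source. The map
// below is constructed sample data standing in for a live GitLab query.
// A real command would call the GitLab API and must fail closed, printing
// no principals, whenever that query fails (so sshd denies the login).
type member struct {
	active bool
	groups []string
}

var directory = map[string]member{
	"alice": {active: true, groups: []string{"ops", "dev"}},
	"bob":   {active: true, groups: []string{"dev"}},
	"carol": {active: false, groups: []string{"ops"}}, // deactivated in GitLab
}

// Which group principals each local account accepts (assumed local policy).
// Personal accounts are not listed: they accept only their own name.
var accountPolicy = map[string][]string{
	"deploy": {"gitlab-group:ops"},
}

// Assumed prefix used for group principals in the issued certificates.
const groupPrefix = "gitlab-group:"

// principals returns the names sshd should accept right now for a certificate
// whose key ID is keyID, when the client asks for the local account target.
// Assumption: cashier stored the GitLab username in the certificate key ID.
func principals(keyID, target string, dir map[string]member, policy map[string][]string) []string {
	m, ok := dir[keyID]
	if !ok || !m.active {
		return nil // unknown or deactivated user: print nothing, sshd denies
	}
	out := []string{}
	if keyID == target {
		out = append(out, keyID) // the user's own personal account
	}
	for _, g := range m.groups {
		p := groupPrefix + g
		for _, allowedPrincipal := range policy[target] {
			if p == allowedPrincipal {
				out = append(out, p)
			}
		}
	}
	return out
}

// allowed mirrors sshd's decision: the login is granted when at least one
// principal listed in the (already signature- and expiry-checked) certificate
// appears in the AuthorizedPrincipalsCommand output.
func allowed(certPrincipals, output []string) bool {
	for _, c := range certPrincipals {
		for _, o := range output {
			if c == o {
				return true
			}
		}
	}
	return false
}

// sshd_config wiring (paths are hypothetical):
//   TrustedUserCAKeys /etc/ssh/cashier_ca.pub
//   AuthorizedPrincipalsCommand /usr/local/bin/principals-check %u %i
//   AuthorizedPrincipalsCommandUser nobody
// sshd expands %u to the target account and %i to the certificate key ID,
// and runs the command on every connection, so a group removal or account
// deactivation in GitLab takes effect at the next login, not at cert expiry.
func main() {
	if len(os.Args) != 3 {
		fmt.Fprintln(os.Stderr, "usage: principals-check <target-user> <key-id>")
		os.Exit(1)
	}
	for _, p := range principals(os.Args[2], os.Args[1], directory, accountPolicy) {
		fmt.Println(p)
	}
}
```

With this wiring a certificate carrying the principals `alice` and `gitlab-group:ops` can log in as `deploy` only while alice is still an active member of `ops`; the certificate itself stays valid until it expires, which is the residual window @fuero describes, but it no longer grants the group-based access on its own. The trade-off is the one noted in the thread: sshd now depends on the membership source being reachable, so the command has to fail closed rather than open.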

@aberoham commented
Do y'all know if there is any upstream work in OpenSSH or within a standards body to codify how extended attributes to SSH certificates should be handled by SSH implementations? Gravitational's Teleport system can be used with OpenSSHD's CA + Github Groups via oauth, basically encodes group membership in the issued certs. But older openssh versions would fail on unrecognized extensions to certs. It would be nice if there were a standard around encoding metadata in SSH certificates.


3 participants