The user-group-operator dynamically creates OpenShift groups and manages user group membership on first user login. Groups are automatically created and group membership is assigned when the User and Identity records are created in OpenShift.
Configuration is performed wyth UserGroupConfig resources and support configuring automatic group membership assignment based on user email domain, identity provider, or LDAP directory query.
The user-group-operator can be configured to inspect Identity records for users and use the extra.email
value to automatically assign users to groups based on their email address.
This configuration will cause groups to be created with a prefix email-domain.
.
A user with email alice@example.com
would be added to a user group called email-domain.example.com
.
apiVersion: usergroup.pfe.redhat.com/v1 kind: UserGroupConfig metadata: name: email-domain spec: emailDomainGroups: enable: true prefix: email-domain.
The user-group-operator can be configured to group users based on the identity provider used to authenticate them.
The configuration below would cause a user that authenticated with an identity provider named sso
to be added to the group identity-provider.sso
.
apiVersion: usergroup.pfe.redhat.com/v1 kind: UserGroupConfig metadata: name: identity-provider spec: identityProviderGroups: enable: true prefix: identity-provider.
The API group query accesses an arbitrary API endpoint and uses the response to define groups.
apiVersion: usergroup.pfe.redhat.com/v1 kind: UserGroupConfig metadata: name: api spec: api: - url: https://example.com/user/lookup authSecret: name: api-auth groupMappings: # Add user to admin group depending of value in "isAdmin" field - jmesPath: isAdmin valueToGroup: - group: admin value: true # Add user to groups with names that match the "roles" field returned by the API - jmesPath: roles
The auth secret currently only supports a JWT token style interface. An example auth secret could have:
apiVersion: v1 kind: Secret metadata: name: auth stringData: parameters: | grant_type: client_credentials client_id: openshift-user-group-operator client_secret: some-secret-string type: jwt url: https://sso.examplec.om/auth/token
OpenShift includes LDAP sync capabilities with oc adm groups sync
:
The Red Hat communities of practice provide automation for LDAP group syncing with the group-sync-operator:
If suitable these methods are likely preferrable to the the user-group-operator. This operator differs from these others by focusing on dynamically adding users to groups rather than preassigning group membership for users before login. This is particularly helpful for very large groups of users where only a small percentage are expected to ever login to the cluster. The other difference in functionality is that the user-group-operator can assign group membership based on any LDAP attribute value, not just group membership.
Note: The user-group-operator currently only supports finding groups by attributes on the user record.
This is compatible with RFC2307bis LDAP directories that provide the memberOf
attribute.
Support for group queries could be implemented, but is not currently planned.
The configuration below maps users who authenticate with the sso
identity provider to groups ldap-admin
and ldap-dev
.
Users are searched using the identity record extra.email
matched against the LDAP mail
attribute.
apiVersion: usergroup.pfe.redhat.com/v1 kind: UserGroupConfig metadata: name: ldap spec: ldap: - attributeToGroup: - attribute: memberOf valueToGroup: - group: ldap-admin value: cn=Admin,ou=Groups,dc=example,dc=com - group: ldap-dev value: cn=Dev,ou=Groups,dc=example,dc=com authSecret: name: ldap-auth identityProviderName: sso url: ldaps://ldap.example.com userBaseDN: ou=Users,dc=example,dc=com userSearchAttribute: mail userSearchValue: email userObjectClass: inetOrgPerson
Example LDAP authentication secret:
apiVersion: v1 kind: Secret metadata: name: ldap-auth stringData: bindDn: cn=read-only,dc=example,dc=com bindPassword: password
The user-group-operator includes support for looking up users against the Salesforce.com (SFDC) API and map user fields to group membership.
The configuration below maps users by name to the Salesforce federationId
field.
User groups are created according to the value of the partnerTier
field.
Group names will use the default salesforce-partnerTier-<VALUE>
group name.
Similar to the LDAP example above, a valueToGroup
can be given to control which field values will map to groups.
apiVersion: usergroup.pfe.redhat.com/v1 kind: UserGroupConfig metadata: name: salesforce spec: salesforce: - consumerKey: <Salesforce Consumer Key> consumerSecret: name: salesforce-consumer-secret fieldToGroup: - name: partnerTier url: https://login.salesforce.com userSearchField: federationId userSearchValue: name username: username@example.com
Example Salesforce consumer secret:
apiVersion: v1 kind: Secret metadata: name: salesforce-consumer-secret stringData: tls.key: | -----BEGIN PRIVATE KEY----- ... -----END PRIVATE KEY-----