Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We鈥檒l occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

SAML/SSO Authentication for Atlantis Web UI and API #4452

Open
1 task
tedwardd opened this issue Apr 18, 2024 · 0 comments
Open
1 task

SAML/SSO Authentication for Atlantis Web UI and API #4452

tedwardd opened this issue Apr 18, 2024 · 0 comments
Labels
feature New functionality/enhancement

Comments

@tedwardd
Copy link

tedwardd commented Apr 18, 2024
edited

Community Note

  • Please vote on this issue by adding a 馃憤 reaction to the original issue to help the community and maintainers prioritize this request. Searching for pre-existing feature requests helps us consolidate datapoints for identical requirements into a single place, thank you!
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment.

Describe the user story

This proposal is a re-issuance of the proposal in #2999; "WebUI: saml / sso and per user permissions" which was closed "Completed" without changes having been implemented.

Describe the solution you'd like

The Atlantis Web UI provides somewhat privileged functionality in the form of the Disable Apply Commands button as well as the ability to discard and unlock specific plans. Providing this via an unauthenticated web UI is a major security concern for some organizations. While Atlantis currently supports HTTP Basic Auth with a shared username and password, this is not sufficient for organizations with security policies prohibiting the use of shared login credentials.

Atlantis should provide, at a minimum, a way to authenticate users via a SAML provider. Ideally, this would also open the door to user accounts and roles through which distinct access controls could be configured for users or groups of users.

Describe the drawbacks of your solution

At present, Atlantis does not strictly require a stateful backend to function properly. The only consequence to running Atlantis in a stateless manner is that a restart of the container/pod hosting Atlantis will lose any current locks and plan information. If this feature provides more than just authn and authz, it will require a stateful backend to maintain user profile information. I would strongly encourage limiting the features for this to authn and authz only to permit SAML configuration information, loaded at runtime, to suffice for this feature.

Describe alternatives you've considered

The only mechanism at this time for providing SAML based authentication is via a reverse proxy such as NGINX. This, however, only provides authn and does nothing for authz so it is not a complete solution.
@tedwardd tedwardd added the feature New functionality/enhancement label Apr 18, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
feature New functionality/enhancement
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@tedwardd