-
Notifications
You must be signed in to change notification settings - Fork 354
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: Auto-Populate POSIX Information on sign in using SSO [CM-399] #9755
Conversation
✅ Deploy Preview for determined-ui canceled.
|
strAgentUID := getSAMLAttribute(response, string(s.userConfig.agentUIDAttributeName)) | ||
tempAgentUID, err := strconv.Atoi(strAgentUID) | ||
if err != nil { | ||
logrus.WithError(err).WithField("agentUID", strAgentUID).Error("unable to convert to integer") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think this error should be very rare / surprising but we should log it just in case.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
wdy think about having this parser return an err? the only place it's used does support returning an error that might be the right behavior here.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Great idea, thanks!
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #9755 +/- ##
==========================================
- Coverage 54.31% 54.04% -0.27%
==========================================
Files 1261 1261
Lines 155624 155714 +90
Branches 3534 3533 -1
==========================================
- Hits 84530 84159 -371
- Misses 70956 71417 +461
Partials 138 138
Flags with carried forward coverage won't be shown. Click here to find out more.
|
if err != nil { | ||
if err == sql.ErrNoRows { | ||
logrus.WithError(err).Warnf("no agent user group results from workspaceID=%d", workspaceID) | ||
} else if err != nil { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
workspaceID
is supposed to be optional, but bun throws an error if zero results are returned.
`agent_gid_attribute_name`, `agent_user_name_attribute_name`, or | ||
`agent_group_name_attribute_name`. Please visit :ref:`oidc master configuration | ||
<_master-config-oidc>` or :ref:`saml master configuration <_master-config-saml>` for details. If | ||
any of the fields are configured, they will be used and synced to the database. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't understand why it's accepting _master-config-saml
as a reference link but not _master-config-oidc
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
:orphan:
New Features
- Master Configuration: Add support for POSIX claims in the master configuration. It now accepts
agent_uid_attribute_name
,agent_gid_attribute_name
,agent_user_name_attribute_name
,
oragent_group_name_attribute_name
. Refer to the :ref:OIDC master configuration <master-config-oidc>
or :ref:SAML master configuration <master-config-saml>
for details. If any of these fields
are configured, they will be used and synced to the database.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@kkunapuli i think maybe you added the leading underscore and its that part that is not needed. maybe something with the angle brackets. https://docs.readthedocs.io/en/stable/guides/cross-referencing-with-sphinx.html
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That was it - thank you so much @tara-det-ai!
dead50d
to
edf0afb
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
docs stamp not required to merge; left a suggested edit
strAgentUID := getSAMLAttribute(response, string(s.userConfig.agentUIDAttributeName)) | ||
tempAgentUID, err := strconv.Atoi(strAgentUID) | ||
if err != nil { | ||
logrus.WithError(err).WithField("agentUID", strAgentUID).Error("unable to convert to integer") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
wdy think about having this parser return an err? the only place it's used does support returning an error that might be the right behavior here.
140ef56
to
f9258b7
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Possible concern.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Possible issue
f9258b7
to
5800ffe
Compare
Group: dbData.Group, | ||
} | ||
|
||
if sessionData.AgentUIDSet { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Another nit with this pattern.
I am imagining the following UX:
TL;DR: once a user as a UID/GID set, it can never be unset via Auth claims and would need to be manually removed.
- System admin configures
security.default_task.user_id: 1234
, inmaster.yaml
- Some impetus: results in
UserA
having AgentUID5432
being set in the auth claim. - Other impetus: results in
UserA
's AgentUID being removed from the auth claim for which the admin would expect that tasks run by that user would run as UID 1234, however, I suspect they will continue to run as 5432.
To be clear, I am OK with this behavior, I think... but I wanted to bring it up here for the following reasons:
- To get confirmation that what I speculation about the behavior here is correct.
- Document that this is the behavior we should expect.
- Get any input from folks other than me if this behavior is acceptable.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I tested this behavior today and confirmed that it works as I expected it might.
Once you have enabled this feature and an AgentUID/GID is set for a user in order to have have this revert back to using the security.default_task.uid
an admin needs to manually remove the AgentUID/GID settings for that user.
We discussed real would situations in which this type of thing could come and yesterday and the only real one we could think is if a customer switches IdPs and forgets to populate the Agent UID/GID attributes in the auth claim. In this situation we would likely want to keep the UID and GID of the users there and not remove them and have the system go back to user the default. Therefore, I think the current behavior is best.
reset manually. In order to have have the UID or GID revert back to using the | ||
security.default_task.uid(gid), an admin needs to manually remove the agent UID/GID settings for | ||
that user. | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
To automatically link custom claims, you can configure the attribute name with the relevant field. For example:
agent_uid_attribute_name: "custom_uid_attribute_name"
.. note::
Once this feature is enabled and an agent UID/GID is assigned to a user, it can only be reset manually.
To revert the UID or GID back to the default value specified by security.default_task.uid(gid)
, an admin
must manually remove the agent UID/GID settings for that user.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
suggested edit
Ticket
CM-399
Description
When the a determined master is configured to expected the POSIX claims in SSO login & they are provided in the claim, then we will populate the relevant fields for the user:
Also re-adds new fields to master configuration (original done here https://github.com/determined-ai/determined/pull/9690/files). The original PR was reverted because of CI errors.
Test Plan
Test using an Okta application.
OIDC
Recommended application:
carolina-oidc-test
, https://dev-2564556-admin.okta.com/admin/app/oidc_client/instance/0oacxxzecx7a9l5O85d7/#tab-generalposix_uid
(int),posix_gid
(int),agent_user_name
(string) andagent_group_name
(string)oidc
section:SELECT * FROM agent_user_groups;
and look at columnsuid
,gid
,user_
andgroup_
You can also try different combinations! A user should be able to specify any, none, or all of the new parameters.
SAML
Recommended application:
Determined SAML CI
, https://dev-2564556-admin.okta.com/admin/app/dev-2564556_determinedsamlci_1/instance/0oaganmj6zxHC3A575d7/#tab-assignmentssaml
section:user_
will be your first name andgroup_
will be your last name.Checklist
docs/release-notes/
See Release Note for details.