feat: Auto-Populate POSIX Information on sign in using SSO [CM-399] #9755
Conversation
kkunapuli
changed the title
✅ Deploy Preview for determined-ui canceled.
|
| strAgentUID := getSAMLAttribute(response, string(s.userConfig.agentUIDAttributeName)) | ||
| tempAgentUID, err := strconv.Atoi(strAgentUID) | ||
| if err != nil { | ||
| logrus.WithError(err).WithField("agentUID", strAgentUID).Error("unable to convert to integer") |
There was a problem hiding this comment.
I think this error should be very rare / surprising but we should log it just in case.
There was a problem hiding this comment.
wdy think about having this parser return an err? the only place it's used does support returning an error that might be the right behavior here.
There was a problem hiding this comment.
Great idea, thanks!
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #9755 +/- ##
==========================================
- Coverage 54.31% 54.04% -0.27%
==========================================
Files 1261 1261
Lines 155624 155714 +90
Branches 3534 3533 -1
==========================================
- Hits 84530 84159 -371
- Misses 70956 71417 +461
Partials 138 138
Flags with carried forward coverage won't be shown. Click here to find out more.
|
| if err != nil { | ||
| if err == sql.ErrNoRows { | ||
| logrus.WithError(err).Warnf("no agent user group results from workspaceID=%d", workspaceID) | ||
| } else if err != nil { |
There was a problem hiding this comment.
workspaceID is supposed to be optional, but bun throws an error if zero results are returned.
kkunapuli
changed the title
| `agent_gid_attribute_name`, `agent_user_name_attribute_name`, or | ||
| `agent_group_name_attribute_name`. Please visit :ref:`oidc master configuration | ||
| <_master-config-oidc>` or :ref:`saml master configuration <_master-config-saml>` for details. If | ||
| any of the fields are configured, they will be used and synced to the database. |
There was a problem hiding this comment.
I don't understand why it's accepting _master-config-saml as a reference link but not _master-config-oidc.
There was a problem hiding this comment.
:orphan:
New Features
- Master Configuration: Add support for POSIX claims in the master configuration. It now accepts
agent_uid_attribute_name,agent_gid_attribute_name,agent_user_name_attribute_name,
oragent_group_name_attribute_name. Refer to the :ref:OIDC master configuration <master-config-oidc>
or :ref:SAML master configuration <master-config-saml>for details. If any of these fields
are configured, they will be used and synced to the database.
There was a problem hiding this comment.
@kkunapuli i think maybe you added the leading underscore and its that part that is not needed. maybe something with the angle brackets. https://docs.readthedocs.io/en/stable/guides/cross-referencing-with-sphinx.html
There was a problem hiding this comment.
That was it - thank you so much @tara-det-ai!
kkunapuli
force-pushed
the
kunapuli/auto-populate-posix-info2
branch
from
dead50d
to
edf0afb
Compare
| strAgentUID := getSAMLAttribute(response, string(s.userConfig.agentUIDAttributeName)) | ||
| tempAgentUID, err := strconv.Atoi(strAgentUID) | ||
| if err != nil { | ||
| logrus.WithError(err).WithField("agentUID", strAgentUID).Error("unable to convert to integer") |
There was a problem hiding this comment.
wdy think about having this parser return an err? the only place it's used does support returning an error that might be the right behavior here.
kkunapuli
force-pushed
the
kunapuli/auto-populate-posix-info2
branch
from
140ef56
to
f9258b7
Compare
kkunapuli
force-pushed
the
kunapuli/auto-populate-posix-info2
branch
from
f9258b7
to
5800ffe
Compare
| Group: dbData.Group, | ||
| } | ||
|
|
||
| if sessionData.AgentUIDSet { |
There was a problem hiding this comment.
Another nit with this pattern.
I am imagining the following UX:
TL;DR: once a user as a UID/GID set, it can never be unset via Auth claims and would need to be manually removed.
- System admin configures
security.default_task.user_id: 1234, inmaster.yaml - Some impetus: results in
UserAhaving AgentUID5432being set in the auth claim. - Other impetus: results in
UserA's AgentUID being removed from the auth claim for which the admin would expect that tasks run by that user would run as UID 1234, however, I suspect they will continue to run as 5432.
To be clear, I am OK with this behavior, I think... but I wanted to bring it up here for the following reasons:
- To get confirmation that what I speculation about the behavior here is correct.
- Document that this is the behavior we should expect.
- Get any input from folks other than me if this behavior is acceptable.
There was a problem hiding this comment.
I tested this behavior today and confirmed that it works as I expected it might.
Once you have enabled this feature and an AgentUID/GID is set for a user in order to have have this revert back to using the security.default_task.uid an admin needs to manually remove the AgentUID/GID settings for that user.
We discussed real would situations in which this type of thing could come and yesterday and the only real one we could think is if a customer switches IdPs and forgets to populate the Agent UID/GID attributes in the auth claim. In this situation we would likely want to keep the UID and GID of the users there and not remove them and have the system go back to user the default. Therefore, I think the current behavior is best.
| reset manually. In order to have have the UID or GID revert back to using the | ||
| security.default_task.uid(gid), an admin needs to manually remove the agent UID/GID settings for | ||
| that user. | ||
|
|
There was a problem hiding this comment.
To automatically link custom claims, you can configure the attribute name with the relevant field. For example:
agent_uid_attribute_name: "custom_uid_attribute_name"
.. note::
Once this feature is enabled and an agent UID/GID is assigned to a user, it can only be reset manually.
To revert the UID or GID back to the default value specified by security.default_task.uid(gid), an admin
must manually remove the agent UID/GID settings for that user.
Ticket
CM-399
Description
When the a determined master is configured to expected the POSIX claims in SSO login & they are provided in the claim, then we will populate the relevant fields for the user:
Also re-adds new fields to master configuration (original done here https://github.com/determined-ai/determined/pull/9690/files). The original PR was reverted because of CI errors.
Test Plan
Test using an Okta application.
OIDC
Recommended application:
carolina-oidc-test, https://dev-2564556-admin.okta.com/admin/app/oidc_client/instance/0oacxxzecx7a9l5O85d7/#tab-generalposix_uid(int),posix_gid(int),agent_user_name(string) andagent_group_name(string)oidcsection:SELECT * FROM agent_user_groups;and look at columnsuid,gid,user_andgroup_You can also try different combinations! A user should be able to specify any, none, or all of the new parameters.
SAML
Recommended application:
Determined SAML CI, https://dev-2564556-admin.okta.com/admin/app/dev-2564556_determinedsamlci_1/instance/0oaganmj6zxHC3A575d7/#tab-assignmentssamlsection:user_will be your first name andgroup_will be your last name.Checklist
docs/release-notes/See Release Note for details.