Composite claims in OIDC connector #3056
Conversation
Oded-B
changed the title
There was a problem hiding this comment.
@Oded-B Thanks for the contribution.
I expect's going to be some time before we get #1635 implemented, so I suggest we take a more structured approach, anticipating that other similar features may be added to connectors.
First of all, I find it a bit misleading that groups are not mentioned anywhere even though the concatenated claims end up as groups.
Secondly, I think it would be nice to add at least one level of config above it so that we can collect similar future additions.
A couple options I can imagine:
# ...
claimModifications:
groups:
newFromClaims:# ...
claimModifications:
newGroupsFromClaims:I'm not quite sure which one I like better yet. (@nabokihms WDYT?)
) Bumps [golang.org/x/crypto](https://github.com/golang/crypto) from 0.10.0 to 0.11.0. - [Commits](golang/crypto@v0.10.0...v0.11.0) --- updated-dependencies: - dependency-name: golang.org/x/crypto dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Oded Ben-Ozer <[email protected]>
Bumps [helm/kind-action](https://github.com/helm/kind-action) from 1.7.0 to 1.8.0. - [Release notes](https://github.com/helm/kind-action/releases) - [Commits](helm/kind-action@v1.7.0...v1.8.0) --- updated-dependencies: - dependency-name: helm/kind-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Oded Ben-Ozer <[email protected]>
Signed-off-by: Cedric-Magnan <[email protected]> Signed-off-by: Oded Ben-Ozer <[email protected]>
Signed-off-by: Cedric-Magnan <[email protected]> Signed-off-by: Oded Ben-Ozer <[email protected]>
Signed-off-by: Cedric-Magnan <[email protected]> Signed-off-by: Oded Ben-Ozer <[email protected]>
* Add the ability to composite new claims in the OIDC connector, based on upstream claims Signed-off-by: Oded Ben-Ozer <[email protected]>
Signed-off-by: Oded Ben-Ozer <[email protected]>
and structure for future claim modification additions Signed-off-by: Oded Ben-Ozer <[email protected]>
|
I used the 2nd option ( |
- Add missing json tag. - Control delimiter cleaning with a configuration key. - Use better variable names - concatenate string using slice and join Signed-off-by: Oded Ben-Ozer <[email protected]>
Signed-off-by: Oded Ben-Ozer <[email protected]>
- Rename some vars - Cleanup some comments - Tiny refactor to improve readability Signed-off-by: Oded Ben-Ozer <[email protected]>
Co-authored-by: Márk Sági-Kazár <[email protected]> Signed-off-by: Oded Ben Ozer <[email protected]>
Improve naming Signed-off-by: Oded Ben-Ozer <[email protected]>
Signed-off-by: Oded Ben-Ozer <[email protected]>
|
LGTM, thank you! Once the build turns green, good to go. |
| ClearDelimiter bool `json:"clearDelimiter"` | ||
|
|
||
| // String to place before the first claim | ||
| Prefix string `json:"prefix"` |
There was a problem hiding this comment.
| Prefix string `json:"prefix"` | |
| Prefix string `json:"prefix"` |
Prefix scales badly because people may want to add prefixes, suffixes, or both, or only prefix specific groups.
This is the same problem we are struggling in Kubernetes (that will be fixed in upcoming releases with CEL).
| } | ||
| for _, claimName := range config.ClaimList { | ||
| claimValue, ok := claims[claimName].(string) | ||
| if !ok { // Non string claim value are ignored, concatenating them doesn't really make any sense |
There was a problem hiding this comment.
This is obscure for users.
- At least an error should be returned.
- I do not see any obstacles to support integers or boolean claims.
Overview
Adds the ability to compose new group claims elements in the OIDC connector, based on other claims.
So this OIDC connector config:
Would result in this element in the group claim which looks like this::
bk::acme-inc::super-duper-app::mainWhat this PR does / why we need it
After #2806 we are able to authenticate with JWT generated by CI systems.
The claim provided by those systems are usually static and if the upstream OIDC service doesn't support sophisticated query language in its IAM/RBAC mechanism the operator might be unable to find a configuration that provided the needed granularity.
For example, lets say you want a specific Buildkiite pipeline to run a sync action on an ArgoCD instance.
These are claim provided by Buildkite CI/CD system:
AFAIKT ArgoCD doesn't have any fancy query language in its RBAC config like big cloud providers IAM (regexs are supported to action field only)
So If you want to allow pipelines runs from a specific repo and branch combination, you would need to combine
organization_slug,pipeline_slugandbuild_branchclaims ( notice thesubclaim includes the git commit, making it unusable as reference for RBAC ).With this PR you'll be able to concatenate/compose multiple claims to a new element in the group claim:
This would be the resulting group :
bk::acme-inc::super-duper-app::mainAnd you can refrence it in ArgoCD RBAC like so:
Special notes for your reviewer
This is intended as a temporary solution until a more flexible solution is provided via #1635.
Because the problem is uniq to service-tied JWTs and only relevant for OIDC I believe a connecter-specific solution is acceptable.
Does this PR introduce a user-facing change?