-
Notifications
You must be signed in to change notification settings - Fork 3
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
First release of userinfo fecher tool (with Keycloak backend) #477
Comments
Reopening for #517 |
I think I personally would make a new Issue to change the common |
That is to be refined. |
I'm happy to let others refine, just tried to prevent this from some form of feature creeping 😅 |
Closing again, we have the default TLS in a separate ticket now. |
Description
The Stackable Data Plattform should integrate with identity providers to allow authorizing access based on arbitrary user attributes from those providers. The most common attributes will probably be groups and roles a user has, but other use cases are certain to come up, so this should be able to retrieve user configurable attributes as well.
Development
The current idea is to develop the userinfofetcher as a module in the opa operator https://github.com/stackabletech/opa-operator, to avoid additional build complexity by spinning this out into a project of its own.
If need be, it can still be moved out of the repo at a later date.
PoC code for this functionality is available in this branch: https://github.com/stackabletech/opa-operator/tree/spike/user-info-fetcher
Functionality
For an initial release the following items must be achieved:
Must Have
ADR
Some issues to be covered in the ADR:
CRD Design
Configuration of the userinfofetcher will be done inside of the existing Opa crd.
Option 1
Option 2
@sbernauer : have some decouplign and say its too complicated
Deployment
Currently the proposed deployment is for the UserInfoFetcher to run as a sidecar container in the opa pods. This would allow the userinfofetcher to only listen on the loopback interface and not be available from outside of the pod.
For this reason it should be possible to not run tls for the userinfofetcher, as the pod would need to be breached to compromise it - and at that point in time an attacker would have access to the certificate and key that can be used to authenticate as well.
For the first iteration it is agreed to go with the deployment model shown in the diagram above.
At later stages we may want to look into adding a central userinfofetcher as caching layer to avoid ddos-ing identity providers.
Definition of Done Checklist
Author
Reviewer
Acceptance
The text was updated successfully, but these errors were encountered: