feat: Operator disable create usergroup if detect user enabled external auth #1297
Conversation
pkg/cluster/cluster_config.go
Outdated
| return true, fmt.Errorf("failed to get Authentication CR cluster: %w", err) | ||
| } | ||
|
|
||
| return (authenticationobj.Spec.Type == "IntegratedOAuth" || authenticationobj.Spec.Type == ""), nil |
There was a problem hiding this comment.
it appears there is a constant for this configv1.AuthenticationTypeIntegratedOAuth
There was a problem hiding this comment.
i was thinking to make it:
return (authenticationobj.Spec.Type != "OIDC"), nil
or should we only create if it is AuthenticationTypeIntegratedOAuth ?
There was a problem hiding this comment.
I don't have any strong opinion but sinceI don't know what are all the possible values (i.e. behind a feature flag like the OIDC one) I would check if the type is among the supported values IntegratedOAuth or "" to be on the safe side
| @@ -83,6 +84,11 @@ func (r *DSCInitializationReconciler) Reconcile(ctx context.Context, req ctrl.Re | |||
| // Set platform | |||
| platform := currentOperatorRelease.Name | |||
|
|
|||
| createUsergroup, err := cluster.IsDefaultAuthMethod(ctx, r.Client) | |||
There was a problem hiding this comment.
nit: this can probably be moved closed where it is actually in use so i.e. if there's no DSCI, then there's no even need to retrieve the auth config. Same as if the reconcile request is not about the DSCI.
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## incubation #1297 +/- ##
=============================================
Coverage ? 18.59%
=============================================
Files ? 30
Lines ? 2699
Branches ? 0
=============================================
Hits ? 502
Misses ? 2135
Partials ? 62 ☔ View full report in Codecov by Sentry. |
zdtsw
force-pushed
the
chore_groups3
branch
3 times, most recently
from
9d2a57c
to
17f8fae
Compare
| @@ -212,11 +214,23 @@ func (r *DSCInitializationReconciler) Reconcile(ctx context.Context, req ctrl.Re | |||
|
|
|||
| return ctrl.Result{}, nil | |||
| default: | |||
| createUsergroup, err := cluster.IsDefaultAuthMethod(ctx, r.Client) | |||
| if err != nil { | |||
| if !k8serr.IsNotFound(err) { // only keep reconcile if real error but not missing CRD or missing CR | |||
There was a problem hiding this comment.
nit: it can probably be a single line if err != nil && !k8serr.IsNotFound(err)
pkg/cluster/cluster_config.go
Outdated
| // for now, HPC support "" "None" "IntegratedOAuth"(default) "OIDC" | ||
| // other offering support "" "None" "IntegratedOAuth"(default) | ||
| // we only create userGroups for "IntegratedOAuth" or "" and leave other or new supported type value in the future | ||
| return (authenticationobj.Spec.Type == configv1.AuthenticationTypeIntegratedOAuth || authenticationobj.Spec.Type == ""), nil |
There was a problem hiding this comment.
nit: parentheses seems to be redundant
…nal auth - use internal Authentication CR Type "" or IntegratedOAuth to indicate if Operator should create usergroup or not CRD has validation to only allow "IntegratedOAuth", "", "None" or "OIDC" - only grant "get, watch , list" as least permission - remove duplicated rbac for "ingress", has been defined in other places - add object into cache - add CRD into unit-test - add unit-test: since we dont have auth CR, it should not create usergroup Signed-off-by: Wen Zhou <[email protected]>
Signed-off-by: Wen Zhou <[email protected]>
pkg/cluster/cluster_config.go
Outdated
| authenticationobj := &configv1.Authentication{} | ||
| if err := cli.Get(ctx, client.ObjectKey{Name: "cluster", Namespace: ""}, authenticationobj); err != nil { | ||
| if errors.Is(err, &meta.NoKindMatchError{}) { // when CRD is missing, conver error type | ||
| return false, k8serr.NewNotFound(configv1.Resource("authentications"), "cluster") |
There was a problem hiding this comment.
nit: suggest using a constant for "cluster" , since its repeated a few times.
Signed-off-by: Wen Zhou <[email protected]>
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: lburgazzoli The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-merge-bot
bot
merged commit a5388ad
into
opendatahub-io:incubation
… external auth - manual cherry-pick from opendatahub-io#1297 Signed-off-by: Wen Zhou <[email protected]>
… external auth - manual cherry-pick from opendatahub-io#1297 Signed-off-by: Wen Zhou <[email protected]>
… external auth - manual cherry-pick from opendatahub-io#1297 Signed-off-by: Wen Zhou <[email protected]> (cherry picked from commit 5bed921)
… external auth - manual cherry-pick from opendatahub-io#1297 Signed-off-by: Wen Zhou <[email protected]> (cherry picked from commit 5bed921) Signed-off-by: Wen Zhou <[email protected]>
Description
feat: Operator disable create usergroup if detect users enabled external auth
(a different soltuion than feat: option to disable create default userGroup on ODH and self-managed #1278)
https://issues.redhat.com/browse/RHOAIENG-14214
How Has This Been Tested?
local build: quay.io/wenzhou/opendatahub-operator-catalog:v2.14214.8
1.
odh-adminsgroup, createodh-adminsgroup createdodh-adminsgroupodh-adminsgroup createdtest on a cluster with external-auth setup
odh-adminsgroup and cannot see Group form UI (user management)Screenshot or short clip
Merge criteria