feat: Operator disable create usergroup if detect user enabled external auth #1297
Conversation
pkg/cluster/cluster_config.go
Outdated
return true, fmt.Errorf("failed to get Authentication CR cluster: %w", err) | ||
} | ||
|
||
return (authenticationobj.Spec.Type == "IntegratedOAuth" || authenticationobj.Spec.Type == ""), nil |
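Review bot: the error path `return true, fmt.Errorf("failed to get Authentication CR cluster: %w", err)` pairs a meaningful-looking `true` with an error, so any caller that ignores or deliberately swallows the error (the reconciler later treats NotFound as non-fatal) would create the usergroup from a value that was never read from the cluster. Return `false` on error so the default when the auth method cannot be determined is to not create the group, and compare against `configv1.AuthenticationTypeIntegratedOAuth` rather than the string literal.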
It appears there is a constant for this: configv1.AuthenticationTypeIntegratedOAuth
I was thinking to make it:
return (authenticationobj.Spec.Type != "OIDC"), nil
or should we only create if it is AuthenticationTypeIntegratedOAuth?
I don't have any strong opinion, but since I don't know what all the possible values are (i.e. behind a feature flag like the OIDC one) I would check if the type is among the supported values IntegratedOAuth or "" to be on the safe side.
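The two checks debated above, side by side, as an added example that is not part of the pull request: the `!= "OIDC"` denylist and the `IntegratedOAuth`/`""` allowlist agree on the values the CRD admits today except "None", and only the allowlist stays closed for a type value that does not exist yet. The constant mirrors the string value of configv1.AuthenticationTypeIntegratedOAuth so the example runs without the openshift/api module; "FutureExternalIdP" is a constructed placeholder, not a real type.

```go
package main

import "fmt"

// Same value as configv1.AuthenticationTypeIntegratedOAuth in openshift/api;
// declared locally so this example has no external dependencies.
const authenticationTypeIntegratedOAuth = "IntegratedOAuth"

// DenylistAllowsUsergroup is the `!= "OIDC"` variant proposed in the thread:
// every type that is not explicitly OIDC is treated as the default auth method.
func DenylistAllowsUsergroup(authType string) bool {
	return authType != "OIDC"
}

// AllowlistAllowsUsergroup is the variant the reviewer preferred: only the
// two values known to mean "integrated OAuth" lead to usergroup creation,
// so an unknown or future type falls through to "do not create".
func AllowlistAllowsUsergroup(authType string) bool {
	return authType == authenticationTypeIntegratedOAuth || authType == ""
}

// Divergences returns the spec.type values on which the two checks disagree.
func Divergences(types []string) []string {
	var out []string
	for _, t := range types {
		if DenylistAllowsUsergroup(t) != AllowlistAllowsUsergroup(t) {
			out = append(out, t)
		}
	}
	return out
}

func main() {
	// Constructed inputs: the four values the CRD validation allows today,
	// plus a hypothetical value a future feature flag might introduce.
	types := []string{"", "IntegratedOAuth", "None", "OIDC", "FutureExternalIdP"}
	for _, t := range types {
		fmt.Printf("%-20q denylist=%-5v allowlist=%v\n",
			t, DenylistAllowsUsergroup(t), AllowlistAllowsUsergroup(t))
	}
	fmt.Println("checks disagree on:", Divergences(types))
}
```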
@@ -83,6 +84,11 @@ func (r *DSCInitializationReconciler) Reconcile(ctx context.Context, req ctrl.Re | |||
// Set platform | |||
platform := currentOperatorRelease.Name | |||
|
|||
createUsergroup, err := cluster.IsDefaultAuthMethod(ctx, r.Client) |
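Review bot: the `err` returned by `cluster.IsDefaultAuthMethod(ctx, r.Client)` is not checked anywhere in the visible lines; if the lookup fails, the reconcile should requeue or fall back to not creating the group rather than continue with whatever `createUsergroup` value came back with the error.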
nit: this can probably be moved closer to where it is actually in use, i.e. if there's no DSCI, then there's no need to even retrieve the auth config. Same as if the reconcile request is not about the DSCI.
Codecov Report
Attention: Patch coverage is
Coverage Diff: incubation vs. #1297
           incubation   #1297
Coverage   ?            18.59%
Files      ?            30
Lines      ?            2699
Branches   ?            0
Hits       ?            502
Misses     ?            2135
Partials   ?            62
9d2a57c to 17f8fae
@@ -212,11 +214,23 @@ func (r *DSCInitializationReconciler) Reconcile(ctx context.Context, req ctrl.Re | |||
|
|||
return ctrl.Result{}, nil | |||
default: | |||
createUsergroup, err := cluster.IsDefaultAuthMethod(ctx, r.Client) | |||
if err != nil { | |||
if !k8serr.IsNotFound(err) { // only keep reconcile if real error but not missing CRD or missing CR |
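Review bot: once `k8serr.IsNotFound(err)` is swallowed in the `default:` branch, `createUsergroup` keeps whatever bool the helper returned alongside the error, so the helper's error-path value silently becomes the effective decision on clusters without the Authentication CRD or CR; make sure that value is `false` in every NotFound case and say so in the comment, since "only keep reconcile if real error" describes the control flow but not the resulting default. Note also that `k8serr.IsNotFound` is applied to an error the helper wraps with `%w`; apimachinery's helper unwraps via `errors.As`, so this works, but it is worth a comment so a later refactor does not break it.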
nit: it can probably be a single line: if err != nil && !k8serr.IsNotFound(err)
pkg/cluster/cluster_config.go
Outdated
// for now, HPC support "" "None" "IntegratedOAuth"(default) "OIDC" | ||
// other offering support "" "None" "IntegratedOAuth"(default) | ||
// we only create userGroups for "IntegratedOAuth" or "" and leave other or new supported type value in the future | ||
return (authenticationobj.Spec.Type == configv1.AuthenticationTypeIntegratedOAuth || authenticationobj.Spec.Type == ""), nil |
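Review bot: the last clause of the comment, "leave other or new supported type value in the future", does not say what happens for those values; state explicitly that any type outside the allowlist, including types added in future, results in no usergroup being created, since that fail-closed default is the reason the allowlist was chosen over `!= "OIDC"`.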
nit: parentheses seem to be redundant
…nal auth - use internal Authentication CR Type "" or IntegratedOAuth to indicate if Operator should create usergroup or not CRD has validation to only allow "IntegratedOAuth", "", "None" or "OIDC" - only grant "get, watch , list" as least permission - remove duplicated rbac for "ingress", has been defined in other places - add object into cache - add CRD into unit-test - add unit-test: since we dont have auth CR, it should not create usergroup Signed-off-by: Wen Zhou <[email protected]>
Signed-off-by: Wen Zhou <[email protected]>
pkg/cluster/cluster_config.go
Outdated
authenticationobj := &configv1.Authentication{} | ||
if err := cli.Get(ctx, client.ObjectKey{Name: "cluster", Namespace: ""}, authenticationobj); err != nil { | ||
if errors.Is(err, &meta.NoKindMatchError{}) { // when CRD is missing, conver error type | ||
return false, k8serr.NewNotFound(configv1.Resource("authentications"), "cluster") |
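Review bot: `errors.Is(err, &meta.NoKindMatchError{})` only matches if `NoKindMatchError` implements an `Is` method; otherwise `errors.Is` falls back to equality, and a freshly allocated `&meta.NoKindMatchError{}` is never equal to the pointer the RESTMapper returned, so the missing-CRD case would be reported as a real error. `meta.IsNoMatchError(err)` is the helper intended for this check. Also "conver" in the comment should read "convert".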
nit: suggest using a constant for "cluster", since it's repeated a few times.
updated
Signed-off-by: Wen Zhou <[email protected]>
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: lburgazzoli The full list of commands accepted by this bot can be found here. The pull request process is described here
a5388ad into opendatahub-io:incubation
… external auth - manual cherry-pick from opendatahub-io#1297 Signed-off-by: Wen Zhou <[email protected]>
… external auth - manual cherry-pick from opendatahub-io#1297 Signed-off-by: Wen Zhou <[email protected]> (cherry picked from commit 5bed921)
… external auth - manual cherry-pick from opendatahub-io#1297 Signed-off-by: Wen Zhou <[email protected]> (cherry picked from commit 5bed921) Signed-off-by: Wen Zhou <[email protected]>
Description
feat: Operator disable create usergroup if detect users enabled external auth
(a different solution than feat: option to disable create default userGroup on ODH and self-managed #1278)
https://issues.redhat.com/browse/RHOAIENG-14214
How Has This Been Tested?
local build: quay.io/wenzhou/opendatahub-operator-catalog:v2.14214.8
1. odh-admins group, create odh-admins group created odh-admins group odh-admins group created
test on a cluster with external-auth setup: odh-admins group and cannot see Group from UI (user management)