
Reject user as 403 if not part of a oidc connector group #29

Closed
rvirdiz opened this issue Jun 15, 2020 · 2 comments

rvirdiz commented Jun 15, 2020

Hi @yanniszark

I am using this service for the multi-tenancy feature in Kubeflow, as oidc-authservice is used for authentication in the Kubeflow dex+istio deployment.
I recently came across an issue or bug when using dex with ldap as an oidc connector.

Following are my dex logs when the user enters authentication info on the oidc-authservice login page, which is configured using the following example:
https://github.com/dexidp/dex/blob/master/Documentation/connectors/ldap.md#example-searching-a-active-directory-server-with-groups

time="2020-06-15T19:40:55Z" level=info msg="performing ldap search ou=users,dc=example,dc=com sub (&(objectClass=posixAccount)(uid=myldapuser))"
time="2020-06-15T19:40:55Z" level=info msg="username \"myldapuser\" mapped to entry uid=myldapuser,ou=users,dc=example,dc=com"
time="2020-06-15T19:40:55Z" level=info msg="performing ldap search cn=kubeflow,ou=groups,dc=example,dc=com sub (&(objectClass=posixGroup)(memberUid=myldapuser))"
time="2020-06-15T19:40:55Z" level=info msg="login successful: connector \"ldap\", username=\"LDAP_user\", preferred_username=\"\", email=\"[email protected]\", groups=[\"kubeflow\"]"

Here, dex performs a user search with the groupsearch filter, which allows user "myldapuser" to log in if they are part of the ldap group "kubeflow".
But even if the user is not part of any group in the ldapsearch filter, i.e. groups=[], it still allows the user to log in.
Ideally this should not happen if the user is not part of a group.
Is there any way in oidc-authservice where we can whitelist user groups or reject the access request, as per the blog you posted?
https://journal.arrikto.com/kubeflow-authentication-with-istio-dex-5eafdfac4782

Looking forward to your reply.
Thanks.

yanniszark (Contributor) commented Jul 1, 2020

Hi @rvirdiz, thanks for your interest!
The AuthService is about authentication, i.e. getting a user's identity (uid, groups, etc.).
Allowing/denying access based on this identity (e.g., if the user is a member of a group) is authorization and is not covered by the AuthService.
You may want to look into kubeflow/dashboard#42, which tracks group support in Kubeflow.

Another option we may pursue in the future is to make this identity available to Istio as well and enable you to use Istio Authorization Policy for this issue. Closing this issue as authorization is something we'd like to keep out of the authservice.
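The authentication/authorization split described in this reply, as an added illustration that is not code from oidc-authservice or from anyone in this thread: the authentication step yields an identity (here, just its groups claim), and a separate authorization layer decides whether to let the request through, answering 403 when the identity is in no allowed group, which covers the groups=[] case raised in the issue. The `Identity` type, `IdentityFunc`, `RequireGroup`, `StatusFor` and the "kubeflow" allowlist are all assumptions constructed for this example.

```go
package main

import (
	"net/http"
	"net/http/httptest"
)

// Identity is what the authentication step yields (hypothetical; only groups matter here).
type Identity struct{ Groups []string }

// IdentityFunc is the authentication step; how the identity is obtained is out of scope here.
type IdentityFunc func(r *http.Request) (Identity, bool)

// InAllowedGroup is the authorization decision: true only if at least one of the
// identity's groups is in the allowlist, so groups=[] is denied.
func InAllowedGroup(id Identity, allowed map[string]bool) bool {
	for _, g := range id.Groups {
		if allowed[g] {
			return true
		}
	}
	return false
}

// RequireGroup is a hypothetical middleware layered after authentication:
// 401 when no identity is present, 403 for an identity outside the allowlist.
func RequireGroup(authn IdentityFunc, allowed map[string]bool, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		id, ok := authn(r)
		if !ok {
			http.Error(w, "unauthenticated", http.StatusUnauthorized)
			return
		}
		if !InAllowedGroup(id, allowed) {
			http.Error(w, "forbidden: not in an allowed group", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// StatusFor runs one request through the middleware with a fixed identity and returns the status code.
func StatusFor(groups []string, authenticated bool) int {
	authn := func(*http.Request) (Identity, bool) { return Identity{Groups: groups}, authenticated }
	allowed := map[string]bool{"kubeflow": true} // constructed allowlist for this example
	okHandler := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) })
	rec := httptest.NewRecorder()
	RequireGroup(authn, allowed, okHandler).ServeHTTP(rec, httptest.NewRequest("GET", "/", nil))
	return rec.Code
}
```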

rvirdiz (Author) commented Jul 1, 2020

Thanks @yanniszark for the response.
Will check if it is possible to achieve the same in dex.
dexidp/dex#1752
