feat(auth): Add LDAP groups check during OIDC login
In our organization we have a security requirement that access to DataHub is blocked if the user doesn't have a specific LDAP group. To achieve this, we have extended the current OIDC callback logic so that, after authentication, it now also checks whether the user is a member of at least one group from a configurable list of groups. If not, an exception is raised and the login page shows the usual error message ("Failed to sign in using Single Sign-On provider. Please try again, or contact your DataHub Administrator."). We also made this message configurable. The change is fully backwards compatible as it is optional, configurable through env vars, and by default the flow remains the same.
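As an added illustration (not the PR's own Java code), the post-authentication group gate described above sketched in Python: the required-group list and the error message come from env vars, a missing groups claim fails closed, and an empty list leaves the default flow untouched. The env var names, the default claim name `groups`, and case-insensitive comparison of group names are assumptions.

```python
import os

# Default message shown by the login page (quoted in the PR description).
DEFAULT_DENY_MESSAGE = (
    "Failed to sign in using Single Sign-On provider. "
    "Please try again, or contact your DataHub Administrator."
)

# Hypothetical env var names; the PR's actual names may differ.
ENV_REQUIRED_GROUPS = "AUTH_OIDC_REQUIRED_GROUPS"   # comma-separated allow-list
ENV_GROUPS_CLAIM = "AUTH_OIDC_GROUPS_CLAIM"         # claim carrying the LDAP groups
ENV_DENY_MESSAGE = "AUTH_OIDC_GROUPS_DENY_MESSAGE"  # override of the error text


class GroupAuthorizationError(Exception):
    """Raised when the authenticated user is in none of the required groups."""


def _normalize(name):
    # Assumption: LDAP group names compare case-insensitively, so match on
    # trimmed, casefolded names.
    return name.strip().casefold()


def load_required_groups(env):
    """Parse the configured allow-list. An empty set means the check is disabled."""
    raw = env.get(ENV_REQUIRED_GROUPS, "")
    return {_normalize(g) for g in raw.split(",") if g.strip()}


def extract_groups(claims, claim_name):
    """Read the groups claim; accept a list or a single string (one group)."""
    value = claims.get(claim_name)
    if value is None:
        return set()
    if isinstance(value, str):
        value = [value]  # a lone string is one group, not a CSV (DNs contain commas)
    return {_normalize(str(g)) for g in value if str(g).strip()}


def check_group_membership(claims, env=os.environ):
    """Gate run after the OIDC callback authenticates the user.

    Returns the matching groups, or None when no allow-list is configured.
    Fails closed: a missing or empty groups claim counts as 'no groups'.
    """
    required = load_required_groups(env)
    if not required:
        return None  # feature not configured: default login flow
    groups = extract_groups(claims, env.get(ENV_GROUPS_CLAIM, "groups"))
    matched = groups & required
    if not matched:
        raise GroupAuthorizationError(env.get(ENV_DENY_MESSAGE, DEFAULT_DENY_MESSAGE))
    return matched
```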
@david-leifker @chakru-r
IMO, the current implementation is not maintainable and needs refactoring to better organize the code in a separate module.
On a separate thread, why not simply configure the ldap filter to exclude users unless they are in the required ldap groups? DataHub doesn't need to know about users which are not granted access. If you're just looking to filter users, just update the userFilter documented here.
It is true that the groups wouldn't be ingested, however those could be pulled in with this source I believe.
In our case we actually don't (can't) use LDAP directly at all. We get the users from the OIDC provider, which under the hood returns the LDAP groups in the callback. So our DataHub instance isn't aware of "raw" LDAP users, and we can't filter on them that way.