
GitLab connector: add GitLab additional group with role

Open zvlb opened this issue 1 year ago • 14 comments

Overview

Issue - https://github.com/dexidp/dex/issues/2763

In this PR I add logic to add information about group permission for the user to the GitLab connector.

Before MR:

Login with Gitlab Connector

time="2023-05-11T12:01:02Z" level=info msg="login successful: connector "gitlab", username="Vladimir Zemtsov", preferred_username="zvlb", email="***", groups=["group1", "group1/group1.1", "group1/group1.2", "group2", "group3"]

After MR (if getGroupsPermission is set to true in the connector config):

time="2023-05-11T12:05:22Z" level=info msg="login successful: connector "gitlab", username="Vladimir Zemtsov", preferred_username="zvlb", email="***", groups=["group1", "group1/group1.1", "group1/group1.2", "group2", "group3", "group1:owner", "group1/group1.1:owner", "group1/group1.2:owner", "group2:maintainer"]

If zvlb user has Owner-access to group group1 and Maintainer-access to group group2. (And has Reporter or Guest access to group3)

In GitLab, if you have access to some group, you have the same access to nested groups (or Projects), but the API request /oauth/userinfo returns information only about "main" groups. I add logic to add a permission postfix for nested groups.

What this PR does / why we need it

In my case, I want to use dex for authentication and use group-permission information to control user access to my application.

Does this PR introduce a user-facing change?

If this PR is applied, I will add information to the docs

GitLab connector: add GitLab additional group with a role

zvlb avatar May 11 '23 12:05 zvlb
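The nested-group suffix logic described in the post above, as an added example that is not the PR's code. The function name `withRoles` and the role-to-groups input map are hypothetical, and the example assumes that when several roles apply to a group the strongest one is kept.

```go
package main

import (
	"fmt"
	"strings"
)

// Roles ordered from weakest to strongest (only the roles this example models).
var roleRank = map[string]int{"developer": 1, "maintainer": 2, "owner": 3}

// withRoles returns groups plus "<group>:<role>" entries. direct maps a role
// to the groups where the user holds that role directly (hypothetical input
// shape). A nested group inherits the role of any ancestor group; if several
// roles apply, the strongest one is kept (assumption of this example).
func withRoles(groups []string, direct map[string][]string) []string {
	out := append([]string{}, groups...)
	for _, g := range groups {
		best := ""
		for role, parents := range direct {
			for _, p := range parents {
				// Match on a path-segment boundary so "group1" does not
				// hand its role to an unrelated "group10/x".
				if g != p && !strings.HasPrefix(g, p+"/") {
					continue
				}
				if roleRank[role] > roleRank[best] {
					best = role
				}
			}
		}
		if best != "" {
			out = append(out, g+":"+best)
		}
	}
	return out
}

func main() {
	// Constructed input mirroring the login log lines in the post.
	groups := []string{"group1", "group1/group1.1", "group1/group1.2", "group2", "group3"}
	direct := map[string][]string{"owner": {"group1"}, "maintainer": {"group2"}}
	for _, g := range withRoles(groups, direct) {
		fmt.Println(g)
	}
}
```

An application that authorizes on these strings should compare the full `path:role` value, since the path segment check is what keeps a role on one group from leaking to a sibling with a similar name.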

Hey @zvlb !

Thanks for the contribution!

I wonder if we should make this feature more generic. For example: allow users to format group names somehow:

  • %name%
  • %name%:%role%
  • %name%;%role%
  • %name_full_path%

We can make that an incremental change probably.

sagikazarmark avatar May 11 '23 19:05 sagikazarmark

@nabokihms what do you think?

sagikazarmark avatar May 11 '23 19:05 sagikazarmark

I wonder if we should make this feature more generic. For example: allow users to format group names somehow:

  • %name%
  • %name%:%role%
  • %name%;%role%
  • %name_full_path%

I think it is not a good idea. %name% - it's the GitLab group name? But in GitLab, we can have groups with the same name, but different paths. For example:

  • /group1/test-group
  • /group2/test-group

In this case, we have 2 groups with the name test-group, but they are different groups with different permissions

zvlb avatar May 12 '23 04:05 zvlb

I need some time to create unit tests

zvlb avatar Jun 01 '23 14:06 zvlb

@nabokihms @sagikazarmark Hi. Can we continue discussing this MR?

zvlb avatar Jun 20 '23 08:06 zvlb

Someone?

zvlb avatar Jul 13 '23 09:07 zvlb

I am really waiting for this feature in my production!

dolgovas avatar Jul 18 '23 08:07 dolgovas

Hello guys! We really need this PR to be approved =)

progmatv avatar Jul 18 '23 08:07 progmatv

One more vote for PR

anatolychernov avatar Jul 18 '23 08:07 anatolychernov

can you merge this PR? really helpful

svbrsn avatar Aug 03 '23 12:08 svbrsn

Anyone? @nabokihms @sagikazarmark

zvlb avatar Aug 08 '23 05:08 zvlb

@zvlb thank you for the work! This looks very promising for me to manage argo roles based on gitlab's groups permissions. Is there any way to merge this and do some other future efforts to be more generic for use in other connectors? cc @nabokihms @sagikazarmark

eduherraiz avatar Dec 15 '23 18:12 eduherraiz

someone?

zvlb avatar Apr 10 '24 15:04 zvlb

????

zvlb avatar Jul 18 '24 12:07 zvlb