dex
GitLab connector: add GitLab additional group with role
Overview
Issue - https://github.com/dexidp/dex/issues/2763
In this PR I add logic to add information about the user's group permissions to the GitLab connector.
Before MR:
Login with Gitlab Connector
time="2023-05-11T12:01:02Z" level=info msg="login successful: connector "gitlab", username="Vladimir Zemtsov", preferred_username="zvlb", email="***", groups=["group1", "group1/group1.1", "group1/group1.2", "group2", "group3"]
After MR (if getGroupsPermission is set to true in connector config):
time="2023-05-11T12:05:22Z" level=info msg="login successful: connector "gitlab", username="Vladimir Zemtsov", preferred_username="zvlb", email="***", groups=["group1", "group1/group1.1", "group1/group1.2", "group2", "group3", "group1:owner", "group1/group1.1:owner", "group1/group1.2:owner", "group2:maintainer"]
If zvlb user has Owner-access to group group1 and Maintainer-access to group group2. (And has Reporter or Guest access to group3)
In GitLab, if you have access to some group, you have the same access to nested groups (or Projects), but API request /oauth/userinfo returns information only about "main" groups. I add logic to add permission-postfix for nested groups.
What this PR does / why we need it
In my case, I want to use dex for authentication and use group-permission information to control user access to my application.
Does this PR introduce a user-facing change?
If this PR is applied, I will add information to the docs.
GitLab connector: add GitLab additional group with a role
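The suffix behaviour described above, as an added Go example (not the PR's implementation and not dex code): it reproduces the extra `group:role` entries from the "After MR" log line and shows why nested-group matching has to stop at a path-segment boundary when these strings feed an authorization decision. The `roleGrant` type, the function names and the `group10` entry are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// roleGrant is a hypothetical input: the groups on which the user directly
// holds Role. Fetching these from GitLab is out of scope here.
type roleGrant struct {
	Role   string
	Groups []string
}

// covers reports whether group is the granted group or nested under it.
// Matching whole path segments keeps "group1" from covering "group10".
func covers(granted, group string) bool {
	return group == granted || strings.HasPrefix(group, granted+"/")
}

// withRoleSuffixes returns groups followed by one "<group>:<role>" entry per
// group covered by a grant. Grants are ordered strongest first; first match wins.
func withRoleSuffixes(groups []string, grants []roleGrant) []string {
	out := append([]string(nil), groups...)
nextGroup:
	for _, g := range groups {
		for _, grant := range grants {
			for _, top := range grant.Groups {
				if covers(top, g) {
					out = append(out, g+":"+grant.Role)
					continue nextGroup
				}
			}
		}
	}
	return out
}

func main() {
	// Constructed sample mirroring the PR description's log lines, plus
	// "group10" to exercise the segment-boundary check.
	groups := []string{"group1", "group1/group1.1", "group1/group1.2", "group2", "group3", "group10"}
	grants := []roleGrant{{"owner", []string{"group1"}}, {"maintainer", []string{"group2"}}}
	for _, g := range withRoleSuffixes(groups, grants) {
		fmt.Println(g)
	}
}
```

A plain string-prefix comparison without the trailing `/` would emit `group10:owner` here, granting a role on an unrelated group.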
Hey @zvlb !
Thanks for the contribution!
I wonder if we should make this feature more generic. For example: allow users to format group names somehow:
- %name%
- %name%:%role%
- %name%;%role%
- %name_full_path%
We can make that an incremental change probably.
@nabokihms what do you think?
> I wonder if we should make this feature more generic. For example: allow users to format group names somehow:
> - %name%
> - %name%:%role%
> - %name%;%role%
> - %name_full_path%
I think it is not a good idea. %name% - it's the GitLab group name? But in GitLab, we can have groups with the same name but different paths. For example:
- /group1/test-group
- /group2/test-group
In this case, we have 2 groups with the name test-group, but they are different groups with different permissions.
I need some time to create unit tests
@nabokihms @sagikazarmark Hi. Can we continue discussing this MR?
Someone?
I'm really waiting for this feature in my production!
Hello guys! We really need this PR to be approved =)
One more vote for PR
can you merge this PR? really helpful
Anyone? @nabokihms @sagikazarmark
@zvlb thank you for the work! This looks very promising for me to manage argo roles based on gitlab's groups permissions. Is there any way to merge this and do some other future efforts to be more generic for use in other connectors? cc @nabokihms @sagikazarmark
someone?
????