Configuring External Auth Provider: Add warning regarding local user mapping

Open richard-cox opened this issue 1 year ago • 2 comments

Internal Reference: SURE-7301

  • When a local auth provider admin configures an external auth provider, an external auth provider user is requested and authenticated
  • The provided user is linked to a new admin principal
  • We need to make it clear this happens and why
  • Covers all external auth providers

Current docs https://ranchermanager.docs.rancher.com/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config

richard-cox avatar Feb 15 '24 09:02 richard-cox

We should add a banner to the provider config page, with similar text to the docs - i.e.

"The account used to enable the external provider will be granted admin permissions. If you use a test account or non-admin account, that account will still be granted admin-level permissions. See External Authentication Configuration and Principal Users to understand why."

External Authentication Configuration and Principal Users should be a link to https://ranchermanager.docs.rancher.com/v2.8/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config#external-authentication-configuration-and-principal-users and should open in a new tab - note v2.8 should be replaced with the correct docsBase url as we do for other docs links.

nwmac avatar Mar 12 '24 13:03 nwmac

QA suspects that this is easily automatable.

gaktive avatar Mar 13 '24 15:03 gaktive

We already have a banner on the bottom of the page for all the auth providers:

associatedWarning: 'Note: The {provider} user you authenticate as will be associated
  as an alternate way to login to the {vendor} user you are currently logged in
  as <code>{username}</code>; all the global permissions, project,
  and cluster role bindings of this {vendor} user will also apply to the {provider} user.'

As discussed with @nwmac the new message will replace the old one, and should go on top of the page as a warning (yellow) banner.

momesgin avatar Mar 19 '24 16:03 momesgin

@nwmac the old message was shown only when the authentication provider was NOT enabled, should the new message follow the same logic, or should it always be displayed?

Also the new message uses a past tense ("The account USED to enable ..."), that might sound incorrect if you're just about to enable the auth provider.

momesgin avatar Mar 19 '24 23:03 momesgin

Yeah, I think when only not enabled is fine.

I think the grammar is okay - maybe if it was 'The account that is used' is clearer

nwmac avatar Mar 22 '24 08:03 nwmac

Checking the test it seems it's looking for the element existence. An is visible test could complement the coverage. What's your opinion @yonasberhe23?

izaac avatar Apr 03 '24 16:04 izaac

good call out @izaac. can you add this check @momesgin? once that's done i think we can move this to Done

yonasberhe23 avatar Apr 04 '24 19:04 yonasberhe23

sure, I'll work on it

momesgin avatar Apr 04 '24 20:04 momesgin