rancher
[RFE] Add optional filter on AzureAD auth group memberships
Describe the solution you'd like we have many users that have a lot of groups and we have discovered that it generates a lot of logs because all of their groups are displayed in the logs. We would like to use a filter so that only groups that begins with a specific name are being returned instead of all the groups the user has attached to his account. We saw in the function below that there is a filter option available to could help us reduce the number of groups being fetch.
// ListGroups fetches all group principals in a directory from the Microsoft Graph API. func (c azureMSGraphClient) ListGroups(filter string) ([]v3.Principal, error) { groups, _, err := c.groupClient.List(context.Background(), odata.Query{Filter: filter}) var principals []v3.Principal for _, u := range *groups { principal, err := c.groupToPrincipal(u) if err != nil { return nil, err } principals = append(principals, principal) } return principals, err }
We also suspect this impact the performance of rancher and we would like know what would you recommand to fix this?
Additional context we have many users that have a lot of groups and we have discovered that it generates a lot of logs because all of their groups are displayed in the logs.
UI portion over to QA per https://github.com/rancher/dashboard/issues/10881
Validation Template
Root Cause
Users desired to have a filter mechanism enabling them to limit the visible set of groups a user is attached to. This is intended as a means of reducing the amount of log data generated, as all visible groups appear in them.
This is not a bug to be fixed, it is an enhancement to be added.
What was fixed, or what change have occurred
The backend, specifically the AzureADConfig structure is extended with a new field groupMembershipFilter.
The field takes a string and passes this directly into filter clause of the group membership query.
This means that the field has to contain a filter clause in OData syntax.
Example: startswith(userPrincipalName,'fresh')
See also https://learn.microsoft.com/en-us/odata/concepts/queryoptions-overview#filter
Areas or cases that should be tested
Testing has to confirm that providing filter clauses properly reduces the set of groups returned.
What areas could experience regressions
Group membership queries with an empty filter clause should work as before, i.e. return all the groups a user is a member of.
Are the repro steps accurate/minimal?
There is no issue to reproduce.
@mouellet can you advise on what action you are taking that is producing the extensive logs?
Release Notes
Rancher General / UI
Extended Rancher's AzureAD auth provider with a filter field affecting listing the groups attached to a user. When set during configuration of the AzureAD Auth Provider the groups of a user are later filtered down as per the provided claus(es).
Beware: This filter does not affect general group listing. Only the list of groups for a user.
Beware: When filtering out a group all permissions the group would have given that user will not apply. As Rancher does not see that the user belongs to the group, due to the filter, it also does not see any permissions from that group. This means that filtering can have the side effect of denying users permissions they used to have.
Verified on v2.9-head f8c50bf and upgrade from v2.8.5 to v2.9-head f8c50bf
| Test cases | Status |
|---|---|
| Verify azure AD with filter returns items with less groups | PASS |
| Verify azure AD with filter returns items with less groups in audit logs | PASS |
| Refresh membership | PASS |
| Verify azure AD without filter returns items with all groups | PASS |
| Edit azure AD auth and enable filter | PASS |
| Edit azure AD and change the filter | PASS |
| Edit and remove the filter | PASS |
| Verify logging with a user outside of the group added in filter | PASS |
| Verify logging with a user from nested group added in filter | Blocked by https://github.com/rancher/rancher/issues/46169 |
| Add multiple filters in the filter tab | PASS |
| Add filter startswith(Name, 'anu') | PASS |
| Add filter startswith(ObjectID, 'bf6fa98e') | PASS |
| Verify filter appears post rancher upgrade | Blocked for nested checks https://github.com/rancher/rancher/issues/46169 |
| Add the filter by editing the authconfigs | PASS |
| Remove the filter by editing the authconfigs | PASS |
| Enable azure AD auth via terraform | Yet to be fixed https://github.com/rancher/rancher/issues/46209 |
Blocked tests will be validated as part of the logged ticktes.
@anupama2501 could you provide a brief description of GUI instructions for the docs team? We have an open related issue.
Limit users by group membership is the new field thats been added to azure AD auth providers. This field is optional while configuring azure AD. Users desired to have a filter mechanism enabling them to limit the visible set of groups a user is attached to.
This is intended as a means of reducing the amount of log data generated, as all visible groups appear in them.
Can you also add the following in the docs that was mentioned here:
Beware: When filtering out a group all permissions the group would have given that user will not apply. As Rancher does not see that the user belongs to the group, due to the filter, it also does not see any permissions from that group. This means that filtering can have the side effect of denying users permissions they used to have.
:warning: :warning: :warning:
The field name of Limit users by group membership is unfortunately bogus.
What gets limited is the list of groups for a user.
The field name claims the reverse, limit users by groups.