
Disallow usernames or group names that have "system:" as group name

Open anjaltelang opened this issue 3 years ago • 4 comments

If the Identity Provider has groups with group names starting with "system:", the Pinniped Supervisor should not allow these groups to get cluster specific tokens/certs. For example, if there is a group called "system:authenticated" in the Identity Provider, members of this group will have privileged access to the cluster. Any cluster specific RBAC should be handled using Kubernetes RBAC and policies.


anjaltelang, Feb 04 '22 14:02

  1. This applies to both the supervisor and the concierge
  2. system: should also be disallowed in usernames
  3. Related but a separate issue: all pinniped logins should always include a group such as pinniped:authenticated (as an unconfigurable/consistent building block for external consumers)

enj, Feb 04 '22 15:02
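Added example (not Pinniped's own code): a Go validation step of the shape this thread asks for, which rejects a login whose username or any group carries the reserved `system:` prefix and always adds the `pinniped:authenticated` group from enj's third point. The function names, the fail-closed choice (reject the login rather than silently drop the group) and the sample identities are this example's own.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Kubernetes reserves the "system:" prefix for built-in identities such as
// system:masters and system:authenticated, so an external IdP must never be
// able to mint a user or group with that prefix.
const reservedPrefix = "system:"

// Constant group attached to every successful login, as suggested in the
// thread, so downstream RBAC has a stable "came through Pinniped" marker.
const alwaysGroup = "pinniped:authenticated"

var ErrReservedName = errors.New("name uses the reserved system: prefix")

// hasReservedPrefix is an exact, case-sensitive check: Kubernetes compares
// subject names byte for byte, so only a literal "system:" prefix collides
// with a built-in identity.
func hasReservedPrefix(name string) bool {
	return strings.HasPrefix(name, reservedPrefix)
}

// ValidateIdentity fails the whole login if the username or any group is
// reserved; otherwise it returns the groups plus the constant marker group.
func ValidateIdentity(username string, groups []string) ([]string, error) {
	if hasReservedPrefix(username) {
		return nil, fmt.Errorf("username %q: %w", username, ErrReservedName)
	}
	out := make([]string, 0, len(groups)+1)
	for _, g := range groups {
		if hasReservedPrefix(g) {
			return nil, fmt.Errorf("group %q: %w", g, ErrReservedName)
		}
		out = append(out, g)
	}
	return append(out, alwaysGroup), nil
}

func main() {
	// Constructed sample identities, not data from the issue.
	samples := []struct {
		user   string
		groups []string
	}{
		{"alice@example.com", []string{"developers"}},
		{"mallory@example.com", []string{"developers", "system:masters"}},
	}
	for _, s := range samples {
		groups, err := ValidateIdentity(s.user, s.groups)
		fmt.Println(s.user, groups, err)
	}
}
```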

Thanks @enj. Changed the title to reflect this.

anjaltelang, Feb 04 '22 15:02

Probably premature to ask about an issue that's undecided, but wondering - do you folks see this as a generalized mechanism for users to prohibit users/groups containing arbitrary/user defined prefixes? (along the lines of https://github.com/vmware-tanzu/pinniped/issues/558) - or is it more appropriate to have a separate issue for that use case?

I'm thinking of a scenario where an API server is running with --oidc-issuer-url (+ prefix) along with Pinniped (potentially pointing at separate IDPs).

mayankbh, May 23 '22 18:05

Hi @mayankbh! Thanks for commenting on this issue.

It sounds like you are requesting a way to configure Pinniped to prevent authN for “users/groups containing arbitrary/user defined prefixes”? If so, could you please create a new issue for that? We'd love to learn more about your use case, what type of configuration knobs that you had in mind, and what you would like to accomplish by using such a feature. You could add those notes to the new issue.

I think this issue was intended to only capture handling of the special system: prefixes.

cfryanr, May 25 '22 15:05