Feature #3892

When new users are created based on REMOTE_USER authentication, their roles should be populated as well

Added by Jan Pazdziora over 4 years ago. Updated almost 4 years ago.

Status: Closed
Priority: Normal
Assigned To: Jan Pazdziora
Category: Authentication
Target version: Sprint 23
Difficulty:
Bugzilla link:
Found in release:
Pull request:
Story points: -
Velocity based estimate: -
Release: 1.6.0
Release relationship: Auto

Description

The issue http://projects.theforeman.org/issues/3312 made the REMOTE_USER authentication usable for authentication mechanisms other than just HTTP Basic. When the user is populated in the Foreman database upon successful logon, the issue http://projects.theforeman.org/issues/3528 made it possible to populate their name and email address based on information in an external identity provider like FreeIPA. The user no longer needs to be redirected to add their email address manually. These two issues have been implemented (as of Foreman 1.4) and are documented at http://projects.theforeman.org/projects/foreman/wiki/Foreman_and_mod_auth_kerb and in the Foreman manual http://theforeman.org/manuals/1.4/index.html#5.7SPNEGOauthentication.

Beyond name and email address, another useful piece of information that Foreman can obtain from an external identity provider like FreeIPA is group membership, which can be used to drive roles for Foreman users.
Based on http://www.freeipa.org/page/Environment_Variables#Proposed_Additional_Variables, we propose to populate group membership of the new user based on the REMOTE_USER_GROUP_N and REMOTE_USER_GROUP_# environment variables.

The current pull request for this feature is https://github.com/theforeman/foreman/pull/1328.

The follow-up feature is http://projects.theforeman.org/issues/5242 with pull request https://github.com/theforeman/foreman/pull/1391, which will make both user attributes and the group membership up-to-date after every external logon.
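
The variable convention named in the description, as an added Ruby example that is not Foreman's code or the code from the pull request: it reads REMOTE_USER_GROUP_N and the numbered REMOTE_USER_GROUP_1..N variables from a Rack-style environment and keeps only groups that have an explicit mapping. The helper names, `MAX_GROUPS`, and the sample environment and mapping are assumptions made for illustration.

```ruby
# Added illustration, not Foreman's code; helper names, MAX_GROUPS and the
# sample data are assumptions.
MAX_GROUPS = 256 # assumed sanity bound on the advertised count

# Read group names from a Rack-style env populated by mod_lookup_identity's
# "LookupUserGroupsIter REMOTE_USER_GROUP":
#   REMOTE_USER_GROUP_N     number of groups
#   REMOTE_USER_GROUP_1..N  one group name each
# Client request headers reach Rack as HTTP_* keys, so only the bare
# (server-set) names are read here.
def external_groups(env, prefix = 'REMOTE_USER_GROUP')
  # Group variables are meaningless without an authenticated REMOTE_USER.
  return [] if env['REMOTE_USER'].to_s.empty?

  raw = env["#{prefix}_N"].to_s
  return [] unless raw.match?(/\A\d{1,4}\z/) # count must be a plain integer

  count = [raw.to_i, MAX_GROUPS].min
  (1..count).map { |i| env["#{prefix}_#{i}"].to_s.strip }
            .reject(&:empty?)
            .uniq
end

# Keep only external groups that an administrator has explicitly mapped to a
# local user group; unmapped names grant nothing.
def mapped_usergroups(env, mapping)
  external_groups(env).map { |g| mapping[g] }.compact.uniq
end

# Constructed sample request environment.
SAMPLE_ENV = {
  'REMOTE_USER' => 'jdoe@EXAMPLE.TEST',
  'REMOTE_USER_GROUP_N' => '3',
  'REMOTE_USER_GROUP_1' => 'ipausers',
  'REMOTE_USER_GROUP_2' => 'foreman-admins',
  'REMOTE_USER_GROUP_3' => '',                 # empty slot is skipped
  'REMOTE_USER_GROUP_4' => 'stale-group',      # beyond _N, never read
  'HTTP_REMOTE_USER_GROUP_1' => 'superusers'   # client-sent header, ignored
}.freeze

# Constructed mapping: external group name => local user group name.
SAMPLE_MAPPING = { 'foreman-admins' => 'Administrators' }.freeze

p external_groups(SAMPLE_ENV)
p mapped_usergroups(SAMPLE_ENV, SAMPLE_MAPPING)
```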


Related issues

Related to Foreman - Feature #813: Support AD group membership for authorization and authent... Closed 03/31/2011
Blocks Foreman - Tracker #5031: External authentication support New 04/02/2014
Blocked by Foreman - Feature #5241: Add support for external group mapping Closed 04/18/2014
Blocks Foreman - Feature #5242: Keeping user's attributes and group membership up-to-date... Closed 04/18/2014
Copied from Foreman - Feature #3528: When new users are created based on REMOTE_USER authentic... Closed 10/28/2013

Associated revisions

Revision fdc476db
Added by Jan Pazdziora almost 4 years ago

fixes #3892 - process REMOTE_USER_GROUP_N and REMOTE_USER_GROUP_#, add user to groups based on external user groups.

History

#1 Updated by Jan Pazdziora over 4 years ago

  • Copied from Feature #3528: When new users are created based on REMOTE_USER authentication, their attributes should be populated as well added

#2 Updated by Dominic Cleal about 4 years ago

  • Target version set to Sprint 21

#3 Updated by Dominic Cleal about 4 years ago

  • Related to Feature #813: Support AD group membership for authorization and authentication added

#4 Updated by Daniel Lobato Garcia about 4 years ago

  • Assigned To set to Daniel Lobato Garcia

#5 Updated by Dmitri Dolguikh about 4 years ago

  • Target version changed from Sprint 21 to Sprint 22

#6 Updated by Jan Pazdziora about 4 years ago

Filed pull request https://github.com/theforeman/foreman/pull/1328 which will process output of mod_lookup_identity's

LookupUserGroupsIter REMOTE_USER_GROUP

configuration.

#7 Updated by Dominic Cleal about 4 years ago

  • Status changed from New to Ready For Testing
  • Assigned To changed from Daniel Lobato Garcia to Jan Pazdziora

#8 Updated by Jan Pazdziora about 4 years ago

  • Description updated (diff)

#9 Updated by Dominic Cleal about 4 years ago

#10 Updated by Jan Pazdziora about 4 years ago

  • Blocked by Feature #5241: Add support for external group mapping added

#11 Updated by Jan Pazdziora about 4 years ago

  • Description updated (diff)

#12 Updated by Dmitri Dolguikh almost 4 years ago

  • Target version changed from Sprint 22 to Sprint 23

#13 Updated by Dmitri Dolguikh almost 4 years ago

  • Target version changed from Sprint 23 to Sprint 22

#14 Updated by Dmitri Dolguikh almost 4 years ago

  • Target version changed from Sprint 22 to Sprint 23

#15 Updated by Jan Pazdziora almost 4 years ago

  • Blocks Feature #5242: Keeping user's attributes and group membership up-to-date even during subsequent logons added

#16 Updated by Dominic Cleal almost 4 years ago

  • Release set to 1.6.0

#17 Updated by Jan Pazdziora almost 4 years ago

  • Status changed from Ready For Testing to Closed
  • % Done changed from 0 to 100
