-
Notifications
You must be signed in to change notification settings - Fork 40
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
tracking issue for MVP IAM work #849
Comments
Do any of these bullets represent being able to list users in a group? I don't see one. Say you're on a project access page and some group has read access on that project. I would want to be able to click on the group and see who is in it. While we're using the JIT model for users, this list would necessarily be limited to users we're aware of because they've logged in. That might be confusing if there's a user you expect to see because you know they're in the group on the IdP side, but they don't show up because they've never logged into Oxide. |
Good call. I don't think there was anything there that covered that. I added this as "list users in groups, list groups associated with a user".
Yup. I don't think there's much we can do in the API to mitigate this but maybe we can do something in the console? e.g., a small "expecting to see somebody else here?" link to a help page? |
Right, good idea. We can at least explain it. |
We need an unauthed endpoint that returns a silo's display name and its associated IdPs to implement the login screen on console. We do need to know which silo you're in right? Will this get unblocked when we have subdomains for silos? |
Yeah, Silos already have their own DNS names, though people don't necessarily use them in development. In a real system, we'll know which Silo you're in based on the DNS name you came in through (really the TLS SNI name, but those are generally the same thing). I'm not yet clear on what we'll do in development for this, where people often aren't using TLS nor DNS. Even though we should know the Silo name already, for SAML, login starts when you |
In theory we could redirect to the SAML page automatically, but I think it's a better user experience if you're hitting a page where the user triggers it themself. 99% of the time I imagine thats just them clicking the only button there. As I understand it, multiple IdPs on a single silo is uncommon but also trivial to support with this UI: Those login endpoints sound good to me but @david-crespo and @zephraph are much more qualified to speak to that than I am. If we had those then the minimum we could return to serve this page would be: For dogfood would be move everything over to the IdP silo? So we don't have two silos on a single DNS name? |
Yeah, as I understand it, it would be easy from the UI perspective. It's nasty internally and we want to avoid it (see all the stuff in RFD 234). I can still see it being useful to see a landing page like that, though, so you know what you're even logging into.
I'm not sure how best to convey these. @david-crespo or @zephraph have thoughts about all this?
Yeah...I believe that right now, we have a DNS "A" record that points the dogfood DNS name to the Nexus IP. It works in terms of TLS for whatever Silos we've uploaded that certificate for. But it's working a little bit by accident because we haven't finished this work. Nexus doesn't know what Silo you're coming in for in that configuration. It just doesn't care because it doesn't use that information yet. (Another reason we don't want customers to do this is that we want to be in charge of DNS so that we can change IPs if we need to. At some point I think we want to change the dogfood DNS name to be a CNAME for the DNS name provided by the rack's own external DNS server. I think that's mostly unrelated, though.) In order to keep using the same DNS name for Dogfood, we'll have to implement support for what I'd call "DNS aliases", where you can specify that the rack should serve one Silo's endpoints (e.g., "the-silo.sys.some-internal-dns-name.example") at some other DNS name (e.g., "the-silo.company.example"). I believe this is not needed for FCS so we'll have to decide whether we want to do this feature anyway and use it in Dogfood or change the Dogfood DNS name to just use the rack-provided naming scheme. |
I've created issues for the open non-cleanup items so I think we can close this one. @benjaminleonard I think we ended up addressing what you wanted? |
(Original source. NOTE: some of the work in that doc is not part of Omicron (e.g., RSS parts) and so isn't mentioned here.)
NOTE: Unless a bullet item says otherwise, it's talking about support in Nexus and the API, not support in the CLI and console. CLI and console support are covered in separate bullet points towards the bottom.
Test with PingFederateservice accounts/login/{silo_name}/local
#3217 / Username/password login page console#1533)(user, role)
pairs in resource policy PUT body cause 500 #1185(resource_type, role_name)
tuple) in therole_assignments
tableCC @jmpesp what have I missed?
The text was updated successfully, but these errors were encountered: